On June 7, the U.S. Department of Justice announced that it had seized 63.7 BTC, worth approximately $2.3 million at the time, believed to be part of the May 8 ransom payment Colonial Pipeline made to the DarkSide ransomware attackers.
Colonial Pipeline has admitted paying the criminals a total of $4.4 million in Bitcoin to restore its systems after the ransomware attack it disclosed on May 7.
The U.S. Attorney's Office for the Northern District of California and its Asset Forfeiture Unit seized the Bitcoin immediately after a magistrate judge in the Northern District of California approved a seizure warrant. DarkSide had announced in mid-May that it had lost control of some of its servers, including its payment server, and was shutting down, citing "pressure" from the US. With that in mind, news of the seizure comes as no surprise. At the time, DarkSide stated that part of its funds had been withdrawn to an unknown account.
The old maxim of "follow the money" still works
"The old adage 'follow the money' still applies," Lisa Monaco, Deputy Attorney General at the U.S. Department of Justice, told a press briefing. After Colonial Pipeline promptly notified law enforcement, the Justice Department recovered the majority of the ransom early on June 7 under a seizure warrant issued by the District Court for the Northern District of California. Colonial had paid DarkSide in the aftermath of the ransomware attack last month.
The targeted seizure of wallets is meant to weaken increasingly destructive ransomware attacks, particularly those against critical infrastructure such as oil and gas pipelines. "Today we turned the tables on DarkSide by going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency," Monaco said. "We will continue to use all the tools and resources we need to do this."
How the FBI identified the attackers' wallet remains "ambiguous"
It is unclear exactly how US law enforcement identified the attackers' wallet. "The FBI has been investigating DarkSide, a Russia-based cybercriminal organization, since last year," FBI Deputy Director Paul Abbate said during the briefing. "DarkSide is just one of the ransomware variants."
"We identified a virtual currency wallet that DarkSide actors used to collect payments from victims," Abbate said. "Using law enforcement authority, the victim's funds were seized from that wallet, preventing DarkSide actors from using them." The details of how the operation was carried out, however, were not disclosed.
An FBI field agent, whose name is redacted in the affidavit accompanying the seizure request, stated that Colonial Pipeline had notified the FBI on May 8 of the cryptocurrency address it used to pay the ransom.
That let the FBI examine Bitcoin's public ledger and follow the payment, hop by hop, to the wallet from which the coins were ultimately seized. "The private key for the wallet is in the possession of the FBI in Northern California," the agent wrote in the affidavit. A Bitcoin private key is a 256-bit secret number: whoever holds it can sign transactions that spend the coins controlled by the corresponding address, so possession of the key is, in practice, possession of the funds. Note that the ledger itself is public and only pseudonymous. Addresses are not tied to names, but every transfer between addresses is visible to anyone, which is exactly what makes this kind of tracing possible.
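To make the tracing step concrete, the following is an added Python example written for this page (it is not FBI, Colonial or DarkSide code and does not touch the real chain). It follows a known ransom payment forward through a small ledger constructed for the example until the funds come to rest in unspent outputs. All txids, addresses and amounts are hypothetical; they only loosely echo the figures in the article (75 BTC paid, 63.7 BTC parked in one wallet).

```python
"""Follow a ransom payment forward through a Bitcoin-style ledger.

The ledger below is constructed for this example: hypothetical txids and
addresses, with amounts that only loosely echo the article. Nothing here is
real chain data.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

SATS = 100_000_000  # satoshis per BTC


@dataclass(frozen=True)
class TxOut:
    address: str
    value: int  # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Tuple[str, int], ...]  # (prev_txid, vout); empty for coinbase
    outputs: Tuple[TxOut, ...]


# Constructed sample ledger (hypothetical identifiers, not real transactions).
LEDGER: Dict[str, Tx] = {tx.txid: tx for tx in [
    Tx("cb01", (), (TxOut("victim_hot", 80 * SATS),)),              # victim funds a wallet
    Tx("pay01", (("cb01", 0),),                                     # the ransom payment
       (TxOut("darkside_collect", 75 * SATS), TxOut("victim_change", 5 * SATS))),
    Tx("split01", (("pay01", 0),),                                  # RaaS-style split
       (TxOut("affiliate_park", 6_370_000_000), TxOut("operator_cut", 1_130_000_000))),
    Tx("move01", (("split01", 1),),                                 # operator cashes out, 0.01 BTC fee
       (TxOut("exchange_deposit", 11 * SATS), TxOut("operator_change", 29_000_000))),
    Tx("noise01", (), (TxOut("someone_else", 2 * SATS),)),          # unrelated activity
]}


def spender_index(ledger: Dict[str, Tx]) -> Dict[Tuple[str, int], str]:
    """Map every spent outpoint (txid, vout) to the txid that spends it."""
    idx: Dict[Tuple[str, int], str] = {}
    for tx in ledger.values():
        for outpoint in tx.inputs:
            if outpoint in idx:
                raise ValueError(f"double spend of {outpoint}")
            idx[outpoint] = tx.txid
    return idx


def validate(ledger: Dict[str, Tx]) -> bool:
    """Basic consistency: inputs exist, no double spends, no value created."""
    spender_index(ledger)
    for tx in ledger.values():
        if not tx.inputs:
            continue
        in_sum = sum(ledger[ptx].outputs[vout].value for ptx, vout in tx.inputs)
        out_sum = sum(o.value for o in tx.outputs)
        if out_sum > in_sum:
            raise ValueError(f"{tx.txid} creates value out of thin air")
    return True


def trace_forward(ledger: Dict[str, Tx], start: Tuple[str, int]):
    """Follow funds from outpoint `start` through every spend until they rest.

    Returns (hops, resting): hops is the ordered list of txids traversed,
    resting maps each unspent tainted outpoint to its TxOut. Every output of a
    spending transaction is treated as tainted ("poison" taint), so change
    outputs are followed too; a real analyst would prune those with
    change-detection and address-clustering heuristics.
    """
    idx = spender_index(ledger)
    hops: List[str] = []
    resting: Dict[Tuple[str, int], TxOut] = {}
    queue = deque([start])
    seen = set()
    while queue:
        outpoint = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        txid, vout = outpoint
        if txid not in ledger or vout >= len(ledger[txid].outputs):
            raise KeyError(f"unknown outpoint {outpoint}")
        spender = idx.get(outpoint)
        if spender is None:  # unspent: this is where the money currently sits
            resting[outpoint] = ledger[txid].outputs[vout]
            continue
        if spender not in hops:
            hops.append(spender)
        for i in range(len(ledger[spender].outputs)):
            queue.append((spender, i))
    return hops, resting


def resting_by_address(resting: Dict[Tuple[str, int], TxOut]) -> Dict[str, int]:
    """Aggregate resting tainted value per address (satoshis)."""
    totals: Dict[str, int] = {}
    for out in resting.values():
        totals[out.address] = totals.get(out.address, 0) + out.value
    return totals


if __name__ == "__main__":
    validate(LEDGER)
    hops, resting = trace_forward(LEDGER, ("pay01", 0))  # start at the ransom output
    print("transactions traversed:", hops)
    for addr, sats in resting_by_address(resting).items():
        print(f"{addr:18s} {sats / SATS:8.2f} BTC")
```

The starting point is the one fact the victim can hand over: the transaction and output that paid the ransom. Everything after that is derived from the public ledger alone. The victim's own change output is never touched, because tracing starts at the attacker's output rather than at the whole transaction.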
How the FBI obtained DarkSide's private key is critical to judging whether law enforcement can repeat the feat and strip other ransomware attackers of their proceeds in the future.
In its public statements about the seizure, the FBI deliberately avoided explaining how the private key was obtained so as not to tip off the attackers. According to one agent, the method used by the FBI is "replicable," meaning authorities could use it against the next ransomware operation as well. The FBI also said it had received substantial assistance in seizing the wallet from the Microsoft Threat Intelligence Center (MSTIC).
Three scenarios for how the wallet was secured
There are three plausible scenarios for how US law enforcement secured the wallet:
"The FBI documents give rise to a lot of speculation, but what is certain is that they possessed the hacker group's private key and the associated 63.7 bitcoin," said Adrian Bednarek, CISO at cryptocurrency firm Overflow Labs. Bednarek speculated that one of three scenarios explains how the FBI obtained the private key.
The first scenario is that, thanks to DarkSide's poor operational security, the FBI discovered the physical location of the computing devices used to collect ransomware payments. The devices were seized and DarkSide's private key was forensically recovered. This hypothesis aligns with DarkSide's mid-May statement that it had lost control of its servers.
"A second, less likely scenario is that a DarkSide insider worked with the FBI and struck a deal to hand over the private key," Bednarek said.
Bednarek's third scenario is that the FBI used a private zero-day exploit in the operating system or software (or both) used by DarkSide to reveal the real Internet Protocol (IP) addresses of DarkSide's computing devices, then worked with ISPs to determine their physical location. The Bitcoin private key would then have been recovered either by forensic analysis of the seized hardware or by running code on the compromised device.
"Based on past experience, the FBI finds and hires specialized companies to discover exploits in the software used by adversaries," Bednarek added.
Monaco said the move is not the first time the US government has seized cryptocurrency in connection with a ransomware attack. In January, U.S. law enforcement seized about $454,530 in cryptocurrency ransom payments in an action against the NetWalker ransomware operation.
Colonial Pipeline's cooperation encourages other victims to work with the FBI
Colonial Pipeline confirmed that it worked with the FBI and shared what it knew with prosecutors and field investigators, which helped in seizing the wallet. "When Colonial was attacked on May 7, we quietly and quickly reached out to the local FBI offices in Atlanta and San Francisco and to prosecutors in Northern California and Washington, D.C., to share what we knew at the time," Colonial said in a statement.
The FBI hopes the successful seizure will encourage other ransomware victims to work with law enforcement to deprive ransomware attackers of their financial gains. "The message we are sending is that if affected companies work with law enforcement, we can take action to take away the money the criminals are pursuing in their criminal schemes," Monaco said.
"The Colonial Pipeline attack was an attack on the country's most critical infrastructure," Monaco said. "The response to this attack represents the government's rapid response, represented by the FBI Ransomware Task Force, and our commitment to tracking the entire ransomware criminal ecosystem used by this type of criminal network and its affiliates."
Ransomware attackers need to work harder to remain anonymous
Whether or not law enforcement has meaningfully weakened the ransomware ecosystem, the seizure shows that law enforcement can trace ransomware payments, which will force cybercriminals to change how they operate.
Staying anonymous on the Internet is very difficult and requires meticulous attention to detail. "It's very difficult to remain anonymous online because there are so many tracking methods," Bednarek said. "This is especially true when conducting ransomware attacks that demand cryptocurrency as ransom."
Acting U.S. Attorney for the Northern District of California Stephanie Hinds said at the Justice Department press briefing, "New financial technologies that seek to anonymize payments will not provide a means for criminals to rob hard-working citizens. This shows our resolve to prevent payment methods from being turned into tools of extortion for undue gain."
Source: ITWorld Korea by www.itworld.co.kr.