Following a high-impact attack last month, owners of the Colonial Pipeline paid a $4.4M ransom to the DarkSide ransomware gang for decrypting the company’s IT systems. Today, the US Department of Justice announced that it has recovered the majority of the ransom payment.
On May 7, 2018, the Colonial pipeline was hit by a DarkSide attack. It caused temporary gas shortages in the east coast of the US. After paying a ransom to the DarkSide ransomware attack, Colonial Pipeline was able to quickly restore their systems.
Now, the US Department of Justice has announced that it has seized a cryptocurrency wallet linked to the DarkSide ransomware attack.
According to an affidavit submitted to the U.S. Court for the Northern District of California, law enforcers gained control of a private key that belonged to a DarkSide Bitcoin wallet that contained the ransom payment for the Colonial Pipeline. With this private key, the FBI could recover 63.7 Bitcoins from the original payment of 75 Bitcoins sent by Colonial Pipeline. The amount of the Bitcoin that was recovered is valued over $2.26 million today.
It is not revealed exactly how the FBI has gained access to the private key of the DarkSide wallet which allowed them to decrypt the encrypted transactions. But as we reported on May 14th, the ransomware gang claimed to have lost access to one of their payment servers. https://cyberintelmag.com/attacks-data-breaches/darkside-ransomware-servers-allegedly-seized-by-law-enforcement-exit-scam-rumored/
“A few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address,” the DarkSide ransomware operation told its affiliates on a forum.
It is possible that the FBI recovered the private key when they seized the attackers’ server.
This operation is the first of its kind conducted by the recently launched Ransomware and Digital Extortion Task Force.
“The seizure announced today was conducted as part of the Department’s recently launched Ransomware and Digital Extortion Task Force, which was established to investigate, disrupt and prosecute ransomware and digital extortion activity. This is the Task Force’s first operation of this kind,” Deputy Attorney General Lisa O. Monaco stated.
And it may be the first time that the US government has publicly announced that it has recovered a ransom payment that was paid to ransomware attackers.