The FBI has successfully recovered US$2.3 million that Colonial Pipeline paid to the Darkside cybercrime gang. It represents 85% (63.7) of the bitcoins used (75) to pay the ransom. Colonial made the payment, despite saying that it wouldn’t, to get its systems back online. That allowed it to restart the fuel pipelines that serve the US East Coast.
In a press conference, FBI Deputy Director Paul M. Abbate said: “Based on our investigation into DarkSide, and incredible work with other US government partners, we identified a virtual currency wallet that the DarkSide actors used to collect a payment from a victim. Using law enforcement authorities, victim funds were seized from that wallet, preventing DarkSide actors from using them.”
Since the story broke, there has been much confusion as to what actually happened. The cybersecurity community has hailed this as a major win for the FBI, with some going as far as to claim the FBI “hacked the hackers.” In cybercriminal communities, however, there is a different narrative. That is that this wasn’t a hack and that cryptocurrencies are still secure.
What do we know?
One of the key sources in this story is the FBI’s affidavit to seize the bitcoins. In it, the FBI details that the 75 bitcoins were paid in two separate transactions on May 8th. Both went to the same address as set out by Darkside. Using Blockchain Explorer, the FBI then tracked how the bitcoin travelled through over 30 different bitcoin addresses.
In particular, the affidavit records that 63.7 bitcoin was transferred to a bitcoin address where: “The private key for the subject address is in the possession of the FBI in the Northern District of California.” It was the use of that private key that allowed the FBI to recover the payment.
How did the FBI get the private key?
This is where the story gets unclear. There are claims that the FBI was able to decrypt the private key. There is absolutely no evidence for this, especially given the strength of the encryption in force. Had the FBI managed this, it would likely have used the technology to gain access to the remainder of the ransom payment.
Another claim is that the FBI hacked the owner of the wallet and seized the key from their computer. This is slightly more believable, but it assumes that the FBI knows who owns that bitcoin wallet and was able to infect their machine with some form of malware that captured the bitcoin. However, there is no evidence from the affidavit that the address was ever accessed. Without that, how would the FBI know who owned the wallet and whom to target?
A more likely scenario goes back to a few days after the Colonial Pipeline attack. At that point, Darkside admitted it had lost control of part of its infrastructure. According to Threatpost: “the servers for its blog, payment processing and denial-of-service (DoS) operations had been seized.” While the location of those servers wasn’t mentioned, it is not a stretch of the imagination that they were in the US. It is equally possible that the passphrase to the key bitcoin wallet was recovered from one of those servers.
There has also been the suggestion that this could be related to the FBI ANOM operation. This is where the FBI persuaded criminals to unwittingly use the encrypted phones it supplied. The thought is that the passphrase for the bitcoin wallet was exchanged between people using the service. If that is the case, then it is an unexpected bonus for the FBI.
How big an issue is this?
That depends on your point of view. It has certainly caused significant chatter in cybercriminal communities. However, there is no sense of panic or impending doom. Instead, the focus has been on how payments should be handled and the merits of different cryptocurrencies.
Peter Grimmond, International CTO & VP Technical Sales at Veritas Technologies, expects to see attackers evolve. He said: “It is important that businesses now prepare for hackers to evolve their strategies in response because, while we may have won the battle, there’s a whole lot more to come in the war on ransomware.
“To avoid authorities being able to repeat this playbook in the future, hackers will be looking for ways to safeguard their windfalls. That might include, for example, longer delays in releasing encryption keys so that they have time to launder on their money, leaving behind backdoors to re-encrypt data if needed, or retaining exfiltrated data as ‘security’ to publish if any attempts are made to recoup the ransom.”
The news has been met with widely differing views in the cybersecurity industry, ranging from all-out cheerleading to more considered opinions.
Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network said: “The $2.3 million is a drop in the ocean of ransomware, however, it sends a bold statement that the DoJ now has tolerance-zero for ransomware gangs. The seizure continues the previously announced efforts to combat surging ransomware, and is likely to be a first palpable step to deter cybercriminals.”
Enterprise Times: What does this mean?
One win does not signal the end of ransomware or the retrieval of hundreds of millions of ransom payments. What is important is that this sends a warning that law enforcement is stepping up its game.
The takedown of dark web marketplaces has yielded significant intelligence in the past. It has also seen multiple cryptocurrency wallets seized. However, only a few of those have been opened and only when the passphrases were given up as part of a plea agreement.
In the case of Darkside, there is unease about the intelligence that law enforcement will be able to retrieve from the seized infrastructure. Will it lead to more ransom recoveries? Possibly but don’t hold your breath.
