
The Justice Department has seized 63.7 bitcoins currently valued at approximately $2.3 million that allegedly represents some portion of a May 8 payment by the Colonial Pipeline company to DarkSide ransomware attackers.

Colonial Pipeline admitted paying the cyber criminals a total ransom of around $4.4 million in bitcoin to restore full functionality to its systems following the crippling ransomware attack announced by the company on May 7.

The Special Prosecutions Section and Asset Forfeiture Unit of the US Attorney’s Office for the Northern District of California seized the bitcoin wallet after a magistrate judge for the Northern District of California authorised a seizure warrant.

News of the wallet seizure came as little surprise given that the DarkSide attackers themselves foreshadowed it when they announced in mid-May that the group lost control over some of its servers, including a payment server, and was shutting down due to “pressure” from the United States. At that time, DarkSide also stated that some of its funds had been withdrawn to an unknown account.

The adage of “follow the money” still applies

Lisa Monaco, a deputy attorney general of the Justice Department, said during a press briefing that “the old adage ‘follow the money’ still applies. And that’s exactly what we do.

“After Colonial Pipeline’s quick notification to law enforcement and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network in the wake of last month’s ransomware attack.”

The targeted seizure of the wallet aims to undercut the current wave of increasingly destructive ransomware attacks, particularly those targeted at highly critical infrastructure such as oil and gas pipelines.

“We turned the tables on DarkSide by going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency,” Monaco said. “We will continue to use all of our tools and all of our resources to increase the cost and the consequences of ransomware attacks and other cyber-enabled attacks.”

FBI is vague on how it identified the attacker’s wallet

Precisely how law enforcement identified the attacker’s wallet is unclear. During the briefing, FBI Deputy Director Paul Abbate said that the Bureau has been investigating Russia-based cyber crime gang DarkSide since last year. DarkSide is only one of 100 ransomware variants affecting 90 identified victims that the FBI is investigating, Abbate said.

“We identified a virtual currency wallet that the DarkSide actors use to collect a payment from a victim using law enforcement authorities. Victim funds were seized from that wallet, preventing DarkSide actors from using it,” Abbate said while offering few details on how the operation worked.

In an affidavit accompanying an application for the seizure warrant, an FBI field agent, whose name was redacted, said that Colonial Pipeline informed the FBI on May 8 of the cryptocurrency address it used to make its ransom payment.

From there, the FBI reviewed the bitcoin public ledger to trace the bitcoins to the ultimately seized wallet. “The private key for the [wallet] is in the possession of the FBI in the Northern District of California,” the agent said in the affidavit. Private keys, which are 256-bit secret numbers that allow bitcoin to be unlocked and sent, are critical components of how the cryptocurrency is kept anonymous and secure.
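The affidavit’s description of reviewing the public ledger to trace the payment from Colonial’s address to the seized wallet is, in essence, a graph walk: start at the address the victim paid from, follow every transaction that spends from an address already reached, and stop at outputs nobody has spent yet. The example below is added here to show that walk; it is not code from the article, the FBI or any company named in it. Every address, transaction id and amount in it is constructed for illustration, and it traces at the address level, which simplifies away the transaction-output (UTXO) model that real blockchain analysis works on.

```python
"""Follow-the-money over a constructed, address-level transaction graph.

Constructed example: the transactions, addresses and amounts below are
invented for illustration only (amounts in BTC). Real Bitcoin tracing
works on transaction outputs, not addresses; this keeps the idea, not
the wire format.
"""
from collections import defaultdict, deque

# Constructed ledger: each entry lists where a transaction's funds came from
# and where they went. "unrelated" is noise the trace must not pick up.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": [("victim_addr", 75.0)],
     "outputs": [("ransom_addr", 75.0)]},
    {"txid": "tx2", "inputs": [("ransom_addr", 75.0)],
     "outputs": [("affiliate_addr", 63.7), ("operator_addr", 11.3)]},
    {"txid": "tx3", "inputs": [("operator_addr", 11.3)],
     "outputs": [("exchange_deposit", 11.3)]},
    {"txid": "unrelated", "inputs": [("someone_else", 2.0)],
     "outputs": [("another", 2.0)]},
]


def build_spend_index(txs):
    """Map each address to the transactions that spend from it."""
    spent_by = defaultdict(list)
    for tx in txs:
        for addr, _amount in tx["inputs"]:
            spent_by[addr].append(tx)
    return spent_by


def trace_funds(txs, start_addr, max_hops=10):
    """Breadth-first walk from start_addr, following every transaction that
    spends from an address already reached.

    Returns {address: (hops_from_start, txid_that_delivered_funds)}.
    max_hops bounds the walk so a busy ledger cannot run away."""
    spent_by = build_spend_index(txs)
    reached = {start_addr: (0, None)}
    queue = deque([(start_addr, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for tx in spent_by.get(addr, []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in reached:
                    reached[out_addr] = (depth + 1, tx["txid"])
                    queue.append((out_addr, depth + 1))
    return reached


def unspent_endpoints(txs, start_addr):
    """Where the traced funds currently rest: reached addresses that have
    not been spent from, with the amount delivered to each along the trace.

    Returns {address: balance_from_trace}."""
    reached = trace_funds(txs, start_addr)
    spent_by = build_spend_index(txs)
    balances = defaultdict(float)
    for tx in txs:
        # Only transactions funded from the traced flow count.
        if not any(addr in reached for addr, _ in tx["inputs"]):
            continue
        for out_addr, amount in tx["outputs"]:
            if out_addr in reached and out_addr not in spent_by:
                balances[out_addr] += amount
    return dict(balances)


if __name__ == "__main__":
    # Start from the address the (constructed) victim paid from.
    for addr, (hops, via) in sorted(trace_funds(TRANSACTIONS, "victim_addr").items(),
                                    key=lambda kv: kv[1][0]):
        print(f"hop {hops}: {addr}" + (f" (via {via})" if via else ""))
    print("funds resting at:", unspent_endpoints(TRANSACTIONS, "victim_addr"))
```

In this constructed ledger the walk reaches the ransom address in one hop, the split to an affiliate and an operator address in two, and the operator’s onward deposit in three, while the unrelated transaction is never touched; the two unspent endpoints are where a seizure warrant for the traced funds would have to point.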

Knowing how the FBI obtained the DarkSide actor’s private key is critical to determining whether law enforcement might be able to follow the money again and remove the economic incentive for other ransomware attackers in the future.

According to reports of an FBI press call on the wallet seizure, the Bureau said it is deliberately vague regarding how it obtained the private key to avoid tipping off hackers. According to one agent, the method the FBI used is “replicable,” which means authorities could use it against the next ransomware attacker. The FBI also revealed it received substantial help from the Microsoft Threat Intelligence Center (MSTIC) in seizing the wallet.

Three theories on how law enforcement found the wallet

“The FBI court documents leave much to speculation, but one thing that is certain is that they did take possession of the hacker group’s private key and the 63.7 bitcoin associated with it,” Adrian Bednarek, CISO of virtual economy company Overflow Labs, tells CSO. Bednarek speculates that one of three scenarios explains how the FBI obtained the hackers’ private key.

First, “sloppy operational security by DarkSide led to the FBI discovering the physical location of any computing devices that were used to collect ransomware payments,” he says, with the seizure of those devices leading to the forensic recovery of DarkSide’s private keys. This notion fits with DarkSide’s mid-May statement that it lost control over its servers.

Under a second scenario, which he considers the least likely, a DarkSide insider cooperated and cut a deal with the FBI to turn over any private key, Bednarek says.

Bednarek’s third scenario holds that the FBI used non-public zero-day exploits in either operating systems or software (or both) used by DarkSide to either “reveal the real internet protocol (IP) address of DarkSide computing devices and work with ISPs to get their physical location or execute malicious code to recover any bitcoin private keys forensically,” Bednarek says. “From previous experience, I can say that they even seek out and hire firms to specifically discover exploits in software used by adversaries.”

Monaco said this latest action is not the first time the US government has seized cryptocurrency connected with ransomware attacks. In January, authorities seized approximately $454,530.19 in cryptocurrency ransom payments in a multi-part offensive against the NetWalker ransomware gang.

Colonial Pipeline’s collaboration could encourage other victims to work with the feds

Colonial Pipeline acknowledged its collaboration in working with the FBI to seize the wallet and share knowledge with field officers and prosecutors. “When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington DC to share with them what we knew at that time,” Colonial said in a statement.

The FBI hopes that this successful seizure will encourage other ransomware victims to work with law enforcement to deprive ransomware attackers of financial gain.

“The message we are sending today is that if you come forward and work with law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they’re going after here, which is the proceeds of their criminal scheme,” Monaco said.

“This was an attack against some of our most critical national infrastructure in the form of the Colonial Pipeline. This represents the swift whole-of-government response represented in the work of this [FBI ransomware] task force and our determination to go after the entire ransomware criminal ecosystem used by these types of criminal networks and their affiliates.”

Ransomware actors could struggle to remain anonymous

Whether or not authorities succeed in weakening the ransomware ecosystem, this latest law enforcement action clearly signals that ransomware actors can be traced, which is bound to force some regrouping among the cyber criminals.

“Remaining anonymous on the internet is very difficult and requires meticulous attention to detail,” Bednarek says. “There are countless things to keep track of, so it’s very hard to remain anonymous online, especially when directing a ransomware attack that deals with the collection of cryptocurrency as a ransom.”

Speaking at the Justice Department’s press briefing, Acting U.S. Attorney Stephanie Hinds for the Northern District of California underscored the seeming futility of ransomware actors hiding behind supposedly anonymous cryptocurrency payment systems.

“New financial technologies that attempt to anonymise payments will not provide a curtain from behind which criminals will be permitted to pick the pockets of hardworking Americans,” she said. “This case demonstrates our resolve to develop methods, to prevent evildoers from converting new methods of payment into tools of extortion for undeserved profits.”

