US recovers $2.3 million in paid bitcoin
A sign warns consumers of the availability of gasoline at a RaceTrac gas station on May 11, 2021, in Smyrna, Georgia.
Elie Nouvelage | AFP | Getty Images
WASHINGTON (Reuters) – U.S. law enforcement said Monday it was able to recover $2.3 million in bitcoin paid to a cybercriminal involved in the crippling ransomware attack on Colonial Pipeline.
“Today we have turned the situation around on DarkSide,” Deputy Attorney General Lisa Monaco told a press briefing, adding that the money had been seized via a court order.
During the briefing, FBI Deputy Director Paul Abbate said agents were able to identify a virtual currency wallet that DarkSide hackers were using to collect payment from Colonial Pipeline.
“Using law enforcement, victims’ funds were seized from this wallet, preventing DarkSide actors from using them,” Abbate said.
The FBI declined to say precisely how it accessed the bitcoin wallet, citing the need to protect its tradecraft.
Elvis Chan, deputy special agent in charge of the FBI, told reporters that even overseas-based cybercriminals like DarkSide typically use U.S. infrastructure at some point during a crime. When they do, it gives the FBI a legal window to recover the funds.
DarkSide, allegedly a Russia-based criminal organization, operates a ‘ransomware as a service’ business model, which means that its hackers develop and market ransomware tools and sell them to other criminals, the ‘affiliates’, who then carry out attacks.
It is still unclear who the DarkSide affiliates were in the Colonial Pipeline attack.
U.S. Deputy Attorney General Lisa Monaco announces recovery of millions of dollars in cryptocurrency from Colonial Pipeline Co. ransomware attacks as she speaks at press conference with Deputy Director FBI Paul Abbate and Acting U.S. District Attorney for the Northern District of California Stephanie Hinds at the Department of Justice in Washington on June 7, 2021.
Jonathan Ernst | Reuters
DarkSide’s massive ransomware attack on Colonial Pipeline last month forced the company to shut down approximately 5,500 miles of U.S. fuel pipeline, disrupting nearly half of the East Coast’s fuel supply and causing gasoline shortages in the southeast and airline disruptions.
Ransomware attacks involve malware that encrypts files on a device or network, rendering the system unusable. The criminals behind such cyber attacks usually demand a ransom in exchange for decrypting the data.
Colonial Pipeline paid the hackers nearly $5 million in ransom, a source familiar with the situation confirmed to CNBC. It was not immediately clear when the transaction took place.
The FBI has previously warned victims of ransomware attacks that paying a ransom could encourage further malicious activity.
The government stopped short of banning ransomware payments altogether, fearing it would have little impact on whether or not companies pay ransoms and simply discourage them from reporting attacks.
Monday’s announcement was part of a larger effort to counter the private sector’s longstanding reluctance to publicly report cyber attacks and involve the government in its responses.
“The message here today is that [if you report the attack], we will use all our tools to fight against these criminal networks,” declared Monaco.
Officials highlighted the benefits to be gained by companies that promptly report cyber breaches to the FBI.
“Reporting victims can not only provide us with the information we need to have an immediate and real impact on actors… It can also prevent future damage from occurring,” Abbate said.
“The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to strengthen our defenses,” Colonial Pipeline CEO Joseph Blount said in a statement Monday evening.
“As our investigation into this event continues, Colonial will continue to be transparent in sharing information and learning with the FBI and other federal agencies,” he said.
Blount is scheduled to testify before the Senate Homeland Security Committee on Tuesday.
After the DarkSide attack, President Joe Biden told reporters that the United States had no intelligence linking the group’s ransomware attack to the Russian government.
“So far there is no evidence from our intelligence services that Russia is involved, although there is evidence that the actor’s ransomware is in Russia; they have some responsibility to handle that,” Biden said on May 10. He added that he would discuss the situation with Russian President Vladimir Putin.
The two leaders are expected to meet in Geneva on June 16.
The Kremlin has denied launching cyber attacks against the United States.
“The president’s message will be that responsible states do not harbor ransomware criminals, and responsible countries must take decisive action against these ransomware networks,” White House press secretary Jen Psaki told reporters before the summit.
The Biden administration is also pressuring the private sector to strengthen its defenses against ransomware.
“All organizations must recognize that no business is immune to being targeted by ransomware, regardless of size or location,” wrote Anne Neuberger, deputy national security adviser for cybersecurity and emerging technologies, in a June 2 memo.
“To understand your risk, business leaders should immediately convene their leadership teams to discuss the ransomware threat and review the company’s security posture and business continuity plans to make sure you have the opportunity to continue or quickly restore operations,” she added.
At the same time, the White House is working to modernize cybersecurity protocols and banking laws to respond to cryptocurrency and its growing role in financial crimes, from ransomware to corruption.
The prevalence of cryptocurrency in crimes such as ransomware attacks has also caught the attention of lawmakers on Capitol Hill.
“We have a lot of cash needs in our country, but we haven’t figured out, in the country or in the world, how to trace the cryptocurrency,” Sen. Roy Blunt, R-Mo., said on Sunday on the NBC program “Meet the Press.”
“You can’t trace the ransomware – the ransom payment of choice now. And we have to do a better job here,” he added.