FBI seized Colonial Pipeline ransom using private key

After Colonial Pipeline paid a $4.4 million ransom demand in last month's attack, the DOJ announced the majority of the funds have been retrieved by the FBI.

Using a bitcoin private key, the FBI recovered the majority of the ransom payment made by Colonial Pipeline Co. following a ransomware attack last month.

During a press conference Monday, Deputy Attorney General Lisa Monaco announced that the Department of Justice (DOJ) had "turned the tables on DarkSide," the ransomware network behind the attack on Colonial Pipeline. The DOJ found and recaptured $2.3 million of the $4.4 million Colonial paid in bitcoin to DarkSide, which is known for using a double extortion technique of encrypting victims' data and threatening to expose such data to the public.

Monaco said Colonial's quick notification to law enforcement aided in the retrieval, which was achieved by the newly formed Ransomware Task Force in a first for operations of this kind. The swift notification was also addressed at a Senate hearing Tuesday where Joseph Blount, CEO of Colonial Pipeline, testified. Blount said the company contacted the FBI within hours of the attack and that working with law enforcement from the start "may have helped lead to the substantial recovery of funds."

In Monday's press conference, Monaco discussed how the DOJ would combat the "epidemic" of ransomware attacks, which included going after the "entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency."

While digital currency is used by cybercriminals for the anonymity it provides, there are ways to trace it through blockchain ledgers, which are associated with different forms of cryptocurrency like bitcoin.

Court documents released by the DOJ show the FBI followed the bitcoin public ledger to an address that received two bitcoin payments on May 8 totaling 75,000 BTC -- the same date and amount Colonial decided to pay. From there, the FBI accessed the funds by using the private key linked to the bitcoin address. While the FBI said it came into possession of the private key, it did not specify how it obtained the key or why the full ransom amount wasn't recovered.

John Hammond, senior security researcher at managed threat detection provider Huntress, said the FBI may have been able to seize the ransom because DarkSide actors did not use an automated cryptocurrency mixer.

Requesting ransoms to be paid in cryptocurrency is a common practice among cybercriminals, who use methods such as automated mixers to obfuscate the funds and evade law enforcement. Money deposited into mixers is moved around repeatedly into different wallets and addresses, making it hard to uncover the original payments.

"This looks like DarkSide just shuffled the money around and, potentially, one of these servers was that address, the private key that they found. And maybe it's in some infrastructure that they use that the FBI still has jurisdiction over and could break in and seize it," Hammond said.

DarkSide, in particular, Hammond said, doesn't appear to be extremely sophisticated. Blount revealed during the press conference Tuesday that DarkSide breached Colonial Pipeline through a legacy VPN account that was not intended to be used. The threat actors gained access to the account, which did not have multifactor authentication protection, through an exposed password.

While they may have found initial success in the attack, Hammond said DarkSide appears to be prone to mistakes like not covering the money trail.

"If they used something like an automated utility or buried the money more, this would become extremely complex. In my opinion, I have to think that maybe we just got lucky," Hammond said.

Craig Williams, director of outreach for Cisco Talos, said the threat actors didn't take actions typically seen at a high level to hide the origin of cryptocurrency. "I think this was a case where the attackers didn't do everything that was possible in order to obfuscate their monetary path and that was advantageous for authorities."

According to Hammond, these attacks are enabled solely by cryptocurrency.

Other methods like wire transfers through international banks would not allow that to happen, he said, and gift card scams have a cap and are easily traced. "Cryptocurrency really lights the fire for this sort of thing."

Cybercriminals are constantly changing cryptocurrency evasion tactics. Don Spies, director of market development for cryptocurrency analysis firm Chainalysis, said that while some illicit actors use privacy coins in an attempt to obfuscate their transactions, they haven't been adopted to the extent one may expect. The reason is that they aren't as liquid as bitcoin and other cryptocurrencies.

"Cryptocurrency is only useful if you can buy and sell goods and services or cash out into fiat [currency], and that is much more difficult with privacy coins," he wrote in an email.

Despite the recovery of the Colonial Pipeline payment, experts say the illicit economy of cryptocurrency and the ransomware operators behind it are not going anywhere. Privateer groups like DarkSide, which operate independently but are effectively protected by foreign governments, are on the rise, Williams said, and they will continue to be a problem for the industry.
