Data Recovery Digest

There have been very few – if any – ransomware attacks on the scale that was seen in early May 2021; when Colonial Pipeline Co. was effectively shut down by a group known as DarkSide. As the company provides gasoline, diesel, home heating fuel and jet fuel at a rate of approximately 100 million gallons per day, the attack ultimately affected a large portion of the eastern United States.

Left with little other choice, Colonial Pipeline Co. quickly paid the requested sum – totaling approximately $5 million. The U.S. Department of Justice was able to locate and seize some of these funds, approximately 63.7 bitcoin totaling $2.3 million, thus far.

However, this isn’t your ordinary group of hackers. Instead of using ransoms to fund lavish lifestyles or even to build up their own resources, DarkSide has been known to donate some of their previous ransoms to various charities. Moreover, the group officially announced that they were ceasing any and all operations on May 14, 2021 -- less than two short weeks after the attack on Colonial Pipeline.

Tracking the Ransom

According to the Justice Department, they were able to locate and seize some of the funds simply by reviewing public ledger information. Since all bitcoin transactions are traceable through the blockchain, this was a relatively straightforward – if not monotonous – task. Exactly how they were able to secure the funds from that point, however, remains a mystery.

In a recent state, Paul Abbate, current deputy director with the FBI, said: “There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors. We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”

Within the same statement, Stephanie Hinds, acting U.S. attorney with the Northern District of California, said: “Cyber criminals are employing ever more elaborate schemes to convert technology into tools of digital extortion. We need to continue improving the cyber resiliency of our critical infrastructure across the nation, including in the Northern District of California. We will also continue developing advanced methods to improve our ability to track and recover digital ransom payments.”

The case, which is still ongoing, is spearheaded by the Special Prosecutions Section and Asset Forfeiture Unit of the U.S. Attorney’s Office for the Northern District of California. Additionally, they are receiving significant assistance from the National Security Division’s Counterintelligence and Export Control Section as well as the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section alongside the Computer Crime and Intellectual Property Section.

During the asset seizure itself, experts from the Department of Justice’s Ransomware and Digital Extortion Task Force was utilized, too.

Since the full ransom has yet to be recovered and specific culprits have yet to be identified, this case is actively being pursued by U.S. law enforcement. Considering the group responsible for the attacks has appeared to disband, however, this could prove even more difficult as the days, weeks, and months progress.