Today the FBI executed a seizure warrant and recovered 63.7 of the 75 bitcoins Colonial Pipeline paid as ransom to DarkSide. The 11.3 bitcoins not recovered, roughly 15% of the payment, are in line with the commission DarkSide takes from its “affiliates” under its ransomware-as-a-service model. In the Department of Justice (DoJ) announcement, Deputy Attorney General Lisa O. Monaco highlighted how this success demonstrates “the value of early notification to law enforcement.”
How the Colonial Pipeline recovery went down
The DoJ had formed a “Ransomware and Digital Extortion (RADE) Task Force” comprising members of the DoJ:
- Criminal Division:
  - Computer Crime and Intellectual Property Section (CCIPS)
  - Office of International Affairs (OIA)
  - Money Laundering and Asset Recovery Section (MLARS)
- National Security Division – Counterintelligence and Export Control Section (CES)
- Executive Office for U.S. Attorneys
- Civil Division
- Federal Bureau of Investigation (FBI)
- National Cyber Investigative Joint Task Force (NCIJTF)
The RADE task force “prioritizes the disruption, investigation, and prosecution of ransomware and digital extortion activity by tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes. The Task Force also strategically targets the ransomware criminal ecosystem as a whole and collaborates with domestic and foreign government agencies as well as private sector partners to combat this significant criminal threat.” In other words, it operates both as an intelligence organization with a mandate to penetrate the criminal ecosystem and as a reactive force that neutralizes the entities conducting hostile actions and recovers funds paid as a result of the extortion.
FBI Warns Cryptocurrencies Aren’t Beyond Its Grasp
FBI Deputy Director Paul Abbate spoke directly to the long arm of the law: “There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors. We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
On June 3, Deputy Attorney General Monaco issued a memorandum to all federal prosecutors that, in essence, reset how the resources of the U.S. government are brought to bear against the cybercriminals behind ransomware and extortion attacks. The memorandum describes the task force’s formation and sets out new requirements for handling this category of cybercrime.
As it turned out, the FBI was able to trace the supposedly “untraceable” payment by following the money on the public blockchain: bitcoin is pseudonymous, not anonymous, and every transfer is recorded on a ledger anyone can read. The DoJ announcement states that 63.7 of the bitcoins were “transferred to a specific address” and that the FBI held the “private key” for that address, which is what gives its holder control of the funds there. Once the seizure warrant issued, the FBI used that key to take custody of the 63.7 bitcoins. This suggests the FBI could reach DarkSide’s share of the payment, but not the portion that went to its affiliate.
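To make the “follow the money” step concrete, here is an added Python example; it is not code from this page, the FBI or the DoJ. It traces a payment forward through a constructed, hypothetical UTXO-style ledger until the funds come to rest at unspent outputs, then totals the portion sitting at addresses whose private key the investigator holds (only that portion can be spent, and therefore seized). The txids, addresses and the `KEYS_HELD` set are assumptions; only the 75 / 63.7 split mirrors the figures in the announcement.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed, hypothetical ledger for illustration. Txids and addresses are
# made up; only the 75 / 63.7 split mirrors the DoJ announcement.


@dataclass(frozen=True)
class TxOut:
    address: str
    value: Decimal          # BTC


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple           # (txid, vout) references to the outputs this tx spends
    outputs: tuple          # TxOut objects, indexed by vout


LEDGER = (
    # Victim's ransom payment: 75 BTC to the address the extortionists supplied.
    Tx("ransom", inputs=(("victim_funding", 0),),
       outputs=(TxOut("addr_intake", Decimal("75")),)),
    # The payment is split into the affiliate's share and the operator's cut.
    Tx("split", inputs=(("ransom", 0),),
       outputs=(TxOut("addr_affiliate", Decimal("11.3")),
                TxOut("addr_operator", Decimal("63.7")))),
    # The larger share hops once more, to the address whose key is later obtained.
    Tx("hop", inputs=(("split", 1),),
       outputs=(TxOut("addr_seized", Decimal("63.7")),)),
)

# Hypothetical: addresses whose private key the investigators hold. Whoever
# holds the key can sign a transaction spending that address's outputs.
KEYS_HELD = {"addr_seized"}


def trace_forward(ledger, start):
    """Follow one output (txid, vout) forward to the outputs that are still unspent.

    An output that appears as an input of a later transaction has been spent,
    so we continue with that transaction's outputs; anything never spent is
    where the funds currently rest.
    """
    by_id = {tx.txid: tx for tx in ledger}
    spent_by = {ref: tx.txid for tx in ledger for ref in tx.inputs}
    unspent, seen, stack = [], set(), [start]
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        spender = spent_by.get(ref)
        if spender is None:
            unspent.append(ref)          # terminal: still unspent
        else:
            # Caveat: if the spending tx also consumed unrelated inputs, this
            # taints all of its outputs; real tracing apportions by heuristics.
            stack.extend((spender, i) for i in range(len(by_id[spender].outputs)))
    return sorted(unspent)


def resting_places(ledger, start):
    """Map each unspent terminal output reached from `start` to its TxOut."""
    by_id = {tx.txid: tx for tx in ledger}
    return {ref: by_id[ref[0]].outputs[ref[1]] for ref in trace_forward(ledger, start)}


def total_traced(ledger, start):
    """Sum of everything the traced funds resolved to (should equal what went in)."""
    return sum((o.value for o in resting_places(ledger, start).values()), Decimal("0"))


def seizable(ledger, start, keys_held):
    """Value resting at addresses whose private key the investigators hold."""
    return sum((o.value for o in resting_places(ledger, start).values()
                if o.address in keys_held), Decimal("0"))


if __name__ == "__main__":
    origin = ("ransom", 0)
    for ref, out in resting_places(LEDGER, origin).items():
        print(f"{ref}: {out.value} BTC at {out.address}")
    print("traced total:", total_traced(LEDGER, origin), "BTC")
    print("seizable:", seizable(LEDGER, origin, KEYS_HELD), "BTC")
```

The point the example makes is the one in the announcement: tracing on a public ledger tells you where the funds sit, but only a private key for the resting address turns that knowledge into a seizure. The affiliate's 11.3 BTC are just as visible, and just as out of reach without the key.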
Important takeaway for facility security officers
The deputy attorney general’s reference to timely notification isn’t just a public relations line. Because Colonial brought the FBI into its ransomware situation early, the bureau was positioned to collect evidence about the crime as the payment moved and, as it turned out, to recover roughly 85% of the bitcoins paid.
That’s not to say the cards will fall this way every time. It does mean you improve your odds by bringing law enforcement into the equation early.