According to the DOJ, the funds were originally sent on May 8 as a ransom payment after the critical piece of energy infrastructure was compromised by the group. The recovery of the ransom payment was made possible, in part, by the newly minted Ransomware and Digital Extortion Task Force.
“Following the money remains one of the most basic, yet powerful tools we have,” said DOJ Deputy Attorney General Lisa O. Monaco, in a statement. “Ransom payments are the fuel that propels the digital extortion engine, and [this] announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”
Law enforcement agents were able to track the Bitcoin transfers associated with the payment, according to the announcement. From there, the FBI obtained the “private key” needed to access the coins, and on that basis U.S. Magistrate Judge Laurel Beeler of the Northern District of California authorized the seizure warrant.
“We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. [The] announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide,” Monaco added.
From Twitter:
The Daily Beast @thedailybeast Jun 4
"The ransomware attack that cost Colonial Pipeline roughly $5 million and sent gas prices soaring seems to have been the result of a single stolen password https://t.co/IngHcL7pjk?amp=1"
Krebs on Security, citing data from intelligence company Flashpoint, said the attack was likely intended only to solicit the ransom payment and was not primarily intended to damage U.S. energy infrastructure.
Krebs added that DarkSide has made a habit of “big game hunting” attacks aimed at organizations that have the means to pay the hefty ransoms it seeks. DarkSide has even made statements to that effect, claiming it is only interested in money. “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” reads the DarkSide Leaks blog, as noted by Krebs. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Regardless of DarkSide’s self-professed social conscience, guidance for the new DOJ task force calls for it to be vigilant and aggressive toward DarkSide and similar operations.
“A central goal of the recently launched Ransomware and Digital Extortion Task Force is to ensure that we bring to bear the full authorities and resources of the Department in confronting the many dimensions and root causes of this threat,” it reads. “We know that ransomware attacks and digital extortion schemes are often conducted by transnational criminal actors, spread without regard to geographic borders, and thrive on the abuse of online digital and financial infrastructure. Accordingly, the Department must make sure that its efforts in combating digital extortion are focused, coordinated, and appropriately resourced.”