U.S. law enforcement officials say they are fighting back against the Russian-based criminal network that shut down gasoline pipelines in parts of the United States last month, with most of the virtual currency ransom money intercepted before it could be used.
The U.S. Department of Justice announced Monday (June 7) that Colonial Pipeline paid about $5 million to the DarkSide network after a ransomware attack. Of the $5 million paid by Colonial Pipeline to the DarkSide network, $2.3 million was recovered by the Department of Justice. The ransomware attack had led to fuel supply shortages on the U.S. East Coast.
“We turned the tide against DarkSide,” said Deputy Attorney General Lisa Monaco. She called the interception of the ransom money a “significant development.
She added, “Ransomware attacks are never acceptable, but when they target critical infrastructure, we will respond relentlessly.”
“Colonial Pipeline, the target of the May 7 attack by Dark Side, is the largest fuel pipeline operator in the United States, responsible for about half of the fuel supply on the U.S. East Coast.
After the attack, the company decided to comply with the Dark Side’s demands and paid about $5 million in cryptocurrency bitcoin. But U.S. government officials said Colonial Pipeline also worked closely with law enforcement agencies, and authorities were able to track the ransom money and uncover a virtual wallet.
Specifically, officials said they obtained the virtual key that unlocked the contents of this virtual wallet.
As a result, the Justice Department said it had recovered about 80 percent of the cryptocurrency before the “dark side” was able to extract the ransom from the wallet. The value of cryptocurrency has fallen in recent weeks.
“We let a cybercriminal group’s campaign fail to succeed,” said FBI Deputy Director Paul Abbate. “For financially motivated cybercriminals, especially those who may be located overseas, cutting off access to revenue is one of the most impactful consequences we can impose.”
Officials said this is not the first time they have recouped ransom payments to groups like Dark Side and encouraged other companies to cooperate with the government in the event of an attack.
Monaco said, “The message we’re sending today is that if you step up and work with law enforcement, we may be able to take the actions that we’re taking today to keep criminals from achieving what they’re trying to achieve.”
But she added that such actions are a “major undertaking” and “we can’t guarantee it and may not be able to do it every time.”
The FBI has been investigating the “dark side” since October of last year. The network has attacked 90 victims in key sectors such as manufacturing, health care and energy, the FBI said.
“The Dark Side and its affiliates have also been linked to ransomware attacks in at least 14 other countries. Last month, the Wall Street Journal reported that the group made nearly $60 million in seven months, including $46 million in the first three months of the year.
Joseph Blount, president of Colonial Pipeline, said in a statement late Monday that the company thanked the Justice Department and the FBI for their help, saying they “played a key role in helping us understand the threat actors and their tactics.
“Holding cybercriminals accountable and disrupting the ecosystem they depend on is the best way to deter and defend against such attacks in the future,” Blount added. “As we continue our investigation into the incident, the Colonial Pipeline will continue to be transparent, sharing intelligence and what we learn with the FBI and other federal agencies.”
The Justice Department’s announcement also earned praise from a number of private cybersecurity firms, one of which called the interception of the ransom money a “welcome development.
“In addition to the immediate benefits of this approach, a stronger focus on disruptive activity may inhibit what is becoming a vicious cycle,” John Hultquist, vice president for analytics at Mandiant, said in a statement. said in a statement. “Law enforcement agencies need to broaden their avenues beyond building cases against criminals who may be beyond the reach of the law.”
President Joe Biden is expected to raise the issue of the Dark Side ransomware attack when he meets with Russian President Vladimir Putin in Geneva, Switzerland, next week.
Biden had previously said Moscow was “partly responsible” for handling the attack.
White House press secretary Jen Psaki told reporters last week, “The president’s message will be that responsible countries do not harbor ransomware criminals, and that responsible countries take decisive action against these ransomware networks.”
Biden will also use next week’s meeting with G-7 leaders to discuss “strengthening our robustness and resilience against ransomware attacks,” U.S. National Security Adviser Jake Sullivan said Monday.
The United States also wants to discuss how to better share information about ransomware attacks, Sullivan said.