Colonial Pipeline, the company hit by ransomware that shut down a 8,850km stretch of pipe supplying fuel for states on the East Coast of US, paid its cyber attackers around $4.4 million in bitcoin to decrypt its files.
Cryptocurrency analysis firm Elliptic said it found the wallet used by the DarkSide ransomware group and spotted Colonial’s payment of 75 bitcoin – currently worth $4.4 million – move into the wallet on 8 May, shortly after the attack began.
Since early March, over $22.5 million had moved through the wallet DarkSide used for its ransomware-as-a-service operation, including a 78 bitcoin ransom from US chemical distribution company Brenntag.
Elliptic co-founder Dr Tom Robinson hopes the analysis of DarkSide’s wallets through the blockchain will help catch the perpetrators.
“By tracing previous outflows from the wallet, we can gain insights into how DarkSide and its affiliates were laundering their previous proceeds,” Dr Robinson said.
“What we find is that 18% of the Bitcoin was sent to a small group of exchanges.
“This information will provide law enforcement with critical leads to identify the perpetrators of these attacks.”
Hacking the hackers
But as their wallets were being scrutinised, DarkSide was preparing to disappear.
Last Friday, around a week after it orchestrated one of the highest profile ransomware attacks in history, DarkSide announced its servers had been taken offline and cryptocurrency siphoned out of its accounts in what appears to be a law enforcement operation.
“A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the blog, payment server, CDN servers,” DarkSide said in a note re-published by cyber security firm Intel 471.
“At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.
“The hosting support service doesn't provide any information except ‘at the request of law enforcement authorities’.”
The announcement also said money from its payment server had been “withdrawn to an unknown account” and that it would pay its affiliates – hackers who the group hires to deliver its malicious payloads – by 23 May.
DarkSide’s attack has caused a shake-up among other ransomware operators as popular Russian-speaking hacking forum XSS said it would no longer allow threads hiring for ransomware affiliates, with a site admin saying it had “become dangerous and toxic”.
“There’s too much publicity. Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it,” the XSS administrator said, according to Krebs On Security.
“The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks.”
Other public hacking communities quickly followed suit with administrators for Exploit and Raid both saying they would ban ransomware groups from promoting their affiliate programs.
Taking away the money
With their recruitment centres shutting down and ill-gotten money being seized, life will be harder for the ransomware gangs that have terrorised unsuspecting organisations for years.
Crowdstrike Senior VP of Intelligence, Adam Meyers, told Information Age ransomware wouldn’t go away until you hit the operators where it hurt: their wallets.
“It’s simple economics for the bad guys – as long as they’re getting paid they keep doing what they’re doing,” he said.
“You have to make it more expensive for them to operate. Lower their return on investment and maybe they’ll go away.
“But as long as there’s no downside, I don’t see this changing in any significant way.”
Meyers said it was crucial for all organisations to invest in cyber security and not just expect they won’t get attacked.
“Of course, some school district in rural America is not going to be able to afford a hot-shot security person, but if they’re not going to hire dedicated security personnel, they at least need some kind of managed security service,” he said.