The US recently announced that it had recovered the ransom paid by Colonial Pipeline to the ransomware group Darkside in May this year. The Department of Justice said on June 7 that it had managed to recover 63.7 Bitcoins of the 75 that were paid as ransom to resume operations.
The ransom was paid after Colonial Pipeline had to shut down over 8,000 km of its pipeline network because of a ransomware attack.
Colonial Pipeline had paid a ransom of $4.5 million in order to decrypt its systems. Of that amount, $2.3 million was recovered by the Federal Bureau of Investigation. Even though a significant portion of the Bitcoins was recovered, the drop in the Bitcoin price means that a large portion of the value was lost.
How was the money paid?
Colonial Pipeline had paid the ransom in Bitcoin to Darkside, the group that had claimed responsibility for the ransomware attack. Bitcoin is preferred by cybercriminal groups because of its decentralised nature. Digital currency is widely believed to be totally anonymous, confidential, and hard to trace. But such assumptions have been put to the test now that the FBI has managed to recover the ransom.
Every transaction is stored on the blockchain, a shared public record, and it is often possible to track the movement of funds through it.
How did the FBI recover the ransom?
After the ransom was paid, the Bitcoins were transferred through multiple addresses and wallets. As the FBI had been informed well in advance, it began tracking the money as it was being transferred. Since every Bitcoin transfer is recorded in a public ledger, the transfers can be traced.
The FBI managed to trace 69.6 Bitcoins back to a single account using a blockchain explorer. The bureau found that over two dozen unique Bitcoin addresses were used in the laundering attempt.
After this, the investigators managed to obtain the private key to the wallet holding the ransom. Details are unclear as to how the FBI got hold of the wallet key. Possible sources include compromising the group's own systems to obtain the private key, using an informant, or asking a cryptocurrency exchange to hand over the information if the ransom was stored there.
The FBI provided no details but said it would continue to improve its methods for recovering digital ransom payments.
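The tracing described above relies on the fact that the ledger is public: an investigator seeds the payment address as "tainted" and follows each spend forward, diluting the taint whenever tainted coins are mixed with unrelated ones, until the funds settle in a few consolidation addresses. The following is an added illustration of that idea, not code from the article or from any FBI tool. It runs on a constructed, simplified ledger (the `LEDGER` list, the address names and the amounts are all invented for the example) and uses the proportional "haircut" rule, one of several attribution rules that chain-analysis practitioners apply to real UTXO data.

```python
"""Toy forward-tracing of tainted funds over a simplified public ledger.

Assumptions (example only, not a real chain format):
  * each transaction lists the addresses it spends from and the
    (address, amount) pairs it pays to;
  * an address that appears as an input is spent in full;
  * a transaction with no inputs simply creates coins (funding).
"""
from collections import defaultdict

# Constructed sample ledger, in chronological order. 't4' mixes the
# laundered coins with 10 unrelated coins to show how taint is diluted.
LEDGER = [
    {"txid": "t0", "inputs": [], "outputs": [("victim", 75.0), ("unrelated", 10.0)]},
    {"txid": "t1", "inputs": ["victim"], "outputs": [("ransom_addr", 75.0)]},
    {"txid": "t2", "inputs": ["ransom_addr"], "outputs": [("hop_a", 40.0), ("hop_b", 35.0)]},
    {"txid": "t3", "inputs": ["hop_a"], "outputs": [("hop_c", 30.0), ("hop_d", 10.0)]},
    {"txid": "t4", "inputs": ["hop_b", "unrelated"], "outputs": [("hop_e", 45.0)]},
    {"txid": "t5", "inputs": ["hop_c", "hop_e"], "outputs": [("consolidation", 75.0)]},
]


def trace_taint(ledger, seed_address):
    """Follow coins paid to `seed_address` forward through the ledger.

    Returns (holdings, touched): `holdings` maps each address that still
    holds tainted coins to the tainted amount it holds; `touched` is the
    set of every address that ever received tainted coins.
    """
    balance = defaultdict(float)   # coins currently held per address
    taint = defaultdict(float)     # tainted share of that balance
    touched = set()

    for tx in ledger:
        total_in = sum(balance[a] for a in tx["inputs"])
        tainted_in = sum(taint[a] for a in tx["inputs"])

        # Inputs are spent in full.
        for addr in tx["inputs"]:
            balance[addr] = 0.0
            taint[addr] = 0.0

        for addr, amount in tx["outputs"]:
            balance[addr] += amount
            if total_in > 0:
                # Haircut rule: each output inherits the tainted fraction
                # of the inputs (multiply first to keep exact values here).
                share = amount * tainted_in / total_in
                taint[addr] += share
            if addr == seed_address:
                # Everything paid to the ransom address is tainted by definition.
                taint[addr] = balance[addr]
            if taint[addr] > 0:
                touched.add(addr)

    holdings = {a: t for a, t in taint.items() if t > 0}
    return holdings, touched


def largest_holder(holdings):
    """Address where most of the traced funds ended up, with the amount."""
    addr = max(holdings, key=holdings.get)
    return addr, holdings[addr]


if __name__ == "__main__":
    holdings, touched = trace_taint(LEDGER, "ransom_addr")
    print("addresses that handled tainted coins:", sorted(touched))
    for addr, amount in sorted(holdings.items()):
        print(f"{addr:14s} holds {amount:6.1f} tainted coins")
    print("largest holder:", largest_holder(holdings))
```

In the sample, 65 of the 75 traced coins end up in `consolidation` and 10 remain parked in `hop_d`; seven addresses touch the funds along the way. The FBI's account of more than two dozen addresses converging on one wallet is the same picture at larger scale, which is why hopping between self-controlled addresses does little to hide funds on a public ledger.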
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate.
“We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
“Cybercriminals are employing ever more elaborate schemes to convert technology into tools of digital extortion,” said Acting U.S. Attorney for the Northern District of California Stephanie Hinds. “We need to continue improving the cyber resiliency of our critical infrastructure across the nation, including in the Northern District of California. We will also continue developing advanced methods to improve our ability to track and recover digital ransom payments.”
Bitcoin prices slumped to a two-week low, with analysts pointing to a technical breakdown as well as the recovery of Colonial Pipeline’s ransom as evidence that cryptocurrency isn’t beyond government control.