Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

US authorities recovered most of the ransom paid by Colonial Pipeline

US officials announced to have recovered most of the $4.3 million ransom that Colonial Pipeline paid to the DarkSide ransomware gang last month. During a video press conference, US officials announced to have recovered most of the $4.3 million ransomware that Colonial Pipeline paid to the DarkSide ransomware gang. The Colonial Pipeline facility in Pelham, […]

darkside US Colonial Pipeline

US officials announced to have recovered most of the $4.3 million ransom that Colonial Pipeline paid to the DarkSide ransomware gang last month.

During a video press conference, US officials announced to have recovered most of the $4.3 million ransomware that Colonial Pipeline paid to the DarkSide ransomware gang.

The Colonial Pipeline facility in Pelham, Alabama, was hit by a ransomware attack in May and its operators were forced to shut down its systems. The pipeline allows carrying 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, it covers 45 percent of the East Coast’s fuel supplies.

A few days later, the U.S. Federal Bureau of Investigation confirmed that the Colonial Pipeline was shut down due to a cyber attack carried out by the Darkside ransomware gang.

Multiple media, citing people familiar with the matter, reported that the company had initially refused to pay the ransom. However, the quick restoration of the operations is suspicious and suggests that the operators of the Colonial Pipeline have paid the ransom.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files.

“After Colonial Pipeline’s quick notification to law enforcement, and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the Dark Side Network in the wake of last month’s ransomware attack,” said Lisa Monaco, Deputy Attorney General for the US Department of Justice. “Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response.”

This is the first seizure ever made by the Justice Department task force to hijack a cybercriminal group’s profits through a hack of its Bitcoin wallet. The DoJ had seized 63.7 Bitcoins out of the 75 Bitcoin paid by Colonial Pipeline, currently valued at about $2.3 million.

The US authorities were able to follow the funds through multiple Bitcoin addresses managed by the Darkside gang and identified their main wallet (bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq) containing 75 Bitcoin.

FBI investigators said they tracked the ransom payment across multiple Bitcoin addresses, as the Darkside group moved funds around. They were able to seize the funds after they gained access to one account’s private key, which acts as a password for that account.

At the time of this writing, it is still unclear if the FBI received the private key from the Darkside gang or if it was obtained in another way.

“This address was emptied at around 1.40pm (Eastern Time) today – presumably by US authorities. (There was also the movement of an additional 5.9 BTC not mentioned in the affidavit).” reported the security firm Elliptic.

“This action by US authorities demonstrates the value of blockchain analytics to track down proceeds of crime in cryptocurrency, and ensure that ransomware does not pay for the criminals behind it.”

“The seizure announced today was conducted as part of the Department’s recently launched Ransomware and Digital Extortion Task Force, which was established to investigate, disrupt and prosecute ransomware and digital extortion activity,” Monaco added. “This is the Task Force’s first operation of this kind.”

FBI is currently tracking more than one hundred ransomware gangs that have targeted US companies.

The U.S. Department of Justice plans to equate investigations into ransomware attacks with investigations into terrorism in the wake of the Colonial Pipeline hack. Colonial Pipeline before, and recently the JBS attack, demonstrated that allegedly financially motivated ransomware attack could have a dramatic impact on the targeted organizations and on the related sectors.

The US authorities created a special task force to coordinate investigation into ransomware attacks in the country.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]