Why the FBI's Recovery of Colonial Pipeline Ransom Signals Hope for the Future

The "win for the good guys" is a monumental step toward breaking down the business model of ransomware and digital extortion.

Morgan Demboski and Alexander J. Parella, Threat Intelligence Analyst, IronNet Cybersecurity / Threat Hunter, IronNet Cybersecurity

July 21, 2021

Image: FBI headquarters, Washington, DC (Kristina Blokhin via Adobe Stock)

Decentralized cryptocurrency wallets have become a popular cultural phenomenon, but on the other side of the (bit)coin, they have served a much darker purpose.

Take DarkSide, for example, the Russia-based cybercriminal enterprise that netted $4.4 million in untraceable bitcoins through its ransomware attack on Colonial Pipeline's IT systems. That case, which caused widespread fuel shortages across the East Coast, is just a microcosm of a much larger problem. Bitcoin is the primary enabler of our societal ransomware crisis, allowing attackers to quickly collect large volumes of cash across international borders with minimal risk of exposure. In 2020, it accounted for 98% of ransomware payments, which put more than $350 million worth of financial resources into the hands of cybercriminals and nation-state cyberattackers.

The federal government's inability to track bitcoin payments has emerged as one of the top challenges to combatting ransomware. Visible progress has been made, however. On June 7, the US Department of Justice (DOJ) finally scored "a win for the good guys" by recovering 63.7 bitcoins — valued at $2.3 million at the time — paid in ransom to DarkSide by Colonial Pipeline in order to regain control of its network. The FBI's successful response can be viewed as a monumental step in the right direction toward breaking down the business model of ransomware and digital extortion.

How US Law Enforcement Responded
Nearly a week after the attack, DarkSide announced it was ceasing operations after US law enforcement seized its public infrastructure — including its website, payment server, and content distribution network (CDN) server. The group also stated it was releasing the decryption tools for all outstanding ransomware attacks that hadn't been paid yet.

Simultaneously, DOJ investigators were closely monitoring the activity of DarkSide's crypto wallet address. Unlike fiat currency transferred privately using bank routing and individual account numbers, every bitcoin transaction is recorded in a distributed public ledger called the blockchain. Because the blockchain is inherently transparent, all transactions are public, traceable, and immutable, which enabled the DOJ to keep tabs on DarkSide's crypto wallet without hacking anything. Colonial Pipeline also collaborated closely with the DOJ throughout the process to streamline the investigation.

Cybercriminal enterprises commonly distribute cryptocurrency payments among hundreds of other crypto wallets for reasons such as sharing profit with affiliates, transferring the profit to money launderers who clean the illegal funds, or converting the bitcoin to fiat currencies. Immediately following the ransom payment, the DOJ traced several bitcoin transfers from DarkSide to other crypto wallets. Then, on May 27, the FBI observed a transfer of approximately 63.7 bitcoins (that is, $2.3 million) to a specific address that it was able to access: the FBI had obtained the private cryptographic key belonging to that bitcoin address — essentially a login password for DarkSide's crypto wallet.
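To make the tracing step concrete, here is an added example (not from the article, the DOJ, or IronNet): a constructed ledger of transfers, in satoshis, plus a breadth-first walk that follows outflows from a seed address, reports each downstream address's net balance, and picks out the largest outgoing transfer. All addresses and transaction ids are placeholders.

```python
from collections import defaultdict, deque

SATS_PER_BTC = 100_000_000  # Bitcoin amounts are integer satoshis; avoids float drift

# Constructed sample ledger (placeholder ids and addresses, not real chain data).
# Each record: (txid, from_address, to_address, amount_sats)
LEDGER = [
    ("tx1", "victim_addr", "ransom_addr", 75 * SATS_PER_BTC),            # ransom paid in
    ("tx2", "ransom_addr", "affiliate_addr", 637 * SATS_PER_BTC // 10),  # 63.7 BTC share
    ("tx3", "ransom_addr", "operator_addr", 113 * SATS_PER_BTC // 10),   # 11.3 BTC cut
    ("tx4", "affiliate_addr", "exchange_addr", 20 * SATS_PER_BTC),       # partial cash-out
    ("tx5", "unrelated_a", "unrelated_b", 5 * SATS_PER_BTC),             # noise, unreachable
]


def trace_outflows(ledger, seed, max_hops=3):
    """Breadth-first walk downstream from `seed`, following outgoing transfers only.

    Returns {address: (hops_from_seed, txid_that_first_reached_it)}; the seed maps to (0, None).
    """
    edges = defaultdict(list)
    for txid, src, dst, _amt in ledger:
        edges[src].append((dst, txid))
    reached = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        hops = reached[cur][0]
        if hops >= max_hops:
            continue
        for dst, txid in edges[cur]:
            if dst not in reached:  # first path found is the shortest in hops
                reached[dst] = (hops + 1, txid)
                queue.append(dst)
    return reached


def net_balance(ledger, address):
    """Inflows minus outflows for one address, in satoshis."""
    inflow = sum(a for _, _s, d, a in ledger if d == address)
    outflow = sum(a for _, s, _d, a in ledger if s == address)
    return inflow - outflow


def largest_outflow(ledger, address):
    """Biggest single transfer out of `address` as (txid, destination, amount_sats), or None."""
    outs = [(t, d, a) for t, s, d, a in ledger if s == address]
    return max(outs, key=lambda rec: rec[2], default=None)
```

Against a real investigation the same walk runs over transaction data pulled from a public block explorer or a full node rather than a hand-built list.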

We speculate this happened when DarkSide's public infrastructure was seized by federal law enforcement in mid-May. Once FBI officials used this key to access the wallet, which likely contained the sum of ransom shared with DarkSide affiliates, they were legally able to seize the bitcoins because the funds were related to computer intrusion and money laundering under criminal and civil forfeiture statutes. The FBI then transferred the cryptocurrency to another crypto wallet of its choosing.

What It Means for the Future
As ransomware attacks continue to cripple corporate networks, perhaps the outcome of the Colonial Pipeline hack can serve as a glimmer of hope for our collective fight against cybercriminals. The new Ransomware and Digital Extortion Task Force, which targets the entire ransomware criminal ecosystem, has shown it can exploit the transparent nature of the Bitcoin blockchain to intercept stolen funds from crypto wallets. As a result, federal law enforcement can more effectively disrupt the financial infrastructure that ransom groups rely on to carry out their attacks.

Executing similar responses more consistently could significantly hinder ransomware's impact on the public and private sectors. By forcing extortionists to pause their attacks and develop new methods for accepting ransom payments, corporations will have time to improve their cybersecurity posture by investing in best-in-class technologies and adopting new cyber-defense approaches. The quick formation of the Task Force shows the high priority the federal government places on monitoring cryptocurrency funds exchanged by cybercriminals. We expect that the increased monitoring, coupled with mounting pressure for tighter cryptocurrency regulation, will make it exceedingly challenging for hackers to liquidate their crypto assets.

The magnified attention on ransomware operations has intensified pressure on host countries to crack down on cybercrime, causing several ransomware groups to cease or scale back operations. Along with DarkSide, ransomware gangs such as Babuk, AKO, Everest, and Avaddon all have recently shut down or gone private. Additionally, various major cybercriminal forums — which are leveraged by criminal groups to advertise their services, find partners, and share information — have shifted their policies regarding ransomware. Several hacking forums have banned or discouraged the discussion of ransomware, prohibited ransomware ads, and/or forbidden recruitment for ransomware-as-a-service affiliate programs.

The other element of the US government's offensive approach against ransomware has been an increased focus on improving the nation's cyber defenses. President Biden's cybersecurity Executive Order promotes the idea that collective defense and public-private collaboration are vital to countering the proliferation of cyberattacks against US critical infrastructure. The Colonial Pipeline shutdown highlighted the vulnerability of our nation's infrastructure to cyberattacks, as well as how debilitating such a disruption of services can be to the country.

The need for improved cybersecurity across the nation is abundantly clear. By uniting private companies with the federal agencies that are subverting the foundations of criminal cryptocurrency operations, the cybersecurity industry may just be able to beat ransomware gangs at their own notorious game.

About the Author(s)

Morgan Demboski and Alexander J. Parella

Threat Intelligence Analyst, IronNet Cybersecurity / Threat Hunter, IronNet Cybersecurity

Morgan Demboski is a Threat Intelligence Analyst for IronNet Cybersecurity and is currently pursuing a Master's degree in Intelligence and Security Studies and a Graduate Certificate in Intelligence Analysis through The Citadel in Charleston, SC. She is also Co-Director of Communications at The Prosecution Project (tPP), a long-term, Open-Source Intelligence research platform tracking and analyzing felony criminal cases involving illegal political violence occurring in the US since 1990. She graduated from Miami University in May 2020 with a degree in Social Justice Studies (concentration in Crime & Law) and a minor in Political Science. 

Alexander J. Parella is an IronNet Cybersecurity Threat Hunter responsible for triaging network traffic as a customer-facing network defense analyst. Alex specializes in network traffic analysis (based on behavioral analytics), threat intelligence, machine learning, and blockchain technology. He holds a bachelor's degree in computer science from Boston University.
