How did the United States recover part of the ransom paid in a ransomware attack on Colonial Pipeline? – Internet

Ransomware attacks are becoming increasingly common. a The State of the Colonial Pipeline of North America, which led to the shutdown of one of the largest pipelines in the United States, quickly became one of the biggest incidents on the cybersecurity scene in 2021, prompting the US government to act to mitigate its consequences.

In a double blackmail scheme, a group of Russian-linked attackers known as DarkSide stole nearly 100GB of information from the colony pipeline, threatening to reveal it if the company failed to pay a ransom of 75 bitcoins, which due to the recent devaluation of the cryptocurrency. amounting to approximately $4.4 million.

Colonial Pipeline ended up agreeing to the cybercriminals’ request, but through a process in collaboration with the FBI and the US Department of Justice (DOJ) it was possible to recover part of the ransom paid by the company. In all, 63.7 bitcoins were recovered, equivalent to about $2.3 million.

“Using cutting-edge technologies to hold companies and even cities hostage for profit is certainly a 21st century challenge, but the old adage ‘follow the money’ still applies,” said Lisa O’Monaco, the US attorney general. a Press Conference about the process.

The attorney general stressed that “ransom payments are the fuel that drives the digital extortion engine,” adding that the announcement makes clear that “the United States will use all available tools” to make attacks less profitable for cybercriminals. “We will continue to focus our attention on the ransomware ecosystem in order to destabilize and stop these attacks.”

The seizing of part of the rescue is allegedly the first operation carried out by the newly established task force of the Department of Justice, which includes members of the FBI, the Cybersecurity and Infrastructure Security Agency and other agencies. The task force will now coordinate investigations into cases of digital extortion, keeping abreast of techniques and tools used by criminals.

“Follow the money”: how did the investigators come to the rescue?

Last month , New York Times Journal I have previously submitted that the amount paid by Colonial Pipeline has been deducted from DarkSide Group’s original virtual wallet. to me official documents During the investigation, authorities worked with Colonial Pipeline to identify a hypothetical rescue path through 23 cryptocurrency wallets operated by criminals.

Investigators later found a cryptocurrency wallet used by the group to collect the ransom of the victim, who was described in the documents as “Victim X,” whose details match those of the Colonial pipeline. With the approval of the judge, who approved the investigating man, they were able to gain access to the wallet in question and recover part of the ransom, the Justice Department explains in the statement.

According to Paul M. Abate, Deputy Director of the FBI, during the Justice Department conference, the FBI began investigating the Darkside Group last year and identified more than 90 victims from multiple sectors. The cybercriminals are believed to have started their operations in August of last year, and even before they started their solo journey into the world of cybercrime, they belonged to another Russian group called REvil.

Remember that weeks after the colonial pipeline attack, REvil group attacked JBS, one of the world’s largest meat processing companies, forcing it to shut down part of its production in three countries. Even earlier, the group was also behind the ransomware attacks in left e At Quanta Computers, a Taiwanese computer and electronics hardware manufacturer working with Apple.

Recently, a new investigation by Mandiant, part of the cybersecurity company FireEye, revealed that DarkSide group cybercriminal portal will be password hack. Hackers gained access to Colonial Pipeline’s intranet through an account that was not active on the company’s Virtual Private Network (VPN) on April 29.

The account’s password was discovered in a set of credentials exposed on the Dark Web, which means that a Colonial Pipeline employee may have used the same password on another previously compromised account. The VPN account also did not use multi-factor authentication, allowing cybercriminals to easily enter the internal network using only the credentials in question.