The United States Department of Justice announced it had recovered 63.7 bitcoins out of the 75 paid by Colonial Pipeline in the attack on the company.
The FBI was able to access a Bitcoin wallet belonging to DarkSide, the group behind the ransomware of the same name, and to recover part of the ransom that was stored in it.
A private key recovered by the FBI
It was in a press conference held on Monday that the United States Department of Justice announced it had gained access to a Bitcoin wallet belonging to DarkSide, which held part of the ransom paid by Colonial Pipeline. The group behind the ransomware disbanded after the attack and announced that the authorities had seized its servers and cryptocurrency reserves. The Justice Department's announcement appears to confirm those claims.
The FBI obtained a private key allowing it to recover 63.7 Bitcoins, now worth approximately 1.85 million euros, out of the 75 paid by Colonial Pipeline. The agency declined to say precisely how the key was obtained, but hinted that the method was reproducible and did not depend on the hackers having used US cryptocurrency platforms, which cuts short speculation that they had used a service like Coinbase.
Another hypothesis has been put forward: that of a private key stored on a payment server seized by the authorities. This assumption is supported by a statement from DarkSide announcing that it had lost access to one of its payment servers, and by the fact that the sum recovered by the FBI corresponds more or less to the share DarkSide would pay to the affiliates who carried out the attack using its ransomware-as-a-service.
A compromised password behind the attack on Colonial Pipeline
Bloomberg disclosed in an article on Friday how the hackers gained access to the Colonial Pipeline network as early as April 29. The credentials of an account used to connect to a VPN providing remote access to the company's network were obtained by the hackers, without anyone knowing how. The account was no longer in use but still allowed logins, and it lacked basic security measures such as two-factor authentication, so the hackers could log in with just a username and password.
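The two weaknesses described above, a dormant account that can still log in and an account without multi-factor authentication, are both detectable with a routine inventory check. The following is an added example, not code from the article or from any VPN vendor; the account record layout, the 90-day dormancy threshold and the sample accounts are constructed for illustration.

```python
"""Audit a VPN account inventory for enabled accounts that are dormant
or lack MFA. Added example with a constructed record format; the
threshold and sample data are assumptions, not from any real system."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class VpnAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[datetime]  # None means the account never logged in


# Assumed policy: an account unused for longer than this is dormant.
DORMANCY_LIMIT = timedelta(days=90)


def audit_accounts(accounts: List[VpnAccount], now: datetime) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that are
    dormant, lack MFA, or both. Disabled accounts are skipped because
    disabling is the desired end state for an account nobody uses."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_login is None or now - acct.last_login > DORMANCY_LIMIT:
            findings.append((acct.username, "dormant-but-enabled"))
        if not acct.mfa_enrolled:
            findings.append((acct.username, "no-mfa"))
    return findings


# Constructed sample inventory: one healthy account, two that should be
# flagged, and one already disabled.
NOW = datetime(2021, 4, 29, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    VpnAccount("ops-jdoe", True, True, NOW - timedelta(days=2)),
    VpnAccount("contractor-old", True, False, NOW - timedelta(days=200)),
    VpnAccount("svc-backup", True, False, None),
    VpnAccount("former-employee", False, False, NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{user}: {finding}")
```

Run against a real export, the check would be scheduled regularly; an account that appears under "dormant-but-enabled" should be disabled rather than left to expire on its own, and any "no-mfa" result on a remote-access account is worth treating as an open finding until the enrolment is fixed.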
A few days later, the ransomware struck, forcing the company to pay the demanded ransom of around 3.6 million euros. Thanks to this seizure, Colonial Pipeline will now be able to recover part of that payment. The operation is the first of its kind carried out by the newly created Ransomware and Digital Extortion Task Force, a specialized unit for the fight against ransomware set up by the Biden administration.