Following the creation of the DOJ’s Ransomware and Digital Extortion Task Force in April 2021, and on the heels of the Biden administration’s characterization of ransomware as a national security threat, on June 7, 2021 the DOJ announced that it had seized $2.3 million (63.7 bitcoin) in proceeds from a recent ransom paid to DarkSide in connection with a ransomware attack on U.S. critical infrastructure. In seizing the funds, the DOJ recovered most of a ransom paid on May 8, 2021 to DarkSide criminal actors. Although the ransom initially paid was 75 bitcoin (approximately $4.3 million at the time of payment), the amount recovered was 63.7 bitcoin (or $2.3 million at the time of seizure). There are five key takeaways from this development.
DarkSide disrupted. On May 14, 2021, as DarkSide announced it was disbanding due to U.S. pressure, it was also reported that around the same time DarkSide had lost control over some of its assets, including a payments server, and that funds had been directed to unknown addresses. It was also publicly reported that a third-party computer security company had identified the bitcoin wallet used by DarkSide to collect the ransom that was later recovered by the FBI. This firm observed that DarkSide had collected $17.5 million from 21 bitcoin wallets between March and mid-May 2021, providing some sense of the pace and volume of payments associated with DarkSide ransomware attacks over a short period of time.
U.S. will treat ransomware like terrorism. An internal DOJ memo from June 3, 2021 has been publicly released and reiterates the DOJ Ransomware and Digital Extortion Task Force’s objective to “bring to bear the full authorities and resources of [DOJ] in confronting the many dimensions and root causes of this [ransomware and digital extortion] threat.” The memo articulates a centrally coordinated process for handling ransomware or digital extortion cases among the U.S. Attorneys’ Offices, the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS), the Money Laundering and Asset Recovery Section (MLARS), the National Security Division (NSD), and the FBI. DOJ had previously applied this model to terrorism cases, but not, before this month, to ransomware. Although it is unclear what impact this model may have on ransomware incidents that do not affect critical infrastructure, it is a notable indication of how DOJ views the scale of the current ransomware threat and the means it intends to use to address it.
FBI methods. Based on the FBI’s June 7, 2021 affidavit in support of the seizure warrant, a blockchain explorer was used to track the payments made to the hackers and to follow the funds as the hackers moved them through ten bitcoin addresses from the point of initial payment on May 8 until May 27, 2021. (A blockchain explorer is an online tool that functions as a search engine for a blockchain: it identifies and organizes transactional data so that a user can review the data and identify the bitcoin addresses involved in a given chain of transactions.) However, there has been speculation in news reports that although DarkSide moved the payments through various bitcoin addresses, it may not have taken advantage of more advanced methods such as automated mixers, which are also available to criminal actors to further shuffle and hide payments across bitcoin addresses and wallets in order to evade law enforcement. It is also unclear how the FBI obtained the private key needed to access the funds at the bitcoin address.
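As an added illustration of the hop-by-hop tracing described above (example code written for this post, not the FBI’s or any explorer’s tooling; the ledger, amounts and address labels are constructed), the following follows a payment forward through a set of transactions, reports where the funds come to rest, and flags high fan-out transactions of the kind a mixer produces, which is where this style of tracing breaks down:

```python
from collections import defaultdict, deque

# Constructed ledger (illustrative only, not real DarkSide transaction data).
# Each entry spends from the listed input addresses and pays the listed outputs (address, BTC).
TXS = [
    {"txid": "tx1", "inputs": ["victim"], "outputs": [("A1", 75.0)]},
    {"txid": "tx2", "inputs": ["A1"], "outputs": [("A2", 63.7), ("A3", 11.3)]},
    {"txid": "tx3", "inputs": ["A2"], "outputs": [("A4", 63.7)]},
    {"txid": "tx4", "inputs": ["A3"], "outputs": [("A5", 11.3)]},
    {"txid": "tx5", "inputs": ["A4"], "outputs": [("A6", 63.7)]},
]

# Hypothetical threshold: a transaction paying this many outputs or more is flagged as
# mixer-like, because every output becomes a candidate path and the trace loses precision.
MIXER_FANOUT = 20


def trace_forward(txs, start, fanout=MIXER_FANOUT):
    """Breadth-first trace of funds from `start`.

    Returns (hops, resting, flagged):
      hops     - address -> number of transactions between `start` and that address
      resting  - addresses reached on the trace that have not been spent from, with BTC received
      flagged  - txids on the trace whose output count reaches the mixer-like threshold
    """
    spends = defaultdict(list)  # address -> transactions that spend from it
    for tx in txs:
        for addr in tx["inputs"]:
            spends[addr].append(tx)

    hops = {start: 0}
    received = {}
    flagged = []
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        for tx in spends[addr]:
            if len(tx["outputs"]) >= fanout and tx["txid"] not in flagged:
                flagged.append(tx["txid"])
            for out_addr, btc in tx["outputs"]:
                if out_addr not in hops:          # first time this address is reached
                    hops[out_addr] = hops[addr] + 1
                    received[out_addr] = btc
                    queue.append(out_addr)

    resting = {a: btc for a, btc in received.items() if not spends[a]}
    return hops, resting, flagged
```

On the constructed ledger the trace ends at two unspent addresses, A6 holding 63.7 BTC four hops from the victim and A5 holding the remaining 11.3 BTC, and nothing is flagged; on a real chain that passes through a mixer the flagged list is the point where an investigator needs evidence beyond the public ledger.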
Market volatility of bitcoin. In the past, volatility in bitcoin has been attributed to some combination of its limited supply, the lack of a central bank, and its status as a relatively new asset class. Whatever the reason, bitcoin volatility is evident in the difference in BTC to USD exchange rates between May 8 and June 7: at market close the rate was approximately $58,803.78 to 1 BTC on May 8 (the date of the ransom payment) and $36,110.87 to 1 BTC on June 7 (the date of seizure). Moreover, the additional ten percent decline in the value of bitcoin on June 8 has been attributed at least in part to the seizure, because it calls into question the relative security of bitcoin.
Public-private cooperation. The seizure of funds depended in part on the FBI’s ability to trace the funds, beginning with the initial payment to the attacker’s bitcoin wallet. This success highlights the importance of timely, confidential cooperation with the FBI as companies respond to ransomware attacks, particularly where a company may be considering payment of a ransom demand. It remains to be seen whether the role of third-party security firms in identifying and tracing bitcoin payments in large-scale ransomware incidents develops into a trend, and whether that activity ultimately helps law enforcement and impacted organizations identify organized criminal groups and recover digital extortion payments.