chatsimple

How Did DarkSide Ransomware Make $10+ million, Shut Down the Colonial Pipeline, and Hide Its Trace?

May 21, 2021

Author: Victor Fang, Ph.D. , Founder and CEO, AnChain.AI

AnChain.AI, a San Francisco based blockchain cybersecurity company, has been tracking the notorious Darkside ransomware that disrupted the 5,500-mile Colonial pipeline causing fuel shortages throughout the southeastern United States. Partnering with leading cybersecurity law expert and co-founder of Law & Forensics, Daniel Garrie Esq, we have revealed the most in-depth blockchain forensics timeline, as well as how DarkSide obfuscated the bitcoin ransom using Coinjoin mixing tactics.

Cryptocurrencies inevitably serve as the perfect payment vehicle for ransomware and will continue to emerge in the near future. This article sheds light on how enterprises, individuals, VASP’s, and governments can better prepare for the next wave of ransomware attacks.

DarkSide Ransomware Bitcoin Flow Timeline

The timeline below shows how the DarkSide hacker group launched the Colonial ransomware campaign with a wallet cluster of around 30 bitcoin addresses that were active for 70 days, from March 4 to May 13. Darkside received over 300 Bitcoins, worth over $16 million, in ransom payments from Colonial, Brenntag, and various unnamed victims.

Figure 1: Timeline for DarkSide ransomware bitcoin flow.

This wallet cluster currently has 0 balance, and we suspect it has been abandoned. The majority of the ransom is sitting in a new wallet that has been dormant since May 13. Since May 1 the hackers have been laundering the bitcoin received from the ransomware campaign through a sophisticated mixing technique called Coinjoin.

Coinjoin is an algorithmic cryptocurrency system that can make traditional money tracing almost impossible. Using AnChain.AI Auto-Tracing AI, we were able to reveal the Coinjoin tactics and trace down its complex money laundering pathways, as shown below.

Figure 2: DarkSide bitcoin Coinjoin mixing paths since May 1, 2021.

Read more about Coinjoin mixing:

https://anchainai.medium.com/cryptocurrency-mixers-pt-1-from-privacy-tool-to-billion-dollar-laundering-machine-80140e14aeb5

Figure 3, One bitcoin Coinjoin mixing transaction associated with DarkSide hacker money laundering on May 1, that obfuscated over 14 bitcoins in this operation as illustrated.

How to defend against DarkSide ransomware?

Depending on the roles, we are suggesting these countermeasures:

1. Enterprises and Individuals:

AntiVirus software is still the most effective way to defend DarkSide ransomware. 60 out of 69 AV endpoint vendors, per VirusTotal (a Google company), including FireEye, Symantec, McAfee, and Microsoft can detect Darkside malware. However, Baidu, Tencent, Qihoo 360 (China-based), and Yandex (Russia-based) still missed detection as of writing. AnChain.AI urges all cybersecurity vendors to update DarkSide in their malware detection engines.

FireEye Mandiant, just published a technical blog on DarkSide malware operation.

In addition to antivirus software, it is critical for enterprises to have a documented cybersecurity incident response plan that is tested regularly. A good incident response plan will set out protocols for coordinating between the incident response team, business stakeholders, in-house and outside counsel, and other relevant stakeholders. Many organizations use ransomware-specific incident response plans to address the unique technical, business, and legal aspects of ransomware attacks. The key for any organization is to make an incident response plan that will work with the personnel and technical environment. Additionally, it is essential to test the incident response plan on a regular basis using tabletop exercises or ransomware simulations.

2. Cryptocurrency industry, VASP:

Take a clear stance on fighting crypto Money Laundering. As identified by AnChain.AI, the DarkSide hacker group has been laundering the bitcoins received from the Colonial ransomware campaign. Make sure the onchain AML screen engine is preventive and comprehensive, so as to fully comply with the requirements of your jurisdiction, such as OFAC, FinCEN, SEC, and OCC in the United States; MAS in Singapore; and 5AMLS in the EU.

3. Governments & Regulators:

Most jurisdictions have been implementing their cryptocurrency AML regulations.

Cryptocurrency is hard to regulate but not impossible. UTXO and smart contract-based mixing and tumbling and billion scale pseudonymous cryptocurrency address space make it difficult for governments and regulators such as OFAC (Office of Foreign Assets Control of the US Department of the Treasury) to defend against this emerging cyber threat landscape effectively.

For example, the OFAC Sanction list has been lagging behind to catch these sophisticated cybercriminals and terrorists using cryptocurrency as payment vehicles.

During DarkSide outbreak, on May 12, President Biden signed a White House Executive Order on Improving the Nation’s Cybersecurity. The executive order clearly defines stages in the Cybersecurity Cycle and Corresponding Contributions where preventing intrusion and detecting and responding to intrusion will be critical for defending ransomware.