Digging into the Darkside Ransomware Payment

TRM Insights

May 14, 2021

What Happened

On Friday, May 7, Colonial Pipeline Co., which operates a 5,500-mile pipeline that delivers 45% of the gasoline and jet fuel supplied to the U.S.'s east coast, announced that it had been the victim of a ransomware attack. In response to the attack, Colonial proactively shut down operations. Stores of gasoline, diesel, home heating oil, jet fuel, and military supplies had been so heavily affected that the Federal Motor Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states to help with the shortages. Some schools went virtual.

On Monday, May 10, the New York Times reported that the F.B.I. confirmed that "the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks." Darkside is a ransomware-as-a-service (RaaS) business, selling its malware on the darknet and taking a cut of the profits the buyers make from using it. It essentially allows illicit actors without coding experience to launch ransomware attacks. At a White House briefing later that day, Anne Neuberger, deputy national security adviser for cyber and emerging technology, described the attack as a "ransomware as a service variant" in which "criminal affiliates conduct attacks and then share proceeds with the ransomware's developers," and confirmed that the F.B.I. had been investigating DarkSide since October. In addition to locking Colonial Pipeline's computer systems, including the company's billing system, which left it unable to track fuel distribution and billing, DarkSide also stole over 100GB of corporate data.

The Latest

On Thursday, May 13, nearly a week after the attack, reports emerged that Colonial had paid a 75 Bitcoin (BTC) ransom, worth as much as $5 million, allowing the company to restore service on Wednesday. Preliminary analysis of the blockchain by TRM Labs confirms this account, showing that on May 8, 2021, 75 BTC were withdrawn from a U.S.-based exchange and soon after transferred to the Darkside ransomware payment address. The funds were then quickly moved into Darkside's Bitcoin wallet.

On Friday, May 14, things went dark for Darkside. According to Intel471, Darkside told affiliates it had lost access to its own infrastructure and would be closing, citing disruption from law enforcement and pressure from the U.S. Darkside added that funds from its payment server had been transferred to an unknown account as part of a "seizure." Analysis by TRM shows that on May 13, 2021, 113.5 BTC were withdrawn from Darkside's wallet and placed into a different wallet.

Analysis will be ongoing as new events and on-chain activities emerge.

Questions for us? hello@trmlabs.com
