Security experts at London-based blockchain analytics firm Elliptic identified the bitcoin wallet used by the ransomware group responsible for the Colonial Pipeline attack, along with the extortion payments it received from victims.
According to a report from Elliptic, the DarkSide ransomware gang received a ransom payment of 75 Bitcoin, or roughly $5 million, made by Colonial Pipeline on May 8 following the cyberattack on its operations.
The cyberattack on Colonial Pipeline led to widespread fuel shortages in the U.S. and has been described as the worst cyberattack on critical U.S. infrastructure to date.
Security researchers first spotted the ransomware gang's operation in August 2020, and nearly nine months later, in May 2021, the FBI confirmed the role of the DarkSide ransomware gang in carrying out the attack on Colonial Pipeline.
In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets. According to DarkTracer, 99 organizations have been attacked with the DarkSide malware – indicating that almost half of DarkSide victims paid a ransom and that the average payment was $1.9 million. DarkSide says it targets only big companies and forbids affiliates from deploying ransomware against organizations in several industries, including healthcare, funeral services, education, public sector, and non-profits.
The firm also discovered a ransomware bitcoin payment made by Brenntag, a large chemical distribution company in Germany, totaling roughly $4.4 million. The group's wallet has been active since March 4, 2021, and has received 57 payments from 21 different wallets, according to Elliptic.
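The figures Elliptic reports (payment count, number of distinct paying wallets, total and average ransom) come from aggregating the inbound transactions of a flagged address and then following its outflows across the transaction graph. The script below is an added illustration of that kind of analysis and is not Elliptic's code or data: it runs over a small constructed ledger with hypothetical addresses (`gangWallet`, `victimA`, `split1`, `exchangeDeposit`, and so on) and invented amounts, summarises what the flagged wallet received, and performs a bounded breadth-first walk over its outgoing transactions to show where the funds were moved.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One simplified on-chain transfer: sender address -> receiver address."""
    txid: str
    sender: str
    receiver: str
    btc: float


# Constructed sample ledger. Addresses, txids and amounts are hypothetical
# placeholders for illustration, not real blockchain data.
LEDGER = [
    Tx("tx01", "victimA", "gangWallet", 75.0),
    Tx("tx02", "victimB", "gangWallet", 30.0),
    Tx("tx03", "victimB", "gangWallet", 10.0),   # second payment from the same victim
    Tx("tx04", "victimC", "gangWallet", 50.0),
    Tx("tx05", "gangWallet", "split1", 100.0),    # funds leave the collection wallet
    Tx("tx06", "gangWallet", "split2", 60.0),
    Tx("tx07", "split1", "exchangeDeposit", 100.0),
    Tx("tx08", "split2", "mixer", 60.0),
    Tx("tx09", "unrelated", "elsewhere", 5.0),    # noise unrelated to the case
]

# Constructed labels an analyst might already hold for known services.
KNOWN_SERVICES = {"exchangeDeposit": "exchange", "mixer": "mixing service"}


def inbound_summary(ledger, address):
    """Aggregate every payment received by `address`: count, distinct payers,
    total and average amount. This mirrors the 'N payments from M wallets'
    style of figure reported in the text."""
    payments = [t for t in ledger if t.receiver == address]
    total = sum(t.btc for t in payments)
    senders = {t.sender for t in payments}
    return {
        "payments": len(payments),
        "distinct_senders": len(senders),
        "total_btc": total,
        "average_btc": total / len(payments) if payments else 0.0,
    }


def trace_outflows(ledger, start, max_hops=3):
    """Breadth-first walk over outgoing transactions from `start`.
    Returns {address: hop_count} for every address reached within max_hops,
    so an analyst can see where collected funds were consolidated or cashed out."""
    out_edges = defaultdict(list)
    for t in ledger:
        out_edges[t.sender].append(t)
    reached = {}
    queue = deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for t in out_edges[addr]:
            if t.receiver != start and t.receiver not in reached:
                reached[t.receiver] = hops + 1
                queue.append((t.receiver, hops + 1))
    return reached


def cash_out_points(ledger, start, max_hops=3):
    """Intersect the reachable set with known service labels: the places where
    traced funds touched an identifiable counterparty."""
    reached = trace_outflows(ledger, start, max_hops)
    return {addr: KNOWN_SERVICES[addr] for addr in reached if addr in KNOWN_SERVICES}


if __name__ == "__main__":
    print(inbound_summary(LEDGER, "gangWallet"))
    print(trace_outflows(LEDGER, "gangWallet"))
    print(cash_out_points(LEDGER, "gangWallet"))
```

Real chain data is UTXO-based rather than simple sender/receiver pairs, so an actual tool would first resolve transaction inputs and outputs (and apply clustering heuristics) before feeding edges into a walk like this; the aggregation and hop-bounded tracing logic itself is the same.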
DarkSide and other ransomware groups have built the ransomware-as-a-service model, in which the developers of the malware outsource the actual intrusion and infection of a target to affiliates and then split whatever ransom comes in. The practice has lowered the barrier to entry, allowing less experienced cybercriminals to take part without any malware-development skills of their own.
"In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment with the victim organization. This new business model has revolutionized ransomware, opening it up to those who do not have the technical capability to create malware, but are willing and able to infiltrate a target organization," Elliptic said.