DarkSide Transfers $7 Million Worth of Bitcoin
Move by Colonial Pipeline Attackers Follows Law Enforcement Action Against REvil
Following a massive outage of the notorious REvil - aka Sodinokibi - ransomware operation due to coordinated law enforcement efforts involving the U.S. and foreign partners, the operators behind DarkSide ransomware have moved bitcoin worth almost $7 million to multiple new wallets, making it more difficult to track.
Just hours after reports about REvil itself getting hacked and being forced offline by a multicountry operation, DarkSide ransomware operators quickly started transferring funds into multiple accounts.
Omri Segev Moyal, CEO and co-founder of security firm Profero, on Friday tweeted that 107* BTC from the Colonial Pipeline ransomware attackers has been moved to new wallets.
"Preliminary research is showing it's starting to look like typical ransomware money heist path. Someone cashing out? Dear #bitcoin exchange platform, please block the following wallets from the incoming transactions: https://pastebin.com/vuWRGutY," Moyal notes.
The 107* BTC from Colonial PipeLine ransomware has moved to a new wallet: "bc1q2sewgrnau4e4gvceh8ykzf8lqxawpluu0k0607" > "bc1qvya30xewdeatneqj90ypvzq4kjzgyz8cnvu7rm" — Omri Segev Moyal (@GelosSnake) October 22, 2021
Transaction hash: "8fe2131dd4b4be77034c3af4928415c2daffed950572d270d5e9dd1aa6b71088"
Feds control wallet?
He also says that the attackers have split the BTC into seven wallets in what looks like preparation to convert to other exchanges or cash out somehow.
"These funds remained dormant until yesterday (October 21). Beginning at 7am GMT, the funds, now worth $7 million, were moved through a series of new wallets over the course of several hours, with small amounts being 'peeled' off at each step," according to blockchain analysis company Elliptic. "This is a common money laundering technique, used to attempt to make the funds more difficult to track and to aid their conversion into fiat currency through exchanges. The process is ongoing, but small amounts of the funds have already been sent to known exchanges."
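The peel-chain pattern Elliptic describes (funds hopping through fresh wallets with a small amount split off at each step, some of it landing at exchanges) is what chain-analysis tooling looks for. The tracer below is an added example, not code from the article, Elliptic or Profero; it runs over a constructed transaction set, assumes each hop address is spent exactly once, ignores fees, and treats the largest output of each transaction as the chain's continuation and every smaller output as a peel.

```python
"""Trace a peel chain over constructed transactions (added example, amounts in satoshi)."""
from dataclasses import dataclass, field

@dataclass
class Tx:
    txid: str
    inputs: list     # addresses being spent
    outputs: list    # (address, amount_sat) pairs

@dataclass
class PeelReport:
    hops: list = field(default_factory=list)           # (txid, next_address, amount_sat)
    peels: list = field(default_factory=list)          # (txid, address, amount_sat)
    exchange_hits: list = field(default_factory=list)  # peels that reached a known exchange
    total_peeled: int = 0

# Constructed sample: 107 BTC start, three hops, small peels at each step.
# Addresses are placeholders, not real wallets.
SAMPLE_TXS = [
    Tx("tx1", ["START_WALLET"], [("HOP_1", 10_500_000_000), ("PEEL_A", 200_000_000)]),
    Tx("tx2", ["HOP_1"], [("HOP_2", 10_350_000_000), ("EXCH_X_DEPOSIT", 150_000_000)]),
    Tx("tx3", ["HOP_2"], [("HOP_3", 10_100_000_000), ("PEEL_B", 100_000_000),
                          ("EXCH_Y_DEPOSIT", 150_000_000)]),
]
KNOWN_EXCHANGES = {"EXCH_X_DEPOSIT", "EXCH_Y_DEPOSIT"}  # constructed exchange labels

def trace_peel_chain(txs, start_addr, known_exchanges, max_hops=50):
    """Follow the largest output hop by hop, recording every smaller output as a peel."""
    spends_of = {}
    for tx in txs:
        for addr in tx.inputs:
            spends_of.setdefault(addr, []).append(tx)
    report = PeelReport()
    current = start_addr
    for _ in range(max_hops):               # bound the walk in case of cycles
        spends = spends_of.get(current)
        if not spends:
            break                           # funds are sitting unspent: chain ends here
        tx = spends[0]                      # assumption: one spend per hop address
        outs = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        next_addr, next_amt = outs[0]
        report.hops.append((tx.txid, next_addr, next_amt))
        for addr, amt in outs[1:]:          # everything but the main output is a peel
            report.peels.append((tx.txid, addr, amt))
            report.total_peeled += amt
            if addr in known_exchanges:
                report.exchange_hits.append((addr, amt))
        current = next_addr
    return report

if __name__ == "__main__":
    r = trace_peel_chain(SAMPLE_TXS, "START_WALLET", KNOWN_EXCHANGES)
    print(len(r.hops), "hops;", r.total_peeled / 1e8, "BTC peeled;", r.exchange_hits)
```

On the sample this reports 3 hops, 6 BTC peeled in total, and two peels that reached the labelled exchange deposit addresses, which is the kind of signal an exchange's compliance team acts on when asked to block incoming funds.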
In addition, the company also notes that DarkSide has strong links to REvil, with the ransomware groups sharing similarly structured ransom notes and using the same code.
A DarkSide ransomware variant was used in the May attack that caused disruption to services at Colonial Pipeline Co., which operates a 5,500-mile pipeline supplying fuel, gasoline and other petroleum products throughout large portions of the eastern U.S.
Jake Williams, formerly of the National Security Agency's elite hacking team, notes that it’s not hard to conclude that DarkSide's bitcoin move is related to REvil.
"DarkSide likely believes that seizing funds from multiple wallets will be more difficult than seizing a single wallet. Of course, they're right. Given the reporting on this, I expect we'll see conversion of at least some BTC into XMR or other privacy-preserving coins where chain analysis is much harder," says Williams, who is also the CTO at BreachQuest.
But Moyal tells Information Security Media Group that Profero's cryptotracking team constantly researches and monitors many ransomware threat actors' transactions, and that it spotted this transfer around 4 a.m. IST GMT+3 on Friday.
"We have reported to our bitcoin exchange customers to block incoming transactions. The motive is unknown but we see it's taking typical laundering chains as other ransomware operators do. Regarding REvil, it's just speculation and we can't really comment on that. It can be for many reasons," Moyal notes.
Staying Under the Radar
After Colonial Pipeline paid a $4.4 million ransom to DarkSide, the operation reported on May 13 that its infrastructure was being disrupted, and it said it would cease its operations. Unusually, the FBI managed to recover some of that ransom.
"In view of the above and due to the pressure from the U.S., the affiliate program is closed. Stay safe and good luck," DarkSide reportedly said on its data leak site, adding: "The landing page, servers and other resources will be taken down within 48 hours."
But security experts at Emsisoft claim that someone wielding DarkSide ransomware helped to launch the BlackMatter operation. The new BlackMatter ransomware-as-a-service operation announced its launch in July via Russian-language cybercrime forums.
"The project has incorporated in itself the best features of DarkSide, REvil and LockBit," a user with the handle "BlackMatter" claimed in July 19 posts, threat intelligence firm Recorded Future reported (see: BlackMatter Ransomware Claims to Be Best of REvil, DarkSide).