Since the DarkSide wallet was opened in March, Elliptic found, it had received $17.5 million from 21 Bitcoin wallets, indicating the number of ransoms it had collected as recently as this spring. Cybersecurity analysts estimate the group has been active since at least August and has most likely used a number of different Bitcoin wallets to collect ransom payments.
According to TRM Labs, a blockchain intelligence company in San Francisco, on Thursday someone withdrew approximately 113.5 bitcoin, or $5.6 million, from DarkSide’s bitcoin wallet and moved it to an account belonging to an unknown user. The total was Colonial’s 75 bitcoin ransom plus that of a German company, Brenntag, which also chose to pay its digital extortionists, TRM Labs said.
Who owns this other account is another twist in the hacking episode.
“It’s hard to speculate,” said Esteban Castaño, co-founder of TRM Labs, in an interview on Friday. He noted that anyone who moved DarkSide’s proceeds would have needed access to the private key for the group’s Bitcoin wallet.
“The question is, where were these private keys stored?” Mr. Castaño said. “Were they on a server that someone else found? Or did DarkSide initiate the broadcast itself?”
The intense scrutiny that followed the attack on the Colonial Pipeline clearly unsettled ransomware groups. This week, the operators of REvil and Avaddon, two major Russian-language ransomware platforms, announced tough new rules for the use of their products, including bans on targeting government-affiliated companies, hospitals or educational institutions.
The administrator of XSS, a popular Russian-language cybercrime forum, announced an immediate ban on all ransomware activity on the forum, citing, among other things, the bad press associated with the industry. In a statement posted on the forum, the administrator drew attention to a “critical mass of damage, nonsense, hype and noise” and said even the spokesman for President Vladimir V. Putin of Russia had weighed in on the Colonial Pipeline attack. (The spokesman, Dmitri S. Peskov, denied that the Kremlin was involved in the attack on the pipeline.)
“The word ransom is linked to a whole range of nasty things – geopolitics, extortion, government cyberattacks,” the XSS administrator wrote. “That word has become dangerous and poisonous.”