FBI Deputy Director Paul M. Abbate delivered the following remarks during a press conference in Washington, D.C., with Department of Justice officials announcing the seizure of ransom proceeds from the group DarkSide following the Colonial Pipeline network compromise. (Remarks as delivered)
Good afternoon, everyone.
Today the FBI successfully seized criminal proceeds from a bitcoin wallet that DarkSide ransomware actors used to collect a cyber ransom payment from a victim.
Since last year, we’ve been pursuing an investigation into DarkSide—a Russia-based cybercrime group.
The DarkSide ransomware variant is one of more than 100 ransomware variants that the FBI is currently investigating. DarkSide developers market their ransomware to criminal affiliates, who then conduct attacks and share a percentage of the proceeds with the developers, a scheme known as ransomware-as-a-service.
In this case, the FBI has identified more than 90 victims across multiple U.S. critical infrastructure sectors. Those include manufacturing, legal, insurance, health care, and energy.
Based on our investigation into DarkSide, and incredible work with other U.S. government partners, we identified a virtual currency wallet that the DarkSide actors used to collect a payment from a victim. Using law enforcement authorities, victim funds were seized from that wallet, preventing DarkSide actors from using them.
This is just the latest disruption that the FBI and DOJ have taken to impose risk and consequences on cyber adversaries.
Since announcing our new cyber strategy last year, we have dismantled the infrastructure of the Emotet criminal botnet through an unprecedented coalition of U.S. and international law enforcement and private industry partners. Additionally, we have joined other government partners to expose a cyber tool developed by the Russian GRU. We have also used legal authorities to remove malicious back doors installed on the networks of Microsoft Exchange Server customers across the United States. And just last week, DOJ announced the seizure of two command-and-control domains used by the perpetrators of a wide spear phishing campaign.
This focus on joint action and collaboration is exemplified by the National Cyber Investigative Joint Task Force, which brings together intelligence community, law enforcement, and cybersecurity agencies for a whole-of-government approach against these cyber threats.
Our partners in the intelligence community and across government are central to these efforts. Leveraging each of our authorities and capabilities enables us to conduct coordinated operations to respond to and deter malicious activity from groups like DarkSide.
There’s a lot of exceptional behind-the-scenes teamwork that goes into both identifying effective ways to target adversaries, and predicating actions that we may take against them.
I want to give major thanks to the incredibly hard-working agents, intelligence analysts, and professional staff of the FBI’s Atlanta and San Francisco Field Offices and the FBI Cyber Division, along with the government-wide partners who assisted in this investigation and seizure.
These cases require a significant level of determination and technical expertise, and without a doubt, every individual involved displayed that through the achievements reflected here today.
We continue to be committed to using the information and intelligence we develop through our investigations to take early, meaningful steps to protect the public and be preventative.
We will continue to work relentlessly and seek innovative ways to use our unique authorities, world-class capabilities, and enduring partnerships for maximum impact against our adversaries.
Today, we deprived a cyber-criminal enterprise of the object of their activity—their financial proceeds and funding. For financially motivated cyber criminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose.
When the FBI combines our law enforcement and intelligence authorities with those of our partners in government and the cooperative relationship with private industry, and when we have victims willing to share information to further our collective efforts against cyber adversaries, we can have an immediate, permanent effect on ransomware actors.
That is why it is so critical for victims to report intrusions to us as soon as possible and then work with us to provide evidence and intelligence for our investigations, leading to recovery, attribution, and, ultimately, prevention.
Victim reporting not only can give us the information we need to have immediate, real-world impact on the actors, it can also help prevent future intrusions into other victim networks and prevent further harm from occurring.
With continued cooperation and support from victims, private industry, and our U.S. and international partners, we will bring to bear the full weight and strength of our combined efforts and resources against those actors who think nothing of threatening public safety and our national security for profit.
DAG Monaco Delivers Remarks at Press Conference on Darkside Attack on Colonial Pipeline
Monday, June 7, 2021
Remarks as Prepared
Thank you all for being here.
Today, the Department of Justice is announcing a significant development in the ransomware attack on the Colonial Pipeline.
I am joined by FBI Deputy Director Paul Abbate and Acting U.S. Attorney for the Northern District of California Stephanie Hinds to discuss the work of the Department’s Ransomware and Digital Extortion Task Force in combatting the epidemic of ransomware attacks by criminal groups.
Also with us are Assistant Attorney General for National Security John Demers, and Acting Assistant Attorney General for the Criminal Division Nick McQuaid.
Ransomware attacks have increased in both scope and sophistication in the last year – targeting our critical infrastructure, businesses of all types, whole cities and even law enforcement.
Ransomware and digital extortion pose a national security and economic security threat to the United States. The Department of Justice, with our partners, is committed to using all the tools at our disposal to disrupt these networks and the abuse of online infrastructure that allows this threat to persist.
The sophisticated use of technology to hold businesses and even whole cities hostage for profit is a decidedly 21st century challenge – but the old adage “follow the money” still applies. And that’s exactly what we do.
After Colonial Pipeline’s quick notification to law enforcement, and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide Network in the wake of last month’s ransomware attack.
Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response.
DarkSide is a ransomware-as-a-service network – that means developers who sell or lease ransomware to use in attacks, in return for a fee or share in the proceeds. DarkSide and its affiliates have digitally stalked U.S. companies for the better part of the year, and indiscriminately attacked victims that include key players in our nation’s critical infrastructure.
Today, we turned the tables on DarkSide.
By going after the entire ecosystem that fuels ransomware and digital extortion attacks – including criminal proceeds in the form of digital currency – we will continue to use all of our resources to increase the cost and consequences of ransomware and other cyber-based attacks.
The seizure announced today was conducted as part of the Department’s recently launched Ransomware and Digital Extortion Task Force, which was established to investigate, disrupt and prosecute ransomware and digital extortion activity. This is the Task Force’s first operation of this kind.
This work is important, because every day, the digital threats we face are more diverse, more sophisticated and more dangerous.
In this heightened threat landscape, we all have a role to play in keeping our nation safe. No organization is immune. So today I want to emphasize to leaders of corporations and communities alike — the threat of severe ransomware attacks poses a clear and present danger to your organization, to your company, your customers, your shareholders, and your long-term success.
Pay attention now.
Invest the resources now.
Failure to do so could be the difference between being secure now – or a victim later.
But also know that we are in this together. The U.S. government will continue to do more to increase our nation’s resilience while increasing the costs to our digital adversaries and those that enable or harbor them. And we cannot do so without you.
The Department of Justice will continue to evolve as the threat does.
That is why one of my first acts after returning to the Department was to launch a strategic cyber review.
That is why federal prosecutors now report ransomware incidents in the same way that we report critical threats to our national security.
And that is why we will continue to work with our public and private partners – both here and globally – to bring our collective authorities together to confront emerging threats.
There is no higher priority at the Department than using all available tools to protect our nation, including from ransomware and other digital threats.
Thank you and now I’ll turn the podium over to Paul Abbate, Deputy Director of the FBI.
Lisa O. Monaco, Deputy Attorney General