June 7, 2021

The U.S. Department of Justice said today it has recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. The funds had been sent to DarkSide, a ransomware-as-a-service syndicate that disbanded after a May 14 farewell message to affiliates saying its Internet servers and cryptocurrency stash were seized by unknown law enforcement entities.

On May 7, the DarkSide ransomware gang sprang its attack against Colonial, which ultimately paid 75 Bitcoin (~$4.4 million) to its tormentors. The company said the attackers only hit its business IT networks — not its pipeline security and safety systems — but that it shut the pipeline down anyway as a precaution [several publications noted Colonial shut down its pipeline because its billing system was impacted, and it had no way to get paid].

On or around May 14, the DarkSide representative on several Russian-language cybercrime forums posted a message saying the group was calling it quits.

“Servers were seized, money of advertisers and founders was transferred to an unknown account,” read the farewell message. “Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information.”

A message from the DarkSide and REvil ransomware-as-a-service cybercrime affiliate programs.

Many security experts said they suspected DarkSide was just laying low for a while thanks to the heat from the Colonial attack, and that the group would re-emerge under a new banner in the coming months. And while that may be true, the seizure announced today by the DOJ certainly supports the DarkSide administrator’s claims that their closure was involuntary.

Security firms have suspected for months that the DarkSide gang shares some leadership with that of REvil, a.k.a. Sodinokibi, another ransomware-as-a-service platform that closed up shop in 2019 after bragging that it had extorted more than $2 billion from victims. That suspicion was solidified further when the REvil administrator added his comments to the announcement about DarkSide’s closure (see screenshot above).

First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.

According to an analysis published May 18 by cryptocurrency security firm Elliptic, 47 cybercrime victims paid DarkSide a total of $90 million in Bitcoin, putting the average ransom payment of DarkSide victims at just shy of $2 million.

HOW DID THEY DO IT?

The DoJ’s announcement left open the question of how exactly it was able to recover a portion of the payment made by Colonial, which shut down its Houston to New England fuel pipeline for a week and prompted long lines, price hikes and gas shortages at filling stations across the nation.

The DOJ said law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins (~$3.77 million on May 8), “representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.”

A passage from the DOJ’s press release today.

How it came to have that private key is the key question. Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said the most likely explanation is that law enforcement agents seized money from a specific DarkSide affiliate responsible for bringing the crime gang the initial access to Colonial’s systems.

“The ‘obtained the private key’ part of their statement is doing a lot of work,” Weaver said, pointing out that the amount the FBI recovered was less than the full amount Colonial paid.

“It is ONLY the Colonial Pipeline ransom, and it looks to be only the affiliate’s take.”

Experts at Elliptic came to the same conclusion.

“Any ransom payment made by a victim is then split between the affiliate and the developer,” writes Elliptic’s co-founder Tom Robinson. “In the case of the Colonial Pipeline ransom payment, 85% (63.75 BTC) went to the affiliate and 15% went to the DarkSide developer.”

The Biden administration is under increasing pressure to do something about the epidemic of ransomware attacks. In conjunction with today’s action, the DOJ called attention to the wins of its Ransomware and Digital Extortion Task Force, which have included successful prosecutions of crooks behind such threats as the Netwalker and SamSam ransomware strains.

The DOJ also released a June 3 memo from Deputy Attorney General Lisa O. Monaco instructing all federal prosecutors to observe new guidelines that seek to centralize reporting about ransomware victims.

Having a central place for law enforcement and intelligence agencies to gather and act on ransomware threats was one of the key recommendations of a ransomware task force being led by some of the world’s top tech firms. In an 81-page report, the industry led task force called for an international coalition to combat ransomware criminals, and for a global network of investigation hubs. Their recommendations focus mainly on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.


237 thoughts on “Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang

  1. damian

    Hopefully the money is not returned to Colonial Pipeline. Yes, they were a victim, but they chose to have poor security, they chose to not have backups that could enable rapid recovery, and they chose to make the payment.

    Reply
    1. Stuart

      The definition of choice is deciding between two or more options. Asserting Colonial Pipeline’s management chose an ill-equipped infrastructure stretches credulity. They may indeed be negligent, but neither you nor I know the facts. Damian, do you hold yourself to comparable standards? If burglarized and your property recovered by police. Would you decline its return because you inadvertently left a door unlocked?

      Reply
      1. rando

        defending the c suite …good look…would you defend equifax the same way …password as password…000000 as password…sheesh bootlick much on your high horse?

        Reply
    2. JamminJ

      It’s gotta go back to them. Could you imagine the shiitestorm if the. DOJ kept the money?

      Reply
      1. Mahhn

        frankly I expect the doj to keep it. That’s what the court system does – strip money from people. they will come up with some reason, a fine for paying the fine most likely.

        Reply
        1. JamminJ

          For poor people with a public defender, yeah there are many examples of such injustice.
          But really, anyone who can afford an attorney, gets their money back.

          Reply
          1. Goose @ Gander

            “But really, anyone who can afford an attorney, gets their money back.”

            Hmm… Your legal credentials are not coming up in my search, can you supply them for us?

            Reply
          2. Citation needed

            “But really, anyone who can afford an attorney, gets their money back.”

            Reply
            1. JamminJ

              I will add a caveat.

              But really, anyone who can afford an attorney, gets their money back most likely.

              Reply
                1. Gregory

                  Are you really that pathetic and hard up to catch this guy in a lie that you’re claiming victory for this?
                  I haven’t seen your level of pettiness in a while. Do you wear orange makeup too?

                  Reply
                  1. mealy

                    Gregory is someone’s troll-bodyguard today.
                    It’s a love affair without the letter-reading.

                    Thanks though, we’ll both be fine when you get well.
                    Soon no doubt.

                    Reply
      2. mealy

        They committed a crime by paying it unless the FBI specifically authorized and ordered them to do it.
        If they did so they can have it back. If not forget it.

        Reply
        1. security vet

          …it’s not illegal to pay…

          …highly recommended not to, but’s not against the law…

          Reply
        2. security vet

          …there’s no law against paying…

          …only wishful thinking…

          Reply
              1. phat

                “civilly liable”
                The article is badly worded. It’s not “illegal”, it’s against regulations for which there is a civil penalty.

                Reply
                1. Hm

                  Thanks for confirming it’s illegal as stated in the treasury.gov memo.
                  Not all laws or regulations attach criminal penalties that much is true.

                  Reply
                  1. JamminJ

                    It’s not illegal at all. Not even civil penalties.

                    It might be, if Darkside was specifically designated as a sanctioned entity. They are not, as of today, sanctioned by OFAC.

                    There is no broad sanction that covers all ransomware crime. The US Treasury OFAC advisory, is a reminder, a bit of advice, that paying a ransom, MAY result in legal risk if it turns out the money went to a designated sanctioned entity. Russia is NOT sanctioned as a whole (like North Korea and Iran)… so OFAC has not made it illegal.
                    The headline you are believing is incorrectly interpreting the advisory as a scare tactic.

                    Reply
                    1. mealy

                      Credibility matchup : US Treasury memo > Your opine

                      https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

                      If you wilfully pay a criminal organization a ransom, you are committing a crime whether prosecuted in the end or not. I don’t really need to further paraphrase their words to an argumentative egotist who refuses to read and then refuses to believe the words themselves have meaning, deferring entirely to their own repeated opine instead.

                    2. mealy

                      Nobody paid “Russia” obviously, stop obfuscating jeez.

                      Break down and admit you were wrong, Treasury is not.
                      Whether 100% are prosecuted is not the determinant.

                    3. JamminJ

                      Nice try. But the Treasury OFAC advisory is on my side of the argument.
                      The memo actually Refutes your claim.

                      North Korea, Syria, and Iran are examples of comprehensive country or region embargoes. But Russian is unfortunately not.
                      Nobody paid North Korea either…. but paying a ransom to Lazarus Group would violate OFAC sanctions. That’s the difference, Lazarus is listed and Darkside is not.

                      The US Treasury cannot prosecute Colonial for paying a ransom, nor can the DOJ.

                      Your claim, “If you willfully pay a criminal organization a ransom, you are committing a crime whether prosecuted in the end or not.” is utterly false and delusional. There is no law that says this, even if we would all like it to be true. The US Treasury OFAC advisory doesn’t even apply here. Some headlines want to grab attention, and claim it applies to all ransomware, but it doesn’t. The criminal activity is not the deciding factor that would make OFAC applicable. The recipient of the funds MUST be listed on the SDN.

                    4. Farley

                      J loves to listen to themselves argue and finds semantic faults of no consequence to the discussion.

                      Just acknowledge the ego issue and move on, no point trying to convince them the sky is blue either.

                    5. Totality of circumstances

                      “MAY result in legal risk if it turns out the money went to a designated sanctioned entity” – you admit, yet don’t know who it went to nor the actual individuals (or sister orgs, backers) behind the operation. You know the word “Darkside” and that’s literally all you have at all to go on, yet assert it’s all you’d ever require to “prove” that paying a ransom is “not illegal” here when you don’t even actually know who was paid at all. It’s pretty entirely silly in distillate.

                      Nope. I wasn’t misinterpreting a headline. US DOT’s own words:
                      “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations”

                      *They don’t list ‘every possible’ legal risk, that would be absurd. Moving that kind of cash around in the situ of a corporate entity, state laws, tax law, there are actually a ton of ways that could trip up “legally” besides direct OFAC violation. That’s the example given because DOT directly control and are warning of it specifically in addition to other unspecified concerns beyond “merely” aiding and encouraging ransom attacks. That doesn’t mean there “are no other” legal concerns because they list OFAC as their go-to either. That’s your own unfounded, uncredentialed invention that it’s the sole and entire legal concern as a non-lawyer.

                      “This advisory describes these sanctions risks and provides information for contacting __relevant U.S. government agencies__,” (emphasis mine) “including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”

                      Like Iranian infrastructure or backers could add rather instantly,
                      or any other post facto trivial oversight/misconception you might make from a position of informational ignorance compared to the experts in those aforementioned agencies, admittedly or not.

                      Not cooperating leaves risks intact and outside of their auspices. DOJ/FBI/UST is not going to sign off on illegal actions, can indemnify those they authorize and seal the whole thing off. It’s a no brainer, even for a pseudo-lawyer. Or at least it ought to be.

                      The group in question claims at the least to have operational ties in Iran, is a criminal group for obvious starters, so checking in depth required on that and other aspects (my suggestion was getting full cooperative signoff from as-mentioned __relevant US government agencies__ beyond merely as you claim typing “darkside” into your 1 search engine, then asserting “welp, that’s all that can be done there”)… it’s really a damn obvious suggestion before risking corporate millions and the eye of Treasury or even DOJ scrutiny in other aspects. Even for a pseudo-lawyer.

                      You claim “Darkside got away with their cut”, but you don’t really know that either. Another claim. We know the total recovered so far and publicly acknowledged in reporting is a large fraction of the total paid and the investigation is ongoing. If you wish to pick at my choice of “would” that might more correctly have been a “could” (while you are also simultaneously ignoring the conditional statement that was apparently met, they seem to have cooperated), that’s pseudo-pedantry on top. You weren’t trying to understand the point was far wider than your circumscribed legal assertion-sanbox.

                      You have not facilitated payments of multi-million dollar crypto ransoms to unknown individuals from a corporate entity outside of your direct personal control of assets, or you would understand it’s actually not legally trivial. You certainly don’t demonstrate that you understand any legal risks possible beyond the 1, and you seem to think that you can make them ALL go away here by typing “darkside” in an OFAC search and having nothing come up and thus assuming it’s “all legally good” on that single basis, in contravention with actually basic sound advice from DOT that you denote as “scaremongering.” What ridiculous puffery.

                      As if somehow yourself were a sole source of this contradictory legal “grand summary” (/s) despite (obviously!) not having any such credentials or real legal knowledge, credibility as a legal professional either juxtaposed with theirs or even by your own legally baseless assertions a la carte.

                      “This is proof that it’s not illegal to pay ransom, even in kidnapping situations.” – Purely wrong, & specifically as written. Legally.
                      law.cornell.edu/uscode/text/18/1202

                      This is where pure-BS assertions get into trouble, playing lawyer. Real ones don’t tend to make that mistake, they’ll err on the other side, account for a range of unlikely possibilities. It’s their real (*actual, not purely for forum posterity) profession. So while you’ve got your single-item OFAC search “proof” (of very little if anything) and (prima facie false) assertions that “it’s not illegal to pay a ransom even in kidnapping” and such, is it any real wonder that you haven’t actually passed any state’s bar to give such “advice” from a proposed position of authority, (if anonymously online even,) lest of all yourself paid multi-million dollars of corporate assets to a criminal organization without a single identifiable legal concern you can acknowledge exists? Not really at all, from my perspective. Uninformed, lazy, unprofessional and egotistical lawyers (and also security pros) do obviously exist and thrive already so why shouldn’t self-confirming semantic nonsense ones like yourself pretend also?

                      What’s the worst that could happen with the tens of millions and corporate reputation trusted to someone so confidently unconcerned? You’ve searched the single keyword search, it’s all the “legal proof” you believe you require – and you’re the final arbiter, according to you. And what’s to stop you from assuming so? Nothing at all, certainly not an ACTUAL judge at any rate. Dept of Treasury is “scaremongers” the law is as far as you’re aware an entirely single-factor affair that you’re confident you can pretend to explain away sight-unseen, and you’ve left no stone unturned that you weren’t going to leave unturned anyway.

                      When you’ve convinced a Gregory or a Stuart anonymously online (despite their non-readership entirely) that you’ve exhausted all legal considerations without the burden of much if any formal training, what further accolades could you even seek to self-bestow? Skip straight to monarchy, no need to pretend to be a lawyer. You aren’t one.

                    6. JamminJ

                      Dear single person with infinite user names…
                      TLDR

                      Is this still your claim,
                      “If you wilfully pay a criminal organization a ransom, you are committing a crime”
                      ???

                    7. Ah, soooo desu

                      No doubt reading is hard (for legal professionals?) today.
                      Troll, snipe, claim, reduce to absurdium, TLDRun away.
                      #Lincoln-Douglas-Style-Trolling?

                      (It took me ~4 minutes to write this as I sip coffee. Gee. No doubt your high-$ “lawyer’s” time is super valuable. /s)

                      But you couldn’t help yourself, you just had to revive it.

                      ““If you wilfully pay a criminal organization a ransom, you are committing a crime” – Is going back to a 10x-since-amended initial statement I (still) can’t edit – after pretending to have not wasted your (entire) afternoon yesterday demanding pedantic explanations over and over (see below) that you weren’t actually looking to read or comprehend either, as you now pretend only yourself can add caveats or fill in details to your own slight over-statements after the fact, yet nobody else can.

                      “I will add a caveat.” – Oh, so you aren’t sticking to your claim that “If you hire a lawyer you get your $ back”? Gee.
                      I analyzed my statement as you demanded (20x) yesterday, today suddenly you can’t read. Cuteness, Esq.
                      That law school really paid off.

                      I honestly don’t care if you do read it either – but an actual legal professional wouldn’t be deterred by ~30 seconds of text lol – yet it’s the absolute minimus of the job. They also don’t really need to waste time trolling nor intentionally misunderstand basic concepts semantically over and over for no other purpose than to use reductio ad absurdum (and obvious limbless strawmen “arguments”) to pretend not to be able to parse basic points – after demanding them all afternoon so derpetulantly.

                      Best of luck on the state Bar though, the world obviously needs more trolling half-a** pseudo-lawyers… Certainly uncredentialed legal advice is solid enough to wager millions and a huge company’s reputation on –
                      You’ve “never lost a case” no doubt lol. Good line, have it.
                      Put in in your pseudo-briefcase so you don’t forget it.

                    8. Goose@gander.com

                      I do recall someone amending their own over-statement,
                      “But really, anyone who can afford an attorney, gets their money back.”

                      Maybe we should ask if they intend to stick by that entirely too, especially after having seen them amend it already?
                      Or would that just be more pointless quasi-illiterate trolling.

                    9. JamminJ

                      Not at all, I was willing to caveat my statement “But really, anyone who can afford an attorney, gets their money back.”
                      with “most likely”. I wasn’t making a claim, just referencing that money does help in court.

                      Are you willing to caveat your statement?
                      “If you wilfully pay a [foreign] criminal organization a ransom, you [may be] committing a crime [but no one has ever been charged yet]”.

                    10. mealy

                      “I wasn’t making a claim, just referencing that money does help in court.” – Claims were made in fact. It’s ok though, we’ve been over it already and I’m not trying to rehash.

                      Anyhow I don’t myself feel a need to reciprocally troll you ongoing for an overstatement after you’ve amended it already – much as I’ve already explained mine – so whether or not you’re asking seriously in earnest above (not) or just require the last word, let’s try to find a more constructive outlet for your ‘creative juices’ than playing pedant lawyer. It’s potentially a beautiful day to give half-a^^ed legal advice, but it’s also potentially a beautiful day to break that habit and grow a bit wiser instead of trolling. Seize it as you see most valuable.

                    11. JamminJ

                      Fair enough. I am willing to meet you half way. I have previously amended what may have been perceived as a claim, with “most likely” which should clear up any perceptions that I was giving legal advice. (no comment in a blog, even from a lawyer, should be taken as legal advice).

                      Are you willing to meet me half way, and amend your claim?
                      Can you respond with,
                      > “If you wilfully pay a [foreign] criminal organization a ransom, you [may be] committing a crime [but no one has ever been charged yet]”?

                    12. mealy

                      No ‘one’ has been (publicly) fined or (publicly) sanctioned (yet?) under the ‘new’ (re)-directive by DoT, but such settlements could also be under seal and you’d have no way of knowing unless a direct party. This is plausible once you understand how many benign cases end up under court seal for various security and privacy concerns. UK’s Sec 17 of TA00 is a further example where if/whether it had been used noone publicly would even know outside of security clearances. Similarly US courts (and especially those sensitive agencies petitioning them) may have sealed away entire case types including settlements or triggered sanctions actions – We have no way of knowing that. Ockham’s razor perhaps, but also not.

                      This still doesn’t affect whether or not it’s ‘illegal’ under existing statutes/regs or if they could bring those publicly in the future. They could, they may yet be waiting for an particularly eggregious case to flesh out the policy in case law. They could also be doing that to ensure they don’t trip on ‘equal protection’ defenses given what’s already transpired without visible action, they’d have to open all of that up and look at it for comparison. You can probably see why all parties may want to avoid that.

                      Per the example of mine the issue was of cooperation vs. not cooperating w authorities, getting that sign-off to ensure that it would be legal, exculpatory. Not cooperating is a can of variables (in both directions) and risks additional reputational damage or possible further Federal financial scrutiny that companies wouldn’t want if avoidable. Many of those (newsmakers, anyhow) I’ve read about making ransom payments are cooperating to some degree but we don’t have statistics obviously, that’s not tabulated. The biggest ones certainly seem to have done that and I can’t find (any?) exceptions where they clearly avoided that, for pragmatic reasons or otherwise. Gov’t and certain public entities would be required under Federal law and those could easily be sealed by rote for years to decades because there’s no public 3rd party to object.

                      So yes it can be illegal, but you can all but avoid that entire realm of possibility by simply cooperating and in such a case as this perhaps even get a ransom back or aid law enforcement tracking them. From a defensive legal posture unless you have a good reason why cooperating is a bad idea or would open them up to a worse legal outcome, that seems like the easiest path. Perhaps a criminal organization masquerading as legitimate business, like say Tr**p organization, they might not want to but even that just invokes more scrutiny. So while this is WTL now and DR has already been invoked : It is potentially illegal, the issue is more complex than a single search box keyword is going to be necessarily illustrative or exculpatory of and those risking millions and millions of dollars (Billions, when it’s a pipeline) and their corporate/organizational reputations have (in my view at least) a straightforward decision to cooperate or incur an additional unknown risk they could easily avoid. Whether or not they’re ‘all’ or ‘none’ prosecuted privately or publicly is not the determinant of actual legality under Fed statute/regs. So we can scrape everything in plain view without a court seal, Federal agency seal, NDA or combination, but I’ve used up my 15 minute break +3 now and there’s not much more to do but wait and see how it plays out. Rehashed enough? It’s not black and white, it’s gray and maybe opaque, we’ll see – or perhaps ‘we’ won’t.

                    13. mealy

                      I forgot to mention NSL possibilies also. Who knows what we don’t know yet.

                    14. JamminJ

                      Are you seriously trying equivocate right now?
                      Is it really that hard to meet me half way? It’s starting to look like you are incapable of seeing the fault in anything you said.

                      Your claim is simple, and you have a chance to amend with a caveat. You accused me of having an ego, just because I have worked with this stuff before and probably know more.
                      But it seems like you are projecting your own ego and narcissism.

                      I have met you half way, and you can too. Make a statement that we can both agree on…
                      > “If you wilfully pay a [foreign] criminal organization a ransom, you [may be] committing a crime [but no one has ever been publicly charged yet]”?

                      Is there anything unreasonable or that you disagree with?

                      You said, “If you wilfully pay a criminal organization a ransom, you committing a crime”
                      But now you are saying we don’t know enough to say if this is true. But you said it was true.

                      You made a claim of fact, and now are saying we will never know the facts?

                      Do you still make this claim?

                    15. Let's not, k?

                      “You made a claim of fact” – As did you. You walked it back, I walked it all the way around the issue I still see to explain my rationale which was a more complex point, IMO. I’m pretty sure I met you half way at least explaining my rationale there for saying we don’t really know and that included the phraseology you wanted, AFAIK. Oh well.

                      You seem to need some kind of hard and fast conclusion culminating in a clear bright line, I think that’s probably unlikely as explained. Saying it’s “not illegal” seems to be what you want and nothing less. It’s less B&W than you seem to be willing to entertain even in thought, so… stay peeved if that appeals, I’m over it and not interested in re-re-explaining why US Treasury says it’s potentially illegal regardless of what you point to. I’ve explained my “would” should have been a “could” already. Take it, leave it, who cares? It changes nothing about the law ongoing.

                      Have a good one if you can, no seriously.

                    16. mealy

                      Tell you what, let’s not rehash. It’s getting pretty pointless anyway now that BK is only allowing every 2nd or 3rd reply probably due to the length already used up debating known unknowns vs unknown unknowns. They say it’s illegal, we don’t know if they’ll enforce it or how, neither of us knows if they have and it’s been sealed to protect the entities or economy under NSL and there’s no way to find out but wait because it’s still a rather young policy directive. You want to catch me on a misstatement after I already amended it and forgave yours… it’s rather dull.

                      Have a great day if you can though.

                    17. JamminJ

                      I seems like you take the act of amending previous statements that may be too broad or absolute, by adding a caveat like “most likely” … as a weakness.
                      That is why you attacked me as if you won some prize and caught me in a lie. My statement wasn’t a claim, it was a reply to Mahhn’s comment. You weren’t even on that thread, but injected yourself into the conversation, removed all context that would have shown that I wasn’t making a claim of fact… just so you can sound smart.

                      Since I am willing to clarify my comments for anyone reading without the context, to show I wasn’t making definitive statements claiming a fact, I amended with a caveat.
                      ” That’s what the court system does strip money from people. they will come up with some reason, a fine for paying the fine most likely.”
                      “For poor people with a public defender, yeah there are many examples of such injustice. But really, anyone who can afford an attorney, gets their money back [most likely].”

                      Now, you have made an absolutists statement, a claim of fact, that you have failed to back up with evidence, but rather you doubled down, distracted, diverted, and tried to turn the burden of proof on me.
                      “If you wilfully pay a criminal organization a ransom, you are committing a crime”
                      And you still stubbornly want to avoid walking back or adding any caveats… why? For pride?

                      Narcissists like Trump are pathologically opposed to apologizing, admitting fault, or compromising. Narcissists think it makes them look weak. Further, they attack people when they do these common things.
                      What does a narcissist like you and Trump do when backed into a corner of lies? You double down, lean into the BS, and hope your confidence in your answer will prevail.

                    18. Gregory

                      DAAAAMMMMMNNNN!!

                      Dude not only did you lose this argument badly but jammin just danced around all of your diversions, ignored your million aliases, and obliterated you.

                      He reached into your soul and dove into your psychology and put it all on display for anyone watching.

                      Your tantrums were fun mealy, but this is better.

                    19. Gregory

                      @JamminJ

                      Hats off to you sir, well played and very well done. You kept your cool while he went on an emotional rampage with fake accounts and bullying and projecting his own narcissism.

                      I’ve enjoyed this oh, probably a bit too much. Enjoy your win.

                    20. JamminJ

                      It’s not about the win or lose, but I wanted to find common ground.
                      I don’t like bullies like mealy or Trump, and I really don’t like all the misinformation that spreads online. A lot of security professionals read KrebsOnSecurity. Not sure how many read the comments, but it was irresponsible to fearmonger and spread lies about the legality of corporate responses to ransomware.
                      We have to work together against this scourge of ransomware, and lies aren’t the path forward.

                    21. mealy

                      Suppose I wasn’t clearly enough disengaging? Hm, no..

                      If you can’t even admit US Treasury says it’s potentially illegal I can’t help you, but I didn’t make it up. Enjoy the rest of your… existence? I do tend to entirely doubt you’ll be paying many ransoms either way despite “claims” lol.

                      Ego and edgelording doesn’t help you win this “legally.”

                      I only wasted 1 minute this time, that’s my max for you now. Enjoy the respite, you’re still wrong, it’s still potentially illegal to pay an unknown entity a ransom says the Dept. of the Treasury as cited, and most folks would be real wise to consult the authorities beforehand. That’s all, you picked that nit all the way, nothing changed.

                      Get well soon. Try harder to have a good day, seriously.
                      Blowing it hard.

                    22. Well beyond Grendel

                      You’re all about verifiable info and certainly NOT pedantic trolling. Noted.

                      Let them (The US Treasury Dept. that put out the memo) know that it’s not illegal, who knows, see what they write back. Maybe they’ll rewrite their memo, who knows.

                      But I can’t, so do step off already. Have a great one.

                    23. JamminJ

                      It seems like you take the act of amending previous statements that may be too broad or absolute, by adding a caveat like “most likely” … as a weakness.
                      That is why you attacked me as if you won some prize and caught me in a lie. My statement wasn’t a claim, it was a reply to Mahhn’s comment. You weren’t even on that thread, but injected yourself into the conversation, removed all context that would have shown that I wasn’t making a claim of fact… just so you can sound smart.

                      Since I am willing to clarify my comments for anyone reading without the context, to show I wasn’t making definitive statements claiming a fact, I amended with a caveat.
                      ” That’s what the court system does strip money from people. they will come up with some reason, a fine for paying the fine most likely.”
                      “For poor people with a public defender, yeah there are many examples of such injustice. But really, anyone who can afford an attorney, gets their money back [most likely].”

                      Now, you have made an absolutists statement, a claim of fact, that you have failed to back up with evidence, but rather you doubled down, distracted, diverted, and tried to turn the burden of proof on me.
                      “If you wilfully pay a criminal organization a ransom, you are committing a crime”
                      And you still stubbornly want to avoid walking back or adding any caveats… why? For pride?

                      Narcissists like Trump are pathologically opposed to apologizing, admitting fault, or compromising. Narcissists think it makes them look weak. Further, they attack people when they do these common things.
                      What does a narcissist like you and Trump do when backed into a corner of lies? You double down, lean into the BS, and hope your confidence in your answer will prevail.

                    24. Gregory

                      @JamminJ

                      Hats off to you sir, well played and very well done. You kept your cool while he went on an emotional rampage with fake accounts and bullying and projecting his own narcissism.

                      I’ve enjoyed this oh, probably a bit too much. Enjoy your win.

                    25. mealy

                      “Narcissists like Trump are pathologically opposed to apologizing, admitting fault, or compromising.”

                      Couldn’t have said it better, sorry for your loss, my fault no doubt. Anything I can do to help?

                      No? Ok. Get well soon.

            1. JamminJ

              Wow… that headline is completely false and misleading. CISOs beware.

              For anyone who has worked in a financial institution… they know what OFAC is… and it’s been around for a while. This advisory is not law, it’s only a reminder.

              The US Treasury can only enforce payments made to KNOWN entities that have been officially sanctioned by the US. So it would be illegal to send a ransomware payment if the ransom note said “pay to Hamas/Hezbollah/North Korean/etc”

              There is no blanket sanction that would cover ALL cybercriminals. The sanctioned entity has to be listed by name. There is no “stretching” definitions that could possibly make ransomware payments illegal in a broad sense.

              OFAC compliance is a big part of many US companies. But it simply cannot be done when the recipient of payment is anonymous. KYC cannot be done, and companies cannot be compelled to wait for an investigation and the payment recipient to be identified, before paying the ransom.

              Reply
                1. JamminJ

                  “They committed a crime by paying it unless the FBI specifically authorized and ordered them to do it.”

                  Your claim is completely unfounded. The OFAC advisory makes suggestions and recommendations. It’s a warning, but one without teeth.
                  Having done several OFAC compliance checks, it’s not hard to understand what this advisory does and does not do.

                  You make an extraordinary claim, and you haven’t provided anything to back it up.

                  Reply
                  1. mealy

                    I don’t much care what you believe or don’t personally.
                    Treasury says it’s illegal, you can dither as needed.

                    Reply
                    1. JamminJ

                      Treasury does not say it’s illegal.

                      It’s not a belief, it is English literacy. The ability to read a document. You didn’t read the document you posted, because it says the opposite of your claim.

                    2. reading

                      The troll can go argue with Treasury instead.
                      Federal Gov 1, opinionated denialist 0.

                    3. JamminJ

                      For those of us who have to work with Treasury, there is no argument. OFAC is pretty clear, and easy to check.

                      The only one arguing against the US Treasury, is those who think they have created their own law which broadly makes all ransom payments illegal.

                      It is ignorant to post a link to a document that you don’t understand, to then claim it supports your wild claim. Although it is a bit funny, and sad.

                    4. mealy

                      You’ve demonstrated zero knowledge or history of “working with the Treasury” so nice appeal to authority, but that’s not evidence of anything except your logical fallacy.

                      Read the memo or don’t, today is a work day for some.
                      Not you apparently.

                    5. mealy

                      The denialist can argue the point with Treasury’s memo author, apparently they need something to do.

                    6. Whatever lol derp

                      Good luck arguing with the Treasury Dept on a work day.
                      The memo exists, some few can even read. *(YMMV.)

                    7. JamminJ

                      https://sanctionssearch.ofac.treas.gov/
                      Go look up Dark Side if your so sure 🙂

                      Your claim of, “They committed a crime” is without any evidence. The only thing you offer is proof AGAINST your claim.

                      Like the Trump cultists who say, “read the transcript”, but don’t read the actual transcript. You haven’t actually bolstered your argument… but rather think being first to hold up a paper is good enough.

                    8. concerned

                      Mealy,
                      You should just quit bro cuz youre getting your ass handed to you. You made a wild statement and handed them the evidence to destroy your argument

                    9. concerned

                      Mealy,
                      You should just quit bro cuz youre getting your butt handed to you. You made a wild statement and handed them the evidence to destroy your argument

                    10. Nope

                      From Krebs previous article on subject :

                      “The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.”

                      Hence the question when you don’t know their ID.
                      And you don’t.
                      Basic stuff.

                2. JamminJ

                  The advisory does not say, “any criminal org”. Don’t make up statements.

                  OFAC has to Specifically Designate foreign Nationals by name. (SDN)
                  Hint: The “F” in OFAC stands for “foreign”. Not even all of Russia is sanctioned, like North Korea and Iran are designated.

                  This means that it is impossible for a broad/blanket definition of “any criminal organization”.
                  When getting extorted by ransomware, it is always possible that the recipient isn’t foreign at all. So OFAC cannot even apply until AFTER the criminal has been identified.
                  That is why this OFAC advisory is not a law. It is advice.

                  As of today, Darkside is NOT on the OFAC sanction list. So it’s not illegal to pay them a ransom.

                  Reply
                3. JamminJ

                  Lazarus Group, Evil Corp are both designated as sanctioned by OFAC.
                  There are also several individual cyber criminals sanctioned.
                  Also, those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).

                  Darkside is currently NOT designated as sanctioned. This may change in the future, but it was legal for Colonial to pay a ransom last month.

                  Look it up for yourself… it’s easy.
                  https://sanctionssearch.ofac.treas.gov/

                  Reply
                  1. Today is a work day.

                    “Darkside” as so named is not an “entity” either way derp, just a recent public media monicker for a “dissolved” group of which you know nothing further. You have no idea which individuals or agencies on that list are related to that effort or malware campaign beyond what the media put out publicly nor do you know if Treasury/FBI/etc authorized the ransom as part of their snare, which they can surely do if they see fit. Somehow they didn’t ask you for permission and I doubt they’ll go to you for broad vague legal advice either lol.

                    Reply
                  2. QED

                    So do you know anyone in the dissolved “Darkside” group then to search for their name or additional associations?
                    Nope.

                    Reply
                    1. JamminJ

                      You can search for Dark Side or Darkside. They are NOT sanctioned.
                      Just like the OFAC advisory says, you can just put in the group name such as Lazarus Group, Evil Corp, Bluenoroff and Andariel.

                      All are group names, you don’t need individuals to sanction. But Darkside is not a sanctioned group. Maybe in the future they will be… but Colonial didn’t break any laws by paying a ransom since they aren’t currently sanctioned at the time of payment. Perhaps if it turns out that a listed international terrorist was a member of Darkside at the time of the payment, but that is a big maybe. It still would not make your claim of “any criminal org” being illegal to pay, true.

                  3. mealy

                    Name one person in the group that received payment, go on.
                    Oh, so you can’t. Ah well.

                    Reply
                    1. JamminJ

                      OFAC SDN can be a group/entity name, like Lazarus Group or Evil Corp.
                      It doesn’t need an individual name.

                      If it isn’t on the list… then it’s not illegal to pay the ransom.

                    2. Dear Psuedo-Lawyer

                      It’s not limited to a group/entity name.

                      You don’t know the names or any other associations of those paid in this case, you’re posting a search link as if a negative were somehow provable thus. Good thinking, lol. /s

                    3. Assistant Consul

                      As a legal advisor to a financial institution, I have reviewed payment processing many times. I can confirm that it is not illegal unless the money makes its way to specific individuals or entities so designated by the US Treasury department.
                      OFAC was set up specifically to combat the sponsoring of terrorism. So most criminal activity is not even grounds to get put on such a list.

                    4. Basics

                      “specific individuals”

                      How many specific individuals can you name in said organization, for the point to be standalone?

                      More than zero? That’s a quick search isn’t it.

                  4. From the Krebs himself

                    “The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.”

                    Any reconsiderations, double down on clueless again?
                    You don’t know who they are, AND
                    you don’t know who they are not.

                    It’s that simple, yet still more complex than your single-search suggestion criteria as if that were at all realistic for the purpose of vetting a multi-Billion dollar corporate move to pay criminals.

                    Reply
                    1. Seriously now

                      If you don’t know who you’re paying it can be anyone.
                      If you cooperate with authorities and they sign off,
                      you’re off the hook. It’s that simple.

                      Potential not really known future risk vs ~0.
                      If you don’t cooperate you don’t get the ransom back.

                      Problem? Simple solution! Or… don’t solve it? Whatever.
                      Get a job, this can’t be it.

      3. Shamsham

        Colonial paid for a service (the ransom), and got the key/password they paid for. The money that was retrieved by the DOJ was not stolen from Colonial, but seized from an illegal operation. There is no reason to return the money to Colonial.

        Reply
    3. JamminJ

      That would be like the cops keeping your car because it was stolen when you left the doors unlocked.

      This kind of attitude is exactly the justification used by Russian hackers. “These big corporations are greedy, and stupid,… They deserved to be hacked”

      Everyone can play Monday morning quarterback and boast about how they would be better at security.
      It’s easy in hindsight.

      But 24/7/365 ironclad security is hard, and the attackers only have to be right once.

      Reply
      1. nuh-uh

        “That would be like the cops keeping your car because it was stolen when you left the doors unlocked.”

        No. Leaving your doors unlocked is not a crime. Paying a ransom to criminals IS.

        Reply
            1. JamminJ

              He’s right. YOU look it up.

              There is no law that will prosecute for being a victim of extortion.

              Reply
              1. Reading

                The memo speaks for itself and far louder than your repeated opinion. Sorry.

                Reply
                1. JamminJ

                  Then please quote the memo.

                  The OFAC advisory says that it’s only illegal to pay designated sanctioned entities. Darkside is NOT sanctioned by the US… so it’s not illegal to pay the ransom.

                  Look it up for yourself.
                  https://sanctionssearch.ofac.treas.gov/

                  Reply
                  1. mealy

                    Posting that link when you don’t know anyone’s name is pointless.
                    Memo was posted, learn to read and argue @ US Treasury.
                    Nobody here cares if you consider yourself an authority lol.

                    Reply
                  2. mealy

                    Please read the already-posted memo you’re pretend not to understand using semantics, then re-read the original statement.

                    Then you may continue being a pretend lawyer.
                    It’s not limited to the name of the organization. QED.
                    You know of zero individuals paid in this case by name.

                    Reply
                    1. Arkansas Alan

                      I read the document too. mealy is wrong, jammin is right. It doesn’t seem like colonial pipeline would be in legal trouble by paying the ransom. As much as we would like it to be true.

                    2. Pfft

                      “Arkansas Alan” isn’t on the list either…

                      “Therefore I can make a legal ransom payment to you, according to JJ’s ‘deep’ knowledge of the US Dept. of Treasury. Oh that’s not his real name? Oh… well then.”

                      Feel free to gamble millions of your own anytime Alan.
                      (You might want a better lawyer than JamminJ though.)

                    3. JamminJ

                      Yes, that’s the point. Paying a ransom (being a victim of extortion) is perfectly legal. What is so hard to understand about that?

                      The extortionist bears all legal responsibility and criminal liability. Do you think you need to be a lawyer to comprehend this?

                    4. mealy

                      “Paying a ransom (being a victim of extortion) is perfectly legal”

                      That’s a false statement in blanket form, sorry.
                      You’re falling into your own semantic hole now.
                      Can’t help you there.

                2. Gregory

                  Dude, you aren’t winning this argument.
                  He’s right, the memo actually says that it’s only illegal if The Ransom was paid to someone specifically designated by name to be sanctioned.
                  So paying the ransom is still legal in this case. Thats what the memo says.

                  Reply
                  1. orly

                    Who personally was sent the payment in this case?
                    You don’t have their name do you?

                    The DOJ can waive that for investigation purposes also, you don’t know which is the relevent point here yet because it’s not public information yet. Our “Treasury friend” here doesn’t either, but don’t intimate that to them or you’ll never hear the end.

                    Reply
                    1. Gregory

                      The name that would be listed would be the group name, dark side.

                      I checked it out, and it totally works to just type in an affiliated group name, so if any individual is a member, it would show up in the search.
                      Just like if some no name dude is affiliated with Hamas, any payment to that guy is flagged and that would be an OFAC violation.

                      I do not know what you mean when you say the DOJ can waive that for investigation.
                      Are you saying that the DOJ can prosecute a company for paying a ransom to a sanctioned person while withholding the name of that person? That doesn’t make sense to me.

                      Maybe we will find out more information, that’s there is a sanctioned person not yet tied to this darkside group.

                      But it seems like a legal trap to be able to legally pay ransom one day, then have someone add a name retroactively to make paying the ransom criminal.

                      I’ve got no skin in this game, but it’s fun to watch an argument like this.
                      But really, you and mealy are coming across like sore losers who won’t let it go.

                    2. Basics

                      “Who personally was sent the payment in this case?
                      You don’t have their name do you?”

                      Question stands. Individuals may be listed despite your single keyword not finding them in the list.

                      Basics.

                      You’re blowing it.

                    3. Gregory

                      Haha, dude, you lost bad. You are looking very pathetic by spamming the same comment with different names.
                      He gave you the answer already you just don’t like it.

                    4. YANAL

                      Well, exhibit A says Gregory is a troll, dude.
                      Movin’ on, get well soon.

                    5. Gregory

                      You keep changing your name but you sign off with the same lame diss.
                      it’s pretty clear by the definition of troll, that you mealy are the biggest one here

                    6. orly

                      Keep trolling Greg but you know little about this.
                      Whatever keeps your ego intact I guess? Lol.
                      Good luck with that ongoing. Bring glue.

                    7. dictionary.com

                      “I do not know what you mean when you say the DOJ can waive that for investigation.”

                      Indemnification.

                    8. mealy

                      If you don’t know who you paid up front it’s not actually retroactive when they find out later and it’s found to be an illegal payment on whatever grounds including OFAC. JJ’s position is that it’s “not illegal” when he does a single keyword search for the group and it’s not in there, he thinks his work is then done without full investigation or cooperation or signoff from agencies/depts. If someone is affiliated with x-group and you pay them and y-group gets a cut and they’re on the list, that can go sideways. You’ve failed to indemnify yourself by cooperating fully and getting the signoff and if investigated your entire chain of events is scrutinizeable, fund procurement, fund disbursement, disclosures, and probably an investigation into insiders should there be any contact or overlap that suggests the possibility. Then the plain view probable cause of having an open investigation is allowed to “look and see” anything it can. That can all end in fines, criminal charges depending, not “just” an OFAC violation for the actual payment to a listed entity but anything touching it. Instead of preemptively indemnifying you, they then can investigate you and it goes where it leads. When you pay people you don’t know and some of that ends up with a listed entity, that’s a violation. When they do it willingly it’s a real big deal, when they do it out of negligence they’re still going to get looked at and dinged, maybe more. You want to rely on cooperation agreements, not some non-lawyer knowitall pal telling you he did a search for a single keyword and it wasn’t in there, therefore you’re 100% fine. He hasn’t been down all those roads even as he vaguely claims to have, and you don’t want to if you can avoid it. They’re offering you assurance, he says don’t take it. Why? You don’t need to cooperate because they’re “scaremongers” according to the non-lawyer who gives uncautious, unsolicited and unusually trollish legal “advice” that is as often black-letter wrong as it is over-simplistic and detail averse.

                    9. JamminJ

                      You keep asking for individual names that would “prove the negative”, putting the burden on the victim to “prove” they are acting legally when sending the ransom.

                      But the real question is… has anyone, ever, in the history of paying ransoms, been charged with an OFAC violation?
                      What are the names of those people?

                      That would be the positive assertion to prove your claim that, “If you wilfully pay a criminal organization a ransom, you are committing a crime”.
                      NAME ONE PERSON OR COMPANY WHO HAS EVER BEEN FINED, CHARGED, OR SUFFERED ANY PENALTY FOR PAYING A RANSOM.

                    10. JamminJ

                      Is this your claim, “If you wilfully pay a criminal organization a ransom, you are committing a crime” ??

            1. JamminJ

              OFAC only applies to “sanctioned” individuals/entities.

              The problem with ransomware in cyberspace, is that the victims do NOT really know who the ransom payments are going to. They may suspect, but it’s not certain.
              Look at the actual OFAC list, it has to have actual names.

              The US Treasury only cares about money going to “known” sanctioned entities.
              And no… they cannot broadly sanction all hackers, or all entities that “may” be located in Russia.

              The OFAC advisory is a warning that companies MAY BE in violation since they are sending money to unknown entities. But it is going to be hard, if not impossible, to charge the company with the crime of paying a sanctioned entity when it was impossible for them to verify the identity beforehand.

              As of today, Darkside is not listed as a sanctioned entity by OFAC. It may change in the future… but it was not illegal to send a ransom when Colonial did it.

              Reply
              1. security vet

                …btw a sanctioned entity is by definition a terrorist org or some known trans-national org like the IRGC, Hamas or Hezbollah, not a run of mill, garden variety criminal…

                …that’s why the OFAC was established…

                …so no, paying a ransom is not against the law as many have correctly pointed out…

                Reply
              1. Lol

                Except you know nobody’s name or associations, other than proving yourself a troll seems like a daily thing around here given your vociferous history of same.

                Reply
              2. Try again

                You’ve “proven” you don’t know any individual’s name in the group, that’s about it.

                Reply
                1. JamminJ

                  And therefore… The US Treasury can’t make it illegal to pay the ransom.

                  If they aren’t designated as sanctioned, it is NOT illegal. That is simple proof.

                  Reply
                  1. Lol

                    It’s simple alright but you don’t understand what proof means.

                    Reply
                2. Gregory

                  You really want to die on this hill when you have nothing to stand on? Dude, just give it up. You look like an idiot doubling down on this

                  Reply
                  1. mealy

                    “the memo actually says that it’s only illegal if” – That’s all I’m saying, see original comment or don’t.

                    It is illegal to pay it to a “known” criminal group according to the US Treasury (which maintains that “knowledge”) and for all his “deep work” (citation needed) with them, he doesn’t at all know every individual on that list or their other associations or orgs.

                    Thus paying a ransom to an unknown criminal org is quite potentially illegal though as mentioned in this case the FBI was involved at an earlier stage than publicly known and could have authorized it, we don’t have that access. Either way the org in question was DISSOLVED and the INDIVIDUALS on the list are NOT, and he has ZERO idea who the paid individuals are to be able to search for them. He just likes to pretend to be involved on every single topic and picks semantic word battles to intentionally misunderstand and then “correct” people without actual corrections. Probably just an ego thing, you’d be hard pressed to miss it on other articles here.

                    If I’m wrong and every last individual in this group is not on the list or associated with any “known” criminal group on the list, how would you go about preemptively proving that without even knowing their names or anything about them beyond a media’s monicker? It’s comical that he wants to be the authority if he hasn’t even thought this much through, no doubt there was more (*actual) thought going on by the actual parties at the time tens of millions of dollars were actually going out the door to the criminal group, apparently with the FBI’s knowledge on some level.

                    Reply
                  2. Craig Lutz, official pedant of MLB

                    It’s illegal to pay a ransom to a “known” criminal org as designated by the memo I posted including individuals as well as groups. The group disbanded yet the individuals were paid – and he doesn’t know any single individual’s names involved. He doesn’t seem to know much about the group in question either.

                    I never said “paying any ransom is always illegal” as implied and the misunderstanding is obviously deliberate, moreover he does this constantly. He tried to correct me the literal word choice of “summons and complaint” as if nobody knows those are two separate things, just so he could pretend to play teacher-pedant and I was making a “big legal mistake” by combining them, lol. It’s hilarious in aggregate, really. (Your personal attention span may vary, Greg, that’s ok)

                    The fact remains, wilfully paying a “known” (to US Treasury, as further denoted) criminal or organization is in fact illegal and if you want to pretend you know every individual’s name and associations in these campaigns to check against that, good luck with that strategy of guesswork and self-confirmation bias with your rhetorical tens of millions of dollars and subsequent fallout. They didn’t here, they had the FBI involved at an earlier stage. If they hadn’t there’s still a chance they could have broken the law by paying the ransom, we don’t know that at this point, but the point stands : Paying a “known” (designated) criminal is illegal. He claimed there’s no law because it’s a “regulation”, his pal claims it’s civil law and thus not “illegal”, and both are nonsense arguments to intentionally avoid the obvious point.
                    Feel free to run away into a semantic slapfight though, it’s his favorite pastime on a work day apparently as history denotes.

                    (As you don’t understand the point feel free to say that instead.
                    On my end you look like the idiot chiming into a (completely pointless and semantic now) argument you’re not even involved in as if that would settle it, though perhaps I’d prefer to be more charitable in my characterizations of people I don’t actually know than to attempt to insult them reciprocally based on an opinon I may not agree with or understand at first terse glance, assuming.
                    Have a “nice” day. – Omg omg “nice” is undefined! And are we talking 24 hours or just daytime!?? Let’s invoke egos!)

                    Reply
                    1. Gregory

                      You keep on ranting but you are still trolling when everyone can see how pathetic you are. You really think changing your name, but spamming the same comments will confuse people here?

                      You lost the argument, but you still want to claim that ALL criminal organizations would be illegal to pay. But the facts are clear from the documents that it’s not all crime gangs, they have to be specified on the list. It’s not on the list, either group name, or individual, then it’s not illegal. Deal with it and stop whining.

                      You are a sore loser. Just admit it and move on.

                    2. Craig Lutz, official pedant of MLB

                      Gregory troll is gregory troll. Moving on.
                      Reading is not his strong suit.

                    3. Craig Lutz, official pedant of MLB

                      “You lost the argument, but you still want to claim that ALL criminal organizations would be illegal to pay”

                      No. You missed the conditionals. Basic reading fail.
                      You didn’t even get to the logical fail in that statement.
                      You don’t know who was paid. JJ doesn’t either.

                      Get better at reading, the rest will go smoother I promise.

                    4. JamminJ

                      “If you wilfully pay a criminal organization a ransom, you are committing a crime”
                      Are you still claiming, “If you wilfully pay a criminal organization a ransom, you are committing a crime”
                      ???

                    5. mealy

                      Troll ignored.

                      BK might even need to administer meds or something.

    4. Infosec Pro

      Damian, you must not have broad experience in several key areas of IT around this. If you did you’d know how ridiculous statements like “backups that could enable rapid data recovery” are to those who have worked in large corporate IT and even more, OT.
      And OT is really key. Colonial chose to shut down and make payment because they didn’t know if OT was compromised. All the bs about them shutting down because they couldn’t bill is a red herring by anti-capitalist Luddites who don’t know enough to understand the real reason. Real reason is that if OT was compromised and they didn’t pay and didn’t shut down the criminals could as easily trigger an oil spill as they have in the past spilled data. That’s the game changer here, and many of you are not seeing that.

      Reply
      1. rando

        yawn…truth is you CAN have quick recovery w quaranteened backups…check ur ego bruh..anticapitalist luddites? lol …milton freidman over here…

        Reply
    5. DML

      Even if they had backups, they still may have wanted to pay the ransom because the crooks also threatened to release company confidential information. Backups will help you get back online sooner, but they won’t block someone from releasing stolen info.

      Reply
    6. Jan

      I quite agree with Damian – just not about ‘backup’ solving the problem. Large companies such as Colonial could have easily implemented readily available security auditing technologies that could have detected, identified the DNA of the attacker, and then automatically isolated the infected system. These companies need to take the lead auditing security of all networked devices as part of their normal operating IT procedure – and no we are not talking about AI (dubious value tbh). This is the only way to tip the risk-reward percentage against ransomware attackers – companies need to take ownership of the problem. The FBI won’t protect every company.

      Reply
  2. Greg

    I am hoping that when Biden meets with Putin even more progress will be made. Then we will only have the Third World to worry about. And China. “What? Me Worry?”

    Reply
  3. Scott

    Congrats to my Infosec colleagues on this take over.This type of operation is not easy to pull off, nor should the average reader assume so given the physical distance, the access to private keys, and likely a great deal of humint!

    Reply
  4. Dave Moore

    The alleged recovered money (in the form of Bitcoin) is evidence in a criminal investigation. DOJ is not in the business of making victims “whole” after a loss. They are, however, in the business of gathering evidence to prosecute criminal cases, and the alleged recovered funds are such evidence. Colonial will also have to answer questions regarding collusion, due diligence and due care as to how the crime succeded in the first place. The whole affair has, in effect, been a huge moneymaker for many people not associated with the DarkSide “bad guys.” Jacked up prices, phony shortages, etc., but has anyone at Colonial been fired, yet?

    Even if found completely clean, Colonial will not get the ransom money back for a very long time.

    Then, there is the question of, how exactly does law enforcement “sieze (i.e., legalized theft)” cryptocurrency such as Bitcoin? Isn’t it supposed to be protected by blockchain stuff, the digital “wallet,” etc.? You can’t just steal it and say, “this is mine, now,” without breaking the blockchain protections, can you? Can you? Is it a cold wallet vs. hot wallet deal?

    Reply
    1. JamminJ

      Virtual cryptocurrency does not get stored in an evidence locker. The DOJ could itself face legal action if they withhold without cause. The only real “evidence” needed, is the blockchain ledger. It’s not like possession of the Bitcoin offers anything to the investigation, now that they have the transaction records.

      Don’t hold your breath that colonial will get in any sort of trouble here. It’s not illegal to be a victim of crime. Even if they practiced poor security. Just like getting robbed because you left your door unlocked. Insurance payouts do have clauses for due diligence, but if cops recover your loss, they are obligated to return your property without excessive delay.
      Even loss that is freely given through extortion is considered theft and will be returned without withholding.

      Reply
    2. steak

      Law enforcement hacked into the attacker’s machine where the wallet was setup for access.

      Reply
  5. Andy Rosa

    Colonial paid $4.4 million. Government got back $2.3 million.
    How come? Because 75 bitcoins was worth $4.4 million on 5/6, and they are worth $2.3 million today.

    Reply
    1. JamminJ

      Read the article.
      The ransom was split between affiliates and devs. Only the affiliate server was seized, so only those Bitcoin were recovered.

      Darkside got away with their cut.

      Reply
      1. Hm

        We don’t know that. Only that the total had been greater than what was publicly recovered.
        There are no doubt ongoing investigations following where the remainder went.
        It’s no coincidence they shut down either.

        Reply
    1. JamminJ

      It’s not ethics, its a reputational business model.

      They need to have a reputation of being truthful. Not ethical honesty which would not allow them to be criminals in the first place. Rather just truthful honesty, they are thieves but can be believed when they tell you something.

      The biggest problem with ransomware in the beginning was the reputation for lying to victims. So victims couldn’t trust that they would get decryption keys if they paid, so they didn’t pay.

      They aren’t ethical criminals, but they don’t want to by liars too. Lying hurts their business model too much.

      Reply
  6. Magenta

    Ransomware crimes should be punished by the death penalty. Enough is enough. Torturing the public is not acceptable.

    Reply
    1. JamminJ

      Jail time is the appropriate punishment. The punishment should fit the crime.

      When you start advocating for the death penalty to be applied so broadly, you are advocating for a draconian police state, that you really don’t want to live in. There will always be some law you are breaking, and if you think not, you probably just don’t know. And some things that are legal today, may become illegal tomorrow… then you’ll be begging for leniency.

      Reply
  7. Karl

    Excerpt: So, the hackers were so sophisticated they could hack a major gas pipeline, but not sophisticated enough to protect their wallet and hosted it online on a US-based server?

    Reply
    1. JamminJ

      It was an affiliate payment server. Since this is “ransomware as a service” they have to deal with unknown 3rd party affiliates to split the share. Really hard to keep 3rd parties secure, especially when they are all anonymous.

      Don’t think it was a US-based server.
      The US and the 5 Eyes nations all work together. Even beyond that, there are dozen of countries that will allow the US to intervene. Of course, maybe the FBI had an informant as one of the affiliates on another job, but with access to the server.

      Darkside knew that they needed to keep their operations small and off the radar of the US government. They didn’t count on Colonial reacting by shutting down the pipeline, which affects US critical infrastructure and wakes the entire US intelligence community.

      Reply
    2. Hm

      Another question is were they really after the ransom or was that just a cover. The “ransomware” in question can function as a DOS, document theft, lots of roles that don’t necessarily all fit with a direct personal profit motive. Then combine the fact that a lot of these are run by adversarial nation state sponsored groups – the disruption to the US was significant far beyond the few millions of the ransom payment itself.

      Reply
      1. JamminJ

        Maybe. But it wasn’t as though the ransomware actually affected the pipeline though.
        It was a decision made by Colonial, as a precaution, to disrupt their own services.

        Darkside would probably have rather stayed in the shadows, and didn’t foresee this much attention.

        Reply
        1. Hm

          Where exactly are you getting this, their “press release” about targets they “won’t” attack, yet still do?

          The ransomware definitely “affected the pipeline” IP infrastructure and could have allowed ongoing access in a lateral attack on physical pipeline infrastructure/controls themselves. They didn’t just shut down the pipeline “because they felt like taking a precaution” suddenly, nor would they have paid millions in ransom if they weren’t critical systems. They hadn’t taken even the basic patching precautions disclosed months ago. Hacking groups that put out press releases are not exactly subtle to LE, but I can see how you might consider them “in the shadows” if you haven’t noticed those high profile and widely reported announcements.

          Reply
          1. JamminJ

            They didn’t want to attack charities, government, hospitals, etc. Colonial is not a government entity, it’s private. They perhaps didn’t realize that in the US, there is a blurry line between private enterprise and critical infrastructure.

            The corporate IT infrastructure COULD indeed be leveraged to get into the actual physical pipeline. But that doesn’t mean it was. Colonial shut down the pipeline themselves. Maybe they thought the ransomware was eventually going to shut it down anyway, and they did it to contain the damage.

            In the intelligence community, yes, Darkside and many others are clearly known players. But in the public eye… they were unknown. To higher echelons of government, the ones that would single them out for a counter offensive, they wanted to stay off the radar. They failed with this attack.

            Reply
            1. Pfft

              They still did attack such groups despite the press release, somehow you missed it despite your “deep work” with the Treasury dept and FBI, according to yourself as own source.

              Reply
              1. JamminJ

                Which group?
                Maybe I did miss it. I haven’t look too deep to validate their press release.

                Reply
                1. mealy

                  “I haven’t look too deep to validate their press release.”

                  You took it at face value instead, hence my point. (one of)

                  Reply
                  1. JamminJ

                    Not face value. I don’t believe their words. These are not ethical people. I do believe that they will act in their own self interest. And keeping their activity off the radar, is in their interest. Too bad for them, they messed up.

                    Reply
                    1. mealy

                      How many of them can you name personally?

                      That’s what your “search fix” implies you’ve done.
                      QED.

                    2. JamminJ

                      Can you name anyone who has been fined or even charged with a crime for paying a ransom?
                      No? Why not?

                      You ask me to prove a negative, but you can’t prove your claim of, “If you wilfully pay a criminal organization a ransom, you are committing a crime”

                    3. JamminJ

                      You are trying to change the subject now?

            2. Riiight

              Except they’ve attacked all of those yet you’re taking the vague word of a malware campaign’s authors without even knowing their names or anything about them or their actual motives, while convincing yourself that you’re an expert on them. Who is fooled?

              Reply
              1. JamminJ

                So who did they attack that they promised to not attack? And when?
                Seems like an easy thing to prove, if you know.

                I’m no expert on Dark Side. I have seen several groups come and go, and rebrand themselves. What I’ve noticed is that they do want to keep low and of the radar of major government law enforcement. Seems reasonable.

                Reply
                1. mealy

                  If you care to research the specific detailed history of attributions to the group in question and their latest campaign so you can make claims of validating their press release, feel free to do that for them. You took their claim at face value you admitted, that’s not on me to undo for you at length on this forum. Google is your friend, try that first next time.

                  If you know the name of the individual(s) who was/were paid the ransom here, provide any, otherwise your search bar isn’t of much use to determine if it was in fact legal nor prove the inverse corollary either way – and my original comment stands as stated that paying KNOWN criminal organizations as designated a ransom as stated IS, IN FACT, illegal. It was a broad statement of fact and you’ve wasted time pretending otherwise and pretending they didn’t say what it DOES SAY, in fact, is illegal. QED. You like to bicker too much for my taste, historically speaking I’ve watched you do this with dozens of people and it goes nowhere because you are TRYING to misunderstand them, constantly. I see you doing this on Krebs every other article. Get well soon.

                  Reply
                  1. JamminJ

                    The first sign that someone is losing an argument, is to say to “google it”. It means you’ve lost, and want to save face.
                    You don’t seem to have any understanding of enterprise security, but are arrogant enough to make a ridiculous claim and then double down when someone refutes it with fact.

                    You’ve been lying on this forum for a while, and hate it when I or others call you out on your BS. You go away for a while, then come back with more nonsense. You haven’t really shown you belong among a cohort of security professionals, but rather are just an obstinate person who doesn’t like to be challenged.

                    I don’t take the word of a criminal gang at face value. Their actions and their selfish motivations speak for themselves. They want to avoid large targets to avoid being on the radar, duh. They have failed at that goal, and probably failed in past too.

                    You seem to be under the delusion that not being on the OFAC SDN list means it is illegal to pay them. But it’s the opposite that is true.
                    Do you think that law makes things illegal by default and it’s up to the defense to prove innocent? This is a good example of innocent until proven guilty.
                    It’s not up to me or Colonial to prove that their payment was legal, by having perfect knowledge of all recipients of the ransom. It is up to the prosecution (you, and anyone claiming they broke the law), to prove that Darkside is listed as a sanctioned entity by OFAC. And that is easy to prove, just search for a group name such as Lazarus Group, Evil Corp, Bluenoroff and Andariel. They show up. Darkside does not.

                    Reply
                    1. mealy

                      Treasury. Omitted the a, typo.
                      “A typo, AHA!” – in before ego…

                    2. Honestly

                      “The first sign that someone is losing an argument, is to say to “google it”. It means you’ve lost, and want to save face.”

                      Haha, the first sign you’re an egotist is you start making up “the first rule about losing an argument” to butter up your position despite knowing nothing about the case and having a purely semantic nonsense argument and zero info.
                      Good luck with that.

                    3. Gregory

                      Dude, you’re really digging a grave for yourself, if you thought you had any credibility here it’s long gone by now.

                      If you can’t commit to a username, you look like a troll trying to bolster his own argument. You lost this fight a while ago. And now you’re just amusing me 🙂

                      I hope you stick around and continue you are tantrum mealy.

                    4. mealy

                      Gregory step 1 in you joining this fight is reading better.
                      Understanding complex legal conditionals is not step 2.
                      Not for you, it’s not step 3 either. Trolling is not a real step.

                      “I hope you stick around and continue you are tantrum mealy.”

                      Read every day, remember. You’ll improve over time.
                      Good luck.

                    5. JamminJ

                      “If you wilfully pay a criminal organization a ransom, you are committing a crime”
                      Is this still your claim?

          2. JamminJ

            “targets they won’t attack, yet still do”
            “They still did attack such groups”

            Nobody has yet to provide a name of a victim, that Darkside has attacked but said they wouldn’t. I’m waiting.

            Reply
            1. Honestly

              Nobody has yet to prove the opposite either. “It should be easy!” = google.com motto.
              Get to work, “deeply connected” Treasury gumshoe.

              Reply
              1. JamminJ

                Nope, the person making the claim, has the burden of proof.

                “targets they won’t attack, yet still do”
                “They still did attack such groups”
                Are two claims that have yet to be substantiated.

                Reply
                1. Honestly

                  You’re making the claim. Who are the individuals who were paid?
                  Oh you don’t even know, but pretend you can search for them?
                  How dumb. Good thing you didn’t wager millions.

                  Reply
                  1. JamminJ

                    Nope, the original claims were,
                    “targets they won’t attack, yet still do”
                    “They still did attack such groups”

                    Simple claim to substantiate if the evidence exists.

                    “Who are the individuals who were paid?”
                    So you are mealy, and you are commenting on another thread?
                    You use so many names.

                    I’ve addressed this question before. Read it on the original thread and stop trying to hijack.

                    Reply
                2. mealy

                  Your claim that we can search up the names of all individuals also has yet to be substantiated, you have yet to supply even one name of a single individual to prove they aren’t on the sanctions list. You don’t know who was paid here. You have no idea if they’re on the list. Q_D

                  Reply
                  1. Gregory

                    Haha, dude, you lost bad. You are looking very pathetic by spamming the same comment with different names.
                    He gave you the answer already you just don’t like it.
                    Pathetic and delusion to keep up this futile fight

                    Reply
                    1. mealy

                      Greg “losing” would be not being able to admit you’re wrong about something like the fact that you don’t know who was paid, how much, or whether they’re actually on the list.

                      Nice try at trolling but you’re not great at it yet.
                      I’d say try harder but it’s also moot.

  8. James Schumaker

    Bitcoin CM is continuing its crash today, down 9.52% to $32, 169.82. Many are attributing this to a statement by Donald Trump that Bitcoin is a scam, leading his gullible followers to dump their investment.

    I would also offer a further thought. Now that the FBI is going after bitcoin wallets, the whole trading model for Bitcoin, and perhaps other such currencies, will be under threat, as confiscating the proceeds of criminal activities could just be the first step in a clampdown on trading in Bitcoin generally. Anyone viewing Bitcoin as a surefire investment is probably going to be gravely disappointed in the coming months.

    Reply
    1. JamminJ

      Interesting.

      Bitcoin, like any cryptocurrency, or like fiat currency in general… is based on perceived confidence. The value is subject to even untrue misunderstandings. People “think” it’s a scam because dear leader said it… or people “think” the FBI is going after Bitcoin wallets.

      The FBI got access to the affliate server, with the wallet keys. It isn’t like the blockchain is broken, but so many people in the market today aren’t the original group of knowledgeable people who understand how it all works.

      Reply
      1. Greggie

        Excellent observation. I would argue that Crypto Currency is worse than the Global Exchange Currency issuer (GECI) Fiat script as Crypto is absolutely denominated in U$D. When one has to say “My Bitcoin or Dodgecoin or whatever-coin is worth X amount of US dollars…,” then then that crypto is nothing more than a simple trading proxy for its underlying value base: The US Dollar. The day when BTC holders can truly declare their Crypto-Currency as an absolute Independent store of value – where a majority quorum of trading entities don’t care about its FX value to other incumbent government backed currencies – would be the day Crypto is real. Unfortunately that day is an impossibility as the GECI is demonstrated it is more than willing to violently and brutally defend its position without prejudice.

        Moreover, as you correctly pointed out, The seduction of BTC is its perceived anonymity and decoupling from the grasp of the Global Exchange Currency issuer. Otherwise, why trade in it (other than the gamble of the Greater Fool theory)? No, the underlying Blockchain has …yet… to be compromised, but that is irrelevant in light of the now FACT that individual anonymity has been compromised. I can not see how BTC, or any non-permissioned Blockchain based currencies can survive other than as casino-like gambling chips that can only be cashed at one casino.

        Reply
        1. Nopie

          “as Crypto is absolutely denominated in U$D.” – This is true on your phone/screen.
          Not for everyone who uses cryptocoins. Another derp assumption of the pile.
          The US dollar is “a” fiat currency any of which coins can be traded for.
          Pretty basic stuff.

          Reply
    2. JamminJ

      What’s really interesting is this.

      Donald Trump is likely calling Bitcoin a Scam against the Dollar, because China has such a huge amount of control against the mining of Bitcoin.
      This is actually a subplot of the TV show, Mr. Robot… from years ago.

      E-Coin was managed by a faltering US corporation, and the characters in the show mentioned that the main antagonist China’s head of state security, and secret mastermind, wanted to sink E-Coin in favor of Bitcoin, which gave China the advantage.

      Reply
      1. Blahblah

        TLDR TV Guide, “TV shows are really interesting to me”

        Reply
        1. interested

          I think Mr robot is a really good show especially for those in security or hacker culture

          Reply
            1. interested

              JJ Abrams didn’t direct episodes of Mr robot i don’t think

              Reply
  9. security vet

    …the quoted policy from OFAC comes down to this key phrase…

    …”…(including the amount of civil monetary penalty, if any)…”…

    …so no, it’s not a crime and OFAC may assess a civil penalty…

    …huge difference…

    Reply
    1. Honestly Voltaire...

      It’s “illegal” to violate someone’s civil rights, and there is a “Civil penalty” for doing so.
      You can still call that illegal because yes, it is illegal.
      A FINE for violating a US Treasury regulation = “illegal” still applicable. IDGAF, but it is.

      huge difference… to pedants tring hard to make it into a huge difference by sheer opine…

      Reply
      1. security vet

        …the difference is there’s various laws against violation of so-called civil* rights…

        …there’s no law against paying a ransom…

        …only policy from OFAC…

        …*this is different civil – civil rights is different from a civil infraction of rules (or OFAC policy in this case)…

        Reply
        1. mealy

          blogs.findlaw.com/law_and_life/2015/10/whats-the-difference-between-laws-and-regulations.html
          “Violation of a US Dept regulation resulting in a fine” can in fact be described as “illegal”

          “Like laws, regulations are codified and published so that parties are on notice regarding what is and isn’t legal. And regulations often have the same force as laws, since, without them, regulatory agencies wouldn’t be able to enforce laws.”

          Any other misconceptions or semantic rabbit holes to fill in? No? Great.

          Reply
          1. JamminJ

            So Security Vet said “it’s not a crime” and you reply, “it’s still illegal”… thinking that you someone how defeated him with semantics? You’re just using different words with different meanings, so what?

            Criminal law wouldn’t apply, so not a “crime”, yet still illegal.

            But all this is moot, because not even civil liabilities, violation of regulation, etc… even apply to this case. The US Treasury has ZERO to say about money paid to entities not on the OFAC SDN list. It doesn’t apply, no matter how much you try to shoe horn this into the topic.

            What’s your real motivation here? The populist notion that Colonial is a bad company, deserves to be punished, lose their money, lose their customers, get their executives fired?
            Yeah, many would agree. But it doesn’t make law that doesn’t exist, suddenly pop into existence just because you want justice.

            Reply
          2. security vet

            …but it’s not a rule (in law) per se – it’s just an OFAC policy…

            …so a law is passed, say the Illegal Internet Gambling Enforcement Act, that directs an Agency to implement Rules that than have the power of law. In this case the OFAC just did a policy, not a Rule…

            …so no, it’s not against the law to pay a ransom to a non-OFAC sanctioned entity…

            Reply
            1. security vet

              …proposed Rules (that have the force of law) have to be published in the Code of Federal Regulations (CFR) first…

              …OFAC did not do that with their policy…

              …so again, no, it’s not illegal…

              Reply
              1. You need to clue in

                Neither of you can name the individuals involved in this payment.
                That’s going to make it tough to ensure they weren’t listed. Oops.
                Good thing it’s not your millions.

                Reply
                1. JamminJ

                  Individuals names are not needed. You don’t need to know the names, just a group name, like Darkside or REvil. Neither are listed. But Lazarus Group and others are listed.

                  That’s the problem with ransomware. The anonymity makes enforcement of OFAC nearly impossible. That’s why the Treasury “suggests” that victims contact them first, before paying. But even if they do, attribution takes a while and they can’t force companies to wait idle while someone verifies.

                  That’s the thing about being innocent until proven guilty. The defense (the victim company paying the ransom) doesn’t have to “ensure they weren’t listed” to be considered innocent. It is up to the prosecution (and commenters here insisting its illegal to pay a ransom) to prove the recipients WERE listed.

                  Reply
                  1. Nope

                    You’ve paid zero ransoms. Is that right? Just making sure.

                    They can have multiple group affiliations. One group monicker not listed doesn’t mean the individual is not in another group or severally listed themselves. This is basic logic. You don’t get past this point repeatedly by ego, less so a choice for you apparently. You know nothing about the group, whether or not individuals are listed, names, other affiliations or previous groups, who was sent money, how much, how many payments – none of it.
                    Sheer egotism + posing as an “expert” (or lawyer, neither) given what you don’t know is entirely unconvincing, sorry. But at least you have a few trolls who are impressed with your skills in their domain instead, perhaps you can monetize that… /s

                    You have no idea if individuals involved are sanctioned already. Searching a single keyword is not how you’d find that out unless lucky on the first go. You really do think it’s a 1 step process, lol? It’s remarkable naivete.

                    A single keyword is not going to determine what is needed to be certain that you’re not paying a “known” criminal and breaking US law, and your claims below that “proof a ransom is never illegal” are entirely nonsense garbage, just a heads up. Obama didn’t change kidnapping ransom law, for starters. That’s just one of several ways your blanket assertions are meritless today.

                    Thankfully, your troll friend Gregory? Isn’t a Federal Judge either.
                    Yeah, we can tell that much too. No search required.

                    Reply
                    1. Phasma

                      Hello I have not paid a ransom but I work for global company and have done international payments with new clients.
                      We are required by US Treasury and other regulators to search OFAC database before sending any payments.
                      It is a fairly easy process that is baked into our checklist.

                      Several times we have accidentally started processing payments to individuals that shared similar names with those on the ofac list, but after further checking we were cleared to process payment.

                      I personally work with legal to clear up issues. And they have told me that I’m required to perform simple searches of the database. And that it is legal for us to proceed with payment after the search comes up clear. I was not required to wait for any investigation.
                      Our client onboarding forms requires to collect any aliases. So we search for different variant names. It’s not hard only a few minutes.

                      I’ve never had to pay a ransom, but I don’t imagine they give you a name to check. How could anyone check before the ransomware expires?

              2. mealy

                It’s not just the “entity” it’s individuals also. Severally.

                Name the individuals involved or can’t you?
                There’s the rub. BTW, they’re hosted in IRAN.
                It’s on the list. Not sure if you know that.

                Reply
                1. JamminJ

                  Please link to an article showing darkside is really hosted in Iran. All I am seeing is articles from last year saying that there were “plans” for Darkside to host in Iran (unconfirmed). It obviously didn’t happen since OFAC has updated their list many many times since then, last update last week… and Darkside still isn’t on the list.
                  But if true, that indeed might change things. Ball’s in your court to provide evidence to me and to the US Treasury to get them added to the list.

                  But I suspect you casually replaced “plan to host” with “they’re hosted”, in yet another flagrant lie.

                  Reply
                  1. mealy

                    You’re not in the FBI. I shouldn’t have to remind you of that,
                    but apparently…

                    Reply
            2. derps

              It’s a Dept of Treasury REGULATION semantics detectives. It has legal weight.

              Reply
              1. JamminJ

                Yes, it has legal weight. But only applicable to OFAC SDN listed. That is not the case here. So it’s irrelevant

                Reply
                1. mealy

                  Provide the names of individuals paid so we can check?
                  Oh right. Still mealy-mouthed on that critical point.

                  Reply
                  1. JamminJ

                    It’s not a critical point since OFAC deals with group names too.
                    It’s like me saying your favorite color is required to comment on this site. It isn’t relevant. Just because you keep asking, doesn’t make it required knowledge.
                    You haven’t even searched for DRIDEX Gang yet to see how they are listed, but individual members are not.

                    Reply
                    1. Hm

                      Groups and individuals, severally listed in the DB.
                      If you don’t know the names, you don’t actually know.
                      Just like you don’t know who got paid nor how much.

                  2. Gregory

                    It’s really not hard to see that all of these comments with different user names are from a single insecure person.
                    They all have the same weak argument, the same transparently ignorant fixation on requiring individual names to prove innocence.

                    It’s simple logic. The names have to be on the list, whether group or individual to make any claim that it’s illegal to pay the ransom. If he or I, or any one cannot provide a name list… Then it is legal.
                    The burden of proof is on you, not the other way around

                    Reply
              2. security vet

                …so we’ll wait and see if everyone whoever paid a ransomware get fined…

                …meanwhile I won’t be holding my breath…

                Reply
                1. Honestly

                  You probably should, it might improve your zero info position…

                  Reply
                2. JamminJ

                  That’s a good point.
                  He seems to go on and on asking for individual names that would “prove the negative”, putting the burden on the victim to “prove” they are acting legally when sending the ransom.

                  But the real question is… has anyone, ever, in the history of paying ransoms, been charged with an OFAC violation?
                  What are the names of those people? Why won’t he answer that?

                  Reply
                  1. mealy

                    Court seals exist, NSL’s exist, lots of factors exist outside of the public realm that ‘we’ can readily point to. It doesn’t negate them.

                    It’s also why internet arguments don’t always have verdicts. This case is no more or less ultimately provable as a result of searching for a single keyword either. That’s all.

                    Reply
                    1. JamminJ

                      OFAC and companies paying ransomware has been going on for several years. Court seals don’t last that long. And NSL’s don’t keep criminal charges or civil penalties out of public records.
                      What victim was ever charged with paying a ransom?
                      Answer the question and stop dodging.

  10. Eitan Caspi

    Interesting… Not so long ago, on October 2020, the The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) said “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” (https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam/)

    And now we learn that “The United States Department of Justice on Monday touted the recovery of $2.3 million — about half — of the ransom that was collected by hackers in the Colonial Pipeline attack last month.” (https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac)

    So, one arm of the US government say it is illegal to pay to release ransomware, but another arm, the one that is in charge of acting against illegal actions – not only it is not acting against such payment, but also helps to get the money back. Wow, that made me confused. Maybe because it was allowed because it was related to a critical infrastructure. Flexibility in enforcement is important.

    Reply
    1. JamminJ

      From the Krebs article:
      Faulk said OFAC may impose civil penalties for sanctions violations based on “strict liability,” meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.
      “In other words, in order to be held liable as a civil (administrative) matter (as opposed to criminal), no mens rea or even ‘reason to know’ that the person is sanctioned is necessary under OFAC regulations,” Faulk said.

      So not criminal, but civil.

      But the larger context of US Treasure OFAC shows that most ransomware payments won’t even apply, as this only applies to the OFAC SDN list of sanctioned individuals. So if hit by North Korean or Iranian ransomware…. then yes, worry about OFAC. But Russia, unfortunately, isn’t going to have the same sanctions on the entire country.

      Darkside is not sanctioned by the US Treasury. Probably because they don’t sponsor terrorism (that we know of yet). So there is no real confusion.
      It was legal for Colonial to pay the ransom (not even a civil penalty in this case). And the DOJ will likely return the recovered funds without too much delay.

      Reply
      1. If Then

        Name all individuals paid by Colonial pipeline, then we’ll search.

        Oh you can’t?

        Reply
      2. Nope

        “So not criminal, but civil.”

        This is not a distinction between “legal” and “illegal”, sorry.

        Reply
        1. JamminJ

          I was referencing the October Krebs article that was linked in the OP
          “In other words, in order to be held liable as a civil (administrative) matter (as opposed to criminal)”
          I wasn’t arguing a distinction between legal and illegal.

          But its all moot, since Colonial’s ransom payment made to a criminal gang wasn’t illegal at all. The recipient would have to be listed on the OFAC SDN, which they have not.

          Reply
          1. Nope

            “The recipient would have to be listed on the OFAC SDN, which they have not.”

            You don’t know who the actual recipient of the payment was.
            You don’t even know the total or if there were multiple payments.
            You don’t know any of the individuals in the organization either.
            You’re not in a position to know any of these things. Whoops?
            Slight gap in your #logic. But you’re right about one thing :
            Oh yes, it’s moot. It’s been moot since you picked this line up.

            Reply
            1. Gregory

              So you’ve changed your name here about a million times, all spamming the same stupid response.
              You keep demanding an answer that wouldn’t vindicate you anyway, just to catch someone in a gotcha. Stop asking for individuals, it’s not gonna make your chain true.
              Anyone with half a brain could see that jammin was right and you mealy are just stubborn with a million aliases.

              You’re looking pretty pathetic and like a sore loser.
              Get over it dude, you were wrong. Man up and bow out.

              Reply
              1. Nope

                Gregory he’s a worse lawyer than your are a troll,
                and that’s saying something.

                You don’t know the names of the individuals, you don’t know they’re not on the list if the particular org you’re searching for isn’t there, and you have no idea who got paid in this case either way. I don’t care what you think of what you don’t know. It’s like caring about outer space, it’s voluminous.

                Reply
              2. Try a nap?

                How many times will you feel the need to troll in reply, 10? 20?
                Or will you simply realize neither of you knows jack about this, really?
                You can’t name a single individual. You know nothing of their organization.
                You don’t know who was paid, how much, or who has remaining coins now.
                You don’t know who authorized it. You don’t know anything about it.
                The difference is he claims to, and you can’t pretend quite as well.

                Reply
                1. Phasma

                  I have skipped most of your bickering but it seems you might appreciate someone who’s actually knowledgeable about OFAC.
                  I can tell you from my experience directly and consultation with legal department. None of that information is necessary prior to approving payment processing.
                  I work for a global company that must routinely pay new international client.

                  Reply
    2. mealy

      FBI (DOJ) may waive/exonerate if they’re acting in coordination with official investigation to further it.
      It’s unclear exactly how that went here, it’s also unclear if the individual / groups are officially designated.
      I agree from the public view it’s seemingly contradictory without those missing details.
      When it’s ransom for actual kidnapping it’s more directly straightforward than malware.
      law.cornell.edu/uscode/text/18/1202

      Reply
      1. JamminJ

        2015 – President Obama unveiled new rules Wednesday that would basically allow families to offer private ransom payments for relatives kidnapped overseas.

        While the federal government will continue to refuse to make ransom payments, Obama and other officials said families will no longer be threatened with prosecution if they seek to do so privately.

        “I’m making it clear that these families are to be treated like what they are — our trusted partners and active partners in the recovery of their loved ones,” Obama said in announcing the changes from the White House.

        While it is illegal for private citizens to pay ransoms [for international terrorism], Obama stressed that no family member has ever been prosecuted for trying to do so.

        “We have had a policy in the United States for over 200 years of not paying ransom and not negotiating with terrorists,” said House Speaker John Boehner, R-Ohio.

        The law banning “material support” to terrorist groups — including money — remains intact, and Obama and other officials have repeatedly said that ransom payments would only encourage more kidnappings.

        Reply
        1. Anton Smiley

          What does any of that have to do with this situation though?

          Reply
          1. JamminJ

            A reply to a comment claiming that ransom payments are illegal to make, and a comparison to kidnapping ransom. This is proof that it’s not illegal to pay ransom, even in kidnapping situations.
            It may be counterproductive and a bad idea that both sides can agree, don’t pay ransoms… but that doesn’t make it illegal.

            Reply
            1. Uh, no

              “This is proof that it’s not illegal to pay ransom, even in kidnapping situations.”
              That’s not what it says.

              Reply
              1. Gregory

                Mealy alias #463, it’s pretty much what it says, and anyone can read for themselves. It’s a direct quote.

                Reply
    3. Eitan Caspi

      Brian Krebs previously wrote “Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions” (https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam/)

      I guess the keywords are “if the crooks .. are ALREADY under economic sanctions”. Most cyber crime gangs are not already under economic sanctions and it looks like these crooks are not either.

      Reply
  11. JamminJ

    Longer response pending moderation (not sure why).
    But short answer is there is no conflict. DOJ has to return recovered property from an extortion victim, and OFAC only applies to sanctioned entities (groups or individuals). Darkside, and the majority of criminal ransomware gangs, are NOT sanctioned by the Treasury Dept (OFAC was designed for sponsored terrorist states).

    Reply
    1. All Day Long

      Name all individuals in the group so we can search. We’ll wait.

      Reply
      1. JamminJ

        You say you’re waiting for me… but you have asked for something irrelevant. So good, hold your breath while you wait 🙂 You have all you need to search the SDN.

        Sanctions Lists May Include Hackers
        Hacker Groups, and Governments Known To Support Hackers. Illegal cyber activities (e.g., hacking) have been declared a national emergency and can result in the actors being added to the Sanctions Lists.
        For example, OFAC imposed sanctions on two Russian individuals for engaging in malicious cyber-enabled activities. One of the individuals was responsible for the development and use of Cryptolocker, a form of ransomware, which infected over 120,000 U.S. victims.”
        Legality-of-Paying-Ransom-FINAL-2018.1.19.pdf

        I gave you the group name (“Darkside”), and if any member were to be sanctioned… the entire group would be listed and available to search.

        Reply
        1. All Day Long

          So you admit you can’t name the “individuals AND entities” you asked me to search for to prove you wrong with your spammed search link, how simple was that.

          I guess we’re finally done.

          Reply
          1. Gregory

            So you’ve changed your name here about a million times, all spamming the same stupid response. You keep demanding an answer that wouldn’t vindicate you anyway, just to catch someone in a gotcha.
            Anyone with half a brain could see that jammin was right and you mealy are just stubborn with a million aliases.

            You’re looking pretty pathetic and like a sore loser.
            Get over it dude, you were wrong. Man up and bow out.

            Reply
            1. All Day Long

              I guess you’ll run from the same questions he did, in the end. Er, dude.

              Reply
              1. Gregory

                Is that really your move? To keep trolling asking a question you’ve already got the answer to?

                You sound like you are 12 years old having a tantrum.

                Everyone here can see through your transparent fake accounts. You made a stupid claim but won’t let it go.

                Reply
                1. All Day Long

                  “Is that really your move? To keep trolling asking a question you’ve already got the answer to?” – Actually that’s his. Mine is asking one there is no answer to, which is required for basic due dilligence if you’re not going to be cooperating with authorities to be absolutely sure you aren’t breaking a law or regulation. I’m not trying to debate you on it, that’s not worth much.

                  “You sound like you are 12 years old having a tantrum.’

                  The more times you repeat this, the less it is about me.
                  Take care now.

                  Reply
  12. Stuart

    JamminJ: 23 points
    mealy and aliases: 0

    Not even a fair fight.

    Reply
    1. Little

      Reading : 0, required to have opine, form argument.
      Arguing about unrelated semantics : Less than 0
      Cheerleading Stuart : no points awarded, troll

      Good luck naming any individuals who were paid.

      Reply
      1. Gregory

        So another fake username? You are the sorest loser I’ve ever seen. Well second sorest loser.

        You’re not even creative, but had to repeat someone else’s remark. I’m beginning to think that you’re a child trolling here.

        You haven’t shown any real-world experience or cyber security expertise, just some rhetoric about it being always illegal to pay ransom to criminal gangs. You got called out on that crap and now you’re having a tantrum.

        Reply
  13. Gregory

    It’s really not hard to see that all of these comments with different user names are from a single insecure person.
    They all have the same weak argument, the same transparently ignorant fixation on requiring individual names to prove innocence.

    This forum is usually a place of informative discussion, but ignorant misinformation does get challenged and corrected.
    Jammin is correct, so yeah people will confirm that. Don’t get butt hurt because nobody is backing up your lie. It’s certainly no reason to spam the comment section with fake aliases just to try to win an argument by brute Force.

    Reply
  14. Oldami

    Wow. The most childish and long-winded flame war I’ve seen since I left alt.2600.
    Stop with the egotistical piss match and get back to discussing security.

    Reply
    1. Gregory

      Original security-related claim was that making a ransom payment to any criminal organization is illegal by default.
      That would have huge implications in the cybersecurity world.

      Reply
      1. Anton Smiley

        Has anyone ever got in trouble for paying a ransom? seems like an easy thing to show.

        Reply
        1. nativetexan

          If nobody has ever gotten in trouble, its probably a made up law based on wishful thinking. I know a lot of us want to see Colonial Pipeline get in trouble for something.

          Reply
          1. security vet

            …Colonial Pipeline did not do 2FA, a security best practices no no, but commit a crime? No they did not…

            Reply
        2. security vet

          …never…

          …fraud, yes, but just paying a ransom, never…

          Reply
  15. security vet

    …btw JBS Meat did not break any law paying $11m either…

    …criminalizing ransom paying is not the way to fix this…

    …fixing the vulns is…

    Reply
  16. WSmarty online

    Brian Krebs previously wrote “Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions”
    If you care to research the specific detailed history of attributions to the group in question and their latest campaign on https://paidposthelp.com/ so you can make claims of validating their press release, feel free to do that for them. You took their claim at face value you admitted, that’s not on me to undo for you at length on this forum of http://ups-tracking.co/ Google is your friend, try that first next time.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *