The Justice Department on Monday touted the recovery of $2.3 million – about half – of the ransom collected by hackers in the attack on the Colonial Pipeline last month. Experts say it was a surprising outcome to an increasingly frequent and serious crime.
“Ransomware is very rarely recovered,” said April Falcon Doss, executive director of the Institute for Technology Law and Policy at Georgetown Law, who described it as “a very big victory” for the government. “What we don’t know is whether or not this will pave the way for similar future successes.”
This is because there are several unexplained factors that contributed to the success of the operation.
A new task force holds the key
At a press conference on Monday, senior federal law enforcement officials explained that the money had been clawed back by a recently launched ransomware and digital extortion task force, which was established as part of the government’s response to a wave of cyberattacks.
To resolve the attack on Colonial Pipeline, the company paid approximately $4.4 million on May 8 to regain access to its computer systems after its oil and gas pipelines across the eastern United States were crippled by ransomware.
Victims of these attacks are given very specific instructions on when and where to send the money, so it is not uncommon for investigators to trace payments to cryptocurrency accounts, usually Bitcoin, set up by the criminal organizations behind the extortion. What is unusual is being able to unlock these accounts in order to collect the funds.
Court documents released in the Colonial Pipeline case indicate that the FBI gained access using the private key linked to the Bitcoin account to which the ransom money was handed over. However, officials have not disclosed how they obtained this key. One of the reasons criminals like to use Bitcoin and other cryptocurrencies is the anonymity of the entire system, as well as the idea that funds in a given cryptocurrency wallet cannot be accessed without a complex digital key.
“The private key is, from a technological standpoint, what made it possible to seize these funds,” Doss said. She added that cyber attackers will do their utmost to protect any information that could cause someone to associate the key with an individual or an organization: “They will really try to cover their tracks.”
Officials likely recovered the private key in one of three ways
One possibility is that the FBI was notified by someone associated with the attack: either the person or group behind the scheme, Doss says, or someone associated with DarkSide, a Russia-based ransomware developer that leases its malware to other criminals for a fee or a share of the proceeds.
A second theory is that the FBI discovered the key thanks to a reckless criminal.
FBI Deputy Director Paul Abbate said on Monday that the bureau had been investigating DarkSide for the past year.
Doss notes that it is likely that in their surveillance, officials may have had search warrants allowing them to access e-mails or other communications from one or more of the people who participated in the scheme. “And because of that, they were able to access the private key, because maybe someone emailed something to help them find it,” she says.
Doss says the third possibility is that the FBI recovered the key with the help of a Bitcoin or other cryptocurrency exchange, where the money had bounced from one account to another since the initial payment.
She says it’s unclear whether any of the exchanges were willing to cooperate with the FBI or respond to the agency’s subpoenas – but if they were, it could be a game-changer in the fight against ransomware attacks.
What is not likely is that the FBI cracked the key itself, according to Doss. Although she admits that this is theoretically possible, “the idea that the FBI has, through some sort of brute-force decryption activity, discovered the private key appears to be the least likely scenario.”
Either way, Doss says, if the authorities are able to systematically recover the proceeds of these attacks, they are likely to eliminate the crime.
Tracking the money didn’t take long
That said, the attackers made an unusual mistake in this case by not moving the money. The $2.3 million that was eventually recovered was still in the same Bitcoin account it had been delivered to.
“You really don’t see that with cybercrime,” Doss said.
For example, she said, there is another scam in which a business is tricked into submitting a payment using bogus instructions. “The funds are transferred to accounts in legitimate banks. The banks do not realize that the account was created by a fraudulent actor. And as soon as these funds arrive in the account, they are transferred out of the account by the criminals almost instantly,” Doss said. “Within 72 hours, these funds are gone and are very difficult to track or trace.”
Doss suspects that during the attack on Colonial Pipeline, the attackers were too convinced that the money could not be traced and that their private key was secure.
Thwarting more of these extortion plans could become critical for the US economy. According to Coalition, a cybersecurity firm that tracks insurance claims, ransom demands doubled from 2019 to 2020.
These costs appear to be skyrocketing again this year. In March, CNA Financial Corp., one of the largest insurance companies in the United States, paid $40 million after a ransomware attack, Bloomberg reported.
In April, the REvil ransomware gang demanded $ 50 million from Apple in exchange for data and schematics they claimed to have stolen, focused on unreleased products, Wired reported. It’s unclear whether Apple responded to REvil’s requests, but the criminal group threatened to auction the information if it didn’t.