The Justice Department announced on Monday that it had recovered $2.3 million, roughly half of the ransom collected by hackers in last month's attack on Colonial Pipeline. Experts say this is a surprising result for an increasingly common and serious crime.
“Ransom is rarely recovered,” said April Falcon Doss, executive director of Georgetown Law's Institute for Technology Law and Policy, who described the seizure as a “really big profit” for the government. “What we don't know is whether this will pave the way for similar successes in the future.”
That is because several of the factors that contributed to the operation's success remain unexplained.
A new working group holds the key
During a press conference Monday, senior federal law enforcement officials explained that the money had been recovered by a recently launched ransomware and digital extortion task force, set up as part of the government's response to the wave of cyberattacks.
To end the attack, Colonial Pipeline paid roughly $4.4 million in bitcoin on May 8 to regain access to its computer systems after the ransomware forced it to shut down its pipeline, which carries fuel to much of the eastern United States.
Victims of these attacks receive very specific instructions on when and where to send the money, so investigators can often trace a payment to the cryptocurrency address, usually a bitcoin address, that the criminal organization behind the extortion set up to receive it. What is unusual is being able to take control of that address and get the money back.
Court documents released in the Colonial Pipeline case say the FBI seized the funds using the private key for the bitcoin address to which the ransom was delivered. Officials did not disclose how they obtained that key. One reason criminals favor bitcoin and other cryptocurrencies is the pseudonymity of the system (every transaction is public, but addresses are not tied to names), along with the fact that the funds at a given address can be spent only by whoever holds the corresponding private key: a large random number that, unlike a bank account, has no password-reset process and cannot be frozen by a third party.
“The private key is, from a technological point of view, the thing that allowed these funds to be seized,” Doss said. She added that cyberattackers will do everything possible to keep out of reach any information that could lead someone to associate the key with a person or organization: “They will really try to cover their tracks.”
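To make concrete what “the private key” means here, the following added example (written for this page, not code from the article, the FBI, or any party in the case) builds a bitcoin keypair on the secp256k1 curve and shows that a spend is accepted only when it is signed with the matching private key. The transaction text and the attacker's key value are constructed; the message hashing and nonce generation are simplified relative to Bitcoin's (single SHA-256, HMAC-derived nonce rather than full RFC 6979), and the SHA-256/RIPEMD-160 address-encoding step is omitted.

```python
"""Added illustration, not from the article: why whoever holds a Bitcoin
private key controls the coins at the matching address.

Pure-Python secp256k1 (the curve Bitcoin uses) plus a simplified ECDSA.
Assumptions: messages are hashed once with SHA-256 rather than Bitcoin's
double SHA-256, nonces come from HMAC rather than full RFC 6979, and the
address-encoding step (SHA-256 then RIPEMD-160 of the public key) is left out.
Teaching code only; real wallets use libsecp256k1.
"""
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def pubkey(priv):
    """Public point for a private key; a Bitcoin address is derived from this."""
    assert 0 < priv < N
    return _mul(priv, G)


def compress(point):
    """33-byte compressed encoding, as the public key appears in transactions."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _z(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    """ECDSA signature (r, s); only the private key holder can produce one."""
    z = _z(msg)
    counter = 0
    while True:
        # Deterministic nonce bound to key and message so it is never reused
        # (a reused or leaked k reveals the private key). Simplified RFC 6979.
        k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"),
                                    msg + counter.to_bytes(4, "big"),
                                    "sha256").digest(), "big") % N
        counter += 1
        if k == 0:
            continue
        r = _mul(k, G)[0] % N
        s = (z + r * priv) * pow(k, -1, N) % N
        if r and s:
            return r, s


def verify(pub, msg, sig):
    """The check every Bitcoin node performs before letting coins move."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def can_spend(priv_candidate, pub, spend_msg):
    """True iff priv_candidate yields a signature the network accepts for pub."""
    return verify(pub, spend_msg, sign(priv_candidate, spend_msg))


if __name__ == "__main__":
    # Constructed scenario (not real case data): the attacker's key and a
    # transaction that would move the ransom out of the receiving address.
    attacker_priv = 0xC0FFEE123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789A
    ransom_addr = pubkey(attacker_priv)
    spend = b"constructed tx: move 63.7 BTC from ransom address to exchange"
    print("ransom address pubkey:", compress(ransom_addr).hex())
    print("attacker can spend:   ", can_spend(attacker_priv, ransom_addr, spend))
    print("outsider can spend:   ", can_spend(0xDEADBEEF, ransom_addr, spend))
    print("holder of seized key: ", can_spend(attacker_priv, ransom_addr, spend))
```

Run it directly to print the compressed public key and the three spend checks. The point for investigators is that the ledger is public and traceable, but moving the coins requires exactly this signature, so seizing them means obtaining the key itself, whether from a cooperating party, from communications captured under a warrant, or from a custodian such as an exchange that held it.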
Officials may have retrieved the private key in one of three ways
One possibility is that the FBI was tipped off by someone involved in the attack: either the person or group behind the scheme, Doss says, or someone connected to DarkSide, the Russia-based ransomware developer that rents its malware to other criminals for a fee or a share of the proceeds.
A second theory is that the FBI obtained the key thanks to a careless criminal.
FBI Deputy Director Paul Abbate said Monday that the bureau has been investigating DarkSide since last year.
Doss notes that during that monitoring, agents likely had search warrants giving them access to emails or other communications of one or more of the people involved in the scheme. “And through that, they were able to access the private key because maybe someone emailed something to help them keep track,” she said.
The third option, Doss says, is that the FBI obtained the key through a cryptocurrency exchange, since the money moved from one address to another after it was first paid.
She says it is not known whether any of the exchanges were willing to cooperate with the FBI or to respond to the agency's subpoenas, but if they were, that could be a significant factor in the fight against ransomware attacks.
What is not likely, according to Doss, is that the FBI somehow cracked the key on its own. Although she acknowledges that it is theoretically possible, “the idea that the FBI would have, through some brute force of decryption, figured out the private key seems to be the least likely scenario.” A bitcoin private key is a 256-bit number, and guessing one by brute force is far beyond any existing computing capability, so the key almost certainly came from a person, a captured communication, or a third party that held it.
Nevertheless, Doss says, if authorities are able to consistently take away the profits from these attacks, they are likely to reduce the crime.
It didn’t take long to follow the money
The attackers, however, made an unusual mistake in this case: they did not move the money. The $2.3 million that was eventually recovered was still sitting at the same bitcoin address to which it had been delivered.
“You really don't see that in cybercrime,” Doss said.
For example, she said, in another scam a company is tricked into making a payment using false instructions. “The funds are sent to accounts at legitimate banks. The banks do not realize that the account was created by a fraudulent actor. And as soon as these funds get into the account, they are pulled out of the account by the criminals almost immediately,” Doss said. “Within 72 hours, those funds have disappeared and are very difficult to track or trace.”
Doss suspects that in the Colonial Pipeline attack, the attackers were overconfident that the money could not be traced and that their private key was secure.
Disrupting more of these extortion schemes could become critical to the US economy. According to Coalition, a cyber-insurance company that tracks claims, ransom demands doubled from 2019 to 2020.
Those costs remain steep this year. In March, CNA Financial Corp., one of the largest insurance companies in the United States, paid $40 million after a ransomware attack, Bloomberg reported.
In April, the ransomware gang REvil demanded $50 million from Apple in exchange for data and schematics it claimed to have stolen, including plans for unreleased products, Wired reported. It is unclear whether Apple complied with REvil's demands, but the group threatened to sell the information if it did not.