The Justice Department on Monday announced that it had recovered $2.3 million, about half of the ransom collected by hackers in the Colonial Pipeline attack last month. Experts say it was a surprising result in the fight against an increasingly frequent and serious crime.
“Ransomware is rarely recovered,” said April Falcon Doss, executive director of the Institute for Technology Law and Policy at Georgetown Law, calling it a “really big win” for the government. “What we don’t know is whether or not this will pave the way for similar successes in the future.”
That is because many of the factors that contributed to the operation's success remain unexplained.
A new team holds the key
During a press conference on Monday, top federal law enforcement officials explained that the money was recovered by the recently launched Ransomware and Digital Extortion Task Force, which was set up as part of the government’s response to a surge in cyberattacks.
To end the Colonial Pipeline attack, the company paid about $4.4 million on May 8 to restore access to its computer systems after its oil and gas pipelines across the eastern United States were paralyzed by ransomware.
Victims of these attacks are given very specific instructions about when and where to send money, so it is not uncommon for investigators to trace payments to cryptocurrency accounts, usually Bitcoin, created by the criminal organizations behind the extortion. What is unusual is being able to get into those accounts and take the money back.
Court documents released in the Colonial Pipeline case indicate that the FBI gained access using the cryptographic key associated with the bitcoin account to which the ransom money was delivered. However, officials did not reveal how they obtained this key. One of the reasons criminals prefer Bitcoin and other cryptocurrencies is the anonymity of the system, along with the fact that funds in a cryptocurrency wallet can only be accessed with a complex digital key.
“The private key, from a technological perspective, is the thing that made it possible to confiscate this money,” Doss said. She added that hackers would go to great lengths to protect any information that could lead someone to associate the key with an individual or organization: “They’ll really try to hide their tracks.”
Officials could have recovered the private key in one of three ways
One possibility is that the FBI received a tip-off from someone linked to the attack: either the person or group behind the scheme, Doss says, or someone linked to DarkSide, a ransomware developer in Russia that leases its malware to other criminals for a fee or a share of the proceeds.
The second theory is that the FBI uncovered the key thanks to a negligent criminal.
FBI Deputy Director Paul Abbate said Monday that the bureau has been investigating DarkSide since last year.
Doss notes that while officials were watching, they likely had search warrants enabling them to gain access to emails or other communications from one or more of the people involved in the scheme. “And through that, they had access to the private key, because someone might have emailed something to help them track it,” she says.
A third possibility, Doss says, is that the FBI recovered the key with the help of Bitcoin or of a cryptocurrency exchange, where the money had been bouncing from one account to another since it was first paid.
She says it is unknown whether any of the exchanges are willing to cooperate with the FBI or respond to the agency's subpoenas, but if they are, it could be a game-changer in combating ransomware attacks.
What is not likely, according to Doss, is that the FBI somehow cracked the key on its own. While she acknowledges that this is theoretically possible, “the idea that the FBI might, through some kind of brute-force decryption activity, have figured out the private key is the least likely scenario.”
Regardless, Doss says, if authorities were able to consistently strip attackers of their profits, they could potentially stamp out the crime.
Tracking the money didn't take long
However, the attackers made an unusual mistake in this case by failing to keep the money moving. The $2.3 million that was eventually recovered was still in the same Bitcoin account it had been delivered to.
“You don’t really see that with cybercrime,” Doss said.
For example, she said, there is another scam in which a company is tricked into making a payment using false instructions. “The funds are transferred to accounts in legitimate banks. The banks are not aware that the account has been created by a fraudulent entity. Once this money is in the account, it is transferred out of the account by criminals almost immediately. This money is hard to track or trace,” Doss said.
Doss suspects that in the Colonial Pipeline attack, the attackers were overly confident that the funds could not be traced and that their private key was secure.
Thwarting more of these extortion schemes could become critical to the US economy. According to Coalition, a cybersecurity company that tracks insurance claims, ransom demands doubled from 2019 to 2020.
Those costs appear to be skyrocketing this year. In March, CNA Financial Corp., one of the largest insurance companies in the United States, paid $40 million after a ransomware attack, Bloomberg reported.
In April, the ransomware gang REvil demanded $50 million from Apple in exchange for data and plans it claimed to have stolen, focused on unreleased products, Wired reported. It's unclear whether Apple met REvil's demands, but the criminal group has threatened to auction off the information if it doesn't.