Huh: DOJ recovers most of the ransomware paid to hackers by Colonial Pipeline

This is the way to deter ransomware attacks, right? There’s only so much you can do to reach the hackers themselves since they’re based overseas. And while you can retaliate against the governments of the nations where those hackers are based by hacking those countries back, that risks a cycle of escalation.

But if you make it so that hackers can’t keep the ransoms that are paid to them, eventually you’ll get fewer attacks. Which is the goal.

My first thought when I heard the news today was to wonder if the Russian government had assisted in the ransom recovery behind the scenes. The DarkSide hackers who hit Colonial Pipeline are believed to operate in Russia, and while normally the Kremlin wouldn’t care about that, in this case the target was a key supplier of energy to the east coast of the United States. Holding up a bank for a few million dollars is one thing; causing a gasoline shortage in multiple U.S. states is something else entirely. The crisis was so serious, in fact, that the hackers took the unusual step of apologizing and then announcing that they were shutting down. It’s strange to see such instantaneous contrition from a bunch of criminals whose heist had worked perfectly.

Which makes you wonder if someone close to home might have come knocking on their door.

This sounds like good cyberdetective work by the DOJ, though. The $4.4 million ransom was paid by Colonial Pipeline last month in Bitcoin, as is customary in this sort of attack. Every Bitcoin transaction is public on the blockchain, but the addresses are pseudonymous; tying an address to a real person, and cashing the coins out without being identified, is the hard part, which is what makes cryptocurrency a natural option for money laundering. Maybe the feds have gotten better at that.

The seizure on Monday marked a first-of-its-kind effort by the Justice Department to hijack a cybercriminal group’s profits through a hack of its Bitcoin wallet. The Justice Department said that it had seized 63.7 Bitcoins, currently valued at about $2.3 million. (The value of a Bitcoin has dropped over the past month.)…

Officials said that they identified a virtual currency account, often referred to as a “wallet,” that DarkSide had used to collect payment from one of its ransomware victims, and that a magistrate judge in the Northern District of California had granted a warrant to seize funds from the wallet earlier in the day.

How did the feds identify the group’s Bitcoin wallet? Apparently there’s reason to believe that the DarkSide hackers in this case weren’t very sophisticated, which is good news and bad news. The bad news is that even mediocre hackers are evidently capable of causing a gas shortage in the United States. The good news is that mediocre hackers tend not to have good operational security, which, per CNN, means that the feds can sometimes sneak into the hackers’ own servers and exact some justice. “In some cases, US officials can find the ransomware operators and ‘own’ their network within hours of an attack, one of the sources explained…” Elsewhere in the same story CNN claims that the U.S. government has gotten “adept” at tracing the currency used to pay ransoms.

In fact, the feds have had a bead on the hackers’ Bitcoin wallet for weeks. In mid-May the Times reported that a cybersecurity firm specializing in cryptocurrency, Elliptic, had identified the wallet. Then money started moving around:

Since the DarkSide account was opened in March, Elliptic said, it had received $17.5 million from 21 Bitcoin wallets, indicating the number of ransoms it had collected just this spring. Cybersecurity analysts assess that the group has been active since at least August, and has most likely used a number of different Bitcoin wallets to receive ransoms.

But on Thursday, someone withdrew roughly 113.5 Bitcoin, or $5.6 million, from DarkSide’s Bitcoin wallet and moved it into an unknown user’s account, according to TRM Labs, a San Francisco blockchain intelligence company. The sum amounted to Colonial’s 75 Bitcoin ransom plus that of a German company, Brenntag, which also opted to pay its digital extortionists, TRM Labs said.

To whom that other account belongs is yet another plot twist in the hacking episode.

To move coins out of a Bitcoin address, someone needs the “private key” that matches it; without that key no spending transaction can be signed, so whoever emptied the wallet either had the key or had taken it. Was one of the hackers using that key to move the money out of there, possibly because they knew somehow that the wallet had been identified? (In that case, why didn’t they empty the entire wallet?) Were the hackers themselves hacked, with some third party siphoning off cash in the account?
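The kind of ledger analysis Elliptic and TRM Labs are describing above (tally a wallet’s inflows, count the distinct payers, follow an outflow hop by hop to where it lands) can be sketched with a small transaction-graph script. What follows is an added example written for this post, not code from either firm or from the DOJ; the ledger, the address labels and the amounts are constructed for illustration and are not real Bitcoin addresses or the actual DarkSide transactions.

```python
"""Toy transaction-graph tracing, in the style of blockchain-intelligence work.

Constructed example: the ledger below is invented. Address labels such as
"darkside_collector" are placeholders, not real Bitcoin addresses, and the
amounts only loosely echo the figures reported in the press.
"""
from collections import defaultdict, deque

# Each entry is (txid, from_address, to_address, amount_btc). Real Bitcoin
# transactions have multiple inputs and outputs (UTXOs); this flat model is
# enough to show the tracing logic.
SAMPLE_TXS = [
    ("t01", "victimA", "darkside_collector", 75.0),   # one victim's ransom
    ("t02", "victimB", "darkside_collector", 38.5),   # a second victim
    ("t03", "victimC", "darkside_collector", 12.0),   # a third victim
    ("t04", "darkside_collector", "hop1", 113.5),     # bulk withdrawal
    ("t05", "hop1", "hop2", 50.0),                    # split across hops
    ("t06", "hop1", "exchange_deposit", 63.5),        # lands at a service
    ("t07", "hop2", "exchange_deposit", 50.0),
    ("t08", "unrelated1", "unrelated2", 1.0),         # noise, never reached
]


def inflows(txs, addr):
    """Total received by addr, number of distinct senders, and per-sender sums.

    A collector address that receives from many distinct senders is exactly
    the pattern Elliptic used to infer "21 ransoms" from 21 paying wallets.
    """
    senders = defaultdict(float)
    for _txid, src, dst, amt in txs:
        if dst == addr:
            senders[src] += amt
    return sum(senders.values()), len(senders), dict(senders)


def balance(txs, addr):
    """Naive balance: everything received minus everything sent."""
    received = sum(a for _t, _s, d, a in txs if d == addr)
    sent = sum(a for _t, s, _d, a in txs if s == addr)
    return received - sent


def trace_outflows(txs, start, max_hops=10):
    """Breadth-first follow-the-money from `start`.

    Returns (depth, received, terminals):
      depth     - hop count at which each address was first reached
      received  - total traced value that arrived at each downstream address
      terminals - reached addresses with no further outflows in the ledger,
                  i.e. where an investigator would look for a custodian
                  (an exchange, for example) to subpoena or serve a warrant on
    """
    out_edges = defaultdict(list)
    for txid, src, dst, amt in txs:
        out_edges[src].append((txid, dst, amt))

    depth = {start: 0}
    received = defaultdict(float)
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if depth[addr] >= max_hops:
            continue
        for _txid, dst, amt in out_edges[addr]:
            received[dst] += amt
            if dst not in depth:
                depth[dst] = depth[addr] + 1
                queue.append(dst)

    terminals = sorted(a for a in depth if a != start and not out_edges[a])
    return dict(depth), dict(received), terminals


def report(txs, addr):
    """Human-readable summary of one address, for running the script directly."""
    total, n_senders, _ = inflows(txs, addr)
    depth, received, terminals = trace_outflows(txs, addr)
    lines = [
        f"{addr}: received {total} BTC from {n_senders} distinct senders",
        f"{addr}: current balance {balance(txs, addr)} BTC",
    ]
    for a in sorted(depth, key=depth.get):
        if a != addr:
            lines.append(f"  hop {depth[a]}: {a} received {received[a]} BTC")
    lines.append(f"  terminal addresses: {', '.join(terminals)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TXS, "darkside_collector"))
```

The flat model deliberately ignores what makes real tracing hard: change outputs, coin mixing, and peel chains that split a sum across dozens of addresses. Those are the problems the commercial tools solve with address clustering heuristics, and the reason that identifying a collector address is easier than identifying who holds its private key.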

Even though the DOJ didn’t recover the entire ransom, obviously they want to advertise their partial success as a deterrent to future ransomware hackers. The Colonial Pipeline attack isn’t the only hit on infrastructure that the U.S. has taken this past month, after all; the meatpacking company JBS resumed operations a few days ago after an attack from another group of hackers in Russia locked it up. Not only are they messing with the food supply after messing with the energy supply, their tactics are getting more aggressive. The outfit that hacked JBS has been known to engage in “triple extortion”: first a company’s systems are locked down, then the hackers threaten to release its private data, then they threaten to release data belonging to the company’s customers and partners obtained during the hack. Sometimes they demand separate ransoms to avert each of those. Hence today’s splashy press conference and FBI Director Chris Wray recently comparing the threat from ransomware to 9/11. The feds want everyone, both Americans and the hackers, to know that they’re taking this seriously.