The Justice Department on Monday touted a $2.3 million recovery, roughly half the ransom the hackers collected in last month’s Colonial Pipeline attack. Experts say it is a remarkable outcome against a rapidly escalating form of crime.
“Ransomware is virtually irretrievable,” said April Falcon Doss, executive director of Georgetown Law’s Institute for Technology Law and Policy, who described the attack as part of “a slew of ransomware.” The seizure is “a really big win” for the government, she said, but “what we don’t know is whether this will pave the way for similar success in the future.”
That’s because many of the factors that made the operation successful remain unexplained.
A new task force holds the key.
During a press conference on Monday, a senior federal law enforcement official explained that the money was recovered by the recently launched Ransomware and Digital Extortion Task Force, created as part of the government’s response to the rapidly growing wave of cyberattacks.
To end the Colonial Pipeline attack, the company paid about $4.4 million on May 8 to regain access to its computer systems after the attack disrupted its oil and gas pipelines across the United States.
Victims of these attacks are given very specific instructions about when and where to send money, so it is not unusual for investigators to trace a payment to the cryptocurrency account, usually a Bitcoin address, set up by the criminal organization behind the extortion. What is unusual is being able to unlock that account and recoup the money.
Court documents released in the Colonial Pipeline case say the FBI gained access using the private key linked to the Bitcoin address to which the ransom was sent, but officials have not revealed how the key was obtained. One reason criminals favor Bitcoin and other cryptocurrencies is the pseudonymity they offer: the ledger of transactions is public, which is what lets investigators follow the payment, but the funds at any address can be moved only by whoever holds the matching private key.
“The private key is, from a technology perspective, what makes it possible to seize these funds,” Doss said, adding that cyber attackers do their best to protect any information that could lead someone to associate the key with a person or organization: “They really are trying to hide their tracks.”
Investigators most likely retrieved the private key in one of three ways.
One possibility is that the FBI obtained it from someone involved in the attack: either the person or group behind the operation, Doss said, or someone involved with DarkSide, the Russian ransomware developer that rented its malware to other criminals for a fee or a share of the proceeds.
The second theory is that the FBI uncovered the key thanks to carelessness on the criminals’ part.
FBI Deputy Director Paul Abbate said Monday that the bureau has been investigating DarkSide since last year.
Doss noted the possibility of surveillance: investigators may have had a search warrant giving them access to the email or other communications of at least one person participating in the operation. “And hence they can access the private key, because maybe someone sends some emails to help them follow up,” she said.
The third possibility, Doss said, is that the FBI extracted the key with the help of a Bitcoin or other cryptocurrency exchange through which the money had bounced from one account to another since the first payment.
She said it is unknown whether any exchange cooperated voluntarily with the FBI or responded to agency subpoenas, but if so, it could be a game changer in the fight against ransomware attacks.
What is not likely, according to Doss, is that the FBI cracked the key on its own, although she admits it is theoretically possible. “The idea that the FBI would have it through some sort of brute force decryption activity, where they found the private key, seems to be the least likely scenario.” Guessing a 256-bit Bitcoin private key by brute force is far beyond any available computing power, so the key almost certainly came from a person, a device or a service that already held it.
However, Doss said that if authorities were able to strip the profits from these attacks consistently, they would also tend to stamp out the crime.
Tracking the money quickly
That said, the attackers made an unusual mistake in this case by failing to move the funds. The $2.3 million recovered ultimately remained in the same Bitcoin account to which it had been sent.
“You don’t see that in cybercrime,” Doss said.
For example, she said, there is another kind of scam in which companies are tricked into sending payments against fake orders. “The money is transferred to a legitimate bank account; the bank does not know that the account was set up by fraudsters. And as soon as that money is in the account, most of the time the criminals will withdraw it,” Doss said. “Within 72 hours, those funds disappear and become difficult to track or trace.”
Doss suspects that in the Colonial Pipeline attack, the attackers were overconfident that their money could not be traced and that their private key was safe.
More disruption of these extortion schemes could be vital to the US economy. According to Coalition, a cybersecurity firm that tracks insurance claims, ransom demands doubled from 2019 to 2020.
Those costs have continued to rise sharply this year. In March, CNA Financial Corp., one of the largest insurers in the United States, paid $40 million after a ransomware attack, Bloomberg reported.
In April, the ransomware gang REvil demanded $50 million from Apple in exchange for data and schematics it claimed to have stolen concerning unreleased products, Wired reported. It is unclear whether Apple met REvil’s demand, but the criminal group threatened to auction the data if it did not.