The FBI’s surprise announcement on Monday that it had confiscated part of the ransom that Colonial Pipeline paid to criminal hackers came as a double shock.
On the one hand, it was big news that the US government had flexed its cybersecurity muscle on behalf of the owner and operator of the country’s largest fuel pipeline, taking control of a Bitcoin account and marking the first public recovery of funds from a well-known ransomware gang.
On the other hand, it raised a question: why hadn’t the US done this sooner?
Ransomware has been a pervasive and persistent problem for years, but it has prompted little government action. And while reclaiming some of the ransom opens a new front for the US, it also points to the country’s relatively limited ability to deter the hackers.
Philip Reiner, the CEO of the Institute for Security and Technology, a San Francisco think tank that produced a landmark report on anti-ransomware guidelines, praised the FBI’s move as important, but said it was hard to read more than that into it.
“It remains to be seen how much the FBI can sustain this type of action,” Reiner said. “It’s a great first step, but we have to see a lot more of it.”
The FBI got a sizable amount of money back – 63.7 bitcoins worth around $2.3 million – but it’s a tiny fraction of how much money ransomware groups make. DarkSide, the hacking group that breached Colonial, has taken in more than $90 million since it launched publicly in the fall of 2020, according to an analysis by Elliptic, a company that tracks cryptocurrency transactions.
And DarkSide wasn’t even one of the most prolific ransomware groups, said Brett Callow, an analyst at cybersecurity firm Emsisoft.
“The seizure of the funds is positive, but I don’t think it will be a deterrent,” Callow said in a text message. “For the criminals, losing a situation is a win, and the amount they win means that occasional losses are a small setback.”
JBS, one of the largest meat processors in the United States, announced Wednesday that it had paid the ransomware gang REvil $11 million even after it had restored most of its files. The company’s reasoning was that it feared IT problems would persist and that the hackers might leak files.
The recovery comes as ransomware – an issue that has long been big but quietly rampant in the cybersecurity world – has become a national security issue, with President Joe Biden promising action.
The Colonial Pipeline hack, which caused some gas stations to run out of fuel and briefly raised fears of major shortages, was a turning point in the US response to ransomware. It caught national attention, and the Justice Department soon decided to give ransomware cases the same priority as terrorism cases.
For cybersecurity professionals, that attention was long overdue. Americans have suffered ransomware attacks in virtually all walks of life over the past few years. The same hackers have made fortunes by locking up the systems of corporations, city and county governments, and police stations and blackmailing them. They closed schools and brought hospitals to a standstill. According to Emsisoft, the ransomware epidemic caused damage of $75 billion in 2020 alone.
The FBI knew about the problem from the start. It received complaints from 2,474 ransomware victims in 2020 alone and continues to build long-running cases against ransomware hackers.
But the agency faces difficult legal hurdles. If the hackers were based in the United States, they could be arrested directly. If they are in a country that has a law enforcement treaty with the US, the FBI could work with colleagues in that country to arrange an arrest.
But most of the most prolific ransomware gangs are based in Russia or other Eastern European countries that do not extradite their citizens to the United States.
In the past, the US has been able to arrest Russian cyber criminals while they were traveling through countries that have such an agreement with the US. So far, however, no such case involving ransomware operators has been made public.
That leaves the agency with more limited options for responding. People like Reiner, the CEO behind the ransomware policy report, have argued that the fastest way to reduce the hackers’ impact is to disrupt their payments, which is what the FBI finally announced on Monday.
“Why is this only happening now?” said Reiner. “I think we can be sure that the people on the criminal side are definitely checking their systems and looking at each other and wondering what happened.”
The FBI was deliberately vague on Monday about how exactly it had seized the funds. Bitcoin accounts work somewhat like an email address: users have a public address, a so-called wallet, whose funds can only be moved by whoever holds a secret value, the so-called private key. The FBI’s warrant for the seizure of the funds simply stated that “the private key” was “in the possession of the FBI in the Northern District of California,” without specifying how it had been obtained.
In a briefing with reporters, Elvis Chan, an assistant special agent in charge at the FBI’s San Francisco office, said the agency would not reveal how it got hold of the key, so that criminal hackers are less likely to find ways to circumvent the method.
“I don’t want to give up our craft if we want to use this again for future endeavors,” he said.
That said, it’s unclear how often the FBI can use it. For example, it is not known why the agency was unable to get back all of the money Colonial paid.
However, Chan pointed out that the method isn’t limited to criminals who make the big mistake of using a U.S. cryptocurrency service when moving their money.
“Overseas is not a problem for this technology,” he said.
Gurvais Grigg, public sector chief technology officer at Chainalysis, a company that tracks Bitcoin transactions, said that while arresting ransomware hackers would be the best deterrent, disrupting their cash flow would be a great help.
“It is important to identify those who carried out an attack, handcuff their wrists, and grab the ill-gotten gains they have and give them back to the victim. That has to remain a focus. But it takes more than that,” said Grigg in a Zoom interview.
“The key to breaking ransomware is breaking the ransomware supply chain,” including their payments, he said.