How a new team of feds hacked the hackers and got Colonial Pipeline’s ransom back
The Department of Justice on Monday touted the recovery of $2.3 million — about half — of the ransom that was collected by hackers in the Colonial Pipeline attack last month. Experts say it was a surprising outcome to an increasingly frequent and severe crime.
“Ransomware is very seldom recovered,” said April Falcon Doss, executive director of the Institute for Technology Law and Policy at Georgetown Law, who described it as “a really big win” for the government. “What we don’t know is whether or not this is going to pave the way for future similar successes.”
That’s because there are several unexplained factors that contributed to the operation’s success.
A new task force holds the key
During a press conference Monday, top federal law enforcement officials explained that the money was recovered by a recently launched Ransomware and Digital Extortion Task Force, which had been created as part of the government’s response to a surge of cyberattacks.
To resolve the attack on Colonial Pipeline, the company paid about $4.4 million May 8 to regain access to its computer systems after its oil and gas pipelines across the eastern U.S were crippled by ransomware.
Victims of these attacks are given very specific instructions about when and where to send the money, so it’s not uncommon for investigators to trace payment sums to cryptocurrency accounts, typically Bitcoin, set up by the criminal organizations behind the extortion. What is unusual is to be able to unlock those accounts to recoup the funds.
Court documents released in the Colonial Pipeline case say the FBI got in by using the encryption key linked to the Bitcoin account to which the ransom money was delivered. However, officials have not disclosed how they got that key. One of the reasons criminals like to use Bitcoin and other cryptocurrencies is the anonymity of the entire system, as well as the idea that funds in any given cryptocurrency wallet can be accessed only with a complex digital key.
“The private key is, from a technology perspective, the thing that made it possible to seize these funds,” Doss said. She added that cyberattackers will go to great lengths to guard any information that could lead someone to associating the key with an individual or organization: “They’re going to really try and cover their tracks.”
Officials likely got the private key in one of three ways
One possibility is that the FBI was tipped off by a person associated with the attack. Either the person or group behind the scheme, Doss says, or someone associated with DarkSide, a Russia-based ransomware developer that leases its malware to other criminals for a fee or a share of the proceeds.
A second theory is that the FBI uncovered the key thanks to a careless criminal.
Deputy FBI Director Paul Abbate said on Monday that the bureau has been investigating DarkSide since last year.
Doss notes that it is probable that in their surveillance, officials may have had search warrants that enabled them to access the emails or other communication by one or more of the people who participated in the scheme. “And through that, they were able to get access to the private key because maybe somebody emailed something to help them track down,” she says.
Doss says the third possibility is that the FBI tracked down the key by leveraging information it got from Bitcoin or from the cryptocurrency exchange where the money had been bouncing from one account to another since it was first paid.
She says it’s not known whether any of the exchanges have been willing to cooperate with the FBI or to respond to the agency’s subpoenas — but if they are, it could be a game changer in fighting ransomware attacks.
What’s not likely is that the FBI somehow hacked the key on its own, according to Doss. While she admits it is theoretically possible, “the idea that the FBI would have, through some sort of brute-force decryption activity, figured out the private key seems to be the least likely scenario.”
Regardless, Doss says, if authorities are able to consistently remove the profits from the attacks, they’ll likely eliminate the crime.
Following the money didn’t take long
That said, the attackers made an unusual error in this case by failing to keep money moving. The $2.3 million that ultimately was recovered was still sitting in the same Bitcoin account it had been delivered to.
“You really don’t see that with cybercrimes,” Doss said.
For instance, she said, there’s another scam where a company is tricked into submitting a payment using phony instructions. “Funds get wired to accounts at legitimate banks. The banks don’t realize that the account was set up by a fraudulent actor. And as soon as those funds hit the account, they are wired back out of the account by the criminals almost instantly,” Doss said. “Within 72 hours, those funds are gone and very hard to track or trace.”
Doss suspects that in the attack on Colonial Pipeline, the attackers were overly confident that the money couldn’t be traced and that their private key was secure.
Thwarting more of these extortion schemes could become critical to the U.S. economy. According to Coalition, a cybersecurity company that tracks insurance claims, ransom demands doubled from 2019 to 2020.
Those costs still appear to be skyrocketing this year. In March, CNA Financial Corp., one the largest insurance companies in the U.S., paid $40 million after a ransomware attack, Bloomberg reported.
In April, ransomware gang REvil demanded $50 million from Apple in exchange for data and schematics they claimed to have stolen that were focused on unreleased products, Wired reported. It is unclear whether Apple met REvil’s demands, but the criminal group threatened to auction off the information if it didn’t.