The unexpected announcement by the FBI on Monday that it had confiscated part of the ransom paid by the Colonial Pipeline to criminal hackers came as a double shock.…
On the one hand, the big news is that the US government has flexed its cyber security muscle on behalf of the owner and operator of the nation’s largest fuel pipeline, taking over a Bitcoin account and achieving the first publicly known recovery of funds from a notorious gang of extortionists.
On the other hand, the question arose: why did the US not do this earlier?
Ransomware has been a pervasive and persistent problem for years, but until now it has prompted only minimal government action. And while the recovery of part of a ransom is a new front for the US, it also hints at a relatively limited ability to deter hackers.
Philip Reiner, CEO of the Institute for Security and Technology, a San Francisco think tank that produced the groundbreaking report on anti-ransomware policy, praised the FBI move as important but said it was hard to imagine more than that. …
“It remains to be seen how much the FBI will be able to withstand this kind of action,” Reiner said. “This is a big first step, but we need to see a lot more.”
The FBI has recovered a sizable amount of money, 63.7 bitcoins worth about $2.3 million, but that is a tiny fraction of how much money ransomware groups are making. DarkSide, the group that hacked Colonial, has earned over $90 million since it became publicly active in the fall of 2020, according to an analysis by Elliptic, a cryptocurrency transaction tracking company.
According to Brett Callow, an analyst at the cybersecurity firm Emsisoft, DarkSide was not even one of the most prolific ransomware groups.
“While the withdrawal of funds is a positive development, I don’t think it will serve as a deterrent at all,” Callow said in a text message. “For criminals, it’s a win in some situations and a loss in others, and the amount they win means that random losses are a small setback.”
JBS, one of the largest meat processing companies in the US, announced Wednesday that it had paid $11 million to REvil, the ransomware gang that attacked it, even after it had recovered most of its files. The reason, the company said, was that it feared lingering IT problems and the likelihood that the hackers would leak its files.
The ransom recovery comes as ransomware, long a major and widespread problem in the cybersecurity world, has become a national security issue, and President Joe Biden has pledged to take action.
The Colonial Pipeline hack, which left some gas stations without fuel and raised fears of a prolonged shutdown, was a turning point in the US response to ransomware. It attracted the attention of the entire country, and the Department of Justice soon decided to give ransomware cases the same priority as terrorism cases.
For cybersecurity experts, this attention is long overdue. In recent years, Americans in almost all walks of life have been hit by ransomware. The same hackers make fortunes by locking up the systems of businesses, city and county governments and police departments and extorting money from them. They have shut down schools and slowed hospitals. The ransomware epidemic caused $75 billion in damage in 2020 alone, according to Emsisoft.
The FBI has known about this problem from the very beginning. In 2020 alone, it received complaints from 2,474 ransomware victims, and it continues to build long-running cases against ransomware hackers.
But the agency faces serious jurisdictional problems. If hackers are based in the US, the FBI can arrest them directly. If they are in a country that has a law enforcement agreement with the United States, the FBI can work with counterparts in that country to arrange an arrest.
But most of the most prolific ransomware gangs are based in Russia or other Eastern European countries that do not extradite their citizens to the United States.
In the past, the United States has been able to arrest Russian cybercriminals when they traveled to countries that have such agreements with the United States, but so far no such arrest of a ransomware operator has been made public.
This leaves the agency with more limited options for responding. People like Reiner, the CEO whose institute prepared the ransomware policy report, have argued that the fastest way to reduce the impact of the hackers is to disrupt their payments, which is what the FBI finally announced on Monday.
“Why is this only happening now?” Reiner said. “I think we can be sure that the people on the criminal side are definitely testing their systems and looking at each other wondering what happened. It makes them stutter.”
On Monday, the FBI was deliberately vague about how it confiscated the funds. Bitcoin works somewhat like email: a user has a publicly visible account, commonly called a wallet, and whoever holds the secret password for it, called the private key, can move its funds. The FBI’s statement on the seizure warrant simply stated that the “private key” was “in the possession of the FBI in the Northern District of California,” without specifying how it obtained the private key.
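To make concrete what possession of the “private key” means, here is an added example that is not from the article or from any agency or company it mentions. It implements the Bitcoin curve (secp256k1) in plain Python and shows that the public key, whose hash is the address anyone can see, is derived one way from the private key, and that only the private key can produce the signature a transaction needs. The sample keys and the spend message are constructed for the demo, and the nonce derivation in sign() is a simplified stand-in for RFC 6979, not a production implementation.

```python
import hashlib

# secp256k1 parameters (the curve Bitcoin uses): y^2 = x^3 + 7 over F_P
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Group law on secp256k1; None represents the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point=G):
    """Double-and-add k*point. Cheap to compute; reversing it is the discrete-log problem."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def public_key(priv):
    """33-byte compressed public key; its hash is what becomes the visible address."""
    if not 1 <= priv < N:
        raise ValueError("private key out of range")
    x, y = scalar_mult(priv)
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def sign(priv, msg):
    """ECDSA signature (r, s). Nonce derivation is a simplified stand-in for RFC 6979."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N
    r = scalar_mult(k)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def verify(pub_point, msg, sig):
    """Anyone holding only the public point can check a signature, but cannot forge one."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    point = point_add(scalar_mult(z * w % N), scalar_mult(r * w % N, pub_point))
    return point is not None and point[0] % N == r


def demo():
    """Constructed keys: the one that controls the funds, and an unrelated one."""
    holder_key = 0x1F  # constructed sample; a real key is a random 256-bit value
    other_key = 0x2A   # constructed sample
    pub = scalar_mult(holder_key)  # this is all the blockchain lets an observer learn
    spend = b"move 63.7 BTC to a new address (constructed transaction stand-in)"
    good = verify(pub, spend, sign(holder_key, spend))    # holder of the key: accepted
    forged = verify(pub, spend, sign(other_key, spend))   # anyone else: rejected
    return good, forged


if __name__ == "__main__":
    print(public_key(1).hex())
    print(demo())
```

The point of the example is the asymmetry: watching the address, and even knowing the public key, gives an investigator nothing they can spend, whereas holding the private key, however it was obtained, is enough to sign a transfer out of the account.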
Speaking to reporters at a press conference, Elvis Chan, an assistant special agent in charge of the FBI’s San Francisco office, said the agency did not want to explain how it acquired the key, so that criminal hackers would be less likely to find ways around the technique.
“I don’t want to give up our craftsmanship in case we want to use it again in future endeavors,” he said.
This means it is unclear how often the FBI will be able to use the technique. It is not known, for example, why the agency was unable to recover all the money Colonial paid.
However, Chan pointed out that the method is not limited to criminals who make the serious mistake of using a US cryptocurrency service to move their money.
“Abroad is not a problem for this technique,” he said.
Gurvais Grigg, public sector chief technology officer at Chainalysis, a company that tracks bitcoin transactions, said that while arresting ransomware hackers would be the best deterrent, stopping their cash flows is a big help.
“It is important to identify those who attacked, put handcuffs on their wrists, collect the ill-gotten gains and return them to the victim. This should remain the focus of attention. But it takes more than that,” Grigg said in a Zoom interview.
“The key to destroying ransomware is disrupting the ransomware supply chain,” as well as their payments, he said.