Feds recover millions in ransomware payments from Colonial Pipeline hackers

WASHINGTON - Federal authorities have recovered more than $2 million in cryptocurrency paid in ransom to foreign hackers whose attack last month led to the shutdown of a major pipeline that provides nearly half the East Coast's fuel, according to officials.

The seizure of funds paid by Colonial Pipeline to a Russian hacker ring, DarkSide, marks the first recovery by a new ransomware Justice Department task force. It follows a string of cyber attacks that panicked consumers and led President Joe Biden to warn Russia that it needed to take "decisive action" against the criminal networks.

"The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge," Deputy Attorney General Lisa Monaco said, announcing the recovery on Monday afternoon. "But the old adage, 'follow the money,' still applies."

"Today we turned the tables on DarkSide," she said.

The ransomware attack on Colonial in early May prompted the company to shut its pipeline operation for 11 days, causing panic buying that resulted in gasoline shortages in much of the southeastern U.S. The hackers locked up Colonial's business computer networks by encrypting data on them, and demanded millions of dollars in ransom to unlock the system.

Victims worldwide paid at least $412 million in ransom last year, according to Chainalysis, a firm that tracks cryptocurrency payments. The firm noted that this is a conservative estimate, since many victims do not report their ransom payments.

The problem has become so acute that Biden will raise it when he meets with Russian President Vladimir Putin in Geneva this month. National Security Advisor Jake Sullivan said Monday that the subject also will be raised during the president's meeting with the leaders of Group of Seven nations in Britain a few days before the Geneva summit.

Sullivan said he would like the G-7 to come up with an "action plan" to increase resilience to attacks and deal with the cryptocurrency challenge. Cryptocurrency, which allows users to mask their identities, "lies at the core of how these ransom transactions are played out," he said.

As a result, ransomware attacks have become a matter of national security and economic security, officials said.

Having obtained a warrant from a federal judge in the Northern District of California, the FBI on Monday seized proceeds from a digital "wallet" that held the ransom collected by the hackers, FBI Deputy Director Paul Abbate said. The ransom was paid in bitcoin, a form of cryptocurrency.

The warrant authorized seizure of 63.7 bitcoin, or $2.3 million at the current exchange rate.

The bureau obtained the "private key" for the wallet address, according to an affidavit for the warrant. The key is basically a password that enabled the FBI to move bitcoin out of the wallet.

Officials did not explain how the FBI got the key.

The hackers demanded and were paid a ransom of 75 bitcoin on May 8, according to the affidavit. On that date, the value of bitcoin was higher - worth about $4.3 million.

Colonial Pipeline CEO Joseph Blount told The Wall Street Journal last month that the firm paid the ransom. "I know that's a highly controversial decision," he said. "... But it was the right thing to do for the country."

On Monday, Blount issued a statement praising the FBI.

"We are grateful for their swift work and professionalism in responding to this event," he said. "Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature."

Blount said that when Colonial was hit by the cyber attack, it contacted the FBI field offices in Atlanta and San Francisco, as well as prosecutors in Northern California and D.C.

DarkSide operates under a ransomware-as-a-service model in which it provides the malware that a criminal affiliate can use to lock up data on a victim's computer system. When the victim pays the ransom to free up the system, the affiliate keeps a majority of the payment, while DarkSide gets the rest.

In this case, about 85% of the payment was to have gone to DarkSide's affiliate, said Tom Robinson, co-founder of Elliptic, a cryptocurrency analytics firm. Elliptic spotted the wallet suspected of holding Colonial's ransom payment on May 14.

The 63.7 bitcoin were the affiliate's share, Robinson said. It is not clear who has the rest of the proceeds, he said.

On May 13, DarkSide announced it was suspending its operation, that its servers had been "blocked" and funds from a payment server had been moved to "an unknown account."

Those funds are still in that wallet, said Robinson, whose firm tracks cryptocurrency payments on a public digital ledger known as a "blockchain." The ledger does not contain information identifying who controls the wallet.

The FBI has traditionally advised victims not to pay the ransom on the grounds that doing so fuels criminal enterprise. The Biden administration is in the process of determining what the government's formal ransomware policy should be, a senior administration official told The Washington Post last week.

"The message we are sending today is that if you come forward and work with law enforcement, we may be able to take that type of action that we took today to deprive the criminal actors of what they're going after here, which is the proceeds of their criminal scheme," Monaco said. She added, however, "we cannot guarantee and we may not be able to do this in every instance."

DarkSide collected $14 million in ransoms for all of 2020, according to Chainalysis. Before it announced it had lost access to its servers, it raked in $46 million in just the first three months of this year.

The Justice Department in April created a ransomware and digital extortion task force. Its mission, officials said, is to investigate, disrupt and prosecute ransomware and digital extortion activity.

Published: June 08, 2021

By: The Washington Post · Ellen Nakashima