US investigators have recovered $2.3m in bitcoin that was paid in ransom to the cybercriminals behind the Colonial Pipeline hack.
The FBI-led operation tracked “multiple transfers” of the cryptocurrency on the publicly available Bitcoin ledger and seized approximately 63.7 bitcoins. It did so using the private key for the bitcoin address the funds had been moved to, which the Department of Justice described as the cryptocurrency “equivalent of a password,” but it did not say how it acquired that key.
On 7 May the operator of the biggest US fuel pipeline took its IT systems offline after they were infected by ransomware operated by the DarkSide group. The shutdown led to a five-day closure of the line, which carries 45% of the East Coast’s fuel supply, sparking a jump in fuel prices and shortages at the petrol pump.
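The tracing the DOJ describes works because every bitcoin transaction, and the outputs it spends, is recorded on the public ledger. The following is an added illustration, not code from the FBI, the DOJ or the original article: it follows coins paid to a starting address forward through later spends on a constructed toy ledger (all transaction ids, addresses and amounts below are made up and do not describe the real Colonial Pipeline transactions), reports where the unspent coins sit, and flags the transactions where the traced coins were mixed with unrelated inputs.

```python
"""Toy forward trace of funds across a public UTXO ledger.

Added illustration, not code from the FBI, DOJ or the original article.
The ledger below is constructed: txids, addresses and amounts are made up
and do not describe the actual Colonial Pipeline transactions.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class TxOut:
    address: str
    btc: float


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # outpoints (txid, vout) this transaction spends
    outputs: tuple  # TxOut values it creates


# Constructed ledger with hypothetical identifiers. The 0.1 BTC missing from
# each hop is the miner fee; "tx_victim_funding" is not listed because the
# trace only walks forward from the ransom payment.
LEDGER = (
    Tx("tx_unrelated", (), (TxOut("addr_other", 2.0),)),
    Tx("tx_ransom", (("tx_victim_funding", 0),), (TxOut("addr_ransom", 75.0),)),
    Tx("tx_hop1", (("tx_ransom", 0),),
       (TxOut("addr_affiliate", 63.7), TxOut("addr_operator", 11.2))),
    Tx("tx_hop2", (("tx_hop1", 0), ("tx_unrelated", 0)),
       (TxOut("addr_cashout", 65.0), TxOut("addr_change", 0.6))),
)


def trace_forward(ledger, seed_address):
    """Follow every coin paid to seed_address through all later spends.

    Returns (hops, holdings, commingled):
      hops       - txids, in traversal order, that moved the traced coins on
      holdings   - {address: btc} for traced outputs that are still unspent,
                   i.e. where the funds sit now and could be seized with the
                   matching private key
      commingled - txids that spent traced coins together with untraced inputs
    """
    by_txid = {tx.txid: tx for tx in ledger}
    spent_by = {}  # outpoint -> txid of the transaction that spends it
    for tx in ledger:
        for outpoint in tx.inputs:
            spent_by[outpoint] = tx.txid

    # Seed: every output on the ledger that paid the starting address.
    tainted = set()
    queue = deque()
    for tx in ledger:
        for vout, out in enumerate(tx.outputs):
            if out.address == seed_address:
                tainted.add((tx.txid, vout))
                queue.append((tx.txid, vout))

    # Phase 1: breadth-first closure over spends. Every output of a
    # transaction that spends a traced coin is itself treated as traced
    # (the simple "poison" heuristic analysts start from).
    hops = []
    while queue:
        outpoint = queue.popleft()
        spender = spent_by.get(outpoint)
        if spender is None or spender in hops:
            continue
        hops.append(spender)
        for vout in range(len(by_txid[spender].outputs)):
            new_outpoint = (spender, vout)
            if new_outpoint not in tainted:
                tainted.add(new_outpoint)
                queue.append(new_outpoint)

    # Phase 2: classify the closure once it is complete, so a transaction is
    # only called commingled if some input never became traced at all.
    holdings = {}
    for txid, vout in tainted:
        if (txid, vout) not in spent_by:
            out = by_txid[txid].outputs[vout]
            holdings[out.address] = round(holdings.get(out.address, 0.0) + out.btc, 8)
    commingled = [
        txid for txid in hops
        if any(inp not in tainted for inp in by_txid[txid].inputs)
    ]
    return hops, holdings, commingled


if __name__ == "__main__":
    hops, holdings, commingled = trace_forward(LEDGER, "addr_ransom")
    print("hops:", " -> ".join(hops))
    print("unspent traced outputs:", holdings)
    print("commingled with untraced inputs:", commingled)
```

On this ledger the 75 BTC paid to `addr_ransom` is followed through two hops to three unspent outputs, and `tx_hop2` is flagged because it mixed the traced coins with 2 BTC from `addr_other`. Note that the poison heuristic then attributes all 65.6 BTC of `tx_hop2`'s outputs to the ransom, more than was actually paid; real investigations apply a proportional or first-in-first-out split at such mixing points, and in practice the hard part is not the graph walk but obtaining the private key for the address where the traced coins rest, which is the step the DOJ did not explain.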
Colonial Pipeline CEO and president Joseph Blount took the decision to pay the 75 bitcoin ransom demand – worth $4.4m at the time – to gain access to a decryption key. While the FBI recovered the majority of bitcoins paid, the cryptocurrency’s price has plummeted since, leaving Colonial short-changed.
Yet the recovery of funds is a rare outcome for companies hit by ransomware attacks. Bitcoin is favoured by cybercriminals because payments can be received pseudonymously, without the identity checks of the traditional banking system, even though every transaction is recorded on a public ledger that investigators can follow.
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
The Department of Justice said that Colonial Pipeline “quickly notified” the FBI of the attack, which led to the recovery operation coordinated through the newly formed Ransomware and Digital Extortion Task Force.
The task force was created in response to a series of recent high-profile ransomware attacks against the likes of Fujifilm, meat processor JBS and Acer. It aims to disrupt ransomware operations by “tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes.”
“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises,” said Deputy Attorney General Lisa O. Monaco for the US Department of Justice. “We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”
Colonial Pipeline ransom recovered: A “clear” message to criminals
Colonial Pipeline’s Blount previously told the Wall Street Journal that he made the decision to pay the ransom demand because he did not know how long it would take to get the pipeline operation running again.
In a statement released alongside the DOJ’s ransom announcement, Blount said: “Holding cybercriminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature. The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to harden our defences.”
In a Homeland Security hearing on Tuesday, Blount confirmed that the hackers gained access to Colonial’s network via an exposed password for a legacy VPN account, one that was no longer meant to be in use and was not protected by multi-factor authentication, as first reported by Bloomberg.
He also said that the decryption key only worked “to some degree” and that the company used its own database backups, but the rebuilding process took time.
“This sends a clear message to the criminals: you are not immune to repercussions,” said Sam Curry, chief security officer at Cybereason. “Ransomware gangs are, in a dark sense, startups with their own venture capital and business models. The ‘investors’ in these organisations must be getting nervous that their ill-gotten gains can be recouped.”
Jake Moore, cybersecurity specialist at ESET and a former police cyber forensics officer, said: “Discovering a private key to access the wallet used will have taken a painstaking amount of investigation and resources which unfortunately cannot be replicated in all attacks. The initial attack resulted in an enormous investigation, but this would have cost the FBI a great deal of time and money.
“However, it does highlight that cybercrime doesn’t always pay and even when the attackers themselves remain anonymous, the FBI’s secondary tactic is to fight back with their own version of disruption.”
For more information on ransomware and what to do in the event of an attack, read our explainer here.