The surprise announcement by the FBI on Monday that it had seized part of the ransom Colonial Pipeline paid to hackers was a double shock.
On the one hand, it was major news that the US government had flexed its cybersecurity muscles on behalf of the owner and operator of the country’s largest pipeline, taking over a bitcoin account and marking the first public recovery of funds from a known ransomware gang.
On the other hand, this raised a question: why hadn’t the United States done this before?
Ransomware has been a pervasive and ongoing problem for years, but one that has attracted little action by authorities. And while recovering some of the ransom has marked a new front for the United States, it also hints at the relatively limited options for deterring hackers.
Philip Reiner, CEO of the Institute for Security and Technology, a San Francisco think tank that produced a seminal report on anti-ransomware policies, hailed the FBI’s decision as significant, but cautioned against reading more into it than that.
“It remains to be seen how well the FBI can support this kind of action,” Reiner said. “It’s a big first step, but we need to see a lot more.”
The FBI has recovered a significant amount of money – 63.7 bitcoins, worth around $2.3 million – but that is only a tiny fraction of what the groups are making from ransomware. DarkSide, the hacker group that breached Colonial, has taken in more than $90 million since it began operating publicly in fall 2020, according to analysis by Elliptic, a company that tracks cryptocurrency transactions.
And DarkSide wasn’t even one of the most prolific ransomware groups, said Brett Callow, analyst at cybersecurity firm Emsisoft.
“While the seizure of funds is positive, I don’t think it will be a deterrent at all,” Callow said in a text message. “For criminals it’s a win-some, lose-some situation, and the amount they earn means the occasional loss is a minor setback.”
JBS, one of the largest meat processing companies in the United States, said on Wednesday it had paid $11 million to its hackers, REvil, even after it had restored most of its files. The company said its reasoning was that it feared persistent computer problems and the possibility of the hackers leaking files.
The ransom recovery comes as ransomware – long a hot topic in the cybersecurity world, but one that spread quietly – has become a national security concern, with President Joe Biden vowing to act.
The Colonial Pipeline hack, which led to fuel shortages at some gas stations and brief fears of a major outage, was a turning point in the United States’ response to ransomware. It gained national attention, and the Justice Department quickly decided it would elevate ransomware to the same priority as terrorism cases.
For cybersecurity experts, this attention was long overdue. Americans have suffered ransomware attacks in virtually every walk of life in recent years. The same types of hackers have made their fortunes by shutting down and extorting businesses, city and county governments, and police departments. They have closed schools and slowed hospitals at a breakneck pace. The ransomware outbreak caused $75 billion in damage in 2020 alone, according to Emsisoft.
The FBI has known about the problem from the start. It received complaints from 2,474 ransomware victims in 2020 alone, and continues to build long-standing files on ransomware hackers.
But the agency faces difficult jurisdictional issues. If the hackers were based in the United States, it could stop them directly. If they were in a country with a law enforcement agreement with the United States, the FBI could partner with colleagues in that country to arrange an arrest.
But the majority of the most prolific ransomware gangs are based in Russia or other Eastern European countries that do not extradite their citizens to the United States.
In the past, the United States has been able to arrest Russian cybercriminals as they passed through countries that have such an agreement with the United States. But so far, no such case involving ransomware operators has been made public.
This leaves the agency with more limited options for responding. People like Reiner, the CEO behind the ransomware policy report, argued that the fastest way to reduce the impact of the hackers was to disrupt their payments, which is what the FBI finally announced on Monday.
“Why is this only happening now?” Reiner said. “I think we can rest assured that the people on the criminal side are definitely checking their systems and looking at each other, wondering what happened. It puts a stutter in their step.”
The FBI was deliberately vague on Monday in describing exactly how it seized the funds. Bitcoin works somewhat like email: funds sit at a public address, which anyone can see and send money to, but only the holder of the matching secret, called the private key, can spend them. The address is derived from the key by one-way math, so watching the money on the blockchain does not reveal the key. In the FBI’s application for a warrant to seize the funds, the agency stated only that “the private key” is “in the possession of the FBI in the Northern District of California,” without specifying how it obtained that private key.
Speaking to reporters on a press call, Elvis Chan, an assistant special agent in charge of the FBI’s San Francisco office, said the agency was unwilling to explain how it came into possession of the key, so that hackers would be less likely to find ways to evade the technique.
“I don’t want to give up our craft in case we want to use it again for future endeavors,” he said.
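To make concrete why the warrant turns on possession of a private key rather than an address, here is an added illustration, written for this page and not part of the original article or any FBI material. It implements textbook ECDSA over the secp256k1 curve Bitcoin uses, in pure Python: a private key (a 256-bit integer) is turned into a public key (a curve point), the public key into a short identifier, and a constructed stand-in for a transaction is signed and verified. The identifier here is a plain SHA-256 of the public key, a simplification assumed for this example; real Bitcoin addresses use RIPEMD-160 over SHA-256 plus Base58Check encoding, which changes the label but not the one-way property being shown. Nonce derivation is a simplified HMAC construction, not the full RFC 6979.

```python
import hashlib
import hmac

# secp256k1 domain parameters (y^2 = x^3 + 7 over GF(P), base point G of order N)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _inv(x, m):
    """Modular inverse (Python 3.8+)."""
    return pow(x, -1, m)


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = _add(result, pt)
        pt = _add(pt, pt)
        k >>= 1
    return result


def pubkey(priv):
    """Public key = priv * G. Cheap to compute; infeasible to reverse."""
    return _mul(priv, G)


def compressed_pubkey(pub):
    """33-byte SEC1 compressed encoding: parity prefix plus x-coordinate."""
    prefix = b"\x02" if pub[1] % 2 == 0 else b"\x03"
    return prefix + pub[0].to_bytes(32, "big")


def key_id(pub):
    """Simplified stand-in for an address: a one-way hash of the public key.
    (Assumption for this example; real addresses use hash160 + Base58Check.)"""
    return hashlib.sha256(compressed_pubkey(pub)).hexdigest()


def _msg_hash(msg):
    return int.from_bytes(hashlib.sha256(hashlib.sha256(msg).digest()).digest(), "big")


def sign(priv, msg):
    """ECDSA signature (r, s) with a deterministic nonce derived from key and message.
    Nonce scheme is a simplification assumed here, not full RFC 6979."""
    z = _msg_hash(msg)
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = _inv(k, N) * (z + r * priv) % N
    if s > N // 2:          # low-s normalisation, as Bitcoin requires
        s = N - s
    return (r, s)


def verify(pub, msg, sig):
    """True only if sig was produced by the private key behind pub."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = _msg_hash(msg)
    w = _inv(s, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


if __name__ == "__main__":
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed
    pub = pubkey(priv)
    tx = b"constructed stand-in for a spend of the seized output"      # constructed
    sig = sign(priv, tx)
    print("key id:", key_id(pub))
    print("valid with holder's key:", verify(pub, tx, sig))
    print("valid for a different key:", verify(pubkey(2), tx, sig))
```

The point the example makes is the one the warrant hinges on: the address and the funds are public, but every spend must carry a signature that verifies only against the public key the address was derived from, and producing that signature requires the private key. Whoever holds that key controls the coins, which is why the FBI's filing rests on possession of it and why the agency is protective of how it was obtained.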
This means it is not known how often the FBI will be able to deploy the technique. It is not known, for example, why the agency was unable to recover all of the money Colonial paid.
Chan said, however, that the method was not limited to criminals who make the major mistake of using a U.S. cryptocurrency service while moving their money.
“Being foreign is not a problem for this technique,” he said.
Gurvais Grigg, public sector chief technology officer at Chainalysis, a company that tracks bitcoin transactions, said that while arresting ransomware hackers would be the best deterrent, cutting off their money flow is a big help.
“It is important to identify those who carried out an attack, to put handcuffs on their wrists, to seize the ill-gotten gains they have and return them to the victim. This must remain a goal. But it takes more than that,” Grigg said in a Zoom interview.
“The key to disrupting ransomware is disrupting the ransomware supply chain,” like their payments, he said.