A little over half of the $4.4 million Colonial Pipeline ransomware payment has been recovered by the FBI, and in the process some questions about the source of the attack may have been answered. The FBI is keeping its sources and tactics close to the vest, but inferences about how the money moved and was ultimately recovered lend credence to it being an incompetent ransomware-as-a-service client rather than a secret operation backed by the Russian government.
FBI says it had access to the wallet
At a press conference on Monday, FBI officials revealed that they had recovered about $2.3 million (75 Bitcoin) of the Colonial Pipeline ransomware payment. They said that this was done via direct access to the Bitcoin wallet, but would not get into specifics so as to “protect tradecraft”; the officials only said that it was “seized via a court order” from someplace within American infrastructure.
Though the FBI will likely not release further details, there is some reasonable speculation as to how this played out. Since the perpetrators used Bitcoin, which is far from being completely anonymous, it would be possible to follow the movement of the money to some degree via the wallet address. The fact that the court order that led to the seizure of the ransomware payment came from the Northern District of California points to the criminals attempting to cash out to fiat currency via Coinbase (which currently lists “no official headquarters” but used its San Francisco office for that purpose until recently).
If that theory holds up, it further reinforces the initial explanation that the DarkSide ransomware group offered to the public — that it was one of their more unsophisticated “ransomware as a service” clients that perpetrated the attack and got themselves in over their head with a target that was too big and public. There has been rampant speculation that the Russian government somehow had a direct hand in this attack, along with budding conspiracy theories regarding the FBI’s announcement that they had access to the digital wallet. But if the “incompetent criminals try to cash out via Coinbase” theory is true, there is no need for any sort of government conspiracy. The FBI would merely have to serve a warrant on Coinbase to recover the funds once it identified them as sitting in a wallet Coinbase hosts. Some cybersecurity experts are floating the idea that the FBI may have located the private key elsewhere via sloppy password storage. The Biden administration maintains that there is no intelligence link showing a connection to the Russian government.
Anurag Gurtu, CPO at StrikeReady, points out that though the FBI was able to gain access to the wallet, this seizure does not necessarily bring them any closer to identifying the ultimate perpetrators: “Trying to determine who holds the crypto wallet is a wild goose chase. There is no bitcoin address registry that lists the owners of every address. Identifying the owner of that address requires knowing where you got it from. But even then, it’s the end of the road.” The agency would have to hope that the criminals registered an identifiable piece of information that can be tracked when they set up the Coinbase account, such as an email address that can be linked to an identity.
While the hackers may have been clumsy in their target selection and methods of handling the ransomware payment, the damage they did was considerable. Colonial Pipeline was forced to suspend operations for about a week as its billing and inventory tracking systems were offline due to the ransomware, causing severe gas shortages in the coastal states for which it is the primary source of gasoline. There were price spikes, extremely long lines, and certain gas stations even ran entirely out of fuel for days. In total, Colonial Pipeline is responsible for providing about 45% of the fuel used on the East Coast.
New task force recovers ransomware payment
The ransomware payment recovery is one of the first actions taken by the Justice Department’s new ransomware and extortion task force, which was first reported on in April. The task force was formed as a response to a record year in terms of ransomware incidents and payments, as attacks not only became more severe but incorporated new elements such as threatening blackmail and distributed denial of service (DDoS) attacks. The Justice Department recently moved ransomware attacks to the same response priority as terrorist attacks, calling the consequences “destructive and devastating.” Ilia Kolochenko, Founder, CEO and Chief Architect of ImmuniWeb, observes: “The $2.3 million is a drop in the ocean of ransomware, however, it sends a bold statement that the DoJ now has tolerance-zero for ransomware gangs. The seizure continues the previously announced efforts to combat surging ransomware, and is likely to be a first palpable step to deter cybercriminals. Importantly, the DoJ will certainly need more funding to gradually expand its cybercrime prosecution unit (CCIPS) and foster interagency collaboration. Moreover, international cooperation is essential to curb surging ransomware attacks, including a baseline cooperation with traditionally hostile jurisdictions. Otherwise, even though uncovered, the perpetrators will likely enjoy impunity due to missing extradition treaties with foreign jurisdictions.”
The FBI also used the Colonial Pipeline outcome to highlight the importance of contacting officials as soon as possible after being hit by an attack, even if the organization plans to make the ransomware payment. Substantial recovery of funds is possible if the attackers route the money through exchanges or services that law enforcement can reach with a court order.
The outcome will also likely add fuel to the debate over making ransomware payments illegal, which some cybersecurity experts and government officials believe is the only real way to curb digital extortion. Critics argue that it creates a virtual death sentence for certain companies that happen to be hit by ransomware, and could force managers into making unethical decisions not in the best interests of the parties they are charged with overseeing. The US government has yet to show serious signs of adopting this stance, and a recent expansive executive order on cybersecurity reinforced that payments would continue to be a legal option in the near future, but some officials have debated the idea of issuing large fines to companies that make ransomware payments to any source known to be associating with terrorist organizations.