The FBI and the US Department of Justice celebrated a victory in the fight against ransomware this week when they seized $2.3m worth of cryptocurrency which formed part of the ransom paid following the Colonial Pipeline attack. This move has been seen as a show of force from the US Government against attacks on American infrastructure, but may prove a fleeting triumph if it prompts hacking gangs to tighten their own security.
The joint operation saw 63.7 bitcoin (BTC) seized from a wallet confirmed to be connected to DarkSide, the Ransomware-as-a-Service (RaaS) group responsible for the attack on Colonial Pipeline. The pipeline carries roughly 45% of the fuel consumed on the US East Coast, and the attack last month caused major disruption. “The BTC funds recovered appear to have been seized via direct access to the wallet,” says Pamela Clegg, VP of financial investigations at cryptocurrency intelligence company CipherTrace. “In mid-May, Darkside announced that their ‘servers were seized,’ although they did not specify where or how.”
According to the affidavit filed in support of the bitcoin seizure, the funds that appear to be the ransom were sent to two separate wallets: 11.25 BTC to one and 63.7 BTC, the amount seized this week, to another. The latter was then left untouched until the FBI traced it from the Colonial Pipeline payment. “Following the money remains one of the most basic, yet powerful, tools we have,” said US deputy attorney general Lisa O. Monaco in the DoJ press release.
The split in the ransom is thought to reflect the cut taken by DarkSide itself before the initial access broker and other affiliates who helped carry out the attack were paid, explains Clegg. “Since DarkSide was a RaaS group, the split in funds most likely mirrors the RaaS agreement of the breakout of the proceeds,” she says. In the case of the funds seized, it may be that the criminals did not launder or secure the proceeds of the crime very well, says Jason Hill, head of research at CyberInt. “It almost feels like the threat actors, or those who have this portion of the ransom, had a few operational security failings,” he says. “They were perhaps storing their private key somewhere where it could be seized, rather than offline on an encrypted stick.” This could have enabled the FBI to trace it quickly, Hill says.
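The “following the money” described in the two paragraphs above is, mechanically, a walk over the public transaction graph: start at the specific output that paid the attacker, follow each spend forward, and stop where the coins come to rest unspent. The example below is added here to illustrate that walk and is not code from the article, the DoJ affidavit or any tracing vendor. It runs over a constructed ledger with hypothetical txids and addresses whose amounts mirror the reported split (75 BTC paid, 63.7 BTC and 11.25 BTC out); none of it is real chain data.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Amounts are held in satoshis (1 BTC = 100_000_000 sat) so no float rounding
# creeps into the conservation check or the reported balances.
BTC = 100_000_000


@dataclass(frozen=True)
class TxOut:
    address: str
    value: int  # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Tuple[str, int], ...]  # outpoints (txid, vout) being spent
    outputs: Tuple[TxOut, ...]


# Constructed sample ledger: hypothetical txids/addresses, NOT real chain data.
# 75 BTC leaves the victim, is split 63.7 / 11.25 (0.05 BTC fee), and only the
# 11.25 BTC leg keeps moving; the 63.7 BTC output is never spent.
LEDGER: Dict[str, Tx] = {tx.txid: tx for tx in [
    Tx("tx_victim_funding", (), (TxOut("victim_wallet", 75 * BTC + 10_000_000),)),
    Tx("tx_ransom_payment", (("tx_victim_funding", 0),),
       (TxOut("raas_collector", 75 * BTC), TxOut("victim_wallet", 9_000_000))),
    Tx("tx_split", (("tx_ransom_payment", 0),),
       (TxOut("affiliate_wallet", 6_370_000_000), TxOut("core_wallet", 1_125_000_000))),
    Tx("tx_core_hop1", (("tx_split", 1),), (TxOut("intermediary_1", 1_124_000_000),)),
    Tx("tx_core_hop2", (("tx_core_hop1", 0),), (TxOut("exchange_deposit", 1_123_000_000),)),
]}


def fmt_btc(sats: int) -> str:
    """Render satoshis as a BTC string, e.g. 6_370_000_000 -> '63.7 BTC'."""
    return f"{sats / BTC:.8f}".rstrip("0").rstrip(".") + " BTC"


def check_conservation(ledger: Dict[str, Tx]) -> List[str]:
    """Return txids whose outputs exceed their inputs (a sign of a corrupt ledger
    dump). Transactions with no inputs are funding stubs and are skipped."""
    bad = []
    for tx in ledger.values():
        if not tx.inputs:
            continue
        spent = sum(ledger[txid].outputs[vout].value for txid, vout in tx.inputs)
        if spent < sum(o.value for o in tx.outputs):
            bad.append(tx.txid)
    return bad


def spend_index(ledger: Dict[str, Tx]) -> Dict[Tuple[str, int], str]:
    """Map every spent outpoint to the txid that spends it."""
    return {outpoint: tx.txid for tx in ledger.values() for outpoint in tx.inputs}


def trace_forward(ledger: Dict[str, Tx], start_txid: str, start_vout: int,
                  max_hops: int = 10) -> List[dict]:
    """Breadth-first walk from one outpoint, following every spend forward.

    Starting at a single output (the one paid to the attacker) rather than the
    whole transaction keeps the victim's change out of the trace. Each result is
    an output where the funds stop: unspent, or cut off at max_hops.
    """
    spent_by = spend_index(ledger)
    resting: List[dict] = []
    queue = deque([((start_txid, start_vout), 0, [start_txid])])
    seen = set()
    while queue:
        outpoint, hops, path = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        out = ledger[outpoint[0]].outputs[outpoint[1]]
        spender = spent_by.get(outpoint)
        if spender is None or hops >= max_hops:
            resting.append({"address": out.address, "value": out.value,
                            "hops": hops, "path": path, "unspent": spender is None})
            continue
        for vout in range(len(ledger[spender].outputs)):
            queue.append(((spender, vout), hops + 1, path + [spender]))
    return resting


if __name__ == "__main__":
    assert check_conservation(LEDGER) == []
    for r in trace_forward(LEDGER, "tx_ransom_payment", 0):
        state = "unspent" if r["unspent"] else "hop limit"
        print(f"{r['address']:16} {fmt_btc(r['value']):>16} after {r['hops']} hop(s) "
              f"({state}): {' -> '.join(r['path'])}")
```

On this constructed ledger the walk ends at two outputs: 63.7 BTC sitting unspent one hop from the payment, which is the kind of dormant balance a seizure can target if the key is reachable, and a smaller amount three hops out at a deposit address, where the trail leaves the chain and any further step depends on records held off-chain. Real tracing adds clustering heuristics and address attribution on top of this walk; the graph traversal itself is no more than shown here.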
Will the seizure of the Colonial Pipeline ransom deter hackers?
Ironically, ransomware groups may need to tighten their own security to ensure law enforcement agencies can’t use similar tactics in future. “The next step for ransomware groups is likely to be to learn from this mistake and perhaps double down on their operational security and on how they store their private keys for cryptocurrency, as well as how they’ve spread that cryptocurrency around, to try and keep it outside the borders of law enforcement,” explains Hill.
Hill believes the success of the action by the FBI is unlikely to deter ransomware groups, as the stakes are now so high that criminals will just accept the risk. “I think they’ll probably just work around it,” he says. “Maybe it will just come down to being a risk of their business; they might say ‘we could lose 75% of our funds, so we’ll have to hit two companies’.” The nature of critical infrastructure means the prospect of a quick payment is likely to outweigh any elevated risk of funds being seized, Hill adds. “If you attack this [kind of infrastructure], it’s really critical and therefore the organisation or the government has to get it back up pretty quick. There is an increased risk, but an increased chance of getting paid perhaps.”
How serious is the threat of ransomware?
Ransomware gangs have been attacking public and private sector organisations with increasing ferocity over the past two years. In 2020 ransomware attacks increased globally by 485%, according to a report by security company Bitdefender.
In 2021 these attacks became even more damaging as ransoms rose into the millions. JBS, the world’s largest meat processor, whose US operations were hit late last month, revealed today that it had paid a ransom worth $11m in cryptocurrency.
While most governments have been allowing private sector companies to handle these attacks however they see fit, a line has now been drawn by the FBI in a bid to protect national infrastructure. This is a “significant” moment, says Syedur Rahman, partner at law firm Rahman Ravelli. “We can see that... the US authorities are actively taking steps in order to recover proceeds of crime following ransomware attacks,” Rahman says.