Following a series of initiatives designed to combat the growing ransomware threat, the U.S. government pulled off one action that shows what it could do. On Monday, the U.S. Department of Justice revealed that it had managed to recover part of the ransom paid by Colonial Pipeline to its DarkSide attackers.
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
The DOJ said it seized 63.7 bitcoins currently valued at $2.3 million, representing around half of the $4.4 million that Colonial Pipeline CEO Joseph Blount told The Wall Street Journal that he had authorized following the attack. The pipeline operator actually paid 75 bitcoins at the time, but the value of the cryptocurrency has fallen since the attack occurred a month ago.
Operating on a court-authorized warrant, the FBI was able to track down different bitcoin transfers to find the 63.7 bitcoins in ransom payment that had been sent to a specific address. Using a private key to access the funds from this address, the feds were able to seize the amount.
To convince organizations to take ransomware more seriously, the Biden administration has unveiled several recent measures, most notably an executive order. At the same time, the government has acknowledged its own part to play in this battle, such as holding accountable countries that harbor ransomware attackers, developing policies around ransom payments and trying to trace and block the transfer of virtual currency payments.
SEE: Security incident response policy (TechRepublic Premium)
“Following the money remains one of the most basic, yet powerful tools we have,” said DOJ Deputy Attorney General Lisa Monaco. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”
The different units in the DOJ coordinated the seizure action through the department’s Ransomware and Digital Extortion Task Force, which was created in April to fight the increased number of ransomware attacks. The aim of the task force is to track and take down malware, find the cybercriminals responsible for attacks and hold them accountable. The task force also works with other domestic and foreign agencies as well as companies in the private sector to combat ransomware.
“DAG Monaco was clear that there is no guarantee the government can do this every time,” said Suzanne Spaulding, advisor to Nozomi Networks and member of the Cyberspace Solarium Commission. “But if this can be done in even some instances, it is significant. It signals that we can impose consequences, even if we can’t prosecute these criminals because they are being harbored by Russia. It should make all those involved in the criminal activity of ransomware nervous that we may not only be able to take back their ill-gotten gains but use the ability to track cryptocurrency as a step towards identifying them.”
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)
Such steps may ultimately make it harder for criminals to spend their ill-gotten cryptocurrency, according to Spaulding. Further, the entire chain of events tells ransomware victims that there are benefits to working with the government, an important measure to convince victims to report cyberattacks.
However, for every Colonial Pipeline, there are plenty of other victimized organization who haven’t fared as well.
“Defending against run-of-the-mill threats is affordable and achievable,” said Chris Grove, technology evangelist for Nozomi Networks. “Some threats rise to a new level and must be dealt with differently. While it’s great that the government recovered some of the $4.4M paid by Colonial Pipeline, we can’t lose sight of the fact that while Colonial is a happier-ending story, there are dozens of victims we can also discuss who haven’t fared as well. Not to mention hundreds we know about, but can’t discuss, and another thousand that we don’t even know about.”