On Monday the Justice Department announced the recovery of $2.3 million, roughly half of the ransom collected by the hackers behind last month's Colonial Pipeline attack. Experts say this is a surprising outcome for a crime that is becoming more frequent and more serious.
"Ransomware money is rarely recovered," said April Doss, executive director of the Institute for Technology Law and Policy at Georgetown Law. "I don't know if this will pave the way for similar successes in the future."
Several factors, not all of them explained, contributed to the operation's success.
New task force holds the key
At a press conference on Monday, top federal law enforcement officials explained that the funds had been recovered by the recently launched Ransomware and Digital Extortion Task Force, created as part of the government's response to the surge in cyberattacks.
To resolve the attack, Colonial Pipeline paid $4.4 million and regained access to its computer systems on May 8, after ransomware had shut down the pipeline that carries fuel to much of the eastern United States.
Victims of these attacks are given very specific instructions on when and where to send the money, so it is not unusual for investigators to trace a payment to the cryptocurrency account (usually Bitcoin) set up by the criminal organization behind the extortion. What is unusual is being able to unlock that account and take the money back.
According to a court document released in the Colonial Pipeline case, the FBI seized the funds using the private key for the Bitcoin address to which the ransom had been sent. Authorities have not disclosed how the key was obtained. One reason criminals prefer Bitcoin and other cryptocurrencies is the perceived anonymity of the system (transactions are public, but addresses are not tied to names) and the fact that funds in a given wallet can be spent only by whoever holds its private key.
"The private key is what made it technically possible to seize these funds," Doss said. She added that cyber attackers take every possible step to protect any information that could link a key to a particular person or organization.
Authorities are likely to have obtained the private key in one of three ways.
One possibility is that the FBI got it from an informant involved in the attack: a person or group behind the scheme, or someone associated with DarkSide, the Russia-based ransomware developer that leases its malware to other criminals in exchange for a share of the proceeds.
The second theory is that the FBI uncovered the key thanks to a careless criminal.
FBI Deputy Director Paul Abbate said Monday that the agency has been investigating DarkSide since last year.
In the course of that surveillance, Doss points out, authorities likely had a search warrant allowing access to the email or other communications of one or more people who took part in the scheme. "And through that, they were able to access the private key, probably because someone emailed something that helped track it down."
The third possibility, according to Doss, is that the FBI got the key from a Bitcoin or cryptocurrency exchange that had been moving the money from one account to another after the initial payment.
She is not sure whether any exchange would be willing to cooperate with the FBI or respond to the agency's subpoenas, but if so, she said, it could be a game changer in the fight against ransomware.
Absent from Doss's list is the possibility that the FBI somehow cracked the key on its own. She admits it is theoretically possible, but "the idea that the FBI found the private key through some brute-force decryption activity seems to be the least likely scenario."
In any case, Doss says, if authorities can consistently strip the profits out of these attacks, they are likely to stamp the crime out.
It didn’t take long to track the money
That said, the attackers in this case made the unusual error of not moving the money. The $2.3 million that was eventually recovered was still sitting in the same Bitcoin address to which it had been sent.
"You don't really see that in cybercrime," says Doss.
For example, she said, there is another kind of scam in which a company is tricked into sending a payment using fake instructions. "The funds are wire-transferred to a legitimate bank account. The bank is unaware that the account was set up by a fraudster, and as soon as those funds are credited to the account, most of the time the criminals will immediately wire them out of that account," Doss said. "Within 72 hours, those funds are gone, which makes tracing and tracking very difficult."
Doss suspects that the Colonial Pipeline attackers assumed the money could not be traced, and were overconfident that the private key was secure.
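The tracing problem described above (a payment that sits untouched at the receiving address versus one that is split and layered out to an exchange within hours) can be shown on a toy ledger. The following is an added example, not code from the article or from any investigative tool: it models a public ledger in the style of Bitcoin's as a list of transactions that spend input addresses and pay output addresses, applies the simplest "any-taint" rule (every output of a transaction that spends a tainted address is tainted in full, change included), and reports where the money currently rests. All addresses, amounts, transaction IDs and timings are constructed for illustration.

```python
"""Added example: following ransom money across a constructed transaction ledger.

Simplified model of a public ledger such as Bitcoin's. Addresses, amounts,
transaction IDs and timings below are made up for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Tx:
    txid: str
    time_hours: float   # hours after the ransom payment was made (constructed)
    inputs: list        # addresses whose funds this transaction spends
    outputs: list       # (address, amount) pairs this transaction pays


@dataclass
class Trace:
    resting: dict = field(default_factory=dict)      # address -> amount still unspent
    at_exchange: dict = field(default_factory=dict)  # exchange deposit address -> amount
    hops: int = 0                                    # longest chain of spends followed


def trace_funds(ledger, start, exchange_addrs, max_hops=10):
    """Breadth-first walk of every spend from `start`.

    Taint rule: once an address is tainted, every output of a transaction that
    spends it is tainted in full. Unspent funds can be moved by whoever holds
    that address's private key (or seized by whoever obtains it); funds paid to
    an exchange deposit address leave the public ledger, so tracing can only
    continue through the exchange's own records.
    """
    spent_by = {}
    for tx in ledger:
        for addr in tx.inputs:
            spent_by.setdefault(addr, []).append(tx)

    paid_in = sum(amt for tx in ledger for addr, amt in tx.outputs if addr == start)
    result = Trace()
    queue = deque([(start, paid_in, 0)])
    seen = set()
    while queue:
        addr, amt, hops = queue.popleft()
        if addr in seen:
            continue
        seen.add(addr)
        result.hops = max(result.hops, hops)
        if addr in exchange_addrs:
            result.at_exchange[addr] = result.at_exchange.get(addr, 0) + amt
        elif addr not in spent_by or hops >= max_hops:
            result.resting[addr] = result.resting.get(addr, 0) + amt
        else:
            for tx in spent_by[addr]:
                for out_addr, out_amt in tx.outputs:
                    queue.append((out_addr, out_amt, hops + 1))
    return result


def first_move_delay(ledger, start):
    """Hours between the payment landing at `start` and the first spend from it.

    Returns None when the funds were never moved.
    """
    received = [tx.time_hours for tx in ledger if any(a == start for a, _ in tx.outputs)]
    spends = [tx.time_hours for tx in ledger if start in tx.inputs]
    if not received or not spends:
        return None
    return min(spends) - min(received)


# Constructed sample data: one known exchange deposit address.
EXCHANGES = {"exch_deposit_1"}

# Scenario A (constructed): the ransom sits untouched in the receiving address.
LEDGER_UNMOVED = [
    Tx("tx_ransom", 0.0, ["victim_wallet"], [("ransom_addr", 75)]),
]

# Scenario B (constructed): the same payment, split and layered within hours,
# with part cashed out through an exchange and part peeled off to new addresses.
LEDGER_LAYERED = [
    Tx("tx_ransom", 0.0, ["victim_wallet"], [("ransom_addr", 75)]),
    Tx("tx_split", 6.0, ["ransom_addr"], [("hop_a", 40), ("hop_b", 35)]),
    Tx("tx_cashout", 20.0, ["hop_a"], [("exch_deposit_1", 40)]),
    Tx("tx_peel", 30.0, ["hop_b"], [("hop_c", 20), ("hop_b_change", 15)]),
]


if __name__ == "__main__":
    for name, ledger in (("unmoved", LEDGER_UNMOVED), ("layered", LEDGER_LAYERED)):
        t = trace_funds(ledger, "ransom_addr", EXCHANGES)
        print(f"{name}: resting={t.resting} at_exchange={t.at_exchange} "
              f"hops={t.hops} first_move_after_hours={first_move_delay(ledger, 'ransom_addr')}")
```

In scenario A the whole payment is still controlled by a single private key, which is exactly the situation a seizure warrant can act on. In scenario B part of the money has reached an exchange (where on-chain tracing ends and legal process against the exchange begins) and the rest is scattered across fresh addresses, each needing its own key. Real investigations use proportional rather than all-or-nothing taint and must cope with mixers and many more hops, but the structure of the walk is the same.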
Shutting down more of these extortion schemes could matter to the US economy. According to Coalition, a cybersecurity company that tracks insurance claims, ransom demands doubled from 2019 to 2020.
Those costs appear to be skyrocketing again this year. In March, CNA Financial, one of the largest insurers in the United States, paid $40 million after a ransomware attack, Bloomberg reported.
In April, the ransomware gang REvil demanded $50 million from Apple in exchange for allegedly stolen data and schematics of unreleased products, Wired reported. It is unclear whether Apple responded to REvil's demand, but the criminal group threatened to auction the information if it did not.
Colonial Pipeline ransom returned by new Justice Department team: NPR