It was one of the most spectacular hacker attacks of the year: when ransomware blackmailers paralyzed the Colonial Pipeline company in May, gas stations on the US East Coast ran dry and panic buying ensued. Now the US judiciary has achieved at least a partial success: according to its own statements, it was able to confiscate a large part of the ransom money paid. This step is more than just an investigative success. It is a declaration of war by the US government on all ransomware gangs.
As the US Department of Justice announced on Monday, the FBI has seized 63.7 Bitcoin, currently valued at around 2.3 million dollars. The investigators were able to identify a digital purse – a so-called wallet – that the attackers had used to distribute the loot. “Following the flow of money is one of the simplest, yet most powerful, tools available to us,” said Lisa Monaco of the US Justice Department. The FBI also managed to get the encryption codes and take over the wallet. How exactly the investigators succeeded in doing this is kept secret by the FBI.
It helped the federal police that Bitcoin payments, contrary to the cliché, are not anonymous: all transactions can be tracked on the public blockchain and ultimately attributed to the parties involved. Criminal gangs often use straw men who withdraw the money for them and keep part of it in return.
Attacks on the infrastructure
The attack on Colonial Pipeline took place in early May. The attackers had penetrated the company network and encrypted and copied internal data. The company then shut down the pipeline, through which almost half of all fuel consumed on the US East Coast flows, for several days. In Washington, 88 percent of gas stations ran out of fuel, and there was panic buying in other parts of the country as well.
In exchange for the payment of 75 Bitcoins – at that time around 4.5 million dollars – the attackers delivered decryption software to Colonial Pipeline. However, this turned out to be useless because it was too slow to bring the company systems back on the network. The company finally made do with its own backup copies in order to resume operations after several days. Although a large part of the ransom paid has been secured, the loot recovered is currently only worth about half due to a collapse in Bitcoin’s price.
The attack on the pipeline operator quickly became a political issue. US investigators blamed the ransomware group “DarkSide”, which they suspect operates out of Russia. Because of the worldwide attention, that group of criminals stopped its activities. It is unclear whether the people behind “DarkSide” have actually withdrawn completely. The US authorities now have a total of 90 different ransomware gangs in their sights.
The FBI’s success in the investigation highlights the sophisticated approach of the online blackmailers. The division of labor is part of the business: while the people behind the scenes provide the encryption software and negotiate with the victims, the company networks themselves are attacked by a large number of other attackers. They try, for example, to send malware to companies by email or they look for weak points in the company’s infrastructure. If successful, the attackers share the booty. The portion of the ransom now confiscated corresponds to the usual wages for the hackers who placed the malware.
Biden makes ransomware attacks a top priority
After the spectacular attacks on Colonial Pipeline and the world’s largest meat producer JBS, US President Biden recently made the ransomware problem a top priority. In doing so, he is putting pressure on Russia, where many of the gangs are said to be operating from. Biden’s spokeswoman Jen Psaki told journalists at the beginning of June: “The President is convinced that President Putin has a role to play in stopping and preventing such attacks.” Biden is also said to want to raise the subject with Putin at their planned meeting on June 16 in Geneva.
On the one hand, the US government relies on prevention. In an open letter, the White House called on companies to do more to prevent attackers from taking over their networks in the first place. For example, US companies should rely on two-factor authentication across the company and regularly create backups so that they can quickly resume operations in the event of an attack. At the same time, the US government appeals to companies not to pay blackmailers under any circumstances. In this way, their sources of income are to be dried up.
At the same time, the US government has set up a task force that includes the FBI, US federal prosecutors and anti-money laundering specialists. The investigators are not only trying to convict the ransomware gangs themselves, but they are also investigating the infrastructure used by the criminals. These include, for example, underground forums through which the malware is distributed, payment services with which the ransom is smuggled across national borders, and so-called “bulletproof hosters” such as the cyberbunker, which offer criminals shelter in their data centers.
Paul Abbate, the FBI’s assistant director, said they would “use whatever resources we have and our national and international connections to thwart the ransomware business and protect our economy and the American public.”