First on CNN: US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers

US investigators have recovered millions in cryptocurrency they say was paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, the Justice Department announced Monday.

The announcement confirms CNN’s earlier reporting about the FBI-led operation, which was carried out with cooperation from Colonial Pipeline, the company that fell victim to the ransomware attack in question.

Specifically, the Justice Department said it seized approximately $2.3 million in bitcoin paid to individuals in a criminal hacking group known as DarkSide. The FBI said it has been investigating DarkSide, which is said to operate on a ransomware-as-a-service model, leasing its malware and infrastructure to other criminal hackers, for over a year.

The ransom recovery, which is the first seizure undertaken by the recently created DOJ digital extortion taskforce, is a rare outcome for a company that has fallen victim to a debilitating cyberattack in the booming criminal business of ransomware.

Colonial Pipeline Co. CEO Joseph Blount told The Wall Street Journal in an interview published last month that the company complied with the $4.4 million ransom demand because officials didn’t know the extent of the intrusion by hackers and how long it would take to restore operations.

But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia.

“Following the money remains one of the most basic, yet powerful, tools we have,” Deputy Attorney General Lisa Monaco said Monday during the DOJ announcement, which followed CNN’s reporting about the recovery operation. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”

The seizure warrant was authorized through the US Attorney’s Office for the Northern District of California.

“The extortionists will never see this money,” acting US Attorney Stephanie Hinds for the Northern District of California said at the news conference at the Justice Department Monday. “New financial technologies that attempt to anonymize payments will not provide a curtain from behind which criminals will be permitted to pick the pockets of hardworking Americans.”

Blount issued a statement following the DOJ announcement.

“When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington D.C. to share with them what we knew at that time. The Department of Justice and FBI were instrumental in helping us to understand the threat actor and their tactics. Their efforts to hold these criminals accountable and bring them to justice are commendable,” Blount said.

CNN previously reported that US officials were looking for any possible holes in the hackers’ operational or personal security in an effort to identify the actors responsible — specifically monitoring for any leads that might emerge out of the way they move their money, one of the sources familiar with the effort said.

In an interview with The Wall Street Journal last week, FBI Director Christopher Wray said coordination between ransomware victims and law enforcement can, in some cases, yield positive results for both parties.

“I don’t want to suggest that this is the norm, but there have been instances where we’ve even been able to work with our partners to identify the encryption keys, which then would enable a company to actually unlock their data — even without paying the ransom,” he said.

‘Misuse of cryptocurrency is a massive enabler’

The Biden administration has zeroed in on the less regulated architecture of cryptocurrency payments which allows for greater anonymity as it ramps up its efforts to disrupt the growing and increasingly destructive ransomware attacks, following two major incidents on critical infrastructure.

“The misuse of cryptocurrency is a massive enabler here,” Deputy National Security Advisor Anne Neuberger told CNN. “That’s the way folks get the money out of it. On the rise of anonymity-enhancing cryptocurrencies, the rise of mixer services that essentially launder funds.”

“Individual companies feel under pressure – particularly if they haven’t done the cybersecurity work — to pay off the ransom and move on,” Neuberger added. “But in the long-term, that’s what drives the ongoing ransom [attacks]. The more folks get paid the more it drives bigger and bigger ransoms and more and more potential disruption.”

While the Biden administration has made clear it needs help from private companies to stem the recent wave of ransomware attacks, federal agencies do maintain some capabilities that far exceed what industry partners can do on their own and are adept at tracing currency used to pay ransomware groups, CNN previously reported.

But the government’s ability to effectively do so in response to a ransomware attack is very “situationally dependent,” two sources said last week.

One of the sources noted that helping recover money paid to ransomware actors is certainly an area where the US government can provide assistance but success varies dramatically and largely depends on whether there are holes in the attackers’ system that can be identified and exploited.

In some cases, US officials can find the ransomware operators and “own” their network within hours of an attack, one of the sources explained, noting that allows relevant agencies to monitor the actor’s communications and potentially identify additional key players in the group responsible.

When ransomware actors are more careful with their operational security, including in how they move money, disrupting their networks or tracing the currency becomes more complicated, the sources added.
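The article says investigators tracked Colonial’s payment to a wallet used by the hackers, and the sources above say that tracing gets harder when actors are careful about how they move money. The following is an added example, not code from the article, from the FBI or from any investigator, showing what “following the money” on a public ledger looks like in practice: forward-tracing from the ransom payment through a split and a peel chain to exchange deposit addresses, stopping where a CoinJoin-style mixing transaction makes the input-to-output link ambiguous, and clustering addresses by the common-input-ownership heuristic. The ledger, transaction ids, addresses and amounts are constructed for the demonstration and are not real Bitcoin data.

```python
"""Following ransom funds across a public, bitcoin-style ledger.

Added example; not code from the CNN article or from any investigator.
The ledger, txids, addresses and amounts are constructed (hypothetical).
"""
from collections import deque

# Each tx: "in" lists the outputs it spends as (txid, vout); "out" lists
# (address, amount_btc). Entries with no inputs are funding sources.
LEDGER = {
    "fund_victim": {"in": [], "out": [("victim_wallet", 70.0)]},
    "fund_x":      {"in": [], "out": [("x_wallet", 50.0)]},
    "fund_y":      {"in": [], "out": [("y_wallet", 50.0)]},
    # The ransom payment: the victim sends 70 BTC to the address in the demand.
    "ransom_pay":  {"in": [("fund_victim", 0)], "out": [("ransom_addr", 70.0)]},
    # Split between two parties (an affiliate share and an operator share).
    "split":       {"in": [("ransom_pay", 0)],
                    "out": [("affil_1", 59.5), ("operator_1", 10.5)]},
    # Peel chain: small amounts peeled off to exchange deposit addresses,
    # the remainder moving to a fresh address at each hop.
    "peel_1":      {"in": [("split", 0)], "out": [("dep_1", 5.0), ("affil_2", 54.5)]},
    "peel_2":      {"in": [("peel_1", 1)], "out": [("dep_2", 4.5), ("affil_3", 50.0)]},
    # The two deposits are co-spent into one exchange hot wallet.
    "cashout":     {"in": [("peel_1", 0), ("peel_2", 0)], "out": [("exch_hot", 9.5)]},
    # CoinJoin-style mix: three 50 BTC inputs, three equal 50 BTC outputs.
    "mix":         {"in": [("peel_2", 1), ("fund_x", 0), ("fund_y", 0)],
                    "out": [("mix_out_a", 50.0), ("mix_out_b", 50.0), ("mix_out_c", 50.0)]},
}


def spender_index(ledger):
    """Map every spent output (txid, vout) to the txid that spends it."""
    idx = {}
    for txid, tx in ledger.items():
        for prev in tx["in"]:
            idx[prev] = txid
    return idx


def looks_like_coinjoin(tx, min_parties=3):
    """Heuristic: several inputs and several equal-value outputs. Past such a
    transaction the link between one input and one output is ambiguous."""
    amounts = [amt for _, amt in tx["out"]]
    return (len(tx["in"]) >= min_parties
            and max(amounts.count(a) for a in amounts) >= min_parties)


def trace(ledger, start, max_hops=25):
    """Follow funds forward from the output `start` = (txid, vout).

    Returns (resting, ambiguous): `resting` maps address -> BTC sitting
    unspent on the traced path; `ambiguous` lists txids where the trace
    stopped because a mixing transaction (or the hop limit) broke the link.
    """
    spent_by = spender_index(ledger)
    resting, ambiguous = {}, []
    queue, seen = deque([(start, 0)]), {start}
    while queue:
        (txid, vout), hops = queue.popleft()
        addr, amt = ledger[txid]["out"][vout]
        nxt = spent_by.get((txid, vout))
        if nxt is None:                        # unspent: funds rest here
            resting[addr] = resting.get(addr, 0.0) + amt
            continue
        if looks_like_coinjoin(ledger[nxt]) or hops >= max_hops:
            ambiguous.append(nxt)              # cannot follow 1:1 any further
            continue
        for i in range(len(ledger[nxt]["out"])):
            if (nxt, i) not in seen:
                seen.add((nxt, i))
                queue.append(((nxt, i), hops + 1))
    return resting, ambiguous


def input_clusters(ledger):
    """Common-input-ownership heuristic: addresses co-spent in one transaction
    are assumed to share a controller. CoinJoin-like transactions are skipped,
    since the heuristic is wrong for them by design."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]      # path halving
            a = parent[a]
        return a

    for tx in ledger.values():
        if looks_like_coinjoin(tx) or len(tx["in"]) < 2:
            continue
        addrs = [ledger[t]["out"][v][0] for t, v in tx["in"]]
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    clusters = {}
    for a in list(parent):
        clusters.setdefault(find(a), set()).add(a)
    return [frozenset(c) for c in clusters.values()]


if __name__ == "__main__":
    resting, ambiguous = trace(LEDGER, ("ransom_pay", 0))
    print("funds resting at:", resting)        # {'operator_1': 10.5, 'exch_hot': 9.5}
    print("trace lost at:", ambiguous)         # ['mix']
    print("co-spent clusters:", input_clusters(LEDGER))
```

Two things in the constructed run mirror what the article’s sources describe. The operator’s share and the peeled-off exchange deposits end up at addresses where a warrant can reach them, and the co-spend in `cashout` ties the two deposit addresses to one controller even though they look unrelated on their own; that is the kind of “hole in the operational security” a careful actor avoids. The affiliate’s remainder, by contrast, enters a mixing transaction and the trace reports `mix` as the point where a one-to-one link no longer exists, which is why mixer services feature so prominently in the administration’s comments above.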

“It’s really a mixed bag,” they told CNN, referring to the varying degrees of sophistication demonstrated by groups involved in these attacks.

CNN previously reported that there are indications the individual actors that attacked Colonial, in conjunction with DarkSide, may have been inexperienced or novice hackers, rather than well-seasoned professionals, according to three sources familiar with the Colonial investigation.

One of the sources also cautioned against putting too much stock in US government actions, telling CNN that the unique circumstances around each attack and level of detail needed to effectively take action against these groups is part of the reason there is “no silver bullet” when it comes to countering ransomware attacks.

“It will take improved defenses, breaking up the profitability of ransomware and directed action on the attackers to make this stop,” the source added, making clear that disrupting and tracing cryptocurrency payments is only one part of the equation.

That sentiment has been echoed by cybersecurity experts who agree that ransomware actors use cryptocurrency to launder their transactions.

“In the Bitcoin era, laundering money is something that any nerd can do. You don’t need a big organized crime apparatus anymore,” according to Alex Stamos, former Facebook chief security officer and co-founder of the Krebs Stamos Group.

“The only way we’re going to be able to strike back against that as an entire society is by making it illegal … I do think we have to outlaw payments,” he added. “That is going to be really tough. The first companies to get hit once it’s illegal to pay, they’re going to be in a very tough spot. And we’re going to see a lot of pain and suffering.”

‘It’s happening all the time’

In recent weeks, cybercriminals have increasingly targeted organizations that play critical roles across broad swaths of the US economy. The fallout from those attacks shows how hackers are now causing chaos for everyday Americans at an unprecedented pace and scale.

Energy Secretary Jennifer Granholm on Sunday warned that “very malign actors” had the US in their sights after attacks on a pipeline, government agencies, a Florida water system, schools, health care institutions and, even last week, the meat industry and a ferry service to millionaire’s playground Martha’s Vineyard.

“Even as we speak, there are thousands of attacks on all aspects of the energy sector and the private sector generally … it’s happening all the time,” Granholm told CNN’s Jake Tapper on “State of the Union.”

The Justice Department signaled last week that it plans to coordinate its anti-ransomware efforts with the same protocols as it does for terrorism, following a slew of cyberattacks that have disrupted key infrastructure sectors ranging from gasoline distribution to meatpacking.

Deputy Attorney General Lisa Monaco issued an internal memo directing US prosecutors to report all ransomware investigations they may be working on, in a move designed to better coordinate the US government’s tracking of online criminals.

The memo cites ransomware — malicious software that encrypts or locks a victim’s data and systems and withholds access until a ransom is paid — as an urgent threat to the nation’s interests.

“We must enhance and centralize our internal tracking of investigations and prosecutions of ransomware groups and the infrastructure and networks that allow these threats to persist,” Monaco wrote.

The tracking effort is expansive, covering not only the DOJ’s pursuit of ransomware criminals themselves but also the cryptocurrency tools they use to receive payments, automated computer networks that spread ransomware and online marketplaces used to advertise or sell malicious software.

The DOJ directive requires US attorneys’ offices to file internal reports on every new ransomware incident they hear about.
