The seizure of bitcoin worth about $2.3m by US authorities, allegedly part of the ransom payment made by critical infrastructure operator Colonial Pipeline to the DarkSide ransomware gang last month, has drawn praise from the cyber community, but is also a reminder that defenders cannot necessarily rely on such good luck.
The funds were seized on Monday 7 June under a warrant issued in the Northern District of California. The seizure was the culmination of an in-depth FBI-led investigation into the 7 May attack on Colonial Pipeline, which prompted panic buying of fuel across parts of the US.
The US Department of Justice (DoJ) revealed that by reviewing the bitcoin public ledger, the FBI tracked the cryptocurrency through multiple transfers and found that about 63.7 of the 75 bitcoin paid as ransom had been moved to a specific address for which the FBI had obtained the private key, giving it access to the funds.
The DoJ said the bitcoin represented “proceeds traceable to a computer intrusion and property involved in money laundering”, and could therefore be seized under criminal and civil forfeiture statutes.
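The “following the money” the DoJ describes rests on the fact that every bitcoin transaction, its inputs and its outputs are public. The script below is an added example, not the article’s code and not FBI or DoJ tooling: it builds a small constructed UTXO ledger (every txid, address and amount is made up for illustration), walks backwards from an address of interest to find which earlier transactions funded it, and propagates a proportional “taint” forward from the ransom output so that, once coins are split and joined with unrelated funds, each later output is credited with its share of the ransom rather than all or nothing. The same mechanics show why relaying coins through many transactions makes the trail harder, but not impossible, to follow.

```python
"""
Following the money on a toy public ledger (added, constructed example).

Transactions spend earlier outputs (inputs) and create new outputs
(address, amount). Amounts are integer satoshis (1 BTC = 100_000_000 sat).
All txids, addresses and amounts are constructed; nothing here is real chain data.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAT = 100_000_000
OutRef = Tuple[str, int]  # (txid, output index)


@dataclass
class Tx:
    txid: str
    inputs: List[OutRef]            # outputs being spent; [] means source is outside this ledger
    outputs: List[Tuple[str, int]]  # (address, amount in sat)


# Constructed ledger in confirmation order: the ransom lands on extortion_addr,
# is split, one branch is relayed intact to seized_addr, the other is joined
# with unrelated coins in tx_mix. Fees are the input/output difference.
LEDGER: List[Tx] = [
    Tx("tx_ransom", [], [("extortion_addr", 75 * SAT)]),
    Tx("tx_clean",  [], [("clean_addr", 25 * SAT)]),
    Tx("tx_split",  [("tx_ransom", 0)], [("hop_a", 6_370_000_000), ("hop_b", 1_129_900_000)]),
    Tx("tx_relay",  [("tx_split", 0)], [("seized_addr", 6_370_000_000)]),
    Tx("tx_mix",    [("tx_split", 1), ("tx_clean", 0)],
       [("mix_out_1", 1_800_000_000), ("mix_out_2", 1_829_800_000)]),
]


def index_outputs(ledger: List[Tx]) -> Dict[OutRef, Tuple[str, int]]:
    """Map (txid, index) -> (address, amount) for every output on the ledger."""
    return {(tx.txid, i): out for tx in ledger for i, out in enumerate(tx.outputs)}


def spent_outputs(ledger: List[Tx]) -> Dict[OutRef, str]:
    """Map each spent output -> txid of the transaction that spent it."""
    return {ref: tx.txid for tx in ledger for ref in tx.inputs}


def ancestors(ledger: List[Tx], address: str) -> List[str]:
    """Walk backwards from every output paid to `address`; return the txids its
    coins descend from, nearest first. This is the naive 'is there any path back
    to the ransom' view: a mixed output is linked to both the ransom and the clean coins."""
    by_txid = {tx.txid: tx for tx in ledger}
    start = [ref[0] for ref, (addr, _) in index_outputs(ledger).items() if addr == address]
    seen, order, queue = set(), [], deque(dict.fromkeys(start))
    while queue:
        txid = queue.popleft()
        if txid in seen:
            continue
        seen.add(txid)
        order.append(txid)
        queue.extend(parent for parent, _ in by_txid[txid].inputs)
    return order


def propagate_taint(ledger: List[Tx], seed: OutRef) -> Dict[OutRef, int]:
    """Proportional ('haircut') taint: `seed` is 100% ransom money; every output of a
    later transaction carries the same ransom share as that transaction's inputs did
    in aggregate (tainted_in / total_in). Floor-rounded integer satoshis, so the taint
    credited never exceeds the coins actually present."""
    outputs = index_outputs(ledger)
    taint: Dict[OutRef, int] = {seed: outputs[seed][1]}
    confirmed = set()
    for tx in ledger:
        for parent, _ in tx.inputs:
            if parent not in confirmed:
                raise ValueError(f"{tx.txid} spends {parent} before it is confirmed")
        confirmed.add(tx.txid)
        if not tx.inputs:
            continue  # external source: untainted unless it is the seed itself
        total_in = sum(outputs[ref][1] for ref in tx.inputs)
        tainted_in = sum(taint.get(ref, 0) for ref in tx.inputs)
        if tainted_in:
            for i, (_, amt) in enumerate(tx.outputs):
                taint[(tx.txid, i)] = amt * tainted_in // total_in
    return taint


def tainted_balances(ledger: List[Tx], seed: OutRef) -> Dict[str, int]:
    """Ransom satoshis sitting in currently unspent outputs, per address:
    the places where the money has come to rest."""
    outputs, spent = index_outputs(ledger), spent_outputs(ledger)
    balances: Dict[str, int] = {}
    for ref, t in propagate_taint(ledger, seed).items():
        if t and ref not in spent:
            addr = outputs[ref][0]
            balances[addr] = balances.get(addr, 0) + t
    return balances


if __name__ == "__main__":
    print("seized_addr descends from:", ancestors(LEDGER, "seized_addr"))
    print("mix_out_1 descends from:  ", ancestors(LEDGER, "mix_out_1"))
    for addr, sats in tainted_balances(LEDGER, ("tx_ransom", 0)).items():
        print(f"{addr:14s} holds {sats / SAT:.8f} BTC of ransom money")
```

Run stand-alone it reports the 63.7 BTC resting on seized_addr as fully ransom-derived, and credits each mixed output with only about 31% of its value as ransom money, which is the quantitative answer to “these coins were mixed with other funds”. The haircut rule is one of several conventions (first-in-first-out and poison rules are also used); the choice changes the numbers but not the fact that the graph itself is public.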
“Following the money remains one of the most basic, yet powerful tools we have,” said the DoJ’s deputy attorney general, Lisa Monaco. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.
“We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement. We thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”
FBI deputy director Paul Abbate added: “There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors.
“We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
The seizure itself was handled by the Special Prosecutions and Asset Forfeiture Unit of the Northern District of California’s US Attorney’s Office, supported by the DoJ Criminal Division’s Money Laundering and Asset Recovery, and Computer Crime and Intellectual Property sections, alongside the National Security Division’s Counterintelligence and Export Control section. The operation was one of the first to be coordinated through the US’s new Ransomware Task Force, set up earlier in 2021 in response to the current surge in attacks.
Stem the tide
Reaction to the seizure was broadly positive, with cyber community members praising the US authorities for taking decisive action. Mandiant’s vice-president of analysis, John Hultquist, was among those to voice their support.
He said: “The move by the DoJ to recover ransom payments from the operators who disrupted US critical infrastructure is a welcome development. It has become clear that we need to use several tools to stem the tide of this serious problem, and even law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law.
“In addition to the immediate benefits of this approach, a stronger focus on disruption may disincentivise this behaviour, which is growing in a vicious cycle.”
Nozomi Networks product evangelist Chris Grove was similarly enthusiastic, saying the action was exactly what security defenders needed to see.
“Defending against run-of-the-mill threats is affordable, and achievable,” he said. “Some threats rise to a new level, and must be dealt with differently. While it’s great that the government recovered some of the $4.4m paid by Colonial Pipeline, we can’t lose sight of the fact that while Colonial is a happier-ending story, there are dozens of victims we can also discuss who haven’t fared as well. Not to mention hundreds we know about but can’t discuss, and another thousand that we don’t even know about.
“We need to keep our eye on the ball and continue to build our defences, while using actions like those today, as a way to trim the weeds that grow too tall.”
Don’t stop me now
ImmuniWeb founder Ilia Kolochenko, who is also a member of Europol’s data protection experts network, agreed that the seizure sent a clear message that the authorities have reached the end of their “tolerance” for ransomware attacks, but said it was important to back up this action with more funding and support, rather than just accepting the win.
“The DoJ will certainly need more funding to gradually expand its cyber crime prosecution unit and foster interagency collaboration,” he said. “Moreover, international cooperation is essential to curb surging ransomware attacks, including a baseline cooperation with traditionally hostile jurisdictions. Otherwise, even though uncovered, the perpetrators will likely enjoy impunity due to missing extradition treaties with foreign jurisdictions.”
The seizure also needs to be backed up with more attention from governments, and not just the US government, to supporting businesses in establishing continuous, risk-based and process-driven cyber security programmes based on standards such as ISO 27001, so as to mitigate the risk of falling victim to a ransomware hit.
“Most ransomware victims of all sizes neglect even the basics of data protection, eventually becoming low-hanging fruit for unscrupulous cyber criminals,” said Kolochenko. “Therefore, merely prosecuting the criminals with more force will not help without first enhancing national cyber security awareness and preparedness.”
The DoJ’s Monaco took a similar line, saying: “In this heightened threat landscape, we all have a role to play in keeping our nation safe. No organisation is immune. So today I want to emphasise to leaders of corporations and communities alike – the threat of severe ransomware attacks poses a clear and present danger to your organisation, to your company, your customers, your shareholders and your long-term success.
“Pay attention now. Invest the resources now. Failure to do so could be the difference between being secure now – or a victim later.”
Up all night to get lucky
But John Hammond, senior security researcher at Huntress, said it was likely that the investigators had got lucky, and questioned the notion that such seizures would ever be commonplace.
“One of the single most enabling factors of modern cyber crime is the advent of cryptocurrencies,” he said. “No other technology offers a bad actor the perfect crime: anonymous threats without borders, blackmail and extortion without financial oversight or a governing authority.
“These almost always go undetected, because despite currencies like bitcoin and ethereum offering a public ledger, there is nothing to stop criminals from laundering money through an automated mixer. Bad actors can ‘wash’ the money by having it go through many transactions until it has no apparent ties to the origin.”
Hammond added: “Unless the bad actors make any unintentional mistake, the inherent design of cryptocurrency makes for a perfect getaway car. It is great to see that thorough investigation and detective work could help recover money for Colonial Pipeline, but unless something is done about cryptocurrencies, we might not be as fortunate again.
“Whether it is abolishing cryptocurrencies, adding oversight or other safeguards, something has to be changed so that, at the very least, we aren’t relying on a mere hope that the criminals made a mistake.”