Ransomware: US recovers millions in cryptocurrency paid to Colonial Pipeline hackers

The Justice Department on Monday is expected to announce details of the operation led by the FBI with the cooperation of the Colonial Pipeline operator, the people briefed on the matter said.

The ransom recovery is a rare outcome for a company that has fallen victim to a debilitating cyberattack in the booming criminal business of ransomware.

Colonial Pipeline Co. CEO Joseph Blount told The Wall Street Journal In an interview published last month that the company complied with the $4.4 million ransom demand because officials didn’t know the extent of the intrusion by hackers and how long it would take to restore operations.

But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia. US officials have linked the Colonial attack to a criminal hacking group known as Darkside that is said to share its malware tools with other criminal hackers.

A spokesman for the Justice Department declined to comment, and CNN has reached out to the Colonial Pipeline operator.

CNN previously reported that US officials were looking for any possible holes in the hackers’ operational or personal security in an effort to identify the actors responsible — specifically monitoring for any leads that might emerge out of the way they move their money, one of the sources familiar with the effort said.

The Biden administration has zeroed in on the less regulated architecture of cryptocurrency payments which allows for greater anonymity as it ramps up its efforts to disrupt the growing and increasingly destructive ransomware attacks, following two major incidents on critical infrastructure.

‘Misuse of cryptocurrency is a massive enabler’

“The misuse of cryptocurrency is a massive enabler here,” Deputy National Security Advisor Anne Neuberger told CNN. “That’s the way folks get the money out of it. On the rise of anonymity and enhancing cryptocurrencies, the rise of mixer services that essentially launder funds.”

“Individual companies feel under pressure – particularly if they haven’t done the cybersecurity work — to pay off the ransom and move on,” Neuberger added. “But in the long-term, that’s what drives the ongoing ransom [attacks]. The more folks get paid the more it drives bigger and bigger ransoms and more and more potential disruption.”

While the Biden administration has made clear it needs help from private companies to stem the recent wave of ransomware attacks, federal agencies are adept at tracing currency used to pay ransomware groups, CNN previously reported.

But the government’s ability to effectively do so in response to a ransomware attack is very “situationally dependent,” two sources said last week.

One of the sources noted that helping recover money paid to ransomware actors is certainly an area where the US government can provide assistance but noted that success varies dramatically and largely depends on whether there are holes in the attackers’ system that can be identified and exploited.

In some cases, US officials can find the ransomware operators and “own” their network within hours of an attack, one of the sources explained, noting that allows relevant agencies to monitor the actor’s communications and potentially identify additional key players in the group responsible.

When ransomware actors are more careful with their operational security, including in how they move money, disrupting their networks or tracing the currency becomes more complicated, the sources added.

“It’s really a mixed bag,” they told CNN, referring to the varying degrees of sophistication demonstrated by groups involved in these attacks.

One of the sources also cautioned against putting too much stock in US government actions, telling CNN that the unique circumstances around each attack and level of detail needed to effectively take action against these groups is part of the reason there is “no silver bullet” when it comes to countering ransomware attacks.

“It will take improved defenses, breaking up the profitability of ransomware and directed action on the attackers to make this stop,” the source added, making clear that disrupting and tracing cryptocurrency payments is only one part of the equation.

That sentiment has been echoed by cybersecurity experts who agree that ransomware actors use cryptocurrency to launder their transactions.

“In the Bitcoin era, laundering money is something that any nerd can do. You don’t need a big organized crime apparatus anymore,” according to Alex Stamos, former Facebook chief security officer, co-founder Krebs Stamos Group.

“The only way we’re going to be able to strike back against that as an entire society is by making it illegal … I do think we have to outlaw payments,” he added. “That is going to be really tough. The first companies to get hit once it’s illegal to pay, they’re going to be in a very tough spot. And we’re going to see a lot of pain and suffering.”

This story is breaking and will be updated.