Experts React: US Recovers Millions Paid To Colonial Pipeline Ransomware Hackers


US investigators have recovered millions in cryptocurrency that they say was paid in ransom to the hackers whose attack prompted the shutdown of a key East Coast pipeline last month, the Justice Department announced Monday. Specifically, the Justice Department said it seized approximately $2.3 million in Bitcoin paid to individuals in a criminal hacking group known as DarkSide. The FBI said it has been investigating DarkSide, which is said to share its malware tools with other criminal hackers, for over a year.

9 Expert Comments
Sam Curry, Chief Security Officer
InfoSec Expert
June 8, 2021 11:58 am

There is no doubt an incredible story behind the scenes that we look forward to hearing more about. Yesterday’s developments have put threat actors on notice, and for the ransomware writers and other malware authors – now the gloves are off. However, this sends a clear message to the criminals: you are not immune to repercussions. Ransomware gangs are, in a dark sense, startups with their own venture capital and business models. The “investors” in these organisations must be getting nervous that their ill-gotten gains can be recouped.

Now is the time for law enforcement agencies and other important players in the public and private sector to continue in the same vein and put pressure on all fronts: technological, economic and diplomatic. It is far past time to let the malware authors and the cyber criminal gangs know that they have been put on notice and that their criminal enterprises will be exposed one by one. Now, it is hoped that Monday’s recovery of more than $2 million leads to Russia distancing itself in a face-saving way and moving ransomware gangs and cybercriminal outfits clearly into the pirate category. In other words, truly make it clear that they are enemies of the connected world.

Jake Moore, Cybersecurity Specialist
InfoSec Expert
June 8, 2021 12:00 pm

In what will be a huge blow to the DarkSide group behind the attacks, this is an extremely rare outcome. Discovering a private key to access the wallet used will have taken a painstaking amount of investigation and resources which unfortunately cannot be replicated in all attacks. The initial attack resulted in an enormous investigation, but this would have cost the FBI a great deal of time and money. However, it does highlight that cybercrime doesn’t always pay and even when the attackers themselves remain anonymous, the FBI’s secondary tactic is to fight back with their own version of disruption.

Chris Grove, Product Evangelist
InfoSec Expert
June 8, 2021 12:03 pm

The joint action and collaboration by the government and National Cyber Investigative Joint Task Force is exactly what defenders are asking for.

Defending against run-of-the-mill threats is affordable, and achievable. Some threats rise to a new level, and must be dealt with differently. While it’s great that the government recovered some of the $4.4M paid by Colonial Pipeline, we can’t lose sight of the fact that while Colonial is a happier ending story, there are dozens of victims we can also discuss who haven’t fared as well. Not to mention 100s we know about, but can’t discuss, and another 1,000 that we don’t even know about.

We need to keep our eye on the ball and continue to build our defenses, while using actions like those today, as a way to trim the weeds that grow too tall.

Ilia Kolochenko, Founder and CEO
InfoSec Expert
June 8, 2021 12:05 pm

The $2.3 million is a drop in the ocean of ransomware; however, it sends a bold statement that the DoJ now has zero tolerance for ransomware gangs. The seizure continues the previously announced efforts to combat surging ransomware, and is likely to be a first palpable step to deter cybercriminals. Importantly, the DoJ will certainly need more funding to gradually expand its cybercrime prosecution unit (CCIPS) and foster interagency collaboration. Moreover, international cooperation is essential to curb surging ransomware attacks, including a baseline cooperation with traditionally hostile jurisdictions. Otherwise, even though uncovered, the perpetrators will likely enjoy impunity due to missing extradition treaties with foreign jurisdictions.

Finally, the government should consider promoting cybersecurity among businesses to establish continuous, risk-based and process-driven information security programs based on ISO 27001 or similar international standards that cover people, processes and technologies. Most ransomware victims of all sizes neglect even the basics of data protection, eventually becoming low-hanging fruit for unscrupulous cybercriminals. Therefore, merely prosecuting the criminals with more force will not help without first enhancing national cybersecurity awareness and preparedness.

John Hultquist, Director of Intelligence Analysis
InfoSec Expert
June 8, 2021 12:11 pm

The move by the Department of Justice to recover ransom payments from the operators who disrupted U.S. critical infrastructure is a welcome development. It has become clear that we need to use several tools to stem the tide of this serious problem, and even law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law. In addition to the immediate benefits of this approach, a stronger focus on disruption may disincentivize this behavior, which is growing in a vicious cycle.

John Hammond, Senior Security Researcher
InfoSec Expert
June 8, 2021 12:19 pm

One of the single most enabling factors of modern cybercrime is the advent of cryptocurrencies. No other technology offers a bad actor the perfect crime: anonymous threats without borders, blackmail and extortion without a financial oversight or governing authority. These almost always go undetected, because despite currencies like Bitcoin and Ethereum offering a public ledger, there is nothing to stop criminals from laundering money through an automated mixer. Bad actors can “wash” the money by having it go through many transactions until it has no apparent ties to the origin. Unless the bad actors make any unintentional mistake, the inherent design of cryptocurrency makes for a perfect getaway car. It is great to see the thorough investigation and detective work could help recover money for Colonial Pipeline, but unless something is done about cryptocurrencies, we might not be as fortunate again. Whether it is abolishing cryptocurrencies, adding oversight or other safeguards, something has to be changed so at the very least we aren’t relying on a mere hope that the criminals made a mistake.

Rohit Hajela, Co-Founder
InfoSec Expert
June 8, 2021 2:45 pm

This is a great win against the bad guys, but more needs to be done. It seems like a movie scene: after receiving 100 punches on our body, this is one of the swings that hit their face. We need more crackdown ideas to catch cyber criminals, such as the FBI’s & Australian Federal Police’s brainchild, the secure messaging app “ANOM” that they promoted in the underworld. The fight against ransomware needs to be conducted on a war footing, collaborating with government, the private sector, cyber security experts, insurance, banks, and cryptocurrency advocates.

Ransomware gangs collected more than $350MM last year and it is a growing problem. Governments need to realize this and step up their game on regulation and governance around cryptocurrency. Virtual currencies do not play by the same rules as legal tender, which gives criminals ample opportunities to use them in money laundering, terrorist financing and ransomware. US Treasury Secretary Janet Yellen came down hard on cryptocurrency in February during the Financial Sector Innovation Policy Roundtable and called out that crypto and virtual currencies are used to fund illegal activities. More regulations need to be applied to put it on par with regulations on legal tender: rules to remove the anonymity behind crypto transactions, know your customer, account opening procedures, tougher licensing requirements, extending money laundering rules to kiosks for converting currency, seizures of cryptocurrency, disclosure rules for transactions of more than $10,000, and international cooperation for enforcing regulations in different jurisdictions. Cryptocurrency advocates might argue that this will stifle the growth of virtual currencies, but there need to be rules and regulations to protect us from various criminal activities.

Virtual currencies are a safe haven for cyber criminals as they lack regulatory oversight today. Although analysts claim that only 0.34% of cryptocurrency activity can be attributed to crime, we don’t have to wait before it becomes 34% or more. We all know that crypto is the favorite choice of ransomware gangs, and if we act now we may be able to put the brakes on before the car falls off the cliff.

This does not take the discussion away from the need to upgrade your IT infrastructure and focus on software and hardware currency. Make sure that the partners and vendors your organization works with on a regular basis have done the same. Make a currency program part of your monthly and quarterly vendor governance and vendor oversight. Ask your vendors if they have sufficient controls in place to protect your information, ask for evidence, validate, approve, repeat. This is not a one-time activity; it needs to be done on a regular basis so that we make the world a safer place.

Alan Grau, VP of IoT
InfoSec Expert
June 9, 2021 10:53 am

This was the most disruptive ransomware attack on record, illustrating how cybercriminals are confident enough to attack ever-more critical targets in search of ransom fees. This brings into sharp focus just how vulnerable a nation’s critical infrastructure is to cyberattacks.

Whilst the Justice Department recovering $2.3 million is welcome news, the nation is yet to address the glaring security risks that led to the attack. Had this been a nation-state wanting to damage the cyber-physical systems controlling the pipeline, they may have been able to do so.

Critical infrastructure providers must harden all of their systems against cyber-attacks. The embedded devices and control systems managing critical infrastructure are not isolated from the IT systems, and attacks against IT systems can be used as a beachhead to launch further attacks against these control systems. Multiple levels of security, starting with strong authentication and S/MIME protection for email, provide a layer of protection against phishing attacks and other cyberattacks that are commonly used as entry points for ransomware attacks.

Peter Grimmond, International CTO & VP Technical Sales
InfoSec Expert
June 9, 2021 2:10 pm

Everyone wants to see ransomware hackers defeated, so it’s great to see that most of the ransom paid by Colonial Pipeline has been recovered. It is important that businesses now prepare for hackers to evolve their strategies in response because, while we may have won the battle, there’s a whole lot more to come in the war on ransomware. To avoid authorities being able to repeat this playbook in the future, hackers will be looking for ways to safeguard their windfalls. That might include, for example, longer delays in releasing encryption keys so that they have time to launder their money, leaving behind backdoors to re-encrypt data if needed, or retaining exfiltrated data as ‘security’ to publish if any attempts are made to recoup the ransom. Businesses should be acting now to ensure that they’re ready for this by backing up their data, scanning their networks and deploying strong encryption. Ransomware has long been regarded as a cat-and-mouse game where hackers and businesses are constantly striving to outdo each other. In the case of Colonial, it seems like the cat has won, but there are plenty more mice out there! We all need to be two steps ahead to succeed.

Information Security Buzz