The FBI’s seizing one bitcoin wallet won’t stop ransomware — but it’s a start

The FBI’s surprise announcement on Monday that a portion of the ransom Colonial Pipeline paid to criminal hackers had been seized was a double shock.

On the one hand, it was big news that the US government had flexed its cybersecurity muscle on behalf of the owner and operator of the country’s largest fuel pipeline, taking over a bitcoin account and marking the first publicly known recovery of funds from a well-known ransomware gang.

On the other hand, it raised a question: why hadn’t the US done this before?

Ransomware has been a pervasive and persistent problem for years, but it has drawn little government action. And while reclaiming some of the ransom opened a new front for the US, it also points to the government’s relatively limited ability to deter hackers.

Philip Reiner, CEO of the Institute for Security and Technology, a San Francisco think tank that produced a landmark report on anti-ransomware guidelines, praised the FBI’s move as important but said it was hard to read more into it than that.

“It remains to be seen how much the FBI can sustain such actions,” said Reiner. “It’s a great first step, but we need to see a lot more of it.”

The FBI got a sizable amount of money back – 63.7 bitcoins valued at around $2.3 million – but it’s a tiny fraction of how much money ransomware groups make. DarkSide, the hacking group that breached Colonial, has raised more than $90 million since it emerged as a publicly operating hacking group in the fall of 2020, according to analysis from Elliptic, a company that tracks cryptocurrency transactions.

And DarkSide wasn’t even one of the most prolific ransomware groups, said Brett Callow, an analyst at cybersecurity firm Emsisoft.

“The seizure of the funds is positive, but I don’t think it will be a deterrent,” Callow said in a text message. “For the criminals, losing a situation is a win, and the amount they win means that occasional losses are a small setback.”

JBS, one of the largest meat processing companies in the United States, announced Wednesday that it paid its ransomware hackers, REvil, $11 million even after restoring most of its files. The company’s reasoning was that it feared IT problems would persist and that the hackers might leak files.

The recovery comes as ransomware – an issue that has long been rife in the cybersecurity world but drew little wider notice – has become a national security issue, with President Joe Biden promising action.

The Colonial Pipeline hack, which caused some gas stations to run out of fuel and raised short-term fears of major outages, was a turning point in the US response to ransomware. It caught national attention, and the Department of Justice soon decided it would give ransomware the same priority as terrorism cases.

For cybersecurity professionals, that attention was long overdue. Americans have suffered ransomware attacks in virtually all walks of life over the past few years. Hackers have made fortunes by locking down and extorting businesses, city and county governments, and police departments. They have closed schools and slowed hospitals to a crawl. According to Emsisoft, the ransomware epidemic caused $75 billion in damage in 2020 alone.

The FBI knew about the problem from the start. It received complaints from 2,474 ransomware victims in 2020 alone and continues to build long-running cases against ransomware hackers.

But the agency faces difficult legal issues. If the hackers were based in the United States, they could be arrested directly. If they are in a country that has a law enforcement treaty with the US, the FBI could work with colleagues in that country to arrange an arrest.

But most of the most prolific ransomware gangs are based in Russia or other Eastern European countries that do not extradite their citizens to the United States.

In the past, the US has been able to arrest Russian cybercriminals while they traveled through countries that have such an agreement with the United States. So far, however, no such case involving ransomware operators has been made public.

That leaves the agency with more limited options for responding. People like Reiner, the CEO behind the ransomware policy report, have argued that the best way to quickly reduce the hackers’ impact is to interrupt their payments, which is what the FBI finally announced on Monday.

“Why is this only happening now?” said Reiner. “I think we can be sure that the people on the criminal side are definitely checking their systems and looking at each other and wondering what happened.”

The FBI was deliberately vague on Monday about how exactly it had seized the funds. Bitcoin accounts work much like an email address: users have a public account, known as a wallet, which can be accessed with a secret password, known as a key. The FBI’s warrant to confiscate the funds stated only that “the private key” was “in the possession of the FBI in the Northern District of California,” without specifying how the private key had been obtained.

In an interview with reporters, Elvis Chan, a deputy special agent for the FBI’s San Francisco office, said the agency would not reveal how it got hold of the key, so that criminal hackers are less likely to find ways to circumvent the method.

“I don’t want to give up our craft if we want to use this again for future endeavors,” he said.

Still, it’s unclear how many times the FBI can use it. For example, it is not known why the agency was unable to recover all of the money Colonial paid.

Chan said, however, that the method isn’t limited to criminals who make the big mistake of using a US cryptocurrency service when moving their money.

“Overseas is not a problem for this technology,” he said.

Gurvais Grigg, chief technology officer for the public sector at Chainalysis, a company that tracks bitcoin transactions, said that while arresting ransomware hackers would be the best deterrent, stopping their money flow would be of great help.

“It is important to identify those who carried out an attack, put cuffs on their wrists, and seize the ill-gotten gains they have and return them to the victim. That has to remain a focus. But it takes more than that,” said Grigg in a Zoom interview.

“The key to disrupting ransomware is disrupting the ransomware supply chain,” like their payments, he said.
