The FBI’s surprise announcement Monday that it seized some of the ransom that Colonial Pipeline paid to criminal hackers came as a double shock.
On the one hand, it was important news that the US government had flexed its cybersecurity muscles on behalf of the owner and operator of the country’s largest fuel pipeline, taking over a bitcoin account and marking the first-ever public recovery of funds from a known ransomware gang.
On the other hand, it raised a question: why hadn’t the US done this before?
Ransomware has been a ubiquitous and persistent problem for years, but one that had led to little action from authorities. And while recovering some of the ransom money marked a new front for the US, it also points to its relatively limited ability to deter hackers.
Philip Reiner, the CEO of the Institute for Security and Technology, a San Francisco think tank that produced a groundbreaking report on anti-ransomware policies, praised the FBI’s move as important, but said it’s hard to assume more than that.
“It remains to be seen to what extent the FBI can sustain these kinds of actions,” Reiner said. “It’s a big first step, but we need to see a lot more of it.”
The FBI recovered a significant amount — 63.7 bitcoins, worth about $2.3 million — but it’s a tiny fraction of how much money ransomware groups make. DarkSide, the group that attacked Colonial, has taken in more than $90 million since it emerged publicly in the fall of 2020, according to analysis from Elliptic, a company that tracks cryptocurrency transactions.
And DarkSide wasn’t even one of the most prolific ransomware groups, said Brett Callow, an analyst at cybersecurity firm Emsisoft.
“While seizing the funds is positive, I don’t think it will be a deterrent,” Callow said in a text message. “For the criminals, it’s a matter of winning, losing some, and the amount they win means the incidental loss is a minor setback.”
JBS, one of the largest meat processing plants in the US, announced Wednesday that it had paid its ransomware hackers, REvil, $11 million even after recovering most of its files. The company said it paid because it feared ongoing IT problems and the possibility of the hackers leaking files.
The recovery of the ransom comes as ransomware — a problem long familiar in the cybersecurity world that had quietly grown rampant — has emerged as a national security issue, with President Joe Biden pledging action.
The Colonial Pipeline hack, which led to some gas stations running out of fuel and brief fears of a substantial outage, marked a turning point in the US response to ransomware. It garnered national attention, and the Justice Department decided quickly it would elevate ransomware to the same priority as terrorism cases.
For cybersecurity experts, that attention was long overdue. Americans have suffered from ransomware attacks in almost all walks of life in recent years. The same types of hackers have made fortunes by locking up and extorting businesses, city and county governments, and police stations. They have closed schools and slowed hospitals to a crawl. The ransomware epidemic caused $75 billion in damage in 2020 alone, according to Emsisoft.
The FBI has been aware of the problem from the start. It received complaints from 2,474 victims of ransomware in 2020 alone, and continues to build long-running cases against ransomware hackers.
But the agency faces difficult jurisdictional issues. If the hackers were based in the US, it could arrest them right away. If they were in a country with a law enforcement agreement with the US, the FBI could work with colleagues in that country to arrange an arrest.
But most of the most prolific ransomware gangs are based in Russia or other Eastern European countries that do not extradite their citizens to the US.
In the past, the US has been able to arrest Russian cybercriminals as they traveled through countries that have such an agreement with the US. But so far, no such case has been made public involving ransomware operators.
That leaves the agency with more limited options for how it could have responded. People like Reiner, the CEO behind the ransomware policy report, have argued that the best way to quickly mitigate the impact of hackers is to disrupt their payments, which the FBI finally announced it had done on Monday.
“Why is this only happening now?” said Reiner. “I think we can be sure that the people on the criminal side are definitely checking their systems and looking at each other, wondering what happened. It causes a stutter in their step.”
The FBI was deliberately vague on Monday in describing exactly how it had seized the funds. Bitcoin accounts work a bit like an email address: users have a public account called a wallet that can be accessed with a secret password called a key. In the FBI’s warrant to seize the money, it simply said that “the private key” is “in the possession of the FBI in the Northern District of California,” without specifying how it had obtained that private key.
Elvis Chan, an assistant special agent in charge of the FBI’s San Francisco office, said in an interview with reporters that the agency would not specify how it came into possession of the key so that criminal hackers have less of a chance to find ways to work around it.
“I don’t want to give up our craft in case we want to reuse this for future endeavors,” he said.
That means it’s unclear how often the FBI can deploy the technique. For example, it is not known why the agency was unable to recover all the money Colonial paid.
However, Chan indicated that the method was not limited to criminals who make the major mistake of using a US cryptocurrency service to move their funds.
“Overseas is not a problem for this technique,” he said.
Gurvais Grigg, the public sector chief technology officer at Chainalysis, a company that tracks bitcoin transactions, said that while actually arresting ransomware hackers would be the best deterrent, stopping their money flow is a big help.
“It is important to identify those who carried out an attack, put them in handcuffs and seize the ill-gotten gains they have and return them to the victim. That must remain a focus. But more is needed than that,” said Grigg in a Zoom interview.
“The key to disrupting ransomware is disrupting the ransomware supply chain,” he said.