The Justice Department is expected to release details of the FBI-led operation in collaboration with the operator of the Colonial Pipeline on Monday, the people briefed on the matter said.
Ransom recovery is a rare outcome for a company that has fallen victim to a debilitating cyber attack in the booming ransomware criminal business.
But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, who are believed to be based in Russia. US officials have linked the Colonial attack to a criminal hacking group called DarkSide, which is said to share its malware tools with other criminal hackers.
A Justice Department spokesman declined to comment, and CNN has reached out to the Colonial Pipeline operator.
CNN previously reported that US officials were looking for possible gaps in the hackers’ operational or personal security in order to identify the actors responsible, sources familiar with the matter said.
“I’m not saying that this is the norm, but there have been instances where we have even been able to work with our partners to identify the encryption keys that would then allow a company to actually unlock its data – even without it having to pay the ransom,” he said.
“The abuse of cryptocurrency is a massive enabler”
The Biden administration has focused on the less regulated architecture of cryptocurrency payments that allows for greater anonymity while stepping up efforts to halt the growing and increasingly destructive ransomware attacks following two major incidents on critical infrastructure.
“The abuse of cryptocurrency is a massive enabler here,” Deputy National Security Advisor Anne Neuberger told CNN. “This is how people get the money out. The rise of anonymity-enhanced cryptocurrencies, the advent of mixing services that essentially launder funds.”
“Individual companies feel pressured – especially if they haven’t done the cybersecurity work – to pay the ransom and move on,” Neuberger added. “But in the long run, that’s why the ransomware [attacks] continue. The more people pay, the more ransom money and the more potential disruptions are generated.”
While the Biden administration has made it clear that it needs the help of private companies to contain the latest wave of ransomware attacks, federal agencies have some capabilities for tracing the cryptocurrency used to pay ransomware groups that go well beyond what industry partners can do alone, CNN previously reported.
But the government’s ability to do this effectively in response to a ransomware attack is very “situational,” two sources said last week.
One of the sources noted that assistance in recovering funds paid to ransomware actors is certainly an area where the US government can help, but success varies dramatically and depends largely on whether there are weaknesses in the attacker’s systems that can be identified and exploited.
In some cases, US officials can find the ransomware operators and “own” their network within hours of an attack, said one of the sources, which allows the responsible agencies to monitor the actor’s communications and possibly identify other key members of the group behind the attack.
When ransomware actors are more careful with their operational security, including the way they move money, disrupting their networks or tracing the currency becomes more complicated, the sources added.
“It’s really a mixed bag,” they told CNN, referring to the varying degrees of sophistication demonstrated by the groups involved in these attacks.
CNN previously reported that there is evidence that the individual actors who attacked Colonial using DarkSide’s tools were more likely inexperienced hackers than seasoned professionals, according to three sources familiar with the Colonial investigation.
One of the sources also cautioned against placing too much emphasis on US government action, telling CNN that the unique circumstances of each attack and the level of detail required to effectively target these groups are among the reasons there is “no silver bullet” when it comes to defending against ransomware attacks.
“Stopping this will require improved defenses, ransomware destruction and targeted action against the attackers,” added the source, making it clear that disrupting and tracking cryptocurrency payments is only part of the equation.
This view is echoed by cybersecurity experts, who agree that ransomware actors use cryptocurrency to launder their proceeds.
“In the Bitcoin era, money laundering is something any nerd can do. You no longer need a large organized crime apparatus,” said Alex Stamos, former Facebook chief security officer and co-founder of the Krebs Stamos Group.
“The only way we as a whole society can act against it is to make it illegal … I think we need to ban payments,” he added. “This is going to be really tough. The first companies to be hit when it is illegal to pay will be in a very difficult position. And we will experience a lot of pain and suffering.”
“It happens all the time”
In the past few weeks, cyber criminals have increasingly targeted companies that play a critical role in much of the US economy. The aftermath of these attacks shows how hackers are now wreaking havoc for ordinary Americans at an unprecedented rate and scale.
“Even as we speak, there are thousands of attacks on all aspects of the energy sector and the private sector in general … it happens all the time,” Energy Secretary Jennifer Granholm told CNN’s Jake Tapper on “State of the Union.”
Assistant Attorney General Lisa Monaco issued an internal memo instructing US attorneys to report any ransomware investigations they may be working on in order to better coordinate the US government’s prosecution of online criminals.
The memo names ransomware – malicious software that takes control of a computer until the victim pays a fee – as an urgent threat to the nation’s interests.
“We need to improve and centralize our internal tracking of investigations and prosecutions of ransomware groups, as well as the infrastructure and networks that enable these threats to continue,” wrote Monaco.
The tracking effort is extensive and covers not only the DOJ’s pursuit of ransomware criminals, but also the cryptocurrency tools they use to receive payments, the automated computer networks (botnets) that spread ransomware, and the online marketplaces used to promote or sell malicious software.
The DOJ policy requires US attorneys to file internal reports on every new ransomware incident they learn about.