Newly Formed Federal Unit Recovers Part of Colonial Pipeline Ransom

In a surprising turn of events, the US Department of Justice announced that it had recovered a large part of the ransom Colonial Pipeline paid after the ransomware attack on its network. The announcement was made by Lisa Monaco in her capacity as US Deputy Attorney General.

The money was recovered through the work of a newly formed federal team of cyber experts, the Ransomware and Digital Extortion Task Force. The DoJ formed the unit in response to what it calls an "epidemic" of ransomware attacks over the past year, citing both the growing frequency of the attacks and the increasing sophistication of the groups behind them.

Colonial Pipeline was hit in May by ransomware deployed by DarkSide and its affiliates. Colonial is one of the largest liquid fuel carriers in the US, and its operations are critical to large parts of the East Coast and adjacent regions; the company paid a ransom of roughly $4.4 million in bitcoin.

The big question is how federal authorities were able to take control of the bitcoin address that received the ransom and move the funds out of it. The seizure warrant affidavit filed in the Northern District of California and released publicly states that the FBI was in possession of the private key for that address. In Bitcoin, the private key is the signing key that authorizes spending: whoever holds it controls the funds, regardless of who originally created the address. The affidavit makes no mention of how the FBI obtained that key.

There are currently three theories about how the new cyber security team got hold of the key, offered by April Doss, executive director of the Institute for Technology Law and Policy at Georgetown Law, one of the country's largest law schools.

The first theory is that investigators received a tip from someone associated with the attack or with DarkSide in some way. The second is that the key surfaced in an ongoing investigation into DarkSide that had been launched before the Colonial attack took place.

The third theory is that the FBI obtained the key from a cryptocurrency exchange or other custodial service that held one of the addresses the payment was routed through to make it harder to trace. A custodial service holds private keys on behalf of its users and can be compelled by legal process to hand them over. There is no hard information that an exchange cooperated in this instance, but if one did, it would be a very significant event with implications for the future battle against ransomware.

Doss finally adds that the least likely scenario, however romantic it may sound, is that the FBI managed to brute-force the key on its own. (A Bitcoin private key is a 256-bit value, and brute-forcing one is computationally infeasible with any known technology, so this scenario can effectively be ruled out.)

The recovered portion, about $2.3 million in bitcoin, was still sitting in a single address that the FBI had traced the payment to, weeks after the ransom was paid. Leaving that much value resting in one traceable address, rather than moving it on through mixers or exchanges, was a serious operational oversight on the part of whoever controlled it.
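The tracing that the third theory and the recovery itself depend on is, at its core, following outputs forward through the public transaction graph until the funds stop moving. The following is an added example, not part of the original article or of any court filing: it builds a small constructed ledger in which a 75 BTC payment is split and hopped across invented addresses, with 63.7 BTC ending up unspent at one of them, and traces every output from the ransom address forward. The address names, the hop structure and the split are all assumptions made for illustration.

```python
"""Forward-trace a payment across a constructed UTXO transaction graph.

Added example; not from the original article or any court filing.
Addresses, hop structure and the 11.3/63.7 split are constructed.
"""
from collections import defaultdict

# Constructed ledger in the UTXO model: each transaction spends whole
# prior outputs and creates new ones. Amounts are in BTC. Format:
#   (txid, [(prev_txid, prev_output_index), ...], [(address, amount), ...])
# "tx0" has no inputs and simply funds the victim's wallet.
LEDGER = [
    ("tx0", [], [("victim_wallet", 75.0)]),
    ("tx1", [("tx0", 0)], [("ransom_addr", 75.0)]),             # ransom paid
    ("tx2", [("tx1", 0)], [("hop_a", 11.3), ("hop_b", 63.7)]),  # split
    ("tx3", [("tx2", 0)], [("affiliate_cashout", 11.3)]),       # smaller share moves on
    ("tx4", [("tx2", 1)], [("hop_c", 63.7)]),                   # larger share hops once more
    ("tx5", [("tx4", 0)], [("subject_addr", 63.7)]),            # ...then sits unspent
]


def build_index(ledger):
    """Index every output and record which transaction spends it."""
    outputs = {}   # (txid, index) -> (address, amount)
    spent_by = {}  # (txid, index) -> txid of the spending transaction
    for txid, inputs, outs in ledger:
        for i, (addr, amt) in enumerate(outs):
            outputs[(txid, i)] = (addr, amt)
        for prev in inputs:
            spent_by[prev] = txid
    return outputs, spent_by


def trace_forward(ledger, start_address):
    """Follow every output paid to start_address until it reaches an
    unspent output. Returns ({address: unspent_amount}, hops), where
    hops lists (address, spending_txid) pairs in traversal order.

    Note: this taints every output of each spending transaction,
    including change outputs, which is the conservative choice for a
    first pass; real tracing applies heuristics on top of this.
    """
    outputs, spent_by = build_index(ledger)
    txs = {txid: outs for txid, _inputs, outs in ledger}
    endpoints = defaultdict(float)
    hops = []
    frontier = [key for key, (addr, _) in outputs.items() if addr == start_address]
    seen = set()
    while frontier:
        out = frontier.pop()
        if out in seen:
            continue
        seen.add(out)
        addr, amt = outputs[out]
        if out not in spent_by:
            endpoints[addr] += amt  # unspent: the funds still sit here
            continue
        spender = spent_by[out]
        hops.append((addr, spender))
        for i in range(len(txs[spender])):
            frontier.append((spender, i))
    return dict(endpoints), hops


def largest_resting_balance(ledger, start_address):
    """Address holding the largest unspent share of the traced funds."""
    endpoints, _ = trace_forward(ledger, start_address)
    return max(endpoints.items(), key=lambda item: item[1])


if __name__ == "__main__":
    ends, hops = trace_forward(LEDGER, "ransom_addr")
    for addr, txid in hops:
        print(f"{addr} -> spent in {txid}")
    print("unspent endpoints:", ends)
    print("largest resting balance:", largest_resting_balance(LEDGER, "ransom_addr"))
```

Once tracing has narrowed the funds down to one resting address, everything hinges on who holds that address's private key; the graph walk itself is public and needs no cooperation from anyone. Real-world chains add complications the example deliberately leaves out: transactions with many inputs from unrelated sources make output attribution ambiguous, and mixing services exist precisely to break this kind of forward trace.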

At any rate, the recovery of a high-profile ransom payment in this way is a significant event for cyber security and for the ongoing global battle against ransomware. While ransomware attacks will no doubt continue this year and beyond, this unusual case of recovered money is a bright spot on an otherwise bleak landscape.

June 8, 2021