The announcement confirms previous CNN reports of the FBI-led operation, which was carried out with the cooperation of Colonial Pipeline, the company that fell victim to the ransomware attack in question.
Specifically, the Justice Department said it seized around $2.3 million in Bitcoin paid out to individuals belonging to a criminal hacking group known as DarkSide. The FBI said it had been investigating DarkSide, which allegedly shared its malicious tools with other hackers, for more than a year.
But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, who are believed to be based in Russia.
“Tracking money remains one of the most basic, but the most powerful, tools we have,” Deputy Attorney General Lisa Monaco said on Monday during the DOJ announcement, which followed CNN’s report on the recovery operation. “Ransom payments are the fuel that powers the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”
The seizure warrant was authorized by the United States Attorney’s Office for the Northern District of California.
“The extortionists will never see this money,” Acting US Attorney Stephanie Hinds for the Northern District of California said Monday at a press conference at the Department of Justice. “New financial technologies that attempt to anonymize payments will not provide a curtain behind which criminals will be allowed to dip into the pockets of hard-working Americans.”
Blount released a statement following the DOJ announcement.
“When Colonial was attacked on May 7, we quietly and quickly contacted local FBI offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington DC to share with them what we knew at the time. The Justice Department and the FBI have been instrumental in helping us understand the threat actor and his tactics. Their efforts to hold these criminals accountable and bring them to justice are commendable,” Blount said.
CNN had previously reported that U.S. officials were looking for possible gaps in the hackers’ operational or personal security in order to identify the actors responsible – particularly by following any leads that might emerge from how they move their money, one person familiar with the effort said.
“I don’t mean to suggest that this is the norm, but there have been instances where we have even been able to work with our partners to identify the encryption keys, which then would allow a company to actually unlock their data – even without paying the ransom,” he said.
“The misuse of cryptocurrency is a great catalyst”
The Biden administration has focused on the less regulated architecture of cryptocurrency payments, which allows for greater anonymity, as it steps up its efforts to disrupt growing and increasingly destructive ransomware attacks, following two major incidents affecting critical infrastructure.
“The misuse of cryptocurrency is a huge catalyst here,” Anne Neuberger, deputy national security adviser, told CNN. “This is how people make money out of it. With the rise of anonymity and the improvement of cryptocurrencies, the rise of mixing services which essentially launder money.”
“Individual businesses feel pressured – especially if they haven’t done the cybersecurity job – to pay the ransom and move on,” Neuberger added. “But in the long run, that’s what drives the ongoing ransom [attacks]. The more people are paid, the more it generates larger and larger ransoms and more and more potential disruption.”
While the Biden administration has made it clear that it needs the help of private companies to stem the recent wave of ransomware attacks, federal agencies maintain capabilities that far exceed what industry partners can do on their own and are adept at tracking the currency used to pay ransomware groups, CNN previously reported.
But the government’s ability to do so effectively in response to a ransomware attack is very “situation dependent,” two sources said last week.
One of the sources noted that helping to recover money paid to ransomware actors is certainly an area where the US government can provide assistance, but success varies widely and largely depends on whether there are vulnerabilities in the attackers’ systems that can be identified and exploited.
In some cases, U.S. officials can find ransomware operators and “own” their network within hours of an attack, one of the sources explained, noting that this allows relevant agencies to monitor the actor’s communications and potentially to identify other key players in the responsible group.
When ransomware players are more careful with their operational security, including how they move money, disrupting their networks or tracking currency becomes more complicated, the sources added.
“It’s really a mixed bag,” they told CNN, referring to the varying degrees of sophistication shown by the groups involved in the attacks.
CNN previously reported that there were indications that the individual actors who attacked Colonial, working with DarkSide, may have been inexperienced or novice hackers, rather than seasoned professionals, according to three sources familiar with the Colonial investigation.
One of the sources also cautioned against placing too much importance on the actions of the US government, telling CNN that the unique circumstances of each attack and the level of detail needed to take effective action against these groups are part of the reason there is “no silver bullet” for countering ransomware attacks.
“It will take improved defenses, breaking the profitability of ransomware and actions directed at attackers to stop this,” the source added, noting that disrupting and tracking cryptocurrency payments is only part of the equation.
This sentiment has been echoed by cybersecurity experts who agree that ransomware players are using cryptocurrency to launder their transactions.
“In the age of Bitcoin, money laundering is something any nerd can do. You don’t need a big organized crime apparatus anymore,” according to Alex Stamos, former Facebook security manager and co-founder of the Krebs Stamos Group.
“The only way for us to be able to fight back against this as a whole society is to make it illegal… I think we need to ban payments,” he added. “It’s going to be really tough. The first companies to get hit once it’s illegal to pay, they’re going to be in a very difficult situation. And we’re going to see a lot of pain and suffering.”
“It happens all the time”
In recent weeks, cybercriminals have increasingly targeted organizations that play critical roles in large swathes of the US economy. The fallout from these attacks shows how hackers are now wreaking havoc on ordinary Americans at an unprecedented rate and scale.
“As we speak, there are thousands of attacks on all aspects of the energy sector and the private sector in general… it happens all the time,” Granholm told CNN’s Jake Tapper on “State of the Union”.
Deputy Attorney General Lisa Monaco released an internal memo directing U.S. prosecutors to report any ransomware investigations they may be working on, in an effort to better coordinate the U.S. government’s tracking of criminals online.
The memo cites ransomware – malware that takes control of a computer until the victim pays a fee – as an urgent threat to the nation’s interests.
“We need to improve and centralize our internal monitoring of investigations and prosecutions of ransomware groups as well as the infrastructure and networks that allow these threats to persist,” Monaco wrote.
The tracking effort is extensive, covering not only the DOJ’s pursuit of ransomware criminals themselves, but also the cryptocurrency tools they use to receive payments, the automated computer networks that spread ransomware, and online marketplaces used to advertise or sell malware.
The DOJ directive requires U.S. attorneys’ offices to file internal reports on every new ransomware incident they hear about.
CNN’s Christina Carrega, Brian Fung and Geneva Sands contributed reporting.