US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers

(Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)

(CNN) — U.S. investigators have recovered millions of dollars in cryptocurrency paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, according to people briefed on the matter.

The Justice Department on Monday is expected to announce details of the operation led by the FBI with the cooperation of the Colonial Pipeline operator, the people briefed on the matter said.

The ransom recovery is a rare outcome for a company that has fallen victim to a debilitating cyberattack in the booming criminal business of ransomware.

Colonial Pipeline Co. CEO Joseph Blount told The Wall Street Journal in an interview published in May that the company complied with the $4.4 million ransom demand because officials didn’t know the extent of the intrusion by hackers and how long it would take to restore operations.

But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia. U.S. officials have linked the Colonial attack to a criminal hacking group known as DarkSide that is said to share its malware tools with other criminal hackers.

A spokesman for the Justice Department declined to comment, and CNN has reached out to the Colonial Pipeline operator.

CNN previously reported that U.S. officials were looking for any possible holes in the hackers’ operational or personal security in an effort to identify the actors responsible — specifically monitoring for any leads that might emerge out of the way they move their money, one of the sources familiar with the effort said.

In an interview with The Wall Street Journal last week, FBI Director Christopher Wray said coordination between ransomware victims and law enforcement can, in some cases, yield positive results for both parties.

“I don’t want to suggest that this is the norm, but there have been instances where we’ve even been able to work with our partners to identify the encryption keys, which then would enable a company to actually unlock their data — even without paying the ransom,” he said.

‘Misuse of cryptocurrency is a massive enabler’

The Biden administration has zeroed in on the less regulated architecture of cryptocurrency payments, which allows for greater anonymity, as it ramps up its efforts to disrupt the growing and increasingly destructive ransomware attacks, following two major incidents on critical infrastructure.

“The misuse of cryptocurrency is a massive enabler here,” Deputy National Security Advisor Anne Neuberger told CNN. “That’s the way folks get the money out of it. On the rise of anonymity and enhancing cryptocurrencies, the rise of mixer services that essentially launder funds.”

“Individual companies feel under pressure — particularly if they haven’t done the cybersecurity work — to pay off the ransom and move on,” Neuberger added. “But in the long-term, that’s what drives the ongoing ransom [attacks]. The more folks get paid the more it drives bigger and bigger ransoms and more and more potential disruption.”

While the Biden administration has made clear it needs help from private companies to stem the recent wave of ransomware attacks, federal agencies do maintain some capabilities that far exceed what industry partners can do on their own and are adept at tracing currency used to pay ransomware groups, CNN previously reported.

But the government’s ability to effectively do so in response to a ransomware attack is very “situationally dependent,” two sources said last week.

One of the sources noted that helping recover money paid to ransomware actors is certainly an area where the U.S. government can provide assistance but noted that success varies dramatically and largely depends on whether there are holes in the attackers’ system that can be identified and exploited.

In some cases, U.S. officials can find the ransomware operators and “own” their network within hours of an attack, one of the sources explained, noting that allows relevant agencies to monitor the actor’s communications and potentially identify additional key players in the group responsible.

When ransomware actors are more careful with their operational security, including in how they move money, disrupting their networks or tracing the currency becomes more complicated, the sources added.

“It’s really a mixed bag,” they told CNN, referring to the varying degrees of sophistication demonstrated by groups involved in these attacks.

CNN previously reported that there are indications the individual actors that attacked Colonial, in conjunction with DarkSide, may have been inexperienced or novice hackers, rather than well-seasoned professionals, according to three sources familiar with the Colonial investigation.

One of the sources also cautioned against putting too much stock in U.S. government actions, telling CNN that the unique circumstances around each attack and the level of detail needed to effectively take action against these groups are part of the reason there is “no silver bullet” when it comes to countering ransomware attacks.

“It will take improved defenses, breaking up the profitability of ransomware and directed action on the attackers to make this stop,” the source added, making clear that disrupting and tracing cryptocurrency payments is only one part of the equation.

That sentiment has been echoed by cybersecurity experts who agree that ransomware actors use cryptocurrency to launder their transactions.

“In the Bitcoin era, laundering money is something that any nerd can do. You don’t need a big organized crime apparatus anymore,” according to Alex Stamos, former Facebook chief security officer and co-founder of Krebs Stamos Group.

“The only way we’re going to be able to strike back against that as an entire society is by making it illegal … I do think we have to outlaw payments,” he added. “That is going to be really tough. The first companies to get hit once it’s illegal to pay, they’re going to be in a very tough spot. And we’re going to see a lot of pain and suffering.”

‘It’s happening all the time’

In recent weeks, cybercriminals have increasingly targeted organizations that play critical roles across broad swaths of the U.S. economy. The fallout from those attacks shows how hackers are now causing chaos for everyday Americans at an unprecedented pace and scale.

Energy Secretary Jennifer Granholm on Sunday warned that “very malign actors” had the United States in their sights after attacks on a pipeline, government agencies, a Florida water system, schools, health care institutions and, even last week, the meat industry and a ferry service to millionaire’s playground Martha’s Vineyard.

“Even as we speak, there are thousands of attacks on all aspects of the energy sector and the private sector generally … it’s happening all the time,” Granholm told CNN’s Jake Tapper on “State of the Union.”

The Justice Department signaled last week that it plans to coordinate its anti-ransomware efforts with the same protocols as it does for terrorism, following a slew of cyberattacks that have disrupted key infrastructure sectors ranging from gasoline distribution to meatpacking.

Deputy Attorney General Lisa Monaco issued an internal memo directing U.S. prosecutors to report all ransomware investigations they may be working on, in a move designed to better coordinate the U.S. government’s tracking of online criminals.

The memo cites ransomware — malicious software that seizes control of a computer until the victim pays a fee — as an urgent threat to the nation’s interests.

“We must enhance and centralize our internal tracking of investigations and prosecutions of ransomware groups and the infrastructure and networks that allow these threats to persist,” Monaco wrote.

The tracking effort is expansive, covering not only the Justice Department’s pursuit of ransomware criminals themselves but also the cryptocurrency tools they use to receive payments, automated computer networks that spread ransomware and online marketplaces used to advertise or sell malicious software.

The Department of Justice directive requires U.S. attorneys’ offices to file internal reports on every new ransomware incident they hear about.