US returns most of Colonial Pipeline Bitcoin ransom after cyberattack

The chief executive of a major fuel pipeline hit by ransomware last month is expected to detail his company’s response to the cyberattack and explain his decision to authorize the multimillion-dollar payment when he testifies before Congress this week.

Colonial Pipeline CEO Joseph Blount will appear before the Senate Homeland Security Committee on Tuesday, a day after the Justice Department said it had recovered most of the $4.4 million (€3.6 million) ransom the company paid in the hope of getting its systems back online. A second hearing is scheduled for Wednesday at the House Homeland Security Committee.

Blount’s testimony marks his first appearance before Congress since the May 7 ransomware attack that temporarily shut down Colonial Pipeline, which supplies about half of the East Coast’s fuel consumption. The attack was attributed to a Russian-based gang of cybercriminals using a variant of the DarkSide ransomware, one of more than 100 variants the FBI is currently investigating.

Shortly after the attack, the company decided to pay a ransom of 75 bitcoins, then valued at around $4.4 million (€3.6 million). While the FBI has historically discouraged ransomware payments for fear of encouraging further attacks, Colonial officials have said they believed the payment was necessary to get the vital fuel transportation business running again as quickly as possible.

“Restrain and Protect”

The operation to seize the cryptocurrency paid to the Russian hacker group is the first of its kind undertaken by a specialized anti-ransomware task force set up by the Biden administration’s Department of Justice. This reflects a rare victory in the fight against ransomware as US officials struggle to counter a rapidly growing threat targeting critical industries around the world.

“By going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency, we will continue to use all of our resources to increase the costs and consequences of ransomware and other cyberattacks,” Deputy Attorney General Lisa Monaco said at a press conference.

In a statement Monday, Blount said he was grateful to the FBI for the effort and said that holding hackers accountable and stopping their activities “is the best way to deter and protect against future attacks of this kind.”

“The private sector also plays an equally important role, and we must continue to take cyber threats seriously and invest in strengthening our defenses accordingly,” he added.

Cryptocurrency is popular with cybercriminals because it allows direct online payments regardless of geographic location, but in this case the FBI was able to identify the virtual currency wallet the hackers were using and seize its contents, Abbate said.

The Justice Department did not provide details on how the FBI obtained the “key” for a particular bitcoin address, but said law enforcement was able to trace several cryptocurrency transfers.

“For financially motivated cybercriminals, especially those who are presumed to be located abroad, the termination of access to income is one of the most severe consequences that we can apply,” Abbate said.

Racket with lots of compartments

The amount of bitcoin seized – 63.7 bitcoins, now valued at $2.3 million (€1.9 million) after the price of bitcoin fell – accounted for 85 percent of the total ransom paid, which is exactly the share that the cryptocurrency tracing firm Elliptic believes went to the affiliate who carried out the attack. The ransomware software provider, DarkSide, would have received the remaining 15 percent.

“The extortionists will never see this money,” said Stephanie Hinds, acting U.S. Attorney for the Northern District of California, where a judge issued a forfeiture warrant earlier Monday.

Ransomware attacks, in which hackers encrypt a victim organization’s data and demand a large payment for its return, are flourishing around the world. Last year was the most costly year for such attacks on record. Hackers targeted vital industries as well as hospitals and police departments.

Weeks after the Colonial Pipeline attack, a ransomware attack attributed to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months, disrupted Brazil’s JBS SA, the world’s largest meat processing company.

The ransomware business has become a highly fragmented racket in which labor is divided among vendors of the software that locks data, ransomware negotiators, hackers who break into targeted networks, hackers who can move surreptitiously through those systems and extract sensitive data, and even call centers in India that threatened people whose data had been stolen in order to pressure them into paying.