On June 7th, 2021, the Department of Justice loudly announced the recovery of $2.3 million of the ransom that Colonial Pipeline had paid to cyber criminals. The investigation that led to this historic recovery was no doubt unique in its own right, as it was the first time that such a large ransom was left sitting in the same Bitcoin account to which it had originally been delivered, and that account was eventually hacked, resulting in the recovery of the funds.
While many tout the recovery of funds for Colonial Pipeline, many others are questioning whether the company should receive that money back at all. Should a company be rewarded for possible negligence in implementing standard cybersecurity protections against ransomware?
On Monday, June 7th, 2021, the Department of Justice announced the recovery of about half of the ransom collected by cyber criminals associated with DarkSide, a notorious Ransomware-as-a-Service operation that supplies criminals with the tools to carry out attacks, takes a cut of the profits, and conducts attacks of its own. Court documents released in the Colonial Pipeline case say "the FBI got in using the encryption key linked to the Bitcoin account to which the ransom money was delivered."1
It is very uncommon for ransomware money to be recovered, because criminals keep the money moving, which makes it hard to track. These particular cyber criminals were caught making a huge mistake. The money was split across different crypto wallets, with one in particular holding the $2.3 million, and that wallet sat untouched longer than usual, allowing it to be identified. Officials then somehow gained access to the private key that guarded the account, seized the money, and declared victory.
But is this a victory we should be boasting about when, according to MarketWatch, "roughly 1,000 businesses every week are being hit by hacks that lock up computer networks for ransom"?2 In addition to the frequency of these attacks, the cost of ransomware continues to rise, to the point where cyber insurance companies could soon choose to shut their doors.
Neither government intervention nor cyber insurance can solely be your security plan.
The CEO of Colonial Pipeline made the decision to pay the ransom, which totaled $4.4 million, in an attempt to get the business up and running as soon as possible. When asked whether Colonial's cybersecurity response planning had included any focus on ransom, CEO Joseph Blount stated, "Specifically no, no discussion on ransom".3
Ransomware is finding a permanent spot in our news stories, with even the Federal Government now rolling out an Executive Order and a Memo urging businesses to take action. We have seen an increase in attacks on infrastructure companies, and we are now all affected by the actions of cyber criminals and by irresponsible businesses that continue to operate while taking security protections for granted.
Large or small, every business can work to improve where Colonial failed. In this case, the cyberattack victim failed in at least three of four best practice areas:
1. https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac
2. https://www.marketwatch.com/amp/story/ransomware-boom-comes-from-gangs-that-operate-like-cloud-software-unicorns-a-truly-incredible-business-model-11623168504
3. https://www.cnn.com/business/live-news/us-cyberattacks-cybersecurity-06-08-21/index.html