How will ransomware attackers respond to the Colonial Pipeline ransom recovery?
- Published: Thursday, 10 June 2021 09:04
The FBI has announced that it successfully seized criminal proceeds from a bitcoin wallet that DarkSide ransomware actors used to collect a cyber ransom payment from Colonial Pipeline.
In a recent press conference, FBI Deputy Director Paul M. Abbate explained how the operation was conducted:
“Since last year, we’ve been pursuing an investigation into DarkSide — a Russia-based cybercrime group. The DarkSide ransomware variant is one of more than 100 ransomware variants that the FBI is currently investigating. DarkSide developers market their ransomware to criminal affiliates, who then conduct attacks and share a percentage of the proceeds with the developers, a scheme known as ransomware-as-a-service. In this case, the FBI has identified more than 90 victims across multiple US critical infrastructure sectors. Those include manufacturing, legal, insurance, health care, and energy.
“Based on our investigation into DarkSide, and incredible work with other US government partners, we identified a virtual currency wallet that the DarkSide actors used to collect a payment from a victim. Using law enforcement authorities, victim funds were seized from that wallet, preventing DarkSide actors from using them.”
The question that the Colonial Pipeline ransom recovery raises is how ransomware attackers will respond.
Peter Grimmond, International CTO & VP Technical Sales at Veritas Technologies, told Continuity Central:
“Everyone wants to see ransomware hackers defeated, so it’s great to see that most of the ransom paid by Colonial Pipeline has been recovered. It is important that businesses now prepare for hackers to evolve their strategies in response because, while we may have won the battle, there’s a whole lot more to come in the war on ransomware.
“To avoid authorities being able to repeat this playbook in the future, hackers will be looking for ways to safeguard their windfalls. That might include, for example, longer delays in releasing encryption keys so that they have time to launder their money, leaving behind backdoors to re-encrypt data if needed, or retaining exfiltrated data as ‘security’ to publish if any attempts are made to recoup the ransom.
“Businesses should be acting now to ensure that they’re ready for this by backing up their data, scanning their networks and deploying strong encryption. Ransomware has long been regarded as a cat-and-mouse game where hackers and businesses are constantly striving to outdo each other. In the case of Colonial, it seems like the cat has won, but there are plenty more mice out there! We all need to be two steps ahead to succeed.”