The FBI's surprise announcement Monday that it had seized some of the ransom that Colonial Pipeline paid to criminal hackers came as a double shock.
On one hand, it was major news that the U.S. government had flexed its cybersecurity muscles on behalf of the owner and operator of the country's largest fuel pipeline, taking over a bitcoin account and marking the first public recovery of funds ever from a known ransomware gang.
On the other hand, it raised a question: Why hadn't the U.S. done this before?
Ransomware has been a pervasive and ongoing problem for years, but one that had resulted in little action from authorities. And while recovering some of the ransom marked a new front for the U.S., it also hints at the relatively limited options to deter hackers.
Philip Reiner, the CEO of the Institute for Security and Technology, a San Francisco think tank that produced a seminal report on policies to fight ransomware, praised the FBI's move as important, but said it's hard to assume anything more than that.
"It remains to be seen how much the FBI can sustain this sort of action," Reiner said. "It's a big first step, but we need to see a lot more of it."
The FBI recovered a significant amount of money — 63.7 bitcoins, worth around $2.3 million — but it's a tiny slice of how much money ransomware groups make. DarkSide, the hacker group that breached Colonial, has raked in more than $90 million since it became a public hacker group operational in the fall of 2020, according to analysis from Elliptic, a company that tracks cryptocurrency transactions.
And DarkSide wasn't even one of the most prolific ransomware groups, said Brett Callow, an analyst at the cybersecurity company Emsisoft.
"While the seizing of the funds is a positive, I don't think it will act as a deterrent at all," Callow said in a text message. "For the criminals, it's a win some, lose some situation, and the amount they win means the occasional loss is a minor setback."
JBS, one of the largest meat processing plants in the U.S., announced Wednesday that it had paid its ransomware hackers, REvil, $11 million even after it had restored most of its files. The company's reasoning, it said, was because it feared lingering IT issues and the possibility the hackers would leak files.
The ransom recovery comes as ransomware — a topic that was big in the cybersecurity world and quietly widespread — has emerged as a national security issue, with President Joe Biden pledging action.
The Colonial Pipeline hack, which led to some gas stations running out of fuel and brief fears of a substantial outage, was a turning point in the U.S. response to ransomware. It garnered national attention, and the Justice Department soon decided it would elevate ransomware to the same priority as terrorism cases.
For cybersecurity experts, that attention was long overdue. Americans have been suffering ransomware attacks in practically all walks of life in recent years. The same kinds of hackers have been raking in fortunes by locking up and extorting businesses, city and county governments, and police stations. They've shut down schools and slowed hospitals to a crawl. The ransomware epidemic caused $75 billion in damages in 2020 alone, according to Emsisoft.
The FBI has known about the problem from the beginning. It received complaints from 2,474 ransomware victims in 2020 alone, and is continuing to build long-running cases on ransomware hackers.
But the agency faces tough issues with jurisdiction. If the hackers were based in the U.S., it could arrest them directly. If they were in a country with a law enforcement agreement with the U.S., the FBI could partner with colleagues in that country to arrange an arrest.
But the majority of the most prolific ransomware gangs are based in Russia or other eastern European countries that don't extradite their citizens to the U.S.
In the past, the U.S. has been able to arrest Russian cybercriminals as they travel through countries that do have such an agreement with the U.S. But so far, no such case has been made public with ransomware operators.
That leaves the agency with more limited options for how it's been able to respond. People like Reiner, the CEO behind the ransomware policy report, have argued that the best way to quickly reduce the hackers' impact is to disrupt their payments, which is what the FBI finally announced it had done Monday.
"Why is this only happening now?" Reiner said. "I think we can rest assured that the folks on the criminal side are definitely checking their systems and looking at each other, wondering what happened. It puts a stutter in their step."
The FBI was deliberately vague Monday in describing how exactly it had seized the funds. Bitcoin accounts work somewhat like an email address: Users have a public account, known as a wallet, which can be accessed with a secret password, called a key. In the FBI's warrant application to seize the funds, it simply said that "the private key" is "in the possession of the FBI in the Northern District of California," without specifying how it got that private key.
Speaking with reporters on a press call, Elvis Chan, an assistant special agent in charge at the FBI's San Francisco office, said that the agency didn't want to specify how it came into possession of the key so criminal hackers would be less likely to find ways to work around it.
"I don't want to give up our tradecraft in case we want to use this again for future endeavors," he said.
That means it's unclear how frequently the FBI will be able to deploy it. It's unknown, for example, why the agency wasn't able to regain all of the money Colonial paid.
Chan did, however, indicate that the method wasn't restricted to criminals committing the major error of using a U.S. cryptocurrency service when moving around their money.
"Overseas is not an issue for this technique," he said.
Gurvais Grigg, the public sector chief technology officer at Chainalysis, a company that tracks bitcoin transactions, said that while actually arresting ransomware hackers would be the best deterrent, stopping their money flow is a big help.
"It's important to identify those who've conducted an attack, put cuffs on wrists, and seize the ill-gotten gains they have and return them to the victim. That must remain a focus. But it takes more than that," Grigg said in a Zoom interview.
"The key to disrupting ransomware is disrupting the ransomware supply chain," like their payments, he said.