The FBI recovered a huge chunk of the Colonial Pipeline ransom by secretly gaining access to Darkside’s bitcoin wallet password

The bitcoin logo is seen on a smartphone screen device in front of a computer screen that says "cancelled."
The FBI managed to gain access to the “private key” of a bitcoin wallet that the hacking group Darkside used to collect its ransom payments.

The Department of Justice announced Monday that it had recovered a majority of the ransom paid by Colonial Pipeline to hackers who shut down its operations last month and caused massive fuel shortages and price hikes.

The DOJ said that it had recovered $2.3 million worth of bitcoin out of the $4.4 million ransom that Colonial had paid to Darkside, the group behind the hack.

How did the government pull it off?

The FBI had what was effectively the password to a bitcoin wallet that Darkside had sent the ransom money to, allowing the FBI to simply seize the funds, according to the DOJ.

‘Following the money’

Despite cybercriminals’ increasingly sophisticated use of technology to commit crimes, the DOJ said it used a time-tested approach to recover Colonial’s ransom payment.

“Following the money remains one of the most basic, yet powerful tools we have,” Deputy Attorney General Lisa Monaco said in the DOJ’s press release.

Colonial was hacked by Darkside on May 7, and alerted the FBI that same day, according to the DOJ.

On May 8, with its operations knocked offline and amid an emerging gas crisis, Colonial opted to pay the ransom (much to the chagrin of government crimefighters who were simultaneously trying to shut down the hack).

Colonial told the FBI that Darkside had instructed it to send 75 bitcoin, worth about $4.3 million at the time, according to an affidavit from an FBI special agent involved in the investigation.

The FBI agent then used a blockchain explorer – software that lets users search a blockchain, like bitcoin, to determine the amount and destination of transactions – to figure out that Darkside had tried to launder the money through various bitcoin addresses (similar to bank accounts), according to the affidavit.

Eventually, through the blockchain explorer, the FBI agent was able to track 63.7 bitcoin to a single address that had received an influx of payments on May 27.
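As an added illustration of the "following the money" step described above (example code written for this page, not the FBI's tooling or anything published by Business Insider), here is a small Python reconstruction of what a blockchain explorer lets an investigator do: follow coins forward from the ransom address across intermediate hops until they settle at an address that has not spent them. The ledger, the address names and the hop amounts are constructed; only the 75 and 63.7 BTC totals and the May dates echo the article.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger (not real chain data). Each transaction lists the
# addresses whose coins it spends ("inputs") and the addresses and amounts it
# pays out ("outputs"). Entries are in chain order, so a single forward pass
# sees every spend after the output it consumes.
LEDGER = [
    {"txid": "tx1", "date": date(2021, 5, 8), "inputs": ["colonial_wallet"],
     "outputs": [("ds_collect", 75.0)]},
    {"txid": "tx2", "date": date(2021, 5, 10), "inputs": ["ds_collect"],
     "outputs": [("hop_a", 40.0), ("hop_b", 34.95)]},        # 0.05 BTC fee
    {"txid": "tx3", "date": date(2021, 5, 27), "inputs": ["hop_a"],
     "outputs": [("consolidation", 35.0), ("change_a", 4.95)]},
    {"txid": "tx4", "date": date(2021, 5, 27), "inputs": ["hop_b"],
     "outputs": [("consolidation", 28.7), ("change_b", 6.2)]},
    # Unrelated deposit to the same address: not derived from the ransom,
    # so the trace must not attribute it.
    {"txid": "tx5", "date": date(2021, 5, 27), "inputs": ["someone_else"],
     "outputs": [("consolidation", 10.0)]},
]


def trace_forward(ledger, start_addrs):
    """Mark every address that receives coins spent from a tainted address.

    This is the simplest "poison" rule: every output of a transaction that
    spends tainted coins is itself tainted. Real analysis tools layer
    change-detection and mixing heuristics on top of this.
    Returns (tainted_addresses, tainted_txids) in ledger order.
    """
    tainted = set(start_addrs)
    tainted_txids = []
    for tx in sorted(ledger, key=lambda t: t["date"]):   # stable: keeps chain order
        if any(addr in tainted for addr in tx["inputs"]):
            tainted_txids.append(tx["txid"])
            tainted.update(addr for addr, _ in tx["outputs"])
    return tainted, tainted_txids


def tainted_inflows(ledger, tainted_txids):
    """Sum, per receiving address and per day, the coins delivered by tainted txs."""
    by_tx = {tx["txid"]: tx for tx in ledger}
    inflows = defaultdict(lambda: defaultdict(float))
    for txid in tainted_txids:
        tx = by_tx[txid]
        for addr, amount in tx["outputs"]:
            inflows[addr][tx["date"]] += amount
    return inflows


def consolidation_point(ledger, start_addrs):
    """Return (address, total_btc, busiest_day) for the address holding the
    most ransom-derived coins that have not been spent onward."""
    _, txids = trace_forward(ledger, start_addrs)
    inflows = tainted_inflows(ledger, txids)
    spent_from = {addr for tx in ledger for addr in tx["inputs"]}
    best = None
    for addr, per_day in inflows.items():
        if addr in spent_from:
            continue   # coins moved on; the trace already followed them
        total = round(sum(per_day.values()), 8)
        if best is None or total > best[1]:
            busiest = max(per_day, key=per_day.get)
            best = (addr, total, busiest)
    return best


if __name__ == "__main__":
    addr, total, day = consolidation_point(LEDGER, ["ds_collect"])
    print(f"{total} BTC of ransom-derived coins sit at {addr}; largest inflow on {day}")
```

Starting the trace at the collection address reports 63.7 BTC resting at `consolidation` with the inflow dated May 27, while the unrelated 10 BTC deposit is ignored because its inputs were never tainted. The "poison" rule deliberately over-approximates: any address touched by a tainted transaction is marked, which is why an investigator still needs the seizure-warrant step and off-chain evidence before treating a balance as attributable.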

Fortunately for the FBI, according to the agent’s affidavit, the agency had the private key (effectively the password) for that very address.

Bitcoin addresses rely on a two-key encryption system to keep transactions secure: one public and one private. The public key is shared openly so anybody can send money to that address. But once the sender has encrypted their payment with the recipient’s public key, only the recipient’s private key can decrypt and gain access to that money.

That’s why private keys are meant to be closely held secrets, stored in a secure place. As of January, $140 billion in bitcoin – around 20% of existing bitcoin – were held in wallets where people had forgotten or lost their private keys.

In Darkside’s case, the FBI managed to gain access to its private key, and after getting a seizure warrant from a federal court, the agency used the key to access Darkside’s address and swipe 63.7 bitcoin, or around $2.3 million.

The FBI didn’t say how it had managed to obtain the key, but said it sent a warning to other potential ransomware hackers.

“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises,” Monaco said in the release.

Read the original article on Business Insider

The White House is urging private companies to take the threat of cyberattacks seriously as ransomware hacks ‘have increased significantly’

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger speaks about the Colonial Pipeline cyber attack during the daily press briefing at the White House on May 10, 2021 in Washington, DC.

  • The Biden Administration is calling on the private sector to do more in the fight against cybercrime.
  • “The number and size of ransomware incidents have increased significantly,” the administration says.
  • The memo follows an attack on the world’s largest meatpacker, which shut down several US factories.

The private sector needs to do more to defend itself in the face of a rising cybersecurity threat, the White House said in a memo addressed to corporate executives and business leaders on Wednesday.

“The number and size of ransomware incidents have increased significantly,” wrote Anne Neuberger, Biden’s deputy national security advisor for cyber and emerging technology.

“The private sector also has a critical responsibility to protect against these threats,” she added. “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.”

The memo follows the latest attack on a key resource supplier in the US by ransomware attackers said to be based in Russia. Over the weekend, the world’s largest meat processor, JBS, was forced to shut down much of its North American operations after an attack the FBI attributed to a group known as Pinchy Spider.

And in April, the Colonial Pipeline was temporarily shut down when the company’s IT infrastructure was held hostage by the hackers known as Darkside for a ransom worth $4.4 million.

This week, the New York subway system and a Massachusetts ferry operator were each victims of cyber attacks.

Business leaders should immediately discuss their risk exposure and response strategies, the memo said, including following guidance outlined in last month’s Executive Order on improving the country’s cybersecurity.

The “highly impactful steps” include using a multi-factor authentication system instead of relying on passwords, conducting regularly scheduled data backups, keeping systems updated, and segmenting networks so an attack doesn’t bring the whole system down.

“Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat,” the memo said.


JBS says meatpacking operations will be back to normal Wednesday after a ransomware attack over the weekend

General view of Brazilian meatpacker JBS SA in the city of Lapa, Parana state, Brazil, March 21, 2017. Picture taken March 21, 2017. REUTERS/Ueslei Marcelino

  • JBS, the world’s largest meatpacking company, says it’s getting back online after a cyber attack.
  • The attack, believed to have originated in Russia, disrupted plants in the US and Canada.
  • Late on Tuesday, the company said its production should be back to normal on Wednesday.

Meatpacking operations are returning to normal Wednesday at JBS plants across the US and Canada, after a ransomware attack over the weekend against the world’s largest meat processor’s IT infrastructure, the company said.

“Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow,” JBS USA CEO Andre Nogueira said in a statement late on Tuesday.

The attack on the Brazil-based company is thought to have originated from a criminal organization based in Russia, the White House said, and the FBI is investigating.

JBS is responsible for about one-fifth of all US beef and pork processing capacity, and the disruption yesterday caused the US Department of Agriculture to delay the release of its daily price report. Bloomberg noted that excluding JBS’s data from the report could reveal proprietary information about its competitors.

In its statement on Tuesday, JBS said it was able to sell and ship product from nearly all of its North American facilities, and that it was not aware of any customer, supplier or employee data being compromised in the attack.

Livestock industry analysts did say that even a single day of disrupted supply could significantly impact the beef market, which is already seeing a trend of rising prices.

Last month, the cyber gang Dark Side executed a similar attack against the Colonial Pipeline, forcing the fuel company to shut off its supply and causing gasoline shortages across the southeast. The company ended up paying a ransom worth $4.4 million in bitcoin to the hackers.

The problem is growing rapidly with the rise of various cryptocurrencies. A recent study estimated that in 2020, more than $350 million worth of cryptocurrency was paid to hackers by victims of ransomware attacks, nearly four times the amount in 2019.


A cyberattack targeting the world’s largest meat supplier was perfectly timed to add a new layer of industry chaos

JBS was forced to shut down operations at some plants after a cyberattack.

  • JBS said on Tuesday that operations are returning to normal after a cyberattack shut down plants.
  • Just one day of disruption can impact the meat supply chain.
  • The industry faces layers of disruption, from labor shortages to lingering effects of the pandemic.

A cyberattack on the largest meat supplier in the world came at a potentially catastrophic time for the meat supply chain.

On Monday, JBS announced that a ransomware attack forced the company to shut down operations at a number of major plants. As JBS controls roughly 20% of the beef and pork slaughtering capacity in the US, the attack sent shockwaves through the industry.

“Our systems are coming back online and we are not sparing any resources to fight this threat,” Andre Nogueira, JBS USA CEO, said in a statement late Tuesday.

By Wednesday, operations were back on track at most US slaughterhouses – a far more positive outcome than what could have been, according to meat industry expert Anne-Marie Roerink.

“In a way, this situation is much like the Colonial pipeline, where the severity of the impact will much depend on the duration of the disruption and on where you are in the country,” Roerink told Insider on Tuesday. “While even one day of disrupted production causes ripples in the supply chain, a lengthier disruption could seriously impact beef and pork prices.”

The attack highlights the delicate nature of the meat supply chain in the US. With the attack coming on Memorial Day weekend – a major event for grilling – hackers timed the disruption to coincide with a time when stores are placing orders to refill the meat case, Roerink said.

Meat prices are already up compared to 2020, with Morning Brew reporting that pork prices were up 4.8% and beef prices were up 3.3% in April. The market for beef has been tight in recent weeks, Roerink said, and supply disruptions could drive prices even higher.

Multiple factors are behind the limited supply and increased prices. The pandemic threw the supply chain out of whack, as slaughterhouses shut down due to workers catching COVID and restaurant demand disappeared.

“Stack on top of that the disruptions in the plants, on top of that the ongoing issues with labor and transportation and now more supply chain disruptions,” Roerink said.

The result is an environment in which further disruptions – even if they only affect one company – can drive up prices across the US.

Last year highlighted the tenuous nature of the supply chain, and how much it depends on a few major players. Some politicians are calling for increased scrutiny of the dominance of companies like JBS, Tyson, and Cargill. Last week, members of Congress publicly urged the US Department of Justice to provide updates to an antitrust investigation into the largest meatpackers in the US.

“Cattle producers, especially small feeders, are again experiencing difficult conditions that are threatening their ability to stay in business,” reads the letter, which was signed by members of Congress including South Dakota Senator John Thune and Iowa Senator Chuck Grassley. “With a tight supply chain, any changes in processing capacity can have a dramatic impact on cattle prices, preventing producers from capturing margin from boxed beef rallies.”


Up to one-fifth of US beef and pork capacity may be shut down after the ransomware attack on JBS, the world’s largest meat processing company

In this Oct. 12, 2020 file photo, a worker heads into the JBS meatpacking plant in Greeley, Colo

  • Brazilian meat processing giant JBS is the latest major firm to suffer a ransomware attack.
  • JBS has over 64,000 meatpackers in the US and is responsible for a fifth of beef and pork capacity.
  • The White House says the attack originated in Russia and that the FBI is investigating.

JBS, the world’s largest meat processing company, has become the latest major firm to fall victim to a ransomware attack, bringing some production to a halt, the company said on Monday.

The Brazil-based meatpacker’s US operations are headquartered in Greeley, Colorado, and control an estimated one-fifth of the country’s slaughtering capacity for beef and pork. The company employs more than 64,000 workers in the US, many of whom are reporting cancelled shifts during the stoppage.

“On Sunday, May 30, JBS USA determined that it was the target of an organised cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems,” the company said in a Monday statement.

“Resolution of the incident will take time, which may delay certain transactions with customers and suppliers,” the statement said.

A White House spokesperson said JBS notified the US government about the attack, which is thought to have originated in Russia. The FBI is investigating, as well.

“Even one day of disruption will significantly impact the beef market and wholesale beef prices,” a livestock trade publication wrote, while analysts told Reuters that the disruption to JBS’s business could lead to higher prices for meat and potential shortages in some areas if the shutdowns continue.

On Tuesday, the US Department of Agriculture delayed its daily wholesale price report, citing “packer submission issues.” Agriculture markets rely on the data, but leaving JBS out of the report could reveal proprietary information about its competitors, Bloomberg reported.

Last month, a cyber attack on Colonial Pipeline’s billing system led to supply shocks across the southeastern US when the company chose to shut off service for several days. Colonial quickly paid the $4.4 million ransom to the hacker group Dark Side.

“This decision was not made lightly, however, one that had to be made,” Colonial CEO Joseph Blount said in a statement.


Ransomware attacks add to bitcoin’s woes, shining a light on the use of cryptocurrencies in crime

Critics have long highlighted bitcoin’s use in crime.

  • Ransomware attacks have turned an uncomfortable spotlight onto the use of cryptocurrencies in crime.
  • Hackers attacking the Colonial Pipeline and Ireland’s health service demanded payment in crypto.
  • One analyst said the issue will not go unnoticed by US regulators, which could step up enforcement.

Recent high-profile cyber attacks in which hackers demanded to be paid in cryptocurrencies have turned an uncomfortable spotlight on digital tokens and their use in crime.

One analyst said the ransomware attack on the Colonial Pipeline was facilitated by cryptocurrencies, which “will not go unnoticed by the US government and other countries.”

Hackers severely disrupted the US energy network earlier in May when they attacked the crucial Colonial Pipeline’s computing systems. To get the system back up and running, Colonial paid a ransom of nearly $5 million in cryptocurrency, Bloomberg reported, citing people familiar with the matter.

Days later, hackers targeted Ireland’s health service and also demanded a ransom be paid in bitcoin.

Bitcoin has crashed in recent days after Elon Musk said Tesla would no longer accept the token as payment, due to its “insane” and environmentally damaging energy use. Cryptocurrencies slid again on Tuesday after Chinese regulators cracked down on the use of digital assets for payments.

But Jeffrey Halley, senior market analyst at currency firm Oanda, said the so-called ransomware attacks had been an underappreciated factor.

“With Elon Musk grabbing all the headlines on his bitcoin/dogecoin pivot, the real issue is the $5 million ransom paid by Colonial Pipeline,” he said.

“Attacks on critical US infrastructure facilitated by cryptocurrencies will not go unnoticed by the US government and other countries. I would argue that the regulatory threat to cryptocurrencies has increased exponentially.”

Critics of bitcoin and other cryptocurrencies have long argued that they facilitate crime thanks to their anonymous and decentralized nature, which means they are very hard to trace and link to individuals.

Treasury Secretary Janet Yellen said in January that she was concerned about cryptocurrencies for this reason. “I think many are used – at least in a transaction sense – mainly for illicit financing,” she told lawmakers during her confirmation hearing.

Gary Gensler, the Chair of the Securities and Exchange Commission markets regulator, has made similar criticisms in the past.

“Beyond use on the darknet, there are those around the globe who seek to use these new technologies to thwart government oversight of money laundering, tax evasion, terrorism financing, or evading sanctions regimes,” he told Congress in 2018.

Although cryptocurrency companies that deal with customers in the US are covered by various financial regulations, the digital asset market is largely a grey area outside the traditional world of finance. Regulators have consistently warned that investors should only buy in if they’re willing to lose all their money.

In the US, regulators are keeping a close eye on cryptocurrencies but have not yet committed to any major rule changes during the latest digital asset boom.

Fox Business reported in April that Gensler is waiting for the Treasury to review the current cryptocurrency rules before the SEC lays out its approach. Fox said Gensler is likely to step up enforcement action.

Regulators are likely to increase their focus on crypto as ransomware attacks become more prevalent, said Rahul Bhushan, co-founder of Rize ETF, which runs a cybersecurity fund.

Yet Bhushan said a stronger “regulatory framework around cryptocurrencies… will help legitimize that market.”

Michael Shaulov, chief executive of crypto firm Fireblocks, said: “The true solution is a capability for law enforcement agencies around the world to distribute real-time information about illicit activities allowing wallet and custody providers to block these funds in transit.”

Colonial Pipeline has been contacted for comment.


Colonial Pipeline says it has restored service to ‘normal operations’ following cyberattack that forced a shutdown

Two women fill their cars with gasoline.
A gas station runs out of gasoline after motorists rush to fill up on May 12, 2021 in Arlington, Virginia.

  • Colonial Pipeline said Saturday that it returned its service to “normal operations.”
  • The company began a restart of pipeline operations at 5 p.m. Wednesday.
  • The company, which provides nearly half of all fuel on the East Coast, was the victim of a cyberattack.

Colonial Pipeline on Saturday announced that it had returned to “normal operations” days after it restarted its pipeline following a cyberattack that resulted in disruptions across the East Coast.

The company made the announcement on Twitter Saturday at 7:30 a.m. It had restarted the pipeline at 5 p.m. on Wednesday.

“Since this incident began, we have been clear that our focus was on the safe and efficient restoration of service to our pipeline system,” Colonial Pipeline said in a tweet. “That is what we have achieved through the commitment and dedication of the many Colonial team members.”


It continued: “Our team members across the pipeline worked safely and tirelessly around the clock to get our lines up and running, and we are grateful for their dedicated service and professionalism during these extraordinary times.”

The Colonial Pipeline is the largest pipeline of refined oil products in the US. It transports more than 45% of all fuel used on the East Coast to more than 50 million people from New York to Texas.

The Wall Street Journal reported Friday that DarkSide, the hacker group that took responsibility for the ransomware attack, said it planned to disband following pressure from the US and investigations by law enforcement agencies.

Bloomberg first reported that DarkSide received approximately $5 million in untraceable cryptocurrency from Colonial. According to the Bloomberg report, the company paid the ransom within hours of the May 7 attack.

The attack caused governors in several states to declare states of emergency as residents panic-bought gasoline, leading gas stations to hike prices and run out of fuel. Experts said it could take days to weeks for a return to normal in the affected states.


Ransomware attacks hit ‘under-resourced’ city governments hardest, says cybersecurity expert whose kids’ school was shut down by hackers for 4 days

Trucks line up at a Colonial Pipeline facility.

  • Friday’s DarkSide attack took down a major oil pipeline that supplies the US East Coast.
  • A cybersecurity expert said such ransomware attacks tend to target municipal governments.
  • The expert’s kids were out of school for four days last year after Baltimore’s school system was hacked.

The hacking of a major US oil pipeline Friday is the latest in a string of cyberattacks under federal investigation.

The stories read like movie loglines: A reportedly Russia-backed group slowly burrowed its way into US digital infrastructure, gaining access to important government accounts. An unknown cyber-assailant tried to poison a Florida town’s water supply. And now, a group of veteran cybercriminals took down an East Coast oil pipeline and held it ransom.

Ransomware attacks are common and are the cyberattack with the most potential to wreak havoc on everyday life, according to Ben Miller, an executive at the industrial cybersecurity firm Dragos Inc.

Miller had firsthand experience with a ransomware attack in November, when hackers took over Baltimore’s school system and forced it to shut down for four days.

“My kids didn’t have any snow days this year because they had school from home,” Miller told Insider. “They had ransomware days.”

There are two major types of cyberattacks, according to Miller. The first is attacks like the one on US information technology firm SolarWinds, which US intelligence agencies say Russia was behind, that seek some kind of geopolitical advantage. The second is smaller-scale ransomware, in which private actors – who may or may not operate with tacit government permission – go after companies and other institutions and then extort them to ease up on the attack.

The DarkSide attack against the Colonial Pipeline was a ransomware attack. The hacking group shut down a major pipeline that runs from Texas to New York, demanding money in order to restore its service in what Miller said was an example of how cyberattacks are increasingly affecting the “real world.”

Some of the most common targets of ransomware are municipal governments that are “under-resourced and under-managed” when it comes to cybersecurity, Miller said. Several other school systems in the US were hit by ransomware attacks in the past year. In April, the Justice Department announced a new task force to address ransomware attacks across the US.

Ransomware gangs also go after hospitals, as in the 2017 Wannacry hack that shut down parts of Britain’s National Health Service.

The hackers typically want to cause as much pain as possible so that they can get paid quickly, Miller said, making critical infrastructure an appealing target.

“When they can have a direct impact on their business – like shutting down a pipeline or impact to some facility – it does ring a chord with the victims and how they respond to that,” Miller said.

Miller said cyberattacks are so commonly directed at US companies because they’re wealthy enough to pay off ransomware attackers. Ransomware hacking groups view themselves as businesses, he said, and target companies and institutions in countries where they’re likely to make money: The United States, Britain, and Germany.

“The industry in the US would be more likely to pay an extortion of a couple of hundred thousand dollars or whatever,” Miller said. “Not to say that they should, or do – but they’re perceived that way, compared to firms in South America or Africa where that would literally, in many cases, put these firms out of business.”
