Colonial Pipeline: a victory in the fight against ransomware hackers
We discuss an important development in the fight against ransomware hackers, namely the recovery by the FBI of the Colonial Pipeline ransomware attack payment.
Last week was a tough one for the cyber-criminals at DarkSide (an Eastern Europe-based cyber-criminal hacking group). On Monday 7 June 2021, the US Justice Department (the DoJ) announced that it had seized approximately 64 bitcoin ($2.3m) paid by Colonial Pipeline to DarkSide following a ransomware attack that had been carried out by the group.
This development demonstrates a rare victory for law enforcement agencies targeting cyber-criminals responsible for ransomware attacks. Its implications will, however, be felt outside of the cyber-criminal underworld: those in the broader crypto-currency community will be pondering the implications for their own crypto assets, often favoured for their perceived anonymity, whilst others in the broader business community will be taking stock of the threat posed by ransomware attacks. We address some of the key issues below.
Crypto-assets: recovering the 'un-traceable'
The main question on the lips of many crypto market participants will be how the US authorities were able to trace and seize the bitcoin ransom that had been paid to DarkSide. Court filings in the US show that the FBI used blockchain explorers (searchable public directories of blockchain transactions) to track the movement of the bitcoin to various public addresses, before obtaining a private key (akin to a password) for a virtual wallet linked to one of the addresses, where the crypto-currency had (somewhat unwisely on the part of the hackers) been sitting for some time.
The FBI has not disclosed how it came to obtain the private key. Along with the many others speculating in the market, NPR has suggested that the FBI likely obtained the key through one of the following:
a tip-off from an insider associated with the attack;
an error on the part of one of the cyber-criminals (eg by storing the key on a private email account to which the FBI had gained access); or
by leveraging information it got from a cryptocurrency exchange (many of which are based in the US (eg Coinbase) and are therefore likely to be subject to requests for assistance).
The consensus appears to be that the FBI obtained the private key through human error or assistance (either from an insider or an exchange) rather than through a novel hacking method. Understandably, the FBI is likely to intend not to reveal its workings.
By contrast, the means by which the FBI located the wallet using the public blockchain ledger is very much in focus. It is helpful in correcting one of the still common (and incorrect) depictions of the crypto-asset as the sole preserve of cyber-criminals because of its apparent un-traceability. As the FBI has demonstrated, for the most part (with the exception of some privacy tokens) crypto-assets may be traced through the public blockchain ledger, and it is likely that we will see an increase in the forensic use of blockchain explorers to identify public addresses and thereby trace ransom payments.
However, as many will know, this is only half of the transaction. The significance of the recovery of the Colonial Pipeline ransom payment lies in the successful tracing of the other half of the transaction, which has until now frustrated most, if not all, efforts to recover such payments. For ransom payments made in the form of crypto-assets to be traced and ultimately recovered, they must also be either tied to an individual (eg via information provided to an exchange) or traced through an online wallet service, which stores the user's private key. It is at this stage that careful hackers (unlike those in this case) may successfully evade detection, eg by using the anonymous Tor browser to access the exchange or storing the crypto-assets in an offline desktop wallet. Nevertheless, there will always be room for human error in the storage, mixing and transfer of ransom payments, which the authorities are clearly increasingly learning how to exploit.
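As an added illustration (not part of the original article) of the two halves of the tracing described above, the following Python walks a constructed, simplified spend graph from a ransom payment: it reports where coins still sit on the public ledger and which outputs reached a labelled exchange deposit address, the point at which a disclosure request to the exchange becomes possible. All transaction ids, addresses, amounts and the exchange label are made up for the example.

```python
from collections import deque

# Constructed sample ledger (all txids and addresses are placeholders, not real
# Colonial Pipeline data). Each tx maps to its outputs as (address, amount_btc);
# SPENDS records which later tx consumed a given (txid, output index).
TXS = {
    "ransom_payment": [("addr_A", 75.0)],
    "split_tx":       [("addr_B", 64.0), ("addr_C", 11.0)],
    "hop_tx":         [("addr_D", 11.0)],
    "cashout_tx":     [("exchange_deposit_1", 11.0)],
}
SPENDS = {
    ("ransom_payment", 0): "split_tx",
    ("split_tx", 1): "hop_tx",
    ("hop_tx", 0): "cashout_tx",
}
# Deposit addresses attributed to a regulated exchange (assumed, labelled data).
KNOWN_EXCHANGE_ADDRS = {"exchange_deposit_1"}


def trace(start_txid, txs=TXS, spends=SPENDS, exchange_addrs=KNOWN_EXCHANGE_ADDRS):
    """Breadth-first walk from the ransom payment along the spend graph.

    Returns (unspent, exchange_hits):
      unspent       -> {address: btc} still sitting in addresses downstream of the
                       payment (the 'first half': funds located on the public ledger)
      exchange_hits -> [(address, btc, path)] outputs that reached a known exchange
                       deposit address, where a disclosure request could tie the
                       funds to an account holder (the 'second half')
    """
    unspent, exchange_hits = {}, []
    seen = set()
    queue = deque([(start_txid, [start_txid])])
    while queue:
        txid, path = queue.popleft()
        if txid in seen:
            continue
        seen.add(txid)
        for vout, (addr, amount) in enumerate(txs[txid]):
            if addr in exchange_addrs:
                exchange_hits.append((addr, amount, path))
            next_tx = spends.get((txid, vout))
            if next_tx is None:
                # Output never spent: the coins are still here. If a private key
                # for this address is lawfully obtained, this is what gets seized.
                unspent[addr] = unspent.get(addr, 0.0) + amount
            else:
                queue.append((next_tx, path + [next_tx]))
    return unspent, exchange_hits
```

Real investigations run the same walk over explorer or node data and must also handle mixing, where one transaction joins many unrelated inputs and the path becomes probabilistic rather than certain.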
It remains to be seen how this development will alter the playing field between hacker groups such as DarkSide and cyber-crime units. Until we know the FBI's methodology in obtaining the private key, it is impossible to understand whether this is simply a lucky break for the authorities and/or misfortune on the part of the hackers, or a new chapter in the fight against ransomware attacks.
Implications for businesses facing ransomware attacks
Notwithstanding this development, the ability to trace and (importantly) recover ransom payments is likely to remain highly uncertain. The overwhelming majority of ransom payments made in the form of crypto-currencies have been successfully dissipated by the hackers, never to be seen again. Indeed, there is an ongoing debate in the market (eg amongst the Ransomware Task Force, a global coalition of cyber experts) about whether ransom payments should be banned by governments, on the basis that they simply encourage ransomware attacks; the French Cyber Security Agency also recently published guidance advising against such payments (see our Paris office's article here). Whether that is a realistic prospect remains to be seen, particularly in circumstances where a business is faced with ransomware impeding a critical business function. In any event, businesses must think very carefully before making a ransom payment, no matter how business critical the affected operations are; notwithstanding the FBI's recent victory, it remains very uncertain that such payments will ever be recovered.
Nevertheless, the recovery of the bitcoin by the FBI raises interesting questions for legal practitioners and clients considering the civil recovery of crypto assets following a ransomware payment made in crypto-currency. Whilst there have long been service providers in the market offering forensic blockchain tracing through public ledgers, the English Courts earlier this year demonstrated their willingness to grant civil interim relief in aid of claims for the recovery of fraudulently obtained crypto-currencies. In Ion Science Ltd v Persons Unknown and others (unreported, 21 December 2020) the High Court granted Bankers Trust relief against crypto exchanges residing outside of the jurisdiction, requiring the disclosure of personal information about the holders of accounts into which fraudulently obtained bitcoin had been transferred (although in that case in the context of an ICO fraud). In light of the prevalence of ransomware attacks, it is likely only a matter of time before we see such relief granted in aid of an attempt to recover a ransom payment.
All of this comes at a time when the threat posed to businesses and individuals by ransomware hackers looms larger than ever. Lindy Cameron, the chief executive of the National Cyber Security Centre, has today given a speech describing state-backed cyber activity such as online espionage and the theft of intellectual property as a "malicious strategic threat to the UK's national interests". As the "ransomware as a service" business model (deployed by groups such as DarkSide) proliferates, the threat posed by such attacks must be taken all the more seriously.
In our TechFocus webinar on 15 June, we consider whether it ever pays to pay a ransom, how to be proactive so you are ready to face a ransomware attack if it occurs, and what reactive steps you can take if the worst happens. We also look at the legal risks following an attack, including regulatory, litigation and insurance risks. You can register for the webinar here.
