
Ransomware in Crypto & the Use of Predictive Blockchain Analytics

Introduction

Of late, the U.S. has been hit by a wave of disruptive ransomware attacks. In the official press release detailing the actions taken by regulators to counter ransomware, the U.S. Department of the Treasury noted that roughly $400 million in ransom was paid to malicious cyber actors in 2020, more than four times the amount paid in 2019. Globally, the frequency of ransomware attacks increased dramatically in 2021, with attacks surging 93% in the last six months.

Ransomware Attacks are Evolving

According to the Federal Bureau of Investigation (FBI), ransomware is “a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay ransom for their return.” 

Further, ransomware attacks are becoming increasingly sophisticated. According to industry reports, attackers previously stole or accessed data and threatened to leak or sell it; now they conduct more strategic attacks, targeting critical infrastructure, private companies, and municipalities. The attackers encrypt the data, disrupting the service the company provides. In exchange for decryption and a return to normal service, the attackers demand a ransom, often in cryptocurrency. Attackers use sophisticated techniques built into ransomware families such as Ryuk and Sodinokibi (REvil) to target specific enterprises. These particularly insidious ransomware variants deny users access to their device, system, or files until a ransom is paid.

According to a report published by the cybersecurity firm Check Point, the global surge in ransomware attacks is fuelled by the “triple extortion” ransomware technique. Traditionally, ransomware attacks consisted only of the first stage, in which a single victim faced a ransom demand in return for their data. Attackers then moved to a second stage, in which the threat of publishing stolen data online became a common point of leverage for extracting further ransom payments. Lately, the multilayered triple extortion technique is quickly gaining traction, with attackers also targeting the data of the organization’s final customers, vendors, and partners.

Because it is difficult to trace, cryptocurrency is used not only to pay the ransom but also to pay the platforms that facilitate ‘ransomware as a service.’ Under ransomware as a service, anyone can hire a hacker to carry out ransomware attacks or buy off-the-shelf ransomware on the darknet, and these services are usually paid for in crypto.

Understanding Why Criminals Prefer Crypto-Ransomware Attacks

To hide the trail of payments, attackers leverage the anonymity provided by blockchain technology. Attackers use services such as mixers or tumblers to hide the source of funds: a ransom paid in crypto can be swiftly run through a mixer or tumbler, which obscures the trail of ownership by pooling it with other people’s holdings. Attackers also use non-compliant exchanges and peer-to-peer (P2P) exchanges located in jurisdictions with weak AML/CFT controls to liquidate the ransom funds. Further, attackers may use the ‘peel chain’ pattern to obfuscate illicit funds: the ransom amount is broken down and passed through a chain of multiple crypto wallets, concealing the trail of funds.
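The peel chain pattern described above can be recognised from the defender's side by walking forward from the ransom address and checking whether each hop peels a small amount off while passing the bulk on to a fresh address. The following is an added example, not Merkle Science's code; the transactions, addresses, and the 10% peel ratio and three-hop threshold are constructed assumptions.

```python
"""Added example: a simple peel-chain detector over a constructed,
UTXO-style transaction set (not Merkle Science's tooling)."""
from typing import Dict, List, Tuple

# Constructed sample: each tx spends from one address into two outputs.
# Amounts are in BTC; txids and addresses are made-up placeholders.
SAMPLE_TXS: List[Dict] = [
    {"txid": "t1", "from": "ransom_addr", "outputs": [("peel1", 0.5), ("hop1", 74.5)]},
    {"txid": "t2", "from": "hop1", "outputs": [("peel2", 0.8), ("hop2", 73.7)]},
    {"txid": "t3", "from": "hop2", "outputs": [("peel3", 0.6), ("hop3", 73.1)]},
    {"txid": "t4", "from": "hop3", "outputs": [("peel4", 0.7), ("hop4", 72.4)]},
    # An ordinary two-output payment (roughly even split): not a peel hop.
    {"txid": "t5", "from": "hop4", "outputs": [("shop", 36.0), ("hop5", 36.4)]},
]


def follow_peel_chain(start: str, txs: List[Dict],
                      peel_ratio: float = 0.1) -> Tuple[int, float, List[str]]:
    """Walk forward from `start`, following the large (change-like) output
    for as long as the small output is at most `peel_ratio` of the total.
    Returns (hops, total_peeled, path_of_addresses)."""
    spends = {tx["from"]: tx for tx in txs}   # assumes one spend per address
    current, hops, peeled, path = start, 0, 0.0, [start]
    while current in spends:
        outs = sorted(spends[current]["outputs"], key=lambda o: o[1])
        if len(outs) != 2:
            break                              # peel hops have exactly two outputs
        (_, small), (large_addr, large) = outs
        if small > peel_ratio * (small + large):
            break                              # even split: chain ends here
        hops += 1
        peeled += small
        current = large_addr
        path.append(current)
    return hops, round(peeled, 8), path


def is_peel_chain(start: str, txs: List[Dict], min_hops: int = 3) -> bool:
    """Flag the address if the forward walk finds at least `min_hops` peel hops."""
    hops, _, _ = follow_peel_chain(start, txs)
    return hops >= min_hops


if __name__ == "__main__":
    print(follow_peel_chain("ransom_addr", SAMPLE_TXS))  # (4, 2.6, [...])
```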

The second reason attackers may favor cryptocurrency is the efficiency and transparency of crypto networks. The attacker can monitor the public blockchain to assess whether victims have paid the ransom, and upon receiving it can automate the process of returning the data to the victim.

Using Blockchain Analytics to Track Ransomware Payments

However, using crypto to facilitate ransom payments can be a double-edged sword. For instance, if the ransom is paid in Bitcoin, blockchain analytics companies can trace the transaction on the public Bitcoin blockchain, which can lead them to the receiving Bitcoin address.

Blockchain analytics providers may also aggregate off-chain data to identify the senders and receivers of the funds. To achieve this, they analyze historical blockchain data, combined with knowledge of good and bad actors and their techniques, to detect transaction patterns. This makes it possible to identify the blockchain addresses of illicit actors and provides a critical opportunity to track illicit funds.

Merkle Science’s Analysis of Colonial Pipeline Attacks

The attack on Colonial Pipeline has brought ransomware to the forefront. In the Colonial Pipeline ransomware incident, an attacker known as DarkSide hijacked the company’s network and then demanded a ransom in exchange for the encryption key needed to regain access to the network. The attackers shared a newly created Bitcoin address, 15JFh88FcE4WL6qeMLgX5VEAFCbRXjc9fr, for the ransom. Within two days of the attack, the attackers received over USD 4.4 million in ransom.

Since DarkSide operates as “ransomware as a service,” the attackers paid DarkSide for the use of its ransomware tools, moving funds to addresses owned by the DarkSide ransomware developers. The first incoming transaction was USD 1, and the next was USD 4,433,726. After this, 63.79 BTC (approximately USD 2.3 million) was moved from wallets controlled by the DarkSide developers back to the attackers. On 7 June 2021, the FBI gained access to the address controlled by the attackers and recovered 63.70 BTC (USD 2.3 million).


Image Description - Tracing ransom sent by Colonial Pipeline on Crypto Forensics Tool

Regulatory Crackdown on Ransomware Attacks

The U.S. government has taken a series of steps to counter the disruptive waves of ransomware attacks. On 6 October 2021, Deputy Attorney General Lisa O. Monaco announced the creation of the National Cryptocurrency Enforcement Team (NCET). NCET aims to tackle complex investigations and prosecutions involving the misuse of cryptocurrency, particularly crimes committed by virtual currency exchanges and mixers or tumblers, among others. NCET will also assist in tracing and recovering assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups.

On 15 July 2021, the U.S. Department of State released an official statement offering a reward of up to USD 10 million for information leading to the identification or location of any person engaged in foreign government-sanctioned malicious cyber activity, including ransomware attacks against U.S. critical infrastructure. On the same day, the U.S. Department of Homeland Security launched a new website, StopRansomware.gov, that consolidates ransomware resources from federal government agencies.

On 21 September 2021, the United States Department of the Treasury announced that it would impose sanctions on SUEX OTC, a virtual currency exchange based in the Czech Republic and Russia, for its part in facilitating financial transactions for a ransomware attack.

The Office of Foreign Assets Control (OFAC) also issued an Updated Advisory on the potential sanctions risks of facilitating ransomware payments as part of its efforts to counter ransomware. Although the U.S. Government strongly discourages paying ransomware demands, paying a ransom is not illegal in and of itself. However, if the payment is made to a sanctioned party, OFAC may impose civil penalties for sanctions violations based on a strict liability standard.

OFAC also encouraged financial institutions (FIs) and crypto businesses to implement a risk-based compliance program to mitigate exposure to sanctions-related violations, and to analyze whether they have any regulatory obligations under FinCEN regulations. In an official statement, the FBI urged businesses to employ best practices to minimize ransomware risk and to report ransomware incidents to their local field office or the FBI’s Internet Crime Complaint Center (IC3).

Why Merkle Science

Merkle Science’s source-of-funds transaction monitoring tool can accurately identify the proceeds of ransomware payments, making it harder for ransomware actors to launder the proceeds of their illegal activity. Merkle Science’s block monitor tool can be used to detect ransomware transactions. For example, if an address receives payments of similar amounts from many different counterparties, the address is immediately flagged and escalated to compliance teams. Further, any rule can be combined with other rules, such as range-bound transactions, to identify whether the address is receiving many payments of similar size, which may indicate a scam. Ultimately, adding more conditions to a rule makes it harder for an attacker to satisfy all of them, reducing the chance of them engaging in criminal activity.
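The two rules just described, many similar-sized payments from distinct counterparties and a range-bound amount check, can be expressed as a small rule combinator over an address's incoming payments. This is an added example and not Merkle Science's block monitor; the payment list, the 5% similarity tolerance, the 0.01–0.10 BTC range and the five-counterparty threshold are constructed assumptions.

```python
"""Added example: combining a similar-amount rule with a range-bound rule
over constructed incoming payments to one address (not Merkle Science's code)."""
from typing import Dict, List, Set, Tuple

# Constructed sample: (counterparty_address, amount_in_BTC) paid into one address.
INCOMING: List[Tuple[str, float]] = [
    ("cp_a", 0.050), ("cp_b", 0.051), ("cp_c", 0.049), ("cp_d", 0.050),
    ("cp_e", 0.052), ("cp_a", 0.050),   # repeat counterparty: counted once
    ("cp_f", 1.250), ("cp_g", 3.100),   # unrelated, dissimilar payments
]


def similar_amount_clusters(payments: List[Tuple[str, float]],
                            tolerance: float = 0.05) -> Dict[float, Set[str]]:
    """Bucket payments whose amount is within `tolerance` (relative) of the
    bucket's anchor amount; returns {anchor_amount: set_of_counterparties}."""
    clusters: Dict[float, Set[str]] = {}
    for cp, amt in payments:
        for anchor in clusters:
            if abs(amt - anchor) <= tolerance * anchor:
                clusters[anchor].add(cp)
                break
        else:                                  # no bucket matched: open a new one
            clusters[amt] = {cp}
    return clusters


def rule_many_similar_payments(payments: List[Tuple[str, float]],
                               min_counterparties: int = 5,
                               tolerance: float = 0.05) -> bool:
    """Fires when some amount bucket has payments from enough distinct senders."""
    clusters = similar_amount_clusters(payments, tolerance)
    return any(len(cps) >= min_counterparties for cps in clusters.values())


def rule_range_bound(payments: List[Tuple[str, float]], low: float,
                     high: float, min_count: int = 5) -> bool:
    """Fires when enough payments fall inside the [low, high] amount range."""
    return sum(1 for _, amt in payments if low <= amt <= high) >= min_count


def flag_address(payments: List[Tuple[str, float]],
                 low: float = 0.01, high: float = 0.10) -> bool:
    """Escalate only when both rules fire: the combined rule is stricter than either alone."""
    return rule_many_similar_payments(payments) and rule_range_bound(payments, low, high)


if __name__ == "__main__":
    print("flagged:", flag_address(INCOMING))  # flagged: True
```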