Ransomware, malicious software that encrypts the files on victims’ systems and keeps them “locked” until a ransom is paid, is the world’s fastest-growing cyber threat, according to Coinfirm. Recent attacks on critical national infrastructure, like the Colonial Pipeline incursion that crippled fuel deliveries for a week along the U.S. East Coast, have set off alarms. Ransom payments are almost always made in Bitcoin or other cryptocurrencies.
But while many were shaken by May’s Colonial Pipeline attack — the Biden administration issued new pipeline regulations in its aftermath — relatively few are aware of that drama’s final act: Using blockchain analysis, the FBI was able to follow the flow of the ransom payment and recover about 85% of the Bitcoin paid to the ransomware group DarkSide.
In fact, blockchain analysis, which can be further enhanced with machine learning algorithms, is a promising new technique in the battle against ransomware. It takes some of crypto’s core attributes — e.g., decentralization and transparency — and uses those properties against malware miscreants.
While crypto’s detractors tend to emphasize its pseudonymity — and its attractiveness to criminals for that reason — they tend to overlook how visible BTC transactions actually are. The Bitcoin ledger is replicated to tens of thousands of nodes worldwide as each new block is confirmed, and every transaction it contains is there for anyone to inspect. By analyzing the flow of funds between addresses, forensic specialists can often identify suspicious activity. This could prove to be the Achilles’ heel of the ransomware racket.
An underused means
“The blockchain ledger on which Bitcoin transactions are recorded is an underutilized forensic tool that can be used by law enforcement agencies and others to identify and disrupt illicit activities,” Michael Morrell, former acting director of the U.S. Central Intelligence Agency, declared in a recent blog, adding:
“Put simply, blockchain analysis is a highly effective crime fighting and intelligence gathering tool.[…] One expert on the cryptocurrency ecosystem called blockchain technology a ‘boon for surveillance.’”
Along these lines, three Columbia University researchers recently published a paper, “Identifying Ransomware Actors in the Bitcoin Network,” describing how they were able to use graph machine learning algorithms and blockchain analysis to identify ransomware attackers with “85% prediction accuracy on the test data set.”
Those on the frontlines of the ransomware struggle see promise in blockchain analysis. “While it may at first seem like cryptocurrency enables ransomware, cryptocurrency is actually instrumental in fighting it,” Gurvais Grigg, global public sector chief technology officer at Chainalysis, tells Magazine, adding:
“With the right tools, law enforcement can follow the money on the blockchain to better understand and disrupt the organization’s operations and supply chain. This is a proven successful approach as we saw in January’s ‘takedown’ of the NetWalker ransomware strain.”
Whether blockchain analysis alone is enough to thwart ransomware incursions or whether it needs to be joined with other tactics, like bringing political/economic pressure to bear on foreign countries that tolerate ransomware groups, is another question.
Clifford Neuman, associate professor of computer science practice at the University of Southern California, believes that blockchain analysis is an underutilized forensic tool. “Many people, including criminals, assume Bitcoin is anonymous. In fact, it is far from being so in that the flow of funds is more visible on the ‘public’ blockchain than it is in almost any other kinds of transactions.” He adds: “The trick is to tie the endpoints to individuals, and blockchain analysis tools can sometimes be used to do this linking.”
A valid means for unmasking ransomware attackers? “Yes, absolutely,” Dave Jevans, CEO of crypto intelligence firm CipherTrace, tells Magazine. “Using effective blockchain analytics, cryptocurrency intelligence software” — the sort his firm produces — “to track where ransomware actors are moving their funds can lead investigators to their true identities as they attempt to off-ramp their crypto to fiat.”
David Carlisle, director of policy and regulatory affairs at analytics firm Elliptic, tells Magazine: “Blockchain analysis is already a proven valuable technique for enabling law enforcement to disrupt the activities of these networks, as the Colonial Pipeline case made clear.”
Within days of the May 8 ransom payment by Colonial Pipeline, Elliptic was able to identify the Bitcoin wallet that received the payment. Further, “It [the wallet] had received Bitcoin payments since March totaling $17.5 million,” recounts law firm Kelley Drye & Warren LLP. Elliptic was helped by the fact that the malefactors had used no “mixers” to further obscure their trail. Carlisle adds:
“The underlying transparency of Bitcoin and other crypto assets means that law enforcement can often glean a level of insight into money laundering activity that would not be possible with fiat currencies.”
A boost from machine learning?
Machine learning (ML) is one of those emerging technologies, like blockchain, for which novel use cases seem to be discovered weekly. Can ML assist too in the war against ransomware?
“Absolutely,” Allan Liska, a senior intelligence analyst at Recorded Future, tells Magazine, adding further: “Given the large number of malicious transactions occurring at any given time and the increasing sophistication of some ransomware groups’ money laundering capabilities, manual analysis has become less effective — and machine learning is required to effectively track tell-tale signs of malicious transactions.”
“Machine Learning is very promising in fighting crimes,” Roman Bieda, head of fraud investigations at Coinfirm, informs Magazine, but it requires a huge amount of data to be effective. It is relatively easy to acquire Bitcoin addresses, which are available in the millions, but a dataset upon which a learning model can be trained and tested also requires a certain number of “fraudulent” Bitcoin addresses — i.e., confirmed ransomware actors. “Otherwise, the model will either mark a lot of false positives or will omit the fraudulent data as a minor percentage,” says Bieda.
Say you want to build a model that will pull out photos of dogs from a trove of cat photos, but you have a training dataset with 1,000 cat photos and only one dog photo. An ML model “would learn that it is okay to treat all photos as cat photos as the error margin is [only] 0.001,” notes Bieda. In other words, the algorithm would just guess “cat” all the time, which would render the model useless, of course, even as it scored high in overall accuracy.
In the Columbia University study, researchers made use of 400 million Bitcoin transactions and close to 40 million Bitcoin addresses, but only 143 of these were confirmed ransomware addresses.
“We show that very local subgraphs of the known such actors are sufficient to differentiate between ransomware, random and gambling actors with 85% prediction accuracy on the test data set,” reported the authors, adding that “Further improvement should be possible by improving clustering algorithms.”
They added, however, that “Getting more data which is more reliable would improve accuracy,” making the model more “sensitive” and avoiding the sort of problem described above by Bieda, presumably.
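The degenerate model Bieda describes is easy to reproduce in a few lines. The example below is added here and is not from the article or the Columbia paper; it implements the standard confusion-matrix metrics and applies them to an “always predict the majority class” model, first on the 1,000-cats-and-one-dog case and then on the Columbia-scale label counts (roughly 40 million addresses, 143 confirmed ransomware). The labels are constructed, and the helper names are mine. The point it shows is that accuracy alone approaches 100% while recall, F1 and balanced accuracy expose that the model catches nothing.

```python
"""Why accuracy misleads on imbalanced address-labelling data.

Added example; not code from the article or from the Columbia paper.
Counts come from the article (1,000 cats / 1 dog; ~40M addresses / 143
confirmed ransomware addresses). The always-negative predictor is the
degenerate model Bieda describes. All labels below are constructed.
"""


def confusion_counts(y_true, y_pred):
    """Return (tp, fp, fn, tn) for binary labels where 1 = ransomware/positive."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors differ in length")
    tp = fp = fn = tn = 0
    for t, p in zip(y_true, y_pred):
        if t and p:
            tp += 1
        elif not t and p:
            fp += 1
        elif t and not p:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def metrics_from_counts(tp, fp, fn, tn):
    """Accuracy, precision, recall, F1 and balanced accuracy from a confusion matrix.

    Ratios with a zero denominator (e.g. precision when nothing is flagged)
    are reported as 0.0 instead of raising, which is the case that matters here.
    """
    def ratio(num, den):
        return num / den if den else 0.0

    total = tp + fp + fn + tn
    precision = ratio(tp, tp + fp)
    recall = ratio(tp, tp + fn)          # true-positive rate
    specificity = ratio(tn, tn + fp)     # true-negative rate
    return {
        "accuracy": ratio(tp + tn, total),
        "precision": precision,
        "recall": recall,
        "f1": ratio(2 * precision * recall, precision + recall),
        # Balanced accuracy weights both classes equally, so a model that
        # ignores the minority class scores 0.5 regardless of the imbalance.
        "balanced_accuracy": (recall + specificity) / 2,
    }


def majority_baseline(y_true):
    """The degenerate model: predict the majority class for every sample."""
    positives = sum(1 for y in y_true if y)
    majority = 1 if positives > len(y_true) - positives else 0
    return [majority] * len(y_true)


def evaluate_degenerate_model(n_negative, n_positive):
    """Metrics of the always-negative predictor given only the class counts.

    Working from counts lets us score the 40-million-address case without
    materialising a 40-million-element label vector.
    """
    if n_negative < n_positive:
        raise ValueError("this helper assumes negatives are the majority class")
    return metrics_from_counts(tp=0, fp=0, fn=n_positive, tn=n_negative)


if __name__ == "__main__":
    # Bieda's example: 1,000 cat photos and one dog photo (constructed labels).
    y = [0] * 1000 + [1]
    print("1000 cats / 1 dog:", metrics_from_counts(*confusion_counts(y, majority_baseline(y))))
    # Columbia-scale counts: ~40 million addresses, 143 confirmed ransomware.
    print("40M addresses / 143 ransomware:", evaluate_degenerate_model(40_000_000 - 143, 143))
```

Run it and the always-negative model reports 99.9% accuracy on the cat/dog set and 99.9996% on the address set, with recall, precision and F1 all at zero and balanced accuracy stuck at 0.5. That is why a headline accuracy figure for a ransomware-address classifier is only meaningful alongside the class mix of the test set and the recall on the minority class.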
Along these lines, the Transportation Security Administration, part of the U.S. Department of Homeland Security, issued a security directive in the wake of the Colonial Pipeline attack requiring pipeline owners and operators to report cybersecurity incidents. Reporting attacks had been voluntary before. Mandates like these will arguably help to build out the labelled dataset of “fraudulent” addresses needed for effective blockchain analysis. Adds Carlisle: “Public-private partnerships need to focus on sharing financial intelligence related to ransomware attacks.”
Much blockchain analysis is premised on the notion that attackers can be unmasked after an attack takes place. But law enforcement agencies, and especially ransomware victims, would prefer that assaults not happen in the first place. According to Jevans, blockchain analysis can also enable enforcement agencies to act preemptively. He tells Magazine:
“While blockchain clustering algorithms typically require someone to make a payment into an address in order to track the funds and identify the owner, advanced tools like CipherTrace can produce actionable intelligence on addresses that have yet to receive funds, as well, such as IP data that can assist investigators.”
Necessary but not sufficient?
Some ask, however, whether blockchain analysis by itself is sufficient to eliminate ransomware. “Blockchain analysis is an important tool in law enforcement’s toolkit, but there is no single silver bullet for solving the ransomware problem,” says Grigg.
Liska adds: “Even the best research and identification tools aren’t effective unless governments are willing to take action. Stopping ransomware transactions is going to require cooperation between private entities and governments.”
Many ransomware attacks originate in or around Russia, according to Coinfirm, so some ask if Vladimir Putin can be pressured to shut down those groups’ operations. “Past cases show not much can be done against the countries related to the cyberattacks, even if there are very strong indicators that the hackers are related to the secret services,” Bieda tells Magazine.
Others question whether blockchain analysis can make any dent at all in the malware problem. “It is way too soon to write off cryptocurrency as a vehicle for ransomware,” Edward Cartwright, professor of economics at De Montfort University, tells Magazine. “While there have been a few ‘good news’ stories of late, the reality is that ransomware criminals are still routinely using Bitcoin as the easiest and most anonymous way of extracting ransoms.”
Moreover, even if Bitcoin becomes too radioactive for malefactors because of its traceability — “a big if,” in Cartwright’s view — “criminals can simply move to currencies that are completely anonymous and untraceable,” like Monero and other privacy coins, he says.
“We really need to see increased collaboration between the private and public sector to build full profiles of these ransomware groups,” says Jevans. “Information sharing in these situations can be the silver bullet.”
“One of the challenges is that ransomware groups are turning to offline methods to move Bitcoin,” says Liska. “Literally, two people meeting in a parking lot or restaurant with their phones and briefcase full of cash.” These types of transactions are much harder to trace, he tells Magazine, “but still not impossible with more advanced tracking techniques.”
But will malefactors move to privacy coins?
What about Cartwright’s point that ransomware actors will simply move to privacy coins like Monero if Bitcoin proves too traceable? Elliptic is already seeing “a significant uptick” in attempts to obtain payments from ransomware victims in Monero, Carlisle tells Magazine. “This has really increased since the time of the Colonial Pipeline case, when the implications of Bitcoin’s traceability were on clear display for any other cybercriminals watching.”
But privacy coins can be traced too, though it is more difficult, because, unlike Bitcoin, privacy coins such as Monero hide the sending and receiving addresses and the transaction amounts. Some jurisdictions, too, have cracked down on privacy coins, or are thinking of doing so. Japan’s financial regulator pushed licensed exchanges to delist privacy coins in 2018, for instance. But there’s a practical problem too. Ransomware victims facing a payment deadline often have trouble finding exchanges that will convert their fiat currency into XMR within the required time period to pay their extortionists and unlock their computers, Bieda tells Magazine. Privacy coins aren’t nearly as well supported by crypto exchanges as Bitcoin. Jevans says “Bitcoin is simply the easiest cryptocurrency to acquire,” adding:
“It is unlikely that ransomware actors will ever completely stop using Bitcoin because of its liquidity and the accessibility of Bitcoin to fiat off-ramps in comparison to other privacy-enhanced cryptocurrencies.”
Most regulated exchanges do not offer Monero trading, adds Carlisle. “Victims may negotiate with the attackers and persuade them to accept payment in Bitcoin, but attackers will then typically demand a fee of 10%–15% for Bitcoin payments above what they would require for a Monero payment — which reflects their concern that Bitcoin’s traceability leaves them vulnerable.”
Is banning crypto a solution?
Recently, former Federal Reserve Bank of New York Supervisor Lee Reiners suggested in a Wall Street Journal opinion piece that “There is a simpler and more effective way to stop the ransomware pandemic: Ban cryptocurrency.” After all, he added, “Ransomware can’t succeed without cryptocurrency.”
“This sounds like a solution that would be even worse than the problem,” comments Benjamin Sauter, a lawyer at Kobre & Kim LLP. “However, it does reflect a perception, particularly among many policy makers in the U.S., that cryptocurrency offers a haven for criminals that needs to be restricted,” he tells Magazine.
“The profitability for the threat actors that are carrying out ransomware attacks would certainly decrease if cryptocurrency did not exist, as laundering fiat is inherently more costly,” Bill Siegel, co-founder and CEO of ransomware recovery firm Coveware, tells Magazine. “These attacks would still happen though.”
“I do not think it makes sense to ban cryptocurrency,” Neuman adds. “The existing laws that are on the books in the U.S. require information to be collected on certain kinds of payment instruments for transactions over a certain threshold, and we can apply those rules to cryptocurrency as well. If we ban cryptocurrency, criminals will simply shift their payment demands to other instruments.”
A “cat and mouse game”
Moving forward, ransomware groups will have to live with the increasing risk of getting caught by using Bitcoin, says Liska, “or decide if they are willing to accept significantly lower ransom payments to better preserve their anonymity.”
This remains “a game of cat and mouse between the criminals and law enforcement,” adds Cartwright, “and recent successes of law enforcement are more because the criminals got sloppy or made mistakes [rather] than a fundamental flaw in the [criminals’] business model.”
A global effort may be required to turn the tide on ransomware. All countries need to regulate crypto exchange platforms, says Carlisle, “otherwise attackers will continue to have easy avenues for laundering their proceeds of crime,” while Bieda predicts that crypto will continue to be used for ransom payments “until stringent global and regional regulations such as harsh penalties for lackluster KYC are introduced.”
Tracing Colonial Pipeline #bitcoin #ransom to DarkSide to FBI seizure:
▸5/8 Colonial Pipeline pays 75 BTC
▸5/9 DarkSide affiliate withdraws 63.75 BTC
▸5/27 63.75 BTC moved to another wallet, private key “was in the possession of the FBI”
▸6/8 BTC in the wallet seized by FBI
— elliptic (@elliptic) June 10, 2021
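The “follow the money” step that Elliptic’s timeline summarizes is, at its core, a walk over the transaction graph: start from the output that received the ransom and, each time that output is spent, distribute its “tainted” value across the spending transaction’s outputs in proportion to their amounts (the so-called haircut method). The example below is added here and is not code from the article, from Elliptic or from the FBI. Its ledger is constructed to mirror the amounts in the tweet (75 BTC paid, 63.75 BTC withdrawn by the affiliate and moved to a wallet the FBI later controlled); where the remaining 11.25 BTC went is not stated in the tweet, so its co-mingling with unrelated “clean” funds is assumed purely to show how taint dilutes when a launderer mixes inputs. Address names and transaction IDs are placeholders.

```python
"""Haircut (proportional) taint tracing over a constructed UTXO ledger.

Added example; not code from the article, Elliptic or the FBI. Amounts for
the ransom/affiliate/FBI hops follow the embedded tweet; the 11.25 BTC
remainder, the "clean" 38.75 BTC and the co-mingling hop are constructed
assumptions used only to show how taint is diluted by mixing inputs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    address: str
    amount: float


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # (txid, vout) references to earlier outputs; empty = funding tx
    outputs: tuple   # Output objects, indexed by vout


# Constructed ledger in confirmation order. Comments give the tweet's dates.
LEDGER = (
    Tx("victim_funding", (), (Output("victim", 75.0),)),
    Tx("clean_funding", (), (Output("clean_src", 38.75),)),          # unrelated funds (assumed)
    Tx("ransom", (("victim_funding", 0),), (Output("darkside_A", 75.0),)),                 # 5/8
    Tx("split", (("ransom", 0),), (Output("affiliate_B", 63.75), Output("operator_C", 11.25))),  # 5/9
    Tx("hop", (("split", 0),), (Output("wallet_D", 63.75),)),        # 5/27, key later held by FBI
    Tx("comingle", (("split", 1), ("clean_funding", 0)), (Output("mixer_E", 50.0),)),      # assumed
    Tx("peel", (("comingle", 0),), (Output("F", 25.0), Output("G", 25.0))),                 # assumed
)


def trace_taint(ledger, seed_txid, seed_vout):
    """Propagate taint forward from one seed output.

    Returns (taint, spent, outputs): taint[(txid, vout)] is how much of the
    seed value sits in that output; spent is the set of consumed outputs;
    outputs maps every (txid, vout) to its Output. Fees (inputs minus
    outputs) silently absorb their proportional share of taint.
    """
    outputs, taint, spent = {}, defaultdict(float), set()
    for tx in ledger:
        total_in = tainted_in = 0.0
        for ref in tx.inputs:
            if ref not in outputs:
                raise ValueError(f"{tx.txid} spends unknown output {ref}")
            if ref in spent:
                raise ValueError(f"double spend of {ref} in {tx.txid}")
            spent.add(ref)
            total_in += outputs[ref].amount
            tainted_in += taint[ref]
        for vout, out in enumerate(tx.outputs):
            ref = (tx.txid, vout)
            outputs[ref] = out
            if ref == (seed_txid, seed_vout):
                taint[ref] = out.amount                      # the ransom itself: fully tainted
            elif total_in > 0:
                taint[ref] = tainted_in * out.amount / total_in  # haircut share of inputs' taint
    return dict(taint), spent, outputs


def tainted_balances(ledger, seed_txid, seed_vout):
    """Tainted value still sitting in unspent outputs, summed per address."""
    taint, spent, outputs = trace_taint(ledger, seed_txid, seed_vout)
    by_addr = defaultdict(float)
    for ref, out in outputs.items():
        if ref not in spent and taint.get(ref, 0.0) > 0:
            by_addr[out.address] += taint[ref]
    return dict(by_addr)


def recovered_share(ledger, seed_txid, seed_vout, seized_address):
    """Fraction of the seed value that ends up at the address that was seized."""
    taint, _, _ = trace_taint(ledger, seed_txid, seed_vout)
    balances = tainted_balances(ledger, seed_txid, seed_vout)
    return balances.get(seized_address, 0.0) / taint[(seed_txid, seed_vout)]


if __name__ == "__main__":
    for addr, amt in sorted(tainted_balances(LEDGER, "ransom", 0).items()):
        print(f"{addr:12s} {amt:8.4f} BTC of ransom-derived value")
    print(f"seized share: {recovered_share(LEDGER, 'ransom', 0, 'wallet_D'):.0%}")
```

Walking the constructed ledger, 63.75 BTC of ransom value sits intact in wallet_D, the 85% share that matches the FBI recovery figure quoted earlier in the piece, while the 11.25 BTC that passed through the co-mingling transaction is spread as 5.625 BTC each over F and G. Real investigations must also handle fees, change outputs, address clustering and the thousands of hops a professional launderer adds, but the propagation rule is the same, and the analyst’s choice of rule (haircut, first-in-first-out, or “poison” where any tainted input taints every output) materially changes who gets flagged.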
It’s important to put ransomware in context, too. “Ransomware is simply the most recent method used by criminals to monetize their exploits,” says Neuman. “At some point it might cease to be called ransomware, but attacks on computer systems will take other forms.” Adds Sauter: “Everyone would win if there were an industry-based solution.”
In sum, people tend to overestimate Bitcoin’s anonymity and underestimate its transparency. “There will always be bad actors,” as Jevans notes, but ransomware groups will realize that crypto payments are traceable, leaving them vulnerable and perhaps even inciting them to find other means by which to pursue their perfidious trade.
Meanwhile, “Continued advancements in blockchain analytics will provide investigators with more and even better insights over time,” says Carlisle. And as law enforcement agencies become increasingly adept in their use of these analytic tools, “We can expect to see more, and bigger, [ransomware] seizures over time.”