While 2020 will be remembered for the beginning of the COVID-19 pandemic, 2021 may be remembered as the year when ransomware entered the collective public consciousness, courtesy of the Colonial Pipeline[1] and JBS ransomware attacks.[2] But ransomware has actually been around for decades.
The first ransomware attack was the AIDS Trojan attack that took place in 1989, also known as PC Cyborg, named after the corporation to which victims were directed to make payments. PC Cyborg was spread through old-fashioned floppy disks containing a survey about AIDS research, along with malware that activated after a computer powered on 90 times, hiding directories and encrypting files.[3] If one wished to regain access to the system, they needed to accede to the demand for payment. The dollar amount in question? US$189. Almost 2 decades later in 2006, when the GPcode ransomware infected PCs, the total ask of victims was still only between US$100 and US$200.[4] Why so low? Because large monetary transactions are potentially traceable and could trigger the filing of a Suspicious Activity Report (SAR). In some cases, ransomware operators instructed victims to purchase gift cards. But purchasing large quantities of gift cards could also raise suspicion. It was not until bitcoin's appearance in 2008 (which would be followed by other cryptocurrencies) that criminals solved this dilemma by delinking payments from the banking system, resulting in the ransom payments in the millions of dollars that can be seen today.
To address cryptocurrency's role in ransomware, there is a growing push to impose traditional financial system requirements on crypto exchanges/operators (e.g., know-your-customer [KYC] requirements intended to prevent the exploitation of the financial system by criminals or terrorists). Indeed, the European Commission proposed rules in July 2021 that would require cryptocurrency exchanges to implement KYC-type rules while prohibiting anonymous crypto services such as anonymous accounts hosted by third parties.[5]
But there is not a cryptocurrency problem writ large so much as there is a problem with particular cryptocurrencies, crypto exchanges and unhosted cryptocurrency wallets used for illicit purposes. Just as there are legitimate financial institutions that willingly comply with regulations (and there are those that skirt traditional norms), there are legitimate cryptocurrency organizations and those for which such regulations will prove of little use. Sadly, it is the entities to which these regulatory measures would be primarily targeted—those facilitating ransomware payments—that are the least likely to comply, often located in uncooperative countries such as Russia and other Eastern European states, where enforcement of these measures would be difficult at best.
Notably, the European Commission's proposed rules would not cover person-to-person transactions (i.e., transactions where there is no intermediary crypto exchange involved), creating a significant loophole through which bad actors can continue to exchange cryptocurrency without worrying about application of KYC rules. Similarly, while China's recent push to ban financial institutions and payment companies from facilitating cryptocurrency trading will likely bolster its nascent digital yuan, it is unlikely to deter criminal use of the currency.[6] Yet the push to regulate, if not outright ban, cryptocurrency continues to gain traction in other large economies. For example, India's government is rumored to be preparing to introduce legislation that would both "ban the use of cryptocurrencies as a method of payment in India" and enable criminal penalties for violating such a law, potentially including "arrest without a warrant and being held without bail."[7]
And then, of course, there is the problem of money mules, or unscrupulous middlemen used by ransomware operators to put a layer of anonymity between them and the ransom payments, who, by design, have no contact with, nor knowledge of, the ransomware actors. Unregulated money mules were the bane of my existence in my US Department of Justice (DOJ) prosecution days, and there is still a lack of laws strong enough to effectively deter and punish such activity. In other words, regulations may help, but they will not solve the problem by themselves.
The same can be said of the US Treasury Department's September 2021 sanctions against cryptocurrency exchange Suex OTC.[8] Having facilitated transactions involving illicit proceeds for at least 8 ransomware variants, and with more than 40% of its transactions linked to illicit actors, Suex certainly deserves it. And as a nested exchange—an intermediary for its clients with major cryptocurrency exchanges—there is a possibility that other major exchanges may cease to do business with Suex, effectively shutting it down.
But Suex's operators remain free to rebrand and re-enter this burgeoning industry. Indeed, something similar to this occurred after the US Treasury Department's 2020 advisory warning that it is a violation of US federal law to pay or facilitate the payment of ransom to a sanctioned individual or entity.[9] Ransomware operators began shutting down and re-emerging with new names, creating plausible deniability for ransom-paying victims afraid of potential criminal or civil penalties.
Sanctions also presume there is adequate transparency for authorities to track and identify sanction violations, which is by no means assured given the varying levels of anonymity implicated, and the question of whether those other exchanges even have assets subject to US jurisdiction. In other words, the effectiveness of sanctions relies upon a number of assumptions, which may or may not be applicable in a virtual world of cryptography and anonymity.
In short, we cannot regulate our way out of this problem, nor can we sanction our way out. But there is hope.
As demonstrated after the Colonial Pipeline ransomware attack, the US Federal Bureau of Investigation (FBI) recouped approximately 63 of the 75 bitcoin taken.[10] Ironically, had the funds been paid using the traditional banking system, it is far less likely that this money could so easily have been recovered; certainly not as quickly. And while the search warrant used by the FBI was devoid of detail as to how the FBI secured the key to the wallet, one can surmise that this occurred either through the use of a cooperating witness, or through covert electronic surveillance of 1 or more of the actors controlling the wallet.
Of course, the next logical question is what about more opaque and nontransparent cryptocurrencies, such as Monero, that are preferred by criminal elements?
Monero's selling features highlight untraceability (e.g., omitting sender and receiver addresses from the public blockchain, splitting transactions into random groups and then grouping them with other unrelated transactions). And then, of course, there is the 25-word mnemonic seed needed to access a Monero wallet, with people directed to write down that key and put it in a safe place offline.
Much like the technological challenges that came with the movement of intellectual property (IP) crime to the peer-to-peer and the Onion router (Tor) networks, and more recently, the use of virtual worlds to launder money, each technology has vulnerabilities that can be exploited, not to mention human actors who are neither infallible nor invulnerable.
Recall that the Tor network, with its routing through a potentially infinite number of nodes (much like the layers of an onion) was supposedly a game changer for law enforcement. Eventually, however, law enforcement realized that exit points from the Tor network were vulnerable and susceptible to monitoring.
Similarly, while sender and recipient addresses in Monero are omitted from the public blockchain, people still need to communicate from a local network to engage in transactions, which involves sending packets that can be captured. Indeed, rumors have long swirled that CipherTrace, recently acquired by Mastercard, developed a tool that can trace Monero transactions for the US Department of Homeland Security (DHS) and the FBI.[11]
Likewise, writing down passwords, whether 1 word or 25, creates another vulnerability, susceptible to damage in the form of sneak-and-peek warrants or compatriots turned cooperating witnesses. And then there is infiltration of the network through traditional undercover operations, such as running an undercover crypto exchange.
There is also the fact that much of the ransomware is attributable to a small group of Ransomware-as-a-Service (RaaS) operators that publicly and willingly provide infrastructure and support to wannabe ransomware actors with whom they may not have any known preexisting relationship, rendering them susceptible to undercover infiltration.
And at the end of the day, criminals will eventually need to convert their cryptocurrency to negotiable fiat. Consider the Suex crypto exchange, which allows people to cash out in offices in the Middle East and Russia, boasting it can convert cryptocurrency "into cash and even real estate, cars and yachts."[12]
But to identify vulnerabilities, law enforcement professionals must dedicate resources to better understand blockchain technology, and man-hours to infiltrate the networks and work their way up the criminal hierarchy. The fight against various groups that took place after the US terror attacks on 11 September 2001 was successful because resources were dedicated to understanding the infrastructure, identifying communication channels and methodologies, mapping the key players and infiltrating networks. The strategy for defeating the criminal use of cryptocurrency is the same. The June 2021 FBI seizure of bitcoin after Colonial Pipeline worked because the FBI understood the blockchain trail, used that knowledge to identify the bitcoin wallet, compromised one of the keyholders (either through electronic surveillance or with a cooperating witness), and seized the money.
The DOJ's National Cryptocurrency Enforcement Team, composed of anti-money laundering and cybersecurity experts, focused on rooting out cryptocurrency abuse and "disabl[ing] financial markets that allow cybercriminals to 'flourish'" is a step in the right direction.[13]
Toward that end, on 8 November 2021, the DOJ announced the seizure of US$6.1 million in assets from an account belonging to Russian national Yevgeniy Polyanin, allegedly linked to the REvil ransomware group, held with the FTX Trading Limited cryptocurrency exchange.[14] While it is not yet clear precisely how the government traced the cryptocurrency to Polyanin's FTX account, this clearly illustrates that not all crypto exchanges are a problem, and indeed, some can actually be part of the solution. After all, legitimate cryptocurrency exchanges have a vested interest in working with law enforcement to remove the criminal element that can potentially mar their reputation and put at risk the very assets upon which their livelihood and valuations depend. But there also needs to be an effort to actively pursue, apprehend, prosecute and extradite (if necessary) the actors who facilitate criminal cryptocurrency transactions, perhaps with conspiracy, aiding and abetting or other legal charges.
While prosecutions have, admittedly, been less successful against nation-state hackers, many of whom were indicted in absentia but have never seen the inside of a courtroom, accountants and those moving money for criminals have always been a criminal network's Achilles' heel. And because cryptocurrency operators/facilitators do not have any connection to their victims, they likely assume impunity, which, in itself, can lead to lax security and more opportunities to apprehend them, whether within the United States, or while traveling within the territory of a US ally willing to execute an arrest on behalf of the United States and then extradite that suspect to stand trial (assuming there is a mutual legal assistance treaty in place).
Conclusion
At the end of the day, there is no one-size-fits-all approach to combatting the use of cryptocurrency in facilitating ransomware attacks. Much like blockchain itself, cryptocurrencies will continue to evolve. By dedicating resources to understanding the unique ways that each cryptocurrency operates, identifying the associated technical and human vulnerabilities, and removing the cryptocurrency facilitators through targeted prosecutions, the costs for both ransomware actors and cryptocurrency facilitators will be raised.
Ideally, if these efforts succeed, 2022 could be remembered as the year that put an end to the use of cryptocurrency to facilitate ransomware.
Endnotes
[1] Rosencrance, L.; "Colonial Pipeline Attack: Everything You Need to Know," ZDNet, 13 May 2021
[2] Creswell, J.; N. Perlroth; N. Scheiber; "Ransomware Disrupts Meat Plants in Latest Attack on Critical U.S. Business," The New York Times, 3 June 2021
[3] Waddell, K.; "The Computer Virus That Haunted Early AIDS Researchers," The Atlantic, USA, 10 May 2016
[4] Nazarov, D.; O. Emelyanova; "Blackmailer: The Story of Gpcode," SecureList, Russian Federation, 26 June 2006
[5] Bateman, T.; "EU Will Make Bitcoin Traceable and Ban Anonymous Crypto Wallets in Anti-money Laundering Drive," Euronews, 26 August 2021
[6] John, A.; S. Shen; T. Wilson; "China's Top Regulators Ban Crypto Trading and Mining, Sending Bitcoin Tumbling," Reuters, 24 September 2021
[7] Ahmed, A.; N. Anand; "Proposed India Bill Banning Crypto Payments Could Mean Jail for Violations - Document," Reuters, United Kingdom, 7 December 2021
[8] US Department of the Treasury, "Treasury Takes Robust Actions to Counter Ransomware," USA, 21 September 2021
[9] US Department of the Treasury, Ransomware Advisory, USA, 1 October 2020
[10] US Department of Justice, "Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside," USA, 7 June 2021
[11] CipherTrace, "CipherTrace Announces World's First Monero Tracing Capabilities for Law Enforcement, Government, and Virtual Asset Service Providers," 31 August 2020
[12] Bajak, F.; E. Tucker; "White House Blacklists Russian Ransomware Payment 'Enabler'," Associated Press, 21 September 2021
[13] Bing, C.; S. Lynch; "U.S. Justice Dept Launches New Initiatives on Cryptocurrencies, Contractor Hacks," Reuters, 6 October 2021
[14] Clark, M.; "An Alleged Member of the REvil Ransomware Gang Has Been Arrested in Poland," The Verge, 8 November 2021
Joel Schwarz, JD, CDPSE, CIPP
is an experienced consultant and attorney specializing in privacy, cybersecurity, cyberintelligence, electronic surveillance and compliance oversight. He is currently a director and the privacy and data protection lead for MBL Technologies and an adjunct professor at Albany Law School (New York, USA), teaching courses on cybercrime, cybersecurity and privacy. Schwarz also contributes as a cybercrime expert for a Washington, DC, USA, television news station. He previously served as the civil liberties and privacy officer (CLPO) for the US National Counterterrorism Center, was a cybercrime prosecutor for the US Department of Justice and the US State of New York Attorney General's Office, and was Counsel on E-commerce and Privacy for MetLife.