Gurvais Grigg, Chainalysis public sector CTO, and Kim Grauer, director of research at Chainalysis, review the ransomware landscape. Show Highlights:
- their backgrounds and roles at Chainalysis
- how a ransomware attack works
- what types of businesses are usually targeted in ransomware attacks
- why ransomware as a service (RAAS) is a booming business
- why Kim and Gurvais believe the hacking group REvil is becoming more sophisticated
- what characteristic of REvil hints that the group could be affiliated with Russia
- how the RAAS business model works
- how ransomware payments can be tracked
- why ransomware reporting has a data problem
- why Bitcoin is the preferred method of payment amongst ransomware attackers
- what two factors makes BTC preferable to privacy coins
- how ransomware groups teach victims to transfer BTC
- how ransomware groups cash out of their BTC
- how counter-terrorism tactics can help fight ransomware attacks
- how the Department of Justice may have partially recovered part of the Colonial Pipeline ransomware payment
- what tools and strategies governments can and will use to battle ransomware
Thank you to our sponsors!
Crypto.com: https://crypto.onelink.me/J9Lg/unchainedcardearnfeb2
Conjure: https://conjure.finance
Episode Links
People
Kim Grauer – Director of Research at Chainalysis
Gurvais Grigg – Global Public Sector Chief Technology Officer at Chainalysis
Chainalsysis Ransomware Data
- https://go.chainalysis.com/rs/503-FAP-074/images/Chainalysis-Crypto-Crime-2021.pdf
- https://blog.chainalysis.com/reports/applying-counterterrorism-strategies-to-ransomware
- https://blog.chainalysis.com/reports/eastern-europe-cryptocurrency-market-2020
Ransomware Attacks
- Kaseya
- Colonial Pipeline
- JBS Holdings
Other
- Chainalysis
- Twitter: https://twitter.com/chainalysis
- Website: https://www.chainalysis.com/
- Who is REvil?
- Combating ransomware: https://securityandtechnology.org/ransomwaretaskforce/report/
- Why Gurvais joined Chainalysis: https://blog.chainalysis.com/reports/gurvais-grigg-chainalysis
Transcript:
Laura Shin:
Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I’m your host, Laura Shin, a journalist with over two decades of experience. I started covering crypto six years ago and, as a senior editor at Forbes, was the first mainstream media reporter to cover cryptocurrency full time. This is the July 20th, 2021 episode of Unchained.
My book, “The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze,” is available for pre-order on Amazon, Barnes and Noble, or any of your favorite books stores. Go to bit.ly/cryptopians and pre-order today.
Crypto.com:
The Crypto.com App lets you buy, earn and spend crypto, all in one place! Earn up to 8.5% interest on your Bitcoin and 14% interest on your stablecoins – paid weekly! Download the Crypto.com App and get $25 with the code “LAURA” – link is in the description.
Tezos:
Tezos is smart money that is redefining what it means to hold and exchange value in a digitally connected world. Discover how people are reimagining world around you on Tezos!
Conjure
Conjure brings any asset you want onto Ethereum by allowing for users to create synthetic assets which track other markets. With 0 interest loans and unlimited assets, it’s helping defi to consume tradfi. That’s conjure.finance, so check it out!
Today’s topic is ransomware. Here to discuss is Kim Grauer, director of research at Chainanalysis, and Gurvais Grigg, public sector CTO at Chainanalysis.
Ransomware has become quite the phenomenon this year, with hackers extorting $412 million from victims last year, and in the first five months of this year, obtaining $127 million. Then at the beginning of July, a group called REvil perpetrated the largest ransomware attack so far infecting more than 1 million computers. And for that, they demanded a $70 million ransom. Before we dive into all the particulars on the topic for today, why don’t you each tell us a bit about yourself and your background and how you came to learn about this topic. Why don’t we start with Gurvais.
Gurvais Grigg:
Well my name is Gurvais Grigg, as you said. I’m a 23 year veteran retired from the FBI. Before that was a stock and bond broker. I started my career in the FBI working violent crime, and then moved into white collar and advanced financial fraud and money laundering. Then 9/11 happened and I pivoted to counter terrorism. And in particular counter terrorism for terrorist financing. I spent a good bit of my career working in counter-terrorism and matters associated to that. Then I moved into the intersection of technology with that and spent the latter half of my career working advanced technology issues for the FBI. But I knew when it came time to retire, that I wanted to try to keep that passion with technology and my love of advanced financial analysis and supporting public sector. So when this opportunity with Chainanalysis came along, it was sort of the trifecta of all of those passions.
Laura Shin:
And Kim, what about you?
Kim:
I have been at Chainalysis for about four years now. I have been always just trying to figure out what is going on with our data. Oftentimes that looks like thinking about crime and what types of criminal activity are really surging in certain time periods and trying to figure out why that might be. I have a background in economics. I worked for the city of New York before I made the jump into crypto. I worked with them on a few blockchain initiatives. And I was happy to see that they have continued those efforts since then. We just finished updating some ransomware data and are working on a few other interesting research topics that are going to come out over the summer.
Laura Shin:
Great. So let’s talk about ransomware. I think most people know, but let’s just define it just to make sure everyone’s on the same page. Can you describe what happens to an organization that becomes a victim of one of these attacks?
Gurvais Grigg:
Ransomware has gone through an evolution over the years from the most original instances of that to some of the sophisticated instances that you see and the one you referenced just recently with this getting more and more complicated and larger and larger in scope. Basically an individual or group of individuals using technology and code will infect or enter into a person’s system and then hold hostage their data encrypted, or even sieze, steal it. Then they will demand payment back from the company to unlock that data or to return it, or in this case, as they’ve evolved, extort payments to not release or make publicly available that data. So you can see this evolution of extortion from first, just trying to lock up your data so you can’t access it — to all the way, stealing it and then threatening to release it or extort you if you don’t pay them in a timely fashion, they then DDoS your system and do other damage.
Laura Shin:
And so what happens when you become a victim? Is it just that whoever shows up for work first that day realizes they can’t get in the system and there’s like a pop-up?
Gurvais Grigg:
Many companies have an operations center who are monitoring the health and maintenance of their networks. And so sometimes it may begin where certain users in the company are saying, wait a minute, I can’t get access to the data that I need, or the system is sloggy, or it’s not running at optimum performance, or a pop-up comes up and says your system has been infected and we’re now holding you hostage. That is sort of that equivalent of the old days ransom note for the person that you love and care about that’s been kidnapped and we demand payment. It can take various forms, but the bottom line is it’s that uh-oh moment for the company to realize, oh my goodness, we don’t have access to our data, what’s happened to our customer records? Then they get the extortion.
Laura Shin:
And what types of organizations and industry do they typically attack?
Gurvais Grigg:
You know, it has run the gamut. Last year during the height of the pandemic, we saw healthcare providers, hospitals, and the like being attacked. You’ve seen in the news government institutions and organizations of that. We’ve seen financial institutions, food service providers, energy, critical infrastructure. It’s really beginning to spread into not just those boutique entities that most people have never heard about. And that’s one of the pernicious aspects of the ransomware campaigns as they’re evolving is it’s beginning to infect and impact large scale services that we critically depend on to run our everyday lives.
Laura Shin:
I don’t know if either of you saw this, but New York Times reported that it got a glimpse of a dashboard on the Darkside ransomware site, and apparently Darkside was forbidding its affiliates from attacking any educational, medical, or government targets. I found that kind of curious — what do you make of that?
Gurvais Grigg:
If you look back at the comparison that some have begun to draw between ransomware and counter terrorism, it is an established pattern for some terrorist group to be careful about who they attack, right? There are certain dragons you don’t want to poke and wake up. Also, there are certain entities that maybe you call off and you say, we don’t want to go there. That’s not even uncommon for mafiosos in drug gangs, where they will identify areas where they don’t want to impact, or they don’t want to raise attention by certain groups. So it’s not surprising to me that groups would create carve-outs in areas where they either want to target or want to avoid targeting.
Laura Shin:
And Kim, do you have anything to add on that?
Kim:
I’ve heard of ransomware strains, for example, last year, saying that they’re not going to attack hospitals. And I think that because of how distributed some of these affiliates networks can be, I think that we saw that actually people didn’t follow that. So they said that, and then there actually were some hospitals that were attacked by said strain. What does it mean when a ransomware strain comes out and says, I’m not going to be attacking this? Do you just trust them? Do you take them at their word?
We’ve seen them go back on what they’ve said to do in the past, especially when they said they were not going to be attacking hospitals. Echoing what Gervis said, potentially there is some desire to not really sound all the alarm bells to get everyone kind of hunting the trails of these ransomware criminals, but I don’t really know what else to make of it other than it’s just kind of signaling that, hey, maybe don’t pay too much attention to us — we’re not going to attack these terrible things. But in reality, I think they have and would if they thought they could get away with it.
Gurvais Grigg:
At the end of the day, it’s all about money, Laura. As I mentioned their own counter-terrorism, you can see groups over the years that say, Hey, we don’t attack citizens. We just attack the military and law enforcement, or we just attack government buildings. The problem is that you can’t put a bomb outside this outside of government building a non-impact the public. So you get that spill over and these people don’t always care about those collateral consequences.
Laura Shin:
Yeah. I guess you know, earlier, when you were saying you felt that they didn’t want to poke the bear, I could see that making sense for government and for medical as well in the sense that might catch the government’s attention. But educational, I kind of was just like, hmm, so maybe some kids don’t get to go to school one day, or I don’t know. I was kind of like, huh, I wonder what that’s about, but maybe it’s because once you affect children then then, I don’t know, then that also catches the government’s attention. I wasn’t sure.
So tell us a little bit more about who is behind the attacks. Are they people who are criminals in other ways, or are they more like people who just are looking for a quick buck or kind of like teenagers who don’t have a legitimate way to earn money with their computer skills? Or is it something else?
Gurvais Grigg:
Well, I know Kim can add to this, but let me just set up a part of that. The environment is really evolving. If we were to go back a number of years ago, many of the actors and players in this mission space had advanced technical skills, right? They would both design their solutions, would identify their targets, they would infiltrate their targets, exfil the data, and do that. But what has emerged over the last several years, and I think you alluded to it, is this really ransomware as a service that has come out. Where there’s this whole ecosystem that’s been built up around it. Kim has some powerful data about that we help analyze for our customers where you don’t have to do all of those things yourself. In fact, you don’t have to be particularly sophisticated. What that means is that it has lowered the barrier to entry so that more players who perhaps in previous years could not have done what they can do now are able to buy those services and get in the game. That’s both scary and profound because it broadens the aperture of players and targets that these companies, governments, and entities have to defend against. It really raises the amplitude.
Kim:
I would say that we’re getting really good at starting to try to create more elaborate profiles of who some of these ransomware criminal gangs really are through a variety of methods that mostly involve data analysis, but bringing a lot of different stakeholders together to look at the same data with different means. And what I mean is we’re getting good at this is because not only are we kind of a data platform where we can see all these different ransomware strains and how active they are, but we can also see what types of services they are using. What types of darknet marketplaces are they using to potentially purchase access? Are there certain languages that are used on the off-ramps that they’re choosing to send the stolen funds to? We’re getting really good at profiling these criminal gangs. Let’s look at the actual malware. There’s been some research on strains that say, hey, don’t attack certain regions. And we put out some research recently saying a majority of the top strains active today have a code baked into the actual attack malware that says don’t attack CIS countries. So don’t attack Russian speaking countries mostly.
So we can put all these things together to start to profile who they might be, get a lot of good leads for law enforcement. In terms of why do people turn to ransomware? I’ll echo a lot of what Gurvais said. It’s probably a more complicated answer that has a regional dimension as well and kind of depends on which gang you’re looking at in which context they’re coming out in. But we have the tools to kind of profile each of these strains in a better way going forward, at least for us.
Laura Shin:
Before we get a little bit more into the ransomware, as a service, which is just so fascinating to me, I do want to know a little bit more about REvil — the group behind the largest ransomware attack so far. Can you tell us some more about this group? Obviously they’re the ones behind the headlines in recent weeks.
Kim:
What I can tell you about REvil is that since it is an ongoing investigation, of course, we can’t get into too many details of what is going on. But we can look at how has REvil changed over time, how have they evolved, what services are they using? One thing that struck us when we were looking at the data, the whole time series of data surrounding REvil, is the almost exponential growth in the size of payments that are being demanded of this organization. To me, that typically signifies a growing sophistication of a certain bad actor, because they’re probably have a more sophisticated target.
They probably have more resources to carry out this attack. So we’re seeing that with this particular strain. REvil is a prolific user of mixers and more advanced technologies to move funds as well. We have been able to triangulate and see all the different kinds of methods that REvil is using and how they’re changing over time. I personally don’t know who they are, but all of this data is actually really helpful to paint this bigger picture of what’s going on with this strain.
Laura Shin:
Is your sense that they originate in Russia.
Kim:
REvil — they are one of the many groups that are affiliated with Russia. And they have that code that I had mentioned before around the do not tax/attack CIS countries. So that is leading. Interpret that how you will. But to me, it is kind of established that if there’s not a definite connection, then it’s like a strongly assumed connection. CIS is for Commonwealth Independent States — Russian speaking.
Laura Shin:
Why is it that so many of these cyber criminal gangs do originate in that region?
Gurvais Grigg:
That’s a good question. What we can see is where you have lax jurisdictional control or where the authorities either lack the ability or lack the willpower to do something about it — that creates an opportunity for those types of environments to flourish. That’s not uncommon in the money laundering sector and other types of frauds and scams, where you have the weak infrastructure or a governmental position that either takes no position or chooses not to take a position, then that can breed an environment where those kinds of actors feel safe to operate with impunity or above or outside the law. And we see that in some of those kinds of CIS environments, as well as other places around the world where some of this ransomware strain infrastructure is choosing to position itself.
Laura Shin:
So now let’s dive into this full-on business model, which is so fascinating because it seems like it’s plucked straight out of a Silicon valley playbook. As you talked about, they follow this ransomware as a service model, which is similar to any other, software’s as a service or SAAS model such as corporate email, that’s powered by Gmail or something, and then there are affiliates. So just describe what this whole structure is, how it works, and how the different groups within this business model each make their money.
Gurvais Grigg:
So it is kind of an interesting evolution from a technology perspective, to see how criminals have adapted to the SAAS model. That comes as no surprise given that criminal organizations and criminals themselves are oftentimes very innovative. They operate in a brutally competitive market where the advantages have to be pursued. They also don’t have some of the constraints that legitimate actors have to worry about. Privacy, legality and so forth. They’re somewhat freed and unfettered. Additionally, because they have proceeds derived from their illicit activities, they’re able to quickly pivot and buy things. We used to see that when I was working on the Southern border, where the drug cartels would quickly pivot to new technologies that sometimes took a while for the government institutions to adopt and get their arms around.
So they quickly will gravitate to new capabilities. And when you look at this, if you’re a purveyor of malware and ransomware, you want as many people as possible using your stuff so that you get your cut. If you want to get into the space and be able to make some money, but you lack the technical sophistication or you don’t know how to do that entirely, this provides you a way through the dark market to find those vendors who can sell you those services. So this is sort of way it looks like. Say you want to conduct a ransomware attack. Obviously you go out there and you find a vendor who can provide you that technical service, right? The tools and data and software techniques. Then you’ve got to look and say, well, who can provide me cloud hosting services. So when I steal all this data, I’ve got to put it somewhere. So you find an elicit cloud provider who will allow you to host the stolen data. Then you also, as Kim said, you’ve got to find someone who can maybe help you with the mixing and the obfuscation and the laundering of those funds to try to obfuscate where they came from. And then you also, of course, and most importantly, you need somebody to help you exfil that and turn that back into Fiat. So you need someone who can help you offload that and off ramp that money.
So if you’re doing this across this ransomware service. And one of the unique things that is both a strength, but a vulnerability is, how are they paying all these people along that ransomware supply chain? They’re paying them with cryptocurrencies. So cryptocurrency and the blockchain become one of those unifying datasets that allow authorities and those attempting to blunt the impact of ransomware, the ability to identify that strain. That’s where Kim and her team really shines because they can pull together that data and give us a better picture of the crypto and ransomware ecosystem. In fact, you’ll probably get into it later in our broadcast about how a lot of those things consolidate to a surprisingly few number of addresses. I won’t steal her thunder on that, but I was taken aback when I learned about it.
Laura Shin:
Kim, do you wanna tell us more about that?
Kim:
The cool thing about this… I think Gurvais covered a lot of really interesting ground. The first is that there is no kind of central data source with US dollars where you can see where all the illicit money is going. There’s just no data set like that. It’s very siloed. Each investigation is very specific and takes into account many different cross jurisdictional pieces of information. You have to coordinate with different — especially when it comes to cross border investigations. And so this dataset does allow us to have a really strong sense of what is going on overall. When it comes to the ransomware as a service business model, we see this happening a lot. You hear about this in the news. The cool thing is we can put data to this phenomenon. We can see the amount of volume, the amount of cryptocurrency that is moving from ransomware strains to these other kinds of illicit cyber networks that allow the activity to continue and to go on to darknet marketplaces, or to purchasing infrastructure as a service.
What we noticed, and it didn’t actually make it into our crime report, what we did notice is that the share of overall ransomware proceeds going to the infrastructure has been growing pretty fast. And to me, that means that more of the actual kind of supply chain of crime is coming on the blockchain. So you have less need to cash out to go pay your web hosting provider. You’re doing it on the blockchain.
So that means there are maybe fewer opportunities to catch these people, because that fiat conversion is a really good opportunity to sweep in and get the identity. But we’re modeling out the business model, the business infrastructure, in a way that you just can’t do without this dataset. We’re seeing more money flowing between ransomware strains to these off-ramps. And then we can look at the money laundering as well. And what Gurvais was pointing out is that we said, where are all these ransom funds winding up? What services? That’s the key, getting them at that off-ramp. That’s when maybe you’ll be able to freeze the funds, maybe you’ll be able to catch the person. If you’re kind of a researcher like me, I’m like, then I can see what’s going on and how many bad guys there are.
Ransomware, of all the types of criminal activity, was the most concentrated on the number of off-ramps both in terms of services and deposit addresses receiving those funds. It was by far the most concentrated. So of all the other types of illicit activity, which were a little bit more dispersed among different services, ransomware went to the fewest services and the fewest deposit addresses on those services. To us, that echoes this kind of of the concentration definitely. But the money laundering infrastructure that criminals will use who carry out many different ransomware attracts attacks, will then use the same laundering infrastructure to move their funds. And to us, that shows that, hey, these, these groups are connected and this is them purchasing almost the money laundering portion of their attack in this whole ransomware as a business infrastructure process.
Gurvais Grigg:
And Laura, why that is significant from an investigator’s perspective. I remember with my time in the FBI, when we were looking to dismantle a criminal organization, one of that was to look at their hierarchy — how they operate, how they communicate, how they move money. If you could find those central nodes that were critical to maintaining their network infrastructure of how they do a business, and you could isolate and eliminate those by arresting or seizing funds or denying them the ability to perform those actions, you could really impact the viability of that whole network and in some cases completely dismantle it or really set them back. And they would have to go to extraordinary means to route around that. Like if you’re on an island and there’s only one highway to get to either side of the island and there’s a rock slide, nobody’s going anywhere until you can build a new road or get rid of the rocks. And that’s when this kind of information can become so powerful for investigators to understand and map that ecosystem so they can identify those network nodes and those operators to take them down to dismantle the ability for these campaigns to continue and propagate.
Laura Shin:
Kim, earlier, when you were talking about kind of the small number of places where these payments are being made, you tell me if this interpretation is correct, that even though there are different strains of ransomware that are going around, based on the movement of those payments, it appears that multiple of them are actually perpetrated by the same groups? Or that the same service providers are working with multiple groups and so like certain payments will always end up in the same places. Is that kind of where you were going with that?
Kim:
Those both could be true depending on the strain. I’ll give you an example.
We’ve identified a really large laundering service. We know this a laundering service. They’re receiving funds from multiple disconnected strains that are not considered to be written by the same operator. How did they all wind up using the same laundering infrastructure? Potentially there’s an affiliate. An affiliate is someone who is associated with a ransomware strain, and they’re really behind the attack. And affiliate might be migrating between multiple strains and then using their contacts to send the money to the money-laundering person. I mean we know in money-laundering rings using US dollars or fiat, there are many different people who are responsible for different parts of moving the money. There’s not one person who’s the money launderer. There are runners around around the world and whatnot. And so there are people who are connected connecting multiple strains together. And so the takeaway for me is that this ecosystem is maybe a little bit smaller than you would have thought otherwise.
Laura Shin:
We’re going to talk about that in a second. But first I wanted to ask, and I’m not sure if there is a figure on this, but do you have a sense of what percentage of victim organizations do pay the ransom?
Kim:
So my answer to that is that… There’s a data problem with ransomware, that we’re working really hard right now to overcome with initiatives like being a participant in the ransomware task force, which is bringing lots of different stakeholders together to say, how can we all work together to combat this problem? There’s a data problem because there’s an under-reporting problem. People are attacked and maybe they just want to pay the ransom and have this be done with. Or they just ignore it. There’s a lot of reasons why people don’t don’t report their ransomware attack.
We only have data on the people who actually reported their ransomware attacks. So we can’t actually probably give you a good estimate. Not to mention the number of people who maybe where there was a phishing attack attack that could have led to a ransomware infection, but the, the InfoSec, weeded that out. So does that count? How does that count?
So we are really trying to navigate this to get better data, to figure out how big this problem is. And that’s why having a central data source and putting out these numbers where over a hundred million dollars in ransomware payments year to date is really important, so we can size the problem up. But that’s a long way of saying that I’m not quite sure.
Laura Shin:
Do you guys have a recommendation on whether or not victim organization should pay the ransom? Or just in general, what would you say is the best protocol for them?
Gurvais Grigg:
We don’t really have a position where we advocate whether pay or don’t pay. I can tell you what the authorities say and recommend is to not to pay, but if you do, please let us know as soon as possible. That’s kind of the message that you hear repeated oftentimes out of the authorities. They recommend not paying because it further funds the next attack, because the money received from this attack only propagates into the next one. And so the exploitation cycle continues and you want to break the chain, no pun intended, but they do say if you do, and you make that business decision, then please let us know because time is not your friend by delaying.
Laura Shin:
So in a moment, we’re going to dive more into the cryptocurrency aspects of this whole situation, but first, a quick word from the sponsors who make the show possible.
Crypto.com:
With over 10 Million users, Crypto.com is the easiest place to buy and sell over 90 cryptocurrencies. Download the Crypto.com App now and get $25 with the code: “LAURA.” If you’re a Hodler, Crypto.com Earn pays industry-leading interest rates on over 30 coins, including Bitcoin, at up to 8.5% interest and up to 14% interest on your stablecoins. When it’s time to spend your crypto, nothing beats the Crypto.com Visa Card, which pays you up to 8% back instantly and gives you a 100% rebate for your Netflix, Spotify, and Amazon Prime subscriptions. There are no annual or monthly fees to worry about! Download the Crypto.com App and get $25 when using the code “LAURA” – link is in the description.
Tezos:
Tezos lets you easily exchange smart money throughout our digital world. A self-upgradeable blockchain with a proven track record, Tezos seamlessly adopts tomorrow’s innovations without disruptions today. Because of this adaptability, engineers, conservationists, entrepreneurs, collectors, game develeopers, and artists from around the world are building, creating, and using Tezos everyday. Discover how people are reimagining the world around you on Tezos.
Conjure
Do you want to trade gold, currencies or even bananas on Ethereum?
Conjure opens access to the global financial market for Ethereum by allowing for permissionless, user created Synthetic Assets. Conjure allows you to create, borrow and trade synthetic assets which track the value for any conceivable asset, real or abstract using any price feed you want.
Asset creators are able to earn fees on every mint, and scale revenue with direct use for their assets. Synths are minted by providing Ether to collateralize the asset as %0 interest loans.
Conjures helping to bring tradfi to defi and turn Ethereum into the real global financial settlement layer.
Trade Synths for USD, gold, BTC or make your own! Check it out at conjure.finance.
Laura Shin:
Back to my conversation with Gurvais Grigg and Kim Grauer. So let’s talk more about the cryptocurrency aspect of this phenomenon. The perpetrators are demanding cryptocurrency as a ransom. Why is it that this is their preferred way of being paid?
Kim:
I think it’s the preferred way of getting paid because to some degree it’s easier to tell victims to go to a certain known exchange, and it’s easier to onboard people onto Bitcoin. So there’s a lot of really user-friendly ways for people to acquire cryptocurrency. So you can imagine your regular victim of a ransomware attack might have never really heard of Bitcoin.
So what you’re going to teach them how to download all of this to use Monero or something? So there’s a little bit of the fact that it’s easier. These criminals are asking for millions and millions of dollars. The most recent one was asking for $70 million. Using some privacy coins, you might have a little bit of a liquidity problem. How do you off load that money? Increasingly exchanges are thinking of those currencies as being riskier. So those are two reasons why people might prefer Bitcoin. I don’t know. Gurvais do you have other ideas?
Laura Shin:
Even also to just take a step back — why would they prefer cryptocurrency rather than just normal US dollars?
Gurvais Grigg:
At the end of the day, they want to get paid and they want to get paid as quick as possible in a manner that is as fungible as possible. And to the degree that it allows them a level of anonymity or perceived anonymity they’re going to pursue that right. Drop the cash in a brown paper bag at the corner of walk/don’t walk near the dark alley and drive away. They don’t want to be detected.
This is one of things we’ve written about, there is this perception that cryptocurrencies are anonymous. At best they’re pseudo anonymous, but there is that perceived anonymity associated with it. And to Kim’s point, the ease of use and the speed — because cryptocurrency can move across jurisdictions in a moment. Then they can quickly move it from there to another, into another.
Back in the day when some of the romance scams and other things were happening, and the little lady had to go into the bank to pay this money, she had to interact with the bank managers and the bank managers asking her, well, Mrs. Jones, why are you withdrawing $10,000 and want to wire it to country X. So there were a lot of barriers to entry? Whereas here, with this, Ms. Jones never has to leave her home. Now that was in a fraud example, but the same thing is true here for the company. There’s that lowered barrier to entry without some of the perceived checks and balances that help protect our financial institutions and systems. Many of these criminals are opting to cryptocurrency because of that both perceived anonymity and speed and ease of access. We even see them demanding them to go to a local cryptocurrency ATMs and do it right through there.
Laura Shin:
So they’re directing people just to go directly to a Bitcoin ATM?
Gurvais Grigg:
In some cases, right now, these large scale things, you’re not going to go and do $70 million transaction in the cryptocurrency ATM near your local convenient store. But you can see the availability of these. There are over 15,000 in the United States alone, and they’re growing by the day. And so that offers opportunities for individuals to engage in the cryptocurrency market space. But it also facilitates some of these types actors because it’s ease of access for them.
Laura Shin:
And so Kim was implying that they tend to gravitate toward Bitcoin, but why is that over a privacy coin? Just because of the liquidity aspect? I would think… obviously, we all know that Bitcoin is pretty well traceable. Are we seeing them gravitate more toward privacy coins?
Kim:
We have seen some using privacy coins, but there are the limitations that we suggested. At the end of the day, it really is just what’s the fastest way to get me paid now, so I can cash that out into a usable currency. I think Bitcoin is at least perceived to be the most effective way to get there.
Gurvais Grigg:
Fungibility, speed, ease of use, are big factors.
Laura Shin:
I would imagine that if they do turn a privacy coins in a large-scale way, then that would make much more difficult for people like you to follow the funds.
Gurvais Grigg:
I think we’ve seen a positive impact in certain jurisdictions around the world where they have taken hard looks at privacy coins and exchanges. For example, South Korea recently required that these privacy coins to be moved off of their exchanges in their country. And so you can see some of that regulatory pressure happening to free up and make available a safer transaction space. A lot of these privacy coins are looked upon in a negative light from a regulatory stance. Many of those countries have implemented are or are implementing safeguards for that.
Laura Shin:
Interesting.
Are we finding that for a lot of these victim organizations that they have an easy time following the instructions to pay their crypto? I’m sure we’re all quite well aware that most everyday people do not really know how to transact with this stuff. How do they ensure that they actually do get paid — the criminals?
Kim:
I’ve seen detailed instructions of how to make an account on an exchange. I think I saw one on Local Bitcoins. I’ve seen them pointing you to certain exchanges and giving you step-by-step instructions on what to do — detailed instructions on exactly how to acquire a Bitcoin and where to send it to. There’s also the flip side. I think the bigger ransomware payments, they tend to contract out someone to actually handle the whole process of the ransomware payments.
So they’ll hire someone to negotiate and to ultimately pay the ransomware. So they of course have more expertise. Those tend to be for the really large attacks where there’s lots of money — up to multi-millions of dollars that are asked for in cryptocurrency. But other than that, I mean, maybe there are some times where people just couldn’t figure it out and didn’t pay it and then rolled the dice and hoped they got their funds back. But we can only kind of guess on what’s happening with them.
Laura Shin:
You mean they got their files back — their data?
Kim:
We can only guess. If they couldn’t figure it out and didn’t pay, did they get their files back? We don’t know unless they reported it.
Laura Shin:
I would imagine they probably don’t.
Kim:
If they don’t pay, I would imagine that they really just don’t get them back.
Laura Shin:
But then out of curiosity, when people actually do pay the ransom, do the criminals actually decrypt the files for them.
Kim:
I’ve seen both happen. I’ve heard of both happening. I’ve heard people paid and they didn’t get files decrypted. I’ve heard people pay and they did. I’ve even heard of people finding universal decryptors, not paying, and getting out of it that way. I think it really depends on your circumstances and who was attacking you.
Laura Shin:
Once attackers have the ransomware payment, assuming that they do get paid, how do they cash out? You’ve kind of alluded to these money laundering as a service providers. How many are there, where are they located, et cetera?
Kim:
The first thing we do to answer that question is we look at all of the wallets that are controlled by the different strains. Then we just look at where they go after they leave the wallet. That’s where we’re going to see them going to the infrastructure as a service that we mentioned, the dark net marketplaces to support further attacks, but also services where they can convert those funds to either other cryptocurrencies or to fiat. What we’re seeing there is the funds moving through sometimes one wallet, sometimes thousands of wallets, to potentially obfuscate detection, and then winding up on a few services. With blockchain transactions in many exchanges, a lot of the trades that happen are on order books and they kind of manage those order books, We can only kind of guess what happened after that, but at least we know where to look, where to direct law enforcement. So this exchange, this deposit address, and then from there, the next step would be a subpoena where you could say, hey, what do I know about the person managing this deposit address? It looks like it’s actually a service or an OTC broker or an individual, and piece together, all of those other pieces with that off-chain intelligence that we don’t personally have.
Laura Shin:
Is your sense that there are many such services like these? And if so, is that why they are still able to proliferate? Like you said, if it’s something where you can identify an account and get a subpoena to get more information on that, I would imagine that that would be a very natural kind of vector for law enforcement to go after.
Kim:
There are not very many deposit addresses that are receiving the illicit funds. It’s surprisingly concentrated on a few, very large, deposit addresses that mostly do criminal activity. Sometimes one of the cool things you could do, you can say, okay, let’s these look at the services that are, or the deposit addresses on exchanges that are receiving elicit funds — what other types of things are they doing? Are they doing 5% ransomware, 95% derivatives trading? That can get you a profile of who these deposit addresses are. From there you could say, oh, it looks like this deposit address receives 50% funds from these three different strains. The rest of their funds is really large transfers, rounded amounts of cryptocurrency that looks like maybe a poorly regulated OTC broker that’s operating off of these few services.
And yeah, there are opportunities for disruption. There are things that can be done. This is an ongoing thing that we’re dealing with as an industry, is what do we do about it? Profiling these deposit addresses has been something that has been proven to be really extremely interesting because we can get into the weeds of who these organizations are. Is it one ransomware transfer then they shut down? Or are there consistent ransomware transfers over the past five years. And those types of questions, you can start to situate the deposit addresses into different categories, which helps you profile them even more.
Gurvais Grigg:
And to Kim’s point on that, it shows the ability that it takes a multi-faceted solution approach. You need not only your law enforcement agencies working, but you’ve got your regulators as well. So that whole of government solution to dismantle these ransomware capabilities.
Laura Shin:
One thing I was thinking about was Kim’s earlier comment in the episode, where she said that increasingly they’re not actually cashing out to fiat and kind of transacting more in cryptocurrency. It frankly makes me think… not only does that mean that then there are fewer points at which law enforcement maybe could get more insight into these groups and have ways to kind of intercede. It also makes me think that as the wider world adopts crypto, then there will be more opportunities for them to perpetrate these attacks and get paid without having to worry so much about law enforcement. But who knows, maybe by then law enforcement will have new tools.
So one thing in terms of tools that Gurvais you mentioned earlier was you said in the blog post that the ransomware phenomenon has parallels to terrorism… what are those parallels?
Gurvais Grigg:
You heard national leaders draw that comparison. I think part of that came from that sense of urgency and need for national unity to pull together a whole of government solution for it. It clearly is a threat because it’s impacting people’s daily lives. When you disrupt fuel supply for a major portion of a large country, like the United States, or you impact food production, or you disrupt a major healthcare provider, or banking and your ability to access your funds, you’re affecting people’s lives. That’s creating terror and fear and sowing that kind of distrust in the system. The analogy is clearly there to draw between counter-terrorism and ransomware.
What I was expanding on in that article was, is, well, what are some of the solutions that we’ve implemented successfully over the past several decades to counter the terrorism threat and what are their potential analogies to ransomware?
Clearly, of course, you’ve got to do a good bit on awareness and communication to sort of bring people up to speed on what is this threat. We talked about the whole of government solutions that you need — both integrated coordination between national policy makers, law enforcement, intel, regulatory entities. There’s also a resourcing to the problem, right? This problem takes resources to address. And resources are not just from the government. If you look into the private industry, when you look at the cyber hygiene of some of these companies, and some of those that became victims to it, perhaps some of the cyber advisors would say there were things they can do to prevent that from happening next time. So it’s a real complicated, but understandable problem.
Laura Shin:
When you were talking about the whole ecosystem, this ransomware as a service, and then all the other actors involved… You mentioned that it’s sort of creating this little industry with these players and there’s consolidation happening and you said that actually represents ransomware’s biggest vulnerability. So how can that be exploited to prevent further attacks?
Gurvais Grigg:
Building on what Kim was talking about there is understanding who are the key players, what are those nodes in this ransomware supply chain where maybe the key mixing services, the key offloading and money laundering services, who are the big purveyors of some of these exploits and tools that they’re leveraging, or their web hosting or cloud providers? Then going after those. Recently I shared this analogy with a friend about a vehicle — there’s a current backlog on a number of vehicles here in the US. Why? Because the chips that go into those vehicles are on backlog. So you have this complex machine, that’s has thousands of moving parts, is enormous, weighs two thousand pounds, yet the whole production is dismantled and delayed for a small little chip, right? And that’s analogous to ransomware. If you can understand how all those parts fit together in the ransomware and to be strategic about your targeting and going after those nodes, you can really affect the whole network.
And so what I mean by that, and that’s some of the counter-terrorism strategies that have been applied successfully is identifying the leadership, the funding, how they travel, how they radicalize and recruit. Well, those same kind of analogies can work in ransomware and some of the things that Kim talked about. I think that’s a framework that government agencies across the world can pursue to reduce the impact ransomware is having on us. But I think you’re right, we are going to see it continue to grow because currently there’s nothing to de-incentivize this activity. So many of them are moving forward.
Laura Shin:
It seems like the same playbook that REvil used, but in reverse because they attacked Kaseya, which had all of these companies that were relying on its information. So if you do the reverse to them, it would have the same effect.
Let’s actually talk a little bit about Colonial Pipeline. In May, hackers ransomed the systems of that company, which is one of the largest pipeline operators in the US, and they requested 75 Bitcoins as ransom. 63.7 of those were paid to the hacker. The rest presumably went to Darkside, which was the ransomware as a service provider, as a commission. And the US DOJ was able to seize those 63.7 BTC. It’s not known exactly how they did so. What do you think are the most likely theories?
Gurvais Grigg:
Well, I hate to disappoint, but I’m really not in a position to talk about that particular instance or case. What I can say is, I think it illustrates the need for raising the crypto literacy and capabilities of government agencies, because it’s not enough just to defend against an attack, nor to push it back, or to find the people responsible, but you also want to return the money back to the victims. And then of course, potentially never let them become a victim in the first place, by some of the proactive things we talked about earlier in the broadcast. And I think that is one of the takeaways from that type of an incident.
Laura Shin:
I will mention that there was an analysis by Galaxy Digital’s research arm and a couple of theories were first that maybe DOJ was able to serve a warrant to an onshore exchange or OTC desk, who then complied with law enforcement. The second theory could be that DOJ got access to a compromised computer that had access to that wallet. And Darkside had said previously that its servers had been compromised. And then another theory was that maybe the FBI had apprehended, someone who was with the hackers who had access to that private key. That’s just for listeners who are wondering how that was able to happen. It’s not necessarily that Bitcoin itself was compromised.
At the moment we are seeing quite a lot of movement or at least talk by the government. What would you say are the best tools that the government can use to prevent and combat ransomware?
Gurvais Grigg:
This is going to lead quickly into Kim’s strength, but let me just set the stage. First, it begins with data. You’ve got to have the right data to both understand the ecosystem that you’re dealing with, as well as who the players and actors are, and what those transactions are moving across. The blockchain of course, is a publicly available ledger, and anyone can look at it, but having the right tools to interpret that data really becomes important — and being able to do that at the speed crypto moves at. And I think that’s where you’re going to see a lot of growth in this market space of both making the right data available and the tools to help quickly reduce the time to insight and to follow it.
Kim:
I would echo first and foremost: data is the most important. At least if you’re thinking about if you’re a victim who has paid a ransom — what’s your best shot of getting your funds back? Then you have the bigger question of, okay, ransomware is picking up. We called 2020 the year of the ransomware because there was over 300% growth and probably more now. 2021, right now, on the track that we’re on right now, is going to just far exceed 2020 in terms of the funds going to ransomware. This is something that’s growing really fast. I think the industry solution is probably multi-pronged around education and info security, but also awareness of how we can see every player that we have data on. We can see what they’re doing. We can see their operations, and we can see where they’re cashing out.
The fact that the money laundering infrastructure is smaller than we had originally anticipated, I think it actually makes it feel a little bit more manageable, to me at least, then, oh my gosh, there’s ransomware happening every single day, millions of attacks. But actually like, this is the size of it. These are how many different groups we’re tracking, and these are the off-ramps that they use. That level of transparency makes a really scary problem feel more manageable. But other than that, it’s going to be a multi-pronged approach to tackling this problem.
Laura Shin:
Maybe the fact that it’s very much an international problem will also help because when you have so many different countries, industries that are affected I imagine that maybe that will be more motivating to people to kind of band together and act. Do you get a sense of that?
Gurvais Grigg:
So international cooperation, right? Public-private partnerships. There’s probably some legislative changes that are needed to strengthen the consequences and legislation around ransomware and those that perpetrate those types of cyber events. That increased focus on asset recovery and sanctions. Work that can be done to raise the cyber fences, if you will, among critical industry and infrastructure providers to make them less vulnerable for exploitation. And then as we talked about, literally going after with a focus dismantlement campaign to identify those key players, actors, and nodes on that network and go after them from a regulatory perspective, from a law enforcement perspective, and the like.
Laura Shin:
All right, well, I guess we’ll have to see how the rest of this year plays out. Hopefully it won’t you know, snowball into something even bigger, but it sort of looks that way at the moment.
Well, where can people learn more about each of you and Chainanalysis?
Kim:
You can find our research on our blog. We have a section that details all of the research we’ve put out. You can get you can subscribe to our newsletter so you can get insights into what types of new research we’re putting out and what we’re paying attention to. We’re always doing new research topics right now. We’re focusing on the geography of cryptocurrency, which is the other 99% of activity that isn’t illicit — what’s going on there.
Gurvais Grigg:
As Kim said, you can go to our website. Kim and I are routinely publishing information there and updates along with others from the company. And we’d welcome you to give us a visit.
Laura Shin:
Thanks so much for joining us today. To learn more about Gurvais and Kim, check out the show notes for this episode. Unchained is produced by me, Laura Shin, with help from Anthony Yoon, Daniel Nuss, and Mark Murdock. Thanks for listening.