Bitcoin ledger as a secret weapon in war against ransomware – Cointelegraph Magazine


Ransomware, malicious software that encrypts computers and keeps them “locked” until a ransom is paid, is the world’s fastest-growing cyber threat, according to Coinfirm. Recent attacks on critical national infrastructure, like the Colonial Pipeline incursion that crippled oil and gas deliveries for a week along the U.S. East Coast, have set off alarms. Ransom payments are almost always made in Bitcoin or other cryptocurrencies. 

But while many were shaken by May’s Colonial Pipeline attack — the Biden administration issued new pipeline regulations in its aftermath — relatively few are aware of that drama’s final act: Using blockchain analysis, the FBI was able to follow the flow of the ransom payment funds and recover about 85% of the Bitcoin paid to ransomware group DarkSide.

In fact, blockchain analysis, which can be further enhanced with machine learning algorithms, is a promising new technique in the battle against ransomware. It takes some of crypto’s core attributes — e.g., decentralization and transparency — and uses those properties against malware miscreants.

While crypto’s detractors tend to emphasize its pseudonymity — and attractiveness to criminal elements for that reason — they tend to overlook the relative visibility of BTC transactions. The Bitcoin ledger is updated and distributed to tens of thousands of computers globally in real time each day, and its transactions are there for all to see. By analyzing flows, forensic specialists can often identify suspicious activity. This could prove to be the Achilles’ heel of the ransomware racket.

An underused means

“The blockchain ledger on which Bitcoin transactions are recorded is an underutilized forensic tool that can be used by law enforcement agencies and others to identify and disrupt illicit activities,” Michael Morell, former acting director of the U.S. Central Intelligence Agency, declared in a recent blog, adding:

“Put simply, blockchain analysis is a highly effective crime fighting and intelligence gathering tool. […] One expert on the cryptocurrency ecosystem called blockchain technology a ‘boon for surveillance.’”

Along these lines, three Columbia University researchers recently published a paper, “Identifying Ransomware Actors in the Bitcoin Network,” describing how they were able to use graph machine learning algorithms and blockchain analysis to identify ransomware attackers with “85% prediction accuracy on the test data set.”

Those on the frontlines of the ransomware struggle see promise in blockchain analysis. “While it may at first seem like cryptocurrency enables ransomware, cryptocurrency is actually instrumental in fighting it,” Gurvais Grigg, global public sector chief technology officer at Chainalysis, tells Magazine, adding:

“With the right tools, law enforcement can follow the money on the blockchain to better understand and disrupt the organization’s operations and supply chain. This is a proven successful approach as we saw in January’s ‘takedown’ of the NetWalker ransomware strain.”

Whether blockchain analysis alone is enough to thwart ransomware incursions or whether it needs to be joined with other tactics, like bringing political/economic pressure to bear on foreign countries that tolerate ransomware groups, is another question.

Unmasking criminals?

Clifford Neuman, associate professor of computer science practice at the University of Southern California, believes that blockchain analysis is an underutilized forensic tool. “Many people, including criminals, assume Bitcoin is anonymous. In fact, it is far from being so in that the flow of funds is more visible on the ‘public’ blockchain than it is in almost any other kind of transaction.” He adds: “The trick is to tie the endpoints to individuals, and blockchain analysis tools can sometimes be used to do this linking.”

A valid means for unmasking ransomware attackers? “Yes, absolutely,” Dave Jevans, CEO of crypto intelligence firm CipherTrace, tells Magazine. “Using effective blockchain analytics, cryptocurrency intelligence software” — the sort his firm produces — “to track where ransomware actors are moving their funds can lead investigators to their true identities as they attempt to off-ramp their crypto to fiat.”

David Carlisle, director of policy and regulatory affairs at analytics firm Elliptic, tells Magazine: “Blockchain analysis is already a proven valuable technique for enabling law enforcement to disrupt the activities of these networks, as the Colonial Pipeline case made clear.”

Within days of the May 8 ransom payment by Colonial Pipeline, Elliptic was able to identify the Bitcoin wallet that received the payment. Further, “It [the wallet] had received Bitcoin payments since March totaling $17.5 million,” recounts law firm Kelley Drye & Warren LLP. Elliptic was helped by the fact that the malefactors had used no “mixers” to further obscure…



cointelegraph.com