Prevention and Importance
Ransomware has become increasingly prevalent over the last few years, and not just because of the COVID-19 pandemic, which has caused cybercrime incidents to increase dramatically and has caused the number of ransomware incidents to explode. A recent report suggests a 715% increase in detected ransomware attacks from 2019 to 2020 and a ransomware attack now occurs on average once every 11 seconds. This has also resulted in a dramatic rise in ransomware investigations.
The best (and by far the cheapest) option is to spend the time bolstering security and operational practices so that a ransomware attack isn’t successful, and if it is, to significantly mitigate the damage the ransomware could do. If an organization succumbs to a ransomware attack, there are a plethora of costs they face depending on whether or not they pay the ransom.
If the ransom is not paid:
- Equipment replacement costs.
- Costs (primarily labour) to rebuild critical infrastructure and systems affected.
- Downtime, lost productivity and lost revenue.
- If the attacker was not only able to encrypt data or hard drives but was also able to obtain private and confidential data, whether customer data or non-customer data, that data could also be leveraged, used or sold by the attacker. This in turn can lead to user accounts being hacked and identity theft, and opens the organization up to legal liability in some cases, particularly if it was negligent with regard to its security.
If the ransom is paid:
- The ransom itself, which is often in the hundreds or thousands, or for larger organizations, in the millions of US dollars, albeit typically paid in Bitcoin.
- Reduced downtime, lost productivity and lost revenue, provided the attackers hold up their end of the deal. There is no guarantee that they will, but historically they have ‘honoured’ their commitment in most cases.
It’s always best to prevent a ransomware attack from occurring in the first place rather than trying to deal with it once it happens. There are various steps organizations should take which would eliminate the vast majority of ransomware attacks. Still, most organizations seem to either not care until it happens to them, can’t “afford” to take the necessary steps, or fail to execute these steps properly and still have woefully inadequate security. Instead, they’ll look up how to pay ransomware with Bitcoin and proceed to pay it if they feel the ransom will be less costly than being locked out of infected devices indefinitely.
Permissions & Tiered Access
A critical aspect of systems security is appropriately isolating and segregating systems from one another so that if one device is affected, it doesn’t cripple an organization’s entire infrastructure. Security, access permissions and controls need to be in place that restrict devices and systems from sharing data with one another where that isn’t necessary, limiting the effectiveness of any ransomware attack.
Security Software Suites and Firewalls
Security suites, anti-virus software, firewalls, and mail filtering are all important security components most organizations should have. While they can sometimes help to prevent or mitigate ransomware attacks, there are plenty of occasions where they fail to do so. Just as importantly, these security features create a false sense of security among employees that any ransomware attack will be unsuccessful. In reality, it’s not difficult for a ransomware operator to get around anti-virus software, but these security features do offer some minor roadblocks for attackers.
Competent Security Professionals
Organizations need to have competent security professionals and Sysadmins on staff who design and maintain security infrastructure and control access. Just as importantly, they need to have appropriate decision-making authority over all of an organization’s digital security. If they first need to get permission from a C-level executive who, let’s face it, probably won’t have a clue about such security, that’s not very effective.
A Security-first Culture
By far the most challenging thing organizations must improve to prevent succumbing to a ransomware attack is the knowledge and mindset employees have about security. The human element is the weakest link and the factor that can be most easily exploited, given how many people don’t even employ the most basic security practices.
We all know those at our company that haven’t a clue how to use a computer, much less understand the basics of computer security, which makes them highly susceptible to clicking on a phishing link that leads to a ransomware attack. A small and lean organization might be better able to ensure all employees are adequately technically adept and security-focused, but it’s an impossible feat for larger organizations.
Nonetheless, educating employees and ensuring that they have a security-focused mindset is essential. This isn’t limited to telling employees not to click sketchy links or run batch files downloaded from who knows where. It involves educating employees about fraud and cybersecurity. Education on how to detect a spoofed email. Social engineering training. Got a call/email from a higher-up at the company ordering you to do something? Ok, how have you verified it’s really them who ordered it? It’s very, very easy to spoof an email or phone call.
Training employees to question everything and be so inquisitive is difficult, because as humans, we tend to be more trusting. It is very tough for employers to get employees to adopt a security-oriented culture, but this is what needs to be done if organizations want to avoid succumbing to a ransomware attack.
Backing up Data and Systems
It’s crucial for organizations to regularly back up their systems and data. Those backups must, of course, remain segregated from other systems given how easily ransomware can spread in an organization’s computer network. Should a ransomware attack occur, having systems and data adequately backed up makes it much easier for an organization to justify not paying the ransom, and to simply discard infected devices if they cannot be decrypted — something that’s considerably cheaper than paying the ransom the vast majority of the time. Usually, the data contained on the machines and the threat of that data being exposed are both far more economically damaging to an organization than the cost of replacing the equipment itself.
Retention of Customer Data
Carefully consider what client data and personal information you really need to collect and/or retain – most organizations don’t need the vast majority of the customer information they choose to collect. Do you really need their phone number? Why not implement app-based 2FA for customer logins (if applicable) so that such data doesn’t need to be retained? What about their full name, date of birth, photo ID, etc.? The data can’t be stolen or leaked if you don’t retain it. Don’t collect private client information if you don’t need to, and if you do collect it, expect to bear the consequences of any breach if found negligent, which could include lawsuits down the road.
Improve How Data is Stored and Secured
Just as important as what data is stored is how it’s stored, and who has access. In some ransomware attacks, apart from devices becoming locked, attackers are also able to steal the data on those systems. That could include passwords, credit card details, etc. This data must be safely and securely encrypted to reduce the potential fallout of any breach.
By now, I think everyone reading this has been the victim of a database breach and has had a username/password of theirs exposed. Sometimes organizations are dumb enough to store this information in plaintext (like Equifax, for example), allowing attackers to see the email/username and password combinations of those customers (and sometimes a lot more), which they’ll proceed to use elsewhere when breaching individual user accounts (or will sell the data to someone who will, likely on the dark web).
When an organization is breached and passwords/details are exposed, organizations will sometimes say that all passwords were encrypted and that the attackers only have hashes of passwords. Thus, users are allegedly ‘safe’ since the hackers cannot decrypt those hashes. And that’s a heaping pile of bullshit.
Hackers possess massive databases of passwords that have been used before, and I’m not just talking about common ones like ‘pass1234’: it can be millions, or even billions, of passwords. These passwords are then run through multiple hashing algorithms (SHA-1, SHA-3, MD5, and SHA-256), producing the applicable hash for each password. Well, guess what? When a hacker obtains ‘encrypted’ passwords, they only need to compare each hash to the hashes in their hash table, and if they have a match, voila, they have your plaintext password, which they can use to log in. So much for your password still being ‘secure’ because it’s ‘encrypted.’
Encrypting customer data is a basic security precaution that must be taken, but exposed data is still very much dangerous. One defence organizations need to adopt is to force users to use long, complex and unique passwords; that way, if the password hashes are exposed, it’s unlikely that those hashes will be in the hacker’s hash table. Regardless, companies also need to control how this data can be accessed, including by employees — not just external actors.
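As an added example (not code from the original article or from CipherBlade), the Python script below reproduces the precomputed-hash lookup described above against a constructed breach, then shows the defender's counterpart: a random per-user salt with a deliberately slow key derivation function, which makes the attacker's table useless. The password list, user records and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's list of previously breached passwords.
LEAKED_PASSWORDS = ["pass1234", "password", "letmein", "qwerty", "Summer2020!"]
FAST_HASHES = ("md5", "sha1", "sha256", "sha3_256")


def build_lookup_table(passwords, algorithms=FAST_HASHES):
    """Precompute (algorithm, hex digest) -> plaintext for every fast, unsalted hash."""
    table = {}
    for pw in passwords:
        for algo in algorithms:
            table[(algo, hashlib.new(algo, pw.encode()).hexdigest())] = pw
    return table


def recover_from_leak(breached_db, table):
    """Look each (algorithm, digest) pair from a leaked user table up in the precomputed table."""
    return {user: table.get(entry) for user, entry in breached_db.items()}


def demo_unsalted_leak():
    """Constructed breach: unsalted fast hashes are recovered by pure lookup, no cracking needed."""
    table = build_lookup_table(LEAKED_PASSWORDS)
    breached_db = {
        "alice": ("sha256", hashlib.sha256(b"pass1234").hexdigest()),
        "bob": ("md5", hashlib.md5(b"letmein").hexdigest()),
        # A long, unique passphrase is absent from the attacker's list, so the lookup fails.
        "carol": ("sha256", hashlib.sha256(b"correct-horse-battery-staple-2020").hexdigest()),
    }
    return recover_from_leak(breached_db, table)


# Defender side: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the
# standard library). Every guess must be recomputed per user, so no precomputed table
# applies, and each recomputation is expensive by design.
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)  # constant-time comparison


def demo_salted_defence():
    """Two users sharing the same weak password get different digests, neither in the table."""
    table = build_lookup_table(LEAKED_PASSWORDS)
    salt_a, digest_a = hash_password("pass1234")
    salt_b, digest_b = hash_password("pass1234")
    in_table = any((algo, d.hex()) in table for algo in FAST_HASHES for d in (digest_a, digest_b))
    return {
        "salts_differ": salt_a != salt_b,
        "digests_differ": digest_a != digest_b,
        "found_in_lookup_table": in_table,
        "correct_password_verifies": verify_password("pass1234", salt_a, digest_a),
        "wrong_password_rejected": not verify_password("pass1235", salt_a, digest_a),
    }


if __name__ == "__main__":
    print(demo_unsalted_leak())
    print(demo_salted_defence())
```

Salting does not rescue a weak password against a targeted guess (‘pass1234’ still falls to a per-user brute force); it only removes the bulk lookup, which is why the long, unique passwords the article calls for remain necessary alongside it.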
The rest of this article pertains to organizations that have failed to appropriately secure their infrastructure and have become victims of a ransomware attack.
The Importance of Investigating
Ransomware attacks wouldn’t happen if ransoms were never paid or if organizations never succumbed to such ransomware attacks due to having a more security-minded culture. But the reality is that some organizations choose to pay the ransom because the consequences for not doing so often far outweigh the ransom’s cost.
Ransomware attacks always involve a cost-benefit analysis, both for the organization but also for the attacker. From the attacker’s perspective, the financial costs of conducting the attack are quite low. The benefits, meanwhile, are quite high. Organizations are willing to pay out the ransom all too often, despite the high price tag. And when organizations choose to do so, they create a greater incentive for such attacks to occur in the future.
Ransomware attacks have become so common that it’s now fairly common for many organizations, both private, not-for-profit, and government organizations to purchase cyber insurance. The proposition is fairly simple; as part of the cyber insurance policy, the insurance company will offer to pay out a ransom, should an attack happen, up to the liability limit (with exceptions of course).
The rise of cyber insurance has greatly increased the frequency of ransomware payouts, has caused the average ransomware payment to increase considerably, and most importantly, is the biggest contributor to the rise in ransomware attacks for a simple reason: insurers reward the attacker and all too often do nothing to investigate the matter. Organizations can also more easily justify having lax security since they’re ‘insured’ against an attack. Cyber insurers see it as a cost of doing business and move on. They fail to understand the consequences of issuing payout after payout while taking little to no action to identify the attackers so they can be prosecuted, even though from a financial perspective it’s often a ‘profitable’ decision for cyber insurers to pursue the attackers with the appropriate professional assistance.
One additional factor attackers must weigh is the risks of getting caught, prosecuted, and ultimately going to jail, while at the same time being required to return the funds. That’s a crucial part of the equation and why it’s so important to investigate the attackers who initiate ransomware attacks; it changes the equation so that fewer ransomware attacks occur in the future. And at CipherBlade, we feel that any organization that willingly pays out a ransom has a moral obligation to report it and properly investigate the incident so fewer attacks happen in the future instead of there being more. And one of the best ways of doing that is by ‘following the money’ so to speak.
But if an organization ends up paying out a ransom, the reasons for conducting a ransomware investigation aren’t just altruistic (to prevent more attacks in the future). It typically makes sense from a financial perspective as well. The cost of an investigation, whether 5k USD, 20k USD, or somewhere in between, is peanuts compared to the multi-million dollar ransom. It’s also peanuts compared to what can be recovered.
It’s not hard to come out financially ahead if there’s a professional investigation, compared to the choice to not investigate at all. In many cases, not all funds are recovered. However, even if only 40% of funds are recovered, that still puts the organization in a much better financial position, even after the investigative costs, than if 0% is recovered. Unfortunately, law enforcement agencies often lack the necessary investigative skills, knowledge, experience, and tools to investigate these types of cybercrime cases on their own. As we note below, there are two primary ways cryptocurrency funds can be recovered in such instances.
Funds Recovery After Ransomware Attacks
When cybercriminals launch ransomware attacks, they often insist on being paid in Bitcoin. Once they’ve received the funds, the next step is laundering the money (or attempting to). At CipherBlade, we’ve generally found two approaches cybercriminals use when doing so; they either try to do it very quickly, or they wait a while, in the hopes that it will be forgotten, and then try and do so. The former is the more common of the two.
Identification and Prosecution of Attacker
Ultimately, the attackers need to be brought to justice for funds to be recovered in most cases, although funds recovery certainly isn’t the only reason to conduct an investigation. In order to do that, the attackers first need to be identified, or key intelligence needs to be uncovered that leads to their identity. In ransomware cases, most key intelligence that ultimately leads to the identity of the attackers is found by ‘following the money’ or as we call it more professionally, blockchain forensics.
Law enforcement’s involvement is critical, but law enforcement often lacks the expertise, tools, skills, and knowledge to properly investigate such crimes. The odds of identifying an applicable suspect, or uncovering key intelligence that ultimately leads to the identity of a suspect is improved immensely with external professional assistance.
Recovery is typically not a quick process here given the involvement of multiple law enforcement agencies, courts, and in some cases, banks. After a suspect is identified, additional relevant entities need to be queried or subpoenaed. Information and intelligence need to be assessed, additional investigative work needs to be conducted, law enforcement agencies need to correspond with one another, and the suspect(s) need to be charged and prosecuted. Such charges (or the threat of them) or a court order itself is ultimately what can lead to funds recovery. Ultimately, the threat of going to jail, or of going to jail for a longer period of time if the perpetrator isn’t cooperative, is quite a powerful incentive to get them to turn over the criminally acquired funds.
The alternative way that funds can be recovered after a ransomware attack is by intercepting them when the attackers attempt to liquidate, launder, or cash out through various services and exchanges. Whether or not funds can be intercepted depends on a variety of factors, including the exchange or service in question and how quickly the right people are notified. This is why CipherBlade has direct lines of communication with many exchanges: the customer service staff behind generic support emails typically don’t have the authority to do anything in such matters, and one can’t wait hours or days for a response either.
That being said, there are limitations. For one, it’s unlikely that a ransomware attacker will attempt to liquidate all the funds at once on a service or exchange. They normally try to do it in smaller amounts at a time instead of ‘putting all their eggs in one basket,’ so it’s highly unlikely to result in all the funds being recovered solely through interception.
Secondly, law enforcement agencies are simply not well equipped to attempt to intercept funds like this. It involves near real-time assessment as soon as a transaction occurs, which law enforcement doesn’t generally have resources for. Professional assistance is usually needed, and time is very much of the essence. Furthermore, given that perpetrators often try to launder funds quickly after they are received, it’s critical for an organization to have already engaged professional assistance before it even sends the ransom (if it plans on doing so) so that an attempt can be made to intercept the funds. If it waits a few weeks to hire a professional investigative agency, in all likelihood most or all of the funds will have already been laundered through various services so that they can no longer be easily intercepted (granted, there could still of course be on-chain leads that could lead to the identity and prosecution of the suspect, as noted in option #1).
But What about Mixers?
A lot of people incorrectly assume that attackers simply send the Bitcoin into a mixer like Wasabi, Chipmixer, or BitcoinFog, and the funds are then untraceable. There are multiple incorrect assumptions made here.
- While mixer involvement is not uncommon to see in ransomware cases, there are plenty of cases we’ve seen where there’s been zero mixer involvement.
- If there is mixer involvement, it’s rare for 100% of funds to go to mixers. More often, only a portion of funds are sent into the mixer, leaving plenty of other ways that funds can be traced even if not attempting to trace “through” the mixer. The goal is not necessarily to find where all the funds are currently; rather, the goal is to uncover intelligence on who the perpetrators are, which can be uncovered by determining services or other individuals they interacted with, among other ways.
- People sometimes assume that all mixers are the same, and all are equally untraceable. Not true at all. Mixers are designed quite differently from one another with regards to the mixing algorithms that are utilized. Simply put, some are better at concealing funds than others. Whether or not funds can be traced ‘through’ a mixer depends on several factors, including which mixer was used. There are a variety of factors which make funds sent into mixers more or less traceable as well, but that’s not something we’ll elaborate on here, since we already know that ransomware attackers will be reading this, and we certainly don’t want to help them launder funds. What is true, however, is it does take considerably more time (and thus costs) to trace ‘through’ a mixer, thus, such work can only be warranted for losses of at least mid-6-figures, otherwise it just doesn’t make financial sense. There will likely be easier paths that can better lead to the identity of the attacker.
Eastern European Perpetrators and Feasibility of Pursuance
A notable portion of ransomware attacks have been linked to Eastern European attackers. Some people incorrectly assume an investigation is a futile endeavour since if the suspect(s) is Eastern European, people sometimes assume the individual won’t be prosecuted due to a lack of cooperation from local law enforcement. While this can be true in some instances, in many cases, this perception is misconstrued. In reality, it depends on several factors:
- The country that the suspect(s) resides in. People sometimes paint all Eastern countries with the same brush and assume they all will have the same level of perceived low cooperation. Not true at all. Countries like Ukraine, Romania, and Russia are all very, very different. Law enforcement in many Eastern European countries can be very cooperative, particularly with the right connections.
- It depends on the victim organization’s country too. Since ransomware cases involve cooperation of typically at least 2 law enforcement agencies, the relationship the two countries have with one another is another factor to consider. Let’s take the US and Russia, for example. The FBI doesn’t have as good of a relationship with Russia, compared to other Eastern European countries like Ukraine, Romania, and Bulgaria for obvious reasons. This is not to suggest a case is dead in the water if the victimized organization is US-based while the suspect is Russian. It’s just harder to get such a case to be pursued but it does happen – in fact, Russian nationals involved in cryptocurrency exchange hacks were just indicted yesterday by the US Department of Justice. In contrast, if the victimized organization was based in France, it would work in its favour and be even easier to pursue.
- The size of the ransom paid. The higher the ransom is, the easier it is for law enforcement to justify spending the resources to pursue the matter. It’s harder for law enforcement to justify attackers behind a 50k USD ransom than a 500k USD ransom. And when ransoms reach the millions of dollars, there’s a lot of pressure for law enforcement to pursue even when the jurisdiction is ‘less appealing’ as with the US-Russia example.
- Professional assistance, or lack thereof. The reality is the vast majority of law enforcement agencies lack the tools, skills, knowledge, and expertise to investigate this type of cybercrime properly. Many law enforcement agencies have ZERO capabilities in this regard. Some law enforcement agencies like the FBI do have capabilities, but they are incredibly understaffed, and there are only a small number of people in the FBI who are capable of actually investigating this type of crime, and even then, some are more qualified than others. The reality is that having external professional assistance considerably improves the odds of both identifying and apprehending a suspect, as well as of recovering ransomware funds, or at least a portion of them.
- Keep in mind that in order to recover Bitcoin by intercepting funds when the suspect attempts to liquidate on an exchange or service, the suspect doesn’t need to even be identified, much less prosecuted, nor does local law enforcement need to even get involved in that instance. What is needed, however, is cooperation from the exchange or service. If an exchange or service is immediately notified of ransomware funds being laundered by a suspect through their platform, what would they do about it? The answer should be to request details on the ‘source of funds’ from the account holder and to request that the account holder undergo KYC if they have not already done so prior to the funds being released. If the account holder acquired the funds legitimately, it should be easy for them to provide details on the source of funds, after which point the exchange/service releases the funds. This is Compliance 101. But there are, of course some shady exchanges and services that couldn’t give a damn about such funds being laundered through their platform, even when they are notified of it as it’s happening. And that, of course, can open them up to legal liability.
- Finally, keep in mind that a good portion of attackers are NOT based in Eastern Europe. Sometimes attackers are North American, Western European or from a country in Asia. And in some cases, attackers have been Nation-state actors, as was the case with WannaCry, where North Korea’s Lazarus Group was found to be the likely culprit.
Case Study: CWT
Given the misconception about what happens to the Bitcoin in any ransomware payment, and how that Bitcoin is laundered in such cases, we thought it would be useful to conduct a case study, so we’ve chosen the recent ransomware attack involving CWT, who paid a 414 BTC (~$4.5 Million USD) ransom after succumbing to a ransomware attack.
The transaction whereby CWT (or their agent) paid the 414 BTC was never publicly disclosed, but it wasn’t exactly hard for us to find. We know the hackers wrote the note demanding the ransom of 414 BTC on July 27th, and that payment occurred by July 28. Looking at the Bitcoin blockchain, there aren’t many transactions that fit the bill, and the few that do are primarily intra-exchange transactions (and thus not ransomware related). But there is one address that receives 414 BTC and fits the profile in that timeframe: 13nmJ3SsNB5pSyQrmX3e6zveY9kHGw8Vs3, labelled ‘CWT Ransomware Attacker’.
This address first receives 1 BTC in tx 58a22a5a40a8cb98df8398567f33402c577affbb8d3d0c993fa17289c24d2bc6, presumably as a ‘test transaction’ (not uncommon), then receives the remaining 413 BTC in tx eb4a367416e02d1fd77d78d530a0f7f1ff7f84cffb3b595deeb7d5ea399d9100 twenty minutes later.