Unchained - How Ransomware Evolved Into a Big Business - Ep.256
Episode Date: July 20, 2021
Gurvais Grigg, Chainalysis public sector CTO, and Kim Grauer, director of research at Chainalysis, review the ransomware landscape.

Show Highlights:
their backgrounds and roles at Chainalysis
how a ransomware attack works
what types of businesses are usually targeted in ransomware attacks
why ransomware as a service (RaaS) is a booming business
why Kim and Gurvais believe the hacking group REvil is becoming more sophisticated
what characteristic of REvil hints that the group could be affiliated with Russia
how the RaaS business model works
how ransomware payments can be tracked
why ransomware reporting has a data problem
why Bitcoin is the preferred method of payment amongst ransomware attackers
what two factors make BTC preferable to privacy coins
how ransomware groups teach victims to transfer BTC
how ransomware groups cash out of their BTC
how counter-terrorism tactics can help fight ransomware attacks
how the Department of Justice may have partially recovered part of the Colonial Pipeline ransomware payment
what tools and strategies governments can and will use to battle ransomware

Thank you to our sponsors!
Crypto.com: https://crypto.onelink.me/J9Lg/unchainedcardearnfeb2
Tezos: https://tezos.com/discover?utm_source=laura-shin&utm_medium=podcast-sponsorship-unconfirmed&utm_campaign=tezos-campaign&utm_content=hero
Conjure: https://conjure.finance

Episode Links
People
Kim Grauer - Director of Research at Chainalysis: https://www.linkedin.com/in/kimberly-grauer-a9501144
Gurvais Grigg - Global Public Sector Chief Technology Officer at Chainalysis: https://www.linkedin.com/in/gurvais-grigg-b1027a153/
Chainalysis Ransomware Data
https://go.chainalysis.com/rs/503-FAP-074/images/Ransomware-2021-update.pdf
https://go.chainalysis.com/rs/503-FAP-074/images/Chainalysis-Crypto-Crime-2021.pdf
https://blog.chainalysis.com/reports/applying-counterterrorism-strategies-to-ransomware
https://blog.chainalysis.com/reports/eastern-europe-cryptocurrency-market-2020
Ransomware Attacks
Kaseya
https://decrypt.co/75246/what-the-revil-ransomware-attack-means-for-crypto
https://www.abc.net.au/news/2021-07-03/ransomware-attack-us-revil/100265656
Colonial Pipeline
https://ciphertrace.com/ransomware-seizure-blockchain-analytics-helps-us-authorities-seize-over-2-million-in-darkside-ransom-paid-by-colonial-pipeline/
https://www.elliptic.co/blog/us-authorities-seize-darkside
JBS Holdings
https://www.wsj.com/articles/jbs-paid-11-million-to-resolve-ransomware-attack
Other
Chainalysis Twitter: https://twitter.com/chainalysis
Website: https://www.chainalysis.com/
Who is REvil?
https://fortune.com/2021/07/07/what-is-revil-ransomware-attack-kaseya/
https://unit42.paloaltonetworks.com/revil-threat-actors/
Combating ransomware: https://securityandtechnology.org/ransomwaretaskforce/report/
Why Gurvais joined Chainalysis: https://blog.chainalysis.com/reports/gurvais-grigg-chainalysis
Transcript
Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin, a journalist with over two decades of experience. I started covering crypto six years ago and as a senior editor at Forbes was the first mainstream media reporter to cover cryptocurrency full-time. This is the July 20th, 2021 episode of Unchained.
My book, The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze,
is available for pre-order on Amazon, Barnes & Noble, Bookshop, or any of your favorite bookstores.
Go to Bitley-S-C-T-L-L-Y-C-R-Y-P-T-O-P-A-N-N-S.
The Crypto.com app lets you buy, earn, and spend crypto, all in one place.
Earn up to 8.5% interest on your Bitcoin, and 14% interest on your stablecoins, paid weekly.
Download the Crypto.com app and get $25 with the code Laura.
The link is in the description. Tezos is smart money that's redefining what it means to hold and
exchange value in a digitally connected world. Discover how people are reimagining the world around
you on Tezos. Conjure brings any asset you want onto Ethereum by allowing users to create
synthetic assets which track other markets. With zero-interest loans and unlimited assets,
it's helping DeFi to consume TradFi.
That's C-O-N-J-U-R-E dot finance. Check it out.
Today's topic is Ransomware.
Here to discuss are Kim Grauer, Director of Research at Chainalysis, and Gurvais Grigg, Public
Sector CTO at Chainalysis.
Welcome, Kim and Gurvais.
Hi.
Hello.
So ransomware has become quite the phenomenon this year, with hackers extorting $412 million
from victims last year, and then in the first five months of this year, obtaining $127 million.
And then at the beginning of July, a group called REvil, I believe it's pronounced, perpetrated the largest
ransomware attack so far, infecting more than one million computers. And for that, they demanded a $70 million
ransom. Before we dive into all the particulars on the topic for today, why don't you each tell us a bit
about yourself and your background and how you came to learn about this topic. And actually,
why don't we start with Gurvais? Okay, sure. Thanks, Laura. Well, my name is Gurvais Grigg, as you said.
I'm a 23-year veteran retired from the FBI. Before that I was a stock and bond broker, but
started my career in the FBI working violent crime and then moved into white collar and advanced
financial fraud and money laundering. Then 9-11 happened and I pivoted to counterterrorism.
And in particular counterterrorism or terrorist financing, spent a good bit of my career
working counterterrorism and matters associated to that and then moved into the intersection
of technology with that and spent the latter half of my career working advanced technology
issues for the FBI.
But I knew when it came time to retire that I wanted to try to keep that passion with technology
and my love of advanced financial analysis and supporting public sector.
And so when this opportunity with Chainalysis came along, it was sort of the trifecta of all of those passions.
Right.
And Kim, what about you?
I have been at Chainalysis for about four years now.
And I have always just been trying to figure out what is going on with our data.
And oftentimes that looks like thinking about crime and what types of criminal activity are really surging in certain time periods and trying to figure out why that might be.
I have a background in economics. I worked for the city of New York before I made the jump into
crypto and worked with them on a few blockchain initiatives. And I was happy to see that they have
continued those efforts since then. And right now, we just finished updating some ransomware data
and are working on a few other interesting research topics that are going to come out over the
summer. Great. So let's talk about ransomware.
And let's just make sure I think most people know, but let's just define it just to make sure everyone's on the same page.
And describe what happens to an organization that becomes a victim of one of these attacks.
Sure.
So, you know, ransomware has gone through an evolution over the years, from the most original instances to some of the sophisticated instances that you see.
And the one you referenced just recently, with this getting more and more complicated and larger and larger in scope.
But basically it is an individual or group of individuals using technology and code who will infect or enter into a person's system and then hold hostage their data, encrypt it, or even seize it, steal it.
And then they will demand payment from the company to unlock that data or to return it.
Or, as they've evolved, in some other cases now, extort payments to not release or make publicly available that data.
So you can see this evolution of extortion, from first just trying to lock up your data so you can't access it, all the way to stealing it and then threatening to release it or extort you if you don't pay them in the timely fashion they demand, to then DDoSing your system and doing other damage.
And so what happens when you become a victim?
Like is it just that whoever shows up for work first that day realizes they can't get in the system and there's like a pop up or how does that happen?
And, you know, obviously, many companies have their operations center who are monitoring the health and maintenance of their networks.
And so sometimes it may begin where certain users in the company are saying, wait a minute, I can't access the data that I need.
Or the system is sluggish or it's not running at optimum performance.
Or a pop-up comes up and says your system has been infected and we're now holding you hostage.
Sort of the equivalent of the old-days ransom note.
You know, the person that you love and care about has been kidnapped and we demand payment.
And so it can take various forms, but the bottom line is it's that uh-oh moment for the company to realize,
oh, my goodness, we don't have access to our data, what's happened to our customer records,
and then they get the extortion.
And what types of organizations and industry do they typically attack?
You know, it has run the gamut.
Last year, during the height of the pandemic, we saw healthcare providers, hospitals, and the like being attacked.
You've seen in the news government institutions and organizations like that.
We've seen financial institutions, food service providers, energy, critical infrastructure.
It's really beginning to spread, and not just to those boutique entities that most people have never
heard about.
And that's one of the pernicious aspects of the ransomware campaigns as they're evolving
is it's beginning to infect and impact large-scale services that we critically depend on
to run our everyday lives.
I don't know if either of you saw this, but.
The New York Times reported that it got a glimpse of a dashboard on the Darkside ransomware site.
And apparently, Darkside was forbidding its affiliates from attacking any educational,
medical, or government targets.
I found that kind of curious.
What do you make of that?
Well, you know, if you look back at the comparison that some have begun to draw between ransomware and counterterrorism,
it is an established pattern for some terrorist groups to be careful about who they attack, right?
I mean, there are certain dragons you don't want to poke and wake up.
Also, there are certain entities that maybe you call off and you say, we don't want to go there.
I mean, that's not even uncommon for mafiosos and drug gangs, where they will identify areas where they don't want to impact or they don't want to raise attention by certain groups.
So it's not surprising to me that groups would create carve-outs in areas where they either want to target or want to avoid targeting.
And Kim, do you have anything to add on that?
I've heard of ransomware strains, for example, last year saying that they're not going to
attack hospitals.
And I think that because of how distributed some of these affiliate networks can be,
I think that we saw that people didn't follow that.
So they said that and then there actually were some hospitals that were attacked by said strain.
So, you know, what does it mean when a ransomware strain comes out and says, I'm not going to be attacking this?
Do you just trust them?
I mean, do you take them at their word?
We've seen them go back on what they've said they'd do in the past, especially when they said they were not going to be attacking hospitals.
So potentially, you know, echoing what Gurvais said, potentially there's some desire to not really sound all the alarm bells and get everyone kind of hunting
the trails of these ransomware criminals, but I don't really know what else to make of it other than
it's just kind of signaling that, hey, maybe don't pay too much attention to us. We're not going
to attack these terrible things. But in reality, I think they have and would if they thought they
could get away with it. Yeah. At the end of the day, it's all about money, Laura. And using, as I mentioned,
the counterterrorism analogy, you can see groups over the years that say, hey, we don't attack
citizens, we just attack the military and law enforcement, or we just attack government buildings.
The problem is that you can't put a bomb outside of a government
building and not impact the public, right? And so you get that spillover. And these people don't
always care about those collateral consequences. Yeah, I guess, you know, earlier when you were saying
you felt that they didn't want to poke the bear, I could see that making sense for government
and for medical as well in the sense that that might, you know,
catch the government's attention, but educational.
I kind of was just like, hmm, so maybe some kids don't get to go to school one day.
I don't know.
I was kind of like, huh, I wonder what that's about.
But maybe it's because once you affect children, then, yeah, I don't know.
Then that also catches the government's attention.
I wasn't sure.
Well, so tell us a little bit more about who is behind the attacks.
Are they people who are criminals in other ways, or are they more like people who just are
looking for a quick buck or kind of like teenagers who don't have a legitimate way to earn money
with their computer skills or is it something else?
Well, I know Kim can add to this, but let me just set up a part of that.
You know, the environment is really evolving.
If we were to go back a number of years ago, many of the actors and players in this mission space had advanced technical skills, right?
They would both design their solutions.
They would identify their targets.
They would infiltrate their targets, exfil the data and do that.
But what has emerged over the last several years, and I think you alluded to it, is this really ransomware as a service that has come out where there's this whole ecosystem that's been built up around it.
Kim has some powerful data about that that we help analyze for our customers.
where you don't have to do all of those things yourself. In fact, you don't have to be particularly
sophisticated. And what that means is that has lowered the barrier to entry so that more players
who perhaps in previous years could not have done what they can do now are able to buy those
services and get in the game. That's both scary and profound because it broadens the aperture of
players and targets that these companies, governments, and entities have to defend against.
it really raises the amplitude.
Yeah, and I would say that we're getting really good at starting to create more elaborate profiles of who some of these ransomware criminal gangs really are, through a variety of methods that mostly involve data analysis, but bringing a lot of different stakeholders together to look at the same data in different ways.
And what I mean by we're getting good at this is that not only are we kind of a data platform where we can see all these different ransomware strains and how active they are, but we can also see what types of services they are using.
What types of darknet marketplaces are they using to potentially purchase access?
Are there certain languages that are used on the off-ramps that they're choosing to send the stolen funds to?
And so we're getting really good at profiling these criminal gangs.
Let's look at the actual malware.
There's been some research on strains that say, hey, don't attack certain regions.
And we put out some research recently saying a majority of the top strains active today have code baked into the actual attack malware that says don't attack CIS countries.
So don't attack Russian-speaking countries, mostly.
So we can put all these things together to start to profile who they might be and get a lot of good leads for law enforcement.
In terms of why people turn to ransomware, you know, I'll echo a lot of what Gurvais said.
It's probably a more complicated answer that has a regional dimension as well and kind of depends on which gang you're looking at and which context they're coming out of.
But we have the tools to kind of profile each of these strains in a better way going forward, at least for us.
All right.
So before we get a little bit more into the ransomware as a service, which is just so fascinating to me,
I do want to know a little bit more about REvil, the group behind the largest ransomware attack so far.
And I did see...
I actually think it's "R-Evil."
Oh, it's "R-Evil."
Yeah.
Okay.
Because, yeah, I heard a security researcher, I think it was from Cisco or somewhere, say "R-Evil." And I used that in the last show. But then I heard Terry Gross calling it "Reefel." And I was like, hmm. So, okay. Okay. So "R-Evil." But also, they go by another name. So do you know... Sodinokibi? Is that a Russian word, or? I don't know. I'm not sure. Okay. So, yeah, tell us some more
about this group. Obviously, they're the ones behind the headlines in recent weeks.
Well, what I can tell you about REvil is that since it is an ongoing
investigation, of course, we can't get into too many details of what is going on. But we can
look at how REvil has changed over time, how they have evolved,
what services they are using. And one thing that struck
us when we were looking at the data, the whole time series of data surrounding REvil, is the
almost exponential growth in the size of payments that are being demanded by this organization.
And so to me, that typically signifies a growing sophistication of a certain bad actor, because
they're probably targeting, have a more sophisticated target.
They probably have more resources to carry out this attack.
And so we're seeing that with this particular strain.
REvil is also a prolific user of mixers and more advanced technologies to move funds as well.
And so we have been able to triangulate and see all the different kind of methods that REvil is using and how they're changing over time to, I don't know, like we don't know.
I personally don't know who they are, but all this data is actually really helpful to
paint this bigger picture of what's going on with this strain.
And is your sense that they originate in Russia?
REvil is one of the many groups that are affiliated with Russia.
And they have that code that I had mentioned before around do not attack CIS countries.
So, you know, interpret that how you will,
but to me it is kind of established that if there's not a definite connection, then it's a strongly assumed connection.
Yeah, and I'm just blanking.
CIS is for Commonwealth something, Independent States.
It's Russian-speaking.
Okay.
Okay.
And why is it that so many of these cyber criminal gangs do originate in that region?
Yeah, that's a good question.
You know, what we can see is where you have
lax jurisdictional control, or where the authorities either lack the ability or lack the willpower
to do something about it, that creates an opportunity for those types of environments to flourish.
That's not uncommon in the money laundering sector and other types of frauds and scams, where you have
weak infrastructure or a governmental position that either takes no position or chooses not to take a
position. Then that can breed an environment where those kinds of actors feel safe
to operate with impunity, above or outside the law.
And we see that in some of those kinds of CIS environments, as well as other places around the world,
where some of this ransomware strain infrastructure is choosing to position itself.
Okay.
So now let's dive into this full-on business model, which is so fascinating because it seems like it's plucked straight out of a Silicon Valley playbook.
So as you talked about, they follow this ransomware as a service model, which is similar to any other software as a service, or SaaS,
model, such as corporate email that's powered by Gmail or something.
And then there are affiliates.
So just describe what this whole structure is and how it works and how the different groups
within this business model each make their money.
Sure.
So it is kind of an interesting evolution from a technology perspective
to see how criminals have adapted to this SaaS model.
That comes as no surprise given that criminal organizations and criminals themselves
are oftentimes very innovative.
I mean, they operate in a brutally competitive market where the advantages have to be pursued.
They also don't have some of the constraints that legitimate actors have to worry about,
privacy, legality, and so forth and so on.
So they're somewhat freed and unfettered.
Additionally, because they have proceeds derived from their illicit activities,
they're able to quickly pivot and buy things.
We used to see that when I was working on the southern border,
where the drug cartels would quickly pivot into new technologies,
that sometimes it took a while for the government institutions to adopt and get their arms around.
So they quickly will gravitate to new capabilities.
And when you look at this, if you're a purveyor of malware and ransomware,
you want as many people as possible using your stuff so that you get your cut, right?
And if you want to get into the space and be able to make some money,
but you lack the technical sophistication and you don't know how to do that entirely,
this provides you a way through the dark market to find those vendors who can sell you those
services. So this is sort of what it looks like. So you want to conduct a ransomware attack.
Obviously, you go out there and you find a vendor who can provide you that technical service,
right, the tools and data and software techniques. Then you've got to look and say, well,
who can provide me cloud hosting services? So when I steal all this data, I've got to put it somewhere.
So you find an illicit cloud provider who will allow you to host the stolen data.
Then you also, as Kim said, you've got to find someone who can maybe help you with the mixing
and the obfuscation and the laundering of those funds to try to obfuscate where they came from.
And then you also, of course, and most importantly, you need somebody to help you exfil that and turn that back into fiat.
So you need someone who can help you offload that and off-ramp that money.
And so you're doing this across this ransomware service.
And one of the unique things that is both a strength but a vulnerability is,
How are they paying all these people along that ransomware supply chain?
They're paying them with cryptocurrencies.
So cryptocurrency and the blockchain become one of those unifying data sets that allow authorities
and those attempting to blunt the impact of ransomware, the ability to identify that strain.
And that's where Kim and her team really shines because they can pull together that data
and give us a better picture of the crypto and ransomware ecosystem.
In fact, you'll probably get into it later in our broadcast about how a lot of those things
consolidate to a surprisingly few number of addresses.
I won't steal her thunder on that, but I was taken aback when I learned about it.
Yeah, Kim, do you want to tell us?
Tell us more about that.
Yeah, well, just a few things. The cool thing about this is, I think Gurvais covered a lot
of really interesting ground.
The first is that, yeah, there is no kind of central data source with the U.S. dollars
where you can see where all the illicit money is going.
There's just no data set like that.
You can't, it's very siloed.
Each investigation is very specific and takes into account many different cross-jurisdictional pieces of information.
You have to coordinate with different, especially when it comes to cross-border investigations.
And so this data set does allow us to have a really strong sense of what is going on overall.
And when it comes to the ransomware as a service business model, yeah, we see this happening a lot. You hear about this in the news. And the cool thing is we can
put data to this phenomenon. So we can see the amount of cryptocurrency that is moving from
ransomware strains to other kind of illicit cyber networks that allow the activity to continue and to go
on, so to darknet marketplaces or to purchasing infrastructure as a service. And what we noticed,
and it didn't actually make it into our crime report,
but what we did notice is that the share of overall ransomware proceeds
going to this infrastructure has been growing pretty fast.
And to me, that means that more of the actual supply chain of crime
is coming onto the blockchain.
So you have less need to cash out to go pay your web hosting provider.
You're doing it on the blockchain.
So that means there are maybe fewer opportunities to catch these people, because that fiat conversion is a really good opportunity to sweep in and
get the identity.
But we're modeling out the business model, the business infrastructure in a way that you just
can't do without this data set.
So we're seeing more money flowing from ransomware strains to these off-ramps.
And then we can look at the money laundering as well.
And what Gurvais was pointing out is that we said, where are all these ransom funds winding up?
What services? Because that's the key, getting them at that off-ramp, that's when maybe you'll be able to freeze the funds.
Maybe you'll be able to catch the person.
And if you're kind of a researcher like me, I'm like, then I can see what's going on and how many bad guys there are.
So ransomware of all the types of criminal activity was the most concentrated on the fewest number of off-ramps,
both in terms of services and deposit addresses receiving those funds.
It was by far the most concentrated.
So of all the other types of illicit activity, which were a little bit more dispersed,
among different services, ransomware went to the fewest services and the fewest deposit
addresses on those services. And to us, that echoes this kind of concentration,
definitely, but also that criminals who carry out many
different ransomware attacks will then use the same money laundering infrastructure to move their funds.
And to us, that shows that, hey, these groups are connected. And this is them purchasing
almost the money laundering portion of their attack.
And this whole ransomware as a business infrastructure process.
And Laura, why that is significant from an investigator's perspective:
I remember from my time in the FBI, when we were looking to dismantle a criminal organization,
one of the things was to look at their hierarchy, how they operate, how they communicate, how they
move money.
And if you could find those central nodes that were critical to maintaining their network
infrastructure of how they do a business, and you could isolate and eliminate those by arresting
or seizing funds or denying them the ability to perform those actions, you could really impact
the viability of that whole network and in some cases completely dismantle it or really set them back
and they would have to go to extraordinary means to route around that. Just like if you're on an
island, there's only one highway to get to either side of the island and there's a rock slide,
nobody's going anywhere until you can build a new road or get rid of the rocks. And that's
where this kind of information can become so powerful for investigators to understand and map
that ecosystem so they can identify those network nodes and those operators to take them down
to dismantle the ability for these campaigns to continue and propagate.
Kim, earlier when you were talking about kind of the small number of places where these payments
are being made, what you're saying is, or you tell me if this interpretation is correct,
that even though there are different strains of ransomware that are going
around, based on the movement of those payments, it appears that multiple of them are actually
perpetrated by the same groups or that the same service providers are, you know, working with
like many or not many, but, you know, with multiple groups. And so even then at certain points,
like certain payments will always end up in the same places. Is that kind of where you were going
with that? Yeah. Those both could be true depending on the strain, but I'll give you an example. We've identified a really large laundering service.
We know this is a laundering service. And they're receiving funds from multiple disconnected strains
that are not considered to be written by the same operator. And so how did they all wind up
at the same, using the same laundering infrastructure? Potentially, there's an affiliate.
An affiliate is someone who is associated with a ransomware strain and they're really behind
the attack. An affiliate might be migrating between multiple strains and then using their kind of
contacts to send the money to the money laundering person. I mean, we know in money laundering
rings using US dollars or fiat, there are many different people who are responsible for
different parts of moving the money. And so there's not one person who moves the money;
there's, you know, runners around the world and whatnot.
And so there are people who are connecting multiple strains together.
And so the takeaway for me is that this ecosystem is maybe a little bit smaller than
you would have thought otherwise.
And thereby potentially more vulnerable.
Yeah, we're going to talk about that in a second.
But first, I wanted to ask, and I'm not sure if there is a figure on this, but do you have a sense of what percentage of victim organizations do pay the ransom?
My answer to that is that there's a data problem with ransomware that we're working really
hard right now to overcome, with initiatives like participating in the Ransomware Task Force,
which is bringing lots of different stakeholders together to say, how can we all work together to
combat this problem? There's a data problem because
there's an under-reporting problem. People are attacked and maybe they just want to pay the ransom and have this be done with. Or they just ignore it. There's a lot of reasons why people don't report their ransomware attack. And so we only have data on the people who actually reported their ransomware attack. So we can't actually probably give you a good estimate, not to mention the number of people where maybe
there was a phishing attack that could have led to a ransomware infection, but the infosec team weeded that out.
So how does that count?
So we're really trying to navigate this to get better data, to figure out how big this problem is.
And that's why having like a central data source and putting out these numbers where, you know, over $100 million in ransomware payments year to date is really important.
So we can size the problem up.
But that's a long way of saying that I'm not quite sure.
But do you guys have a recommendation on whether or not victim organization should pay the ransom?
Or just in general, what would you say is the best protocol for them?
You know, we don't really have a position where we advocate whether to pay or not pay.
I can tell you what the authorities say and recommend is not to pay.
But if you do, please let us know as soon as possible.
And that's kind of the message that you hear repeated oftentimes out of the authorities is they recommend not paying because it further funds the next attack because the money received from this attack only propagates into the next one.
And so the exploitation cycle continues and you want to break the chain, no pun intended.
But they do say if you do and you make that business decision, then please let us know because time is not your friend by delaying.
All right.
So in a moment, we're going to dive more into the cryptocurrency aspects of this whole situation.
But first, a quick word from the sponsors who make this show possible.
With over 10 million users, crypto.com is the easiest place to buy and sell over 90 cryptocurrencies.
Download the crypto.com app now and get $25 with the code Laura.
If you're a hodler, crypto.com Earn pays industry-leading interest rates on over 30 coins,
including Bitcoin, at up to 8.5% interest, and up to 14.5% interest on your stablecoins.
When it's time to spend your crypto, nothing beats the crypto.com Visa card, which pays you up to 8%
back instantly and gives you a 100% rebate for your Netflix, Spotify, and Amazon Prime subscriptions.
There are no annual or monthly fees to worry about.
Download the crypto.com app and get $25 when using the code Laura.
L-A-U-R-A.
The link is in the description.
Do you want to trade gold, currencies, or even bananas on Ethereum?
Conjure opens access to the global financial market for Ethereum by allowing for permissionless user-created synthetic assets.
Conjure allows you to create, borrow, and trade synthetic assets which track the value of any conceivable asset, real or abstract, using any price feed you want.
Asset creators are able to earn fees on every mint and scale revenue with direct use for their assets.
Synths are minted by providing Ether to collateralize the asset as 0% interest loans.
Conjure is helping DeFi and turning Ethereum into the real global financial settlement layer.
Trade synths for USD, gold, BTC, or make your own.
So why not check out C-O-N-J-U-R-E dot finance and see what's possible.
Tezos lets you easily exchange smart money throughout our digital world.
A self-upgradable blockchain with a proven track record, Tezos seamlessly adopts tomorrow's innovations without network disruptions today. Because of this adaptability,
engineers, conservationists, entrepreneurs, collectors, game developers, and artists from around the world
are building, creating, and using Tezos every day. Discover how people are reimagining the world around
you on Tezos.
Back to my conversation with Gurvais Grigg and Kim Grauer. So let's talk more about
the cryptocurrency aspect of this phenomenon. The perpetrators are demanding cryptocurrency as
their ransom. Why is it that this is their preferred way of being paid?
I think it's the preferred way of getting paid because to some degree, it's easier to tell
victims to go to a certain known exchange and it's easier to onboard people onto Bitcoin.
So there's a lot of really user-friendly ways for people to acquire cryptocurrency.
So you can imagine your regular victim of a ransomware attack might have never really
heard of Bitcoin.
So are you going to teach them how to download all of these things to use Monero or something?
So there's a little bit of the fact that it's easier.
There's also the fact that these criminals are asking for millions and millions of dollars;
the most recent one was asking for $70 million.
And using some privacy coins, you might have a little bit of a liquidity problem.
How do you offload that money? Increasingly, exchanges are thinking of those currencies as being
riskier. So those are two reasons why people might prefer Bitcoin. I don't know, Gurvais,
do you have other ideas? Well, but even also to just take a step back, like why would they
prefer cryptocurrency rather than, you know, just normal U.S. dollars?
Yeah. So at the end of the day, they want to get paid, and they want to get paid as quickly as possible in a manner that is as fungible as possible. And to the degree that it allows them a level of anonymity or perceived anonymity, they're going to pursue that, right? Drop the cash in a brown paper bag at the corner of Walk and Don't Walk near the dark alley and drive away, right? They don't want to be detected. So there is, and this is one of the things we've written about,
this perception that cryptocurrencies are anonymous.
And at best, they're pseudo-anonymous.
But there is that perceived anonymity associated with it.
And to Kim's point, the ease of use in the speed,
because cryptocurrency can move across jurisdictions in a moment, right?
And then they can quickly move it from there to another and to another.
Back in the day when some of the romance scams and other things were happening,
you know, and the little old lady had to go into the bank to pay this money,
you know, she had to interact with the bank manager.
The bank manager was asking, well, Mrs. Jones, why are you withdrawing $10,000 and wanting to wire it to country X? And so there were a lot of barriers to entry, whereas here, Mrs. Jones never has to leave her home. Now, that was a fraud example, but the same thing is true here for the company. There's that lowered barrier to entry without some of the perceived checks and balances that help protect our financial institutions and systems. And so many of these criminals are opting for cryptocurrency because of that: both the perceived anonymity
and the speed and ease of access.
We even see them demanding that they go to local cryptocurrency ATMs, right?
And do it right through there.
Oh, wow.
So they're directing people just to go directly to a Bitcoin ATM.
In some cases, right?
Now, for these large-scale things, you're not going to go and do a $70 million transaction
at the cryptocurrency ATM near your local convenience store.
But you can see the availability of these, and there are, you know, over 15,000 in the United States alone, and they're growing by the day.
And so that offers opportunities for individuals to engage in the cryptocurrency market space,
but it also facilitates, you know, some of these types of actors because it's, you know,
ease of access for them.
And so Kim was implying that they tend to gravitate toward Bitcoin, but why is that over a privacy
coin just because of the liquidity aspect? Or, you know, I would think, you know, obviously we
all know that Bitcoin is pretty well traceable. So are we seeing them gravitate more toward privacy
coins? We have seen some using privacy coins, but there are the limitations that
we suggested. And at the end of the day, it really is just what's the fastest way to get me
paid now so I can cash that out into a usable currency. And I think Bitcoin is at least perceived
to be the most effective way to get there.
fungibility, speed, ease of use, big factors.
Interesting.
So you don't foresee, because I would imagine that if they do turn to privacy coins in a large-scale way,
then that would make it much more difficult for people like you to follow the funds.
Well, you can see, and I think we've seen a positive impact in certain jurisdictions around the world,
where they have taken hard looks at privacy coins and exchanges, for example,
South Korea recently required that these privacy coins be moved off of their exchanges in their country.
And so you can see some of that regulatory pressure happening to free up and make available
a safer transaction space.
And so a lot of these privacy coins are looked upon in a negative light from a regulatory stance.
And many of those countries have implemented or are implementing safeguards for that.
Interesting.
So are we finding that for a lot of these victim organizations that they have an easy time following
the instructions to pay in their crypto because, you know, I'm sure we're all quite well
aware that most everyday people do not really know how to transact with this stuff.
So how do they ensure that they actually do get paid, the criminals?
I've seen detailed instructions on how to make an account on a local exchange.
I've seen it on various exchanges; I think I saw one on LocalBitcoins.
I've seen them pointing you to certain exchanges and giving you step-by-step instructions on
what to do, detailed instructions on exactly how to acquire Bitcoin and where to send it to.
So there's also the flip side.
I think with the really big ransomware payments, they tend to
contract out someone to actually handle the whole process of the ransomware payment. So they'll
hire someone to negotiate and to ultimately pay the ransom. So they, of course,
have more expertise. But those tend to be for the really large attacks where there's
lots of money, up to multi-millions of dollars, that is asked for in cryptocurrency. But other than that,
I mean, maybe there are some times where people just couldn't figure it out and didn't pay it and then rolled the dice and hoped they got their funds back.
But we can only kind of guess on what's happening with them.
You mean they got their files back, their data?
Yeah, yeah.
We can only guess.
Like if they couldn't figure it out and didn't pay, did they get their files back?
We don't, we don't know unless they reported it.
Well, yeah, I mean, I don't know.
I would imagine they probably don't, right?
If they don't pay, I would imagine that they really just don't get them back.
But then out of curiosity, when people actually do pay the ransom to the criminals, then actually
decrypt the files for them?
I've seen both happen.
I've heard of both happening.
I've heard people paid and they didn't get their files decrypted.
I've heard people pay and they did.
I've even heard of people finding universal decryptors not paying and getting out of it that way.
I think it really depends on your circumstances and who was attacking you.
Okay.
So once the attackers do have the ransomware payment, assuming that they do get paid,
how do they cash out?
You've kind of alluded to these money-laundering-as-a-service providers.
So how many are there?
Where are they located, et cetera?
So the first thing we do to answer that question is we look at all of the wallets that are
controlled by different strains, and then we just look at where they go after they leave the wallet.
And that's where we're going to see them going to the infrastructure as a service that we mentioned,
the darknet marketplaces to support further attacks,
but also services where they can convert those funds to either other cryptocurrencies or to fiat.
And what we're seeing there is the funds moving through
sometimes one wallet, sometimes thousands of wallets, to potentially obfuscate detection,
and then winding up on a few services. From there we can only guess, because our visibility stops with the blockchain transactions, and at many exchanges a lot of the trades that
happen are on order books that they manage internally. We can only kind of guess what
happened after that, but at least we know where to look, where to direct law enforcement.
So this exchange, this deposit address. And then from there, the next step would be a subpoena where you could say, hey, what do I know about the person managing this deposit address?
It looks like it's actually a service or an OTC broker or an individual and pieced together all of those other pieces with that off-chain intelligence that we don't personally have.
And is your sense that there are many such services like these? And if so, you know, is that why they are still able to proliferate? Because, you know, like you said, if it's something where you can identify an account and get a subpoena to get more information on that, I would imagine that that would be a very natural vector for law enforcement to go after.
There aren't very many.
There are not very many deposit addresses that are receiving the illicit funds.
It's surprisingly concentrated on a few very large deposit addresses that mostly do criminal activity.
One of the cool things you can do is say, okay, let's look at the deposit addresses on exchanges that were receiving illicit funds.
What other types of things are they doing?
Are they doing 5% ransomware, 95% derivatives trading?
And that can get you a profile of who these deposit addresses are.
And then from there, you could say, oh, it looks like this deposit address receives 50% funds from these three different strains.
And the rest of their funds are really large transfers, rounded amounts of cryptocurrency;
that looks like maybe a poorly regulated OTC broker that's operating off of these few services.
And yeah, there's opportunities for disruption there.
There's things that can be done.
I mean, this is an ongoing thing that we're dealing with as an industry.
What do we do about this?
And profiling these deposit addresses has been something that has proven to be really
extremely interesting, because we can get into the weeds of who
these organizations are. Is it one ransomware transfer and then they shut down, or consistent
ransomware transfers over the past five years? With those types of questions, you can start to
situate the deposit addresses into different categories, which helps you profile them even more.
And to Kim's point on that, it shows that it takes a multifaceted solution approach.
You need not only your law enforcement agencies working, but you've got your regulators
as well, right? So that whole-of-government solution to dismantle these ransomware capabilities.
Yeah, one thing I was thinking about was Kim's earlier comment in the episode where she said that
it kind of increasingly they're not actually cashing out to fiat and kind of transacting more in
cryptocurrency. It frankly makes me think, so not only does that mean that then there are fewer
points at which law enforcement maybe could get more insight into these groups, but then,
you know, have ways to kind of intercede. But it also makes me think that as the wider world
adopts crypto, then there will be more opportunities for them to perpetrate these attacks
and get paid without, you know, having to worry so much about law enforcement. But who knows,
maybe by then law enforcement will have new tools.
So one thing in terms of tools that, Gurvais, you mentioned earlier
was that you said in a blog post that the ransomware phenomenon has parallels to terrorism.
And what are those parallels?
Yeah.
You heard national leaders draw that comparison.
And I think part of that came from that sense of urgency and need for national unity
to pull together a whole of government solution for it.
It clearly is a threat because it's impacting people's daily lives.
When you disrupt fuel supply for a major portion of a large country like the United States,
or you impact food production, or you disrupt major health care providers or banking and your ability to access your funds,
you're affecting people's lives.
And that's creating terror and fear and sowing that kind of distrust in the system.
So the analogy is clearly there to draw between counterterrorism and ransomware.
What I was expanding on in that article was, well, what are some of the solutions that we've
implemented successfully over the past several decades to counter the terrorism threat?
And what are their potential analogies to the ransomware?
Clearly, of course, you've got to do a good bit on awareness and communication to sort of bring
people up to speed on what is this threat.
We talked about the whole of government solutions that you need, both integrated coordination
between national policymakers, law enforcement, intel, regulatory entities.
There's also resourcing the problem, right?
I mean, this problem takes resources to address, and those resources are not just from the government.
If you look into private industry, when you look at the cyber hygiene of some of these
companies and some of those that became victims of it, perhaps some
cyber advisors would say there were things they could do to prevent that from happening next time.
So it's a real complicated but understandable problem.
So when you were talking about kind of the whole ecosystem, the ransomware is a service and
then all the other actors involved, and you mentioned that it's sort of creating this
little industry with these players and there's consolidation happening.
And you said that that actually represents ransomware's biggest vulnerability.
So how can that be exploited to prevent further attacks?
Right. Building on what Kim was talking about there is understanding who are the key players,
what are those nodes in this ransomware supply chain where maybe the key mixing services,
the key offloading and money laundering services, who are the big purveyors of some of these
exploits and tools that they're leveraging, or their web hosting or cloud providers?
And then going after those.
You know, recently I shared this analogy with a friend about a vehicle.
There's a current backlog on a number of vehicles here in the U.S.
Why?
Because the chips that go into those vehicles are on backlog.
So you have this complex machine that's got thousands of moving parts, is enormous,
weighs 2,000 pounds.
And yet the whole production is dismantled and delayed for a small little chip, right?
And that's analogous even to ransomware. So if you can understand how all those parts fit together in the
ransomware and then be strategic about your targeting and going after those nodes, you can really
affect the whole network. And so what I mean by that, and that's some of the counterterrorism
strategies that have been applied successfully is identifying the leadership, the funding, how they
travel, how they radicalize and recruit. Well, those same kinds of analogies can be applied here to ransomware
and some of the things that Kim talked about. And I think that's a framework that government agencies
across the world can pursue to reduce the impact ransomware is having on us.
But I think you're right.
We are going to see it continue to grow because currently there's nothing to disincentivize
this activity.
And so many of them are moving forward.
It seems like the same playbook that REvil used, but in reverse, because they attacked
Kaseya, which had all of these companies that were relying on its information.
And so if you do the reverse to them, it would have the same effect.
So now let's actually talk a little bit about Colonial Pipeline. In May, hackers ransomed the systems of that company, which is one of the largest pipeline operators in the U.S.
And they requested 75 Bitcoins as ransom. And 63.7 of those were paid to the hacker. The rest presumably went to DarkSide, which was the ransomware-as-a-service provider, as a commission. And the U.S. Department of Justice was able to seize those 63.7 BTC. And it's not
known exactly how they did so. So what do you think are the most likely theories?
Well, I hate to disappoint, but I'm really not in a position to talk about that particular
instance or case. What I can say is, I think it illustrates, though, the need for raising the
crypto literacy and capabilities of government agencies, because it's not enough just to defend
against an attack, nor to push it back or to find the people responsible. But you also want to
return the money back to the victims. And then, of course, potentially never let them become a
victim in the first place by some of the proactive things we talked about earlier in the broadcast.
And I think that is one of the takeaways from that type of an incident.
Okay. I will mention that there was an analysis by Galaxy Digital's research arm.
And there, a couple of theories were, first, that maybe DOJ was able to serve a warrant to an
onshore exchange or OTC desk, who then complied with law enforcement.
The second theory could be that DOJ got access to a compromised computer that had access to that wallet.
And Darkside had said previously that its servers had been compromised.
And then another theory was that maybe the FBI had apprehended someone who was affiliated
with the hackers who had access to the private keys.
So that's just for listeners who are wondering how that was able to happen.
It's not necessarily that Bitcoin itself is compromised.
All right.
So, you know, at the moment, we are seeing quite a lot of movement or at least talk about the government.
So what would you say are the best tools that the government can use now to prevent and combat ransomware?
Yeah. Well, this is going to lead quickly into Kim's strength. But let me just set the stage.
You really, first, it begins with data. You've got to have the right data to both understand the ecosystem that you're dealing with, as well as who the players and actors are and what those transactions are moving across.
The blockchain, of course, is a public available ledger and anyone can look at it.
But having the right tools to interpret that data really becomes important and be able to do that at the speed crypto moves at.
And I think that's where you're going to see a lot of growth in this market space of both making the right data available and the tools to help quickly reduce the time to insight and to follow it.
Kim.
I would echo that first and foremost, data is most important, at least if you're thinking
about, if you're a victim who has paid a ransom, what's your best shot of, you know,
getting your funds back? And then you have the bigger question of, okay, ransomware is picking up.
We called 2020 the year of the ransomware because there was over 300% growth and probably
more now. And 2021 right now on the track that we're on right now is going to just far exceed 2020
in terms of the funds going to ransomware.
This is something that's growing really fast.
And so I think the industry solution is probably multi-pronged around education, info security,
but also awareness of how we can see every player that we have data on.
We can see what they're doing.
We can see their operations and we can see where they're cashing out.
And the fact that the money laundering infrastructure is
smaller than we had originally anticipated, I think, actually makes it feel a little bit more
manageable, to me at least, than, oh my gosh, there's ransomware happening every single day,
millions of attacks. But actually, like, this is the size of it. These are how many
different groups we're tracking. And these are the off-ramps that they use. And so kind of that level
of transparency makes a really scary problem feel more manageable. But other than that,
I think just it's going to be a multi-pronged approach to tackling this, this problem.
Yeah, and maybe the fact that it's very much an international problem will also help
because when you have so many different countries and industries that are affected,
I imagine that maybe that will be more motivating to people to kind of band together and act.
Or do you get a sense that that helps?
Oh, yeah.
So international cooperation, public-private partnerships. There are probably some legislative changes that are needed to strengthen the consequences
and legislation around ransomware and those that perpetrate those type of cyber events that
increase focus on asset recovery and sanctions, work that can be done to raise the fences,
the cyber fences, if you will, among critical industry and infrastructure providers to make
them less vulnerable for exploitation. And then as we talked about, literally going after with a
focus dismantlement campaign to identify those key players, actors, and nodes on that network
and go after them from a regulatory perspective, from a law enforcement perspective, and the like.
All right. Well, I guess we'll have to see how the rest of this year plays out.
Hopefully it won't snowball into something even bigger, but it sort of looks that way at the moment.
All right. Well, where can people learn more about each of you and Chainalysis?
You can find our research on our blog.
We have a section that details all of the research we've put out.
And you can subscribe to our newsletter so you can get insights into what types of new research we're putting out and what we're paying attention to.
And yeah, we're always doing new research topics right now.
We're focusing on the geography of cryptocurrency, which is, you know, the other 99% of activity that isn't illicit.
You know, what's going on there?
So, yeah.
Yeah, as Kim said, you can go to our website and Kim and I routinely publish information there and updates along with others from the company.
And we'd welcome you give us a visit.
Okay, great.
All right, well, thank you both so much for coming on Unchained.
Thank you so much, Laura.
Thank you.
Thanks so much for joining us today.
To learn more about Gurvais and Kim, check out the show notes for this episode.
Unchained is produced by me, Laura Shin, with help from Anthony Yun, Daniel Ness, and Mark Murdoch.
Thanks for listening.
Thank you.
