2020 was a record year for ransomware payments ($692 million), and 2021 will likely be higher once all data is in, Chainalysis recently reported. Moreover, with the outbreak of the war between Ukraine and Russia, the use of ransomware as a geopolitical tool – and not just as a money grab – is expected to increase as well.
But a new US law could turn this rising tide of extortion. US President Joe Biden recently signed the Strengthening American Cybersecurity Act or the Peters Act, which requires infrastructure companies to report substantial cyberattacks to the government within 72 hours and within 24 hours upon payment of ransomware.
Why is this important? Blockchain analysis has proven increasingly effective at disrupting ransomware networks, as seen in last year’s Colonial Pipeline case, where the Department of Justice was able to recover $2.3 million of the total paid by a pipeline company to a ransomware ring.
But to maintain this positive trend, more data is needed and provided in a more timely manner, especially the crypto addresses of malicious parties, as almost all ransomware attacks involve blockchain-based cryptocurrencies, usually Bitcoin (BTC).
This is where the new law should help, as so far ransomware victims rarely report the extortion to the government or others.
US President Joe Biden and Shalanda Young, director of the Office of Management and Budget, at the White House, March 28, 2022. Source: Reuters/Kevin Lamarque
“It will be very helpful,” Roman Bieda, Coinfirm’s head of fraud investigations, told Coin-Crypto. “The ability to instantly ‘mark’ specific coins, addresses or transactions as ‘risky’ […] allows all users to recognize the risk even before any money laundering attempt.”
“It will definitely aid in blockchain forensics analysis,” Allan Liska, senior intelligence analyst at Recorded Future, told Coin-Crypto. “While ransomware groups often switch wallets for each ransomware attack, that money eventually flows back into a single wallet. Blockchain researchers have become very good at connecting those dots.” They managed to do this despite mixing and other tactics used by ransomware rings and their confederate money launderers, he added.
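The “connecting the dots” Liska describes is, at its simplest, graph traversal over a transaction ledger. The following is an added illustration, not code from the article or from any of the firms quoted in it: it takes a constructed mini-ledger in which three per-attack ransom addresses (placeholders R1, R2, R3, not real Bitcoin addresses) are drained through intermediaries into a shared cash-out address, follows the funds forward from each ransom address, and reports the downstream addresses that more than one ransom payment reaches. It also applies the standard common-input-ownership heuristic (addresses spent together in one transaction are assumed to share a controller), which is a well-known technique in the field rather than something the article itself spells out.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real chain data). Each entry is a simplified
# transaction: the addresses it spends from and the addresses it pays to.
# Amounts and scripts are omitted; all names are placeholders.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": ["R1"]},
    {"txid": "t2", "inputs": ["victimB"], "outputs": ["R2"]},
    {"txid": "t3", "inputs": ["victimC"], "outputs": ["R3"]},
    {"txid": "t4", "inputs": ["R1"], "outputs": ["M1", "change1"]},
    {"txid": "t5", "inputs": ["R2"], "outputs": ["M2"]},
    {"txid": "t6", "inputs": ["M1", "M2"], "outputs": ["CASHOUT"]},
    {"txid": "t7", "inputs": ["R3"], "outputs": ["M3"]},
    {"txid": "t8", "inputs": ["M3", "CASHOUT"], "outputs": ["EXCHANGE_DEPOSIT"]},
]


def build_flow_graph(txs):
    """Directed edge input_addr -> output_addr for every transaction."""
    graph = defaultdict(set)
    for tx in txs:
        for src in tx["inputs"]:
            graph[src].update(tx["outputs"])
    return graph


def trace_forward(graph, start, max_hops=10):
    """Breadth-first search: every address reachable from `start` by following
    spends, stopping after max_hops to keep the search bounded."""
    seen, frontier = set(), deque([(start, 0)])
    while frontier:
        addr, hops = frontier.popleft()
        if hops >= max_hops:
            continue
        for nxt in graph.get(addr, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, hops + 1))
    return seen


def consolidation_points(txs, ransom_addrs, min_sources=2):
    """Downstream addresses reached by at least `min_sources` distinct ransom
    addresses, most-shared first. These are the candidate 'single wallet'
    into which separate attacks' proceeds flow back."""
    graph = build_flow_graph(txs)
    reached_by = defaultdict(set)
    for ransom in ransom_addrs:
        for addr in trace_forward(graph, ransom):
            reached_by[addr].add(ransom)
    hits = {a: srcs for a, srcs in reached_by.items() if len(srcs) >= min_sources}
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def shared_input_clusters(txs):
    """Union-find over the common-input-ownership heuristic: addresses that are
    spent together as inputs of one transaction are grouped as one controller.
    Returns only groups with more than one address."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        parent[find(a)] = find(b)

    for tx in txs:
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            union(first, other)
    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return sorted((frozenset(g) for g in groups.values() if len(g) > 1),
                  key=lambda g: sorted(g))


if __name__ == "__main__":
    for addr, sources in consolidation_points(SAMPLE_TXS, ["R1", "R2", "R3"]):
        print(f"{addr}: reached by {sorted(sources)}")
    for cluster in shared_input_clusters(SAMPLE_TXS):
        print("same-controller cluster:", sorted(cluster))
```

On the sample ledger the trace shows that all three ransom payments end up at the placeholder EXCHANGE_DEPOSIT address, and that CASHOUT is shared by two of them; the input heuristic additionally ties M3 to CASHOUT because they are spent together in t8. Real investigations add amount matching, change-address detection and exchange attribution on top of this, and mixers deliberately break the simple edges this traversal relies on.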
Siddhartha Dalal, professor of professional practice at Columbia University, agreed. Last year, Dalal co-authored a paper titled “Identification of Ransomware Actors in the Bitcoin Network,” which described how he and his fellow researchers were able to use graph learning and blockchain analysis algorithms to identify ransomware attackers with “85% prediction accuracy on the test dataset.”
While their results were encouraging, the authors stated that they could achieve even better accuracy by further improving their algorithms and, critically, “obtaining more data that is more reliable.”
The challenge for forensic modellers here is that they are working with very unbalanced or skewed data. Columbia University researchers were able to tap into 400 million Bitcoin transactions and nearly 40 million Bitcoin addresses, but only 143 of these were confirmed ransomware addresses. In other words, the non-fraud transactions vastly outnumbered the fraudulent ones. With data this skewed, a model will either flag a lot of false positives or ignore the fraudulent cases altogether as a negligible fraction.
Coinfirm’s Bieda gave an example of this problem in an interview last year:
“Suppose you want to build a model that takes pictures of dogs from a wealth of cat pictures, but you have a training dataset with 1,000 cat pictures and only one dog picture. A machine learning model would learn that it’s okay to treat all pictures as cat pictures, since the margin of error is [only] 0.001.”
In other words, the algorithm would “guess ‘cat’ all the time, which of course would render the model useless, even if it scored high in overall accuracy.”
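The “guess ‘cat’ all the time” failure is easy to reproduce numerically, and doing so shows why accuracy is the wrong yardstick for ransomware-address classification. The block below is an added example, not code from the article or from the Columbia paper: it builds a constructed set of 10,000 benign addresses and only 10 ransomware addresses, each with a hypothetical risk score, then compares how different metrics rank a threshold that flags nothing (the “always cat” model) against thresholds that actually catch the 10 ransomware addresses. Scores, counts and thresholds are all invented for illustration.

```python
def constructed_dataset():
    """Constructed (risk_score, label) pairs, label 1 = confirmed ransomware.
    10,000 benign addresses with scores spread evenly over [0, 1) and just
    10 ransomware addresses, all scoring 0.99. Not real chain data."""
    benign = [(i / 10000, 0) for i in range(10000)]
    ransomware = [(0.99, 1)] * 10
    return benign + ransomware


def confusion(data, threshold):
    """Flag an address when score >= threshold; return (tp, fp, fn, tn)."""
    tp = fp = fn = tn = 0
    for score, label in data:
        flagged = score >= threshold
        if flagged and label:
            tp += 1
        elif flagged:
            fp += 1
        elif label:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def metrics(tp, fp, fn, tn):
    """Accuracy plus the imbalance-aware metrics an analyst should look at."""
    total = tp + fp + fn + tn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    specificity = tn / (tn + fp) if tn + fp else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {
        "accuracy": (tp + tn) / total,
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "balanced_accuracy": (recall + specificity) / 2,
    }


def choose_threshold(data, metric, candidates):
    """Return the candidate threshold that maximises the named metric."""
    return max(candidates, key=lambda t: metrics(*confusion(data, t))[metric])


# 1.01 can never be reached, so that threshold flags nothing: the "always cat" model.
THRESHOLDS = [0.5, 0.9, 0.97, 0.99, 1.01]

if __name__ == "__main__":
    data = constructed_dataset()
    print(f"{'thr':>5} {'tp':>3} {'fp':>5} {'fn':>3} {'acc':>7} {'prec':>6} {'rec':>5} {'f1':>6} {'bal':>6}")
    for t in THRESHOLDS:
        tp, fp, fn, tn = confusion(data, t)
        m = metrics(tp, fp, fn, tn)
        print(f"{t:>5} {tp:>3} {fp:>5} {fn:>3} {m['accuracy']:7.4f} {m['precision']:6.3f} "
              f"{m['recall']:5.2f} {m['f1']:6.3f} {m['balanced_accuracy']:6.3f}")
    for metric in ("accuracy", "f1", "balanced_accuracy"):
        print(f"best threshold by {metric}: {choose_threshold(data, metric, THRESHOLDS)}")
```

Selecting the threshold by accuracy picks 1.01, the model that flags nothing yet scores 99.9%, exactly the useless outcome Bieda describes; selecting by F1 or balanced accuracy picks 0.99, which catches all 10 ransomware addresses at the cost of 100 false positives that an analyst can then review. This is why the Columbia authors’ “85% prediction accuracy” is only meaningful alongside the recall and precision on the 143 confirmed addresses.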
Dalal was asked if this new US legislation would help expand the public dataset of “fraudulent” Bitcoin and crypto addresses needed for more effective blockchain analysis of ransomware networks.
“There is no doubt about it,” Dalal told Coin-Crypto. “Of course, more data is always good for any analysis.” But more importantly, under the law, ransomware payments will now be revealed within a 24-hour period, providing “a better chance of recovery as well as capabilities to identify servers and attack methods so other potential victims can take defensive steps to protect them,” he added, because most perpetrators use the same malware to attack other victims.
An underused forensic tool
It is generally not known that there are benefits to law enforcement when criminals use cryptocurrencies to fund their activities. “You can use blockchain analytics to discover their entire supply chain,” said Kimberly Grauer, research director at Chainalysis. “You can see where they buy their bulletproof hosting, where they buy their malware, their affiliate in Canada” and so on. “You can get a lot of insights for these groups” through blockchain analysis, she added at a recent Chainalysis Media Roundtable in New York City.
But will this law, which will take months to complete, really help? “It’s positive, it would help,” Salman Banaei, co-head of public policy at Chainalysis, replied at the same event. “We’ve argued for it, but it’s not like we flew blind before.” Would it make their forensic efforts significantly more effective? “I don’t know if it would make us much more effective, but we would expect some improvement in terms of data coverage.”
Details still need to be worked out in the regulatory process before the law is implemented, but an obvious question has already been asked: which companies must comply? “It’s important to remember that the bill only applies to ‘entities that own or operate critical infrastructure,'” Liska told Coin-Crypto. While that may include tens of thousands of organizations in 16 industries, “this requirement still applies to only a small fraction of organizations in the United States.”
But maybe not. According to Bipul Sinha, CEO and co-founder of Rubrik, a data security firm, the infrastructure sectors named in the law include financial services, IT, energy, healthcare, transportation, manufacturing and commercial facilities. “In other words, just about everyone,” he recently wrote in a Fortune article.
One more question: should every attack be reported, even those deemed relatively trivial? The Cybersecurity and Infrastructure Security Agency, to which the companies will report, recently noted that even small incidents can be considered reportable. “Due to the looming risk of Russian cyber-attacks […] any incident can yield important breadcrumbs leading to a sophisticated attacker,” The New York Times reported.
Is it correct to assume that the war makes the need for preventive measures more urgent? President Joe Biden, among others, has raised the risk of retaliatory cyberattacks by the Russian government. But Liska doesn’t think this threat has materialized – not yet, at least:
“The retaliatory ransomware attacks after the Russian invasion of Ukraine do not appear to have materialized. Like much of the war, there was poor coordination on the Russian side, so any ransomware groups that may have been mobilized were not.”
Yet in 2021, nearly three quarters of all money earned from ransomware attacks went to Russia-linked hackers, according to Chainalysis, so an increase in activity from there cannot be ruled out.
Not a standalone solution
Machine learning algorithms that identify and track ransomware actors seeking blockchain payments — and nearly all ransomware is blockchain-enabled — are now bound to improve, Bieda said. But machine learning solutions are just “one of the factors supporting blockchain analytics and not a standalone solution.” There is still a critical need “for broad industry collaboration between law enforcement agencies, blockchain research firms, virtual asset service providers and, of course, victims of blockchain fraud.”
Dalal added that many technical challenges remain, mostly a result of the unique nature of pseudo-anonymity, explaining to Coin-Crypto:
“Most public blockchains are not authorized and users can create as many addresses as they want. The transactions get even more complicated because there are tumblers and other mixing services that can mix corrupted money with many others. This increases the combinatorial complexity of identifying perpetrators hiding behind multiple addresses.”
Still, it seems to be going in the right direction. “I think we’re making significant progress as an industry,” Liska added, “and we’ve done that relatively quickly.” A number of companies have done some very innovative work in this area, “and the Treasury Department and other government agencies are also starting to see the value in blockchain analysis.”
On the other hand, while blockchain analysis is clearly making strides, “so much money is currently being made from ransomware and cryptocurrency theft that even the impact this work has pales in comparison to the overall problem,” Liska added.
While Bieda sees progress, getting companies to report blockchain fraud will still be challenging, especially outside of the United States. “Over the past two years, more than 11,000 victims of blockchain fraud have reached Coinfirm through our Reclaim Crypto website,” he said. “One of the questions we ask is: ‘Have you reported the theft to the police?’ – and many victims do not.”
Dalal said the government’s mandate is an important step in the right direction. “This will definitely be a game changer,” he told Coin-Crypto, as attackers won’t be able to keep reusing their favorite techniques, “and they’ll have to move much faster to attack multiple targets. It also lessens the stigma attached to the attacks and potential victims will be better able to protect themselves.”