Imagine going to your car, and finding that you are unable to unlock the doors or start the engine. Then you notice a message on your phone. It’s a ransom note indicating that your automobile has been locked down and taken hostage. You are required to send bitcoin to an unknown address if you want to release your car. Sound crazy? It shouldn’t. According to security expert Jason Ingalls, Founder and CEO of Ingalls Information Security, this scenario is not too far off from our current reality.
Bitcoin and other cryptocurrencies are fueling a wave of ransomware attacks to the tune of $1.4 billion in the U.S. Hackers encrypt the victim’s data and then require the victim to pay a fee in bitcoin or certain other cryptocurrencies to obtain the decryption key needed to release the data. According to Coveware, which helps companies remediate ransomware, in Q4 2019, victims who paid a ransom to receive decrypting software successfully decrypted 97% of their encrypted data.
Ransomware isn’t new. The first ransomware attack was reported more than thirty years ago. But crypto makes it easier for the bad guys. “Cryptocurrency serves an important role in ransomware’s international chain of wealth transfer from victim to criminal,” says Ingalls.
Privacy coins like Zcash and Monero may get a bad rap for enabling criminal activity, but they are not as prevalent as people think. In fact, they represent only 1% of the ransom paid. According to Liat Shetret, senior advisor for crypto policy and regulation for Elliptic, a blockchain analytics company, privacy coins do not spur ransomware. She explains, “privacy coins are not the crypto asset of choice for ransomware because bitcoin is easier to obtain. With privacy coins, the cash-out options are more limited, and that minimizes the hackers’ ability to mobilize their money.”
Ransomware is the first scalable cybersecurity threat. Ingalls warns that the bad guys are operating at scale. They are organized and there is an ecosystem of cyber criminal activity. According to Ingalls, access experts operate together with ransomware crews on message boards and forums on the dark web. Once they have successfully launched an attack, they remove access to all the data onsite, and hold the keys to recovery. Then the keys are sold to victim businesses, governments, and other organizations for millions in ransom.
Attorney Alex Kanen, whose legal practice is focused on the intersections of real estate, private equity and blockchain, has had clients who received ransom notices that their data had been encrypted. “Their initial response is usually quiet panic,” he explains. “They feel the need to respond to the hackers quickly because the ransom fee usually grows if deadlines are not met, and with little fanfare so as not to draw attention to the security breach. In these situations, a quick response and the right resources are imperative to regain control of the systems and data,” he adds. But this is no easy task.
According to Kanen, clients should think twice about dealing with hackers on their own. “Often the stakes are high and you need to bring in an experienced intermediary with the technical know-how to make sure that all of the data is verified and safely recovered.” Kanen advises that there can be legal concerns as well. Clients shouldn’t send crypto to a random wallet. “What if that wallet is associated with terrorists or you are seen as financing illegal activity?” he offers. The intermediary creates a protective layer between the victim and the bad actor.
Maddie Kennedy, communications director at Chainalysis, the blockchain analysis company, encourages victims of ransomware to contact law enforcement. But many victims do not want to call attention to their fraught situation and, therefore, seek to handle the situation privately. According to Kennedy, ransomware is underreported, so it is difficult to quantify the problem. “Anecdotally, you know it is bad,” she says. “Entire cities are held for ransom!” One trend she reports is ‘ransomware as a service,’ or RaaS, where developers of ransomware make their ransomware available to others on the dark web for a fee. This leads to further proliferation of ransomware by a whole new swath of less technical bad actors who may target smaller organizations and individuals. No one is immune.
Since the onset of COVID-19, much of the workforce has shifted from offices to homes. This was done out of necessity and without much notice. Most employers have not considered the security implications of working remotely, nor have they assessed the related security risks.
Hackers also appear to be in a state of transition. Ingalls says, “the ransomware ecosystem has had to adapt to the shifting landscape. Now that we are all working remotely, the bad guys are off doing their research to identify our most vulnerable points. A wave of attacks is coming.”
According to Chainalysis, on-chain data suggests ransomware payments were stable or even decreased in early March, when much of the world was locked down. Kennedy adds that hospitals are still being attacked. “Some attackers said they would lay off hospitals. But that has not happened. They have always been a target,” she explains. “When a hospital’s records are held hostage, lives are put in danger. They are more likely to pay.”
For many small businesses, government agencies, non-profits, and even some large companies that haven’t been targeted, the current level of cybersecurity measures is likely unable to protect against ransomware. Ingalls offers that there are four pillars of security: firewalls, patch management, antivirus and backups. The problem is that these traditional pillars crumble in the face of ransomware. Firewalls can’t see ransomware enter or data leave because the traffic is encrypted. Antivirus software is typically unable to detect these modern threats, and in some cases it is itself being used to deploy the ransomware that encrypts the data. Patch management is useless against user-driven commands to install and run malware, or against stolen credentials. And the backups are hunted down and destroyed before ransomware is used to encrypt everything.
Most ransomware attacks start as phishing email attacks. Hackers bombard employees until one succeeds. It only takes one.
Ingalls relays that one hospital client received ransom notes from two distinct ransomware crews that had infiltrated the hospital’s computer systems. The hackers had auctioned off access to the hospital twice! The criminals were in-fighting over who would get paid first. Ingalls and his team frantically deployed tools to contain the intrusion and prevent further damage.
Sooner or later the hackers have to cash out their crypto. Sometimes, this is where they get caught. Bitcoin is not anonymous – it is pseudonymous. This means transactions can be traced and tracked. “Bad guys can convert the bitcoin to an alternative cryptocurrency, and completely wash the currency through multiple altcoin transfers, and then move it back to bitcoin,” says Ingalls, “there are so many different ways to wash the currency.”
Not necessarily. Law enforcement can track down bad actors by analyzing their end-to-end transactions across currencies and crypto exchanges. This is not an easy task, and it only works when crypto exchanges have KYC/AML (Know Your Customer/Anti-Money Laundering) controls for all of the digital assets that they list. “With transparency into the digital asset on the blockchain, you can immediately identify where the money came from and where it is going,” Shetret explains. “It is not enough (and it is not helpful),” she continues, “for an exchange to have KYC/AML controls for only bitcoin when the exchange has multiple assets.” In the U.S., crypto exchanges are required to have the same types of KYC/AML controls as banks. Other jurisdictions, however, may not, and this could lead to a concentration of nefarious crypto-related activity in unregulated and under-regulated jurisdictions.
In this time of pandemic, the last thing we want to worry about is cyberthreats. But ransomware is real, and it can infiltrate our lives. Ransomware has been around for years, and crypto is the latest accelerant. It won’t be the last. With more devices coming online, the threat only grows. So what can we do? Stay vigilant. Don’t click on that link.