The Evolution of Ransomware

Ransomware has existed for many years now. One of the first instances of encryption malware can be traced to the PC Cyborg virus in 1989 . And the ransom payment for the decryption process began in 2005 and continued in several different strains. But, in 2011, cryptocurrencies began to emerge which allowed for global payments outside of the traditional banking processes. The rise of Bitcoin and other cryptocurrencies led to a rise in the ransomware attacks because the payment of the ransom could be conducted with relative ease and anonymity.

The general response to ransomware by companies has been greater IT security and multiple backups to enable recovery from ransomware in a relatively short period of time. Offline backups have become particularly important because they should be insulated from encryption malware and can help companies recover without having to pay a ransom to the attackers. The response from companies has been so good though, ransomware attackers have turned to a different method of attack – extortion.

Several groups of ransomware attackers now exfiltrate information from networks before the encryption process begins. The exfiltration of the data allowed the attackers to capture, review, and threaten exposure of potentially sensitive data even if the company were able to recover from the encryption attack by using their offline backups.

Bitcoin Used by Terrorists

Over the past year there have been many reports of government seizures of cryptocurrency which were being used by terrorist groups. In August the Department of Justice (DOJ) announced the largest seizure of terrorist organizations crypto currency assets. The seizure was part of an investigation into three different terrorists’ networks: the al-Qassam Brigades, al-Qaida, and Islamic State of Iraq and the Levant (ISIS). Each of the organizations was using cryptocurrency to solicit donations from around the world and to move money and pay assets around the world.

In September, the French police arrested 29 people tied to cryptocurrency transactions designed to finance Islamist extremists.

In January 2020 the MIT Technology Review reported that criminals had laundered about $2.8 Billion through the use of Bitcoin in 2019.

And Advanced Persistent Threat actors (APT32) was recently caught deploying cyber espionage software along with cryptocurrency miner software.

The rise of cryptocurrency has allowed millions of dollars to move around the globe outside of traditional financial markets. Bitcoin accounts for only 0.04% of the world’s money, but it is roughly worth $106 Billion dollars . Although the percentage of total money is small, the amount of money that can be moved outside the purview of traditional banking is quite substantive. Criminal groups, nation-state actors, and terrorists have all seen the possibilities of moving money outside of the traditional market to hide the source, nature, destination and use of the money.

While Bitcoin itself is the currency, the currency is moved and tracked using blockchain technology and cryptocurrency wallets. The blockchain uses wallet addresses to move the money to keep track of the balances of the total amount of cryptocurrency, the balances of each wallet, and the total transactions which take place. Because the blockchain and wallets use anonymous addresses, most users and people believe that the owner of the wallets are anonymous as well. But investigations into the use of the wallets and the addresses associated with the wallets often result in the attribution of the wallet to a person in many instances. Bitcoin wallets can be traced on the Dark Web and can be identified through classified sources and methods.

Because Bitcoin uses the blockchain to maintain the public ledger, once one transfer can be traced to a Bitcoin wallet and attributed to an individual, then all transfers made to the same wallet can be traced as well. All ransom payments would be able to be tracked and traced using this same method.

The OFAC Memorandum

The continued rise of seizure of cryptocurrencies from terrorists’ groups and the rise of money movement outside the normal financial channels lead OFAC to issue their memorandum. The memorandum is a five-page explanatory memo interpreting the sanctions laws and regulations as they apply to ransomware payments.

The memo outlines several key points for the application of payments to ransomware:

First, ransomware threat actors, wallet addresses, and email addresses have been added to the OFAC Specified Designated National (SDN) list for the past several years. As the number of ransomware attacks have grown and payments have grown, there has been increased intelligence that money has been traced to groups engaged in the types of activities which are subject to bans. OFAC has added names and identifiers for people and addresses involved in attacks such as the Cryptolocker, SamSam, WannaCry, Evil Corp and others.

Second, ransomware itself and payments to the threat actors are a threat to national security. Research and intelligence have shown that money is being funneled to and used by terrorists groups, organized crime, and others acting against the interests of the United States. The payment of the ransom only feeds these activities and emboldens the criminals to conduct more of these attacks. The continued payment of ransoms only ensures the continued criminal activity.

Third, facilitating payments may be a violation of OFAC regulations. Facilitation can be any transaction, including transactions by non-US persons that cause a payment, either directly or indirectly, to individuals or organizations on the SDN list may be a violation. In addition, any transaction or act which causes a person to violate the regulations is also prohibited.

Fourth, organizations should adopt a risk-based approach to ransomware attacks and account for the possibility that a payment may violate OFAC regulations. This advice or guidance is for any company involved in the response to a cyber-attack including cyber insurance companies, digital forensics, and incident response organizations. Knowing the process to search the SDN list may prevent an organization from unknowingly violating the sanctions. As OFAC states, a violation of the sanctions is a strict liability crime and does not require knowledge that someone is on the list; the payment to someone on the SDN list is a violation.

Finally – and this may be the most important part of the memo – OFAC highly encourages the cooperation with law enforcement and investigative officials. The cooperation with law enforcement will be considered a “significant mitigating factor.” OFAC will also consider the “full and timely cooperation … a significant mitigating factor when evaluating possible enforcement outcome.” During a presentation regarding this memo by members of the Department of Justice and the Department of Treasury, the presenters were quick to point out that no companies have been prosecuted for paying a ransom to a threat actor on the SDN list, but cooperation with law enforcement will ensure your organization is not the first.

Planning Ahead

According to Robert Mueller there are two kinds of companies; those that have been hacked and those that are about to be hacked. And according to the Cisco CEO John Chambers, there are two kinds of companies; those that have been hacked and those that don’t know it yet. Given the recent hack of FireEye through the compromise of SolarWinds, there are most likely many companies that have yet to know that they have been compromised. As the analysis continues on the scope of the attack, there will be many more organization filing breach notifications. But there are actions an organization can take to minimize the effect and cost of a hack.

To protect themselves, OFAC encourages organizations to perform a risk-based analysis and keep regular backups to protect themselves from ransomware. Secure, offline backups are the key to recovering from ransomware attacks. Perform due diligence on the threat actors before payment. Notify and cooperate with law enforcement. This includes knowing who to contact and how to contact law enforcement. Institute and maintain a risk-based compliance program which includes a management commitment, risk assessments, internal controls, auditing and training. The key to dealing with ransomware is planning – have a plan based on a risk-based approach and practice, practice, practice that approach.