Ransomware, malicious software that encrypts a victim’s files and keeps them “locked” until a ransom is paid, is the world’s fastest-growing cyber threat, according to Coinfirm. Recent attacks on critical national infrastructure, like the Colonial Pipeline incursion that halted oil and gas deliveries along the U.S. East Coast for roughly a week, have set off alarms. Ransom payments are almost always made in Bitcoin or other cryptocurrencies.
But while many were shaken by May’s Colonial Pipeline attack — the Biden administration issued new pipeline regulations in its aftermath — relatively few are aware of that drama’s final act: Using blockchain analysis, the FBI was able to follow the flow of the ransom payment and recover about 85% of the Bitcoin paid to the ransomware group DarkSide.
In fact, blockchain analysis, which can be further enhanced with machine learning algorithms, is a promising new technique in the battle against ransomware. It takes some of crypto’s core attributes — e.g., decentralization and transparency — and uses those properties against malware miscreants.
While crypto’s detractors tend to emphasize its pseudonymity — and its attractiveness to criminal elements for that reason — they tend to overlook the relative visibility of BTC transactions. The Bitcoin ledger is replicated on tens of thousands of computers worldwide and updated continuously, and every transaction on it is there for all to see. By analyzing flows, forensic specialists can often identify suspicious activity. This could prove to be the Achilles’ heel of the ransomware racket.
An underused means
“The blockchain ledger on which Bitcoin transactions are recorded is an underutilized forensic tool that can be used by law enforcement agencies and others to identify and disrupt illicit activities,” Michael Morell, former acting director of the U.S. Central Intelligence Agency, declared in a recent blog, adding:
“Put simply, blockchain analysis is a highly effective crime fighting and intelligence gathering tool.[…] One expert on the cryptocurrency ecosystem called blockchain technology a ‘boon for surveillance.’”
Along these lines, three Columbia University researchers recently published a paper, “Identifying Ransomware Actors in the Bitcoin Network,” describing how they were able to use graph machine learning algorithms and blockchain analysis to identify ransomware attackers with “85% prediction accuracy on the test data set.”
Those on the frontlines of the ransomware struggle see promise in blockchain analysis. “While it may at first seem like cryptocurrency enables ransomware, cryptocurrency is actually instrumental in fighting it,” Gurvais Grigg, global public sector chief technology officer at Chainalysis, tells Magazine, adding:
“With the right tools, law enforcement can follow the money on the blockchain to better understand and disrupt the organization’s operations and supply chain. This is a proven successful approach as we saw in January’s ‘takedown’ of the NetWalker ransomware strain.”
Whether blockchain analysis alone is enough to thwart ransomware attacks, or whether it needs to be combined with other tactics, like bringing political and economic pressure to bear on foreign countries that tolerate ransomware groups, is another question.
Clifford Neuman, associate professor of computer science practice at the University of Southern California, believes that blockchain analysis is an underutilized forensic tool. “Many people, including criminals, assume Bitcoin is anonymous. In fact, it is far from being so in that the flow of funds is more visible on the ‘public’ blockchain than it is in almost any other kind of transaction.” He adds: “The trick is to tie the endpoints to individuals, and blockchain analysis tools can sometimes be used to do this linking.”
A valid means for unmasking ransomware attackers? “Yes, absolutely,” Dave…