The United States Senate Committee on Homeland Security and Governmental Affairs (HSGAC) held a hearing on Tuesday entitled “Rising Threats: Ransomware Attacks and Ransom Payments Enabled by Cryptocurrency.” A panel of experts from the private sector discussed ransomware attacks and how to collect and use the information needed to combat them.
Gary Peters of Michigan, the committee’s chairman, who introduced the Strengthening American Cybersecurity Act in February, stated that the government does not have enough data to assess the extent of ransomware attacks. He said that attackers almost always ask for payment in cryptocurrency.
Several figures were cited to quantify the problem. Jackie Burns Koven, Chainalysis’ head of cyber threat intelligence, stated that the company had identified $712 million in payments to attackers in 2021. Of this money, 74% went to Russian threat actors or those with connections to Russia. The median payment was $6,000. Attackers often use a ransomware-as-a-service business model.
Ransomware is a type of extortion that existed before cryptocurrency, said Megan Stifel, chief strategy officer at the Institute for Security and Technology, and Bill Siegel, CEO of Coveware. Siegel said that law enforcement faces a significant challenge in determining what information to gather and how to organize it.
James Lankford of Oklahoma, a member of the committee, said that information collection is often “a complicated mess at worst possible moments”. Multiple agencies require victims of an attack to provide data that is not identical but overlaps. The case can then be prosecuted over many years. These factors, along with concerns that attackers might not release encryption keys if law enforcement is involved, are some of the reasons victims hesitate to report attacks.
Stifel suggested that a single agency be designated to receive and triage data following an attack. This would help improve information collection, particularly if the agency had established relationships with businesses prior to an attack.
Koven stated that blockchain analysis could provide an “immediate insight into a network of wallet addresses, services (e.g. exchanges, mixers etc.) that facilitate the illicit actor,” in contrast to traditional financial investigations, which can take a long time.
Koven said that U.S. government sanctions against ransomware actors are very effective. As examples, she cited sanctions against Russia’s cryptocurrency exchange Garantex and trader Suex. She said that money flows “drop to almost nothing” after sanctions. Chainalysis also developed technology that can track cryptocurrency mixers and attackers’ rebrandings.