Infrastructure firms will now have to report within 24 hours if they make a ransomware payment. “This surely will be a game changer.”
2020 was a record year for ransomware payments ($692 million), and 2021 will probably be higher when all the data is in, Chainalysis recently reported. Moreover, with the outbreak of the Ukraine-Russia war, ransomware’s use as a geopolitical tool — not just a money grab — is expected to grow as well.
But, a new U.S. law could stem this rising extortionist tide. United States President Joe Biden recently signed into law the Strengthening American Cybersecurity Act, or the Peters bill, which requires infrastructure firms to report substantial cyber-attacks to the government within 72 hours, and any ransomware payment within 24 hours.
Why is this important? Blockchain analysis has proven increasingly effective in disrupting ransomware networks, as seen in the Colonial Pipeline case last year, where the Department of Justice was able to recover $2.3 million of the total that the pipeline company paid to a ransomware ring.
But, to maintain this positive trend, more data is needed and it has to be provided in a more timely manner, particularly malefactors’ crypto addresses, as almost all ransomware attacks involve blockchain-based cryptocurrencies, usually Bitcoin (BTC).
This is where the new law should help because, until now, ransomware victims have rarely reported the extortion to government authorities or anyone else.
“It will be very helpful,” Roman Bieda, head of fraud investigations at Coinfirm, told Cointelegraph. “The ability to immediately ‘flag’ specific coins, addresses or transactions as ‘risky’ […] enables all users to spot the risk even before any laundering attempt.”
“It absolutely will aid in analysis by blockchain forensic researchers,” Allan Liska, a senior intelligence analyst at Recorded Future, told Cointelegraph. “While ransomware groups often switch out wallets for each ransomware attack, that money eventually flows back to a single wallet. Blockchain researchers have gotten very good at connecting those dots.” They have been able to do this despite mixing and other tactics used by ransomware rings and their confederate money launderers, he added.
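The "connecting the dots" Liska describes, and the flagging of related addresses Bieda mentions, rest on a few simple graph rules. The following is an added illustration, not code from the article or from any of the firms quoted; the transactions, address names and the two-hop limit are constructed for the example.

```python
# Added example (not from the article): a minimal form of the address-clustering
# and forward-tracing steps used in blockchain forensics. Every transaction and
# address below is constructed; nothing here is a real on-chain identifier.
from collections import defaultdict

# Constructed ledger: each entry spends its input addresses to its output addresses.
TXS = [
    {"id": "t1", "inputs": ["victimA"], "outputs": ["ransom1"]},  # payment, attack 1
    {"id": "t2", "inputs": ["victimB"], "outputs": ["ransom2"]},  # attack 2, fresh wallet
    {"id": "t3", "inputs": ["victimC"], "outputs": ["ransom3"]},  # attack 3, fresh wallet
    # Consolidation: the per-attack wallets are spent together into one hub wallet.
    {"id": "t4", "inputs": ["ransom1", "ransom2", "ransom3"], "outputs": ["hub", "change1"]},
    {"id": "t5", "inputs": ["hub"], "outputs": ["exchange_deposit"]},
    {"id": "t6", "inputs": ["shopper"], "outputs": ["merchant"]},  # unrelated traffic
]

def build_clusters(txs):
    """Common-input-ownership heuristic: addresses spent together as inputs of
    one transaction are assumed to be controlled by the same entity (union-find)."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for tx in txs:
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = find(tx["inputs"][0])
    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return {a: clusters[find(a)] for a in parent}

def flag_risky(reported, txs, hops=2):
    """Start from the address a victim reported, add every address in the same
    input cluster (the other attacks' wallets), then follow outputs forward for
    up to `hops` transactions so downstream receivers can be flagged early."""
    cluster_of = build_clusters(txs)
    risky = set(reported)
    for a in list(risky):
        risky |= cluster_of.get(a, set())
    frontier = set(risky)
    for _ in range(hops):
        nxt = set()
        for tx in txs:
            if frontier & set(tx["inputs"]):
                nxt |= set(tx["outputs"])
        risky |= nxt
        frontier = nxt
    return risky
```

With only `ransom1` reported, the cluster step recovers the other two attack wallets and the forward trace reaches the hub and the exchange deposit, while the unrelated merchant traffic stays unflagged.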
Siddhartha Dalal, professor of professional practice at Columbia University, agreed. Last year, Dalal co-authored a paper titled “Identifying Ransomware Actors In The Bitcoin Network” that described how he and his fellow researchers were able to use graph machine learning algorithms and blockchain analysis to identify ransomware attackers with “85% prediction accuracy on the test data set.”
While their results were encouraging, the authors stated that they could achieve even better accuracy by improving their algorithms further and, critically, “getting more data which is more reliable.”
The challenge for forensic modelers here is that they are working with highly imbalanced, or skewed, data. The Columbia University researchers were able to draw upon 400 million Bitcoin transactions and close to 40 million Bitcoin addresses, but only 143 of these were confirmed ransomware addresses. In other words, the legitimate transactions vastly outnumbered the fraudulent ones. With data this skewed, a model will either flag a lot of false positives or ignore the fraudulent transactions altogether because they make up such a tiny percentage.
Coinfirm’s Bieda provided an example of this problem in an interview last year:
“Say you want to build a model that will pull out photos of dogs from a trove of cat photos, but you have a training dataset with 1,000 cat photos and only one dog photo. A machine learning model ‘would learn that it is okay to treat all photos as cat photos as the error margin is [only] 0.001.’”
Put otherwise, the algorithm would “just guess ‘cat’ all the time, which would render the model useless, of course, even as it scored high in overall accuracy.”
Dalal was asked if this new U.S. legislation would help expand the public dataset of “fraudulent” Bitcoin and crypto addresses needed for a more effective blockchain analysis of ransomware networks.
“There is no question about it,” Dalal told Cointelegraph. “Of course, more data is always good for any analysis.” But even more importantly, by law, ransomware payments will now be revealed within a 24-hour period, which allows for “a better chance for recovery and also possibilities of identifying servers and methods of attack so that other potential victims can take defensive steps to protect them,” he added. That’s because most perpetrators use that same malware to attack other victims.
An underutilized forensic tool
It’s generally not known that law enforcement benefits when criminals use cryptocurrencies to fund their activities. “You can use blockchain analysis to uncover their entire supply chain of operation,” said Kimberly Grauer, director of research at Chainalysis. “You can see where they’re buying their bulletproof hosting, where they buy their malware, their affiliate based in Canada” and so on. “You can get a lot of insights to these groups” through blockchain analysis, she added at a recent Chainalysis Media Roundtable in New York City.
But, will this law, which will still take months to implement, really help? “It’s a positive, it would help,” Salman Banaei, co-head of public policy at Chainalysis, answered at the same event. “We advocated for it, but it’s not like we were flying blind before.” Would it make their forensic efforts significantly more effective? “I don’t know if it would make us a lot more effective, but we would expect some improvement in terms of data coverage.”
There are still details to be worked out in the rule-making process before the law is implemented, but one obvious question has already been raised: Which companies will need to comply? “It is important to remember that the bill only applies to ‘entities that own or operate critical infrastructure,’” Liska told Cointelegraph. While that could include tens of thousands of organizations across 16 sectors, “this requirement still only applies to a small fraction of organizations in the United States.”
But, maybe not. According to Bipul Sinha, CEO and co-founder of Rubrik, a data security company, those infrastructure sectors cited in the law include financial services, IT, energy, healthcare, transportation, manufacturing and commercial facilities. “In other words, just about everyone,” he wrote in a Fortune article recently.
Another question: Must every attack be reported, even those deemed relatively trivial? The Cybersecurity and Infrastructure Security Agency, to which the companies will report, recently commented that even small incidents might be deemed reportable. “Because of the looming risk of Russian cyberattacks […] any incident could provide important bread crumbs leading to a sophisticated attacker,” the New York Times reported.
Is it right to assume that the war makes the need to take preventive actions more urgent? President Joe Biden, among others, has raised the likelihood of retaliatory cyber-attacks from the Russian government, after all. But, Liska doesn’t think this concern has panned out — not yet, at least:
“The retaliatory ransomware attacks after the Russian invasion of Ukraine do not seem to have materialized. Like much of the war, there was poor coordination on the part of Russia, so any ransomware groups that might have been mobilized were not.”
Still, almost three-quarters of all money made through ransomware attacks went to hackers linked to Russia in 2021, according to Chainalysis, so a step up in activity from there can’t be ruled out.
Not a stand-alone solution
Machine-learning algorithms that identify and track ransomware actors seeking blockchain payment — and almost all ransomware is blockchain enabled — will doubtlessly improve now, said Bieda. But, machine learning solutions are only “one of the factors supporting blockchain analysis and not a standalone solution.” There is still a critical need “for broad cooperation in the industry between law enforcement, blockchain investigation companies, virtual asset service providers and, of course, victims of fraud in the blockchain.”
Dalal added that many technical challenges remain, most of them stemming from the pseudonymous nature of public blockchains, explaining to Cointelegraph:
“Most public blockchains are permissionless and users can create as many addresses as they want. The transactions become even more complex since there are tumblers and other mixing services which are able to mix tainted money with many others. This increases the combinatorial complexity of identifying perpetrators hiding behind multiple addresses.”
More progress?
Nonetheless, things seem to be moving in the right direction. “I think we are making significant progress as an industry,” added Liska, “and we have done so relatively fast.” A number of companies have been doing very innovative work in this area, “and the Department of Treasury and other government agencies are also starting to see the value in blockchain analysis.”
On the other hand, while blockchain analysis is clearly making strides, “there is so much money being made from ransomware and cryptocurrency theft right now that even the impact this work is having pales compared to the overall problem,” added Liska.
While Bieda sees progress, it will still be a challenge to get firms to report blockchain fraud, especially outside of the United States. “For the past two years, more than 11,000 victims of fraud in blockchain reached Coinfirm through our Reclaim Crypto website,” he said. “One of the questions we ask is, ‘Have you reported the theft to law enforcement?’ — and many victims hadn’t.”
Dalal said the government mandate is an important step in the right direction. “This surely will be a game changer,” he told Cointelegraph, as attackers will not be able to repeat the use of their favored techniques, “and they will have to move much faster to attack multiple targets. It will also reduce the stigma attached to the attacks and potential victims will be able to protect themselves better.”