When ransomware hit Colonial Pipeline in May of this year, the public reaction bordered on panic, with fuel shortages and long queues at filling stations along the US east coast. It was one of the first times a ransomware incident visibly affected millions of people. The malware hit the company's IT systems, and Colonial shut down the pipeline itself as a precaution. The company paid the ransom within hours in exchange for a decryption tool to bring its billing system back online. The tool proved slow, however, and the pipeline took nearly five days to resume normal operation. While the Colonial Pipeline attack is the most famous ransomware incident of the year, it is just one among thousands.
Strong, correctly implemented cryptography, long a defender's tool, is what makes modern ransomware so effective: files encrypted with a properly used cipher cannot be recovered without the attacker's key. Ransomware is also a better business than most other cybercrime because there are no intermediaries to pay off and the operation scales; the same tooling works against one victim or a thousand. The Colonial Pipeline attack is a textbook case of cryptoviral extortion. Alarming as the attack was, the FBI's partial recovery of the ransom is a promising sign for the future.
How do ransomware attacks happen?
For a ransomware operation to work, attackers need three things. First, robust and well-implemented cryptography, not to break into the victim but to lock the victim out: files are typically encrypted with a per-victim or per-file symmetric key, which is in turn encrypted with the attacker's public key, so that only the holder of the matching private key can produce a working decryptor. Second, an anonymous communication channel with victims, which in practice means Tor (onion) services hosting the negotiation portal and, for groups that also steal data, the leak site. Third, a way to receive payment that does not pass through a bank, which is where cryptocurrency comes in.
There are now more than 4,000 cryptocurrencies, but in almost every ransomware case the demand is for bitcoin. The reasons are practical rather than cryptographic: bitcoin is pseudonymous (not anonymous), easy for a victim to buy quickly, and liquid enough to cash out a multi-million-dollar ransom. Its ledger is public, which, as the recovery described below shows, cuts both ways.
The currency operates on a public blockchain that lets anyone view every transaction, but nothing on the chain ties an address to a real-world identity. Bitcoin is also priced far above any other cryptocurrency and has the deepest markets, so a ransom worth millions of dollars amounts to only a few dozen coins, and moving a few dozen coins through exchanges attracts less attention than moving the equivalent sum in a thinly traded coin.
Can bitcoins be traced?
Tracking bitcoin is not easy, but laundering it is as tricky as the hack itself. Each bitcoin transaction is a list of inputs and outputs: the inputs spend outputs of earlier transactions, and the outputs lock the coins to addresses, which appear on the chain only as alphanumeric strings derived from a user's public key. Wallets are encouraged to use a fresh address for every payment to protect the user's privacy. Each address has a corresponding private key, which works like a password: spending from the address means signing the transaction with that key, and the bitcoin is lost forever if the key is lost or forgotten.
So while bitcoin is a public ledger and following coins from one address to another is comparatively easy, identifying who controls an address is the real ordeal. The chain itself never answers that question; it takes off-chain information such as exchange customer records, subpoenas, or operational mistakes by the owner.
Some attackers launder the proceeds by swapping one cryptocurrency for another or by moving funds through a long series of wallets. A related tactic, the peel chain, moves a large balance through hundreds of transactions, each of which "peels" a small amount off to a destination such as an exchange deposit address and sends the remainder on to a fresh change address. Keeping each peeled amount small reduces the risk of tripping an exchange's reporting thresholds.
Chain hopping raises another struggle for investigators. The funds are swapped across different cryptocurrencies and blockchains, often ending in a privacy-focused coin such as Monero, whose ledger does not expose sender, receiver, or amount. Each swap breaks the trail on one chain, and chain-hopping trails go cold most of the time before investigators can pursue the matter further.
Investigative agencies' approach
Pursuing cryptocurrency ransoms is a separate area of investigation in its own right, owing to the borderless nature of these currencies. It is almost like operating in the wild west of money.
Investigators apply several heuristics to the transaction graph to group the addresses on the blockchain into clusters that are likely controlled by a single real-world actor. The central assumption is common-input ownership: every input of a transaction has to be signed by the owner of the address it spends from, so all the input addresses of one transaction are presumed to belong to the same entity. Outputs are not merged, since they belong to the payee, with one of them usually being change returned to the payer; a separate change-address heuristic tries to spot that output. The assumption is deliberately broken by CoinJoin-style transactions, in which several users spend together in a single transaction, so analysts have to detect and exclude those.
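The two techniques described above, the common-input-ownership clustering heuristic and following a peel chain hop by hop, are easy to show on a toy ledger. The following is an added example written for this page, not code from the original article or from any investigative tool. The ledger, transaction ids, addresses and amounts are all constructed for illustration (the figures echo the article's 75 and 63.7 bitcoin but are not the real Colonial Pipeline transactions), and `max_ratio` is an assumed threshold for what counts as a "peel" rather than an even split.

```python
"""Toy blockchain-analysis helpers: a UTXO ledger, the common-input-ownership
clustering heuristic, and a peel-chain follower.  Everything below is
constructed for illustration; txids, addresses and amounts are made up."""
from collections import defaultdict
from dataclasses import dataclass


def btc(x: float) -> int:
    """Amounts are kept in satoshis (integers) to avoid float rounding."""
    return int(round(x * 100_000_000))


@dataclass
class Tx:
    txid: str
    inputs: list   # (prev_txid, output_index) pairs being spent
    outputs: list  # (address, satoshis) pairs being created


# Constructed ledger.  "victim" is a funding tx with no inputs (like a coinbase).
LEDGER = {t.txid: t for t in [
    Tx("victim", [], [("Vic1", btc(75))]),
    Tx("ransom", [("victim", 0)], [("A1", btc(75))]),             # ransom paid to A1
    Tx("p1", [("ransom", 0)], [("X1", btc(5)), ("C1", btc(70))]),    # peel 5, keep 70
    Tx("p2", [("p1", 1)], [("X2", btc(5)), ("C2", btc(65))]),        # peel 5, keep 65
    Tx("p3", [("p2", 1)], [("X3", btc(1.3)), ("C3", btc(63.7))]),    # peel 1.3, keep 63.7
    # An exchange sweeping two deposit addresses into one hot wallet: this
    # single tx is what lets the heuristic tie X1 and X2 to the same owner.
    Tx("sweep", [("p1", 0), ("p2", 0)], [("Hot1", btc(10))]),
]}


def output_address(ledger, prev_txid, index):
    return ledger[prev_txid].outputs[index][0]


def build_spend_index(ledger):
    """Map each spent output (txid, index) to the txid that spends it."""
    return {(p, i): tx.txid for tx in ledger.values() for p, i in tx.inputs}


def cluster_by_common_input(ledger):
    """Common-input-ownership heuristic with union-find.  All input addresses
    of one tx are merged; output addresses are only registered, never merged.
    Caveat: CoinJoin-style txs break this assumption and should be excluded
    before clustering real data."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger.values():
        in_addrs = [output_address(ledger, p, i) for p, i in tx.inputs]
        for a in in_addrs[1:]:
            parent[find(a)] = find(in_addrs[0])
        for addr, _ in tx.outputs:
            find(addr)  # make sure every address appears, even as a singleton
    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return [frozenset(s) for s in clusters.values()]


def follow_peel_chain(ledger, start_output, max_ratio=0.5):
    """Follow the remainder of a peel chain starting from a funded output.
    Each hop must be a two-output tx whose smaller output (the peel) is at
    most max_ratio of the larger one (the remainder, followed next).
    Returns (hops, end) where end is ("unspent", address) if the remainder
    still sits in an address, or ("diverges", txid) if the chain shape breaks."""
    spent_by = build_spend_index(ledger)
    hops, out = [], start_output
    while True:
        nxt = spent_by.get(out)
        if nxt is None:
            return hops, ("unspent", output_address(ledger, *out))
        tx = ledger[nxt]
        if len(tx.outputs) != 2:
            return hops, ("diverges", nxt)
        small, big = sorted(tx.outputs, key=lambda o: o[1])
        if small[1] > max_ratio * big[1]:
            return hops, ("diverges", nxt)
        hops.append((nxt, small[0], small[1], big[0], big[1]))
        out = (nxt, tx.outputs.index(big))


if __name__ == "__main__":
    for c in cluster_by_common_input(LEDGER):
        if len(c) > 1:
            print("same owner:", sorted(c))
    hops, end = follow_peel_chain(LEDGER, ("ransom", 0))
    for txid, peel_addr, peel_amt, rem_addr, rem_amt in hops:
        print(f"{txid}: peeled {peel_amt / 1e8} BTC to {peel_addr}, "
              f"{rem_amt / 1e8} BTC on to {rem_addr}")
    print("chain ends:", end)
```

Run stand-alone, the script reports that X1 and X2 are controlled by one entity (the exchange that swept them) and that the peel chain from the ransom output ends with 63.7 BTC unspent at C3 after 11.3 BTC was peeled off in three hops. On real data the next step is off-chain: a deposit-address cluster is only useful once a subpoena or the exchange's own records say whose account it belongs to.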
After the Colonial Pipeline breach, the FBI deployed considerable resources to identify the people responsible and recover the ransom. It attributed the attack to DarkSide, a ransomware-as-a-service group, but could not arrest its members; it did, however, recover bitcoin worth roughly $2.3 million at the time of seizure.
The FBI has not said how it came to hold the private key. The affidavit filed in court states only that the Bureau possesses the private key for the address; it does not say how the key was obtained, and breaking the key cryptographically is not a realistic possibility. According to the same document, the Bureau traced the payment through a maze of around 20 addresses and wallets to the one where the money sat. With the private key for that address in hand, it recovered 63.7 of the 75 bitcoin paid in ransom.
While the recovery gave people hope that such seizures could deter future attacks, it is unlikely that efforts on this scale will be made for every case. There is also no foolproof defence against ransomware, and the rising value of cryptocurrency has been one reason for the increase in such attacks.