by Avivah Litan | December 3, 2018 | Ransomware indictments raise alarms; proof (again) Bitcoin is NOT anonymous
Last Wednesday, the U.S. Department of Justice indicted two Iranians for perpetrating cyber-attacks using SamSam, an advanced variant of ransomware. SamSam is best known for attacking the City of Atlanta’s municipal systems in March 2018, rendering many of them dysfunctional for almost a week (see Wikipedia on the Atlanta SamSam attacks). Other SamSam targets include Kansas Heart Hospital, the Port of San Diego, more than 200 municipalities and more. Justice estimates these hackers caused $30 million in damage and collected around $6 million in ransom payments from their victims.
Three dimensions of this case stand out:
- U.S. Treasury put the criminals’ bitcoin addresses on the OFAC sanctions list, which is a first for crypto – meaning it is illegal in the U.S. to transfer cryptocurrency funds to those addresses.
- The indictment clearly exposes that anonymous receipt of Bitcoin is very difficult to achieve, no matter which anonymizing services criminals use. (The Mueller indictments of Russian hackers last July already exposed this fact).
- Organizations are challenged in how to best prepare for these types of ransomware attacks.
Detecting Suspect Crypto Transactions
In the U.S., cryptocurrency exchanges must file SARs (Suspicious Activity Reports) with U.S. financial regulator FinCEN. SARs help authorities identify bad actors like the two Iranians just indicted.
Identifying suspect crypto transactions relies on blockchain forensic and analytics services such as those offered by Chainalysis or Elliptic. For example, Chainalysis can detect unauthorized money movements in part by leveraging its mapping of cryptocurrency blockchain addresses to the exchanges that control them. Using those maps, it can audit cryptocurrency movements across entities. These services don’t go down to the user level – that is something the exchange must do based on its own KYC and customer registration processes.
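To make the entity-level view concrete, here is an added example, not code from the original post and not the method of Chainalysis, Elliptic or any exchange. It assumes three constructed inputs: an address-to-exchange map of the kind such services maintain, a placeholder list standing in for the OFAC-listed addresses (the real values are on Treasury's SDN list and are not reproduced here), and a handful of constructed transactions. It clusters addresses that are spent together (the common-input-ownership heuristic), labels each transaction's inputs and outputs at the entity level, and flags any flow that lands on a sanctioned address or its cluster. The third transaction shows why the cluster matters: it pays an address that is not on the list but has been spent alongside a listed one.

```python
"""Entity-level screening of cryptocurrency transfers (added example).

All data below is constructed for illustration. Real address-to-entity maps
and sanctions lists come from forensic providers and OFAC respectively; the
addresses here are placeholders, not real blockchain addresses.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list    # addresses spent (signed) in this transaction
    outputs: list   # list of (address, amount_btc)


# Constructed: which exchange controls which deposit/withdrawal addresses.
ENTITY_OF = {
    "exA-1": "Exchange A", "exA-2": "Exchange A",
    "exB-1": "Exchange B",
}
# Constructed placeholder for the sanctioned (OFAC-listed) addresses.
SANCTIONED = {"sanc-1", "sanc-2"}

# Constructed sample ledger: a direct payment to a listed address, the listed
# address later co-spending with an unlisted one, and a customer paying that
# unlisted address.
SAMPLE_TXS = [
    Tx("tx1", ["exA-1"], [("sanc-1", 1.5)]),
    Tx("tx2", ["sanc-1", "mix-7"], [("exB-1", 1.4)]),
    Tx("tx3", ["cust-9"], [("mix-7", 0.3)]),
]


def cluster_by_common_input(txs):
    """Union-find over inputs: addresses spent together in one transaction are
    assumed to be controlled by the same wallet (common-input-ownership)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path compression
            a = parent[a]
        return a

    for tx in txs:
        for addr in tx.inputs[1:]:
            parent[find(tx.inputs[0])] = find(addr)
    return {a: find(a) for a in list(parent)}


def label(addr, clusters):
    """Resolve an address to a named entity, 'SANCTIONED', or 'unknown'."""
    if addr in ENTITY_OF:
        return ENTITY_OF[addr]
    sanctioned_roots = {clusters.get(s, s) for s in SANCTIONED}
    if addr in SANCTIONED or clusters.get(addr, addr) in sanctioned_roots:
        return "SANCTIONED"
    return "unknown"


def screen(txs):
    """Return entity-to-entity flow totals and alerts for flows into the
    sanctioned cluster. Alerts carry (txid, source entities, address, amount)."""
    clusters = cluster_by_common_input(txs)
    flows = defaultdict(float)
    alerts = []
    for tx in txs:
        sources = {label(a, clusters) for a in tx.inputs}
        for addr, amount in tx.outputs:
            dest = label(addr, clusters)
            for src in sources:
                flows[(src, dest)] += amount
            if dest == "SANCTIONED":
                alerts.append((tx.txid, sorted(sources), addr, amount))
    return dict(flows), alerts


if __name__ == "__main__":
    flows, alerts = screen(SAMPLE_TXS)
    for (src, dest), total in flows.items():
        print(f"{src:>12} -> {dest:<12} {total:.4f} BTC")
    for txid, sources, addr, amount in alerts:
        print(f"ALERT {txid}: {sources} paid {amount} BTC to {addr} (sanctioned cluster)")
```

The flow table is what an analytics provider can produce from its address map alone (exchange-to-exchange and exchange-to-sanctioned totals); resolving "Exchange A" down to the customer who funded tx1 is the exchange's own KYC job, which is the division of labour the paragraph above describes.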
Criminals will no doubt step up their already increasing use of anonymous cryptocurrencies for ransomware payments. For example, payments in ‘anonymous crypto’ such as Dash and Monero are much harder – but not impossible – to trace compared to more traditional cryptocurrencies like Bitcoin, Ethereum, Bitcoin Cash and Litecoin.
Organizations Try to Prepare
The criminals and their changing ransomware payment demands continue to plague large and small businesses. Organizations with resources try to prepare for such attacks by setting up cryptocurrency accounts from which they can make eventual ransomware payments, should they so decide.
We recently published a research note How to Prevent or Mitigate Ransomware Attacks that Demand Payment in Cryptocurrency that outlines best practices for preparing for ransomware payment demands. First and foremost we recommend IT leaders engage with their executives, ranging from the CEO, CFO, Legal and Compliance officers, and Board members, before initiating any such activities. Paying ransomware is a sticky proposition and can have adverse legal, reputational, and regulatory implications, especially when done quickly in a moment of panic.
Once executive management is on board, IT can take several steps to prepare for these damaging events. These steps are summarized in the table below, which our research note elaborates on.
Obviously the best defense is to keep the attackers out, or to render their attacks useless by having reliable, timely backups readily available. Reliable backups mean they are tested and that the backup operations are segregated from the network that is potentially ransomed. In just the past few months, two small businesses I spoke with diligently paid their IT support company for backups, only to later discover they were useless in the face of the ransomware attack.
One thing is for sure: ransomware won’t go away as long as the hackers keep making money using it.