The collection and processing of information was a major theme at the United States Senate Committee on Homeland Security and Governmental Affairs (HSGAC) hearing titled, “Rising Threats: Ransomware Attacks and Ransom Payments Enabled by Cryptocurrency” on Tuesday. The committee hosted a panel of private-sector experts who discussed the problem of ransomware attacks and the challenges of collecting and using the information necessary to fight them.
Committee chair Gary Peters of Michigan, who introduced the Strengthening American Cybersecurity Act in February, said the government lacks sufficient data even to understand the scope of the threat posed by ransomware attacks. Attackers almost exclusively ask for payment in cryptocurrency, he added.
Several figures were trotted out to quantify the problem. Chainalysis head of cyber threat intelligence Jackie Burns Koven said the company had identified a record $712 million paid to attackers in 2021, with 74% of the money going to threat actors in Russia or with links to Russia. The average payment was $121,000, and the median payment was $6,000. Attackers often use a Ransomware-as-a-Service business model.
Ransomware is a form of extortion, and it existed before cryptocurrency, Institute for Security and Technology chief strategy officer Megan Stifel and Coveware CEO Bill Siegel said. Knowing what information to collect when an attack occurs and how to organize the information is a major challenge for law enforcement, Siegel added.
Information collection often is “a convoluted mess at the worst possible moment,” committee member James Lankford of Oklahoma said. Multiple agencies demand overlapping but not identical data from victims of attack in its aftermath — and then, prosecution of the case could take years. Those factors, along with concerns that the attackers will not release an encryption key if law enforcement becomes involved, explain much of the hesitancy of victims to report attacks.
Stifel suggested that designating a single agency to receive and triage data after an attack would improve information collection, especially if businesses established a relationship with that agency prior to the attack.
Koven said blockchain analysis can provide “immediate insight into the network of wallet addresses and services (e.g., exchanges, mixers, etc.) that facilitate the illicit actor,” in contract to the lengthy processes of traditional financial investigation.
U.S. government sanctions imposed on ransomware actors and their facilitators are highly effective, Koven continued. She pointed to sanctions against Russia-based cryptocurrency exchange Garantex and trader Suex as examples. Money flows “drop to almost zero” after sanctions, she said. In addition, blockchain analysis can track the rebranding of attackers, and Chainalysis has developed technology to track funds through cryptocurrency mixers.