Ransomware: Prevention, Investigation, and Bitcoin Funds Recovery

Sep 17, 2020 | cybercrime, cybersecurity, ransomware, security

Please read this entire article in full before making any ransom payment in Bitcoin

Prevention and Importance

Ransomware has become increasingly prevalent over the last few years, and not just because of the COVID-19 pandemic, which has caused cybercrime incidents to increase dramatically and has caused the number of ransomware incidents to explode. A recent report suggests a 715% increase in detected ransomware attacks from 2019 to 2020 and a ransomware attack now occurs on average once every 11 seconds. This has also resulted in a dramatic rise in ransomware investigations.

The best (and by far the cheapest) option is to spend the time bolstering security and operational practices so that a ransomware attack isn’t successful, and if it is, to significantly mitigate the damage the ransomware could do. If an organization succumbs to a ransomware attack, there are a plethora of costs they face depending on whether or not they pay the ransom.

If the ransom is not paid:

  • Equipment replacement costs.
  • Costs (primarily labour) to rebuild critical infrastructure and systems affected.
  • Downtime, lost productivity and lost revenue.
  • If the attacker was not only able to encrypt data or hard drives but was also able to exfiltrate private and confidential data, whether customer data or not, that data could also be leveraged, used or sold by the attacker. This in turn can lead to user accounts being hacked and identity theft, and opens the organization up to legal liability in some cases, particularly if it was negligent with regard to its security.

If the ransom is paid:

  • The ransom itself, which is often in the hundreds or thousands, or for larger organizations, in the millions of US dollars, albeit typically paid in Bitcoin.
  • Limited downtime, lost productivity, and lost revenue, provided the attackers hold up their end of the deal. Although there is no guarantee that they will, historically they have ‘honoured’ their commitment in most cases.

It’s always best to prevent a ransomware attack from occurring in the first place rather than trying to deal with it once it happens. There are various steps organizations should take, which would eliminate the vast majority of ransomware attacks. Still, most organizations seem to either not care until it happens to them, can’t “afford” to take the necessary steps, or fail to execute these steps properly and still have woefully inadequate security. Instead, they’ll look up how to pay ransomware with Bitcoin and proceed to pay it if they feel the ransom will be less costly than being locked out of infected devices indefinitely.

Permissions & Tiered Access

A critical aspect of systems security is appropriately isolating and segregating systems from one another so that if one device is compromised, it doesn’t cripple an organization’s entire infrastructure. Security, access permissions and controls need to be in place that restrict devices and systems from sharing data with one another where that isn’t necessary, limiting the reach of any ransomware attack.

Security Software Suites and Firewalls

Security suites, anti-virus software, firewalls, and mail filtering are all important security components most organizations should have. While they can sometimes help to prevent or mitigate ransomware attacks, there are plenty of occasions where they fail to do so. Just as importantly, these security features create a false sense of security to employees that any ransomware attack will be unsuccessful. In reality, it’s not difficult for a ransomware operator to get around anti-virus software, but these security features do offer some minor roadblocks for attackers.

Competent Security Professionals

Organizations need to have competent security professionals and Sysadmins on staff who design and maintain security infrastructure and control access. Just as importantly, they need to have appropriate decision-making authority over all of an organization’s digital security. If they first need to get permission from a C-level executive who, let’s face it, probably won’t have a clue about such security, that’s not very effective.

A Security-first Culture

By far the most challenging thing organizations must improve to prevent succumbing to a ransomware attack is the knowledge and mindset employees have about security. The human element is the weakest link and the factor that can be most easily exploited, given how many people don’t even employ the most basic security practices.

We all know those at our company that haven’t a clue how to use a computer, much less understand the basics of computer security, which makes them highly susceptible to clicking on a phishing link that leads to a ransomware attack. A small and lean organization might be better able to ensure all employees are adequately technically adept and security-focused, but it’s an impossible feat for larger organizations.

Nonetheless, educating employees and ensuring that they have a security-focused mindset is essential. This isn’t limited to telling employees not to click sketchy links or run batch files downloaded from who knows where. It involves educating employees about fraud and cybersecurity: education on how to detect a spoofed email, social engineering training. Got a call or email from a higher-up at the company ordering you to do something? Ok, how have you verified it’s really them who ordered it? It’s very, very easy to spoof an email or phone call.

Training employees to question everything and be so inquisitive is difficult, because as humans, we tend to be more trusting. It is very tough for employers to get employees to adopt a security-oriented culture, but this is what needs to be done if organizations want to avoid succumbing to a ransomware attack.

Backing up Data and Systems

It’s crucial for organizations to regularly back up their systems and data. Those backups must, of course, remain segregated from other systems given how easily ransomware can spread through an organization’s computer network. Should a ransomware attack occur, having systems and data adequately backed up allows an organization to more easily justify not paying the ransom, and to simply discard infected devices if they cannot be decrypted, something that’s considerably cheaper than paying the ransom the vast majority of the time. Usually, the data contained on the machines and the threat of that data being exposed are both far more economically damaging to an organization than the cost of replacing the equipment itself.

Retention of Customer Data

Carefully consider what client data and personal information you really need to collect and/or retain – most organizations don’t need the vast majority of customer information they choose to collect. Do you really need their phone number? Why not implement app-based 2FA for customer logins (if applicable) so that such data doesn’t need to be retained. What about their full name, date of birth, photo ID, etc. The data can’t be stolen or leaked if you don’t retain customer data. Don’t collect private client information if you don’t need to, and if you do collect it, expect to bear the consequences of any breach if found negligent, which could include lawsuits down the road.

Improve How Data is Stored and Secured

Just as important as what data is stored is how it’s stored, and who has access. In some ransomware attacks, apart from devices becoming locked, attackers are often also able to steal data from these systems. That could include passwords, credit card details, etc. This data must be safely and securely encrypted to reduce the potential fallout of any breach.

By now, I think everyone reading this has been the victim of a database breach and has had a username/password of theirs exposed. Sometimes organizations are dumb enough to store this information in plaintext (like Equifax for example), allowing attackers to see the email/username and password combinations of those customers (and sometimes a lot more), which they’ll proceed to utilize elsewhere when breaching individual user accounts (or will sell the data to someone who will, likely on the dark web).

When an organization is breached and passwords/details are exposed, organizations will sometimes say that all passwords were encrypted and that the attackers only have hashes of passwords. Thus, users are allegedly ‘safe’ since the hackers cannot decrypt those hashes. And that’s a heaping pile of bullshit.

Hackers possess massive databases of passwords that have been used before. And I’m not just talking about common ones like ‘pass1234’. It can be millions, or even billions of passwords. These passwords are then run through multiple hashing algorithms (SHA-1, SHA-3, MD5, and SHA-256), producing the applicable hash for each password under each algorithm. Well, guess what? When a hacker obtains hashed passwords, they only need to compare each hash to the hashes they have in their hash table, and if they have a match, voila, they have your (unencrypted) password, which they can use to log in. So much for your password still being ‘secure’ because it’s ‘encrypted.’

Encrypting customer data is a basic security precaution that must be taken, but it’s still very much dangerous if exposed. One defence that organizations need to adopt is to force users to use long, complex and unique passwords; that way, if the password hashes are exposed, it’s unlikely that those hashes will be in the hacker’s hash table. Regardless, companies also need to control how this data can be accessed, including by employees, not just external actors.
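To make the hash-table point concrete, here is an added example (not code from the original post) that builds a small precomputed table over a constructed list of previously breached passwords, shows that an unsalted SHA-256 password hash is recovered by a single dictionary lookup, and contrasts it with per-user salted, slow PBKDF2-HMAC-SHA256, where the same password produces a different digest for every user and the table is useless. The password list, the iteration count and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's table of previously breached passwords
# (real tables hold millions or billions of entries).
COMMON_PASSWORDS = ["pass1234", "password", "letmein", "qwerty", "123456"]

def build_lookup_table(passwords, algorithms=("md5", "sha1", "sha256", "sha3_256")):
    """Precompute digest -> plaintext for every password under every algorithm.
    With unsalted fast hashes, one password maps to exactly one digest per
    algorithm, so a table built once works against every site's leaked hashes."""
    table = {}
    for pw in passwords:
        for alg in algorithms:
            table[hashlib.new(alg, pw.encode()).hexdigest()] = pw
    return table

def lookup(table, leaked_hash):
    """Return the plaintext if the leaked digest is in the table, else None."""
    return table.get(leaked_hash.lower())

def store_weak(password):
    """How NOT to store a password: a bare, unsalted SHA-256 digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_strong(password, salt=None, iterations=600_000):
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 (iteration count assumed).
    The random per-user salt makes a precomputed table useless: every guess
    must be recomputed per user, and each computation is expensive."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_strong(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted sha256 recovered as:", lookup(table, store_weak("pass1234")))
    strong = store_strong("pass1234")
    print("salted pbkdf2 in table?:", lookup(table, strong.split("$")[-1]))
```

The weak digest of ‘pass1234’ is found instantly; the salted digest is not, and two calls to store_strong with the same password yield different records. Forcing long, unique passwords shrinks the chance that a digest is in any table at all, but salting and a slow KDF are what make the table approach fail even for weak passwords.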

The rest of this article pertains to organizations that have failed to appropriately secure their infrastructure and have become victims of a ransomware attack.

The Importance of Investigating

Ransomware attacks wouldn’t happen if ransoms were never paid or if organizations never succumbed to such ransomware attacks due to having a more security-minded culture. But the reality is that some organizations choose to pay the ransom because the consequences for not doing so often far outweigh the ransom’s cost.

Ransomware attacks always involve a cost-benefit analysis, for both the organization and the attacker. From the attacker’s perspective, the financial costs of conducting the attack are quite low. The benefits, meanwhile, are quite high. Organizations are willing to pay out the ransom all too often, despite the high price tag. And when organizations choose to do so, they create a greater incentive for such attacks to occur in the future.

Cyber Insurance

Ransomware attacks have become so common that it’s now fairly common for private, not-for-profit, and government organizations alike to purchase cyber insurance. The proposition is fairly simple: as part of the cyber insurance policy, the insurance company will offer to pay out a ransom, should an attack happen, up to the liability limit (with exceptions of course).

The rise of cyber insurance has greatly increased the frequency of ransomware payouts, has caused the average ransomware payment to increase considerably, and most importantly, is the biggest contributor to the rise in ransomware attacks for a simple reason: insurers reward the attacker and all too often do nothing to investigate the matter. Organizations can also more easily justify having lax security since they’re ‘insured’ against an attack. Cyber insurers see it as a cost of doing business and move on. They fail to understand the consequences of issuing payout after payout, while at the same time taking little to no action to identify the attackers so they can be prosecuted, even though from a financial perspective, it’s often a ‘profitable’ decision for cyber insurers to pursue the attackers with the appropriate professional assistance.

Professional Assistance

One additional factor attackers must weigh is the risks of getting caught, prosecuted, and ultimately going to jail, while at the same time being required to return the funds. That’s a crucial part of the equation and why it’s so important to investigate the attackers who initiate ransomware attacks; it changes the equation so that fewer ransomware attacks occur in the future. And at CipherBlade, we feel that any organization that willingly pays out a ransom has a moral obligation to report it and properly investigate the incident so fewer attacks happen in the future instead of there being more. And one of the best ways of doing that is by ‘following the money’ so to speak.

But if an organization ends up paying out a ransom, the reasons for conducting a ransomware investigation aren’t just altruistic (to prevent more attacks in the future). It typically makes sense from a financial perspective as well. The cost of an investigation, whether 5k USD, 20k USD, or somewhere in between, is peanuts compared to the multi-million dollar ransom. It’s also peanuts compared to what can be recovered.

It’s not hard to come out financially ahead if there’s a professional investigation, compared to the choice to not investigate at all. In many cases, not all funds are recovered. However, even if only 40% of funds are recovered, that still puts the organization in a much better financial position, even after the investigative costs, than if 0% is recovered. Unfortunately, law enforcement agencies often lack the necessary investigative skills, knowledge, experience, and tools to investigate these types of cybercrime cases on their own. As we note below, there are two primary ways cryptocurrency funds can be recovered in such instances. 

Funds Recovery After Ransomware Attacks

When cybercriminals launch ransomware attacks, they often insist on being paid in Bitcoin. Once they’ve received the funds, the next step is laundering the money (or attempting to). At CipherBlade, we’ve generally found two approaches cybercriminals use when doing so; they either try to do it very quickly, or they wait a while, in the hopes that it will be forgotten, and then try and do so. The former is the more common of the two.

Identification and Prosecution of Attacker

Ultimately, the attackers need to be brought to justice for funds to be recovered in most cases, although funds recovery certainly isn’t the only reason to conduct an investigation. In order to do that, the attackers first need to be identified, or key intelligence needs to be uncovered that leads to their identity. In ransomware cases, most key intelligence that ultimately leads to the identity of the attackers is found by ‘following the money’ or as we call it more professionally, blockchain forensics.

Law enforcement’s involvement is critical, but law enforcement often lacks the expertise, tools, skills, and knowledge to properly investigate such crimes. The odds of identifying an applicable suspect, or uncovering key intelligence that ultimately leads to the identity of a suspect is improved immensely with external professional assistance.

Recovery is typically not a quick process here given the involvement of multiple law enforcement agencies, courts, and in some cases, banks. After a suspect is identified, additional relevant entities need to be queried or subpoenaed. Information and intelligence need to be assessed, additional investigative work needs to be conducted, law enforcement agencies need to correspond with one another, and the suspect(s) need to be charged and prosecuted. Such charges (or the threat of them) or a court order itself is ultimately what can lead to funds recovery. Ultimately, the threat of going to jail, or going to jail for a longer period of time if the perpetrator isn’t cooperative, is quite a powerful incentive to get them to turn over the criminally acquired funds.

Funds Interception

The alternative way that funds can be recovered after a ransomware attack is by intercepting them when the attackers attempt to liquidate, launder, or cash out through various services and exchanges. Whether or not funds can be intercepted depends on a variety of factors, including the exchange or service in question, and how quickly the right people are notified. This is why CipherBlade has direct lines of communication with many exchanges: the customer service people on the generic support emails typically don’t have the authority to do anything in such matters, and one can’t wait hours or days for a response either.

That being said, there are limitations. For one, it’s unlikely that a ransomware attacker will attempt to liquidate all the funds at once on a service or exchange. They normally try to do it in smaller amounts at a time instead of ‘putting all their eggs in one basket,’ so it’s highly unlikely to result in all the funds being recovered solely through interception.

Secondly, law enforcement agencies are simply not well equipped to attempt to intercept funds like this. It involves near real-time assessment as soon as a transaction occurs, which law enforcement doesn’t generally have resources for. Professional assistance is usually needed, and time is very much of the essence. Furthermore, given that perpetrators often try to launder funds quickly after they are received, it’s critical for an organization to have already engaged professional assistance before they even send the ransom (if they plan on doing so) so that an attempt can be made to intercept the funds. If they wait a few weeks to hire a professional investigative agency, in all likelihood most or all of the funds will have already been laundered through various services so that they can no longer be easily intercepted (granted, there could still of course be on-chain leads that could lead to the identity and prosecution of the suspect as noted in option #1).

But What about Mixers?

A lot of people incorrectly assume that attackers simply send the Bitcoin into a mixer like Wasabi, Chipmixer, or BitcoinFog, and the funds are then untraceable. There are multiple incorrect assumptions made here.

  1. While mixer involvement is not uncommon to see in ransomware cases, there are plenty of cases we’ve seen where there’s been zero mixer involvement.
  2. If there is mixer involvement, it’s rare for 100% of funds to go to mixers. More often, only a portion of funds are sent into the mixer, leaving plenty of other ways that funds can be traced even if not attempting to trace “through” the mixer. The goal is not necessarily to find where all the funds are currently; rather, the goal is to uncover intelligence on who the perpetrators are, which can be uncovered by determining services or other individuals they interacted with, among other ways. 
  3. People sometimes assume that all mixers are the same, and all are equally untraceable. Not true at all. Mixers are designed quite differently from one another with regards to the mixing algorithms that are utilized. Simply put, some are better at concealing funds than others. Whether or not funds can be traced ‘through’ a mixer depends on several factors, including which mixer was used. There are a variety of factors which make funds sent into mixers more or less traceable as well, but that’s not something we’ll elaborate on here, since we already know that ransomware attackers will be reading this, and we certainly don’t want to help them launder funds. What is true, however, is it does take considerably more time (and thus costs) to trace ‘through’ a mixer, thus, such work can only be warranted for losses of at least mid-6-figures, otherwise it just doesn’t make financial sense. There will likely be easier paths that can better lead to the identity of the attacker.

Eastern European Perpetrators and Feasibility of Pursuance

A notable portion of ransomware attacks have been linked to Eastern European attackers. Some people incorrectly assume an investigation is a futile endeavour if the suspect(s) is Eastern European, on the grounds that the individual won’t be prosecuted due to a lack of cooperation from local law enforcement. While this can be true in some instances, in many cases this perception is mistaken. In reality, it depends on several factors:

  1. The country that the suspect(s) resides in. People sometimes paint all Eastern countries with the same brush and assume they all will have the same level of perceived low cooperation. Not true at all. Countries like Ukraine, Romania, and Russia are all very, very different. Law enforcement in many Eastern European countries can be very cooperative, particularly with the right connections.
  2. It depends on the victim organization’s country too. Since ransomware cases typically involve cooperation of at least 2 law enforcement agencies, the relationship the two countries have with one another is another factor to consider. Let’s take the US and Russia, for example. The FBI doesn’t have as good a relationship with Russia, compared to other Eastern European countries like Ukraine, Romania, and Bulgaria, for obvious reasons. This is not to suggest a case is dead in the water if the victimized organization is US-based while the suspect is Russian. It’s just harder to get such a case pursued, but it does happen – in fact, Russian nationals involved in cryptocurrency exchange hacks were just indicted yesterday by the US Department of Justice. In contrast, if the victimized organization was based in France, it would work in its favour and be even easier to pursue.
  3. The size of the ransom paid. The higher the ransom is, the easier it is for law enforcement to justify spending the resources to pursue the matter. It’s harder for law enforcement to justify pursuing the attackers behind a 50k USD ransom than a 500k USD ransom. And when ransoms reach the millions of dollars, there’s a lot of pressure for law enforcement to pursue even when the jurisdiction is ‘less appealing’, as with the US-Russia example.
  4. Professional assistance, or lack thereof. The reality is the vast majority of law enforcement agencies lack the tools, skills, knowledge, and expertise to investigate this type of cybercrime properly. Many law enforcement agencies have ZERO capabilities in this regard. Some law enforcement agencies like the FBI do have capabilities, but they are incredibly understaffed, and there are only a small number of people in the FBI capable of actually investigating this type of crime, and even then, some are more qualified than others. The reality is that having external professional assistance considerably improves the odds of both identifying and apprehending a suspect, as well as recovering ransomware funds, or at least a portion of them.
  5. Keep in mind that in order to recover Bitcoin by intercepting funds when the suspect attempts to liquidate on an exchange or service, the suspect doesn’t even need to be identified, much less prosecuted, nor does local law enforcement need to get involved in that instance. What is needed, however, is cooperation from the exchange or service. If an exchange or service is immediately notified of ransomware funds being laundered by a suspect through their platform, what would they do about it? The answer should be to request details on the ‘source of funds’ from the account holder and to request that the account holder undergo KYC, if they have not already done so, prior to the funds being released. If the account holder acquired the funds legitimately, it should be easy for them to provide details on the source of funds, after which point the exchange/service releases the funds. This is Compliance 101. But there are, of course, some shady exchanges and services that couldn’t give a damn about such funds being laundered through their platform, even when they are notified of it as it’s happening. And that, of course, can open them up to legal liability.
  6. Finally, keep in mind that a good portion of attackers are NOT based in Eastern Europe. Sometimes attackers are North American, Western European or from a country in Asia. And in some cases, attackers have been Nation-state actors, as was the case with WannaCry, where North Korea’s Lazarus Group was found to be the likely culprit.
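The ‘Compliance 101’ flow in point 5 above, as an added example that is not part of the original post and not any exchange’s real system: deposits arrive in an unverified account, an investigator’s notification flags later deposits so they are held rather than credited, a non-KYC withdrawal limit stops the holder from draining what was already credited, and a hold is only released when an acceptable source-of-funds explanation is provided. The limit value, the window, the timeline and all names are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values for this illustration only, not any real exchange's limits.
NON_KYC_WITHDRAWAL_LIMIT_BTC = 2.0       # per rolling 24 h for unverified accounts
WITHDRAWAL_WINDOW = timedelta(hours=24)

@dataclass
class Account:
    account_id: str
    kyc_verified: bool = False
    available_btc: float = 0.0
    held_btc: float = 0.0
    holds: dict = field(default_factory=dict)        # txid -> amount awaiting source of funds
    withdrawals: list = field(default_factory=list)  # (time, amount) history

def on_deposit(acct, txid, amount, flagged):
    """Credit a deposit unless an investigator or law enforcement has flagged the
    source; flagged amounts are held until the holder documents their origin."""
    if flagged:
        acct.held_btc += amount
        acct.holds[txid] = amount
        return "held"
    acct.available_btc += amount
    return "credited"

def request_withdrawal(acct, amount, now):
    """Held funds are never withdrawable; unverified accounts are capped over a
    rolling window, which is what forces a launderer into KYC or a stalemate."""
    if amount > acct.available_btc:
        return "insufficient_available"
    if not acct.kyc_verified:
        recent = sum(a for t, a in acct.withdrawals if now - t < WITHDRAWAL_WINDOW)
        if recent + amount > NON_KYC_WITHDRAWAL_LIMIT_BTC:
            return "kyc_required"
    acct.available_btc -= amount
    acct.withdrawals.append((now, amount))
    return "approved"

def resolve_source_of_funds(acct, txid, evidence_accepted):
    """Release a hold when a legitimate source is documented; otherwise keep the
    hold on record and escalate to law enforcement."""
    amount = acct.holds.get(txid)
    if amount is None:
        return "no_such_hold"
    if evidence_accepted:
        del acct.holds[txid]
        acct.held_btc -= amount
        acct.available_btc += amount
        return "released"
    return "escalated"

def run_scenario():
    """Constructed timeline: three 1.82 BTC peels land before anyone raises the
    alarm, the notification arrives, and every later peel is held on arrival."""
    acct = Account("ex2_user")
    t = datetime(2020, 7, 28, 7, 0)
    log = []
    for i in range(1, 7):
        alarm_raised = i >= 4                      # notification after the third deposit
        log.append(on_deposit(acct, f"peel_{i}", 1.82, alarm_raised))
        t += timedelta(minutes=30)
    log.append(request_withdrawal(acct, 1.5, t))   # within the non-KYC limit
    log.append(request_withdrawal(acct, 1.5, t))   # would exceed 2 BTC per 24 h
    log.append(resolve_source_of_funds(acct, "peel_4", evidence_accepted=False))
    return acct, log

if __name__ == "__main__":
    account, decisions = run_scenario()
    print(decisions, account.available_btc, account.held_btc)
```

Notice that the three pre-notification deposits are only partially recoverable (one 1.5 BTC withdrawal slips through), which is the article’s argument for having an investigator engaged before the ransom is even sent.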

Case Study: CWT

Given the misconception about what happens to the Bitcoin in any ransomware payment, and how that Bitcoin is laundered in such cases, we thought it would be useful to conduct a case study, so we’ve chosen the recent ransomware attack involving CWT, who paid a 414 BTC (~$4.5 Million USD) ransom after succumbing to a ransomware attack.

Background

The transaction whereby CWT (or their agent) paid the 414 BTC was never publicly disclosed, but it wasn’t exactly hard for us to find. We know the hackers wrote the note demanding the ransom of 414 BTC on July 27th, and that payment occurred by July 28. Looking at the Bitcoin blockchain, there aren’t many transactions that fit the bill, and the few that do are primarily intra-exchange transactions (and thus not ransomware related). But there is one address that receives 414 BTC and fits the profile in that timeframe: 13nmJ3SsNB5pSyQrmX3e6zveY9kHGw8Vs3, labelled ‘CWT Ransomware Attacker’.

This address first receives 1 BTC in tx 58a22a5a40a8cb98df8398567f33402c577affbb8d3d0c993fa17289c24d2bc6, presumably as a ‘test transaction’ (not uncommon), then receives the remaining 413 BTC in tx eb4a367416e02d1fd77d78d530a0f7f1ff7f84cffb3b595deeb7d5ea399d9100 20 minutes later.

CipherBlade has a policy of not publicly discussing cybercrime cases we are/were engaged on, with extremely limited exceptions, but as we were not engaged on the CWT case, and as we’ll show, no other qualified firm was either, we thought it would be helpful to publicly outline what happened, and where CWT failed big-time. To do so, start by taking a good look at the attached blockchain forensics graph we produced below:

CWT Blockchain Forensics Graph

Blockchain Analysis

As you can see in the above graph, 414 BTC is sent from the victim, who is either CWT or their designated agent, to the address provided by the ransomware, labelled as ‘CWT Ransomware Attacker’. From there, funds start to flow in a few general directions.

First, a small portion of the funds makes its way to Exchange 1 Deposit 1, which is a deposit address associated with ‘Exchange 1’. We have decided it would not be suitable to give the names of these exchanges here, so instead have labelled exchanges as ‘Exchange 1’, ‘Exchange 2’, etc. Exchange 1 Deposit 1 appears to be likely controlled by an OTC broker, rather than the ransomware attacker themselves.

Second, a small amount of funds ends up at ‘Exchange 1 Deposit 2’, a deposit address that directly receives funds from two well-known investment scams, ‘Expasset.com’ and ‘Futurenet.com.’ More work needs to be done to determine whether the account associated with this deposit address belongs to the attacker or not. Some funds also make their way to ‘Exchange 1 Deposit 3’, which appears to be associated with another OTC broker. A small amount of funds also goes to Exchange 4 Deposit 1. We would also like to briefly note that there are indications that funds are sent to Bitcoin mixers in the upper portion of this graph; that’s not something we included here, and it’s not a focal point of our discussion as there are other more actionable paths to pursue. As previously mentioned, the goal isn’t necessarily to identify precisely where all 414 BTC went, but rather to uncover the most useful intelligence that can lead to the identity of the attacker.

Third, a large amount of funds is sent to 2 deposit addresses associated with ‘Exchange 2’ along what we call a ‘peel chain.’ 155.25 BTC is sent to 1QBeY5C1QepVt5uWPZda2gTfJcVTnKFZuD in tx a40eac7ec02cdd336d99fca9212bdcd65607e3cdd14cb5f54af04dd45f0a2174. A mere 24 minutes later (keeping in mind average Bitcoin block time is 10 minutes) 1.82 BTC is sent to Exchange 2 Deposit 1 in tx ac421812930bb2a93d5276b68e1630806816a71f4b0d7001b222b32aa68f4d63. The remaining balance is sent as ‘change’ to 1Loq46Fp3uTAr4uWutsQAfKbhWsaEoM22q (which is controlled by the sender), and this is the start of the so-called ‘peel chain’. This deposit address only ever receives a total of 10 Bitcoin transactions, all of which are present in this forensics graph, which suggests this exchange account may have been created for the express purpose of laundering these funds.

After these 10 deposits, funds continue to be laundered, this time through ‘Exchange 2 Deposit 2’ which appears to be controlled by the same individual that controls ‘Exchange 2 Deposit 1’. ‘Exchange 2 Deposit 2’ does have some receiving history that is not part of the ransom itself, and actually pre-dates the ransomware attack, primarily from ‘P2P Exchange 1’.

So one obvious question is whether or not these account(s) at Exchange 2 belong to the ransomware attacker(s) or whether they belong to another entity. More investigative work ultimately needs to be done here, but there are some good reasons that suggest it may be the attacker. For one, the attacker sends the bulk of the funds to wallet cluster 3H8SUm6J8Z5Zpz7Yx1k7VMghe17sBrn9TL. While it’s conceivable that another entity could control this wallet cluster, it’s sure a lot of eggs to ‘put in one basket’ so to speak. Less than 6 hours after funds are sent to this wallet cluster, 155.25 BTC is sent in tx a40eac7ec02cdd336d99fca9212bdcd65607e3cdd14cb5f54af04dd45f0a2174 to 1QBeY5C1QepVt5uWPZda2gTfJcVTnKFZuD after which this wallet starts to immediately send funds to Exchange 2. CipherBlade observes that generally speaking, deposits to Exchange 2 tend to occur roughly 30 minutes after one another, give or take, not days or weeks apart, and the deposits start on 7/28 in the early AM UTC and conclude later that day. That’s very little time for the ransomware attacker to have tried to find a mule or set up laundering with a shady OTC broker. Thus, there’s good reason to believe the attacker performed these transactions themselves, presumably to accounts they controlled themselves given the receiving history. 

The big failing on the part of CWT is that much of these funds could have been intercepted if it had been promptly determined and assessed that these deposit addresses were associated with accounts belonging to the attacker, ultimately allowing for recovery, with the help of law enforcement of course. As per standard AML policies, exchanges don’t turn over funds just because someone claims the funds are theirs. In this hypothetical scenario (if CWT had hired a professional firm, which they clearly didn’t), the deposits would have been immediately discovered and details on ‘source of funds’ would have been requested from the suspect. If the suspect had provided such details, the funds would have been promptly released. In reality, we suspect it’s highly unlikely the account owner would have provided details on the source of the funds they received if asked, and they most likely would have instead written the funds off as a ‘loss’.

CipherBlade can already ascertain that CWT didn’t hire investigative professionals here, or at least not competent ones, otherwise, these deposits would have been noticed as they happened, the exchange would have been notified through the appropriate channels, the suspect would have been unable to withdraw those funds (at least temporarily), and they presumably would have stopped depositing to that deposit address after a few transactions in each case.

For a moment, let’s assume the ransomware attacker themselves does not control the accounts associated with these ‘Exchange 2’ deposit addresses, something that’s not outside the realm of possibility. What would the significance of this be if true? Well, the entity that controls 1QBeY5C1QepVt5uWPZda2gTfJcVTnKFZuD sent a total of 18 transactions to Exchange 2, all roughly 30 minutes apart from one another, give or take. What legitimate reason would an individual have for sending so many transactions to the same 2 deposit addresses in quick succession? I can’t think of a single non-nefarious reason. Peel chains can naturally occur due to how change addresses work, but legitimate transactions would often be spaced days, weeks, or months apart depending on how active the individual is. The most likely reason for sending 18 transactions to an exchange like this in less than a day is nefarious. They want to make sure they can get funds out after every few transactions and don’t want to put all their eggs in one basket by sending all the funds they want to send there all at once.
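The two pieces of chain analysis this case study walks through, finding the address that receives the ransom amount inside the known payment window (Background section) and walking the peel chain to count rapid-fire deposits to the same exchange addresses (this section), can both be expressed as simple heuristics over a transaction list. The following is an added example, not code or data from the original post or from CipherBlade: the ledger is constructed to mirror the article’s figures (a 1 BTC test payment and the 413 BTC remainder 20 minutes apart, an unrelated 414 BTC intra-exchange transfer in the same window, a 155.25 BTC hop, then 1.82 BTC peels about every 30 minutes to two deposit addresses), and every address label, txid and timestamp is a placeholder.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 7, 28, 1, 0)  # assumed UTC; all labels below are constructed placeholders

def build_sample_ledger():
    """Constructed ledger: ransom test payment and remainder, a decoy exchange-internal
    transfer of the same size, consolidation, then a peel chain spending 1.82 BTC to
    an exchange deposit address every 30 minutes with change to a fresh address."""
    txs = [
        {"txid": "tx_test", "time": T0, "inputs": ["victim_a"],
         "outputs": [("ransom_addr", 1.0), ("victim_change", 9.0)]},
        {"txid": "tx_decoy", "time": T0 + timedelta(minutes=5), "inputs": ["exchange_hot_a"],
         "outputs": [("exchange_hot_b", 414.0)]},
        {"txid": "tx_main", "time": T0 + timedelta(minutes=20), "inputs": ["victim_b"],
         "outputs": [("ransom_addr", 413.0)]},
        {"txid": "tx_consolidate", "time": T0 + timedelta(hours=2), "inputs": ["ransom_addr"],
         "outputs": [("wallet_cluster", 414.0)]},
        {"txid": "tx_hop", "time": T0 + timedelta(hours=7), "inputs": ["wallet_cluster"],
         "outputs": [("peel_0", 155.25), ("cluster_change", 258.75)]},
    ]
    balance, addr, t = 155.25, "peel_0", T0 + timedelta(hours=7, minutes=24)
    for i in range(1, 19):
        deposit = "ex2_deposit_1" if i <= 10 else "ex2_deposit_2"
        balance = round(balance - 1.82, 8)
        txs.append({"txid": f"tx_peel_{i}", "time": t, "inputs": [addr],
                    "outputs": [(deposit, 1.82), (f"peel_{i}", balance)]})
        addr, t = f"peel_{i}", t + timedelta(minutes=30)
    return txs

KNOWN_EXCHANGE_ADDRS = {"exchange_hot_a", "exchange_hot_b"}   # exchange-internal, skip
EXCHANGE_DEPOSIT_ADDRS = {"ex2_deposit_1", "ex2_deposit_2"}   # attributed deposit addresses

def find_candidate_receivers(txs, target_total, start, end, exclude=frozenset(), tolerance=0.001):
    """Sum what each address receives inside [start, end] and return those within
    tolerance of the ransom amount, ignoring known exchange-internal addresses.
    A test payment plus the remainder still sums to the full ransom."""
    totals = defaultdict(float)
    for tx in txs:
        if start <= tx["time"] <= end:
            for addr, amount in tx["outputs"]:
                if addr not in exclude:
                    totals[addr] += amount
    return sorted(a for a, total in totals.items() if abs(total - target_total) <= tolerance)

def follow_peel_chain(txs, start_addr, deposit_addrs, max_hops=100):
    """Walk a peel chain: find the tx spending the current address, record every
    output to a known deposit address as a 'peel', and continue from the change
    output (the largest output that is not a deposit address)."""
    spent_by = {a: tx for tx in txs for a in tx["inputs"]}
    peels, addr = [], start_addr
    for _ in range(max_hops):
        tx = spent_by.get(addr)
        if tx is None:
            break
        change = None
        for out_addr, amount in tx["outputs"]:
            if out_addr in deposit_addrs:
                peels.append((tx["txid"], tx["time"], out_addr, amount))
            elif change is None or amount > change[1]:
                change = (out_addr, amount)
        if change is None:
            break
        addr = change[0]
    return peels

def rapid_deposit_alert(peels, min_count=5, max_gap=timedelta(hours=1)):
    """Flag deposit addresses that receive min_count or more peels with every gap
    between consecutive deposits at most max_gap. Change-driven chains from
    ordinary use are typically spaced days or weeks apart, not minutes."""
    by_addr = defaultdict(list)
    for _txid, t, addr, amount in peels:
        by_addr[addr].append((t, amount))
    alerts = {}
    for addr, items in by_addr.items():
        items.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(items, items[1:])]
        if len(items) >= min_count and all(g <= max_gap for g in gaps):
            alerts[addr] = {"count": len(items),
                            "total_btc": round(sum(a for _, a in items), 8),
                            "max_gap_min": max(g.total_seconds() for g in gaps) / 60}
    return alerts

if __name__ == "__main__":
    ledger = build_sample_ledger()
    window = (T0 - timedelta(days=1), T0 + timedelta(hours=1))
    print(find_candidate_receivers(ledger, 414.0, *window, exclude=KNOWN_EXCHANGE_ADDRS))
    peels = follow_peel_chain(ledger, "peel_0", EXCHANGE_DEPOSIT_ADDRS)
    print(len(peels), rapid_deposit_alert(peels))
```

The alert output is what an investigator would hand to the exchange’s compliance team, together with the first peel’s txid, while the chain is still being peeled; the same heuristic over real chain data needs an address-attribution source for the deposit set, which is assumed here.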

Hypothetically, if these exchange accounts belonged to another entity, such as an OTC broker, that broker should have conducted appropriate due diligence on the counterparty. But there’s undoubtedly a chance that they failed to do so, which could open up either the buyer or the OTC broker to liability, depending on the circumstances and the jurisdiction, for engaging in money laundering among a slew of other possible charges. In this hypothetical scenario, if there was indeed a buyer who purchased the funds legitimately (or what the buyer believed was a legitimate purchase), the buyer would not have transacted in this manner by making 18 deposits so quickly. This, of course, suggests that either the exchange accounts belong to an individual who knew the funds came from an illicit source and was purposely laundering them, or, more likely, that the exchange accounts belong to the attacker(s) themselves.

Another pertinent question is whether or not the owners of the accounts behind Exchange 2 Deposit 1 and Exchange 2 Deposit 2, which as previously mentioned may belong to the attacker, can be identified through KYC. There are multiple ways to identify the individuals that own an account on a given cryptocurrency exchange, and KYC data is the easiest, but not all exchanges require KYC, and many only enforce it once certain deposit or withdrawal thresholds are exceeded. With regards to whether or not KYC had been conducted on Exchange 2 in particular, there are two main possibilities:

  1. KYC was not conducted. If so, the suspect would have been limited with regard to how much he/she could withdraw in a given time frame on this exchange, because of the withdrawal limits exchanges apply to non-KYC’d users. This would have allowed the vast majority of the funds to be temporarily frozen by the exchange (if it wanted to, and was promptly notified) until the source of funds had been provided, which could in turn have led to the recovery of the vast majority of these funds in particular.
  2. KYC was conducted. If so, the suspect would have been able to withdraw the funds much more quickly and more often, but the account owner’s identity would be known.

Finally, some funds are sent to wallet cluster 1JcPv7iUsAmvfaL8sP6pHzsyozJr2ameBK. From there, most of the funds go to the 1cYNNXe7uqUXqkY8Bozx773srpGpL3EHu cluster, where they are then sent to Exchange 2 Deposit 3, Exchange 3 Deposit 1, and Exchange 1 Deposit 3, the latter of which, as we previously mentioned, appears to be an OTC broker. 14.7 BTC is also sent to ‘Eastern European Exchange 1’. It just so happens that the applicable deposit address of this Eastern European exchange also receives an additional 3.45 BTC in the exact same block, block number 647622 on 9/10, which suggests the entity that sent both of these transactions is the same. Records CipherBlade can see indicate this Eastern European exchange received only 25 deposits the entire day, as the exchange is quite low volume. CipherBlade identified 18.25 BTC that was withdrawn from the exchange to ‘Exchange 3 Deposit 1’ on 9/11, which of course almost exactly matches the 18.15 BTC deposited. With most exchanges, such a finding would be insignificant. But CipherBlade observes a total of only 5 withdrawals from the exchange the entire day, which raises the question ‘what are the chances?’, and to a deposit address that other traced funds are sent to, no less. CipherBlade suspects the withdrawal was from the same account for these reasons, but the best way of finding out for sure is by querying the applicable exchange.
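The three on-chain signals the analysis above leans on, a burst of deposits from one cluster to one deposit address in quick succession, two deposits to the same address confirmed in the same block, and a withdrawal that nearly equals the total deposited, can be scripted as simple screening heuristics. The following is added example code (not CipherBlade’s tooling or the case’s real data) run over constructed transactions: cluster names, deposit addresses and block heights are placeholders, while the 14.7 / 3.45 / 18.25 BTC figures mirror the amounts quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not the case's real transactions: cluster and deposit-address
# names are placeholders; 14.7 / 3.45 / 18.25 BTC mirror the amounts quoted in the analysis.
T0 = datetime(2020, 9, 10, 8, 0)
DEPOSITS = (  # (time, sender cluster, exchange deposit address, BTC, block height)
    # six deposits roughly 30 minutes apart from one cluster to one deposit address
    [(T0 + timedelta(minutes=30 * i), "clusterA", "exch2_dep1", 5.0, 647600 + 3 * i)
     for i in range(6)]
    # two deposits to the same address confirmed in the same block
    + [(T0, "clusterC", "ee_exch_dep1", 14.7, 647622),
       (T0, "clusterD", "ee_exch_dep1", 3.45, 647622)]
    # an unremarkable pattern: three small deposits weeks apart
    + [(T0 + timedelta(days=20 * i), "clusterB", "exch1_dep2", 0.4, 647700 + 3000 * i)
       for i in range(3)]
)
# Constructed: every withdrawal the low-volume exchange made that day, (BTC, destination).
WITHDRAWALS = [(2.0, "other1"), (18.25, "exch3_dep1"), (0.75, "other2"),
               (40.0, "other3"), (17.5, "other4")]

def rapid_deposit_bursts(deposits, max_gap=timedelta(hours=1), min_count=5):
    """Flag (sender, deposit address) pairs with at least min_count deposits whose
    consecutive gaps are all <= max_gap: the peel-chain-into-exchange pattern."""
    by_pair = defaultdict(list)
    for ts, sender, addr, _, _ in deposits:
        by_pair[(sender, addr)].append(ts)
    flagged = []
    for (sender, addr), times in by_pair.items():
        times.sort()
        run = best = 1  # length of the current and longest run of closely spaced deposits
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            best = max(best, run)
        if best >= min_count:
            flagged.append((sender, addr, best))
    return flagged

def same_block_deposits(deposits):
    """Group deposits to one address confirmed in the same block; two or more from
    'different' clusters landing together point to a single sender behind them."""
    by_block = defaultdict(list)
    for _, sender, addr, btc, block in deposits:
        by_block[(addr, block)].append((sender, btc))
    return {key: group for key, group in by_block.items() if len(group) > 1}

def matching_withdrawals(deposit_total, withdrawals, rel_tolerance=0.01):
    """Return withdrawals within rel_tolerance of the deposited total: the 'what are
    the chances' check, which is only meaningful when the exchange is low volume."""
    return [w for w in withdrawals if abs(w[0] - deposit_total) <= rel_tolerance * deposit_total]
```

Each function returns its hits rather than a verdict; as the text notes, a match on any of these only justifies querying the exchange, not a conclusion about who holds the account.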

Summary

As you can probably tell by now, the entities behind ransomware attacks very much can be identified and brought to justice, and that can, in turn, lead to at least partial funds recovery in many cases with the help and dedication of law enforcement around the world. Blockchain forensics is a critical aspect of any ransomware investigation, but certainly not the only aspect. Threat actor research and off-chain intelligence often play an important role, even though we have not delved into that in this case study.

CipherBlade has not cherry-picked an ‘easy’ ransomware case for this case study. There are undoubtedly some ransomware cases that are ‘harder’ than this, but there are plenty that are easier as well, and this case study is somewhat representative of what could be expected in a ransomware case now — involvement of some OTC brokers, a quick attempt to launder funds, and some signs of Eastern European involvement. There are also a variety of on-chain attribution points not included in the graph above or discussed, but which we’ve avoided mentioning to make the length of the analysis more reasonable.

As you can probably guess, law enforcement is woefully ill-equipped to investigate this type of cybercrime. Law enforcement agencies often lack the expertise and knowledge to properly investigate these types of crimes themselves, and of course are almost always extremely short on resources, which is why it’s typically advisable for victims and law enforcement to work with professional investigators. Presumably, CWT has reported the incident to the FBI as they are U.S. based. Has the FBI identified many of the same findings I have? Maybe some, depending on who at the FBI is working on the case, but I’d be willing to bet the majority of these findings would be news to law enforcement personnel working on the case.

Note: Nothing in this article shall be construed as legal advice