Last week, Blackpanda came together with key players in the cyber industry to discuss the various facets of ransomware response and, in particular, explore the importance of having a multidisciplinary response capability.
The panelists included David Suzuki, Blackpanda’s Managing Director of Risk and Investigations, Pasi Kostinen, Chief Information Security Officer at Coinhako, Chris Recker, Senior Associate at Duane Morris, and Ian Lee, Global Director of Partnerships at Merkle Science.
Ransomware attacks and how to respond to them are a hot topic for businesses around the world. These attacks, hacks and other forms of cyber crime are becoming as commonplace as they are catastrophic for their victims, with over USD 600 million worth of ransomware payments made in 2021 alone. And the impact is not limited to the companies under attack. These events have a measurable detrimental effect on consumers, on the credibility and profitability of whole industries, and on the broader economy. The panel explored how expert incident response teams and technology can help businesses prevent these events, mitigate risks and protect consumers.
Ransomware Is A Security Problem
The webinar started with David Suzuki from Blackpanda debunking a common misconception.
Many believe that ransomware is an IT problem but, on a fundamental level, it is a security issue. This is because it is not a machine that is attacking, but a human threat actor who is using a machine to attack.
Whether the threat actor is a criminal, an enemy state or a terrorist, there is a human being behind the attacking computer nonetheless. In essence, ransomware attacks work just like kidnappings in the physical world.
David then went on to explain why conducting backups is not enough to prevent ransomware attacks, and that regular compromise assessments and incident response planning with a dedicated team are essential to limit the likelihood of such an event and reduce the impact and duration of an attack.
He reminded the audience that, typically, an attacker gains access to the target network through means such as phishing or remote desktop protocol (RDP). Initially, the threat actor may deploy only a less conspicuous piece of malware, which collects intelligence on the company’s endpoints and looks for other vulnerabilities that can then be exploited to deploy the ransomware payload. These malware types can also steal passwords and use them to gain elevated privileges in the IT environment.
As these types of ‘reconnaissance’ malware gradually escalate access to other critical parts of the system, they can prioritize the endpoints that hold the most critical data, and later deploy a bigger payload to infect the entire IT network.
The intended consequences of a ransomware payload can vary. Many know about encryption ransomware, but depending on the variant, ransomware can lock screens, or even target the computer’s master boot record, web servers or mobile phone applications.
Whilst conducting frequent backups is the number one prevention measure that anyone can take to avoid incurring the massive cost of a ransomware payment, there is a tendency for IT teams who are not trained cyber incident responders to create backups of the organization’s devices without auditing what is being recorded. This is extremely problematic, as malware can be lingering in the background unnoticed and thus be backed up together with everything else, so that restoring from the backup simply reintroduces it. Conducting frequent compromise assessments, in combination with backing up critical data, is thus key to eradicating malware early and avoiding catastrophic consequences.
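As an added illustration of the backup-auditing point above (example code written for this page, not Blackpanda’s own tooling): a small Python check that runs a compromise-assessment hash list over a series of backup snapshots, reports which snapshots captured known-bad files, and selects the newest snapshot that is still clean as the restore point. All hashes, paths and timestamps are constructed placeholders.

```python
"""Audit backup snapshots so a restore does not bring lingering malware back."""

# Constructed known-bad hashes (placeholders standing in for the findings
# of a compromise assessment; not real indicators).
KNOWN_BAD = {
    "deadbeef" * 8: "recon-dropper",
    "cafebabe" * 8: "credential-stealer",
}

# Constructed nightly snapshots (path -> sha256). Malware first appears in
# the second one and spreads in the third, mirroring the dwell pattern
# described above. ISO-8601 UTC timestamps sort correctly as strings.
SNAPSHOTS = [
    {"taken": "2022-03-01T02:00:00Z", "files": {
        "C:/Users/alice/report.docx": "11" * 32,
        "C:/Windows/System32/svchost.exe": "22" * 32}},
    {"taken": "2022-03-02T02:00:00Z", "files": {
        "C:/Users/alice/report.docx": "11" * 32,
        "C:/Windows/System32/svchost.exe": "22" * 32,
        "C:/Users/alice/AppData/Roaming/upd.exe": "deadbeef" * 8}},
    {"taken": "2022-03-03T02:00:00Z", "files": {
        "C:/Users/alice/report.docx": "11" * 32,
        "C:/Users/alice/AppData/Roaming/upd.exe": "deadbeef" * 8,
        "C:/ProgramData/svc.dll": "cafebabe" * 8}},
]


def audit_snapshot(snapshot):
    """Return (path, family) for every file in the snapshot with a known-bad hash."""
    return [(p, KNOWN_BAD[h]) for p, h in snapshot["files"].items() if h in KNOWN_BAD]


def last_clean_restore_point(snapshots):
    """Timestamp of the newest snapshot with no known-bad file, or None if all are tainted."""
    for snap in sorted(snapshots, key=lambda s: s["taken"], reverse=True):
        if not audit_snapshot(snap):
            return snap["taken"]
    return None


def first_tainted_snapshot(snapshots):
    """Earliest snapshot that captured malware: a lower bound on how long it has been present."""
    tainted = [s["taken"] for s in snapshots if audit_snapshot(s)]
    return min(tainted) if tainted else None


if __name__ == "__main__":
    for snap in SNAPSHOTS:
        print(snap["taken"], audit_snapshot(snap) or "clean")
    print("restore from:", last_clean_restore_point(SNAPSHOTS))
    print("malware first captured:", first_tainted_snapshot(SNAPSHOTS))
```

In practice the hash list would come from the compromise assessment and the snapshot manifests from the backup system; the logic is the same.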
As cyber incident response experts, the Blackpanda team specializes in eradicating malware including ransomware, and in providing the target enterprise with the cyber response capabilities of a large corporation.
David also highlighted the importance of educating teams and building awareness of common attacker tactics such as phishing, to avoid human error leading to critical cyber security crises.
Crisis Management In Ransomware Attacks
Next, Pasi took over, and explained why it is key that ransomware response also takes crisis management into account, something that Blackpanda includes in its incident response offering thanks to an experienced team of publicists, negotiators and legal witnesses.
Navigating a ransomware attack is an extremely stressful time for any organization, with data loss, business interruption, and large financial losses all requiring constant management and critical decision making. And all of this does not stop once the malware has been eradicated.
Chris added that clear and consistent messaging is key to ensuring a smooth recovery from a ransomware attack. Essentially, one must assume that any information or statement put out publicly will be seen by the regulator and by third parties, so having appropriate legal guidance throughout the process of releasing statements about the ransomware case is key to selecting the right material to disclose.
All in all, managing stakeholders and public relations is essential to the viability of future business following a cyber attack, as ransomware attacks have been known to permanently shut down billion dollar businesses when communication was not handled wisely.
Ransomware payment was also discussed, as a complex and multifaceted problem that concerns not only finance and security but also ethics and legality.
Of course, when dealing with an attack, the primary concern is always to get business back up and running as quickly as possible. But this carries many implications, as paying ransoms means feeding the criminals, and many gangs are actually on sanction lists, so companies paying them can incur severe legal consequences.
Ultimately, there are many different factors that tip the scales in favor of paying or not paying. As service providers, we cannot advise a business on whether they should or should not make a payment. Still, we can make the client aware of the commercial, and potentially the criminal, implications of making that payment in cases where the actor appears on a sanctions list or is involved in money laundering.
It can be easy to say that one is never going to pay a ransom while things are fine, but when the cash registers are down and years of work and people’s livelihoods are on the line, making that payment can become very attractive and less blameworthy.
It is also important to consider the stakeholders’ stance when making a ransom payment decision. In many cases, ransomware not only blocks an organization’s activities, but also exfiltrates the personal data of all its clients and stakeholders. In such a case, making a ransom payment might be necessary not only to keep the boat afloat, but also to prevent thousands of people’s personal information from being made available on the darknet.
Cryptocurrency In Ransomware
When talking about ransomware, cryptocurrencies immediately come to mind. David briefly outlined the history of ransomware payments, before Chris took a lead on explaining how ransomware response specialists can help businesses understand crypto and how to make a payment.
Attackers typically request that ransomware payments are made discreetly and as anonymously as possible. When ransomware first started with infected floppy disks, in 1989, the demand was to pay the ransom by mailing a cheque to the attacker.
Several years later, ransom payments became a little more sophisticated technologically. PayPal became a popular mode of transacting, allowing for less traceable and faster payments. Still, such online transfers often require interaction with a financial institution. Since no criminal wants to disclose their identity, they switched to crypto payments as soon as they became an option. With crypto, an attacker can receive payment from anywhere in the world without any party having to disclose themselves.
Cryptocurrency thus now plays a big role in ransomware demands. In recent years, almost 100% of ransomware requests were stated in crypto. However, many companies do not have the expertise to make a cryptocurrency payment, and this poses a severe obstacle to obtaining their data when under time pressure from the attackers.
In fact, making a crypto payment involves converting several million dollars into Bitcoin, and then making a transaction to an anonymous wallet. In some cases, the attackers may even commit fraud, and so recovering the payment on the blockchain becomes necessary. Attackers often set tight deadlines for payment, threatening to release all of the organization’s data on criminal leak blogs. Relying on a team of incident responders gives businesses access to cryptocurrency experts who can take the lead in setting up crypto wallets and managing the necessary payments.
Ian then went on to discuss the role that blockchain analytics play in giving clarity to businesses trying to make such a difficult decision under incredibly high pressure.
Whilst crypto helps attackers maintain anonymity when receiving ransom payments, it also offers some benefits from a law enforcement perspective, because it provides a great deal of data to analyze.
Merkle Science specializes in crypto tracing, and partners with Blackpanda in providing tracing assistance, providing insight as to where a company’s assets have gone in order to retrieve them. Oftentimes, blockchain information can even help to identify the criminal organization behind the attack, as it provides us with an immutable record of every single transaction ever conducted, which can be seen by anybody in the public space.
When a crime happens, we can actually use the blockchain to look at all the historic transactions made by the criminal involved, and use additional intelligence to tie a real-world identity to a cryptocurrency account. This is why, if you ask some law enforcement officers today, at least those who are well trained in crypto investigations, they may even say they prefer criminals to commit their crimes using Bitcoin rather than cash.
Especially when using best-in-class solutions to prevent crypto crime, such as Coinhako, which has received recognition from MAS for its approach to compliance and consumer protection, and when conducting negotiations through expert handlers such as Blackpanda’s, companies can rest assured that their crypto payments are being handled in a secure and savvy manner.
The key takeaway from the discussion was that ransomware is a security problem that needs to be addressed from a multifaceted perspective. Organizations need extensive capabilities to handle incident response, ransomware negotiations, crisis management, public relations, legal compliance, and cryptocurrency payment. This kind of expertise is often unavailable in-house for smaller organizations.
Relying on a team that is hyper-focused on ransomware response is the only way an enterprise can successfully manage such a catastrophic incident. Blackpanda is Asia’s premier digital forensics and incident response firm, and partners with best-in-class service providers to handle a cyber crisis from a holistic perspective. With our compromise assessments, we help organizations comply with local regulations and prevent large-scale attacks, and by establishing a relationship with us, your company can get access to Asia’s first and best cyber incident response focused team.