While government officials advise against making ransomware payments, victims still often will acquiesce. But in doing so, they risk more than emboldening cyber criminals — they could inadvertently engage in sanctions violations. Forensic Risk Alliance’s Meredith Fitzpatrick and Peter Bott share blockchain-inspired mitigation methods.
Ransomware is a constantly evolving and pervasive threat to individuals, organizations and institutions across the world. Chainalysis estimates ransomware actors extorted at least $456.8 million globally in 2022, and are on pace for their second biggest year ever, having extorted at least $449.1 million through June.
Ransomware actors have grown more sophisticated in their pre-attack reconnaissance and targeting efforts and strategically select victims who rely on the availability of their systems to operate and are thus more likely to pay, such as critical infrastructure, or victims with immature cybersecurity postures. If careful due diligence is not practiced with these payments, victims or any other entity involved in facilitating the payment can be exposed to additional regulatory risks, should the ransomware actors be designated in a sanctions regime.
In the past two years the U.S. Office of Foreign Assets Control (OFAC) and UK Office of Financial Sanctions Implementation (OFSI) have issued specific guidance regarding sanctions risks in ransomware payments, including imposing civil penalties for sanctions violations.
Given the rise of ransomware payments and the continued prevalence of Russian and North Korean state-sponsored cyber crime, regulators are unlikely to soften their stance on ransomware payments anytime soon. Any entity considering making a ransomware payment would benefit from enhancing its sanctions compliance program with basic blockchain analytic techniques.
The official position of OFAC, OFSI and most other government agencies is not to pay ransomware actors, in order to dissuade future attacks. If a victim opts for payment, both OFAC and OFSI endorse implementing strong, traditional risk-based compliance programs for entities affected by ransomware attacks to mitigate the risk of violating sanctions programs. This includes any party involved in the attack or payment facilitation process — the victims, financial institutions, cyber insurance institutions and digital forensic or incident response firms.
Both OFAC and OFSI may impose civil penalties for sanctions violations based on strict liability, making an individual or organization culpable even if they did not know or have reason to know they were engaging in a prohibited transaction. Penalties range in severity and can include monetary fines and both public and non-public enforcement responses. To reduce this liability, affected parties in a ransomware attack are directed to voluntarily self-report both when attacks occur and when payments occur.
Blockchain analytics as a screening tool
While OFAC and OFSI offer this guidance to reiterate the importance of strong compliance programs and underscore the severity of violating sanctions when making payment to ransomware actors, they do not provide any specific guidance regarding the use of blockchain analytics as a means to screen for connections to sanctioned entities.
Blockchain technology is, in essence, a transparent, publicly distributed ledger that enables any user with the applicable knowledge to examine current and historical data regarding a particular address, transaction or currency. Leveraging this increased transparency can permit individuals or entities to further examine a ransomware actor’s past payment information to identify potential connections to sanctions programs.
If you are a victim of ransomware and want to ensure that you’re not paying a sanctioned entity, it can be hard to know where to start. Often the only concrete identifier that a victim has to go on is the cryptocurrency wallet address provided by the ransomware actor to receive their payment. There are four ways a victim can investigate whether they’re paying a sanctioned entity:
- Traditional screening against lists
- Basic heuristic screening
- Advanced analysis of risk exposure
- Jurisdictional risk screening
It used to be commonplace for the ransomware actors to provide the bitcoin address in the ransom note left on the victim’s computer. However, as it has become more well-known that law enforcement conducts blockchain analysis when investigating ransomware actors, it has become more common for ransomware actors to provide an email address to contact, only providing a bitcoin wallet address once the victim has agreed to pay. Once the bitcoin wallet address is furnished by the ransomware actors, it can be compared against OFAC’s specially designated nationals and blocked persons list or OFSI’s consolidated list.
However, it is trivial for a ransomware actor to generate a new bitcoin wallet address within seconds, and ransomware actors commonly generate a new wallet address per victim. Therefore, it is not enough to simply check the provided bitcoin wallet address against the above lists.
There is baseline heuristic screening one can do by using an open source blockchain explorer such as Blockchain.com. Bitcoin is an unspent transaction output (UTXO)-based blockchain, meaning that coins are stored or aggregated as a list of unspent transaction outputs received by users on the blockchain. One can therefore trace a specific UTXO’s transaction history both forward and backward.
Like cash, UTXOs are not divisible. For example, if you have a $20 bill and you purchase a $3 item, you don’t cut part of your $20 bill and hand that to the cashier. You’ll pay with your $20 bill and you’ll likely receive one ten-dollar bill, one five-dollar bill and two one-dollar bills back as change. Later in the day you take your change and purchase an $11 item. You’ll likely use your ten-dollar bill and a one-dollar bill to make the purchase. This is similar to how bitcoin works on the blockchain. Whole notes must be exchanged for an item, and change is returned back to the sending party.
In bitcoin transactions, seeing multiple input addresses in a transaction typically indicates that all the sending addresses are controlled by a single individual or entity, much like the above example where the bills were used to purchase an item.
Similarly, analysis of transaction behaviors on a UTXO blockchain can be used to detect “change addresses.” Again, like cash, UTXOs are not divisible. If an individual sending bitcoin is making a transaction for less than the UTXO amount, such as if they need to send 3.5 BTC but have a 5 BTC output in their wallet, a change address will be generated to send the change, the 1.5 BTC, back to the sender. Looking at the transaction on the blockchain, it will appear that the sending address (containing the 5 BTC) sent 3.5 BTC to one wallet address and 1.5 BTC to another wallet address, when in reality the wallet addresses containing the 5 BTC and the 1.5 BTC are controlled by the same entity. Identifying these change addresses can be done by looking at address type, input amount and output amount.
Armed with this knowledge, there is basic blockchain analysis you can undertake to “cluster” additional addresses to a specific address controlled by an individual or entity.
Advanced analysis of risk exposure
There are also advanced blockchain tracing techniques and proprietary heuristics you can leverage to conduct advanced analysis of risk exposure, including the indirect sending and receiving exposure of an address. Let’s build off the concept of clustering. This process can also be used to cluster additional wallet addresses with addresses known to be associated with entities such as virtual asset service providers (VASPs), peer-to-peer exchanges, cryptocurrency ATMs, ransomware variants, sanctioned entities, terrorist organizations and cryptocurrency mixers.
Advanced blockchain analysis tools can also be used to analyze indirect sending and receiving exposure of a wallet address or cluster of addresses. As it is trivial to create a new bitcoin wallet address, it is important to consider the indirect sending or receiving exposure when assessing the risk profile of a wallet address.
In the context of ransomware, it is important to assess whether a wallet address provided by a ransomware actor has exposure to wallets on the SDN list via one or several intermediary wallets. An address that directly or indirectly sends funds to or receives funds from sanctioned addresses carries a higher risk of enforcement should payments be made, as it is increasingly likely that the address is involved in the larger network used by the sanctioned entity. Additionally, should an address provided by a ransomware actor be clustered with another address appearing on a sanctions list, the address provided would also be subject to sanctions enforcement should payment occur.
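The following added example (written for this page, not code from the authors or from any blockchain analytics vendor) puts the three on-chain steps described above into one script: the direct list check, clustering with the multi-input and change-address heuristics, and a hop count for indirect sending and receiving exposure through intermediary wallets. The ledger, the addresses and the sanctions list are constructed stand-ins, and the change heuristic is deliberately simplified to the script-type comparison the article mentions, where the address prefix stands in for the script type.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real chain data): (txid, inputs, outputs) with (address, BTC) entries; the address prefix stands in for script type ("bc1q" segwit, "1" legacy).
TXS = [
    ("tx1", [("bc1qR1", 5.0)], [("1X1", 3.5), ("bc1qR2", 1.5)]),  # 1.5 BTC returns as change
    ("tx2", [("bc1qR2", 1.5), ("bc1qR3", 2.0)], [("1M1", 3.5)]),   # co-spent inputs, one owner
    ("tx3", [("1M1", 3.5)], [("1S1", 3.5)]),                       # intermediary pays a listed address
]
SANCTIONED = {"1S1"}  # constructed stand-in for an SDN / consolidated-list address

def find(parent, a):  # union-find lookup; an unseen address is its own cluster
    parent.setdefault(a, a)
    while parent[a] != a:
        a = parent[a]
    return a

def cluster(txs):  # address -> set of addresses the heuristics attribute to the same controller
    parent = {}
    def union(a, b): parent[find(parent, a)] = find(parent, b)
    for _, ins, outs in txs:
        first = ins[0][0]
        for a, _ in ins[1:]: union(a, first)  # common-input-ownership heuristic
        if len(outs) == 2:                    # change heuristic: the lone output of the inputs' script type
            same = [a for a, _ in outs if a.startswith("bc1") == first.startswith("bc1")]
            if len(same) == 1: union(same[0], first)
    groups = defaultdict(set)
    for a in parent: groups[find(parent, a)].add(a)
    return {a: groups[find(parent, a)] for a in parent}

def flow_graph(txs, reverse=False):  # edge: funds moved from an input address to an output address
    g = defaultdict(set)
    for _, ins, outs in txs:
        for (a, _), (b, _) in ((i, o) for i in ins for o in outs):
            g[b if reverse else a].add(a if reverse else b)
    return g

def hops_to(starts, g, targets, max_hops=5):  # fewest fund-flow hops to a target, None if none within max_hops
    seen, q = set(starts), deque((a, 0) for a in starts)
    while q:
        a, d = q.popleft()
        if a in targets: return d
        for b in (g[a] - seen if d < max_hops else ()):
            seen.add(b); q.append((b, d + 1))
    return None

def screen(ransom_addr, txs=TXS, sanctioned=SANCTIONED):
    members = cluster(txs).get(ransom_addr, {ransom_addr})
    return {"cluster": members, "listed": bool(members & sanctioned),
            "sending_hops": hops_to(members, flow_graph(txs), sanctioned),
            "receiving_hops": hops_to(members, flow_graph(txs, reverse=True), sanctioned)}
```

For the constructed ledger, screening "bc1qR1" reports a three-address cluster with no direct list hit but sanctioned sending exposure two hops away, which is the indirect exposure the article says a list-only check would miss.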
Jurisdictional risk screening
“Off-chain” checks can also provide clues as to whether a bitcoin wallet address or ransomware variant is a sanctioned entity or has ties to a sanctioned entity. Research on additional data points, such as any IP addresses associated with the actor, open-source intelligence, public-facing reports by the government, or victim reporting sites like Chainabuse, would also bolster a risk assessment of any potential ransomware payment.
That being said, ransomware variants are increasingly using “false flag” operations to appear to originate from another area of the world. A false-flag operation is when cybercrime actors go to great lengths to impersonate a different or novel group, leveraging a host of different techniques to obfuscate the actual entity behind the attack. These techniques can be technical in nature, such as utilizing different IP addresses, ransomware variants or specific penetration procedures. They can also be more socially driven, such as using different group titles, languages or content of communications themselves to denote different regions of operation. Of note, Russian state-sponsored groups have an established record of using false-flag operations to obfuscate their origins.
Should a sanctioned entity engage in a false-flag operation, it may be more difficult to assess at the attack level. However, blockchain analytics provides an additional avenue to vet an attack, should the false-flag attack use the same cryptocurrency infrastructure as the sanctioned entity behind the attacks.
OFAC and OFSI are actively using their authorities in the cryptocurrency space. In the past two years, OFAC has sanctioned a number of cryptocurrency wallet addresses associated with nation-state actors and other parts of the illicit cryptocurrency ecosystem including ransomware actors, darknet markets and cryptocurrency mixers.
Blockchain analysis can play an active role in preventing payments to sanctioned entities and reducing the monetary resources of the most severe illicit actors. Given the current cybercrime and geopolitical landscape, ransomware incidents will likely continue to grow in quantity and complexity. However, with the right combination of cryptocurrency expertise and blockchain analysis capabilities, compliance teams should feel empowered to operate in this evolving environment.