It might be the worst-kept secret in all of cybersecurity: the FBI says don’t pay ransomware gangs. But corporations do it all the time, sending millions every year in Bitcoin to recover data that’s been taken “hostage.” Sometimes, federal agents even help victims find experienced virtual ransom negotiators.
That’s what Art Ehuan does. During a career that has spanned the FBI, the U.S. Air Force, Cisco, USAA, and now the Crypsis Group, he’s found himself on the other side of numerous tricky negotiations.
And he’s only getting busier. According to Sophos, roughly half of U.S. corporations report being attacked by ransomware last year. The gangs are becoming more organized, and the attacks are getting more vicious. The days where victims could simply pay ransom for an encryption key, unscramble their data, and move on are ending. Now that some companies have managed to avoid paying ransom by restoring from backup, the gangs have upped their game. Their new trick is to extract precious company data before encrypting it, so the attacks pack a one-two punch — they threaten embarrassing data breaches on top of crippling data destruction.
(If you are new here, I am a visiting scholar at Duke University this year and I am hosting occasional email dialogs on important issues of technology, ethics, and privacy called “In Conversation.” Here’s a link to an earlier “In Conversation” about contact tracing apps. And here’s one about Facial Recognition).
Ransomware gangs also attack companies when they are at their most vulnerable — during Covid-19, they have stepped up their attacks on health care firms, for example, adding a real life-or-death component to an already stressful situation. By the time Ehuan gets involved, victims just want to put their computers and their lives back together as quickly as possible. That often means engaging the gang that’s involved, reaching a compromise, making a payment, and trusting the promise of a criminal.
It can sound strange, but during a recent lecture at Duke University, Ehuan said there were “good” cybercriminals — gangs that have a reputation for keeping those promises. After all, it’s their business. If they were to take the Bitcoin and run, security firms would stop making payments. On the other hand, you can’t trust every criminal — only the “good” ones.
This is the murky world where Ehuan works. During his lecture, Ehuan talked in broad strokes about the major issues facing companies trying to stay safe in an increasingly dangerous digital world. During this “In Conversation,” we’re going peel back the curtain on this world. David Hoffman and Shane Stansbury, two Duke professors, join us, as well as cybersecurity consultant John Reed Stark.
To: Art Ehuan
cc: David Hoffman, Shane Stansbury, John Reed Stark
Art, as you were talking at Duke about controversial cybersecurity issues like offensive capabilities (hack-back) or paying ransomware gangs, I was really struck your sense of pragmatism.
So I’d like to hear more: What is it like to really like to negotiate with a crime gang? Who makes the first move? Are you sending emails? Talking on the phone? How do you know which criminals to “trust?” How do you gain their trust? Do they ever accuse you of being law enforcement? To whatever degree you can, give us a blow-by-blow.
To: Bob, David, John, Shane
When the malware is deployed there is also information provided on how to contact (the crime gang) to pay the fee that they are looking for and receive the key to unencrypt the data.
Our firm, and others like it, will then have a discussion with the client and counsel to decide if they will pay and how much they are willing to pay. Once authorized by counsel/client, contact is made with the TA (gang) on the dark web to advise them that systems are impacted and we would like to discuss getting our data back, or data not being released to public sites, etc. We provide them with a known encrypted file to make sure they are able to unencrypt and provide us back the known file to ensure that actually have the decryptor. We have a discussion with the TA over the dark web to lower price due to funds the client has available, etc.,
There is good success in negotiating a fee lower than what was initially asked by these groups. Once the fee is agreed and payment made, most often than not by bitcoin, TA sends the decryptor that is then tested in an isolated environment to make sure that it does what it is supposed to do and not potentially introduce other malware into the environment. Once evaluated, it is provided to the client for decryption of their data. If the negotiation is for them not to release the data, they will provide proof of the files being deleted on their end (we have to take their word for it that they haven’t kept other copies). Sometimes this takes several days due to the time difference between U.S. and Eastern Europe when communicating.
Even with the decryptor, unencrypting the data is a painful and costly experience for a company. My continuous message to clients is to secure and segment their infrastructure so these attacks are not as successful. That is cheaper than the response efforts that occur with a breach.
Hopefully, this provides at a high-level process that is taking place.
From: John Reed Stark
To: Art, David, Bob, Shane
How to stop or at least stall the exponential growth of ransomware attacks? Since we can rarely identify, let alone charge, extradite and prosecute ransomware attackers, we need to get innovative and aggressive — by hitting attackers off where they feel it most — their digital wallets.
How do most corporate victims of ransomware attacks pay the ransoms demanded? Bitcoin of course — it’s fast, reliable, verifiable, subject to little regulation and virtually untraceable. Bitcoin has become ideal for ransomware extortion schemes. Attackers can simply watch the public blockchain to know if and when a victim has paid up. They can even create a unique payment address for each victim and automate the process of unlocking their files upon a confirmed bitcoin transaction to that unique address.
Unlike the sequence of events during a kidnapping scenario, where the exchange of money arguably places criminals in their most vulnerable position, ransomware attackers can facilitate pseudo-anonymity and instantaneous payment via a simple, rapid and global bitcoin transaction process. Hence, rarely is there ever even an arrest, let alone a successful prosecution, of a ransomware attacker. Law enforcement remains virtually powerless and has even fallen victim to ransomware extortion schemes.
In the history of financial innovation, modernization and invention, there has always existed one constant: Whatever the product, criminals will attempt to exploit its application. Bitcoin dramatically illustrates this axiom.
And in addition to the treacherous reality of Bitcoin’s predominant use, Bitcoin still thrives despite a litany of hurdles, including: liquidity risk, price volatility, cybersecurity vulnerabilities, commission fees, anti-money laundering implications, ethical dilemmas, tax burdens, entanglement mishaps and many other obstacles.
Bitcoin has essentially evolved into a highly resilient and resistant toxic virus in and of itself.
Make no mistake, the innovative community of Blockchain developers and entrepreneurs deserves congratulations, admiration and encouragement — but their good work has been hijacked by a dangerous legion of criminals. And while blockchain technology may very well have extraordinary potential, there exists no responsible gatekeeper to keep the process and the players honest.
Sadly, too many of the shamelessly self-anointed fintech attorneys, who claim to practice within the crypto space, are of little help and have at times actually exacerbated an already dire situation. Some not only blindly facilitate the criminal norms of the cryptocurrency marketplace, but their law firms also blithely encourage cryptocurrency transactions by accepting bitcoin as a form of payment for their legal services. It seems that some lawyers and their firms have become so desperate for fees that accepting bitcoin blood money seems somehow justifiable.
This last point about lawyers and cryptocurrency hits home and bothers me the most. Because when ransomware gets worse — which it will — and people die as a result — which they will — someone somewhere will undoubtedly ask: Where were the lawyers?
This damning question has been repeated in every major financial scandal since it was first formulated by the legendary Stanley Sporkin about corporate misdeeds decades ago when he was head of the U.S. Securities and Exchange Commission’s Division of Enforcement in the 1970s, and then as U.S. federal district judge from the mid-80s onward.
To: Art, John, Bob, David
This really is a fascinating industry, and I’m eager for the first really good Hollywood movie depicting a ransomware negotiation. (Perhaps Liam Neeson is already on it?)
As I listened to Art’s talk, I couldn’t help but think back to my days as a prosecutor when I handled some international kidnapping cases, which as Art knows falls within the scope of the FBI’s work. Most of my cases involved journalists (sorry, Bob). And, as in the cyber world, the FBI’s position in the physical world was always “no ransoms.”
Of course, as is the case now, the FBI never really could control what other people do. So if, say, a victim’s family wanted to pay (or, more indirectly, to facilitate a third-party payment), there really was not a whole lot the Bureau could do about it. But the difference now, it seems, is the scale and anonymity involved. There is just so much of this activity that it is virtually impossible to establish a norm of crime doesn’t (literally) pay. Companies and municipalities being held hostage have to get back to business quickly, and the consequences of not paying are just too high — especially with the new techniques that Art described, and which Bob noted.
And, as John rightly points out, cryptocurrencies (and the internet in general) allow the criminals to stay hidden (no need to meet at the park bench to receive the briefcase) and to obtain payment in a form that suits all of their needs. Is outlawing Bitcoin, as John suggests, the answer? I don’t know. Would that mean we end up criminalizing victims who currently have no other recourse (similar to outlawing cash payments in unmarked bills)? Would a U.S. law have sufficient impact? Would the downsides (e.g., for developing economies) outweigh the upsides? I certainly agree that the largely unregulated flow of cryptocurrency is unworkable and ultimately brings more harm than good. I find myself saying over and over these days: It is a good time to be a cybercriminal.
Art, I’d also love to hear about some of these negotiations. How are they different from dealing with traditional kidnappers, and do they tell us anything about the way forward? Is John’s suggestion the only option?
To: Bob, David, Shane, John
The world has certainly become more complex and dynamic since I was in the FBI and conducted extortion and bank robbery investigations. The anonymity of the Internet, cryptocurrency and the lack of international cooperation between the U.S. and certain countries have in my opinion really hampered the ability of law enforcement/ prosecutors to take any real meaningful action to identify and prosecute these OC (organized crime) and nation-state actors. Thus, since this avenue is a long shot to dissuade threat actors, it is up to companies to do a better job of protecting themselves. This is one area that is still quite amazing for me to see that companies are not doing their due diligence in defending their assets. There is a mentality that “It won’t happen to me,” “I am too small who would care,” “I have great security because I provide all the resources that the CIO asks for,” etc., etc.. This narrative is partially responsible for the success of the threat actors.
You frequently hear that nation-state actors are using sophisticated attacks when targeting companies and, ‘How can I even defend against that type of actor”? The reality is that nation-state groups/OC groups don’t need any advanced techniques. They are using the old, time-tested phishing, unpatched systems, etc., not rocket science stuff that you often hear about.
I find that the FBI has really done a great job in assisting companies that are being victimized. They don’t tell victim companies that they cannot pay ransom. They understand the business imperatives of getting back and running especially if you are in the critical infrastructure sector. They assist with matters by providing malware signatures when in a number of ransomware cases have been very useful in identifying further threat actor activity. At the end of the day, the Bureau, DHS, and the other agencies are overwhelmed the number of matters that are being investigated. At the end of the day this is a governance and oversight issue due to, IMHO, the lack of these measures at the board level.
From my experience, and I came into the Bureau when folks robbed banks the old fashioned way, with notes and guns — the bank robbers of the past are not the brightest people and thus leave a lot of trace/forensic evidence that is very valuable in identifying and prosecuting an individual. The modern bank robber is a brighter individual and typically part of an OC team, or in the case of North Korea and their hacking of financial services firms, very well trained and sophisticated in their approach.
In 20+ years now of investigating cyber-related crime, this is the busiest I have ever been. I anticipate it will be even worse in 2021. As a FBI friend of mine recently said to me, “Why would they quit, there is so much more money to be made?”
To: Bob, David, Art, Shane
Tendering ransomware payments has evolved into yet another dirty little secret of corporate operations — just like U.S. corporate foreign bribes prior to the enactment of the Foreign Corrupt Practices Act or U.S. business dealings with terrorists prior to the enactment of the USA Patriot Act. Except this time, there may not exist a statutory remedy for the current ransomware payment scourge – and this time one cannot help but sympathize with the excruciating suffering endured by ransomware victims.
In the opus side, the private sector (including insurance companies) have stepped up, becoming remarkably inventive. Hence the genesis of a new and cottage industry of so-called “ransomware payment facilitators,” typically data recovery, digital forensics, or other incident response firms who, by negotiating and transacting with the ransomware attackers, will attempt to recover ransomware victim’s files for a fee. But how?
First off, a digital forensics firm can help a ransomware victim navigate the maze of setting up an account to handle bitcoin, getting it funded, and figuring out how to pay other people with it. A digital forensics examiner may even be able to construct a payment scheme where rendering ransomware payments is conditional. By using cryptocurrency features to ensure that ransomware attackers cannot receive their payment unless they deliver a key, there can exist some added level of security and reliability upon the transaction.
Ransomware attackers may portray the entire ransomware payment process as more akin to an ordinary business transaction than an international extortion scheme. In fact, some recent ransomware attackers purportedly even offer a victim company a discount if the victim company transmits the infection to other companies, just like referral programs of Uber or Lyft.
However, while a ransomware payment process may seem straightforward and rudimentary, the reality is far more complicated and rife with challenges. No ransomware payment process can guarantee that the ransomware attacker will provide a decryption key. The ransomware scheme may be nothing more than a social engineering ruse, more like an old fashioned Nigerian Internet scam than a malware infection – and the payment could end up being all for naught.
Indeed, ransomware attackers may no longer have the encryption key or may just opt to take a ransom payment, infect a company’s system, and flee the crime scene entirely. Not only is the system of paying in untraceable Bitcoin risky, but the transaction in its entirety is so risky, it hardly seems palatable. Nonetheless, the number of victim companies that pay ransomware demands continues to grow at an alarming rate.
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, can perhaps be comported so as not to break any laws (like anti-terrorist laws, FCPA, conspiracy and others) – and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination — almost like a cost-benefit analysis.
The arguments for rendering a ransomware payment include:
• Payment is the least costly option;
• Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
• Payment can avoid being fined for losing important data;
• Payment means not losing highly confidential information; and
• Payment may mean not going public with the data breach.
The arguments against rendering a ransomware payment include:
• Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
• Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
• Payment can do damage to a corporate brand;
• Payment may not stop the ransomware attacker from returning;
• If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
• Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.
When confronted with a ransomware attack, the options all seem bleak. Pay the hackers – and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers – and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.
Even under the best-case scenario, where a victim has maintained archives and can keep their business alive, the victim companies will incur significant remedial costs, business disruptions and exhaustive management drag. Moreover, having a back-up storage solution in place is not always ideal; not only can outside storage of data create additional cybersecurity risks, but sometimes data archives are more like the proverbial roach motel, where data checks in but it can’t check out.
From where I sit, companies struggling with ransomware threats should apply the same lessons to ransomware protection used for employee protection: Be prepared (e.g. deploy back-ups and the like); Be thoughtful (e.g. use professionals to implement preemptive measures and help handle the response); and Be vigilant (e.g. never underestimate the impact of ransomware and never take the threat lightly).
To: Shane, Art, John, Bob
Ransomware has now become a life and death issue. Last Friday, German prosecutors opened a negligent homicide investigation for a ransomware attack. An attack on the University of Dusseldorf’s hospital caused a patient to be diverted to another hospital 20 miles away. The patient later died and prosecutors allege that the ransomware attack was a contributing factor in the death.
Payment systems that preserve anonymity (like Bitcoin) have a number of important and legitimate uses like allowing political dissidents to organize. However, providing a payment mechanism for illegal acts that could result in death should cause us to question whether these payment systems need to be regulated to allow for law enforcement officials to adequately prosecute cybercriminals. This does not need to be a ban on anonymous transactions, but instead could require electronic payment systems to design into their systems an ability for law enforcement, acting with a warrant, to trace the transactions back to people receiving the funds.
This may sound similar to the policy discussions of the past 20 years about giving law enforcement access to encrypted communications sent over the internet or stored on a phone. However, in those cases the argument against giving law enforcement that capability has been that introducing that access would enter cybersecurity weaknesses into foundational technology that would create opportunities for criminals to attacks systems including those used by government and critical infrastructure. A requirement to de-anonymize electronic transactions would not have such wide sweeping effects. While it is possible the keys could be compromised to allow others parties to understand who is conducting the transactions, this might be a reasonable compromise to deal with the increasingly dangerous wave of ransomware attacks.