Ransomware is growing quickly but Chainalysis expects arrests soon

It’s no secret that crypto-ransomware has become a huge problem for cybersecurity over the last few years. The powerful tools typically encrypt files on an infected computer, and extort a bitcoin ransom from victims.

In 2015, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program, Joseph Bonavolonta, said “the ransomware is that good” and that the agency “often advise people just to pay the ransom.”

In a report released this June, Kaspersky Lab claims that the number of users attacked with encryption ransomware “is soaring.” The international software security group found that 718,536 users were affected between April 2015 and March 2016, a 5.5-fold increase compared to the same period in 2014-2015.

“It’s not only PC users who are in danger. The number of users attacked by ransomware targeting Android-based devices has increased four-fold in just one year, hitting at least 136,000 users globally.”

- Kaspersky

Check Point Software Technologies Ltd. recently published an exposé on the growing ransomware-as-a-service industry. The 60-page report details a particularly malicious form of ransomware, Cerber. Check Point states that Cerber was responsible for about 150,000 infections in July alone, generating a total of $195,000 for the month.

The company says that unskilled actors, lacking “technical knowledge,” can easily connect with developers in various closed forums. “For a small payment, the would-be attackers obtain an undetected ransomware variant. Then, they easily manage their active campaigns with a basic web interface.”

A Symantec report states that Cerber has made a significant impact since it emerged in March. “It is now possible for someone with relatively little skill to pay for a ransomware executable and access to a user interface to track their victims,” Symantec explained. “The RaaS creators then sit back and wait for their customers to distribute the malware, earning a percentage of the profits.”

A recent report from Arctic Wolf states that victims paid $24 million in 2015, and that “it’s become a rapidly growing business for cybercriminals. Experts agree that stopping ransomware is nearly impossible, so the best defense today is rapid detection, response and remediation.”

A recent Censuswide survey of 250 IT and security specialists in the UK shows that 33 percent of the companies surveyed are “stockpiling Bitcoins to pay up” in the event of a ransomware attack.

Chainalysis is a New York company founded by three digital currency veterans: Kraken advisor and former COO Michael Grønager, former Mycelium engineer Jan Møller, and Coinometrics CEO Jonathan Levin.

The company is one of several bitcoin forensics ventures, including Elliptic, Block Seer, and Skry. There are also several free and paid self-service forensics tools like BitIodine and Numisight.

“Our products allow financial institutions to develop trust lines between them as well as identify malicious actors,” states the company. “Our mission is to create tools that respect user privacy and prevent abuse of our financial system.”

The startup raised $1.6 million in seed round funding last February. The only blockchain forensics company to raise more, Elliptic, raised $5 million in March. Although Elliptic has partnered with global accounting firm KPMG and Blythe Masters’ Digital Asset Holdings, the newer firm is still playing catch-up.

Chainalysis started to gain customers in the banking industry during a Barclays accelerator program for fintech startups last year. The top British bank and Techstars, an incubator firm, both put their weight behind the startup, and it doesn’t appear that they’ve had any trouble finding clients since.

The startup is an official investigator of the lost MtGox bitcoins, works with Europol in Europe, and the FBI in the US. The company was part of the take-down of an infamous cyber extortion gang known as DD4BC, or “DDoS for bitcoin,” last January.

The extortion ring had been charging bitcoin for targeted denial-of-service attacks since at least late 2014, and their highly distributed attack design made it very hard to trace the perpetrators directly. Europol turned to Chainalysis so that they could follow the money.

“Bitcoin transactions used to be anonymous, but our software is capable of linking the source and recipient,” Grønager states. “In effect, bitcoin has become less anonymous than cash.”

Grønager claims that the recent theft of $66 million worth of bitcoins from Bitfinex account holders was a mistake. “Whoever took those bitcoins has a bit of a problem because the minute they use them, we will be able to trace them,” Grønager explained to Computer Weekly. “It is a bit like sitting on a pile of marked banknotes.”

Chainalysis also does more than track stolen coins. A controversial alert service API determines the “activity associated to the source or destination of Bitcoin funds in real time.” A separate product aims to improve banking relations. Businesses can use it as an independent source “to verify what your customers are doing with their bitcoins.”

“Banks needed a monitoring tool to identify money-laundering activities and verify if bitcoin transactions were attached to legitimate business activities,” Grønager explains. Coinvalidation offered a similar service in 2013. The company’s “blacklisting” service was widely criticised as potentially damaging to bitcoin’s fungibility.

When two or more things are interchangeable, can be substituted for each other, or are of equal value, they are described as fungible. It’s one of the defining characteristics of a useful currency.

In the case of bitcoin, fungibility can become an issue due to the open nature of the payment system’s transaction ledger. In theory, all bitcoins should be considered equal. However, problems could occur if someone decides that they don’t want to receive bitcoins that have been used in illegal or controversial transactions.
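To make the “follow the money” and fungibility points above concrete, here is an added example, not code from the article or from Chainalysis: a toy public ledger and the simplest tracing heuristic an analyst can run over it, proportional (“haircut”) taint. Every transaction, address and amount below is constructed for illustration; the flagged address stands in for one an investigator has attributed to a ransom campaign. Because the ledger is public, any counterparty can compute the same figures, which is exactly why a recipient could decide to refuse coins on the basis of their history.

```python
# Constructed toy ledger (not real chain data). Transactions appear in
# confirmation order; each input references an earlier output as (txid, index).
# A transaction with no inputs mints fresh coins (stands in for a coinbase).
LEDGER = [
    {"id": "tx1", "inputs": [], "outputs": [("alice", 10.0)]},
    {"id": "tx2", "inputs": [], "outputs": [("extortion_wallet", 5.0)]},
    # ransom proceeds are co-spent with alice's clean coins (0.1 fee paid)
    {"id": "tx3", "inputs": [("tx1", 0), ("tx2", 0)],
     "outputs": [("hop_wallet", 12.0), ("change_wallet", 2.9)]},
    # the hop wallet pays a merchant and an exchange deposit (0.1 fee paid)
    {"id": "tx4", "inputs": [("tx3", 0)],
     "outputs": [("merchant", 6.0), ("exchange_deposit", 5.9)]},
]
# Hypothetical attribution: addresses an investigator has linked to the campaign.
FLAGGED = {"extortion_wallet"}


def index_outputs(ledger):
    """Map every outpoint (txid, index) to (address, amount)."""
    out = {}
    for tx in ledger:
        for i, (addr, amount) in enumerate(tx["outputs"]):
            out[(tx["id"], i)] = (addr, amount)
    return out


def compute_taint(ledger, flagged):
    """Haircut taint: an output's taint is the value-weighted share of its
    transaction's inputs that derives from a flagged address.
    Returns {outpoint: fraction in [0, 1]}."""
    outputs = index_outputs(ledger)
    taint = {}
    for tx in ledger:
        if not tx["inputs"]:
            # freshly minted coins are tainted only if paid straight to a flagged address
            for i, (addr, _) in enumerate(tx["outputs"]):
                taint[(tx["id"], i)] = 1.0 if addr in flagged else 0.0
            continue
        total = sum(outputs[p][1] for p in tx["inputs"])
        dirty = sum(outputs[p][1] * taint[p] for p in tx["inputs"])
        share = dirty / total if total else 0.0
        for i, (addr, _) in enumerate(tx["outputs"]):
            # every output inherits the same share; paying a flagged address is fully tainted
            taint[(tx["id"], i)] = 1.0 if addr in flagged else share
    return taint


def ancestors(ledger, outpoint):
    """All earlier outputs whose value flowed into `outpoint` (the follow-the-money walk)."""
    by_id = {tx["id"]: tx for tx in ledger}
    seen, stack = set(), [outpoint]
    while stack:
        txid, _ = stack.pop()
        for parent in by_id[txid]["inputs"]:
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def screen(ledger, flagged, threshold):
    """Outputs a recipient applying `threshold` would refuse: {(address, outpoint): taint}."""
    outputs = index_outputs(ledger)
    taint = compute_taint(ledger, flagged)
    return {(outputs[p][0], p): t for p, t in taint.items() if t >= threshold}


if __name__ == "__main__":
    taint = compute_taint(LEDGER, FLAGGED)
    for outpoint, fraction in sorted(taint.items()):
        print(f"{outpoint}: {index_outputs(LEDGER)[outpoint][0]:>16} taint={fraction:.3f}")
    print("sources behind the merchant payment:", sorted(ancestors(LEDGER, ("tx4", 0))))
    print("refused at a 30% threshold:", sorted(screen(LEDGER, FLAGGED, 0.30)))
```

Running it shows the merchant’s 6 BTC carrying a taint of one third even though two thirds of the value behind it came from alice’s untouched coins; a merchant screening at 30 percent would refuse the payment, a merchant screening at 50 percent would accept it, and the choice of heuristic and threshold, not the coins themselves, decides the outcome. That is the fungibility problem in miniature: once history is attached to value, equal coins stop being treated as equal.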

The largest bitcoin wallet provider at the time, Blockchain.info, quickly offered a free service to fight Coinvalidation, and the blacklist was eventually scrapped. No vendor has ever turned down a bitcoin due to its history, such as one proven to be from a Silk Road vendor.