How Bitcoin Has Fueled Ransomware Attacks

Jun 10, 2021
Originally published on June 12, 2021 11:56 am

The problem has long plagued bank robbers and drug smugglers: how to transport and hide huge sums of ill-gotten gains without getting caught?

In the past few years, ransomware hackers have found an almost perfect solution — cryptocurrencies like Bitcoin. It's fast. It's easy. Best of all, it's largely anonymous and hard to trace.

In the latest example, the world's largest meat processor, JBS, announced Wednesday night that it recently paid $11 million in Bitcoin after a cyber attack forced the shutdown of its plants in the U.S., Canada and Australia. The FBI has blamed the attack on a Russian criminal gang.

"You now have a possibility to move millions of dollars worth of cryptocurrency across national boundaries in seconds," said Yonatan Striem-Amit, a co-founder of Cybereason, a Boston-based company that offers protection from hackers.

"It really is a very powerful tool in the hands of criminals to perform money laundering, to shift currency from one state to another in a way that's in a sense untraceable and definitely uncontrollable."

Until recently, many cyber crimes involved the small-scale theft of individual credit cards or bank accounts.

"If we were talking two years ago, we would not be talking about Bitcoin as being the dominant form of paying off ransom," said Hitesh Sheth, president of the cybersecurity company Vectra in San Jose, Calif.

Big payments, little risk

Bitcoin and other cryptocurrencies made it possible to extort huge ransoms from large companies, hospitals and city governments. And if the cyber thieves live in countries like Russia — which many do — there's virtually no chance of getting caught.

Ironically, cryptocurrency exchanges take place on what are called "public ledgers."

This means anybody can observe online. But the parties in a transaction are anonymous, disguised with a random number.

"You see exactly the way the money moves from one address, and one wallet, to another," said Striem-Amit of Cybereason. "However, there is no way for us to associate a person with these wallets. And a lot of people have not just one address, one wallet, but have dozens, hundreds."

So hackers can keep moving the currency from one anonymous account to another. That makes it very difficult — though not impossible — to trace.

Consider the case of Colonial Pipeline, which was hacked last month, leading to the shutdown of gasoline supplies in the eastern U.S. for the better part of a week.

The Justice Department said this week that the FBI recovered more than half the $4.4 million in ransom that Colonial paid to the hackers, who are known as DarkSide and believed to be based in Russia.

Deputy U.S. Attorney General Lisa Monaco, speaking on June 7, announces that the FBI has recovered most of the $4.4 million ransom that Colonial Pipeline paid to ransomware attackers last month. The attackers are believed to be based in Russia.
Getty Images

This case marked a big breakthrough. The Justice Department said this was the first time that a task force devoted to ransomware has been able to claw back some of the money.

An exception

Still, this is unlikely to become the norm any time soon. The FBI poured resources into the Colonial case because it was a high-profile attack that shut down a pipeline critical to the nation's economy.

The FBI won't be able to devote so many resources to every ransomware attack. And the cases are tough to solve.

According to court documents, the FBI worked its way through a maze of more than 20 cryptocurrency accounts to find the hackers. When it did locate the account, the bureau then sought a U.S. court order to seize the funds.

But then comes the real mystery. Even when the FBI located the computer, and had the court order, the bureau still needed the secret encryption key to unlock the account and capture the Bitcoin.

The FBI hasn't said how it did this, and this has prompted widespread speculation and a range of possible scenarios in the cybersecurity community.

The FBI discourages ransom payments, and some companies do refuse to pay. But the decision is up to the company or institution that has been hit, and many feel it's better to pay and resume operations rather than risk a protracted shutdown.

Meanwhile, private companies are realizing they need to focus more on the threat of ransomware.

"For the boards of directors of large companies, cybersecurity the last couple years has become a hot topic," said Hitesh Sheth of Vectra. "It's not just cybersecurity, like, 'Hey, how do I stop attacks?' It's really gone down to, 'What is our ransomware strategy.' It's become very specific."

Ransom insurance

The ransom demands, and the payments, have skyrocketed.

"We have now seen, with our clients, ransoms paid in excess of 10 million dollars, with demands as high as 40, 50 and 60 million dollars," said Oren Wortman, who handles cyber issues for the insurance brokerage firm Beecher Carlson.

Some insurance companies are no longer covering ransomware, or are imposing a range of restrictions, he added.

"There are insurers out there who are blanket not writing any new business," he noted. "There are insurers who are dropping business. And there are insurers who are completely excluding health care, public sector and higher education," all of which are frequent targets.

Amid all these developments, the Biden administration and some members of Congress are starting to talk about regulating cryptocurrencies. But so far, it's just talk.

Greg Myre is an NPR national security correspondent. Follow him @gregmyre1.

Copyright 2021 NPR. To see more, visit https://www.npr.org.

NOEL KING, HOST:

The world's largest meat producer, JBS, says it paid $11 million in bitcoin as ransom to cybercriminals. The company says it made that payment to prevent more disruptions after its plants in North America and Australia were shut down. Hackers typically demand payment in cybercurrency because it is very hard to trace. Here's NPR's Greg Myre.

GREG MYRE, BYLINE: The problem has long plagued bank robbers and drug smugglers - how to transport and hide large sums of ill-gotten gains without getting caught. At last, ransomware hackers have found an almost perfect solution - cryptocurrencies.

YONATAN STRIEM-AMIT: You now have a possibility to move millions of dollars' worth of cryptocurrency across nationalities in seconds.

MYRE: Yonatan Striem-Amit is a co-founder of Cybereason. It's a Boston-based company that offers protection from hackers.

YONATAN STRIEM-AMIT: It really is a very powerful tool in the hands of criminals to perform money laundering, to shift currency from one state to another in a way that's, in a sense, untraceable and definitely uncontrollable.

MYRE: Until recently, many cybercrimes involved the small-scale theft of individual credit cards or bank accounts. Hitesh Sheth runs the cybersecurity company Vectra in Northern California.

HITESH SHETH: If we were talking like this two years ago, we would not be talking about Bitcoin as being the dominant form of paying off the ransom.

MYRE: But Bitcoin and other cryptocurrencies made it possible to extort huge ransoms from large companies, hospitals and city governments. And if the thieves live in countries like Russia, which many do, there's virtually no chance of getting caught. Ironically, cryptocurrency exchanges take place on what are called public ledgers. This means anybody can watch online, but the parties in a transaction are anonymous, disguised with a random number. Yonatan Striem-Amit explains.

YONATAN STRIEM-AMIT: You see exactly all the way the money moves from one address, one wallet to another. However, there is no way for us to associate a person with these wallets. And a lot of people would have not just one address, one wallet, but can have dozens, hundreds.

MYRE: So hackers can keep moving the currency from one anonymous account to another. This makes it very difficult, though not impossible, to trace. Consider the case of Colonial Pipeline. The FBI did recover more than half of the $4.4 million in ransom the company paid to the hackers, believed to be based in Russia. This was a big breakthrough, but it's unlikely to become the norm. The FBI says it worked its way through a maze of more than 20 cryptocurrency accounts to find the hackers. Private companies are realizing they need to focus more on the threat of ransomware. Again, Hitesh Sheth.

SHETH: Cybersecurity, the last couple years, has become a hot topic. But, you know, it's not just cybersecurity as like, hey, how do I stop attacks? It's really gotten down to, what is our ransomware strategy? Right? It's gotten very specific.

MYRE: The ransom demands and the payments have skyrocketed. Oren Wortman is with the insurance company Beecher Carlson.

OREN WORTMAN: We have now seen with our clients ransoms paid in excess of $10 million with demands as high as 40, 50 and $60 million.

MYRE: Some insurance companies are no longer covering ransomware.

WORTMAN: There are insurers out there who are blanketly not writing any new business. There are insurers who are dropping business.

MYRE: With all this going on, the Biden administration is starting to talk about regulating cryptocurrencies. But so far, it's just talk.

Greg Myre, NPR News, Washington.

(SOUNDBITE OF SUBLAB AND AZALEH'S "VIDURA")

KING: And just a quick note - Cybereason, one of the companies in Greg's story, is an NPR sponsor.

(SOUNDBITE OF SUBLAB AND AZALEH'S "VIDURA") Transcript provided by NPR, Copyright NPR.