A day after news of the global “WannaCry” ransomware attack broke, bitcoin intelligence startup Elliptic released its ‘Rapid Response to Ransomware: a Four-Step Plan for Readiness, Resolution, and Identifying the Attacker’ to raise awareness of how to deal with a ransomware attack when faced with one. Microsoft also criticized the NSA for ‘stockpiling’ exploits, as the attack appears to have been built on the NSA’s cyberwarfare tools, leaked by the Shadow Brokers in August 2016.
Elliptic’s four-step plan on how to deal with ransomware attacks outlines easy-to-follow steps for its clients and for anyone else who may be affected by this form of cybercrime.
“Through our extensive Bitcoin ransomware work in the United States, United Kingdom, and Europe, we have put together a comprehensive plan for ransomware readiness,” says Elliptic’s co-founder and CEO Dr. James Smith.
Ransomware refers to malicious software that blocks an individual’s or a company’s access to their own files. The software does this by encrypting the data and system files on the computer; the user regains access only by paying a ransom, after which they are provided with a decryption key. Ransomware usually spreads through emails as downloadable attachments.
The first known ransomware attack happened in 1989 through a rudimentary piece of software created by Joseph Popp, an AIDS researcher. He distributed thousands of floppy disks to more than 90 countries under the ruse that they contained a research questionnaire. Once a computer was infected, the malware activated after 90 “starts,” at which point the ransom message was displayed. Though this malware was simple, it laid the foundation for future ransomware attacks.
Since then, ransomware attacks have grown in scale, sophistication, and in the amounts demanded, with a notable surge in the last five years. According to some reports, criminals made around $1 billion in 2016 from ransomware attacks, with most of the funds being transmitted using the pseudonymous cryptocurrency bitcoin.
Hospital systems, banks, transport companies and even some governments have been victims of cyber attackers. In response to the increasing threat, bodies such as the Internet Crime Complaint Center (IC3) and the No More Ransom alliance, composed of law enforcement agencies from countries around the world, Intel and Kaspersky Lab among others, have been created to stop or slow infections and to bring perpetrators to justice where possible.
The biggest ransomware attack, however, came on the weekend of May 12-14 in the form of the WannaCry malware. This software has infected over 200,000 computers in over 150 countries. The code was able to spread through emails as well as between computers connected over a network, and this ability to move laterally aided its quick spread. WannaCry has claimed many victims, including the UK’s National Health Service (NHS), motor company Renault, German train network Deutsche Bahn, and FedEx, crippling operations and even grinding some to a halt.
Elliptic’s Response To Ransomware
UK-based Elliptic is a blockchain intelligence firm that investigates illegal dealings that take place on the bitcoin blockchain. Since many ransomware attacks, including WannaCry, demand payment in bitcoin, the company is increasingly proving useful to law enforcement agencies worldwide.
“We only provide our forensic investigation services in collaboration with law enforcement, and we have a very high success rate in delivering actionable intelligence on complex bitcoin investigations. We are able to connect the dots between bitcoin activity and real-world actors,” stated Elliptic’s co-founder and CEO Dr. James Smith.
Using a team composed of investigators with years of experience as well as computer scientists with in-depth knowledge of cybersecurity, Elliptic has created advanced bitcoin investigation software that tracks bitcoin wallets associated with illegal activity.
Elliptic co-founder and lead investigator Dr. Tom Robinson said:
“We actively trace proceeds of ransomware and cyber extortion, and we alert our bitcoin exchange customers if they receive illegal funds. Our goal is to defeat ransomware by making it extremely difficult to launder the proceeds of these crimes.”
The company has also created a four-step Rapid Response Plan for ransomware attacks. The plan seeks to help users prepare for an attack and respond in the most appropriate manner.
The first step, once infected and a ransom has been demanded, is to evaluate how much damage has been done and whether paying is worthwhile. In many ransomware cases the criminals do not decrypt the files once the payment is made, and there may be ways to recover the encrypted files without the hackers’ decryption key. Using these considerations, Elliptic is able to determine whether paying the ransom is warranted or not.
If the decision to go ahead with the payment is made, Elliptic helps to facilitate the bitcoin payment. Because the sum to be paid is usually large, acquiring the bitcoin is often not possible within the time frame set by the attackers, owing to the policies that many bitcoin exchanges enforce.
“Most bitcoin exchanges have Know Your Customer (KYC) policies that prohibit them from selling new clients a significant amount of bitcoins. Often a company will have the cash ready to purchase bitcoins, but the exchange cannot legally open an account and complete the transaction before the ransom is due.”
“Elliptic can help clients obtain bitcoins through its network of exchanges and liquidity providers,” added Dr. Robinson.
The third step is to make the payment correctly. Elliptic helps to ensure that no mistakes are made, and the money goes to the right address. “Constructing a large bitcoin transaction is a technical process. You need to define the right transaction fee, verify the destination, and sign the transaction appropriately,” said Dr. Robinson.
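As an added illustration of the “verify the destination” part of the third step (this is example code, not Elliptic’s or the article’s own): a Base58Check validator that detects a mistyped or corrupted legacy bitcoin address before any blockchain lookup or transfer is attempted. The sample address in the demo is the well-known genesis-block address, used here only as constructed input.

```python
import hashlib
from typing import Optional

# Base58 alphabet used by bitcoin: 0, O, I and l are deliberately excluded
# because they are easy to confuse when an address is copied by hand.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Version bytes of the two legacy mainnet address types.
MAINNET_VERSIONS = {0x00: "P2PKH", 0x05: "P2SH"}


def base58check_decode(address: str) -> Optional[bytes]:
    """Decode a Base58Check string to version+payload, or None if malformed."""
    n = 0
    for ch in address:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the alphabet, e.g. a typed '0' or 'l'
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' stands for a leading 0x00 byte that integer conversion drops.
    leading_zeros = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * leading_zeros + raw
    if len(raw) < 5:
        return None
    body, checksum = raw[:-4], raw[-4:]
    # The checksum is the first four bytes of double-SHA256 over version+payload.
    expected = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    if checksum != expected:
        return None  # transcription error or tampering
    return body


def classify_address(address: str) -> str:
    """Return 'P2PKH', 'P2SH' or 'invalid' for a legacy mainnet address string."""
    body = base58check_decode(address)
    if body is None or len(body) != 21:  # 1 version byte + 20-byte hash
        return "invalid"
    return MAINNET_VERSIONS.get(body[0], "invalid")


if __name__ == "__main__":
    # Constructed sample: the genesis-block address, and the same string
    # with its last character changed, which the checksum rejects.
    for sample in ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
                   "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"):
        print(sample, "->", classify_address(sample))
```

Bech32 (bc1...) addresses use a different encoding and checksum and are outside what this validator covers.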
Lastly, Elliptic uses its investigation software to ascertain the identity of the people behind the bitcoin addresses. “In previous cases, we have been able to work with law enforcement to see where the funds move because ultimately the attacker wants to turn it back into a currency they want to spend,” explained Smith.
It remains to be seen how much the WannaCry attackers will end up getting. As of May 16, over $68,000 has been paid in ransom payments to the criminals. It seems that Elliptic’s blockchain expertise will be made available to law enforcement, with the UK’s National Crime Agency (NCA), the FBI, Europol and Interpol collaborating to track down the perpetrators.
The three bitcoin wallets tied to #WannaCry ransomware have received 245 payments totaling 40.12509925 BTC ($68,662.82 USD).
— actual ransom (@actual_ransom) May 16, 2017