FeaturedOpinion

What the blockchain tells us about the big business of ransomware

5 Mins read

Above: Illustration by Seamartini/DepositPhotos.

Shiva Bissessar and Javed Samuel of Pinaka Consulting Limited evaluate the blockchain-cryptocurrency payment regime that fuels ransomware payments. Republished with their permission. Pinaka Consulting is an Information Security based consultancy with specialization in digital currency, blockchain and Central Bank Digital Currency (CBDC).

What do the following entities have in common; ANSA McAL, Massy Group, Beacon Insurance, Attorney General’s Office Trinidad and Tobago and Telecommunications Services of Trinidad and Tobago (TSTT)? Since 2020, they’ve all fallen victim to cyber incident which resulted in impact to their service delivery. At least three of these entities have confirmed their incident was ransomware related.

In the January 2023 paper, “An Anatomy Of Crypto-Enabled Cybercrimes”, Cong et al, provides key insights into such attacks and cite sources which estimate the global damages from ransomware attacks will reach 30B USD by 2023 (https://wp.lancs.ac.uk/finec2023/files/2023/01/FEC-2023-017-Daniel-Rabetti.pdf). We use this and other sources coupled with our own insights in utilizing a commercial blockchain analytics tool from Elliptic to present a ransomware primer and insights into the economic activity associated with such attacks.

Stages of attack

The groups that carry out ransomware attacks follow a set pattern of behaviours, hence knowing their identity would indicate their methods in various stages of an attack. This would also reveal, for example, the types of tools they use to, gain initial access into the external network and then to the internal network, laterally move around in the internal network, escalate privileges within the internal network, scan internal network infrastructure and exfiltrate data.

Once these stages are executed the attacker encrypts the victims files using a key known only to them, making these files effectively useless as they can no longer be read by the victim’s systems. The attackers then attempt to extort value from the victim in return for access to a tool which can be used to decrypt the files and them useful again. Having had operations incapacitated by the loss of access to critical files the victim is faced with the choice of paying the ransom or attempting to restore their information systems from uninfected backups.

The threat of leaking data

Cong et al, notes that since 2019 a new trend of double extortion is in play where the attacker may hold additional leverage over the victim via threats to leak unencrypted files onto the dark web. At a minimum, this would be a source of embarrassment and reputational damage to the victim should the security breach become known to the public via such a leak. Data privacy of employees, clients and supply chain vendors may all be at risk should such a public exposure of data take place.

We know exactly what this looks like in the wake of the recent incident at TSTT which was carried out by the RansomEXX group where there was open public discussion of the contents of the data dump with Personal Identifiable Information (PII) of clients of the victim being exposed. The authors would like to emphasize that responsible disclosure from professionals who handle and report on such data is expected, such that victims and their stakeholders are not further aggrieved by details of their data being openly discussed in public fora. Methods to obfuscate PII of victims should be employed in reporting such incidents.

Ransom demand and possible payment

Payment is demanded in crypto currency, such as Bitcoin, given that it is easily transferable across the Internet and avoids cross-border currency challenges. Negotiations may be involved where an incident response team is hired by the victim to lend expertise and attempt to buy time and lower the ransom amount being demanded. The decision to pay is up to the victim; however, sanctions lists may play a part in the decision making process. In the case of the ransomware group Conti, after publicly declaring their allegiance to Russia in 2022, post invasion of Ukraine, potential payments to Conti took on an illicit nature given Russia’s sanctioned status. Eventually, Conti had to close up shop, but affiliates of the group are suspected to still be operating.

Blockchain Analytics In Ransomware

Once the payment is fulfilled the victim should receive decryption tools which they can use to decrypt their encrypted files; however this is not guaranteed. From the leaks which eventually follow ransomware attacks, we can infer that not all victims pay. When payment does occur the possibility exists to follow the crypto currency trail to wallets associated with the ransomware group and their affiliates.

The FBI was able to utilize blockchain analytics as part of its investigation to trace the 75 Bitcoin which was paid to Darkside in 2021 and eventually recovered 63.7 Bitcoin or 2.3M USD. This payment was related to the Colonial Pipeline attack which resulted the halting of 5500 miles of pipeline operations ultimately negatively affecting consumers on the eastern seaboard and causing a state of emergency to be declared in more than 17 US states. 45% of pipeline operation in the US was affected.

REvil/Sodinokibi

In 2020, the ransomware group REvil/Sodinokibi evaded security measures employed at ANSA McAL affecting operations in both Trinidad and Tobago and Barbados. Using a commercial blockchain analytics tool from Elliptic we can see a cluster of wallet addresses on the Bitcoin network associated with REvil/Sodinokibi, which reveals activity going back to 2019 when the group was formed.

Elliptic tool showing USD$14M of inflows and outflows to the REvil group since 2019

The value attributed to this particular cluster of wallets shows inflows of 14M USD and outflows of 13.9M USD from first transaction in June 2019 to the latest transaction in June 2021. Cong et al, attributes 282 victims to the REvil/Sodinokibi group over the period May 2020 to June 2021. They further estimate that the total USD value received by this group, for the period 2021 to 2022, places them fourth overall in terms of ransomware groups receiving such value. For the same period, the Conti group is number one, estimated to have received 50.9M USD.

If we look at some of the illicit activity identified within the Elliptic tool attributable to REvil/Sodinokibi we can highlight an 11M USD transaction from an unknown source which also had a simultaneous but much smaller 6.4K USD transaction with Conti.

On a global scale, ransomware actors are seen a serious threat to operations which rely on the Internet. In November 2021, an international law enforcement effort, carried out by 17 countries and including INTERPOL, called Operation GoldDust, resulted in the take down of REvil/Sodinokibi ransomware group and its infrastructure. Almost simultaneously, the US Department of Justice issued a 10M USD reward for information leading to the capture of leaders of REvil/Sodinokibi.

Payment to REvil (11M USD) and Conti (6.4K USD) groups from the same source

Conclusion

While seemingly defunct now, we should be concerned that the fourth largest ransomware group for 2021 to 2022 executed an attack on a large Caribbean conglomerate. The increasing number cyber incidents that we are seeing on larger entities should lead us to be apprehensive over what may be taking place at small and medium enterprises. The most recent attack by RansomEXX on TSTT is also cause for trepidation as according to TrendMicro, this group is known to specifically target its victims; evidence of this pre-planning being the victim’s names found hardcoded in binaries during post attack forensics.

These concerns must be recognized by corporate entities as they prepare their response to the increasing risk of cyber incident. Having a dedicated Information Security function within your organisation which can pay attention to not just technology, but the people and process dimensions as well, is a requirement. Awareness must be built from the ground all the way up to the C-Suite and board members as the initial access into a network can be a phishing email.

In the wake of the Colonial Pipeline incident an executive order was issued in the US demanding greater attention to national cybersecurity. Would these threats be recognised locally at the national level given these attacks can cripple critical infrastructure?

Should this be our Colonial Pipeline moment?

TATT begins digital television free to air testing

TATT begins digital television free to air testing

The transition of free-to-air television from analogue to digital will bring an enhanced quality of service to consumers, including up to 4K high-definition resolution video, access to electronic programming guides,...
Read More
New CELIA submarine cable to connect Caribbean to the US

New CELIA submarine cable to connect Caribbean to the US

CELIA will enhance connectivity in the Caribbean region, providing high-capacity and secure data transfer and very high Internet speeds with low latency.
Read More
Samsung leans in on extended reality (XR)

Samsung leans in on extended reality (XR)

Supported by the broader Galaxy ecosystem, this technology will empower and transform your everyday life in a way that only we can deliver.
Read More
What keeps regional cybersecurity experts awake at night

What keeps regional cybersecurity experts awake at night

Whether the attack comes from a successful external attempt, exploiting a vulnerability or from inside, perhaps a disgruntled employee, an exploit needs just one vulnerability.
Read More
Where hackers begin

Where hackers begin

Digital nation strategies have been released by 170 countries and regions and more than 60 countries have elevated AI in their national strategy.
Read More
Blue skies for microblogging?

Blue skies for microblogging?

Bluesky hit its current high of 23 million users faster than expected, but it’s way behind X.
Read More
Samsung Electronics Joins the Carbon Trust

Samsung Electronics Joins the Carbon Trust

Globally, connected devices currently require approximately 500 terawatt-hours (TWh) of energy annually.
Read More
The apps that thrive in Apple’s ecosystem

The apps that thrive in Apple’s ecosystem

By Apple's own yardstick an app that shares usable data across three devices is acceptable one that synchronises with four is a winner.
Read More
America’s open mic moment

America’s open mic moment

What made online pundits so effective in the US election?
Read More
The press and the president-elect

The press and the president-elect

Beyond the president-elect's often-expressed intent to retaliate against journalists he believes are unfairly attacking him is the agenda of Project 2025.
Read More
All washed up

All washed up

Dirt on its own will simply shake out of fabric. What keeps it in place is oil and grease, readily generated by human skin.
Read More
Samsung extends Knox security to its home appliances

Samsung extends Knox security to its home appliances

Knox Matrix is a security solution that comprehensively protects connected devices and networks using private blockchain technology.
Read More
bmobile and CARIRI host 3,500 children at Innovation Camp

bmobile and CARIRI host 3,500 children at Innovation Camp

In the Power Up Competition, students were challenged to develop solutions for real-world problems particularly those affecting the environment.
Read More
TATT begins digital television free to air testing TATT begins digital television free to...
New CELIA submarine cable to connect Caribbean to the US New CELIA submarine cable to connect...
Samsung leans in on extended reality (XR) Samsung leans in on extended reality...
What keeps regional cybersecurity experts awake at night What keeps regional cybersecurity experts awake...
Where hackers begin Where hackers begin
Blue skies for microblogging? Blue skies for microblogging?
Samsung Electronics Joins the Carbon Trust Samsung Electronics Joins the Carbon Trust
The apps that thrive in Apple’s ecosystem The apps that thrive in Apple’s...
America’s open mic moment America’s open mic moment
The press and the president-elect The press and the president-elect
All washed up All washed up
Samsung extends Knox security to its home appliances Samsung extends Knox security to its...
bmobile and CARIRI host 3,500 children at Innovation Camp bmobile and CARIRI host 3,500 children...

🤞 Get connected!

A once weekly email notification of new stories on TechNewsTT. Just that. No spam.

Possible UI Glitch. Click top right corner to dismiss 👉

Get Connected!

A once weekly email notification of new stories on TechNewsTT.

Just that. No spam.

Related posts
Press Releases

Samsung extends Knox security to its home appliances

2 Mins read
Knox Matrix is a security solution that comprehensively protects connected devices and networks using private blockchain technology.
News Briefs

TSTT confirms Kent Western as CEO

1 Mins read
Effective October 01, 2024, TSTT has confirmed the appointment of Kent Western as Chief Executive Officer. Western has been acting…
Opinion

Emerging trends and innovations in B2B management software

4 Mins read
Blockchain provides a transparent record of transactions and makes it an attractive option for businesses who want to strengthen the trust and security of their operations
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback
1 year ago

[…] Caribbean – What do the following entities have in common; ANSA McAL, Massy Group, Beacon Insurance, Attorney General’s Office Trinidad and Tobago and Telecommunications Services of Trinidad and Tobago (TSTT)? Since 2020, they’ve all fallen victim to cyber incident which resulted in impact to their service delivery. At least three of these entities have confirmed their incident was ransomware related… more […]

×
BitDepthFeatured

TSTT's dark night of the soul

1
0
Share your perspective in the comments!x
()
x