Extortion never pays off in crypto. Here are some of the ways that blockchain analytics can be used to determine attribution.
Extortion (Not Ransomware)
With increasing prevalence, businesses and individuals are falling victim to extortion by organized criminal groups who often seem to act beyond the visibility of law enforcement. When discussing criminal and terrorist financial backgrounds, we can’t help but use these religious quotes.
Whatever your views on religion and belief, these texts are apt to describe society and its ills; they also show the longevity that the pursuit of greed has existed and is rejected in human society.
“For the love of money is the root of all evil; which while some coveted after, they have erred from the faith, and pierced themselves through with many sorrows.” – Timothy 5:10 (New Testament).
The quote itself is actually more about avarice and greed, but I’d add money is reflected in also the Qur’an (Surah (104) al Humazah) “Woe unto every slandering backbiter, who amasses wealth and tallies it, supposing that his wealth makes him immortal”.
Finally, the 10th Commandment – “though shalt not covet thy neighbor’s house”.
Extortion isn’t a new trend
Take or restrict something valuable from another, and demand payment – usually money, sometimes political concessions – for the return of that thing. It is a straightforward model, which most parents would recognize!
The model also has a few considerations; firstly, to be successful, one needs to know what the target cannot afford to lose; secondly, extortionists find out what they can realistically demand. This ultimately leads to one of the most common and visible clues in all ransom cases: a note with the demand and instructions for payment.
History repeats itself, but nobody listens; and to avoid making the same mistake, we would like to introduce a relevant historical example of a ransom payment example used to apprehend a kidnapper. The case study is from the 1930s.
The Lindbergh Baby Case
Charles Augustus Lindberg Jr, the 20-month-old son of Charles Lindberg, the famous aviator who made the first solo transatlantic flight between New York and Paris, was kidnapped from the family home around 9 pm on March 1, 1930. A ransom note was found on the windowsill, demanding USD $50,000, valued around USD $800,000 today.
There was very little physical evidence at the crime scene – aside from a broken ladder. Tragically, while negotiations with the kidnapper were ongoing, and the ransom increased to USD $70 000, the infant’s badly decomposed and mutilated body was discovered near the family home.
What happened?
A portion of the ransom money had been handed over to the kidnappers just prior to the discovery of the body. However, what was significant was that USD $40,000 of the money paid had been issued in gold certificates. Gold and gold certificates had been ordered to be returned by the President.
Notices were posted to many businesses and financial institutions highlighting the serial numbers of the certificates used for the ransom. Some certificates began to emerge, and the locations they were used were plotted geographically, tracking the suspect’s movements. Follow-up investigations showed that the person using the bills matched the description of the in-person negotiator.
What was the outcome?
Finally, a breakthrough was made after a bank traced a bill to a garage, where a perceptive gasoline attendant had taken the vehicle registration of the individual on the actual currency, which, when checked, gave details of one Mr. Bruno Richard Hauptmann.
Police searched Hauptmann’s home, which led to discovering ransom gold certificate bills and handwriting specimens that matched the ransom notes. As a result of the evidence against him, Mr. Hauptmann was tried, convicted, and sentenced to death for first-degree murder.
We find striking similarities between modern-day cyber-enabled ransom attacks and this case. The intent of these criminal acts is less disruptive. However, it can extort funds from the victims if something critical is withheld or stolen and thus generate income before moving on to the next target.
Most gangs work on a business model that favors quantity over quality targets. Grand heists against huge organizations happen less frequently than minor attacks against less aware businesses. In the case we just examined, Mr. Hauptmann selected the Lindberg family most likely due to their wealth and status, knowing he could make great ransom demands.
Modern Methods
The modus operandi of criminal groups is to leave notes with payment instructions – be it an email address for negotiations or a direct payment address. A thorough analysis of the ransom notes or messages is performed to determine if the group is writing in their natural language and find similarities with other attacks.
The questions that pose themselves are: is the malware the same as other attacks, and are the techniques used or targets selected the same or similar to others?
This model has been relatively effective, but with an increasingly ‘decentralized’ system of criminal gangs where activity is compartmentalized and, in some cases, traded by different elements. Attribution is complex, and as an Information Security manager, there is little point in determining attribution – the incident is an incident and will be dealt with.
Yet, attribution is essential for law enforcement or those seeking to disrupt the criminals responsible. Ultimately, this can be used to break the cycle and business model and ensure those responsible are punished.
Enter Crystal Analytics
Analytics tools such as Crystal make it possible to trace the movement of funds quite easily and generate new lines of inquiry. Interacting with ransomware groups will result in an investigation that yields customer information, such as IP addresses (the unique number that gets assigned to your connected device), photographic identification, and proof of address documents.
All transactions on open blockchains are equivalent to passing marked bills. Just as Mr. Hauptmann tried to evade detection by moving between locations, so do criminals by using mixing or high-risk services, where they feel that they are beyond the eyes of the law.
VHD Ransomware Case
According to the researchers from cyber security firm Kaspersky, the Lazarus Advanced Persistent Threat is a North Korea-linked group behind the little-known VHD ransomware used in attacks. The first reports of VHD ransomware had appeared in March of 2020.
This is a copy of a ransom note provided online, associated with VHD ransomware; separate reporting has claimed that this is related to North Korea. The ransomware calls for payment of 35 BTC.
A quick refresher for anyone who’s done attribution before; remember the ‘Pyramid of Pain’? It shows what an attacker will find easy to change, from simple hashes to complicated tactics. How the criminal group gets paid is a tactic; it will have a relationship with exchanges, either directly via “legitimate” accounts or indirectly through compromised mule accounts. The point is that these arrangements will need to be arranged well ahead of the attack.
There are several exciting clues about the individuals behind the attack and perhaps the victim looking at the note. Why are we interested in the victim? Often, ransomware cases are unreported to LEA (Law Enforcement Agency) due to the concerns that involving authorities will lead to the destruction or disclosure of the data stolen. In some cases, firms are concerned about the legal repercussions of paying ransoms – and they directly pay criminals, after all.
So who is the victim? The ransom amount is high, 35 BTC, which is a significant sum, and as of April 2021, BTC was priced around USD $50,000 per coin; that’s USD $1.75m. On the affordability scale, that’s pretty high, and the group will likely have done its affordability research – a kind of criminal credit check. We can say that this is most likely a medium-sized enterprise. Separate reports suggest that this is likely – the group behind this malware singled out high-value targets.
Money Flows
The ransom was paid at an OceanEx, a Bahamian Cryptocurrency Exchange. What we found interesting was the selection of languages supported; English, Korean, Vietnamese, and Dutch. Does this give us a clue as to the location of the target? Or was it suggested by the attacker due to a generally lower requirement for KYC, given the status of the exchange?
Entity Connections
What’s also interesting here is the relationship with exchanges; peer-to-peer platforms are reliant, such as CoinCola, a predominantly East Asian facing business. There are also strong connections to Huobi, a company that initially faced East Asian markets. Does this give us new insights into the individuals behind the ransomware? The evidence supports the idea that this ransom group was indeed based in the Asian region.
Offchain Mentions
There are also some other exciting nexus points; to illicit marketplaces, which may suggest that the group is paying for illegal services or goods. But why? Does this indicate that Advanced Persistent Threat Groups seek ‘entry’ teams access or stolen credentials for laundering funds in a ransom attack? Unfortunately, for the private investigator, the trail essentially runs cold here; however, for LEA, it is possible to begin attribution to accounts involved in the activity through subpoenas and lawful information requests.
As criminals become more sophisticated with technological advancements, so do the techniques for tracking criminal activity. Crystal developed a tracking method that makes the funds flows visible and can easily connect the dots. Our investigations team works diligently to bring the extortionists to justice and make the crypto space a safe place to do business.