Ransomware and Blockchain Forensics
By Jordan Cortado on December 12, 2024
Introduction
From individuals and small businesses to large organizations, ransomware is one of the most prevalent threats society needs to be aware of, and it continues to gain traction as adversaries keep seeing success. One estimate puts the figure at 1.7 million ransomware attacks every day, roughly 19 attacks every second [3]. To add insult to injury, the nature and complexity of the internet can make it hard to identify the attackers. A key tool in ransomware operations is cryptocurrency payment, which shields the attackers' identity and aids their evasion efforts [8]. This article discusses the interplay between ransomware, cryptocurrency, and blockchain analysis.
Background
The Federal Bureau of Investigation (FBI) defines ransomware as a type of malware that prevents the victim from accessing computer files, systems, or networks and demands a ransom in exchange for their return [5]. Despite the severity of an attack, the standing advice is never to pay: there is no guarantee that the attacker will keep their word even after payment, and paying a ransom funds the criminals and encourages future attacks.
Cryptocurrency and Blockchain
The relationship between cryptocurrency and blockchain is that of two peas in a pod. Blockchain is the technology that allows cryptocurrency to exist and function securely: a decentralized public ledger that records transactions across a network of computers in a way that ensures transparency, security, and immutability [1]. The currency moved in those transactions is cryptocurrency, a digital or virtual currency secured through cryptographic techniques, hence the name. Blockchain transactions are publicly visible, but the parties involved are identified only by cryptographic addresses, which makes the environment pseudonymous rather than anonymous [1].
Why Does Ransomware Prefer Crypto?
Ransom notes most commonly demand payment in bitcoin or another cryptocurrency, because adversaries can leverage the nature of crypto and blockchain environments. First, generating an address and transacting on-chain requires no form of identification [1, 2], so transactions do not directly link to real-world identities; the identity checks that do exist sit at off-chain on- and off-ramps such as exchanges, which is why investigators concentrate on the points where funds are cashed out. The decentralized nature of blockchain transactions means there is no central authority that can freeze or reverse them [1]. Once a transaction is confirmed it is irreversible; there is no chargeback. Lastly, cryptocurrencies are accessible, fungible, and can be fully automated [2]. The combination of pseudonymity, decentralization, accessibility, and automation draws cybercriminals to cryptocurrency for ransom payments and for laundering the proceeds. Because the ledger is public, however, attackers have also layered further evasion techniques on top of it. Some of these include [7, 9]:
- Mixer/Tumbler: A service that pools a criminal's funds with other users' funds and pays them back out in a different pattern, obscuring the link between the source and destination addresses.
- Cross-chain: Transferring digital assets from one blockchain to another (for example through a bridge or swap service), so that anyone tracing a single chain loses sight of the true origin of the funds.
- CoinJoin: A variation of a mixer in which the bitcoin transactions of multiple users are combined into one transaction that returns multiple outputs of identical value, so an observer cannot tell which input paid for which output.
Digital Forensics and Ransomware
When a ransomware attack occurs, digital forensic investigators are called upon to examine the affected systems and networks. The investigation aims to produce a report documenting an accurate timeline of the attack. Following the money requires a specialized skill set and tooling for blockchain forensics, sometimes referred to as cryptocurrency or crypto forensics [7]. It focuses on tracking and analyzing transactions on the blockchain and demands deep knowledge of blockchain, cryptocurrency, and forensic methods [6]. The key details blockchain forensics experts look for are the identity of the attacker and the location of the funds. Several analysis techniques can be applied [1, 7, 9]:
- Transaction Analysis & Mapping: Examining transactions to track the movement of funds, the addresses involved, and the connections between cryptocurrency wallets. The transactional data can then be rendered as visual maps and flowcharts to support attribution.
- Wallet Analysis: Extracting wallet data (for example from a seized device) to recover the private keys that authorize transactions. A key that an attacker reuses across many payments ties every transaction signed with it to the same holder, so recovering it lets forensic experts enumerate all transactions involving the perpetrator.
- Address Cluster Analysis: Discovering and grouping multiple addresses that are related and found to be controlled by the same entity (a cluster), for example addresses that are spent together as inputs to a single transaction. As a result, investigators gain a fuller picture of an entity's cryptocurrency activity.
- Attribution Data Analysis: Identifying and collecting information from thousands of records that can be attributed to a criminal or criminal group. This analysis applies pattern recognition and anomaly detection to every potentially attributing aspect of malicious transactions, including transaction history, user information, withdrawal and deposit patterns, blockchain metadata, publicly available information, exchange data, and more, with the goal of uncovering the ransomware attackers.
Mastery and practice of these analyses enables forensic experts to deanonymize ransomware transactions and the entities behind them, and to identify the victims who paid.
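To make the CoinJoin caveat from the evasion list and the clustering and tracing techniques above concrete, here is an added example (not code from the article or from any of the cited tools) that runs the common-input-ownership heuristic, a CoinJoin-style transaction detector, and a forward fund trace over a small constructed ledger. The transaction ids, addresses and amounts are invented for illustration, and the heuristics' thresholds are assumptions; real investigations use larger heuristic sets (change detection, peel chains, exchange attribution) on full chain data.

```python
"""Toy blockchain forensics over a constructed ledger: common-input-ownership
clustering, CoinJoin-style transaction detection and forward fund tracing.
Transaction ids, addresses and amounts are invented for illustration."""
from collections import Counter, defaultdict, deque

# Constructed sample ledger. Each transaction lists the addresses it spends from
# and the (address, amount) pairs it pays to. Amounts are in satoshi.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_1"], "outputs": [("ransom_A", 100_000_000)]},
    {"txid": "tx2", "inputs": ["victim_2"], "outputs": [("ransom_B", 150_000_000)]},
    # The operator sweeps both ransom addresses in one transaction: under the
    # common-input-ownership heuristic, ransom_A and ransom_B share an owner.
    {"txid": "tx3", "inputs": ["ransom_A", "ransom_B"], "outputs": [("sweep_1", 249_990_000)]},
    {"txid": "tx4", "inputs": ["sweep_1"],
     "outputs": [("mix_in", 100_000_000), ("change_1", 149_980_000)]},
    # CoinJoin-like round: several unrelated spenders, many equal-value outputs.
    {"txid": "tx5", "inputs": ["mix_in", "user_x", "user_y", "user_z"],
     "outputs": [("cj_1", 50_000_000), ("cj_2", 50_000_000), ("cj_3", 50_000_000),
                 ("cj_4", 50_000_000), ("cj_5", 50_000_000), ("cj_6", 50_000_000),
                 ("cj_7", 50_000_000), ("user_x_chg", 30_000_000)]},
    {"txid": "tx6", "inputs": ["change_1"], "outputs": [("exchange_deposit", 149_970_000)]},
]


class UnionFind:
    """Disjoint-set structure used to merge addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def is_coinjoin_like(tx, min_inputs=3, min_equal_outputs=3):
    """Assumed heuristic: many inputs plus a run of identical-value outputs is
    the signature of a CoinJoin round. Treating its inputs as one owner would
    wrongly merge unrelated users into the suspect's cluster."""
    if len(tx["inputs"]) < min_inputs or not tx["outputs"]:
        return False
    counts = Counter(amount for _, amount in tx["outputs"])
    return max(counts.values()) >= min_equal_outputs


def cluster_addresses(ledger):
    """Common-input-ownership heuristic: all addresses spent in the same
    non-CoinJoin transaction are assumed to be controlled by one entity.
    Returns a mapping from address to the frozenset of its cluster members."""
    uf = UnionFind()
    for tx in ledger:
        if not tx["inputs"] or is_coinjoin_like(tx):
            continue
        first, *rest = tx["inputs"]
        uf.find(first)  # register single-input spenders as their own cluster
        for addr in rest:
            uf.union(first, addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def ransom_received(ledger, cluster):
    """Total paid into a cluster from addresses outside it, i.e. incoming
    payments rather than the cluster's own sweeps or change."""
    total = 0
    for tx in ledger:
        if any(addr in cluster for addr in tx["inputs"]):
            continue
        total += sum(amount for addr, amount in tx["outputs"] if addr in cluster)
    return total


def trace_funds(ledger, seed_address):
    """Forward breadth-first trace from a seed address through the outputs
    it funds. Tracing stops at a CoinJoin-like transaction because its
    equal-value outputs cannot be attributed to any particular input."""
    spends = defaultdict(list)  # address -> transactions that spend from it
    for tx in ledger:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    reached, seen_tx, hops, entered_mixers = {seed_address}, set(), [], []
    queue = deque([seed_address])
    while queue:
        addr = queue.popleft()
        for tx in spends[addr]:
            if tx["txid"] in seen_tx:
                continue
            seen_tx.add(tx["txid"])
            if is_coinjoin_like(tx):
                entered_mixers.append(tx["txid"])
                continue
            for out_addr, amount in tx["outputs"]:
                hops.append((tx["txid"], addr, out_addr, amount))
                if out_addr not in reached:
                    reached.add(out_addr)
                    queue.append(out_addr)
    return {"reached": reached, "hops": hops, "entered_mixers": entered_mixers}


if __name__ == "__main__":
    clusters = cluster_addresses(LEDGER)
    operator = clusters["ransom_A"]
    print("operator cluster:", sorted(operator))
    print("ransom received: %.8f BTC" % (ransom_received(LEDGER, operator) / 1e8))
    trace = trace_funds(LEDGER, "ransom_A")
    for txid, src, dst, amount in trace["hops"]:
        print(f"  {txid}: {src} -> {dst} ({amount / 1e8:.8f} BTC)")
    print("funds entered CoinJoin-like transactions:", trace["entered_mixers"])
```

Two things the run illustrates that the bullet list alone does not: the ransom addresses are linked only because the operator spent them together, so a single-input sweep such as sweep_1 is not merged into the cluster by this heuristic alone (that needs change-address or peel-chain heuristics), and the trace still reaches the exchange deposit through the change path while the mixed portion is reported as lost at tx5 rather than being blindly attributed to one of the equal-value outputs.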
Conclusion
With organizations constantly in the news as victims of ransomware attacks, it is imperative that digital forensic investigators know the techniques needed to trace the criminals' transactions and unmask the people behind them. By leveraging blockchain forensics, organizations and law enforcement can enhance their ability to detect, disrupt, and deter ransomware operations, making it fundamental in the fight against cybercrime and in reinforcing cybersecurity posture.
References
[1] Bachchas, K. S. (2024, July 10). Digital Forensics in the Age of Cryptocurrency: Investigating Blockchain and Crypto Crimes. LevelBlue. https://levelblue.com/blogs/security-essentials/digital-forensics-in-the-age-of-cryptocurrency-investigating-blockchain-and-crypto-crimes
[2] Bursztein, E., Invernizzi, L., & McRoberts, K. (2017, August). How to trace ransomware payments end-to-end – an overview. ELiE. https://elie.net/blog/security/how-to-trace-ransomware-payments-end-to-end
[3] Crowe, J. (2024, October 29). Must-Know Ransomware Statistics, Trends and Facts. NinjaOne. https://www.ninjaone.com/blog/must-know-ransomware-statistics/
[4] Cryptocurrency Forensics & Asset Tracing. Hudson Intelligence. (n.d.). https://www.fraudinvestigation.net/cryptocurrency/tracing
[5] FBI. (n.d.). How We Can Help You | Ransomware. Federal Bureau of Investigation. https://www.fbi.gov/how-we-can-help-you/scams-and-safety
[6] icmscyber. (2024, May 4). The Importance of Digital Forensics in Ransomware Investigations. ICMS Cyber Solution – Providing Solutions To Protect Your Business. https://icmscyber.com/2024/05/04/the-importance-of-digital-forensics-in-ransomware-investigations/
[7] Joshi, M. (n.d.). Cryptocurrency Forensics: The Ultimate Guide to 6 Important Aspects. Indiaforensic. https://indiaforensic.com/cryptocurrency-forensics/
[8] National Cyber Security Centre. (n.d.). A guide to ransomware. NCSC. https://www.ncsc.gov.uk/ransomware/home
[9] Zborg, M. (2023, June 28). Blockchain Forensics: How Investigators Track Cryptocurrencies. Forensics Colleges. https://www.forensicscolleges.com/blog/blockchain-forensics