After more than two decades at the FBI, Gurvais Grigg was looking for something to do post-retirement. So he picked … cryptocurrency and financial crimes. Grigg is now the global public sector CTO at Chainalysis, where he spends his time working with companies and governments on financial investigations involving cryptocurrency and the blockchain. “When I looked at emerging tech and this new market space, the ability to work in a company that’s engaged in crypto-financial investigations and supporting the public sector was just the perfect combination for me,” he said.
One of Grigg’s primary focuses has been ransomware, which is one of the fastest-growing sectors of online crime. The ransomware business has hit the public consciousness thanks to the shutdown of the Colonial Pipeline and the attack on JBS, the U.S.’s largest meat manufacturer, as well as a series of other high-profile attacks. Ransomware is a huge business, and an increasingly mature one.
Grigg joined the Source Code podcast to explain the rise in ransomware, how the industry works (and its eerie parallels to the rest of the tech industry) and what governments and companies should be doing to protect themselves.
The first thing I want to do is separate fact from fiction here. It seems like, on the surface, that we are in a moment of ransomware, where it feels like it is the biggest threat in the cybersecurity world. Is that true? Or have there just been a couple of high-profile examples that are scaring people?
Well, there certainly have been a number of high-profile ransomware events that have captured the public’s attention. But this has been quietly building in the background for some time. In fact, our data shows that ransomware is the fastest-growing category of illicit use on the cryptocurrency blockchain. So you’re right, it has captured the public attention of late, but it has been building. Even through the pandemic, we were seeing ransomware attacks against health care providers, hospitals and others. And so you see this growing emergence of ransomware across the spectrum.
Why ransomware, as opposed to any of the other illicit cyber tools out there?
Frauds and scams still make up the largest percentage of illicit use on the blockchain, but ransomware is rapidly growing. So much of our life and businesses is wrapped up in the data of these companies. And because that data is designed to be hyper available, it also makes it potentially vulnerable. And criminals naturally gravitate to where they can make money and make money quickly. And there’s a whole ransomware supply chain, and this cottage industry that’s emerging, that is facilitating and perhaps fueling the acceleration of ransomware attacks.
One of the things that has amazed me, the more I’ve learned about this, is the extent to which the ransomware industry and the regular, above-board software industry are basically exactly the same. You replace a couple of nouns here and there. Can you explain that supply chain to me? How does this industry actually sort of come together?
So let’s go back. In the old days, if an individual wanted to carry out a ransomware attack, they had to have a level of sophistication themselves. They would design their tool, they would design their exfil, they would try to arrange where they could store the data that they’re going to steal. They had to make arrangements to figure out: What am I going to do with payments if I get them? How am I going to obfuscate that and launder it?
Well, now they can turn to a whole industry that can provide each of those services a la carte. I can go and find my illicit cloud provider who will store my stolen data. I can go to an administrator who can provide a series of tools that I rent from him that I can use to exfil my data and invade a system. I make arrangements with some mixers who maybe can help me launder my ill-gotten gains if I’m successful. I then make an arrangement with a cash-out point; they’ll help me turn that cryptocurrency back into fiat. And so I end up having to pay people all along the way.
And oh, by the way, you’ve got to get that in place before you conduct your attack. There are potentials, then, to move left of the event — to look at campaigns that are building as individuals put these things in place before they carry out their attack. So it isn’t just a surprise ransomware attack, you can see a campaign building.
This ransomware supply chain is global. And they access individuals in multiple jurisdictions to put all of this in place before the attack.
So basically, there’s the ransomware equivalent of AWS, and there’s the ransomware equivalent of Stripe, and there’s the ransomware equivalent of Shopify, and you can basically build your whole ransomware system without needing much technical expertise at all.
The dark net offers individuals with very limited technical capabilities to be able to carry out successful ransomware attacks, whereas before it was reserved for perhaps the most sophisticated and talented cyber actors. And there are still those, certainly, I don’t mean to undersell that point. But it has reduced the barriers to entry, which is both scary and fascinating.
What’s your sense of the size of that industry?
If we look at this year, we have over $127 million that we’ve identified so far as associated with ransomware campaigns this year. And of course, that’s only the data that we can see. And there’s always an inherent underreporting here, right? Last year was over $412 million, the previous year, $93 million. So certainly last year was a banner year for ransomware. And it remains to be seen what this year is going to look like. But if you look at that data and that volume trend, it’s certainly a growing industry, and that begins to give you a scope of the magnitude and impact that this is having.
Is bitcoin the dominant player in the space, like it is in most of the crypto space? Or are criminals, like, migrating to dogecoin or something else that’s out there?
The data that we see indicates that the vast majority, for example, of ransomware payments are still being made in bitcoin. While some have attempted to use other privacy coins, or those that offer what they believe is an additional level of anonymity, we just haven’t seen the large-scale adoption of those other coins.
Why? Because liquidity is king, and the ability to receive value, transfer that value and cash out that value is what they’re after. And the more difficult it is to do that, the less incentives there are to use other forms of value transfer. Ransomware used to use prepaid gift cards, wire transfers and other things like that! So they’re going to migrate to those things that allow them the easiest use and the most liquidity. And right now, these mainstream coins like bitcoin and other stablecoins offer that.
And how do you think about regulation more broadly right now? It seems like there is a clear sense, especially after the Colonial Pipeline hack and some of the other stuff that’s been happening recently, that this is a real, nationwide threat that the government needs to be worrying about. But I get a sense, from the folks that I’ve talked to about this, that the what and how of regulating and solving some of these problems is really tricky. What do you think they’re thinking about right now?
Well, you’re right that it is a challenge. And it’s complex. There’s no one single silver bullet that’s going to disrupt the ransomware or mitigate it, but it will take a series of coordinated actions across different government agencies. So the combined power of, let’s say, a regulatory and tax agency, combined with a Securities Exchange effort to monitor some of these activities, law enforcement work to interdict particular actors, government policy that influences jurisdictions to more fully cooperate or self-regulate those entities that are operating within their jurisdictions.
It takes the whole of government to solve nationwide problems, and in this instance, because it’s an international effort, it really is going to take a whole world of government solutions.
Do you think that can happen quickly? I admit to not having a ton of faith in the government’s ability to keep up with tech in some of this stuff. Can it keep up here?
When you look at the impact these kinds of things are having on the everyday life of citizens in these countries, it’s not just some obscure government agency who couldn’t access their data for a period of time, or some manufacturer that has such a small segment of the economy that most people didn’t notice. All parts of life are being impacted, from government agencies to critical infrastructure industries. And that means now everybody’s got a stake in this.
The higher the stakes, the more participants, the greater the energy to overcome that initial inertia that sometimes drags down efforts like this. So you saw the formation of the Ransomware Task Force announced in December, where industry researchers and others have come together to put together potential policy recommendations of how we could work as a community. You saw the White House released a statement recently calling on industry to work together more closely with the government in a public-private partnership arrangement. I think you’re going to see more of those kinds of efforts. Those in the past have demonstrated the ability to be successful if you have a unified approach, and that’s what it’s going to take.
So, having never been the victim of a ransomware attack — knock on wood — help me understand how this process goes. Is it like, I’m a company CEO, and I wake up one morning, and there’s an email in my inbox that’s like, “We have all your stuff, give us some money?”
Unfortunately, it can happen exactly like that. You wake up, and for some reason, your email server or your shared drives are not working. And the next thing you know, you get a call from your data-ops center saying, “We can’t access the data, and our backups are not available,” and the whole infrastructure begins to cascade and fall down. Those are calls that CEOs and chief security officers dread receiving, and unfortunately are happening all too often.
Then what? The answer seems to be don’t pay it, don’t negotiate with them. But if I’m a company CEO trying to deal with this stuff, the idea of not paying is sort of terrifying. So what’s step one there?
It’s to contact the authorities. Time is your friend, but it’s also your enemy. And the longer you wait to take action, and to get going, the more your options begin to narrow. Authorities announced the other day that the position was still not to pay ransoms. But if you do, please let us know. Let us know quickly.
[At Chainalysis] we don’t really have a position on that, I can just say that we do help both industry and government deal with the mitigation and fallout, and how to conduct those investigations. But more importantly, what can they do to prepare themselves so that doesn’t happen in the first place?
What do you tell companies or people or governments who are nervous about this, haven’t been victimized by ransomware yet and are trying to figure out where to start?
The first thing is to focus on the level of crypto literacy. Do you have a cryptocurrency response plan? If not, spend some time looking at how to develop one. Do you have the data you would need if an incident of that nature were to occur? Have you made the arrangements? Have you trained your staff to understand and how to watch out for that? Is that part of your overall strategy response? So we encourage organizations, whether they’re in the government or in the financial services industry, to spend some time and invest in developing cryptocurrency and ransomware mitigation strategy.
We spend a lot of time on capacity building, education and thought leadership in this space. I think there’s still more to be done there to raise awareness about the impact that these threats are having, as well as the opportunity to counter that first narrative that we began with: that, well, cryptocurrency is anonymous, and I can’t do anything about it. Once it’s gone, it can never be gotten back. That’s simply not the case in every instance. And if you have the right data, the tools, and you act quickly, there are things that can be done. And then there are things you can do. You don’t have to be a victim. And you can prepare.
It’s like putting the locks on your door, right? It won’t solve all problems, but it will solve a lot of problems. And not enough companies and governments and people have done that. And that’s one thing I hope we get to very quickly.
Agreed. It’s funny, when you do post mortems on these incidents, it doesn’t explain every scenario, but is your company updating, protecting and backing up your information? If you lose access to your information, when was your last backup? Where’s it stored? And how easy is it to be accessed? Is it also protected, or is it going to become vulnerable to the same?
If you store your backup in the same place where you live, if one goes down, the other does. Have you trained your staff? Do you have an ongoing training and refresher program? What’s your network monitoring looking like? Are you making sure you’re not becoming a victim of cryptojacking or illicit crypto-mining, actually stealing your own power to do crypto mining? Are you employing those best practices for your credential management, and making sure that you’re updating and keeping your leadership and your staff aware of your crypto response strategy?
Those are basic cyber hygiene things that you will hear about in any good cyber forum. And yet they’re oftentimes neglected in part or in whole, in some parts of our environments, and criminals look for unlocked doors.
How quickly is the ransomware industry itself changing? It has sort of exploded both in the financial impact and in public consciousness over the last 12 months. Is the industry itself going to shift a bunch as it becomes more well known, and the ways to stop it become more well known? How cat and mouse is this game going to be?
It will be cat and mouse. If we look at any other emerging threat or trend, it is a cat and mouse: One side makes a change, the other side makes a response. So we’ll see that.
The first generation of ransomware was, I come in, I lock up your data and I demand a payment. Now I come in, I lock up your data, I demand a payment, but I also maybe steal your data, resell it to someone else and get a double profit. And then the next evolution of that is, I come in, I lock up your data and demand the payment, I steal your data, I sell it to someone else, and then I also threaten you to DDoS you if you don’t pay me.
So you just see this escalation and this variation. What will that next inflection point look like? It’s interesting to postulate. I’m not sure what that’s going to be, but it will happen and it will evolve.
Audio Track / Podcast: