In just two months last year, the FBI watched three companies pay hackers wielding ransomware called NetWalker millions in Bitcoin to get their hacked data back. While that seems like a big win for the cybercriminals, it also gave investigators in the U.S. and elsewhere a new roadmap for tracking and prosecuting them.
NetWalker was a ransomware-as-a-service crew, similar to DarkSide and REvil, whose tools were used in the attacks on Colonial Pipeline and JBS, which led to gas and food shortages across America in the last month. The creators of NetWalker rented it out to other cybercriminals, who would find a way to break into a company and then deploy NetWalker to lock up the victims’ files. Only the key the NetWalker crew controlled could unlock that data. Since it emerged in 2019, its myriad victims have included universities, healthcare bodies and government departments, and it has made close to $50 million in that time.
In a previously unreported court document obtained by Forbes, the FBI detailed how it tracked the cryptocurrency flowing from the three 2020 victims to the hackers, right down to naming an individual potentially linked to the criminal organization. It revealed the highest payment hit 303 bitcoin, worth $2.8 million at the time, but now over $11 million. For each victim, investigators saw a pattern: 30 minutes after the ransom was paid, the bitcoin was split between four Bitcoin addresses (think of these simply as online addresses from which cryptocurrency can be sent and received, all of them locatable on the blockchain ledger). Those addresses included a single wallet and a cluster of addresses believed to be owned by the same person, which investigators referred to as a “merge.” As a way of complicating the money trail (i.e. money laundering), the funds were then rapidly transferred to a number of other merges. One of those merges, which the FBI named “Merge G,” was seen depositing funds into an account at the cryptocurrency exchange Binance. That Binance account was linked to a real person, a 20-year-old woman and Ukrainian national. (As no charges have been filed against the Ukrainian in the U.S., and the Ukrainian police hadn’t responded to a request for comment, Forbes is not naming the individual.) She was seen converting $430,000 in Bitcoin into another cryptocurrency, Tether, in which each coin is worth just $1. In July 2020, the FBI seized $455,000 from the account.
That was just a fraction of the overall winnings from those hacks. But it showed that investigators had found ways to follow the Bitcoin. Half a year later, in January 2021, the Justice Department announced it had made an arrest of a Canadian who allegedly made $27.6 million by using the ransomware and extorting companies. (He is awaiting extradition hearings and has not yet made a plea regarding the U.S. charges, according to the court docket.) In the same week, authorities in Bulgaria seized a dark web site used by NetWalker ransomware affiliates to negotiate with victims and manage payments. NetWalker has all but disappeared as of today.
The NetWalker case shows how following the money can lead to the disappearance of a ransomware group, and there is a growing number of companies helping governments with that challenge. The biggest is New York-based Chainalysis, a startup now valued at over $2 billion, which has numerous contracts with U.S. government agencies and whose tools were used in the NetWalker takedown. Its rivals include Elliptic, based in London, U.K., and CipherTrace, from Menlo Park, California.
But following the money only goes so far, notes Pam Clegg, director of financial investigations at CipherTrace. Sometimes the cryptocurrency exchanges are non-compliant, meaning criminals can use them with impunity, knowing the exchange won’t provide information on them should law enforcement come knocking, she says. DarkSide or its customers, for instance, liked to use Bitzlato, a Russia-based “high-risk” exchange, noted Clegg. (Bitzlato hadn’t responded to messages requesting comment at the time of publication.) One of the key ways in which ransomware will be countered will be in getting the authority to obtain data from the whole criminal supply chain, from exchanges to hacker forums, added Chainalysis chief of government affairs Jesse Spiro.
Even when they’re compliant, exchanges can be so slow to respond, or the legal processes required to subpoena an exchange take so long, that often it’s too late: the criminals have cashed out and further laundered the money, Clegg added. Then there are those criminals who do nothing with their funds but leave them in “cold storage,” their motivations more inscrutable than those of the financially motivated criminals who want to move their money as swiftly as possible. The NetWalker owners’ $24 million Bitcoin stash from their 20% cut of their clients’ ransoms, for instance, has been sitting still for much of the last year, Clegg showed Forbes.
“I can’t trace the crypto if it doesn’t move,” Clegg adds.
To more effectively disrupt the criminals, American intelligence and military agencies are being called on to be more aggressive: to hack the computers of ransomware cybercriminals regardless of where they are, especially where they’re facilitating or launching attacks that have consequences for national security or an impact on critical infrastructure. “When I was at U.S. Cyber Command, our mission was to defend the nation in cyberspace. And we talked about defending against nation state attacks,” said Brett Williams, former director of operations at the Pentagon’s U.S. Cyber Command and cofounder of IronNet Cybersecurity. “I think we’ve got to expand our view of how we use… our offensive capabilities, how we use our ability to go after the attackers where they live.”
Hack the hackers
The hackers have been hacked before. Earlier this year, the world’s “most dangerous” malware Emotet, which caused as much as $2 billion in damages globally, was taken out in a landmark law enforcement operation. Starting off life as a criminal tool for stealing people’s banking passwords, Emotet’s owners were some of the earliest to pivot to the service model, renting out access to hacked computers so cybercriminals could install whatever they wanted on victims’ PCs, ransomware being a popular choice. Schools, government departments and at least 1.6 million computers worldwide were compromised by Emotet.
But a landmark police collaboration between European and American police agencies led to the malware disappearing and arrests of two individuals (a 48-year-old and a 29-year-old, both unnamed, who had day jobs as IT experts) in Kharkiv, Ukraine, believed to be administrators of Emotet (though no charges have yet been filed, according to the Ukraine police). In an exclusive interview with Forbes after the takedown, European law enforcement agencies from the Netherlands, Germany and Europol who led the takedown, dubbed Operation Ladybird, explained how they launched an offensive on the criminals’ infrastructure. In the past, investigators would typically find key servers used by the hackers, take them offline and hope to make a dent in the malware’s operation. But the police were more patient with Emotet. In the months leading up to the malware being wiped off the web, the collaborating agencies had obtained a copy of the software on one of the crucial command and control servers. They used that copy to create a replica of the Emotet network, made up of infected PCs and the computers being used to control them, collectively known as a botnet. In their labs, the police could then test how certain hacks would disrupt the botnet. They just had to find one that took all the real Emotet servers out at once.
The Dutch police took charge of testing and deploying the hack. When asked what such hacks involved, Marijn Schuurbiers, deputy head of the Dutch High Tech Crime Unit, told Forbes his team does similar things to what criminals would do, in particular “privilege escalation,” where a computer is breached and the hacker takes over administrator privileges. “From that point, you can basically do everything that you want.” And, he added, this could be done across multiple servers at once.
As a result of their hacking efforts, several weeks before the announcement of the action against Emotet, the police had almost complete control over the botnet (a network of hacked computers) without the criminals knowing. And when global law enforcement convened at Europol in January to pull the plug on Emotet, there was a raid on a Ukrainian suspect’s home, which came with a slice of luck: his computer was open and unlocked, allowing police to do whatever they wanted with the Emotet botnet. Meanwhile, at data centers across the world, police were waiting for the green light to physically switch off servers used by Emotet, while the FBI had also obtained access to critical servers used for malware distribution. And, to ensure the criminal operation stayed down, the backup servers were also seized.
Though not all Emotet’s operators were arrested, it remains offline. Its creators could simply code another malware, but as Schuurbiers noted, that would be costly. “It takes a lot of money to rebuild.” That added cost is a serious deterrent to criminals. Another deterrent is the fear of capture after an event like the Emotet takedown. “We have so much data on these guys now that it would not be wise for them to continue their actions,” Schuurbiers added. “There’s a good chance that more arrests will follow in the future.”
The Biden administration is being called on to go even further than those law enforcement bodies and use the powers of military agencies like the U.S. Cyber Command to launch offensives on cybercriminals. “If the target has a strategic impact on the country, like the Colonial Pipeline, or the healthcare system, or the banking system, it doesn’t matter whether it’s a criminal or a nation state,’’ added Williams, the former Pentagon official. “We have to stop saying our job is to go after the nation state attackers. Our job has to be to go after the attackers who have a strategic impact on our country.”
The White House may be listening. NBC News reported the Biden government was considering launching cyberattacks on criminals. On Thursday, Reuters reported that ransomware investigations are to be given a similar priority as terrorism. That move is part of a drive to make information sharing as urgent for ransomware incidents as it would be for a terror event, placing more pressure on government agencies and private organizations to alert each other to hacks as soon as they happen, and share any leads on individuals who’re operating or financing major cybercriminal groups.
That should help expedite actions against cybercriminal activity. Though it was an exercise in international collaboration, Emotet’s end wasn’t particularly swift: the investigation began in 2018 in Germany, with the takedown happening almost three years later.
Speed, investigators say, is increasingly essential. In a digital world in which hackers can move at the speed of light, law enforcement will have to do the same.