We will continue to crack down on malicious actors.”
These new measures are the Biden administration’s most significant move yet to curb the wave of ransomware attacks, which have only become more frequent over the course of the COVID-19 pandemic. In May, Colonial Pipeline, one of the largest fuel delivery pipelines in the US, was taken offline after a ransomware attack. Colonial paid more than $4 million to get the system back online; that payment was partially recovered by US authorities.
Last year, the Treasury Department issued a pair of advisories warning companies against paying cybercriminals demanding ransoms.
U.S. presses crypto exchanges to block ransomware profits
In the example from Kafeine, we found that the ransomware could deliver the message in French or English.
On a technical level, the code in this new strain of CryptoWall has been enhanced in several ways:
1. This new version has vastly improved communication capabilities.
It uses a modified protocol that lets it avoid detection even by second-generation enterprise firewalls, which lowered detection rates significantly compared to the already successful CryptoWall 3.0 campaigns.
Yaroslav Vasinskyi and Yevgeniy Polyanin.
A representative for blockchain analytics firm Chainalysis told The Block, “Chatex has received at least $77.5M in Bitcoin since it began operating in September 2018, including more than $17M in illicit funds, including from darknet markets (primarily Hydra), scams (primarily TheFiniko and QubitTech.ai), and various ransomware strains.”
The Department of State also announced a reward of up to $10 million for information leading to the leaders of the Sodinokibi/REvil ransomware-as-a-service gang.
In a note that seems to reach out to the crypto industry, the Treasury’s announcement explains:
“While most virtual currency activity is licit, virtual currency remains the primary mechanism for ransomware payments, and certain unscrupulous virtual currency exchanges are an important piece of the ransomware ecosystem.
The U.S. government sanctioned the cryptocurrency exchange SUEX for moving money for ransomware actors. In essence, that means U.S. citizens and corporate entities are banned from using it.
The statement, released in September, is part of a wider effort to boost crypto security and “disrupt criminal networks and currency exchanges”.
The First Crypto Security Sanction
The Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury justified this decision on the grounds that SUEX had “facilitated transactions involving illicit proceeds from at least eight ransomware variants”.
It also noted that 40% of the cryptocurrency exchange’s transactions involved illicit actors.
Treasury announced the moves amid a rise in ransomware attacks, in which cyber criminals demand payment, often in digital currency, from their victims. The ransomware attack on Colonial Pipeline in May shut down one of the largest fuel delivery sources in the U.S. for nearly a week and caused supply disruptions along the East Coast. Colonial paid a ransom that was partially recovered by U.S. authorities.
“The majority of virtual currency exchanges are dealing in predominantly legal activity and have improved their compliance regimes over the last few years,” Treasury Deputy Secretary Wally Adeyemo said.
The battle against cyber attacks
The United States is engaged in a real battle against cyber attacks. For this reason, the authorities urge people not to give in to blackmail: never pay.
Secondly, it is essential to protect oneself against threats. This applies to private as well as institutional actors.
In addition, it is necessary to report attacks and cooperate with law enforcement agencies to identify those responsible.
This is not a war confined to the United States.
Cyber threats were also discussed at the G7 summit in June. The world’s leaders agreed to join forces to counter cyber attacks, not least because of the risks they pose to the financial sector.
The malware authors have also changed the ransom note dropped on infected systems. It is written in three formats:
HELP_YOUR_FILES.TXT, HELP_YOUR_FILES.HTML and HELP_YOUR_FILES.PNG
Here is an example of such a note, as found at C:\Documents and Settings\User\Desktop\HELP_YOUR_FILES.TXT:
As you can see, the message used an obviously condescending tone.
It also includes an FAQ with answers directed to the victim.
3. CryptoWall 4.0 now encrypts not only the data in your files, but the file names as well.
This social engineering technique confuses victims even more, because they can no longer tell which file is which, and it increases the pressure to recover their data as fast as possible.
Consequently, it raises the “success” ratio: the share of victims who pay the ransom among those who see the message.
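The two host-side indicators in this passage, the fixed ransom-note file names and the renaming of encrypted files, lend themselves to a quick triage script. The following Python is an added example written for this page, not code from the original article or from any published CryptoWall analysis. The three note names are taken from the text; the sample file listing, the list of common extensions and the entropy-based “randomised name” heuristic are assumptions of the example, since the page does not describe the renaming scheme.

```python
"""Triage for the CryptoWall 4.0 host indicators described in the text:
the three ransom-note file names and the renaming of encrypted files.

Added example, not the original article's code. The note names are taken
from the text; the sample listing, the common-extension list and the
randomised-name heuristic are assumptions of this example.
"""
import math
import ntpath
from collections import Counter, defaultdict

# Exact indicators from the text: the ransom note is dropped in three formats.
RANSOM_NOTE_NAMES = {"HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.PNG"}

# Assumption: extensions a normal user file would carry. A file renamed by the
# ransomware is assumed to have lost its recognisable extension.
COMMON_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".zip", ".exe",
    ".dll", ".ini", ".db", ".html", ".htm",
}

# Constructed sample listing (not real telemetry), in the Windows path style
# the text uses. Two directories carry ransom notes; Program Files does not.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\User\Desktop\HELP_YOUR_FILES.TXT",
    r"C:\Documents and Settings\User\Desktop\HELP_YOUR_FILES.HTML",
    r"C:\Documents and Settings\User\Desktop\HELP_YOUR_FILES.PNG",
    r"C:\Documents and Settings\User\Desktop\q7x2mkd9.4fz1",
    r"C:\Documents and Settings\User\Desktop\zp0a8v3nt6lw.kq2",
    r"C:\Documents and Settings\User\Desktop\budget_2015.xlsx",
    r"C:\Documents and Settings\User\My Documents\HELP_YOUR_FILES.TXT",
    r"C:\Documents and Settings\User\My Documents\h3n8rtq2.b7d",
    r"C:\Program Files\Editor\readme.txt",
    r"C:\Program Files\Editor\editor.exe",
]


def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_randomized(name, min_len=8, min_entropy=3.2):
    """Heuristic (assumption): a name with no common extension, made only of
    letters and digits (both present), long enough and high-entropy enough to
    be unlike a human-chosen file name. Tuned so English words and short names
    fall below the threshold while ten or more distinct random alphanumerics
    clear it."""
    _stem, ext = ntpath.splitext(name)
    if ext.lower() in COMMON_EXTENSIONS:
        return False
    body = name.replace(".", "")
    if len(body) < min_len or not body.isalnum():
        return False
    if not (any(ch.isdigit() for ch in body) and any(ch.isalpha() for ch in body)):
        return False
    return shannon_entropy(body.lower()) >= min_entropy


def triage(paths):
    """Group a file listing by directory and report every directory holding a
    ransom note, with a count of sibling files and how many look renamed."""
    by_dir = defaultdict(list)
    for path in paths:
        directory, name = ntpath.split(path)
        by_dir[directory].append(name)

    findings = []
    for directory in sorted(by_dir):
        names = by_dir[directory]
        notes = sorted(n for n in names if n.upper() in RANSOM_NOTE_NAMES)
        if not notes:
            continue
        others = [n for n in names if n.upper() not in RANSOM_NOTE_NAMES]
        findings.append({
            "directory": directory,
            "notes": notes,
            "files": len(others),
            "renamed": sum(1 for n in others if looks_randomized(n)),
        })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING):
        print(f"{hit['directory']}: notes={hit['notes']} "
              f"files={hit['files']} renamed={hit['renamed']}")
```

On a real host the `paths` argument would come from an `os.walk` over the user profile directories. The design keys on the note names first because they are exact indicators; the entropy test is only a confidence signal for how much of that directory was touched, and it will miss renamed files that happen to keep a common-looking extension.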
This reliance has prompted several cybersecurity experts to call for either tighter regulation of cryptocurrency or an outright ban on its use.
Ari Redbord, head of legal and government affairs at crypto forensics company TRM Labs and former senior adviser to the Treasury Department’s terrorism and financial intelligence unit, said Treasury’s actions show there’s a way for the government to put limits on the digital currencies without hurting everyday crypto users.
“This actually really shows the opposite: that law enforcement and regulators can go after the illicit actors who take advantage of crypto without sort of going after the technology itself,” said Redbord, who is also a former assistant U.S. attorney.
The SUEX cryptocurrency exchange is incorporated in the Czech Republic but operates in Russia.
U.S. infrastructure. Administration officials have met with business leaders to discuss ways to combat growing cyber threats, launched a whole-of-government ransomware fighting strategy in July that includes weekly meetings to discuss ransomware threats and have looped in international partners to tackle the problem together.
But the Treasury Department’s move is the first that hits at the crux of the issue: “Criminals operate in the space because it’s profitable,” Anne Neuberger, the White House’s deputy national security adviser focused on cyber issues, told reporters.
Ransomware criminals have come to rely on Bitcoin and other digital currencies to have victims pay what could be upwards of millions of dollars to decrypt their files and prevent future leaks of stolen data from an attack.
CryptoWall is usually spread by spam and phishing emails, malicious ads, compromised websites, or other malware, and uses a Trojan dropper to deliver its payload.
CryptoWall is an advanced piece of malware, a variant of the earlier CryptoLocker, whose infrastructure was taken down in 2014 by a number of security companies and state agencies across the world. Nevertheless, a comeback was widely expected, and it came with CTB Locker, followed by CryptoWall 3.0, which launched a massive attack on German users at the time.
How does it spread?
Like most data-stealing malware and ransomware, CryptoWall spreads mainly through phishing and spam campaigns that invite users to click a malicious link or access an e-mail attachment.
The case of SUEX
The first exchange to fall under this new approach is the OTC platform SUEX. It reportedly facilitated transactions carried out by the hackers responsible for ransomware attacks involving at least eight different ransomware variants.
SUEX appears to be a popular platform for such transactions.
In fact, the Treasury Department writes:
“Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors. SUEX is being designated pursuant to Executive Order 13694, as amended, for providing material support to the threat posed by criminal ransomware actors”.
Being “designated” means that U.S. persons are prohibited from transacting with the exchange, and any property it holds under U.S. jurisdiction is blocked (frozen).
Those who violate the sanctions are themselves subject to penalties.