When a police officer in Durham, N.H., opened an innocuous-looking email last spring, the small New England department became the victim of a totally new kind of crime – one that it had no idea how to solve.
Criminal hackers had seized the department’s entire network of 28 computers, locking police out for 24 hours of the system that keeps arrest records, outstanding warrants, and incident reports. The culprit: ransomware, a form of malicious software that encrypts a victim's computer files until the victim pays a fee via the virtual currency bitcoin.
Fortunately, Durham Police Chief Dave Kurz and his team had a backup server in place, allowing information technology teams to quickly restore access to the locked files. That’s not always the case, as ransomware victims risk losing their files for good if they don’t meet hackers’ demands.
“We would have had to explore paying a ransom,” Chief Kurz says. “It would have been a nightmare.”
To date, ransomware attackers have operated largely without fear of being caught, thanks to their use of encryption and the decentralized cryptocurrency bitcoin, which enables users to mask their identity during transactions.
Now, with attacks on the rise (the cybersecurity firm Kaspersky has tracked 718,536 ransomware incidents since the Durham hack), security researchers are tracking down suspected ransomware hackers by borrowing an old technique from law enforcement: watching where the money flows. It's an investigative tactic so new that police in Durham wouldn't have been able to use it to track down the people who hacked them.
But now, says Caleb Fenton, a researcher at the cybersecurity firm Sentinel One, “You can actually follow the money.”
All bitcoin transactions are stored on a public ledger called the blockchain, where anyone can view transactions between bitcoin users. Though blockchain users preserve their anonymity by using screen names, the public websites where payments are logged can serve as clues for investigators trying to track down ransomware criminals.
In fact, Mr. Fenton used the blockchain to gather a tremendous amount of data, including bitcoin addresses and amounts paid, as part of his own investigation into a new ransomware variant dubbed CryptXXX. That strain can also infect backup files, and hackers have already used it to extort $50,000 in bitcoin payouts from nearly 70 organizations in the past month. Fenton says he was able to determine the number of victims by tracking the payments on the blockchain.
Fenton says he’s found a new bitcoin wallet, used to store and access the currency, associated with CryptXXX. Since the CryptXXX-related bitcoin address first popped up in the beginning of June, Fenton says it's likely a new address dedicated to the campaign.
“What I think we’re going to start seeing is more and more technology that allows you to trace bitcoin transactions,” he said. “Once they figure out where the command-and-control servers are, they can do a lot of information gathering tactics to figure out what [internet protocol addresses] were used, what the domains were, and who registered them.”
Fenton has only been able to tie the payments to blockchain screen names, not specific people, since users often use different addresses for each transaction. What’s more, sophisticated criminals can better anonymize their bitcoin by laundering the funds through altcoins and other cryptocurrencies that are variants of bitcoin.
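As an added example (not from the article and not Mr. Fenton's code), here is how an investigator could tally payments to a known extortion address and estimate the number of victims, as described above, while allowing for victims that spend from several addresses: addresses spent together as inputs of one transaction are assumed to share an owner (the common-input-ownership heuristic). Every address, transaction and amount below is constructed; the ransom address is a placeholder.

```python
from collections import defaultdict

# Constructed placeholder for the extortion address; not a real wallet.
RANSOM_ADDR = "1RANSOM_PLACEHOLDER"

# Constructed transactions: (txid, input addresses, [(output address, satoshi)]).
# All addresses are made up; "vA*" belong to one victim, "vB*" to another, etc.
TXS = [
    ("tx1", ["vA1", "vA2"], [(RANSOM_ADDR, 120_000_000), ("vA3", 30_000_000)]),
    ("tx2", ["vA2", "vA3"], [(RANSOM_ADDR, 120_000_000)]),   # same victim pays again
    ("tx3", ["vB1"],        [(RANSOM_ADDR, 120_000_000), ("vB2", 10_000_000)]),
    ("tx4", ["vC1", "vC2"], [(RANSOM_ADDR, 240_000_000)]),
    ("tx5", ["vD1"],        [("merchant", 50_000_000)]),      # unrelated spend
]

def cluster_inputs(txs):
    """Union-find over input addresses: addresses co-spent in one transaction
    are assumed to share an owner. Returns address -> cluster representative."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving keeps trees shallow
            a = parent[a]
        return a
    for _, inputs, _ in txs:
        root = find(inputs[0])
        for addr in inputs[1:]:
            parent[find(addr)] = root
    return {a: find(a) for a in parent}

def trace_payments(txs, ransom_addr):
    """Tally payments to ransom_addr per payer cluster and count victims,
    alongside the naive count of distinct paying addresses for comparison."""
    owner = cluster_inputs(txs)
    by_cluster = defaultdict(int)
    naive_addrs = set()
    for _, inputs, outputs in txs:
        paid = sum(sat for addr, sat in outputs if addr == ransom_addr)
        if paid == 0:
            continue  # transaction did not pay the ransom address
        naive_addrs.update(inputs)
        by_cluster[owner[inputs[0]]] += paid
    return {
        "victims": len(by_cluster),                 # clustered payers
        "naive_address_count": len(naive_addrs),    # over-counts victim A
        "total_sat": sum(by_cluster.values()),
        "by_cluster": dict(by_cluster),
    }

if __name__ == "__main__":
    print(trace_payments(TXS, RANSOM_ADDR))
```

On the constructed data the naive count reports six paying addresses, while clustering reduces that to three victims paying 6 BTC in total.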
Still, blockchain is the type of tool that experts hope will eventually lead to more arrests. Investigators could track the extortion payments to physical bitcoin exchange locations, where users convert the virtual currency to cash, and apprehend suspects, or catch them on surveillance footage, suggests Peter Van Valkenburgh, director of research at Coin Center, a Washington think tank focused on bitcoin and blockchain technology.
“Old-fashioned police work is always going to be the main method of investigation,” said Mr. Van Valkenburgh. “Anonymity is not the tool that makes bitcoin palatable to criminals. It’s just very fast, it’s reversible, and it’s a lower cost to use than other payment systems, like mailing pre-paid credit cards.”
Bitcoin has become the most popular currency used to fund transactions on the Dark Web, the hidden criminal underbelly of the internet, since the popular online drug market known as the Silk Road emerged in 2011. Today, though conversion rates vary, bitcoins can sell for more than $600 each. The virtual currency remains in use by other drug markets, legitimate online retailers, and venture capitalists, and is being explored for use by the British government.
US government investigators are on the case, too. The Department of Justice briefly disrupted the ransomware scheme known as CryptoLocker, and identified the suspects who allegedly stole more than $100 million as part of the scheme. That single ransomware variant may have infected as many as 260,000 computers around the world, according to Richard Downing, US acting deputy assistant attorney general.
“Despite these many challenges, law enforcement is actively working to disrupt and defeat ransomware schemes,” Mr. Downing said at a Senate Judiciary Committee hearing in May. “The FBI currently has over 30 active investigations into different ransomware variants.” The FBI did not respond to requests for comment on this story.
Government investigators also leveraged bitcoin payments as part of the Silk Road investigation. After agents apprehended Silk Road founder Ross Ulbricht, they accessed his computer to find sizable transactions to two unknown sources. Authorities say both of those trails led to corrupt federal agents who, along with investigating the Silk Road, also appeared to be taking bitcoin for themselves.
“The mere existence of these corrupt government agents was determined to be true by the blockchain,” said Coin Center's Van Valkenburgh.
Success like that has led to a small marketplace of bitcoin intelligence firms cropping up all over the world, attracting a significant influx of cash from the venture capital world. British blockchain firm Elliptic has already raised $5 million for services to monitor the platform for criminal investigations. And the firm Chainalysis has raised $1.6 million and will assist Europol in investigations.
“You’re putting your transactions on an immutable ledger that will never disappear,” says Van Valkenburgh. “You can’t eliminate that feature of the blockchain – you’re potentially exposing your entire criminal conspiracy to an audit.”