The German city of Munich recently hosted two security conferences which, for different reasons, could turn into globally significant reference points for years to come.
The first, the annual high-level Munich Security Conference at which senior politicians discussed the crisis in Ukraine, made headlines across the world under the stirring beacon “unlearning helplessness.”
Ironically, unlearning helplessness would have been the perfect framing for the second, less well-covered, event held in the city in the same week: the Munich Cyber Security Conference (MCSC), which offered intriguing news regarding that other big geo-political tension, cybercrime.
The main announcement by U.S. Deputy Attorney General Lisa Monaco was that the FBI is setting up the Virtual Asset Exploitation Team (VAXU), a new cyber-unit to track and seize cryptocurrencies connected to criminality.
It might sound bureaucratic, but it’s potentially a big deal in the battle against ransomware.
Follow the Money
Ransomware depends on three things for success:
- The ability to compromise business networks
- The willingness of organizations to pay ransoms when they do
- The ability to receive these ransoms via cryptocurrency
Traditional cyber defense tends to focus on the first two, but the third is where, in theory at least, the criminals themselves are weak. No matter how successful their attacks, if the bad guys can’t reliably receive ransoms, they’re out of business.
That means figuring out where ransoms disappear to. It was long assumed that the blockchain made this difficult, until the U.S. Government was able to retrieve $2.3 million of the $4.4 million ransom paid as part of last May’s Colonial Pipeline attack.
That incident was the first time such a recovery had been conducted, or at least that’s what everybody thought. Last week, cryptocurrency research company Chainalysis reported that not only had it helped the U.S. Government in the Colonial Pipeline recovery, but that the Feds also recently seized $30 million of ransomware proceeds related to the NetWalker gang.
So cryptocurrencies can be tracked after all, with the result that for the first time since commercial ransomware surged a decade ago, some of the money extorted by ransomware is flowing back toward its victims.
“Following the money. It’s what led us to Al Capone in the 30s, it helped us destroy La Cosa Nostra in the 60s, and it took down terrorist financing networks in the early 2000s,” Monaco told the Munich conference.
“The currency might be virtual, but the message to companies is concrete: if you report to us, we can follow the money and not only help you, but hopefully prevent the next victim.”
Hit Them First
Monaco made another significant announcement: the U.S. is now seriously considering pre-emptive action against cybercriminals, including ransomware gangs. She wasn’t specific about details beyond saying “We should consider the use of all available tools. When I say all tools, I mean disruptive capabilities, sanctions and export controls… This is especially true when threat actors seek safe haven in rogue countries or work on behalf of a foreign government.”
This, presumably, is a dig at Russia and countries in its orbit, as well as Iran and North Korea.
Ransomware pre-emption has been debated for years. It was always rejected as risky because it can be difficult to distinguish innocent infrastructure from the malicious. But after years of talk, it seems that the chaos of ransomware has finally tipped the scales toward action. Law enforcement isn’t judged on fine speeches, but if U.S. agencies make good on even some of these promises, 2022 might yet be the long overdue moment ransomware met its match.