nymcss oct 14 2021
Fighting Ransomware
New York Metro Joint Cyber Security Coalition, October 14, 2021
Proprietary and Confidential
Chainalysis builds trust in cryptocurrency
Customers: financial institutions, cryptocurrency businesses, law enforcement & regulators
Growing partner network: 500+ customers across 60 countries
Chainalysis maps addresses to entities
What you see on the blockchain vs. what you see in Chainalysis (diagram; example entities: Coinify, Bitstamp)
Services can have thousands to tens of millions of addresses
Diagram labels: Fraud Shop, Ransomware, Threat Actor, Infrastructure as a Service
Attribution & Disruption in Action
Timeline, 2014 to 2021 (items listed as extracted from the slide; the year of each is not recoverable from the text):
● Mt. Gox investigation leads to Chainalysis Reactor
● Force & Bridges case - Silk Road investigation corruption
● Alphabay & Hansa - largest darknet market takedown
● Investigation of BTC-e crypto exchange
● SamSam Ransomware
● Terrorist Financing Case
● Tracing donation to extremists
● Shutdown of largest child pornography website
● North Korea Crypto Hackers Charged
● $1B+ seizure connected to darknet market Silk Road
● Twitter Hack Scam
● U.S. Gov targets Russian Influence Operations
● Netwalker Ransomware Takedown
● U.S. sanctions Russian exchange laundering ransomware proceeds
Ransomware Trends
● Increase in overall ransomware revenue
● Increase in average ransom payment demanded
● Increase in unique threat actors engaging in the ransomware ecosystem
Thriving underground supply chain
● Incidents are not monolithic - threat actors outsource components of an attack to underground professionals
● Easy-to-deploy out-of-the-box (OOTB) tools enable amateurs to leapfrog to sophistication
● Attackers scout for additional talent & tools to make illicit campaigns more devastating
Diagram: underground supply-chain components surrounding the cyber incident: payment card data, bank logs, routing numbers, bulletproof hosting, translation services, advertising, phishing kits, TOR cloud hosting, storage and migration, web development, access as a service, emails and passwords, brute-forcing tools, servers, DDoS-for-hire, banking trojans, customer service, call service, mixing/cashout services, exploits, compromised accounts
Blockchain Meets Cyber Kill Chain (Lockheed-Martin Cyber Kill Chain)
Stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives
Threat actors use cryptocurrency to propel cyber intrusions through each stage of the kill chain.
Cryptocurrency-funded goods and services shown across the stages: infostealers, network access, scanning tools, pentesters, botnets, exploit kits, malware, phishing kits, affiliates, domains, bulletproof hosting, exploits, brute-forcing tools, RATs, tools (Cobalt Strike), miners, C2 infrastructure, stolen creds
Outcomes shown: ransomware, cryptojacking, data encryption/exfiltration, account takeover
Prevention: Stay ahead of the threat (and the news)
● Prioritize appropriate measures (such as patching)
● Eliminate vulnerabilities before an attack even takes place
Adversary infrastructure
● Bulletproof hosting (BPHS)
● MaaS and Exploit Kits
Initial Access Brokers
Affiliates’ divided loyalty
Mixers & Monero
Screenshot of the DarkSide admin’s Exploit.in forum post seeking affiliates for DarkSide 2.0
Screenshot of a REvil /Sodinokibi ransom note demanding payment in Monero
Identify the ‘Who’ and ‘How’
Diagram labels: TTPs of Buyer, Selling Access, Buyer Identified
How does it work?
Take an address (13AM4VW2dhx...). What other addresses does it control? Where does the wallet send or source its funds?
What about the “Who”?
Role of Exchanges
Diagram labels: Victim, Threat Actor, Exchange
Exchanges are cryptocurrency services that play vital roles in attributing and disrupting the ransomware supply chain. Financially-motivated cyber criminals eventually need to move their crypto into fiat currency. This means that, more than likely, they must interact with an exchange.
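The two questions on the "How does it work?" slide (which other addresses a wallet controls, and where its funds go) and the exchange's role above can be shown with a small added example that is not Chainalysis's code: a common-input-ownership clustering over constructed transactions, then a forward trace from the ransom address until the funds land in a cluster carrying a constructed service label. Every address name, amount and the "ExampleExchange" label are made up for the example.

```python
from collections import defaultdict
# Constructed sample: (txid, input addresses, [(output address, amount in BTC)])
TXS = [
    ("t1", ["victim1"], [("ransom_a", 5.0)]),               # ransom payment lands
    ("t2", ["ransom_a", "ransom_b"], [("hop1", 7.0)]),       # attacker consolidates
    ("t3", ["hop1"], [("hop2", 4.0), ("hop1_chg", 3.0)]),    # intermediate hop
    ("t4", ["hop2"], [("exch_dep", 4.0)]),                   # deposit at a service
    ("t5", ["exch_dep", "exch_hot"], [("exch_hot2", 9.0)]),  # service sweeps deposit
]
LABELS = {"exch_hot": "ExampleExchange"}  # constructed entity label (attribution data)

def cluster_addresses(txs):
    """Common-input-ownership heuristic: inputs spent together in one transaction are
    one wallet; clusters are connected components. Never-spent addresses are left out."""
    peers = defaultdict(set)
    for _, ins, _ in txs:
        for a in ins:
            peers[a].update(ins)
    clusters, todo = {}, set(peers)
    while todo:
        comp, stack = set(), [todo.pop()]
        while stack:                      # depth-first walk of one component
            a = stack.pop()
            comp.add(a)
            stack.extend(peers[a] - comp)
        todo -= comp
        clusters.update({a: frozenset(comp) for a in comp})
    return clusters

def entity_of(addr, clusters, labels):
    """Entity label carried by any member of addr's cluster, or None."""
    return next((labels[a] for a in clusters.get(addr, {addr}) if a in labels), None)

def trace_to_service(start, txs, clusters, labels):
    """Breadth-first walk along outputs from start, stopping at the first address in a
    labelled service cluster (it holds the funds, so hops inside it are not followed)."""
    successors = defaultdict(list)
    for _, ins, outs in txs:
        for a in ins:
            successors[a].extend(o for o, _ in outs)
    seen, queue = {start}, [(start, [start])]
    while queue:
        addr, path = queue.pop(0)
        label = entity_of(addr, clusters, labels)
        if label and addr != start:
            return label, path            # (entity label, address path)
        new = [n for n in successors[addr] if n not in seen]
        seen.update(new)
        queue.extend((n, path + [n]) for n in new)
    return None, []
```

The deposit address exch_dep carries no label of its own; it is attributed only because the service later co-spent it with a labelled hot wallet, which is the point at which an alert to the exchange becomes possible.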
Case Study
NetWalker Ransomware
● Operated as a Ransomware-as-a-Service (RaaS) model
● Garnered at least $78 million in ransom proceeds since becoming active in August 2019
● Impacted at least 305 victims from 27 countries, including 203 in the U.S.
● While NetWalker publicly claimed not to target hospitals, they’ve attacked healthcare facilities in Philadelphia, Atlanta, and Canada
Investigation & Disruption
NetWalker ransomware affiliate and Canadian national Vachon-Desjardins was arrested and charged in January 2021
● Allegedly responsible for at least 91 attacks, and received bitcoin worth $14 million at the time of receipt
● Nearly $500,000 seized
Affiliates are responsible for finding access to victim networks and ultimately deploying the ransomware. Hence, affiliates receive the lion’s share of the profits, typically 76-80% commissions for NetWalker affiliates as shown in Chainalysis Reactor.
During a ransomware event
● Payment made: A ransomware payment is made by or on behalf of a victim in response to an attack.
● Tracked by investigators: Professional investigators follow the money and track attempted laundering.
● Criminal attempts to cash out: The threat actor moves funds to an exchange we work with regularly.
● Chainalysis alerts exchange: A Chainalysis representative alerts the exchange that a live ransomware payment has landed in their system, so that the movement of funds can be stopped.
● Compliance actions taken: The exchange's compliance team takes whatever actions it deems correct. OFAC guidance is to contact law enforcement immediately and report to OFAC.
● Ransomware disincentivized: The profitability of ransomware schemes is reduced. We make it much more difficult for criminals to launder their ill-gotten gains.
Thank you! Questions?
Chainalysis.com