Addressing the ransomware threat: Cyber expert Jonathan Levin

In this episode of “Intelligence Matters,” host Michael Morell speaks with Jonathan Levin, a thought leader on cryptocurrencies and the chief strategy officer at Chainalysis, a leading anti-money laundering firm. Morell and Levin discuss the growing, global threat from ransomware and how criminal gangs’ tactics have evolved to target a variety of vulnerable sectors. Levin also explains how cryptocurrencies and blockchain work, and how both can help investigators trace the origins of illicit financial activity.  

Highlights  

On the global growth of ransomware: “I think it’s important to understand all of ransomware as a business and in fact, a lot of cybercrime that’s not ransomware you can think of really as a business. And so ransomware is just one of the ways that cyber criminals are actually monetizing the access that they get into people’s networks, into corporations, et cetera.” 

Confronting ransomware attacks: “I think that we must think about moving at the speed of the technology and appealing to maybe not only the traditional sort of government mechanisms, but really be innovative about what rapid response looks like. And we’ve started to see that in business email compromise, which is a massive market in terms of financially motivated cyber[crime] — still sort of bigger, actually, than ransomware. But we need to do the same in ransomware and make sure that we are able to respond internationally at the speed of the technology and reaching out and spending a lot of time thinking about that as well.” 

Future of cryptocurrency: “The way that I think about this is there are technologies that exist that have inevitable impacts on the world, the ability for people to program money and form communities over the Internet and build much better and more secure means of exchanging value will inevitably have a huge impact on the way that corporations around the world function, the way that governments around the world function. And so ultimately, I see this as one of the true inevitabilities in the 21st century.” 

Download, rate and subscribe here: iTunesSpotify and Stitcher.


INTELLIGENCE MATTERS TRANSCRIPT – Jonathan Levin

Producer: Olivia Gazis

MICHAEL MORELL: Jonathan, welcome to the show. Welcome to Intelligence Matters.

JONATHAN LEVIN: Thanks so much for having me.

MICHAEL MORELL: So, Jonathan, you and I have something in common. We were both trained as economists with an initial thought of spending a lifetime in academia. But we both we both ended up doing something else. We both ended up, I think, doing something more interesting. Can you just describe your story in that regard?

JONATHAN LEVIN: Yeah, for sure. So I started out as an economist by training, really focusing in on environmental economics and quickly realized that, you know, the thing that was going to change the world, obviously, the climate crisis was something that was impacting the world. But the thing that I found to be less well understood was the impact that technology was going to have on the world. And actually, economists in general are not always the best forecasters and also just not very good at predicting what the impact, the long run of some of these technologies will be on the world.

And so then when I came across cryptocurrencies in my spare time, while I was in Oxford, I realized that actually this was a technology that was going to ask a lot of the best fundamental questions about how the Internet is going to be structured and how corporations will get built in the future. And who, in the world, is going to have the authority and power to issue money and form communities.

And so I took that as sort of this quest where people always told me you should focus on asking the right questions. And it felt to me like this technology was going to ask all the right questions. And you can do that for the long run. And so the switch from environmental economics to starting a company to try and answer the question about how and why our cryptocurrency is actually being used in the world.

MICHAEL MORELL: So you start this company called Chainalysis. What does it do?

JONATHEN LEVIN: So we are a data company. We build a data set that matches cryptocurrency transactions to the real world purposes behind them and then repackage that information up and provide investigation software to government agencies, law enforcement and corporations. And we help all of the businesses that are active in cryptocurrencies to meet their regulatory obligations around anti-money laundering and counterterrorist financing.

MICHAEL MORELL: So, Jonathan, because of your work and because crypto plays such an important role in ransomware attacks, I know you pay a lot of attention to those attacks and I want to spend some time talking about that with you. Let me start by saying that I ran across some data in the last few days. And according to a company called SonicWall, a cybersecurity company last year, 2020, there was nearly five trillion cyber intrusion attempts, five and a half billion malware attacks and 300 million ransomware attacks. That’s about 820,000 ransomware attacks a day, which is obviously a huge number, which is up significantly in the last couple of years. And I know it’s growing again this year.

So let me ask you two questions about about ransomware attacks, if I can. One is, can you explain for our listeners exactly how such an attack works? And two, can you give us a sense why you think there’s been such a huge growth in those attacks?

JONATHAN LEVIN: Yeah, for sure. So what happens when an intruder gets into a network? I think it’s important to understand all of ransomware as a business and in fact, a lot of cybercrime that’s not ransomware you can think of really as a business. And so ransomware is just one of the ways that cyber criminals are actually monetizing the access that they get into people’s networks, into corporations, et cetera.

And the way that they get into these networks is oftentimes through some form of phishing attack where someone pretends to be another employee of a company or someone who’s selling something to a company. And someone clicks on a link and downloads a bit of malware onto that device. And now the attackers are into the network. And historically, there’s been different ways to monetize that access to networks.

And so one thing that people steal is other passwords, that personally identifiable information that can be used to commit credit card fraud and bank fraud. But there’s now, you know, with ransomware and it started in the early 90s, you know, far, far before cryptocurrency, there’s been extortion attempts on preventing access to networks. That actually has been a way to monetize this intrusion.

And what we’ve seen in recent years is it’s become a lot more popular to use ransomware as the main vehicle for actually monetizing this intrusion. And so I think when you think about ransomware attacks, you have to think about the business decisions that people are making on the other side of this. And it’s an industry where there’s different options of monetization. And so when credit card fraud companies become much more sophisticated at preventing that type of fraud, there needs to be new angles for these cyber criminals to to raise to increase their revenue. And what we’ve seen is that actually ransomware has taken off in terms of the amount of money that can be generated by the attacks that you mentioned.

And I think that it’s fair to say that there’s been a widespread sort of understanding and payment of these ransoms, which has led to sort of more attacks. And that has gone up considerably and there’s considerably more interest as far as cryptocurrency have become more prevalent. And so that’s something that that has maybe contributed to it. But it’s definitely been sort of the primary driver of this is just the need to increase revenue for these cybercrime gangs that have been operating in this space already since since the beginning of the Internet, but specifically the financially motivated cyber criminals that are looking to generate income today.

MICHAEL MORELL: So, Jonathan, is the typical attack the encryption of the data on the network and then the asking for a ransom to provide a key for that encryption? Is that the typical approach?

JONATHAN LEVIN: Yeah. So, again, I would break it down into access to the network is coming through some form of phishing attack or network intrusion attack some vulnerability in the network, and then they download the software that encrypts a lot of files and that can be a decryption key that the attacker is then saying that it will give you the the decryption key to unlock all your files if you pay a specific set of the ransom. And then typically this is now, especially at the top end, lots of negotiation that happens between the attacker and victim.

MICHAEL MORELL: And do the attackers focus on particular sectors or are the attacks sort of evenly distributed across sectors, and sectors don’t really matter to the attackers?

JONATHAN LEVIN: So actually the sectors really do matter to the attackers. And actually, as of today, we’ve seen sort of an ability to actually trace some of these actors based on some of the policies that they’re setting and some of the targets that they’re going after. And so different ransomware gangs will have different policies. And we’ve actually seen this change dramatically over the last, I would say, several months, where initially some ransomware gangs and some ransomware strains, for example, would go in and detect whether the language of the machine was in Russian. And then would you know, if it did detect that, then it wouldn’t actually encrypt the files.
And then we’ve seen sort of ransomware gangs chatting and some of the forums like XSS and Exploit. And they have actually said that we don’t attack healthcare or we don’t attack specific parts of critical infrastructure in order to sort of comply with the rules that are actually being set by some of these underground forums.

So definitely different actors are going off to different types of businesses. I would say that, you know, the thing that’s kind of common across these more sophisticated ransomware gangs is that they are really looking at the revenues of different corporations and building target lists the same way as you do for a normal business that’s, you know, building a business to business software company.

MICHAEL MORELL: And then the perpetrators of the attacks. We hear a lot about Russian organized crime and they are indeed a major player. But who else is in this game in a big way?

JONATHAN LEVIN: Yeah, so I think there’s several parts of this I think that there’s a global affiliate program of these ransomware strains and authors where there actually is an ability for people now to know if they have more local access to specific companies or networks in different regions, they can actually monetize that type of access by, sort of, they don’t need to write the ransomware themselves. They can actually get it from one of these ransomware authors, which a lot of it comes from Russian organized crime.

But effectively, they can spread their influence even more by having these affiliates go out and give them access to specific corporate networks in different parts of the world. And so I think one of the main takeaways that we’ve seen, and particularly if you look at that, was a case that involved a network, which was a particular ransomware strain. And there was a big affiliate based up in Canada that actually was allowing network to really blossom in North America. And, you know, that was taken down by the FBI with some assistance from Chainalysis. And the ability to go after those affiliates and make examples of that is going to be crucial to making sure that that global industry that surrounds the enablement and growth of this is quickly shut down and disrupted.

MICHAEL MORELL: Jonathan, let’s dig a little deeper into how people pay ransoms when they’ve been attacked. Nearly every time you read about an attack in the media. You read that the attacker is asking for payment in cryptocurrency. And I’m wondering, is that true? Is that the preferred payment method? Is that the only payment method? How do you think about that?

JONATHAN LEVIN: Yeah, so and this goes back to the to the early ’90s when ransomware began. People at that time asked for bank wires to be sent and so that floppy disks could be shipped. You know, that was kind of the beginning of of ransomware and extortion attacks where the people are going to go with the most low friction option to actually make these payments.

And so what typically is happening today is ransom is largely being demanded in crypto currencies, the vast majority largely in Bitcoin, although sometimes we’re starting to see some demands also in Monero. And effectively, companies are engaging in a negotiation, usually with an incident response firm that is helping them navigate the attack. And they then engage in a negotiation with the authors.

And the payment is often made either by an instant response firm or some some form of third party that can gain access to that much Bitcoin, because clearly domestically, there’s still a lot of barriers from a compliance point of view for corporations being able to just simply go ahead and buy that much cryptocurrency. So there are specialist firms that allow corporations to gain access to large amounts of Bitcoin at short notice to be able to make those payments.

MICHAEL MORELL: And is there a difference between Bitcoin and Monero when it comes to these kinds of payments?

JONATHAN LEVIN: I think there’s a question of access and ease, so there’s clear regulation that came from FinCEN, which is the financial crime regulator, which talks about the need to check for sanctions compliance when you’re making these types of payments. And the ability to do that in in Bitcoin is that we provide that type of screening and monitoring of these payments to various providers that are making these payments. And I think it’s very important that there continues to be that level of visibility into these payments. I would say that the visibility on the Monero side is much more limited.

MICHAEL MORELL: So, Jonathan, before we continue with the ransomware story here and how it relates to crypto, I’d like to take a little digression and ask you about cryptocurrency and illicit finance in general, which is something that you and I’ve talked a lot about. The conventional wisdom, right, that you see is that the use of cryptocurrency is dominated by illicit finance. True? Not true?

JONATHAN LEVIN: It’s not true. So the dominant use of cryptocurrency is for legitimate purposes, in fact, more than 99 percent of the flows that we see in crypto currencies are being used for regular commerce. Cross-border payments, there’s still a high degree of speculation and and really market making inside crypto currencies that tend to dominate the the actual flows that we see in crypto currencies.

And just to your point is that even if you take this ransomware problem, The ability to have full visibility into the payments that are being made actually has helped in a lot of these instances. And you can point to SamSam ransomware, which was an Iranian strain of ransomware that came out several years ago, being able to detect some of these payments and look at the financial infrastructure that’s being used as cash-out points has been critical in causing disruption to what is, you know, inevitably always going to exist as a threat.

And so I think that there’s a growing appreciation that not only cryptocurrency use have generally a really good purpose in providing new types of financial infrastructure and greater financial inclusion, but also actually that the government agencies that are dealing with the ransomware threat have to be able to track and trace it in order to be able to dismantle this type of infrastructure.

MICHAEL MORELL: Jonathan, we were talking about that conventional wisdom, right, that the use of crypto is dominated by illicit finance. Where do you think that comes from? What’s the source of that conventional wisdom?

JONATHAN LEVIN: I think that the origins of some of these narratives come from like the very early days of crypto currencies and some of these narratives just perpetuate based on sort of anecdotal coverage in media outlets. But really, I think you can trace back to the genesis to, you know, crypto currencies were a challenge to the existing financial order. And, you know, it was very early days, like similar to the days in the early Internet where people were very nervous about the Internet being used for bad purposes. And your whole life didn’t depend on apps that you have on your phone. And you didn’t send the email at the time and you didn’t, your whole life wasn’t sort of enhanced by the Internet in the early days of the Internet.

Similar thing happens with cryptocurrency, is that these narratives start out in the very early days of the technology where really those benefits will take 20 to 30 years to fully transform industries and fully become just sort of accepted as the way that the entire world works. And, we’re 10 years into cryptocurrency, so, you know, a few, maybe a few more.

And those use cases are starting to blossom now. And that narrative is changing, but it will take some time before everyone realizes that, you know, their lives and their children’s lives have been sort of impacted in a positive way from cryptocurrency. And that is, in my mind, just an inevitability, the same way that the Internet was an inevitability about the cost of information transfer and the speed of information transfer just dropping to zero.

MICHAEL MORELL: So you, Jonathan, touched a little bit on on the ability to trace these transactions. And I’d love to dive into that a little bit more. And before we do that, maybe you could just explain to people. What the blockchain? How does it work? Why is it important to cryptocurrency? And then we can get into to how the blockchain can be used to actually trace some of these transactions. But what is the blockchain? How does it work?

JONATHEN LEVIN: Yeah, so the blockchain is really the core technology that sits behind cryptocurrencies and effectively it is a record of all the transactions that have happened in cryptocurrency. And the reason why that’s so important is because there is no central party behind Bitcoin or any of these cryptocurrencies. There is only an agreement between everyone about which transactions have happened in the past.

And that is what the technology is and what creates these currencies and means of payment is just that everyone in the world can look at the Bitcoin transaction record and agree that these are the full amount of transactions that have ever happened. And so the fact that these records are there, it means that a company like Chainalysis can look through that to firstly, verify that there’s no other Bitcoin transactions that have ever happened. So we have the complete set of information. And then what we can do is we can build a data set that explains to people what is the purpose behind those transactions, which are the services that exist in the world that actually put those transactions into the blockchain, into the record.

And so what we’ve been doing for the last seven years is building that most comprehensive picture of which of the services have been putting those transactions into the blockchain. And that allows us to then have a complete view of all of the purposes behind these transactions, which then allows people to be able to track and trace. And so we can say which transactions have been associated with ransom payments and which transactions have been associated with regulated industry service providers like the exchanges that exist.

MICHAEL MORELL: So maybe, Jonathan, if you could take us a little bit deeper- how do you identify these illicit actors right on the blockchain?

JONATHAN LEVIN: Yeah. So the nice thing about, you know, the blockchain is that we have this complete record of all transactions that have happened. And so there’s part of this, which is some machine learning and pattern recognition that we have developed. But there’s part of this which is just simple intelligence gathering that we can actually look at reporting information from some of these actors on forums, or we might get some information from some of our customers about which ransom payments they are making on behalf of their customers.

And it allows us to have this picture of information about which of the ransom payments are actually being made on the blockchain. So we depend quite a lot on the ability for people to share information. And I think that is one of the one of the key areas that we actually still need to continue to press on and improve how people share information relating to cryptocurrency payments when it comes to ransom in order to in order to fuel greater disruption.

MICHAEL MORELL: So, Jonathan, can you go beyond just identifying an illicit transaction and actually identifying the illicit actors themselves?

JONATHAN LEVIN: Yeah, so I think that there’s a couple of different ways to think about this. And when it comes to the ability to tie even a single attack back to the actors themselves, we actually are able to do this just because we have the complete picture of what is happening on the blockchain. And so even if we do not get informed that it was a particular ransomware strain that was responsible, you know, oftentimes we’ve been able to just take a payment of interest and tie it back to some previous activity that the actor has been involved in.

And so the interesting thing here is that by creating greater information sharing procedures and protocols, we’re actually going to be able to assemble a much better picture of which attackers are responsible, by which actors and then the question is, well, can you move from that actor and understanding into some real world identities?
And the way in which we’ve seen that happen is through collaborating with industry on being able to get some identifying information, either from the merchant services side of this industry. And when I say merchant services, I mean a lot of the profits from ransomware are being reinvested in cyber infrastructure for further attacks. And actually some of these payment companies are global. Some of them are based here in the United States or in foreign jurisdictions. And there’s really an ability through good the classic sort of law enforcement work to actually find some of these further indicators and build a better picture of who these actors are.

And so one of the things that we have in this country, as well as in friendly jurisdictions, is, you know, cryptocurrency exchanges are regulated and have to comply with AML requirements. And so if it is going to one of those exchanges in a friendly jurisdiction, there’s really good ability to actually get information about one of the identities that are behind those transactions by serving those entities with legal process.

MICHAEL MORELL: And for my listeners who don’t know, AML is anti money laundering. So, Jonathan. A couple of recent cases, we’ve actually seen the ransom that was paid, recovered. So how does that happen and does blockchain analysis play a role there?

JONATHAN LEVIN: Yeah, so I think in all of the cases that involve ransomware, blockchain is going to be crucial to understand the financial network of payments in order to be able to understand the actors that are involved, altering the actors that are spreading it, and the full global network that now exists. And the fortunate thing is, is that with the power of the blockchain, you have the potential to create that full network and really understand where it’s most vulnerable and structure a disruption strategy around it.

And in the case that we saw of the recovery of the payment associated with Colonial Pipeline, the ability to do that really is just about understanding the full network and finding pieces of vulnerability. And so that’s what I think is is critical, is that whenever there are these payments, that there is a full analysis of not only the payment itself, but all other related payments and payments that those actors are making to other people to further their aims and ambitions. And through doing all of that, you start to assess, where can there be vulnerabilities? And in that case, you may actually be able to recover some of the ransom and send a strong message that actually this country does have the capabilities around how to follow payments after a ransomware attack and be able to and actually be able to to disrupt the financial reward that’s on the back end. And I think that this is a big focus of where we should be on the policy side, is this thinking about what are those options of disruption and how can we best maximize the potential for them moving forward?

MICHAEL MORELL: And do you see the attackers learning from the capabilities that we’ve been discussing and have they reacted to that learning?

JONATHAN LEVIN: So I’m sure they’re avid listeners of your podcast, and so, you know, I don’t doubt that the people are learning a lot through the great advances in technology. And it’s clear that this is always going to be a game where the capacity and the capabilities of government agencies to meet their mission is going to continue to increase with a lot more investment. But then the attackers will change.

And I think that there is something fundamental about being able to have this complete picture of the blockchain that in my experience, even though the level of sophistication of some of the actors has changed and they’ve, you know, created some obfuscation strategies and other types of things, we had chances of continue to invest in being able to detect some of this activity and help assist law enforcement in creating some of these cases that we’ve seen. So, you know, I do see it as sort of a continuous sort of proverbial cat and mouse game. But I think it’s something that is just inevitable.

MICHAEL MORELL: So, Jonathan, just maybe a couple of last questions here. And you touched on this a little bit, but maybe a little bit bigger picture. How do we get our arms around the ransomware problem? What should we be doing?

JONATHAN LEVIN: So I think, you know, from our perspective analysis and you know, my personal perspective, I think that the narrative that has been prevailing that you need to treat this with a counterterrorism mindset and consistently put more resources on coordinating a whole government approach and a real assessment of which of the authorities and agencies will be able to disrupt different parts of the ransomware supply chain and cryptocurrency play a really crucial part in enabling the government to actually understand that financial network and map it out.

So to find the most vulnerable parts of that supply chain and engage in strategies to actually disrupt that and create a deterrent from some of the more sort of financially motivated bystanders that are helping facilitate that.
I think there’s a huge international component to this where a lot of the Internet infrastructure that is being leveraged in these attacks is actually sitting in friendly countries. And there are payments being made where there are some real wins in being able to understand and map this out again. I think this is an international coordination problem and we need to we need to be better at forming these international task forces and bodies.
And then finally, I think there’s capacity building and rapid information sharing programs that do already exist and in various forms and in both cyber security and financial intelligence, I think it’s about determining which are the right channels. And we have some really concrete suggestions about which actual pieces of information can be shared with protecting victims from further attack and and vulnerability that would further sort of, again, the potential for disruption, the potential to actually maybe also issue some sort of financial notifications, blacklists, sanctions on some of these entities to to raise the deterrent and damage the financial returns.

And I think that we must think about moving at the speed of the technology and appealing to maybe not only the traditional sort of government mechanisms, but really be innovative about what rapid response looks like. And we’ve started to see that in business email compromise, which is a massive market in terms of financially motivated cybercrime, still sort of bigger, actually, than ransomware. But we need to do the same in ransomware and make sure that we are able to respond internationally at the speed of the technology and reaching out and spending a lot of time thinking about that as well.

MICHAEL MORELL: So, Jonathan, we have about 45 seconds left here. One more question. The long term future of cryptocurrency. Are you a bull or a bear?

JONATHAN LEVIN: I’m a bull. The way that I think about this is there are technologies that exist that have inevitable impacts on the world, the ability for people to program money and form communities over the Internet and build much better and more secure means of exchanging value will inevitably have a huge impact on the way that corporations around the world function, the way that governments around the world function. And so ultimately, I see this as one of the true inevitabilities in the 21st century.

MICHAEL MORELL: Jonathan, thank you. Thanks for joining us. Some fascinating insights. Thanks for taking the time.

JONATHAN LEVIN: Thanks so much for having me.