2020 was a record year for ransomware payments ($692 million), and 2021 is likely to end up even higher once all the data is in, Chainalysis recently reported. Moreover, with the outbreak of war between Russia and Ukraine, ransomware is expected to be used increasingly as a geopolitical tool and not just for profit.
But a new US law could help stem this growing wave of attacks. US President Joe Biden recently signed the US Cyber Security Enhancement Act, or Peters Act, which requires critical infrastructure companies to report significant cyberattacks to the government within 72 hours, and any ransom payment within 24 hours.
Why does it matter? Blockchain analytics is becoming increasingly effective at disrupting ransomware networks, as the Colonial Pipeline case showed last year, when the DOJ recovered $2.3 million of the ransom the pipeline company had paid.
But sustaining that trend requires more data, delivered promptly, above all the malicious cryptocurrency addresses themselves, since almost all ransomware attacks are paid in blockchain-based cryptocurrencies, usually Bitcoin (BTC).
This is where the new law should help, because until now ransomware victims have rarely reported incidents to government agencies or anyone else.
US President Joe Biden, White House Chief of Staff and Budget Director Shalanda Young, March 28, 2022. Source: Reuters/Kevin Lamarck.
“That would be very helpful,” Roman Beda, head of fraud investigations at Coinfirm, told Cointelegraph. “The ability to ‘identify’ certain currencies, addresses or transactions locally as ‘risky’ […] allows all users to detect risks even before money laundering attempts.”
“This will definitely help with blockchain forensic analysis,” said Alan Liska, senior intelligence analyst at Recorded Future. “While ransomware groups often exchange wallets for each ransomware attack, the money ends up flowing into one wallet. Blockchain researchers have connected these dots very well.” They have managed to do so despite the obfuscation and other tactics used by ransomware gangs and their money-laundering confederates.
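The dot-connecting Liska describes can be sketched in code. The following is an added example, not code from Cointelegraph, Recorded Future or any firm quoted on this page; the ledger is constructed and every address name is hypothetical. Starting from two addresses assumed to be confirmed ransom drops, it traces payments forward through a toy transaction graph to find the address where the separate flows converge, and then applies the common-input-ownership heuristic (addresses spent together in one transaction are assumed to belong to one wallet). That heuristic is exactly what CoinJoin-style mixing is designed to break, which is the caveat in the code.

```python
from collections import defaultdict, deque

# Constructed toy ledger (not real chain data). Each entry is one transaction:
# the addresses it spends from and the addresses/amounts it pays to.
# Two victims pay two different ransom addresses; each ransom is moved one
# hop and then both hops are swept into a single cash-out address.
LEDGER = [
    {"id": "t1", "inputs": ["victimA"], "outputs": {"ransom1": 5.0}},
    {"id": "t2", "inputs": ["victimB"], "outputs": {"ransom2": 3.0}},
    {"id": "t3", "inputs": ["ransom1"], "outputs": {"hop1": 4.9, "change1": 0.1}},
    {"id": "t4", "inputs": ["ransom2"], "outputs": {"hop2": 2.9, "change2": 0.1}},
    {"id": "t5", "inputs": ["hop1", "hop2"], "outputs": {"cashout": 7.8}},
    {"id": "t6", "inputs": ["unrelated"], "outputs": {"shop": 1.0}},  # noise
]

# Seed set: addresses assumed already confirmed as ransomware (e.g. from a
# victim's 24-hour payment report). Hypothetical names.
KNOWN_RANSOM = {"ransom1", "ransom2"}


def outgoing_edges(ledger):
    """Map each address to the (address, txid, amount) outputs it funded."""
    edges = defaultdict(list)
    for tx in ledger:
        for src in tx["inputs"]:
            for dst, amount in tx["outputs"].items():
                edges[src].append((dst, tx["id"], amount))
    return edges


def trace_forward(ledger, seeds, max_hops=10):
    """Breadth-first taint tracing: for every address reachable from a seed
    within max_hops, record which seeds reach it."""
    edges = outgoing_edges(ledger)
    reached_by = defaultdict(set)
    for seed in seeds:
        queue = deque([(seed, 0)])
        seen = {seed}
        while queue:
            addr, depth = queue.popleft()
            reached_by[addr].add(seed)
            if depth >= max_hops:
                continue
            for dst, _txid, _amount in edges[addr]:
                if dst not in seen:
                    seen.add(dst)
                    queue.append((dst, depth + 1))
    return reached_by


def convergence_points(reached_by, min_seeds=2):
    """Addresses fed by at least min_seeds distinct seeds: the one wallet
    the money from separate attacks ends up flowing into."""
    return sorted(a for a, s in reached_by.items() if len(s) >= min_seeds)


def coinput_clusters(ledger):
    """Common-input-ownership heuristic via union-find: all inputs of one
    transaction are assumed to be controlled by the same entity.
    Caveat: CoinJoin transactions violate this assumption by design."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger:
        roots = [find(a) for a in tx["inputs"]]
        for r in roots[1:]:
            if r != roots[0]:
                parent[r] = roots[0]
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return {a: frozenset(members) for members in clusters.values() for a in members}


def entity_of(addr, ledger):
    """Addresses clustered with addr (addr alone if it never co-spent)."""
    return coinput_clusters(ledger).get(addr, frozenset({addr}))


if __name__ == "__main__":
    reached = trace_forward(LEDGER, KNOWN_RANSOM)
    print("convergence:", convergence_points(reached))         # ['cashout']
    print("hop1 cluster:", sorted(entity_of("hop1", LEDGER)))  # ['hop1', 'hop2']
```

On real chain data the same two steps run over UTXO-level edges rather than address-level ones, and the seed set is what victim reports supply; without confirmed seeds the forward trace has nowhere to start.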
Siddhartha Dalal, Professor of Professional Practice at Columbia University, agrees. Last year, Dalal co-authored a paper titled “Identifying Ransomware Actors in the Bitcoin Network,” which described how he and his colleagues used graph-based machine learning algorithms and blockchain analysis to identify ransomware attackers with “85% prediction accuracy” on test datasets.
Although the results were encouraging, the authors said they could achieve greater accuracy by further refining the algorithms and, most importantly, by “getting more and more reliable data.”
The problem for forensic models here is that they work with highly imbalanced, or skewed, data. The Columbia researchers had 400 million bitcoin transactions and almost 40 million bitcoin addresses to work with, but only 143 of those addresses were verified ransomware addresses. In other words, benign transactions vastly outnumber fraudulent ones. Trained on such skewed data, a model will either flag many false positives or simply miss the fraudulent minority.
Beda of Coinfirm gave an example of this problem in an interview last year:
“Let’s say you want to create a model that extracts dog images from a set of cat images, but you have a training dataset with 1,000 cat images and only one dog image. The machine learning model will learn that it’s a good idea to treat all images as cat images because the margin of error is [only] 0.001.”
In other words, the algorithm will “guess ‘cat’ all the time, which of course renders the model useless even if it scores high on overall accuracy.”
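Beda’s “always cat” model is a majority-class classifier, and the Columbia numbers make the point concrete. The following added example (not from the paper, Coinfirm or Cointelegraph) builds a constructed dataset at the paper’s ratio, 143 ransomware addresses among 40,000 (the 40 million scaled down), with a made-up integer risk score, and compares “always benign”, “flag everything” and a score threshold. It shows a model that catches nothing scoring 99.6% accuracy, balanced accuracy exposing it, and the false-positive price of pushing recall to 90% when the classes overlap.

```python
# Constructed data (not the paper's): 40,000 addresses, 143 labelled ransomware,
# mirroring the ~40M-addresses / 143-ransomware ratio of the Columbia study at
# a smaller scale. Scores are a made-up integer "risk score" 0..100 chosen so
# that everything below is deterministic: positives score 40..100, negatives
# 0..69, so the two classes overlap in the 40..69 band.
N_TOTAL = 40_000
N_RANSOM = 143


def constructed_dataset():
    """Return (labels, scores); label 1 = ransomware address, 0 = benign."""
    labels, scores = [], []
    for i in range(N_RANSOM):
        labels.append(1)
        scores.append(40 + (60 * i) // (N_RANSOM - 1))
    for j in range(N_TOTAL - N_RANSOM):
        labels.append(0)
        scores.append((j % 100) * 7 // 10)
    return labels, scores


def confusion(y_true, y_pred):
    """(tp, fp, fn, tn) with the ransomware class as positive."""
    tp = fp = fn = tn = 0
    for t, p in zip(y_true, y_pred):
        if t and p:
            tp += 1
        elif p:
            fp += 1
        elif t:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def metrics(y_true, y_pred):
    tp, fp, fn, tn = confusion(y_true, y_pred)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0       # true positive rate
    tnr = tn / (tn + fp) if tn + fp else 0.0           # true negative rate
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {
        "accuracy": (tp + tn) / len(y_true),
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "balanced_accuracy": (recall + tnr) / 2,   # not fooled by the class ratio
        "fp": fp,
    }


def always_benign(y_true):
    """Beda's 'always cat' model: never flags anything."""
    return [0] * len(y_true)


def flag_everything(y_true):
    """The opposite degenerate model: flags every address."""
    return [1] * len(y_true)


def threshold_classifier(scores, threshold):
    return [1 if s >= threshold else 0 for s in scores]


def best_threshold(y_true, scores, metric):
    """Threshold in 0..100 maximising one metric (lowest threshold on ties)."""
    best_t, best_v = None, -1.0
    for t in range(101):
        v = metrics(y_true, threshold_classifier(scores, t))[metric]
        if v > best_v:
            best_t, best_v = t, v
    return best_t, best_v


def threshold_for_recall(y_true, scores, target):
    """Highest threshold that still reaches the target recall, with its metrics.
    Returns (None, None) if even threshold 0 cannot reach it."""
    for t in range(100, -1, -1):
        m = metrics(y_true, threshold_classifier(scores, t))
        if m["recall"] >= target:
            return t, m
    return None, None


if __name__ == "__main__":
    labels, scores = constructed_dataset()
    for name, pred in (("always benign", always_benign(labels)),
                       ("flag everything", flag_everything(labels))):
        m = metrics(labels, pred)
        print(f"{name:16s} acc={m['accuracy']:.4f} recall={m['recall']:.3f} "
              f"precision={m['precision']:.4f} bal_acc={m['balanced_accuracy']:.2f}")
    t, acc = best_threshold(labels, scores, "accuracy")
    print(f"best accuracy: threshold={t} acc={acc:.4f}")   # threshold=70, still misses 71 of 143
    t, m = threshold_for_recall(labels, scores, 0.9)
    print(f"recall>=0.9: threshold={t} false positives={m['fp']}")  # threshold=45, 13930 false positives
```

The accuracy-maximising threshold here catches only 72 of the 143 ransomware addresses, and reaching 90% recall costs 13,930 false positives for 131 true hits; that is the trade-off the paragraph above describes, and why balanced accuracy, precision and recall, not raw accuracy, are the numbers to ask for.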
Dalal was asked whether the new US legislation would help expand the public dataset of “rogue” bitcoin and other cryptocurrency addresses needed for better blockchain analysis of ransomware networks.
“There is no doubt about that,” Dalal told Cointelegraph. “Of course, more data is always useful for any analysis.” More importantly, because the law requires ransom payments to be disclosed within 24 hours, there is “a greater chance of recovery, as well as the ability to identify servers and attack methods so that other potential victims can take defensive steps to protect themselves,” he added, since most attackers reuse the same malware against other victims.