
How the ransomware business boomed — and where it goes next

Chainalysis CTO Gurvais Grigg on the rise in ransomware, and what companies should be doing to protect themselves.

The ransomware dilemma: To pay or not to pay?
Photo: Alexander Ryumin\TASS via Getty Images

After more than two decades at the FBI, Gurvais Grigg was looking for something to do post-retirement. So he picked … cryptocurrency and financial crimes. Grigg is now the global public sector CTO at Chainalysis, where he spends his time working with companies and governments on financial investigations involving cryptocurrency and the blockchain. "When I looked at emerging tech and this new market space, the ability to work in a company that's engaged in crypto-financial investigations and supporting the public sector was just the perfect combination for me," he said.

One of Grigg's primary focuses has been ransomware, which is one of the fastest-growing sectors of online crime. The ransomware business has hit the public consciousness thanks to the shutdown of the Colonial Pipeline and the attack on JBS, the U.S.'s largest meat manufacturer, as well as a series of other high-profile attacks. Ransomware is a huge business, and an increasingly mature one.

Grigg joined the Source Code podcast to explain the rise in ransomware, how the industry works (and its eerie parallels to the rest of the tech industry) and what governments and companies should be doing to protect themselves.

You can listen to our full conversation on this episode of the Source Code podcast. (Subscribe to the show: Apple Podcasts | Spotify | Overcast | Pocket Casts) Below are excerpts from our conversation, lightly edited for length and clarity.

The first thing I want to do is separate fact from fiction here. It seems like, on the surface, that we are in a moment of ransomware, where it feels like it is the biggest threat in the cybersecurity world. Is that true? Or have there just been a couple of high-profile examples that are scaring people?

Well, there certainly have been a number of high-profile ransomware events that have captured the public's attention. But this has been quietly building in the background for some time. In fact, our data shows that ransomware is the fastest-growing category of illicit use on the cryptocurrency blockchain. So you're right, it has captured the public attention of late, but it has been building. Even through the pandemic, we were seeing ransomware attacks against health care providers, hospitals and others. And so you see this growing emergence of ransomware across the spectrum.

Why ransomware, as opposed to any of the other illicit cyber tools out there?

Frauds and scams still make up the largest percentage of illicit use on the blockchain, but ransomware is rapidly growing. So much of our life and businesses is wrapped up in the data of these companies. And because that data is designed to be hyper available, it also makes it potentially vulnerable. And criminals naturally gravitate to where they can make money and make money quickly. And there's a whole ransomware supply chain, and this cottage industry that's emerging, that is facilitating and perhaps fueling the acceleration of ransomware attacks.

One of the things that has amazed me, the more I've learned about this, is the extent to which the ransomware industry and the regular, above-board software industry are basically exactly the same. You replace a couple of nouns here and there. Can you explain that supply chain to me? How does this industry actually sort of come together?

So let's go back. In the old days, if an individual wanted to carry out a ransomware attack, they had to have a level of sophistication themselves. They would design their tool, they would design their exfil, they would try to arrange where they could store the data that they're going to steal. They had to make arrangements to figure out: What am I going to do with payments if I get them? How am I going to obfuscate that and launder it?

Well, now they can turn to a whole industry that can provide each of those services a la carte. I can go and find my illicit cloud provider who will store my stolen data. I can go to an administrator who can provide a series of tools that I rent from him that I can use to exfil my data and invade a system. I make arrangements with some mixers who maybe can help me launder my ill-gotten gains if I'm successful. I then make an arrangement with a cash-out point; they'll help me turn that cryptocurrency back into fiat. And so I end up having to pay people all along the way.

And oh, by the way, you've got to get that in place before you conduct your attack. There are potentials, then, to move left of the event — to look at campaigns that are building as individuals put these things in place before they carry out their attack. So it isn't just a surprise ransomware attack, you can see a campaign building.

This ransomware supply chain is global. And they access individuals in multiple jurisdictions to put all of this in place before the attack.

So basically, there's the ransomware equivalent of AWS, and there's the ransomware equivalent of Stripe, and there's the ransomware equivalent of Shopify, and you can basically build your whole ransomware system without needing much technical expertise at all.

The dark net offers individuals with very limited technical capabilities to be able to carry out successful ransomware attacks, whereas before it was reserved for perhaps the most sophisticated and talented cyber actors. And there are still those, certainly, I don't mean to undersell that point. But it has reduced the barriers to entry, which is both scary and fascinating.

What's your sense of the size of that industry?

If we look at this year, we have over $127 million that we've identified so far as associated with ransomware campaigns this year. And of course, that's only the data that we can see. And there's always an inherent underreporting here, right? Last year was over $412 million, the previous year, $93 million. So certainly last year was a banner year for ransomware. And it remains to be seen what this year is going to look like. But if you look at that data and that volume trend, it's certainly a growing industry, and that begins to give you a scope of the magnitude and impact that this is having.

Is bitcoin the dominant player in the space, like it is in most of the crypto space? Or are criminals, like, migrating to dogecoin or something else that's out there?

The data that we see indicates that the vast majority, for example, of ransomware payments are still being made in bitcoin. While some have attempted to use other privacy coins, or those that offer what they believe is an additional level of anonymity, we just haven't seen the large-scale adoption of those other coins.

Why? Because liquidity is king, and the ability to receive value, transfer that value and cash out that value is what they're after. And the more difficult it is to do that, the less incentives there are to use other forms of value transfer. Ransomware used to use prepaid gift cards, wire transfers and other things like that! So they're going to migrate to those things that allow them the easiest use and the most liquidity. And right now, these mainstream coins like bitcoin and other stablecoins offer that.

And how do you think about regulation more broadly right now? It seems like there is a clear sense, especially after the Colonial Pipeline hack and some of the other stuff that's been happening recently, that this is a real, nationwide threat that the government needs to be worrying about. But I get a sense, from the folks that I've talked to about this, that the what and how of regulating and solving some of these problems is really tricky. What do you think they're thinking about right now?

Well, you're right that it is a challenge. And it's complex. There's no one single silver bullet that's going to disrupt the ransomware or mitigate it, but it will take a series of coordinated actions across different government agencies. So the combined power of, let's say, a regulatory and tax agency, combined with a Securities Exchange effort to monitor some of these activities, law enforcement work to interdict particular actors, government policy that influences jurisdictions to more fully cooperate or self-regulate those entities that are operating within their jurisdictions.

It takes the whole of government to solve nationwide problems, and in this instance, because it's an international effort, it really is going to take a whole world of government solutions.

Do you think that can happen quickly? I admit to not having a ton of faith in the government's ability to keep up with tech in some of this stuff. Can it keep up here?

When you look at the impact these kinds of things are having on the everyday life of citizens in these countries, it's not just some obscure government agency who couldn't access their data for a period of time, or some manufacturer that has such a small segment of the economy that most people didn't notice. All parts of life are being impacted, from government agencies to critical infrastructure industries. And that means now everybody's got a stake in this.

The higher the stakes, the more participants, the greater the energy to overcome that initial inertia that sometimes drags down efforts like this. So you saw the formation of the Ransomware Task Force announced in December, where industry researchers and others have come together to put together potential policy recommendations of how we could work as a community. You saw the White House released a statement recently calling on industry to work together more closely with the government in a public-private partnership arrangement. I think you're going to see more of those kinds of efforts. Those in the past have demonstrated the ability to be successful if you have a unified approach, and that's what it's going to take.

So, having never been the victim of a ransomware attack — knock on wood — help me understand how this process goes. Is it like, I'm a company CEO, and I wake up one morning, and there's an email in my inbox that's like, "We have all your stuff, give us some money?"

Unfortunately, it can happen exactly like that. You wake up, and for some reason, your email server or your shared drives are not working. And the next thing you know, you get a call from your data-ops center saying, "We can't access the data, and our backups are not available," and the whole infrastructure begins to cascade and fall down. Those are calls that CEOs and chief security officers dread receiving, and unfortunately are happening all too often.

Then what? The answer seems to be don't pay it, don't negotiate with them. But if I'm a company CEO trying to deal with this stuff, the idea of not paying is sort of terrifying. So what's step one there?

It's to contact the authorities. Time is your friend, but it's also your enemy. And the longer you wait to take action, and to get going, the more your options begin to narrow. Authorities announced the other day that the position was still not to pay ransoms. But if you do, please let us know. Let us know quickly.

[At Chainalysis] we don't really have a position on that, I can just say that we do help both industry and government deal with the mitigation and fallout, and how to conduct those investigations. But more importantly, what can they do to prepare themselves so that doesn't happen in the first place?

What do you tell companies or people or governments who are nervous about this, haven't been victimized by ransomware yet and are trying to figure out where to start?

The first thing is to focus on the level of crypto literacy. Do you have a cryptocurrency response plan? If not, spend some time looking at how to develop one. Do you have the data you would need if an incident of that nature were to occur? Have you made the arrangements? Have you trained your staff to understand it and how to watch out for it? Is that part of your overall strategy response? So we encourage organizations, whether they're in the government or in the financial services industry, to spend some time and invest in developing a cryptocurrency and ransomware mitigation strategy.

We spend a lot of time on capacity building, education and thought leadership in this space. I think there's still more to be done there to raise awareness about the impact that these threats are having, as well as the opportunity to counter that first narrative that we began with: that, well, cryptocurrency is anonymous, and I can't do anything about it. Once it's gone, it can never be gotten back. That's simply not the case in every instance. And if you have the right data, the tools, and you act quickly, there are things that can be done. And then there are things you can do. You don't have to be a victim. And you can prepare.

It's like putting the locks on your door, right? It won't solve all problems, but it will solve a lot of problems. And not enough companies and governments and people have done that. And that's one thing I hope we get to very quickly.

Agreed. It's funny, when you do post mortems on these incidents, it doesn't explain every scenario, but is your company updating, protecting and backing up your information? If you lose access to your information, when was your last backup? Where's it stored? And how easy is it to be accessed? Is it also protected, or is it going to become vulnerable to the same?

If you store your backup in the same place where you live, if one goes down, the other does. Have you trained your staff? Do you have an ongoing training and refresher program? What's your network monitoring looking like? Are you making sure you're not becoming a victim of cryptojacking or illicit crypto-mining, actually stealing your own power to do crypto mining? Are you employing those best practices for your credential management, and making sure that you're updating and keeping your leadership and your staff aware of your crypto response strategy?

Those are basic cyber hygiene things that you will hear about in any good cyber forum. And yet they're oftentimes neglected in part or in whole, in some parts of our environments, and criminals look for unlocked doors.

How quickly is the ransomware industry itself changing? It has sort of exploded both in the financial impact and in public consciousness over the last 12 months. Is the industry itself going to shift a bunch as it becomes more well known, and the ways to stop it become more well known? How cat and mouse is this game going to be?

It will be cat and mouse. If we look at any other emerging threat or trend, it is a cat and mouse: One side makes a change, the other side makes a response. So we'll see that.

The first generation of ransomware was, I come in, I lock up your data and I demand a payment. Now I come in, I lock up your data, I demand a payment, but I also maybe steal your data, resell it to someone else and get a double profit. And then the next evolution of that is, I come in, I lock up your data and demand the payment, I steal your data, I sell it to someone else, and then I also threaten you to DDoS you if you don't pay me.

So you just see this escalation and this variation. What will that next inflection point look like? It's interesting to postulate. I'm not sure what that's going to be, but it will happen and it will evolve.

Protocol | Fintech

Amazon wants a crypto play. Its history in payments is not encouraging.

It missed chances to be PayPal, Square and Stripe — so is this its chance to miss being Coinbase, too?

Amazon wants to be a crypto player.

Image: NurPhoto/Getty Images

The news that Amazon was hiring a lead for a new digital currency and blockchain initiative sent the price of bitcoin soaring. But there's another way to look at the news that's less bullish on bitcoin and bearish on Amazon: 13 years after Satoshi Nakamoto's whitepaper appeared on the internet, Amazon is just discovering cryptocurrency?

That may be a bit unkind, but the truth is sometimes unkind. And the reality is that Amazon has a long history of stumbles and missed opportunities in payments, which goes back more than two decades to the company's purchase of internet payments startup Accept.com.

Owen Thomas

Owen Thomas is a senior editor at Protocol overseeing venture capital and financial technology coverage. He was previously business editor at the San Francisco Chronicle and before that editor-in-chief at ReadWrite, a technology news site. You're probably going to remind him that he was managing editor at Valleywag, Gawker Media's Silicon Valley gossip rag. He lives in San Francisco with his husband and Ramona the Love Terrier, whom you should follow on Instagram.

Over the last year, financial institutions have experienced unprecedented demand from their customers for exposure to cryptocurrency, and we've seen an inflow of institutional dollars driving bitcoin and other cryptocurrencies to record prices. Some banks have already launched cryptocurrency programs, but many more are evaluating the market.

That's why we've created the Crypto Maturity Model: an iterative roadmap for cryptocurrency product rollout, enabling financial institutions to evaluate market opportunities while addressing compliance requirements.

Caitlin Barnett, Chainalysis
Caitlin’s legal and compliance experience encompasses both cryptocurrency and traditional finance. As Director of Regulation and Compliance at Chainalysis, she helps leading financial institutions strategize and build compliance programs in order to adopt cryptocurrencies and offer new products to their customers. In addition, Caitlin helps facilitate dialogue with regulators and the industry on key policy issues within the cryptocurrency industry.
Protocol | Enterprise

How Google Cloud plans to kill its ‘Killed By Google’ reputation

Under the new Google Enterprise APIs policy, the company is making a promise that its services will remain available and stable far into the future.

Google Cloud CEO Thomas Kurian has promised to make the company more customer-friendly.

Photo: Michael Short/Bloomberg via Getty Images 2019

Google Cloud issued a promise Monday to current and potential customers that it's safe to build a business around its core technologies, another step in its transformation from an engineering playground to a true enterprise tech vendor.

Starting Monday, Google will designate a subset of APIs across the company as Google Enterprise APIs, including APIs from Google Cloud, Google Workspace and Google Maps. APIs selected for this category — which will include "a majority" of Google Cloud APIs according to Kripa Krishnan, vice president at Google Cloud — will be subject to strict guidelines regarding any changes that could affect customer software built around those APIs.

Tom Krazit

Tom Krazit (@tomkrazit) is Protocol's enterprise editor, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire, and served as executive editor of Gigaom and Structure.

Amazon job opening points to plan to accept crypto payments

The news sparked a rally in the values of bitcoin and other cryptocurrencies.

Amazon may be planning to let customers pay for orders with cryptocurrencies.

Photo: David Ryder/Getty Images

Amazon is looking to hire a digital currency and blockchain expert, suggesting a plan to let customers pay for orders with cryptocurrencies.

The tech giant's job opening says Amazon is looking for "an experienced product leader" to help develop the company's "digital currency and blockchain strategy and roadmap." Amazon is looking for a product leader with expertise in blockchain, distributed ledger, central bank digital currencies and cryptocurrency.

Benjamin Pimentel

Benjamin Pimentel (@benpimentel) covers fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Signal at (510)731-8429.

Protocol | Policy

Big Tech tried to redefine terrorism online. It got messy fast.

The Global Internet Forum to Counter Terrorism announced a series of narrow steps it's taking that underscore just how fraught the job of classifying terror online really is.

Erin Saltman is GIFCT's director of programming.

Photo: Paul Morigi/Flickr

A little over a month after the Jan. 6 riot, the tech industry's leading anti-terrorism alliance — a group founded by Facebook, YouTube, Microsoft and Twitter — announced it was seeking ideas for how it could expand its definition of terrorism, which had for years been more or less synonymous with Islamic terrorism. The group, called the Global Internet Forum to Counter Terrorism or GIFCT, had been considering such a shift for at least a year, but the rising threat of domestic extremism, punctuated by the Capitol uprising, made it all the more clear something needed to change.

But after months of interviewing member companies, months of considering academic proposals and months spent mulling the impact of tech platforms on this and other violent events around the world, the group's policies have barely budged. On Monday, in a 177-page report, GIFCT released the first details of its plan, and, well, a radical rethinking of online extremism it is not. Instead, the report lays out a series of narrow steps that underscore just how fraught the job of classifying terror online really is.

Issie Lapowsky

Issie Lapowsky (@issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.
