
How the ransomware business boomed — and where it goes next

Chainalysis CTO Gurvais Grigg on the rise in ransomware, and what companies should be doing to protect themselves.

The ransomware dilemma: To pay or not to pay?
Photo: Alexander Ryumin\TASS via Getty Images

After more than two decades at the FBI, Gurvais Grigg was looking for something to do post-retirement. So he picked … cryptocurrency and financial crimes. Grigg is now the global public sector CTO at Chainalysis, where he spends his time working with companies and governments on financial investigations involving cryptocurrency and the blockchain. "When I looked at emerging tech and this new market space, the ability to work in a company that's engaged in crypto-financial investigations and supporting the public sector was just the perfect combination for me," he said.

One of Grigg's primary focuses has been ransomware, which is one of the fastest-growing sectors of online crime. The ransomware business has hit the public consciousness thanks to the shutdown of the Colonial Pipeline and the attack on JBS, the U.S.'s largest meat manufacturer, as well as a series of other high-profile attacks. Ransomware is a huge business, and an increasingly mature one.

Grigg joined the Source Code podcast to explain the rise in ransomware, how the industry works (and its eerie parallels to the rest of the tech industry) and what governments and companies should be doing to protect themselves.

You can listen to our full conversation on this episode of the Source Code podcast. Below are excerpts from our conversation, lightly edited for length and clarity.

The first thing I want to do is separate fact from fiction here. It seems like, on the surface, that we are in a moment of ransomware, where it feels like it is the biggest threat in the cybersecurity world. Is that true? Or have there just been a couple of high-profile examples that are scaring people?

Well, there certainly have been a number of high-profile ransomware events that have captured the public's attention. But this has been quietly building in the background for some time. In fact, our data shows that ransomware is the fastest-growing category of illicit use on the cryptocurrency blockchain. So you're right, it has captured the public attention of late, but it has been building. Even through the pandemic, we were seeing ransomware attacks against health care providers, hospitals and others. And so you see this growing emergence of ransomware across the spectrum.

Why ransomware, as opposed to any of the other illicit cyber tools out there?

Frauds and scams still make up the largest percentage of illicit use on the blockchain, but ransomware is rapidly growing. So much of our life and businesses is wrapped up in the data of these companies. And because that data is designed to be hyper available, it also makes it potentially vulnerable. And criminals naturally gravitate to where they can make money and make money quickly. And there's a whole ransomware supply chain, and this cottage industry that's emerging, that is facilitating and perhaps fueling the acceleration of ransomware attacks.

One of the things that has amazed me, the more I've learned about this, is the extent to which the ransomware industry and the regular, above-board software industry are basically exactly the same. You replace a couple of nouns here and there. Can you explain that supply chain to me? How does this industry actually sort of come together?

So let's go back. In the old days, if an individual wanted to carry out a ransomware attack, they had to have a level of sophistication themselves. They would design their tool, they would design their exfil, they would try to arrange where they could store the data that they're going to steal. They had to make arrangements to figure out: What am I going to do with payments if I get them? How am I going to obfuscate that and launder it?

Well, now they can turn to a whole industry that can provide each of those services a la carte. I can go and find my illicit cloud provider who will store my stolen data. I can go to an administrator who can provide a series of tools that I rent from him that I can use to exfil my data and invade a system. I make arrangements with some mixers who maybe can help me launder my ill-gotten gains if I'm successful. I then make an arrangement with a cash-out point; they'll help me turn that cryptocurrency back into fiat. And so I end up having to pay people all along the way.

And oh, by the way, you've got to get that in place before you conduct your attack. There are potentials, then, to move left of the event — to look at campaigns that are building as individuals put these things in place before they carry out their attack. So it isn't just a surprise ransomware attack, you can see a campaign building.

This ransomware supply chain is global. And they access individuals in multiple jurisdictions to put all of this in place before the attack.

So basically, there's the ransomware equivalent of AWS, and there's the ransomware equivalent of Stripe, and there's the ransomware equivalent of Shopify, and you can basically build your whole ransomware system without needing much technical expertise at all.

The dark net offers individuals with very limited technical capabilities the ability to carry out successful ransomware attacks, whereas before it was reserved for perhaps the most sophisticated and talented cyber actors. And there are still those, certainly; I don't mean to undersell that point. But it has reduced the barriers to entry, which is both scary and fascinating.

What's your sense of the size of that industry?

If we look at this year, we have over $127 million that we've identified so far as associated with ransomware campaigns this year. And of course, that's only the data that we can see. And there's always an inherent underreporting here, right? Last year was over $412 million, the previous year, $93 million. So certainly last year was a banner year for ransomware. And it remains to be seen what this year is going to look like. But if you look at that data and that volume trend, it's certainly a growing industry, and that begins to give you a scope of the magnitude and impact that this is having.

Is bitcoin the dominant player in the space, like it is in most of the crypto space? Or are criminals, like, migrating to dogecoin or something else that's out there?

The data that we see indicates that the vast majority, for example, of ransomware payments are still being made in bitcoin. While some have attempted to use other privacy coins, or those that offer what they believe is an additional level of anonymity, we just haven't seen the large-scale adoption of those other coins.

Why? Because liquidity is king, and the ability to receive value, transfer that value and cash out that value is what they're after. And the more difficult it is to do that, the less incentives there are to use other forms of value transfer. Ransomware used to use prepaid gift cards, wire transfers and other things like that! So they're going to migrate to those things that allow them the easiest use and the most liquidity. And right now, these mainstream coins like bitcoin and other stablecoins offer that.

And how do you think about regulation more broadly right now? It seems like there is a clear sense, especially after the Colonial Pipeline hack and some of the other stuff that's been happening recently, that this is a real, nationwide threat that the government needs to be worrying about. But I get a sense, from the folks that I've talked to about this, that the what and how of regulating and solving some of these problems is really tricky. What do you think they're thinking about right now?

Well, you're right that it is a challenge. And it's complex. There's no one single silver bullet that's going to disrupt the ransomware or mitigate it, but it will take a series of coordinated actions across different government agencies. So the combined power of, let's say, a regulatory and tax agency, combined with a Securities Exchange effort to monitor some of these activities, law enforcement work to interdict particular actors, government policy that influences jurisdictions to more fully cooperate or self-regulate those entities that are operating within their jurisdictions.

It takes the whole of government to solve nationwide problems, and in this instance, because it's an international effort, it really is going to take a whole world of government solutions.

Do you think that can happen quickly? I admit to not having a ton of faith in the government's ability to keep up with tech in some of this stuff. Can it keep up here?

When you look at the impact these kinds of things are having on the everyday life of citizens in these countries, it's not just some obscure government agency who couldn't access their data for a period of time, or some manufacturer that has such a small segment of the economy that most people didn't notice. All parts of life are being impacted, from government agencies to critical infrastructure industries. And that means now everybody's got a stake in this.

The higher the stakes, the more participants, the greater the energy to overcome that initial inertia that sometimes drags down efforts like this. So you saw the formation of the Ransomware Task Force announced in December, where industry researchers and others have come together to put together potential policy recommendations of how we could work as a community. You saw the White House release a statement recently calling on industry to work together more closely with the government in a public-private partnership arrangement. I think you're going to see more of those kinds of efforts. Those in the past have demonstrated the ability to be successful if you have a unified approach, and that's what it's going to take.

So, having never been the victim of a ransomware attack — knock on wood — help me understand how this process goes. Is it like, I'm a company CEO, and I wake up one morning, and there's an email in my inbox that's like, "We have all your stuff, give us some money?"

Unfortunately, it can happen exactly like that. You wake up, and for some reason, your email server or your shared drives are not working. And the next thing you know, you get a call from your data-ops center saying, "We can't access the data, and our backups are not available," and the whole infrastructure begins to cascade and fall down. Those are calls that CEOs and chief security officers dread receiving, and unfortunately are happening all too often.

Then what? The answer seems to be don't pay it, don't negotiate with them. But if I'm a company CEO trying to deal with this stuff, the idea of not paying is sort of terrifying. So what's step one there?

It's to contact the authorities. Time is your friend, but it's also your enemy. And the longer you wait to take action, and to get going, the more your options begin to narrow. Authorities announced the other day that the position was still not to pay ransoms. But if you do, please let us know. Let us know quickly.

[At Chainalysis] we don't really have a position on that; I can just say that we do help both industry and government deal with the mitigation and fallout, and how to conduct those investigations. But more importantly, what can they do to prepare themselves so that doesn't happen in the first place?

What do you tell companies or people or governments who are nervous about this, haven't been victimized by ransomware yet and are trying to figure out where to start?

The first thing is to focus on the level of crypto literacy. Do you have a cryptocurrency response plan? If not, spend some time looking at how to develop one. Do you have the data you would need if an incident of that nature were to occur? Have you made the arrangements? Have you trained your staff to understand that, and how to watch out for it? Is that part of your overall strategy response? So we encourage organizations, whether they're in the government or in the financial services industry, to spend some time and invest in developing a cryptocurrency and ransomware mitigation strategy.

We spend a lot of time on capacity building, education and thought leadership in this space. I think there's still more to be done there to raise awareness about the impact that these threats are having, as well as the opportunity to counter that first narrative that we began with: that, well, cryptocurrency is anonymous, and I can't do anything about it. Once it's gone, it can never be gotten back. That's simply not the case in every instance. And if you have the right data, the tools, and you act quickly, there are things that can be done. And then there are things you can do. You don't have to be a victim. And you can prepare.

It's like putting the locks on your door, right? It won't solve all problems, but it will solve a lot of problems. And not enough companies and governments and people have done that. And that's one thing I hope we get to very quickly.

Agreed. It's funny, when you do post mortems on these incidents, it doesn't explain every scenario, but is your company updating, protecting and backing up your information? If you lose access to your information, when was your last backup? Where's it stored? And how easy is it to be accessed? Is it also protected, or is it going to become vulnerable to the same?

If you store your backup in the same place where you live, if one goes down, the other does. Have you trained your staff? Do you have an ongoing training and refresher program? What's your network monitoring looking like? Are you making sure you're not becoming a victim of cryptojacking or illicit crypto-mining, actually stealing your own power to do crypto mining? Are you employing those best practices for your credential management, and making sure that you're updating and keeping your leadership and your staff aware of your crypto response strategy?

Those are basic cyber hygiene things that you will hear about in any good cyber forum. And yet they're oftentimes neglected in part or in whole, in some parts of our environments, and criminals look for unlocked doors.
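The backup questions Grigg raises above (when was the last backup, where is it stored, is it co-located with production, is it protected from the same attacker, has a restore been tested) can be turned into an automated readiness check. The following Python script is an added example, not code from Chainalysis or the interview; it assumes a constructed backup inventory in the shape shown, with hypothetical dataset and site names.

```python
"""Backup-readiness check against the hygiene questions in the interview.

Each entry in the inventory is one backup copy of one dataset. A copy is
flagged when it is co-located with production (one outage takes both),
writable (the attacker who encrypts production can encrypt it too),
stale (older than the allowed backup window), or untested (no recent
restore test, so "how easy is it to access" is unknown).
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the results are reproducible; replace with datetime.now(timezone.utc).
NOW = datetime(2021, 6, 15, 12, 0, tzinfo=timezone.utc)
MAX_BACKUP_AGE = timedelta(hours=24)        # acceptable data-loss window
MAX_RESTORE_TEST_AGE = timedelta(days=90)   # how often a restore must be rehearsed

# Constructed inventory with hypothetical names, one record per backup copy.
INVENTORY = [
    {"dataset": "file-share", "prod_site": "hq-dc", "backup_site": "hq-dc",
     "last_backup": "2021-06-15T01:00:00Z", "immutable": False,
     "last_restore_test": "2021-01-10T00:00:00Z"},
    {"dataset": "mail", "prod_site": "hq-dc", "backup_site": "offsite-vault",
     "last_backup": "2021-06-14T23:30:00Z", "immutable": True,
     "last_restore_test": "2021-05-01T00:00:00Z"},
    {"dataset": "erp-db", "prod_site": "hq-dc", "backup_site": "offsite-vault",
     "last_backup": "2021-06-10T02:00:00Z", "immutable": True,
     "last_restore_test": None},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) or return None if missing."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def check_copy(copy, now=NOW):
    """Return the findings for one backup copy; an empty list means it passes."""
    findings = []
    if copy["backup_site"] == copy["prod_site"]:
        findings.append("co-located: backup is stored where production lives")
    if not copy["immutable"]:
        findings.append("writable: the actor who encrypts production can encrypt this copy")
    last = _parse(copy["last_backup"])
    if last is None or now - last > MAX_BACKUP_AGE:
        hours = MAX_BACKUP_AGE.total_seconds() / 3600
        findings.append(f"stale: last backup older than {hours:.0f} hours")
    tested = _parse(copy["last_restore_test"])
    if tested is None or now - tested > MAX_RESTORE_TEST_AGE:
        findings.append(f"untested: no restore test within {MAX_RESTORE_TEST_AGE.days} days")
    return findings


def audit(inventory, now=NOW):
    """Map each dataset name to its findings; datasets with none are ready."""
    return {copy["dataset"]: check_copy(copy, now) for copy in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name:12s} {'READY' if not findings else 'AT RISK'}")
        for finding in findings:
            print(f"    - {finding}")
```

Run against a real inventory, the script answers Grigg's questions per dataset rather than for the organization as a whole, which is where a co-located or never-restored copy usually hides.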

How quickly is the ransomware industry itself changing? It has sort of exploded both in the financial impact and in public consciousness over the last 12 months. Is the industry itself going to shift a bunch as it becomes more well known, and the ways to stop it become more well known? How cat and mouse is this game going to be?

It will be cat and mouse. If we look at any other emerging threat or trend, it is a cat and mouse: One side makes a change, the other side makes a response. So we'll see that.

The first generation of ransomware was, I come in, I lock up your data and I demand a payment. Now I come in, I lock up your data, I demand a payment, but I also maybe steal your data, resell it to someone else and get a double profit. And then the next evolution of that is, I come in, I lock up your data and demand the payment, I steal your data, I sell it to someone else, and then I also threaten to DDoS you if you don't pay me.

So you just see this escalation and this variation. What will that next inflection point look like? It's interesting to postulate. I'm not sure what that's going to be, but it will happen and it will evolve.
