The Cyber Insider
Tracing Cryptocurrency Payments and the Role of Threat Intelligence, with Jackie Burns Koven
This month we welcome Jackie Burns Koven as a special guest on the Cyber Insider podcast. Jackie is the Head of Cyber Threat Intelligence at Chainalysis, leading the team tracking cybercriminals and nation state actors stealing, scamming, and extorting cryptocurrency. She is also a member of the Ransomware Task Force, which unites key stakeholders across industry, government, and civil society to innovate new solutions countering the ransomware threat. Prior to joining Chainalysis, she served in the U.S. Intelligence Community.
One of the key aspects of blockchain technology is its transparency. Unlike traditional bank transfers, cryptocurrency transactions are visible to anyone on the network.
Threat actors typically rely on cryptocurrency exchanges or services to convert their funds into currency or stablecoins. However, Jackie notes that the number of exchanges used by threat actors has consolidated rapidly due to increased scrutiny and the detection of illicit activity:
“Because of this steady and unpredictable takedown and action against these exchanges that were providing laundering services for ransomware actors, ransomware actors have less and less options and places to put their funds. So in addition to exchanges, we're actually seeing more threat actors that are just holding on to the fund, just sitting on it in private wallets, whether that's because they're paranoid or unsure of trusting their funds into centralized services because of the risk of the funds getting frozen or the full service getting taken down.”
When discussing potential solutions to the ransomware problem, our guest emphasizes the need for a concerted effort from governments, private sector entities, and the cybersecurity community. Jackie acknowledges the progress made in preventing bad actors from cashing out and the increased sharing of information through public advisories:
"And I think there's been great gains made by global governments on making it harder for bad actors to cash out, on identifying centers of gravity, figuring out ways to notify victims in advance, helping private and public sector entities harden their defenses, get the training they need, getting back."
All this and much more is discussed in this episode of The Cyber Insider podcast by Emsisoft, the award-winning cybersecurity company delivering top-notch security solutions for over 20 years.
Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.
Hosts:
Luke Connolly – partner manager at Emsisoft
Brett Callow – threat analyst at Emsisoft
Intro/outro music: “Intro funk” by Lowtone.
0:00:03
Luke Connolly
Welcome to the Cyber Insider, Emsisoft's podcast all about cybersecurity. Your hosts today are Brett Callow, threat analyst here at Emsisoft, and I'm Luke Connolly, partner manager. We're very excited to have Jackie Burns Koven with us today.
0:00:29
Luke Connolly
Jackie is the head of Cyber Threat Intel at Chainalysis, a blockchain intelligence company that provides cryptocurrency investigation and compliance solutions to global law enforcement agencies, regulators, and businesses. She's a member of the Ransomware Task Force and previously served in the U.S. Intelligence Community. Welcome, Jackie, and thanks for taking the time to chat with us.
0:00:51
Jackie Koven
Thanks so much for having me.
0:00:53
Luke Connolly
I must admit to knowing relatively little about blockchain, and some of our audience may not know that much about it either. So maybe we can start by asking you maybe just to explain it in simple terms.
0:01:07
Jackie Koven
Sure. So the blockchain is a shared immutable ledger. Think of it as a database that facilitates the processing, and also the recording, of information. And that information can include transactions and tracking assets like cryptocurrencies. But there are certainly other assets. They can be tangible (a house, a car, land) or intangible (IP, patents, copyrights, branding). So virtually anything of value can be tracked and traded on a blockchain network, which reduces cost and risk for a lot of its users. So I actually fell in love with blockchain technology first, before I even encountered cryptocurrency.
0:01:52
Jackie Koven
So I think in most minds today, people associate blockchain with cryptocurrency, but there are other use cases for it as well.
0:02:00
Brett Callow
Is that common or is it mostly cryptocurrency?
0:02:05
Jackie Koven
Well, there are certainly enterprise networks that are using internal private blockchains for different transactions and recording. I think it's still a nascent technology that is growing in applications and adoption, for sure.
0:02:22
Brett Callow
And how does Chainalysis fit into all of this?
0:02:27
Jackie Koven
Right, so we track cryptocurrency wallets, and my team specifically on the Threat Intelligence team, we're looking at attributing cryptocurrency wallets to real world entities. So my team is focused on cyber threat actors, so those that scam, extort, and steal cryptocurrency or use it for malicious purposes like child abuse materials or scams. But we're also looking at the entire kill chain. We're looking at all those tools and services leading up to that flashpoint.
0:03:00
Jackie Koven
So the crypting services and the hosting services that can be used for legitimate purposes, but we know are also leveraged for malicious cyber intrusion. So our team, we're experts in various threat typologies in mapping out those financial signatures of those different threat actors that are leveraging cryptocurrency.
0:03:22
Luke Connolly
So you mentioned cryptocurrency wallets, which are basically the cryptocurrency equivalent of a bank account, right? And then the equivalent of a bank transfer would be cryptocurrency payment or transition from one entity to another. So maybe what can you tell us about the mechanics of tracing cryptocurrency payments. How does that work?
0:03:45
Jackie Koven
Sure. So I will say that the beauty of the blockchain is that it is public and transparent, whereas a bank account transfer wouldn't be visible to others outside the network. Here we can see in cryptocurrency, you can see transactions all over the world between different entities, from exchanges to exchanges, merchant services to threat actors to darknet markets, victims to ransomware wallets.
0:04:12
Jackie Koven
And so that vibrant network gives us the visibility into both legitimate and illegitimate activity happening on chain. And part of the beauty of this network is as opposed to a simple bank transfer. So an exchange that leverages our platform can get notified about proceeds with exposure to darknet markets or proceeds of ransomware coming onto their platform and get alerted and notified of the potential suspicious activity coming onto their platform.
0:04:48
Jackie Koven
So I think it's greatly enhanced the suspicious activity report quality coming out of these services just because of the enhanced visibility in the nature of the cryptocurrency that's coming onto their platforms. Whereas in the banking industry, you don't have that transparency.
0:05:06
Brett Callow
You said that the blockchain creates openness and transparency, but what about privacy coins like Monero?
0:05:19
Jackie Koven
Yeah, even private blockchains are a technology that every technology is not foolproof, necessarily. And there's certainly ways to look into privacy coins as well.
0:05:36
Brett Callow
I don't know whether you'll be able to go into this. There are some instances where ransom payments have been able to be intercepted and recovered. How does that work?
0:05:47
Jackie Koven
Yeah, and also one more thing. On Monero, we're really not seeing its adoption used as some might have thought. While criminal actors are catching on to the fact that the blockchain is public, that bitcoin is traceable, we're still seeing the large majority of financial cryptocurrency related crime, and especially ransomware, being conducted in Bitcoin. And just the liquidity, ease of use, the ability to ask victims to be able to source it in that amount and quickly, is most efficient in Bitcoin for recovery. I'll also say our job ends at the tracing.
0:06:31
Jackie Koven
So we can use channels, tools to be able to track the funds from point A to point Z, but other than that, recoveries in the hands of law enforcement. But our information, our data is used as evidence to help support recoveries.
0:06:51
Luke Connolly
So you mentioned one of the things that makes Bitcoin attractive to the criminals is the liquidity of it. So maybe you can help us understand. How do ransomware actors convert their cryptocurrency into cash?
0:07:05
Jackie Koven
Right. So they'll need a service like an exchange. I like to say even bad guys got to pay rent. They got to pay their bar tab. Right now, they're not doing that in Bitcoin. They have to convert to fiat in some stage. And so using a service like an exchange to convert their cryptocurrency to cash or convert it to stablecoin so that Bitcoin can hold value amidst bitcoin's volatility are typical methods. But I will say that the number of exchanges that threat actors are using to cash out has consolidated very rapidly. And that's because these exchanges play a key role in preventing bad actors from profiting.
0:08:00
Jackie Koven
Because of that transparency of the blockchain, they are getting alerts if they receive funds onto their platform with exposure to illicit activity. And so they have the ability to look into that account, potentially freeze that account as it comes onto the platform. So threat actors are finding this out too, and moving to a smaller subset of exchanges to cash out their ill gotten gain.
0:08:25
Luke Connolly
And these exchanges represent entry or exit points for the cryptocurrency. Right. So just like a port for a ship, these exchanges would be ways for the criminals to load or unload their cash from the cryptocurrency.
0:08:39
Jackie Koven
That's right. And I'll say it's been a volatile year or two in the exchange space as well. If you look back at the history of sanctions designations, law enforcement takedowns, government actions, there's been a really global effort in shining a spotlight on services and exchanges that are providing exchange services to illicit activity. Specifically, ransomware is called out in many of these designations. So Garantex, Bitzlato, ChipMixer, which was a mixing or tumbling service used to obfuscate funds, there was the takedown of several Ukrainian based exchangers that were laundering dirty funds.
0:09:27
Jackie Koven
So because of this steady and unpredictable takedown and action against these exchanges that were providing laundering services for ransomware actors, ransomware actors have less and less options and places to put their funds. So in addition to exchanges, we're actually seeing more threat actors that are just holding on to the fund, just sitting on it in private wallets, whether that's because they're paranoid or unsure of trusting their funds into centralized services because of the risk of the funds getting frozen or the full service getting taken down.
0:10:10
Jackie Koven
So essentially what I'm saying is these funds sitting in private wallets is basically like stuffing cash under a mattress. There's a lot of distrust and paranoia in where to put funds. And of course, once you take down one service, just like a darknet market, many other darknet markets pop up. You take down one mixer, several other mixers pop up, there's no track record. And I think there's some anxiety of trusting their cash and trusting their livelihoods in these up and coming services, that they don't really know how the algorithms work or who's the admin behind it.
0:10:47
Brett Callow
You mentioned tumbling services. What are they?
0:10:50
Jackie Koven
Yeah, a mixing or tumbling service is used to take in funds that are deposited there and essentially just mix it up with other depositors funds so that when you withdraw funds on the other end, it's harder to tell where the funds came from or who deposited them in it. So it's just another obfuscation technique used to launder funds. But also there are some very privacy conscious folks that use mixer so it's not all illegitimate activity.
0:11:30
Brett Callow
Lots of people likely associate crypto with illicit activity. Just what percentage of transactions are legitimate versus illegitimate? Do we have any insight on that?
0:11:42
Jackie Koven
Yeah, that's a great question. So every year we calculate in our Cryptocrime report overall crime volume over overall economic activity, and it's actually a fraction of a percent. It's surprising to many because of the headlines, but last year we calculated about 0.24% of all cryptocurrency activity had an illicit high. And it's easy to have that misconception that cryptocurrency is only used for illicit purposes with the headline.
0:12:15
Jackie Koven
But we're only able to have these headlines of these successes against those that are using cryptocurrency for malicious activities or profiting from malicious cybercrimes that leverage crypto because of the transparency of the blockchain. Whereas if these crimes were committed with cash, it'd be much harder to be able to actually come to finality and attribution on these cases.
0:12:44
Luke Connolly
So, Jackie, I have a screenshot that I've just put up of a chart from 2021 showing the most active malware strains by revenue. How does understanding this help us solve the ransomware problem? And why does it matter?
0:13:02
Jackie Koven
I love these charts. I think they tell such a great story. I think being able to look at the ecosystem and aggregate in terms of the payments is really important to show these life cycles. So this chart from 2021, we can look at anomalies like Phoenix CryptoLocker, which was essentially like a burner strain, a one and done event, and we can see what a massive blip it caused, one of the largest payments we saw in 2021, maybe ever in ransomware.
0:13:37
Jackie Koven
I think what's interesting to me now, looking at this in 2023, is looking at Cl0p in the yellow. So there were definitely some drawbacks with Cl0p. They had some arrests. But I think what's typical with Cl0p is we would see periods of non-activity before massive payments. And as we're all dealing with MOVEit right now, it's especially interesting to see how patient they are, because they know they can be because of the big paydays for these mass victim events.
0:14:11
Jackie Koven
So it's interesting how they've rebounded in a big way. And I got to call out, the staying power of LockBit is notable on things like these. If you look at 2022's version of this and 2023's version of this, you'll see LockBit still strong in the mix. And then obviously, Conti was the apex predator at this time in pink. And how times had changed just a few months after this was published. Right.
0:14:41
Jackie Koven
We saw Conti payments drop rapidly after their professed support of the Russian Federation, and as Conti dwindled in that period, Hive was really the beneficiary of that. What I also love about these types of charts, I've got to call out Emsisoft for this. We started noticing BlackMatter picking up the mantle from DarkSide, and it's getting a lot of steam, getting a lot of publicity, and we're trying to wrap our heads around why aren't we seeing more payments?
0:15:16
Jackie Koven
What's going on here? And then when you're actually able to tie that to a real world event, Emsisoft had published that they'd actually had a decryptor, which is pretty awesome. And we can actually see how that may have prevented tens of millions of dollars, maybe even more, in ransom payments because of its existence. It's pretty awesome to see.
0:15:43
Luke Connolly
Yeah, and I'll just point out you mentioned MOVEit. We're recording this at the end of June 2023, and just in the last couple of weeks, the MOVEit file transfer product company has had its product compromised, and there are a lot of companies that are being victims of ransomware currently because of that.
0:16:03
Brett Callow
So, just for context on that subject, do you have any guesses as to how well Cl0p is likely doing from its attempts based on their past attempts after exploiting file transfer applications?
0:16:19
Jackie Koven
Yeah, it's a little too soon to tell the totality of their success in terms of payments. But what's interesting about attacks like these is they don't have a high success rate of a number of victims paying. Just a handful of the many victims paying is a good payday, is worth the wait of weeks and months between attacks for them. And we are seeing this barbell effect in terms of average payment size. And I think this has to do with last year's decline in ransom payments.
0:16:57
Jackie Koven
Last year that we identified a 40% decline in overall ransomware revenue. And that's due to a number of factors which we can get. Its insurance providers requiring more stringent security policies, the Russia Ukraine conflict displacing, or taking certain threat actors out of commission, potentially threat actors directed to do non financially motivated cybercriminal activity, law enforcement takedown sanctions.
0:17:33
Jackie Koven
All of those have really impacted the ransomware ecosystem last year heavily. And we think as an adaptation to that, threat actors have kind of gone two paths. They've gone for softer targets, more likely to pay, and then the more sophisticated actors have gone through for the more patient mass victim events, through managed service providers or supply chain vendors, where they can rack up hundreds, if not thousands of victims. And if a small fraction of those pay, it's a pretty solid outcome for them. So when I say we're having this barbell effect, we're seeing that in the median and average payments, we're seeing a lot of very small payments on the one end, and then a lot of very large eight figure payments in some cases.
0:18:30
Jackie Koven
All that is to say is that 2023 is not 2022. Last year's decline was an anomaly, not a trend. And I think anybody in the incident response community or research community, that's not surprising at the least bit.
0:18:50
Brett Callow
The ransomware as a service model seems to be fracturing. Is that complicating matters or helping them?
0:19:00
Jackie Koven
It's interesting. So I know last year I think we probably saw some of the largest amounts of new strains emerge that I've seen, and I think that fracturing is bearing out these new off brands, offshoots, personal projects coming out with every offshoot. We're always trying to determine attribution on chain, so we're looking at whether this threat actor or this strain matches the financial signature of something else we've already seen, trying to determine if DarkSide and BlackMatter are related. Is BlackMatter related to BlackCat/ALPHV?
0:19:50
Jackie Koven
And so individuals, as well as individual strains, have financial signatures, just as you and I use different banks and you use an ATM nearby. Threat actors have specific laundering techniques that they prefer, and those are pretty much consistent regardless of what they call themselves.
0:20:14
Brett Callow
I'm sure you've been involved in lots of interesting cases. Do you have any favorite war story?
0:20:21
Jackie Koven
Oh, man, I think there are so many great successes by the community, just by the whole ecosystem, in combating this problem. I think the Colonial Pipeline fund seizure was one that brought a lot of hope to the community. There's the Netwalker ransomware affiliate in Canada with the largest ever seizure of ransomware proceeds. But I think my favorite victories are the ones you don't hear about, or you hear about much later when there's a decryptor, whether it's from infosys or from public sector.
0:21:11
Jackie Koven
We had a similar case this year where Hive payments are really declining. What's going on here? And then the revelation of the availability of no. Those quiet victories, I think, are the important ones that can kind of make it harder for bad actors to profit.
0:21:33
Luke Connolly
It's interesting that you mentioned attribution. Jon DiMaggio, who we interviewed a few months ago and is the author of The Art of Cyberwarfare, was obviously really big on attribution as well. So that's just an aside. How do you think we can solve the ransomware problem? Do you think that governments should really be focused on it?
0:21:54
Jackie Koven
I'm going to tie in that question with the attribution angle. I think blockchain forensics is an essential tool now for cyber threat intelligence analysts. It's not a niche thing anymore. At least I feel like I don't have to explain to people so much what I do anymore in the cyber community, which is nice, but I think it really does enrich different telemetry and visibilities into these threat groups. It can help plug in gaps in some cases, especially around attribution, because that is such a tricky thing, and it's such a vitally important thing to get right or at least acknowledge gaps when you have them.
0:22:38
Jackie Koven
And that's so important with ransomware, too, because we know nation state actors are playing in this game. And to your point about ransomware as a service fracturing, that's especially interesting because that had been such a nice cloak for certain nation state actors to become involved with and deploy and disguise themselves as a financially motivated actor. When perhaps it was espionage related or why not both? Why not pair your espionage with some crypto?
0:23:16
Jackie Koven
So the attribution is super important and so being able to understand when North Korea has used ransomware as a service versus where a Russian speaking actor may have deployed the same strain and understanding the differences in those financial signatures is super important. And because nation states are playing in this game, some of them using ransomware to obfuscate espionage, some of them or obfuscate wipers or create some sort of plausible deniability, we certainly need government attention on this, but not just for the nation state activity. Just this scale and scope of victims is just so vast and this year is going to be a tough one and nobody's immune to this.
0:24:17
Jackie Koven
No country is really immune to this, no size organization. And so there needs to be a concerted effort. And I think there's been great gains made by global governments on making it harder for bad actors to cash out, on identifying centers of gravity, figuring out ways to notify victims in advance, helping private and public sector entities harden their defenses, get the training they need, getting back.
0:24:56
Jackie Koven
There's been such a wave of public advisories now to share more information publicly as well as privately with victim notification. None of this can be in isolation though. When we talk about the decline in ransomware payments last year, I think I rattled off like four or five different factors that contributed to that and there was a combination of private and public sector action. And so what we really need to do is reflect on all of those factors the decryptors insurance policies, sanctions and takedowns and understand how we can harness those things to continue to adapt and rein in this problem.
0:25:45
Jackie Koven
Because threat actors have already adapted. And that's what we're seeing bear out in 2023. And our numbers are pointing trending towards this year being one of the worst, if not the worst years in ransomware.
0:25:57
Luke Connolly
Sorry, I just wanted a quick follow up, one in terms of you mentioned identifying centers of gravity. By that do you mean looking for the cybersecurity, looking for the cryptocurrency exchanges where criminals tend to frequent when they'd offload their revenue, their money?
0:26:13
Jackie Koven
I do, and I think that is being done. I think that's still playing out but we've definitely seen a succession of cryptocurrency exchanges getting designated or taken down or special measures because they've been such hubs for dirty money. But I think also remembering that I think these ransomware strains are comprised of individuals and focusing on the individual versus the strain and I think with all the rebrands and the fracturing of the ransomware as a service ecosystem, it makes focusing on the individual more important than ever before.
0:27:01
Brett Callow
People often assume that those individuals, the ransomware actors are based in Russia or Eastern Europe. But as the case of the Canadian ransomware affiliate that you mentioned shows, that's not always the case. Do you have any insights into how often people may be closer to home than we think?
0:27:24
Jackie Koven
Yeah, and I won't put my gracious hosts on the spot for their Canadian affiliate that was arrested, but I'll take some of the break. So the LockBit actor recently was arrested in the USA, isn't that right? So, I mean, it just goes to show that it could happen anywhere.
0:27:46
Brett Callow
That LockBit actor was actually arrested in Canada too, wasn't he?
0:27:50
Jackie Koven
Oh, was he really?
0:27:52
Brett Callow
I could be wrong about that.
0:27:55
Jackie Koven
Canada man, troublemakers?
0:27:59
Brett Callow
Absolutely.
0:27:59
Luke Connolly
Not only are we the source of smoke pollution in the Northeast, but apparently we have a lot of bad actors. And Brett and I, by the way, are based in Canada, if no one knows that.
0:28:11
Brett Callow
And the final question, I think, and it's one we ask all our guests. Should ransom payments be banned, or if not banned, severely restricted?
0:28:21
Jackie Koven
Yeah. So in this case, I defer to policymakers. I refer to our dear friend Allan Liska and some of his studies on what the impact is on ransom payment demands in terms of kidnapping, which he's done some interesting analysis on. My view is that whatever policymakers determine, whether or not a decision is made to pay, by all means report.
0:29:02
Jackie Koven
Just report it. Report, pull some information, report the cryptocurrency addresses, all the other artifacts. I think we're righting the ship in terms of the dearth of reporting that has existed, but it's not universal. There's uneven application globally in this reporting world, and this is a global problem. And so we definitely need to ensure that our partners in this fight are having the information and tools that they need to understand what is even the universe.
0:29:39
Jackie Koven
What is the scope and scale of this problem? Because that is like the time old question. We can look at it from cryptocurrency payments, we can look at it total attack volume or data leak sites, but each one of those methods is flawed in some way. And I think we're kind of using all those pieces together to try to bound the scale and cope with this.
0:30:04
Luke Connolly
And with that, I'd like to thank you, Jackie, for joining us today. It's been a very interesting conversation and helpful in understanding cryptocurrencies. And we'd also like to thank our listeners for tuning in. Stay up to date on the latest in cybersecurity by subscribing to the Cyber Insider podcast. Thank you all.
0:30:22
Jackie Koven
Thank you for having me.