FBI's Recovery Of Colonial Pipeline Bitcoin Ransom Highlights How The 'Ban Crypto To Stop Ransomware' Cries Were Wrong Again

from the that's-not-how-it-works dept

Last month we highlighted what seemed like a fairly silly Wall Street Journal op-ed arguing that banning cryptocurrency was the best way to stop ransomware, in response (mainly) to the well publicized ransomware attack on Colonial Pipeline, which resulted in the company shutting down the flow of oil while it sorted things out. As we pointed out, not only was the idea of banning cryptocurrency unworkable, it was unlikely to do much to stop ransomware. Unfortunately, it appears that a number of other cryptocurrency haters jumped on this moment to push the idea even further, claiming that "society has a Bitcoin problem."

Of course, part of the key narrative in all of these pieces is that cryptocurrency and Bitcoin in particular, somehow make it easier for criminals to "get away" with these kinds of ransom demands, highlighting that it is somewhat easier to move around large values of Bitcoin than cash. However, as we noted in our original piece, the idea that cryptocurrency allows criminals to "get away" seemed extremely overblown, as we've seen plenty of cases where criminals using cryptocurrency were caught. And, as if to put an exclamation point on all of this, soon after the huge moral panic, the FBI announced that it had recovered over half of the money Colonial Pipeline had paid.

And, as the FBI special agent's affidavit showed, this was done in part by tracking how the money flowed across the public ledger. The NY Times ran an article noting that the FBI's recovery of the money here "upends the idea that Bitcoin is untraceable." A bunch of long time Bitcoin/cryptocurrency followers scoffed at the NY Times article, because they've long known that Bitcoin's public ledger has always made it so that transactions are traceable. But it's actually important for people not deeply in the Bitcoin space to understand this as well. And the problem with so many of the "ransomware is really a cryptocurrency problem" articles, was that they implied otherwise -- that cryptocurrency was somehow totally and completely untraceable.

As the NY Times article explains, what's important here is that it demonstrates that for all the hand wringing about cryptocurrencies and ransomware, the reality is that law enforcement is evolving with the times, and using the same kind of law enforcement detective work it's supposed to use to solve crimes.

Yet for the growing community of cryptocurrency enthusiasts and investors, the fact that federal investigators had tracked the ransom as it moved through at least 23 different electronic accounts belonging to DarkSide, the hacking collective, before accessing one account showed that law enforcement was growing along with the industry.

That’s because the same properties that make cryptocurrencies attractive to cybercriminals — the ability to transfer money instantaneously without a bank’s permission — can be leveraged by law enforcement to track and seize criminals’ funds at the speed of the internet.

That's an important point and one that often gets lost in the FUD surrounding new technologies (such as encryption) that might make law enforcement's job slightly more complex in the short run. But, at the same time, law enforcement needs to learn to adapt, not by undermining these technologies, but understanding how they work, and understanding how to do the actual legwork to trace those abusing the technology for criminal purposes.

So rather than jumping to the conclusion that we need to ban this or that technology because it makes it slightly more challenging for law enforcement, this is actually an example showing how if law enforcement does their job properly, the technology is not the problem.

Filed Under: bitcoin, cryptocurrency, detective work, fbi, law enforcement, ransomeware, recovery
Companies: colonial pipeline

Homeland Security Adviser Pins Wannacry Attack On North Korea In Wall Street Journal Op-Ed

from the so-that's-the-way-we're-doing-things-now dept

With politically-expeditious timing, Homeland Security Advisor Tom Bossert has pinned the Wannacry attacks on North Korea. The delivery method for the news was odd as well: a "commentary" piece in the Wall Street Journal's op-ed pages.

Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.

The attack spread indiscriminately across the world in May. It encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes. While victims received ransom demands, paying did not unlock their computers. It was cowardly, costly and careless. The attack was widespread and cost billions, and North Korea is directly responsible.

We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government.

While it's nice to hear this is "based on evidence" and that a "careful investigation" was performed, the op-ed piece still raises questions. Attribution is always difficult, but there seems to be info missing.

Wannacry was ransomware, but nowhere in Bossert's piece is there any indication North Korea turned a profit. The article says Wanncry "cost" billions, but it doesn't say anything about North Korea suddenly being awash in illicitly-obtained cash.

Also glossed over in Bossert's tough-talking attribution announcement/cybersecurity muscle flexing is the original source of the Wannacry ransomware: purloined NSA exploits. There are all kinds of problems with Bossert's announcement, as Marcy Wheeler points out:

The guy who — well after it was broadly known to be wrong — officially claimed WannaCry was spread by phishing is now offering this as his evidence that North Korea is the culprit:

We do not make this allegation lightly. It is based on evidence.

A representative of the government whose tools created this attack, said this without irony.

The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet.

And the guy whose boss has, twice in the last week, made googly eyes at Vladimir Putin said this as if he could do so credibly.

As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations.

None of this necessarily adds up to the US government pinning the attacks on the wrong entity, but given the pedigree of the mouthpiece and the administration's desire to minimize reports of Russian government-directed cyberattacks, pinning this on the President's favorite Twitter punching bag (MSM notwithstanding) seems more convenient than accurate.

Even if it's 100% accurate, there had to have been better ways to deliver this news than with a threat of actual, physical war appended. Bossert's piece -- after glossing over the NSA's inadvertent contribution to the worldwide ransomware attack and throwing some shade at the previous administration -- wraps everything up with this:

As for North Korea, it continues to threaten America, Europe and the rest of the world—and not just with its nuclear aspirations. It is increasingly using cyberattacks to fund its reckless behavior and cause disruption across the world. Mr. Trump has already pulled many levers of pressure to address North Korea’s unacceptable nuclear and missile developments, and we will continue to use our maximum pressure strategy to curb Pyongyang’s ability to mount attacks, cyber or otherwise.

Using cyberattacks as an excuse for IRL attacks is a scary idea. The Trump Administration seems willing to draw down on North Korea at any moment, which isn't good news for anyone anywhere in the world. And it follows the newly-minted tradition established by the Obama Administration: mixing and matching war metaphors to treat cyberattacks like Pearl Harbor.

Filed Under: attribution, north korea, ransomeware, tom bossert, wannacry