What’s the best way to stop ransomware? Make it riskier and less lucrative for cyber criminals. Nearly all intruders prefer to collect a ransom in cryptocurrency. But it’s a double-edged sword since even crypto leaves a money trail. Recovering ransomware payouts could lead to a sharp decline in exploits.

Ransomware is still today’s top attack type, according to IBM Security’s latest research published in the tenth annual X-Force Threat Intelligence Index. It nets millions of dollars for nefarious actors and disrupts businesses, supply chains and entire industries.

Still, not all hope is lost. Using a multi-pronged approach, it’s possible to recover ransomware payments. In the long run, this could make a big difference in cyber crime reduction.

Recovering ransomware payments

Some still believe that cryptocurrency ransom payments can’t be recovered. This is far from the truth. For example, the Colonial Pipeline cyberattack resulted in the company paying a $4.4 million ransom in Bitcoin in early May 2021. But by early June 2021, the FBI recovered more than $2 million of the ransom paid.

In this case, a federal judge in the Northern District of California granted a warrant, and the feds seized proceeds from the crypto wallet that held the ransom. The warrant authorized the seizure of 63.7 bitcoin, or $2.3 million, per the exchange rate at the time of seizure.

The bureau obtained the private key for the wallet address, which enabled the FBI to confiscate the bitcoin from the wallet. Officials did not reveal how the FBI got the key.

Sanctioning the partners in crime

Threat actors have evolved quickly into offering Ransomware-as-a-Service. And like any other as-a-service project, it involves multiple affiliates. For example, if an attacker collects a ransom in bitcoin or ether, they need a cryptocurrency exchange to launder the money.

In September, the U.S. Department of the Treasury added the exchange Suex to its list of sanctioned entities due to laundering ties with ransomware attackers. Sanctions mean all property and interests of the target subject to U.S. jurisdiction are blocked. Also, U.S. persons are prohibited from engaging in transactions with sanctioned entities.

The sanctions also cover any entities 50% or more owned by one or more designated persons. Financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions as well, or be subject to an enforcement action.

Ransom recovery and arrests

In February 2022, the National Cryptocurrency Enforcement Team ran an investigation that led to the arrest of criminals conspiring to launder $4.5 billion worth of cryptocurrency. Allegedly, attackers stole the funds during the 2016 Bitfinex cryptocurrency exchange breach. As a result of law enforcement efforts, more than $3.6 billion in cryptocurrency was recovered. It was the largest Department of Justice (DOJ) crypto coin seizure to date.

In this case, the attackers laundered about 25,000 stolen bitcoin out of their wallet via an intricate process. It included automated money laundering transactions and sending stolen funds to a variety of exchanges and darknet markets. The attackers also converted ransomed bitcoin into other forms of virtual currency, including anonymity-enhanced virtual currency, in a practice known as chain hopping.

Despite this complex scheme, the DOJ caught and arrested the ones responsible. Commenting on the case, Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department’s Criminal Division said, “Today, federal law enforcement demonstrates once again that we can follow [the] money through the blockchain, and that we will not allow cryptocurrency to be a safe haven for money laundering or a zone of lawlessness within our financial system.”

Tracing Bitcoin ransom payments

Law enforcement uses cryptocurrency, computer scientists, blockchain analysts and crypto-tracers to recover ransoms, according to Jeremy Sheridan, assistant director of investigations in the U.S. Secret Service within the Department of Homeland Security.

Crypto tracers enable law enforcement to aggregate and curate millions of open-source and private references, deception data and human intelligence. Harvested data points can include account types, account holders, contract types, contract owners and other metadata. Crypto tracing can also indicate illicit fund destinations, such as a wallet or an exchange. Crypto tracing solutions generate risk scores by profiling hundreds of global exchanges, ATMs, mixers, money laundering systems, gambling services and known criminal addresses.

Reporting ransomware

Another important measure in the fight against ransomware is incident reporting. Sadly, some organizations fear that reporting an attack could damage their good name. However, reporting adds valuable information to threat intelligence and can assist with ransom recovery efforts.

In light of this, the U.S. Congress recently approved the Strengthening American Cybersecurity Act, which applies to federal agencies and critical infrastructure. If signed into law, this new legislation mandates the reporting of attacks within 72 hours. In addition, it requires agencies to report ransomware payments within 24 hours.

Should I pay ransomware?

By far the most effective way to ‘recover’ ransomware payments is to not pay them at all. While some victims may feel they have no choice, consider these facts:

  • Even if you pay the ransom, the threat actors may not give you the decryption key to unlock your files
  • Even if the attackers give you the keys, your files may not be fully restored to their original state
  • After paying the ransom, attackers often threaten to leak or sell sensitive data on the darknet (‘double extortion’).

Instead, it’s best to have a solid anti-ransomware strategy. This includes:

  • Digital file backups to let you restore encrypted data
  • Segment network operations to prevent malware from spreading
  • Identity access management and zero trust solutions to secure the modern perimeter-less organization.

Ransomware isn’t going away anytime soon. Still, there are ways to recover ransomware payouts. Recovery success depends on the combined effort of advanced technology, law enforcement and the cooperation of both private and public organizations.

More from Risk Management

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Roundup: The top ransomware stories of 2024

2 min read - The year 2024 saw a marked increase in the competence, aggression and unpredictability of ransomware attackers. Nearly all the key numbers are up — more ransomware gangs, bigger targets and higher payouts. Malicious ransomware groups also focus on critical infrastructure and supply chains, raising the stakes for victims and increasing the motivation to cooperate.Here are the biggest ransomware stories of 2024.Ransomware payments reach record highRansomware payments surged to record highs in 2024. In the first half of the year, victims…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today