
Crystal Investigations for Tracking Ransomware Payments

by the Crystal analytics team

June 2, 2020

Crystal efficiently tracked payments from the victims of the WannaCry virus. It took four days for the virus to spread across 150 countries – it took Crystal only 3 hours to locate the online entity extorting payments from the affected users.

The Problem: Ransomware payments are a reputational and operational issue for several industries.

Our world now has a new kind of cybercrime called “Ransomware.” Ransomware is a type of malware that extorts payments from users for the safe return of their files.

Ransomware works by using malicious software to encrypt the users’ files (making them inaccessible), and then requiring the user to pay a certain amount (usually in bitcoin) to get the files back. Ransomware distributors often rely on bitcoin as the preferred type of payment, so they can attempt to hide the final recipient of the payments and avoid responsibility for the crime.

According to a Cybersecurity Ventures report, global ransomware damage costs are predicted to exceed $5 billion in 2017, up from $325 million in 2015. Ransomware targets all industries, and it can compromise much more than just computer data. Anything digital is now at risk: health care, banks, logistic operators, state organizations, motion pictures — ransomware does not discriminate.

However, the Bitcoin Blockchain itself is not anonymous, and all transactions are visible to every participant on the blockchain. All information about payers, recipients, and fund flows is there on the blockchain, immutable and readily accessible by any participant. Each digital block, though, may contain several transactions between different parties, who are represented on the blockchain only by their digital address — a string of letters and numbers.

Given this somewhat limited information, the main challenge is finding the real-world identity tied to digital addresses and collecting evidence of relations between victims, payments, and criminals. However, Crystal Blockchain analytics can bring further transparency and research to these bitcoin transactions.

The Case: WannaCry Attack 2017

The best-known virus attack is the WannaCry attack, which started early in the morning on Friday, May 12, 2017. Two of the first prominent victims were the UK’s National Health Service (NHS) and Telefónica, the largest telecom company in Spain.

The outbreak quickly spread across Europe and the rest of the world. By late Friday evening, it had taken root in 150 countries, including the United States (where shipping giant FedEx was infected) and China, which had the largest number of unlicensed PCs.

To date, the WannaCry ransomware attack is one of the largest we have ever seen of its kind, demonstrating how ransomware is a global problem. The estimated damage caused by WannaCry in just its initial 4 days exceeded a billion dollars, due to the massive downtime it caused to large organizations worldwide.

By the end of August 2017, the attackers had collected 53.46 BTC (around US$200k), approximately 52 BTC of which were transferred further.

The picture below is an example of Crystal’s visualization for a chain of transactions from one of the attackers’ bitcoin wallets to two withdrawal points — the Changelly and ShapeShift exchanges.

If law enforcement agencies had had the proper tool to find criminals on the Bitcoin Blockchain, they could have quickly cornered the criminals and prevented further global damage.

The Solution: Making the case crystal clear with Crystal Analytics.

With Crystal, law enforcement bodies can effectively carry out cryptocurrency investigations with digital evidence by:

  • Watching a suspect’s wallets, including where funds originate and where they go
  • Seeing the suspect’s common internet account name
  • Auto-tracing the suspect’s fund flow to a final point of destination
  • Highlighting connections between victims and the suspect
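
The kind of forward fund-flow tracing listed above can be sketched with a proportional ("haircut") taint model over a transaction list. This is an added illustration, not Crystal's code or algorithm; every address, amount and exchange label in it is constructed sample data, and `trace` is a hypothetical helper.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample data: every address, amount (satoshis) and label below
# is a placeholder, not a real WannaCry transaction or exchange address.
LABELS = {"exch_a_deposit": "Exchange A", "exch_b_deposit": "Exchange B"}
SEEDS = {"ransom_1"}  # assumed: the address shown in the ransom note
TXS = [  # (txid, inputs [(address, sats)], outputs [(address, sats)]), oldest first
    ("tx1", [("victim_1", 30_000_000)], [("ransom_1", 30_000_000)]),
    ("tx2", [("victim_2", 60_000_000)], [("ransom_1", 60_000_000)]),
    ("tx3", [("ransom_1", 90_000_000)],
     [("hop_1", 50_000_000), ("hop_2", 40_000_000)]),
    ("tx4", [("hop_1", 50_000_000), ("unrelated", 50_000_000)],
     [("exch_a_deposit", 80_000_000), ("hop_3", 20_000_000)]),
    ("tx5", [("hop_2", 40_000_000)], [("exch_b_deposit", 40_000_000)]),
]

def trace(txs, seeds, labels):
    """Proportional ("haircut") forward trace of funds received by seeds."""
    balance = defaultdict(Fraction)   # sats held per address
    tainted = defaultdict(Fraction)   # part of that balance derived from ransom
    arrived = defaultdict(Fraction)   # tainted sats per labelled entity
    payers = set()                    # addresses that paid a seed address
    for _txid, inputs, outputs in txs:
        taint_in = Fraction(0)
        for addr, amt in inputs:
            if balance[addr] > 0:     # inputs with unknown history carry no taint
                moved = tainted[addr] * amt / balance[addr]
                tainted[addr] -= moved
                balance[addr] -= amt
                taint_in += moved
        ratio = taint_in / sum(amt for _, amt in inputs)
        for addr, amt in outputs:
            if addr in seeds:         # everything paid to a seed counts as ransom
                share = Fraction(amt)
                payers.update(a for a, _ in inputs)
            else:
                share = amt * ratio   # mixing with clean funds dilutes the taint
            if addr in labels:        # stop at a known service: a withdrawal point
                arrived[labels[addr]] += share
            else:
                balance[addr] += amt
                tainted[addr] += share
    unspent = {a: t for a, t in tainted.items() if t > 0}
    return dict(arrived), unspent, payers

if __name__ == "__main__":
    print(trace(TXS, SEEDS, LABELS))
```

In the sample, the 0.9 BTC paid by two victims ends up as 0.4 BTC at each labelled exchange and 0.1 BTC still sitting on an intermediate address, which is where an investigator would set a watch.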

Crystal is the tool law enforcement agencies need to prevent or mitigate the effectiveness of ransomware cyberattacks like WannaCry. With Crystal, investigators could catch the perpetrators of such crimes much more efficiently, potentially preventing significant damage.

Powered by the expertise of Bitfury Group, Crystal can:

  • Help investigators identify and track criminal activities, like ransomware payments.
  • Link pseudonymous bitcoin payments to real-world entities, including exchanges, individuals, and mixer services, and reveal the real-world names of those entities in a user-friendly format.
  • Identify ownership of bitcoin wallets and the interaction of different Blockchain entities.
  • Provide substantial evidence for legal pursuance of charges.

About Crystal Blockchain analytics platform:

Crystal is the all-in-one blockchain investigative tool. As public blockchains and cryptocurrencies become more widely used, a broader set of tools is needed to track criminal behavior such as money laundering, terrorist financing, and other illicit darknet activities.

Crystal Blockchain is available as a web application or through an API, and it can also be deployed on internal servers for added privacy.

Crystal supports Bitcoin, Ethereum, Bitcoin Cash, Litecoin, and Tether analytics.
