Elliptic’s Rapid Response to Ransomware: A 4-step Plan for Readiness Resolution and Identifying the Attacker
- 15.05.2017 09:15 am
Friday's cyberattack on tens of thousands of computers around the world revealed businesses' and other organizations' vulnerability to ransomware and extortion. Elliptic (www.elliptic.co) is a Bitcoin intelligence firm that can guide banks and corporations through the ransomware process and work with law enforcement to identify the attackers.
“Through our extensive Bitcoin ransomware work in the United States, United Kingdom, and Europe, we have put together a comprehensive plan for ransomware readiness,” says Dr. James Smith, Elliptic’s co-founder and CEO.
“Most ransomware attacks follow the same general pattern,” explains Elliptic co-founder and lead investigator Dr. Tom Robinson. “The victim is given a Bitcoin (or other cryptocurrency) payment address, and a deadline to make payment. Most people incorrectly assume there is nothing that can be done to identify the perpetrator after payment is made.”
Elliptic works with clients to deploy a four-step plan for ransomware readiness and response, including measures to identify the attacker.
1. Assess the risk
Not all ransomware is worth paying. Elliptic's team of experts may be able to decrypt the ransomware; or there may be indications that the attacker will not decrypt your machine even after payment. In the case of last week’s WannaCry attack, there is no evidence at the time of writing that the attacker will ever decrypt the compromised machines.
Based on its deep experience and extensive network in ransomware investigations, Elliptic provides clients with an expert recommendation on whether to proceed with the ransomware payment.
2. Obtain the Bitcoins
Ransomware operations usually demand payment quickly, sometimes in as little as 24 hours. It can be difficult for a company to secure large quantities of Bitcoins at short notice. “Most Bitcoin exchanges have Know Your Customer (KYC) policies that prohibit them from selling new clients a significant amount of Bitcoins," explains Dr. Robinson. "Often a company will have the cash ready to purchase Bitcoins, but the exchange cannot legally open an account and complete the transaction before the ransom is due.”
Elliptic helps its clients draw up a plan to rapidly access large volumes of Bitcoins and other cryptocurrencies in case of a ransomware attack. Elliptic can help clients obtain Bitcoins through its network of exchanges and liquidity providers.
3. Make the payment
Large Bitcoin payments can be confusing for companies that are not used to dealing in cryptocurrencies. “Constructing a large Bitcoin transaction is a technical process. You need to define the right transaction fee, verify the destination, and sign the transaction appropriately.”, explains Dr. Robinson. “Too low a fee and your transaction might never clear; send it to the wrong address and your Bitcoins are gone forever. It’s also important that the ransomer knows which of their victims is making the payment.”
Elliptic will prepare and execute your transaction, or we can also dispatch one of our experts to your location to perform the transaction on the premises.
4. Identify the attacker
Bitcoin transactions are difficult but not impossible to trace. Elliptic has developed advanced Bitcoin investigation software and employs a team of investigators with advanced degrees in computer science and decades of experience in the world’s top law enforcement agencies. Elliptic’s software and investigators have delivered actionable intelligence to identify ransomware and cyber-extortion attackers in the US, UK, and EU. “We are able to connect the dots between Bitcoin activity and real world actors,” says Dr. Smith. “We only provide our forensic investigation services in collaboration with law enforcement, and we have a very high success rate in delivering actionable intelligence on complex Bitcoin investigations.”
Dr. Robinson adds: “We actively trace proceeds of ransomware and cyber extortion, and we alert our Bitcoin exchange customers if they receive illegal funds. Our goal is to defeat ransomware by making it extremely difficult to launder the proceeds of these crimes.”