[Senate Hearing 117-575]
[From the U.S. Government Publishing Office]
S. Hrg. 117-575
RISING THREATS: RANSOMWARE ATTACKS
AND RANSOM PAYMENTS ENABLED BY CRYPTOCURRENCY
=======================================================================
HEARING
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED SEVENTEENTH CONGRESS
SECOND SESSION
__________
JUNE 7, 2022
__________
Available via the World Wide Web: http://www.govinfo.gov
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
50-846 PDF WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware
MAGGIE HASSAN, New Hampshire
KYRSTEN SINEMA, Arizona
JACKY ROSEN, Nevada
ALEX PADILLA, California
JON OSSOFF, Georgia

ROB PORTMAN, Ohio
RON JOHNSON, Wisconsin
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MITT ROMNEY, Utah
RICK SCOTT, Florida
JOSH HAWLEY, Missouri
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Alan S. Kahn, Chief Investigative Counsel
Stephanie T. Rosenberg, Investigative Counsel
Victoria G. Kelley, Research Assistant
Pamela Thiessen, Minority Staff Director
Sam J. Mulopulos, Minority Deputy Staff Director
William H.W. McKenna, Minority Chief Counsel and Chief Investigator
Patrick T. Warren, Minority Investigative Counsel
Laura W. Kilbride, Chief Clerk
Thomas J. Spino, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Peters............................................... 1
Senator Portman.............................................. 3
Senator Hawley............................................... 13
Senator Rosen................................................ 15
Senator Lankford............................................. 18
Senator Hassan............................................... 20
Senator Sinema............................................... 23
Prepared statements:
Senator Peters............................................... 29
Senator Portman.............................................. 31
WITNESSES
Tuesday, June 7, 2022
Megan Stifel, Chief Strategy Officer, Institute for Security and
Technology..................................................... 4
Bill Siegel, Chief Executive Officer, Coveware................... 7
Jackie Burns Koven, Head of Cyber Threat Intelligence,
Chainalysis.................................................... 9
Alphabetical List of Witnesses
Koven, Jackie Burns:
Testimony.................................................... 9
Prepared statement........................................... 48
Siegel, Bill:
Testimony.................................................... 7
Prepared statement........................................... 44
Stifel, Megan:
Testimony.................................................... 4
Prepared statement........................................... 33
APPENDIX
Senator Peters Majority Report................................... 74
Senator Portman Minority Report.................................. 126
Palma Statement for the Record................................... 177
RISING THREATS: RANSOMWARE ATTACKS
AND RANSOM PAYMENTS ENABLED BY CRYPTOCURRENCY
----------
TUESDAY, JUNE 7, 2022
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10 a.m., via
Webex and in room SD-342, Dirksen Senate Office Building, Hon.
Gary Peters, Chairman of the Committee, presiding.
Present: Senators Peters, Hassan, Sinema, Rosen, Ossoff,
Portman, Johnson, Lankford, Scott, and Hawley.
OPENING STATEMENT OF CHAIRMAN PETERS\1\
Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Peters appears in the
Appendix on page 29.
---------------------------------------------------------------------------
I would first like to say thank you to our witnesses for
joining us here. Today's hearing will provide a very important
opportunity to discuss the rising threat posed by ransomware
attacks, and the role that cryptocurrencies play in enabling
these harmful cybercrimes.
In recent years, we have seen a scourge of increasingly
complex and sophisticated ransomware attacks on both public and
private networks, where the attackers prevent access to an
entity's computer systems or threaten to release stolen data
unless a ransom is paid.
From the Kaseya ransomware attack that affected between 800
and 1,500 small businesses, to alarming attacks on our critical
infrastructure that caused gas shortages across the East Coast
and temporarily shut down processing plants for the world's
largest meat supplier, ransomware attacks have caused
significant disruptions to daily life and imposed serious
economic costs.
A single ransomware attack can force businesses to close
their doors permanently, even if they pay the ransom demand.
Cybercriminals may shut down computer systems, expose sensitive
data, or erase data entirely, causing significant disruption to
business continuity. Some of the longer-term impacts may
include lost revenues, reduced profits, damage to brand
reputation, employee layoffs, and loss of customers.
These malign actors almost exclusively demand
cryptocurrencies when extorting large sums of money, because
they can take steps to obscure their transactions and
circumvent regulatory scrutiny, making payments more difficult
to trace.
In 2020, according to a Chainalysis study, malicious
hackers received at least $692 million in cryptocurrency
extorted as part of ransomware attacks, up from $152 million in
2019, and over a 300 percent increase year-over-year. These
figures are likely a drastic underestimation of the actual
number of attacks and ransomware payments made by victims.
While Bitcoin and many other cryptocurrencies provide a
public ledger of transactions, known as a ``blockchain,''
cryptocurrency wallets are not tied to an individual person,
meaning account holders can take steps to conceal their
identity to avoid being held accountable for criminal
activities.
Anti-money laundering and other banking regulations that
are meant to prevent criminal use of currency, including
cryptocurrency, are also often inconsistently enforced,
particularly in foreign jurisdictions, where many attackers are
based.
For example, last year, according to Chainalysis,
approximately 74 percent of global ransomware revenue went to
entities either likely located in Russia, or controlled by the
Russian government. Attacks from Russia-based entities are only
expected to increase, especially as the United States continues
its support of Ukraine against Russia's illegal and immoral
invasion.
Last month, I released a report examining the role
cryptocurrencies play in incentivizing and enabling ransomware
attacks, and the resulting harm these attacks have on victims.
I will now move to introduce this report\1\ as part of the
hearing record, and hearing no objection, this report will be
entered into the record.
---------------------------------------------------------------------------
\1\The Majority Report appears in the Appendix on page 74.
---------------------------------------------------------------------------
My investigation found that the Federal Government lacks
sufficient data and information on ransomware attacks and the
use of cryptocurrency as ransom payment in these attacks, and
must collect better data to understand the scope of the threat.
The cyber incident reporting law that Ranking Member
Portman and I authored and passed earlier this year marks a
significant first step to getting the information the
government needs to combat this growing threat. The legislation
will require critical infrastructure owners and operators to
report cyberattacks within 72 hours and ransomware payments
within 24 hours, and I look forward to working with the
Administration to ensure it is swiftly and effectively
implemented.
The more information we have, the better suited we will be
to combat ransomware attacks. That means continuing to build
off our bipartisan cyber incident reporting legislation by
holding foreign adversaries and cybercriminals accountable, and
finding ways to reduce the incentives to conduct these attacks
in the first place, including by examining their use of
cryptocurrency.
While I am grateful to the many Federal law enforcement and
regulatory agencies that have taken steps to address
cybercriminals and the rising threat of ransomware attacks,
more must be done to ensure cryptocurrencies are monitored
appropriately, like their non-digital counterparts.
Finally, in addition to addressing ransomware attacks and
the use of cryptocurrency as ransom payment in those attacks,
Congress must examine other criminal activity involving
cryptocurrency that threatens our nation's national and
economic security, such as human trafficking, the flow of
illicit drugs across our borders, and other serious crimes.
I look forward to our hearing today and to hearing from a
panel of expert witnesses who can further elaborate on the uses of
cryptocurrency in ransomware attacks, and provide answers to
ensure we have the necessary tools and resources to tackle this
issue head on.
With that I would like to recognize our Ranking Member of
this Committee, Ranking Member Portman, for his opening
comments.
OPENING STATEMENT OF SENATOR PORTMAN\1\
Senator Portman. Thank you, Mr. Chairman, and thank you
to our witnesses for being with us today, some in person, some
virtually. We are going to hear from a private sector panel of
cybersecurity professionals and incident responders who are
going to provide us with a unique perspective, in each case, on
what can be done to combat ransomware.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Portman appears in the
Appendix on page 31.
---------------------------------------------------------------------------
Obviously, the frequency and severity of ransomware attacks
continues to concern us because it continues to grow. Ransomware
groups have professionalized their operations using a business
model often now called ransomware-as-a-service, which involves
ransomware developers selling or delivering their malware to
individuals called ``affiliates'' who actually carry out the
attack. It is a business model. This allows ransomware gangs to
conduct more attacks with broader impact.
In March of this year, I released a report\2\ documenting
the experiences of three American companies victimized by the
most notorious Russian ransomware gang, called REvil. The
companies profiled in the report are from different business
sectors and vary significantly in size, revenue, and their
information technology (IT) resources. This was done on
purpose, to try to show that this is affecting companies of
every size and sophistication. Despite these differences, all
of these companies fell victim to REvil. This underscores the
broad threat ransomware presents and the proactive steps all
organizations must take to implement cyber best practices.
---------------------------------------------------------------------------
\2\ The Minority Report appears in the Appendix on page 126.
---------------------------------------------------------------------------
REvil was largely believed to be offline following the
arrests of several key members last fall, but public reports
indicate the gang may be resuming operations. We know it is
common for ransomware criminals to claim retirement only to
``rebrand'' and reemerge under a new name.
About a year ago, this Committee held a hearing on the
Colonial Pipeline ransomware attack. That incident was a
painful reminder to many Americans that these attacks have
real-world consequences impacting everybody.
Recognition of this challenge is one of the reasons
Chairman Peters and I drafted cyber incident reporting
legislation, which I am proud to say became law a couple of
months ago. This law will enhance our nation's visibility into
cyberattacks against the United States and will enable a more
effective response including warning potential victims. It is
really important that Cybersecurity and Infrastructure Security
Agency (CISA) works with industry experts and stakeholders to
implement this law immediately.
We know ransomware attacks will continue to be a national
security threat for the foreseeable future. As the committee of
jurisdiction over cybersecurity, we will continue to work to
identify solutions that address the threats associated with
ransomware attacks and the ways we can fortify our defenses.
Today we are going to have testimony from some real experts
to ensure that we are making steps in the right direction, and
I look forward to that testimony.
Thank you, Mr. Chairman.
Chairman Peters. Thank you, Ranking Member Portman.
It is the practice of the Homeland Security and
Governmental Affairs Committee (HSGAC) to swear in witnesses.
If each of you will please stand and raise your right hand,
including folks joining us online.
Do you swear that the testimony you will give before this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you, God?
Ms. Stifel. I do.
Mr. Siegel. I do.
Ms. Koven. I do.
Chairman Peters. Everyone has answered affirmatively. You
may be seated.
Our first witness is Megan Stifel, Chief Strategy Officer
(CSO) at the Institute for Security and Technology (IST), a
partnership that provides public and private sector guidance on
security and technology. In 2021, IST released a comprehensive
report on combating ransomware.
Ms. Stifel previously served as an attorney in the National
Security Division at the Department of Justice (DOJ), where she
also spent time detailed as a Director for International Cyber
Policy on the National Security Council (NSC). She also
previously served as a Senior Policy Counsel for Global Cyber
Alliance.
Welcome, Ms. Stifel. You may now proceed with your opening
remarks.
TESTIMONY OF MEGAN H. STIFEL,\1\ CHIEF STRATEGY OFFICER,
INSTITUTE FOR SECURITY AND TECHNOLOGY
Ms. Stifel. Chairman Peters, Ranking Member Portman,
distinguished Members of the Committee, thank you for the
opportunity to testify today about the critical importance of
information about ransomware attacks and associated payments in
combating the ongoing ransomware scourge.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Stifel appears in the Appendix on
page 33.
---------------------------------------------------------------------------
My name is Megan Stifel and I am the Chief Strategy Officer
at the Institute for Security and Technology. We are a Bay
Area-based nonprofit organization focused on staying ahead of
security challenges resulting from our increasing dependence on
technology. Our current work focuses on nuclear command and
control, artificial intelligence (AI), digital cognition and
democracy, and most relevant for today's purposes, information
security.
Early last year, in response to the growing threat posed by
the escalating rise in ransomware incidents targeting critical
infrastructure, IST convened the Ransomware Task Force (RTF),
and I had the privilege of being a co-chair. The task force
included participants from industry, academia, civil society,
and governments, including the United States, the United
Kingdom (UK), and Canada, as well as multilateral organizations
such as Europol. In total, 60-plus organizations participated,
including the organizations represented by my fellow witnesses.
In a span of four months, this coalition worked to identify
measures to help all stakeholders better deter, disrupt,
prepare, and respond to ransomware. As noted, we published a
report last spring, including four goals, five priority
recommendations, and a series of recommended actions,
totaling 48. The priority recommendations included the need for
a sustained, coordinated, U.S.-led, multi-stakeholder
collective action to meaningfully reduce the ransomware threat;
an intelligence-driven anti-ransomware campaign, including
support for operational collaboration with industry; the
establishment of ransomware response and recovery funds,
frameworks for preparation and mandated reporting of payments;
as well as closer international regulation of the
cryptocurrency sector that enables ransomware crime.
As noted, just after the report's publication several high-
profile ransomware attacks occurred, leading to the disruption
of fuel and meat production, distribution, as well as health
care. These incidents formed pivotal moments in which
significant progress has been made in countering ransomware.
Much of this progress aligns with the task force's
recommendations.
Still, much work remains. I will focus my testimony today
on the task force's recommendations related to information
about ransomware incidents, especially payments, and helping
government and industry effectively combat ransomware.
Before I address the essential role of information in the
ransomware lifecycle I have to pause and emphasize that
ransomware is a symptom of a broader problem, and that problem
originated decades ago through a confluence of factors, each of
which must be addressed to put a significant dent in the
ransomware-related cybercrime, but also in all aspects of
cybersecurity risk and resulting cybercrime.
Ransomware is 21st-century extortion, but extortion is not
a 21st-century invention. New forms of extortionware are
emerging. Thus, in examining collective measures by industry
and government to combat ransomware, we are not just targeting
today. We are working to better secure tomorrow against
wherever these criminals turn next.
In my testimony before the House last year, I noted the
task force's recommendations, but the scope and quality of
information about ransomware incidents must improve. The
reasons for this are manifold. Higher-quality information can
better equip governments and other stakeholders in developing
the international strategy the task force called for to reduce
ransomware risk at scale. It can also provide more detailed
evidence to support a range of measures that can reduce the
ability of these actors to operate from safe havens.
Of perhaps equal importance, higher-quality information can
better inform the private sector's ability to protect its
customers' right to property as well as enhance its capacity to
collaborate with the government in combating ransomware and
other cybercrimes.
As the task force noted in April 2021, improving the
quality and volume of ransomware information would better
enable deterrence, enhance preparedness, and inform disruption
activities. There were several recommendations in the report.
Since ransomware is often a criminal endeavor to extract
financial gain, one of the most effective tools in combating it
is to follow the money. Information shared through voluntary
and mandatory incident reporting, including ransom payments, is
this tool's lifeblood. Yet to this date we have not found an
adequate incentive structure to meaningfully empower this
capability at scale.
As depicted in the ransomware payment diagram submitted
with my written testimony, a range of organizations may have
information that can enable public and private sector entities
to follow the money. Today, however, there are only partial
views spread across many stakeholders without a common process
or pathway to stitch the pieces together.
Ultimately, there should be harmony among government
reporting avenues. This would ease confusion among victims and
streamline the collection and analysis of attack information. The
recently passed reporting legislation will address aspects of
this challenge. However, the need for consistency across
reporting pathways is more immediate. It is especially critical
while the rulemaking process is underway. It is also essential
regardless of the rulemaking process, given the scope of
entities that will likely be required to report pursuant to, or
elect to share voluntarily under the legislation.
To meet the risks of tomorrow, information gathered must be
useful and it must be appropriately disseminated within a
meaningful period of time. It is also important to know that
the same information may be of different value, depending on
the agency's or organization's mission.
I must also pause to emphasize the need the task force
placed on enabling disruptive capabilities through these
channels. Disruptive actions taken in the past year to seize
cryptocurrency assets could scale significantly if clear,
concise, actionable information is made available to
appropriate organizations as early as possible in the
cryptocurrency kill chain.
Thank you for the opportunity to participate today, and I
look forward to your questions.
Chairman Peters. Thank you, Ms. Stifel.
Our next witness is Bill Siegel, Chief Executive Officer
(CEO) and Co-Founder of Coveware, a cyber incident response
firm that specializes in assisting victims of ransomware
attacks. Mr. Siegel previously served as the Chief Financial
Officer (CFO) for the cybersecurity rating company,
SecurityScorecard, and the Chief Executive Officer of
Secondmarket, and the Head of National Association of
Securities Dealers Automated Quotations Stock Market (NASDAQ)
Private Market.
Mr. Siegel, you may proceed with your opening remarks.
TESTIMONY OF BILL SIEGEL,\1\ CHIEF EXECUTIVE OFFICER, COVEWARE
Mr. Siegel. Mr. Chairman, Ranking Member Portman, and
Members of the Committee, thank you for the opportunity to
share Coveware's perspective on ransomware attacks and the role
of cryptocurrency in ransom payments.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Siegel appears in the Appendix on
page 44.
---------------------------------------------------------------------------
My testimony today is derived from Coveware's experience
which spans thousands of ransomware incidents over the last few
years. During a given incident, we interact with the victim of
the attack, privacy attorneys, forensic investigators,
restoration firms, cyber insurance companies, and the law
enforcement agencies that investigate these attacks.
Throughout the incident, we collect data firsthand, and the
aggregated learnings from this data and our experience give us
a unique perspective on this problem. We collect and organize
this data, because like any problem, you cannot solve it until
you understand it. The analogy we use is that you cannot build
safe cars without studying lots of car crashes.
In addition to analysis, our firm has voluntarily and
proactively reported subsets of our data to law enforcement
from every attack we have ever worked on since inception of our
firm. This data is used by law enforcement to augment active
investigations into the criminal groups that carry out these
attacks.
We are grateful for the work that Chairman Peters and
Ranking Member Portman, along with the Committee staff, have
already completed in publishing the staff report ``Case
Studies In Ransomware Attacks On American Companies'' and the
Majority Staff report ``Use of Cryptocurrency in Ransomware
Attacks, Available Data, and National Security Concerns.'' Both
of these reports highlight acute issues, and we are grateful
that this Committee is collaborating with public and private
industry on them, and that the Committee Members are already
pursuing and passing new legislation.
I would like to quickly address two primary areas of focus
in these reports, first with regards to cryptocurrency.
Financially motivated cyber criminals almost universally
denominate ransom demands in cryptocurrency. The popularity of
cryptocurrency with cybercriminals is rooted in protecting the
ransom payment from law enforcement seizure and the efficiency with
which the money can be laundered. The percentage of a ransom
that finds its way to the cybercriminal's pockets is
substantially higher when cryptocurrency is used versus other
currencies or stores of value.
This is clear when looking at the recovery rates between
two types of cybercrime, wire fraud and ransomware. If reported
within 72 hours, illegitimate wires can typically be reversed
and recovered. No such mechanism exists with cryptocurrency.
It is important to note that unlike financial theft,
ransomware is much more akin to a kidnap and ransom incident.
Victims may not want their funds reclaimed out of fear that the
criminals will not reciprocate with decryption keys, critical
to restore an organization's business. Reclaiming a ransom also
requires that the victim make a timely report to the correct
branch of law enforcement. Moreover, for a trace and seizure to
be successful the end destination of the cryptocurrency must be
within the reach of Western law enforcement. Most of the time,
one or several of these variables inhibit a trace or seizure
from even being started, let alone successful.
It is also important to note that some form of currency,
whether it be physical fiat, digital, or cryptocurrency, has
always been used for lots of different types of extortion.
Ransomware existed before the advent of cryptocurrency, and it
will persist if cryptocurrency were to ever disappear. As long
as ransomware attacks are profitable to carry out against
organizations with weak cybersecurity, cybercriminals will
continue to proliferate these attacks.
This brings us to the second topic of today's hearing,
mandatory reporting. Coveware has been vocal in our support for
mandatory reporting for some time. Our hope is that reporting
requirements will eventually be extended to all victims of
ransomware, not just organizations under the oversight of CISA.
As with any new law the efficacy lies in its
implementation. This hearing is uniquely timed to allow
policymakers to understand the dynamics of reporting and to
ensure that final rules achieve the targeted impact.
We believe there will be two primary impacts to mandatory
reporting. First, the U.S. Government will gain clarity on the
scope of the problem. As was clearly documented in the Majority
Staff Report, the variance between privately reported
ransomware statistics and agency reported statistics is
cavernous. Collecting accurate statistics is step No. 1 and
table stakes.
Gaining clarity will allow agencies to more confidently
resource their responses, and we are encouraged to see that the
Cyber Incident Reporting Act authored by Chairman Peters and
Ranking Member Portman has begun to outline a clear path for
reporting and unique agency responsibility.
The second impact will be in providing greater clarity on
what to do about the problem. Gaining this clarity will hinge
on what information CISA collects, and if CISA or other
regulatory or law enforcement agencies are able to scalably
digest the information reported to them. This new legislation
has the potential to answer major questions, and enable CISA,
the Federal Bureau of Investigation (FBI), the Department of
Homeland Security (DHS) and other agencies to make meaningful
progress on this problem.
If not implemented correctly, however, this new legislation
also has the potential to completely bury these agencies with
unstructured data that cannot be parsed or analyzed at scale.
This would render this new legislation completely ineffectual.
Great care and focus should be applied to what information is
collected, and how this information is organized so that the
velocity of analysis, recommendations and actions can achieve
maximum efficacy.
Thank you very much, Mr. Chairman. I look forward to
answering the Committee's questions.
Chairman Peters. Thank you, Mr. Siegel.
Our final witness is Jackie Burns Koven, Head of Cyber
Threat Intelligence at Chainalysis, one of the leading cyber
analytics companies that specializes in providing data,
software, services, and research on blockchain technology.
Ms. Koven has extensive knowledge and experience in the
cybersecurity sector, and as the Head of Cyber Threat
Intelligence Ms. Koven leads efforts to track ransomware
operators and their enablers on blockchains. Prior to joining
Chainalysis, Ms. Koven served in the intelligence community.
Ms. Koven, welcome. You may proceed with your opening
remarks.
TESTIMONY OF JACKIE BURNS KOVEN,\1\ HEAD OF CYBER THREAT
INTELLIGENCE, CHAINALYSIS
Ms. Koven. Thank you. Chairman Peters, Ranking Member
Portman, and distinguished Members of the Committee, thank you
for inviting me to testify before you today on this very
important topic.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Koven appears in the Appendix on
page 48.
---------------------------------------------------------------------------
My name is Jacqueline Koven and I am the Head of Cyber
Threat Intelligence for the blockchain data platform,
Chainalysis. In this role, I track ransomware operators and
their enablers on the blockchain. I also coordinate with global
law enforcement, ransomware research, partnerships, and joint
initiatives.
This hearing could not be more timely. We have seen
ransomware attacks increase significantly over the last few
years, with ransomware attacks on critical infrastructure, law
enforcement agencies, health care providers, municipalities,
schools, and other businesses. While it is true that
cryptocurrency is generally the predominant form of payment in
these cases, it is not true that cryptocurrency is the cause of
ransomware attacks.
If there is one point I want to make to the Members of this
Committee it is that the transparency of cryptocurrency and
blockchains enhances the ability of policymakers and government
agencies to detect, attribute, and ultimately disrupt illicit
activity. In fact, it can be much easier to investigate cases
involving the illicit use of cryptocurrency than other forms of
payment. By identifying an illicit actor's cryptocurrency
wallet, for example, from a ransom payment, law enforcement can
gain insight into not only the cash-out destination but also
the network of accomplices and malicious tools underpinning the
threat actor's campaign.
In contrast, in a traditional financial investigation where
that same actor is tied to a bank account, it is the beginning
of a long resource-intensive process to subpoena records that
can seldom generate a remotely comparable amount of insight and
certainly not as timely. The investigative challenges would
compound even more were that same illicit actor tied to a cash-
based transaction.
Our ransomware data shows that there are at least $712
million worth of ransom payments in 2021, and while almost
certainly an undercount of ransoms paid, this figure
constitutes a record-breaking year in terms of ransomware
revenue. This shows the magnitude of the ransomware problem and
underscores the importance of enhanced reporting initiatives.
One of the biggest trends we have recently observed is an
increase in the rebranding of ransomware strains. This is
likely in part to evade government scrutiny but also, in some
cases, to obfuscate a ransomware group's connection to a sanctioned
entity so that victims might still pay. We can often discern
these rebrand attempts via blockchain analysis, which enables
us to identify links between ransomware gangs using their
cryptocurrency footprint.
Extortion tactics have also evolved to skirt traditional
definitions of ransomware. More groups have emerged that will
not encrypt victims' files but will still exfiltrate data and
threaten to release or sell the data unless a ransom is paid.
This trend means that policymakers and government agencies will
need to be flexible about cyberattack definitions when
requesting reporting on these events to encompass emerging
threats.
I further detail the evolution of ransomware groups in my
written testimony, including the geopolitical aspects of
those threats, ransomware money-laundering techniques, and the
impact of law enforcement and the Office of Foreign Assets
Controls (OFAC) actions against ransomware actors and their
facilitators.
U.S. policies must leverage a whole-of-government approach
for reducing ransomware attacks and mitigating their impact
that incorporates private-public sector partnerships. In my
written testimony I make a number of recommendations for this
Committee and Congress to consider in order to improve the
government response to this threat, and I will share just a few
of these now.
First, it is vital that we improve ransomware reporting and
information sharing. There should be clear guidance on when,
what, and where to report incidents, and this information
should be shared swiftly with law enforcement agencies to
operationalize. In addition, we must ensure government agencies
have adequate funding for the training, tools, and resources
they need to conduct these investigations that require the
development of new skill sets and government agencies to work
quickly in order to keep up with the evolving threat landscape.
Finally, the U.S. should also work with other countries
around the world to assist them in the development and
implementation of robust anti-money laundering laws for
cryptocurrency businesses to ensure that bad actors are cut off
from cashing out their ill-gotten gains in unregulated
jurisdictions.
Thank you, and I look forward to answering your questions.
Chairman Peters. Thank you, Ms. Koven.
On May 24th, after a 10-month investigation, I released a
report on the rise in ransomware attacks and the use of
cryptocurrency as ransom payments in these attacks, a report I
entered into the record in my opening comments. One of my
report's key findings is that the Federal Government simply
does not have comprehensive data on the ransomware threat
landscape.
Ms. Stifel, I have two questions for you. First off, do you
agree with this finding, and second, in the Institute for
Security and Technology's Ransomware Task Force report your
organization advocates for mandatory reporting requirements on
ransomware attack payments made in cryptocurrency. Why do you
believe that this data is necessary? If you could answer both
those questions I would appreciate it.
Ms. Stifel. Senator, I do agree with the observation or the
finding that there is not sufficient information within the
government's holdings about payments in cryptocurrencies. We
know, as has been highlighted in the testimony of Ms. Koven as
well as Mr. Siegel, that there are many who attempt to comply
with these requirements and regulations. However, there are
also those who do not, and this leads to a significant amount
of discrepancy in the amount of information that may be
available to those in the ecosystem versus those who are
receiving information on the government side.
The other challenge here is that within the organizations
that do collect information on the government side, whether it
be the Financial Crimes Enforcement Network (FinCEN), CISA, or
the FBI's Internet Crime Complaint Center (IC3), they ask for
different types of information, which also contributes to a
disaggregated picture of the threat.
With regard to your second question, Senator, we believe
that the mandatory reporting requirement will help the
government have a better picture of the actual scale and scope
of this threat. We also believe that that information needs to
get into the hands of the private sector who, as I mentioned in
my testimony, can work with the government to collectively
combat these actors when the information is delivered in a
timely manner and is relevant.
I do agree significantly with Mr. Siegel's comment that the
government needs to be very structured in the way that it seeks
the information that it will receive under the reporting
requirement of the recently passed legislation. It is critical
that the information be relevant and that the government is
equipped to manage the information, not only in analyzing it
itself but also in ensuring that it can receive and disseminate
the information to private sector actors who can appropriately
manage the information and take appropriate action with
respect to it.
Chairman Peters. Thank you. During my investigation,
Federal agencies expressed to my team concerns with gaps in the
ability to enforce anti-money laundering laws applicable to
cryptocurrency against illicit actors outside of the United
States. The report found that such gaps impede law
enforcement's ability to investigate, to prosecute, and prevent
cryptocurrency-enabled crimes.
Ms. Koven, and then Ms. Stifel, I will ask you to answer
this question after Ms. Koven answers, what shortfalls do you
see regarding enforcement of anti-money laundering regulations
with respect to illicit cryptocurrency transactions, both in
the United States and abroad? The second question, what has
happened to address these shortfalls, and can regulations alone
solve this problem, or does Congress have a role here?
If you could handle those questions for me now, and then
Ms. Stifel after Ms. Koven.
Ms. Koven. Thank you for your question, Senator. Yes, we
have observed a winnowing down of the cash-out destinations for
illicit actors, including ransomware actors, mainly to offshore
exchanges with little to no regulation and enforcement, which
underscores our recommendation for enhanced U.S. assistance in
implementing anti-money laundering (AML) laws, to cut off those
illicit cash-out destinations.
We have also observed the increased utilization of mixing
services by these threat actors, to obfuscate the destination
of these ransomware proceeds. I can point to a number of
government successes over the last year that have actually used
blockchain analysis to trace payments to these high-risk
exchanges and law enforcement action against Garantex,
Blender.io, Chatex, and Suex, primarily services based in
Russia.
What we saw as a result of these designations, especially
against Suex, was that deposits dropped nearly to zero as soon
as the designations were rolled out.
There are a number of policy options for these illicit
cash-out destinations, and blockchain forensics is a key tool
in being able to identify where these threat actors are cashing
out. If we look at Blender.io, that mixing service in
particular, it was not only used by multiple ransomware groups,
it was also used by North Korean launderers from stolen funds.
These threat actors are going for the paths of least
resistance, but it has narrowed down considerably to a handful
of services that the United States can help support with
implementing AML regulations.
Chairman Peters. Thank you, Ms. Koven. Ms. Stifel.
Ms. Stifel. Thank you for the question, Senator. I would
agree with Ms. Koven that the impact of regulation in the
United States has resulted in many cases in the offshoring of the
ability for these actors to convert a cryptocurrency into fiat,
and as a result the absence of regulation overseas has provided
this pathway for the conversion to continue to facilitate the
demand and the desire for ransomware as a tool to generate
financial gain.
In other words, were we to have a more consistent
regulatory environment internationally, through the application
of know your customer anti-money laundering (KYC AML) and other
regulatory measures, by working with partners, including
through the Financial Action Task Force (FATF), that has been
effective in the terrorism instances, that would provide a
pathway, I think, for making a more significant impact on the
ability for governments to obtain information that could
facilitate arrests or other disruptive measures against these
criminal actors.
Senator, you also asked about the role of Congress here,
and I would agree. I think reporting legislation is a
significant step forward. It was something that was called for
in our task force report, as you mentioned. I think there is
also an opportunity for Congress to continue to also clarify
other measures that private sector entities may take with
respect to information about cybersecurity incidents, including
by clarifying the scope of the Cybersecurity Information
Sharing Act of 2015, and to be constantly mindful of the
importance of there being harmony across, and not overly
complicating matters with respect to ongoing regulatory
opportunities, looking to streamline the process to allow for
consistency in application so that victims are clear where they
need to report, what they need to report, and within what
period of time. Also their role in ensuring that they are
working to, and equipping them to better maintain their systems
in a more secure manner to reduce the likelihood of ransomware
in the future.
Chairman Peters. Thank you. Senator Hawley, you are
recognized for your questions.
OPENING STATEMENT OF SENATOR HAWLEY
Senator Hawley. Thank you very much, Mr. Chairman. Thanks
to all of the witnesses for being here.
If I could start with you, Mr. Siegel. You said in your
written testimony that financially motivated cybercriminals
almost universally denominate ransom demands in cryptocurrency.
Can you just expand on that? Why is that and what are the
implications?
Mr. Siegel. For the most part ransomware actors know that
they want to cash out their illicit proceeds using the most
efficient means. Cryptocurrency is the most efficient means. It
has great scale. They can move it very quickly across borders.
It can be moved without worry of being reclaimed unless they
make an operational security mistake or unless they move it
through an exchange that participates with Western law
enforcement. They also know that they have options to move
their proceeds between different types of cryptocurrencies,
which can further aid in the obfuscation and money laundering
process and better the chances that a higher percentage of
those ransom proceeds make it to their pocket at the end of the
day.
Senator Hawley. Is there a specific cryptocurrency that is
more often used than others for ransom demands, to your
knowledge?
Mr. Siegel. Bitcoin is the predominant one, but I would
note that some actors denominate their demands in other
privacy-enhanced cryptocurrencies, like Monero. Even when
Bitcoin is used for a ransom payment it is common for the
Bitcoin to be exchanged into one of these privacy coins further
down the money laundering process, to obfuscate the end
destination.
Senator Hawley. Got it. Let me ask you this. I understand
that there are about 10,000 active cryptocurrencies. That is up
from 63, I think it was, a decade ago. That is incredible
growth. Has the growing number of cryptocurrencies influenced
how ransom demands are being made, in your observation?
Mr. Siegel. No, it has not.
Senator Hawley. Interesting. Are new coins being made with
criminal intentions in mind, do you think?
Mr. Siegel. It is certainly possible. I would bifurcate
between new coins that are made with the express intent of
committing financial fraud, these kinds of pump-and-dump
schemes. Then what would appear to be legitimate projects, like
Monero and others, that are aimed at the enhanced privacy of
the coin itself, but with that come the attractiveness to the
cybercriminals to use those coins for the money laundering
process.
Senator Hawley. Are new coins being purposely designed or
being made and purposely designed to be more opaque, in your
observation?
Mr. Siegel. Some of these privacy coins are. That is the
intention of the design, is to make them more private. I would
note, though, that there are two challenges to having a coin
actually be adopted by a large group of cybercriminals. No. 1,
it has to work, and No. 2, it must be liquid. If there are
thousands of completely illiquid privacy coins, but you cannot
really buy or sell them, no one is going to use them, including
cybercriminals. This is one of the reasons that Bitcoin is
predominantly used: it is the most liquid.
Senator Hawley. Got it. Ms. Koven, let me ask you, you said
just a minute ago that the use of crypto can actually enhance
these investigations, investigations into ransomware demands.
You said in your written testimony that due to its transparent
nature it can be much easier to investigate cases involving the
illicit use of cryptocurrency than other forms of payment.
Can you just expand on that? I think that is an interesting
point, maybe a counterintuitive point. Can you just say more
about that?
Ms. Koven. Thank you for that question, Senator. As Mr.
Siegel testified, Bitcoin is the predominant currency demanded
in these ransomware cases. What blockchain forensics and the
transparency of the blockchain can provide is the ability to see the
cash-out destination of these currencies to exchanges that
enable law enforcement to subpoena those exchanges, or know
your customer information, as well as potentially freeze the
accounts.
We can also move further up the kill chain to understand
that threat actor and their wallet and the goods and services
that they are purchasing that actually comprise that campaign,
everything from malware-as-a-service, access brokers, to
compromised credentials and victim systems, to malware
crypters, and all of those networks that are underpinning these
attacks.
Senator Hawley. Why do you think it is that criminals are
disproportionately using cryptocurrencies as opposed to, say,
U.S. dollars? Do you agree with Mr. Siegel's analysis? I mean,
what would you say about that?
Ms. Koven. Thank you. The same reason that Bitcoin is
attractive to criminals is the same reason it is attractive for
trading in a store of value. We have actually calculated that
only 0.14 percent of overall transaction activity was criminal-
related, of the $15 trillion of transactions last year.
It is the liquidity issue. Monero is illiquid and it is
impractical to use. Many cryptocurrency exchanges have delisted
Monero because of regulatory guidance about Monero and privacy
coins in general.
Senator Hawley. Very good. Let me ask both of you about
reporting requirements. I think, Mr. Siegel, in your written
testimony you note that reporting requirements could burden
Federal agencies with unstructured data that cannot be paired
or analyzed at scale. Have I got that right? Am I remembering
correctly?
So give me a sense, in light of that, how should agencies
optimally implement reporting requirements, that they are
effective?
Mr. Siegel. Sure. I believe that agencies should look to
establish standardized frameworks such as National Institute of
Standards and Technology (NIST) or the MITRE ATT&CK framework
that standardize the tactics, techniques, and procedures that
the threat actors are utilizing. These frameworks come with
standard hierarchies, standard names, standard codes.
Ransomware attacks are incredibly repetitive.
The value of collecting the bottom end, the unstructured
log data, which could be hundreds of gigabytes or terabytes for
a single attack, is very minimal, but the value in abstracting
that up a couple layers of altitude to just the tactics and
techniques and procedures so that CISA could very quickly say,
``OK, we have 10 reports that happened last week. They all used
these tactics. These are tactics that we have not seen before.
Let's get a timely warning out.''
Conversely, if they were to collect the unstructured data
it could require an army of individuals to perform weeks of
forensic analysis before those same conclusions could be
reached.
Senator Hawley. Do you have a view on this, Ms. Koven,
about the optimal implementation of reporting requirements by
agencies?
Ms. Koven. No, I agree with Mr. Siegel that the
standardization is extremely important to be able to
operationalize that information swiftly so that they can be
used to subpoena cryptocurrency businesses and used for
attribution and accountability of these threat actors. We had
seen this in multiple high-profile cases, including the
Netwalker ransomware takedown, where the most prominent
affiliate of that group was actually arrested in Canada.
I think being able to operationalize and share these at
scale can lead to further successes.
Senator Hawley. Very good. Thanks to you both. Thank you,
Mr. Chairman.
Chairman Peters. Thank you, Senator Hawley. Next we have
Senator Lankford, but Senator Lankford, I understand, has
graciously agreed to recognize Senator Rosen, who has to
preside.
Senator Rosen, you are recognized for your questions.
OPENING STATEMENT OF SENATOR ROSEN
Senator Rosen. Thank you, Mr. Chairman. Thank you, Senator
Lankford. I appreciate it. I want to thank the witnesses for
being here and testifying today.
As a former software developer I helped to develop company-
wide disaster recovery plans, develop and execute them, all the
different scenarios. I have both experience and many thoughts
on this matter, but we will talk about cryptocurrency today.
I want to talk a little bit about small business
cybersecurity, because as the HSGAC Majority Staff Report on
Ransomware and Cryptocurrency outlines, all it takes is one
ransomware attack to cause a small company to go out of
business. According to a recent Small Business Administration
(SBA) survey, 88 percent of small business owners felt their
business was vulnerable to a cyberattack.
Yet, of course, many businesses cannot afford to adopt
professional IT solutions, hire cybersecurity professionals,
and actually they have a limited time to devote to
cybersecurity as they focus on growing their companies.
To help small business manage cyber risk, Senator Cornyn
and I introduced the Improving Cybersecurity of Small Entities
Act. This is bipartisan legislation to direct Federal agencies
to develop common-sense cybersecurity recommendations, provide
training for those small entities, including small businesses.
This legislation passed out of this Committee in February, and
hopefully will tell people the importance of offsite backups
and how they use their journals, all kinds of things like that,
of course, we know that they need to recover.
But ransomware, Mr. Siegel, how do the ransomware criminals
choose their victims in the small business community? What are
some of the trends that you are seeing, and in terms of tactics
and techniques, what are they using specifically? Are they just
going after the data? Are they going after modifying the
programs with malware where restoring backups may not be as
effective, or effective at all?
Mr. Siegel. Thank you for your question, Senator. We would
describe ransomware attacks as opportunistic, not targeted. We
view this problem as an economic problem, and targeting a
specific company is uneconomical. There are numerous ways that
ransomware actors can impact a small business or a large
business, and most of those ways come from purchasing
previously breached credentials or by mass-scanning the
internet through freely available tools that allow them to look
for vulnerabilities.
So they essentially are combing the internet, picking up
lists very quickly, finding the lowest-hanging fruit, and then
attacking those companies.
For instance, at the other end of the spectrum, the
Colonial Pipeline attacks, I wholeheartedly believe that that
was not a targeted attack meant to disrupt U.S. critical
infrastructure. I do not think those attackers had any clue
that that company controlled the volume of gasoline on the East
Coast, and that would create a political issue, because U.S.
consumers really do not like it when gas prices go up, and that
it would cause a geopolitical issue. I think they saw a big
energy company with a large balance sheet and the potential for
a large ransom.
I think that same thinking applies to small businesses.
When they find a target that is going to take them 15 to 20
minutes to compromise, and they can earn $50,000 to $100,000,
potentially, of a ransom payment, that is too economical to not
do.
A lot of the recommendations that we have made in our
testimony, and a lot of the things that we talk about are to
recognize that there is no silver bullet to this problem, but
there are lots of different ways to impose costs. The
ransomware kill chain, as we have discussed today, is one of
those ways. But these incremental ways that companies can
incrementally harden themselves, to make themselves harder
targets, more expensive targets, we think are the best ways to
actually achieve an exponential reduction in risk versus a
linear one, as may be perceived, with just making small
additions. But the reality is most small businesses have these
very easy-to-exploit vulnerabilities present, and closing those
vulnerabilities is a process of just knowing what they are and
finding the time or budget to close them.
Senator Rosen. Thank you. I agree with what you are saying,
and obviously the data is bearing it out.
In the two minutes I have left I want to move over to
health care cybersecurity, because, of course, this has really
been increasing, attacks on our hospitals and clinics. As we
even use more medical devices we understand the vulnerabilities
there. In the FBI's 2021 Internet Crime Report the health care
sector fell victim to ransomware far more than any other
critical infrastructure sector last year. Health care entities
increasingly are the target of these malicious cyberattacks.
They result not only in data breaches but driving up the cost
of care, and maybe ultimately even affecting patient outcomes.
Senator Cassidy and I introduced the Health Care
Cybersecurity Act. Again, it is bipartisan legislation that
would require CISA to coordinate with and make resources
available to health care and public health sector entities,
including by developing products tailored to the specific needs
of small and rural hospitals--they have been a big target--and
our health clinics.
Mr. Siegel and then Ms. Koven, with the ransomware
criminals rapidly evolving their tactics, techniques, and
procedures, how do you think this variety of health care
entities can stay ahead of these threats and heighten their
defenses against ransomware?
Mr. Siegel. Thank you, Senator. I can testify from
experience, having dealt with a number of hospital cases, that
there is nothing more horrific than a ransomware attack on a
health care institution that puts patient care at risk. It is
the most sensitive areas--the emergency room (ER), the neonatal
intensive care unit (NICU), oncology--that depend on electronic
medical records (EMR) software to provide critical patient
care. When those things go down that care cannot be delivered.
Our sense is that, especially for critical infrastructure
companies, having proper security is no different than the
maintenance of a bridge. It is part of the cost of doing
business, and it should be properly overseen and properly
regulated.
As these attacks and tactics evolve, there is no getting
around these organizations making a substantial and continued
investment in their people, in their technology so they can
stay ahead of these things and continue to provide this
critical care.
Senator Rosen. I know I only have a couple of seconds left.
I have to go preside. Can you speak briefly to it, and then I
am going to run to the presiding chair on the floor. Thank you.
Ms. Koven. Thank you. It is easy to lose the human cost and
the toll when you look at ransomware figures, like $712 million
paid those smaller businesses and hospitals, for example. We
have actually calculated the median ransom payment is $6,000,
so potentially smaller victims that do not necessarily make
headlines but the impact is still devastating. Whether or not
these institutions pay can still be devastating with the costs
of remediation.
The other issue is that a lot of these smaller businesses
and hospitals are not necessarily equipped to be able to
understand the sanctions risk of potential payments, and so
being able to support them in that way is important.
I will also add that the threat actors that are targeting
the small businesses are also targeting the hospitals and other
forms of infrastructure. So being able to shine a light on
those tools and services, those threat actors that are
underpinning this criminal economy that is driving ransomware
is critical to disrupting ransomware.
Senator Rosen. Thank you so much. I really appreciate you
being here. Thank you again, Senator Lankford. Mr. Chairman.
Chairman Peters. Thank you, Senator Rosen. Senator
Lankford, you are recognized for your questions.
OPENING STATEMENT OF SENATOR LANKFORD
Senator Lankford. Thank you. Thanks to all the witnesses
that are here. I want to walk through a little bit of the
reporting and the cooperation and duplication within
government. Just back of the envelope, as I look at this, FBI,
CISA, Homeland Security Investigations (HSI), Treasury, U.S.
Secret Service (USSS), the Securities and Exchange Commission
(SEC) all have cryptocurrency entities, all say, ``Report to
us. We want to be able to help through all this process.'' From
entities on the outside working this cornucopia of three-letter
agencies that are across the Federal Government that all have a
cryptocurrency, cryptocrimes section of it, what does that look
like? What are you getting as far as feedback?
I would like all three of you to be able to respond to
that. All three of you have some insight on that. Mr. Siegel,
do you want to go first?
Mr. Siegel. Sure. While it would be great if one agency
could handle all of this, the reality is all the agencies have
a specific role and function in imposing costs on these threat
actors. I think the legislation that has recently been passed
has taken the appropriate first step of designating a single
agency and possible cooperating agencies to handle the initial
inbound and triage of the reporting data, and then routing that
information to the proper branches for investigations of
different shapes and sizes.
I think it was noted in the CEO of Colonial Pipeline's
testimony some of the frustration that he felt being
overwhelmed with the volume of inbound duplicative requests
from law enforcement agencies and regulators while he was
trying to manage his company through an incident. I felt for Mr.
Blount during that testimony. It can be distracting if a victim
of ransomware contacts the wrong agency. It can be distracting.
I think it is important, through this legislation and the
rulemaking process, that it be made crystal clear where victims
of ransomware, based on their State jurisdiction, regulatory
jurisdiction, by industry, where they should go and what those
requirements are so that the private industry, principally
attorneys that advise and assist these victims, can study this
and then give practical, timely advice and direct those victims
to the proper agency in a timely manner.
Senator Lankford. Ms. Koven.
Ms. Koven. Thank you, Senator. I commend the legislation,
specifically the tenets to aggregate and standardize the
reporting. As an example, our data has recorded 14 times more
ransomware payments than what was reported to FBI via IC3. This
legislation will help bolster their intelligence.
In order to handle this amount of data coming their way I
would hope the agencies are resourced appropriately with the
tools and resources they need to operationalize this
information, that can lead to the arrest and seizures of
cryptocurrency payments. We have seen a number of successes
from multiple agencies over the last year, targeting various
facets of the kill chain, targeting those illicit cash-out
destinations that are laundering the proceeds, targeting
specific threat actors and holding them accountable, and
imposing costs by denying them the cryptocurrency payment
that they sought.
So enhanced training and tools to be able to operationalize
the influx of data, but also, I think, global cooperation with
the U.S. agencies and global agencies is very important as the
threats that are facing our global partners are also the same
ones that are attacking us today.
Senator Lankford. We will come back to that. Ms. Stifel.
Ms. Stifel. Thank you, Senator. I would agree with my
fellow witnesses that there needs to be, as I mentioned a few
minutes ago, greater clarity and simplicity in the ability for
victims to share information with the government.
The other piece of this, of course, though, is that, as Ms.
Koven just alluded to, there is a significant need for there to
be adequate resources within departments and agencies to both
ingest the information but also really to establish those
relationships in the first place that facilitate this
information sharing from victims to the government. Some will
be required to do so under the legislation once the rulemaking
process is complete, but others will not.
The ability to have adequate resources within the field,
whether it be within CISA's regional staff members, whether it
is with Secret Service or FBI agents, it is really critical to
establish those relationships within the community in order to
better equip the government as well as the private sector to
play a meaningful role in combating ransomware wherever we, as
I mentioned, find cybercriminals going next.
Senator Lankford. When you say ``the community,'' you are
not talking about individual businesses. You are talking about
entities that actually coordinate this, private businesses that
work with other private businesses to be able to protect them
from ransomware. Is that correct?
Ms. Stifel. It is both, I would say. Yes, it is. It is
those who are working to help victims manage their unfortunate
ransomware incident but actually we often talk about and
encourage organizations to establish a relationship with CISA
and with FBI before they become the victim of an incident. It
is better to know who to call and what may be useful to the
government, learn that information ahead of time so that when
the unfortunate day occurs there is already an established
working relationship and that can facilitate a much more rapid
response, both for the government but also for the victim.
Senator Lankford. That is part of the challenge I want to
lay out here, though. You do not know if that relationship is
with FBI, with CISA, with HSI, with Treasury, with Secret
Service, who that might be. It is one thing to be able to say
they need to develop relationships, but to be able to maintain
relationships with all those entities because they all will
come calling. I left out--you were talking about the Colonial
Pipeline--with the Department of Transportation (DOT), they may
show up as well, and multiple other entities would show up as
regulators to say, ``Did you fill out the paperwork?''
This is still a convoluted mess at the worst possible
moment for a company, for a hospital, whatever it may be, that
just had a ransomware attack, and now they are getting
bombarded with all these different Federal entities, calling
them and wanting information in detail on this.
There has to be a single source. I know we are in the
process of working that through. But we have to also not just
have one as a primary but the others turn that off in the
process of going through that.
I do need to clarify, as well, Ms. Koven, you talked about
trying to be able to actually follow through, arrest, recover
the information. From the Chairman's information of what they
worked through already on this, 74 percent of the entities that
are doing ransomware are Russian, Russian-affiliated, or
Russian-controlled. The recovery at that point, in working with
local law enforcement, clearly they are not going to cooperate.
What is the best tool at this point to be able to get
engagement?
Ms. Koven. Thank you for that question, Senator, and that
is a primary focus for us. There have been several examples
over the last year that have illustrated that even if the
perpetrator is out of reach of U.S. law enforcement we can
still impose costs. We can still seize assets. We can leverage
our global partnerships to be able to triangulate these threat
actors. We have also taken actions against their cash-out
destinations. A lot of Russian-based services like Garantex,
Suex, and Chatex have been on the designation list, and it has
severely inhibited their businesses.
There are a number of ways we can still impose costs and
then also work up the kill chain to identify those threat
actors and enablers that access brokers, malware-as-a-service
providers that are also fueling these campaigns.
If the Netwalker case is any example, this is a global
problem. That Netwalker affiliate was a Canadian-based individual
and the most profitable affiliate of that cybercrime ring.
Senator Lankford. OK. Mr. Chairman, thank you.
Chairman Peters. Thank you, Senator Lankford. Senator
Hassan, you are recognized for your questions.
OPENING STATEMENT OF SENATOR HASSAN
Senator Hassan. Thanks so much, Mr. Chairman, and thanks to
you and the Ranking Member for holding this hearing, and to all
of our witnesses, thank you for sharing your expertise with us
and for being here today.
I want to start with a question to Ms. Stifel.
Cryptocurrency can be used for illicit purposes, including in
cyberattacks, such as when most of the $2.3 million stolen from
the town of Peterborough, New Hampshire, was quickly converted
to cryptocurrency to make it unrecoverable.
Last September, I wrote letters to several agencies,
including the Department of Justice, the Internal Revenue
Service (IRS), and the Financial Crimes Enforcement Network
asking what actions the Federal Government can take to help
reduce the illicit use of cryptocurrencies.
In the IRS's response to my letter the agency made several
suggestions, including increasing know-your-customer
requirements and strengthening suspicious activity reporting
and compliance for businesses connected to cryptocurrency
markets.
Ms. Stifel, could you discuss why these are important and
how you would strengthen these requirements to help combat
illicit uses of cryptocurrency?
Ms. Stifel. Thank you, Senator. The utility of KYC
requirements, suspicious activity reports, and other mechanisms
through which the government can receive information about
ransomware attacks, and particularly payments associated with
them is essential to, as we talked about, following the money
and facilitating not only industry but also the government in
getting an adequate picture of what is happening with these
payments, the affiliates and the actors who are continuing to
launch these types of incidents.
Unfortunately, though, as we have also talked about today,
there is inadequate and inconsistent compliance with these
requirements, particularly when you leave the United States'
jurisdiction.
I would also note, though, that there are--and this is
hopefully clear in the diagram that I shared in my written
testimony--there are a number of other entities within the kill
chain that may not have reporting requirements but may have
relevant information, and oftentimes they currently work with
each other to share that information with the government. I
think there is an opportunity to look at other ways through
which the government can obtain information, not necessarily
from those who are currently subject to KYC and AML
requirements.
Senator Hassan. Thank you, and we will follow up with you
on your diagram and information, as well.
To both Ms. Koven and Ms. Stifel, in your written testimony
both of you commented that sanctions can be effective in
preventing criminals from receiving or laundering ransomware
payments. Do you believe that the Federal Government should
more aggressively sanction ransomware groups and entities that
help launder ransom payments, and what are the barriers to
implementing more aggressive sanctions?
We will start with you, Ms. Koven.
Ms. Koven. Thank you for your question, Senator. I defer to
policymakers on whether more sanctions should be enforced. But
I will say that the impact of sanctions on some of these
services that had been identified as participating in
ransomware laundering--Garantex, Suex, Chatex, Blender, the
mixing services--sanctions have been catastrophic to their
business, severely damaging their operations. There have also
been designations against specific individuals tied to
ransomware groups.
I think we have also seen that sanctions have impacted
ransomware groups' ability to receive payments from certain
victims once they are designated, because we can use blockchain
forensics to actually identify ransomware groups rebranding,
trying to obfuscate their connection to sanctioned entities.
We do provide tools and services for transaction
monitoring, to identify when a payment is made to a sanctioned
jurisdiction or potentially sanctioned entity, and I think
further implementation of those can also help prevent or
identify any kind of sanctions violations.
Senator Hassan. Thank you. Ms. Stifel.
Ms. Stifel. Thank you, Senator. In the task force's report
that we published last year we noted, and as has been also
discussed in the hearing today, the need for an all-tools
approach to combating ransomware. As Ms. Koven has mentioned,
and we have also seen recent reports from members of the
Administration, it appears that sanctions have been effective
in reducing the ability for ransomware actors to cash out their
proceeds. So that suggests that they have been an effective
tool.
With respect to your question about what barriers exist to
the use of sanctions in this kind of all-tools approach, I
would point to the concern around the degree of information
that is reported about ransomware activity with an adequate
picture of the scale and scope of this type of cybercrime. It
inhibits the government's ability to identify and develop that
sanctions package that allows them to fulfill the requirements
under sanctions laws and regulations to have sufficient
evidence to designate a particular entity and then for the
private sector to then follow through with their requirements
to prohibit and limit the ability for those actors to gain
their proceeds.
Senator Hassan. Thank you.
Mr. Siegel, in your written testimony you indicated that
some ransomware victims do not want law enforcement to try to
recover their ransomware payment because they are worried that
the criminals will not honor the commitments made in return for
the ransom payment. This obviously presents a potential problem
because those payments make ransomware profitable and help
facilitate future cyberattacks. There are also likely other
victims who do not want to involve law enforcement at all.
In your experience working with ransomware victims, what
percentage of victims do not want to recover their payments,
even if they are given a viable option, and what percentage of
victims do not want to involve law enforcement at all, and what
do you think we could do to alleviate their worries?
Mr. Siegel. I would say that if it were a risk that the
victims would not get their deliverables, the decryption keys
or these things, which they are a prize that has a
potential risk, that number could fluctuate between 0 and 100
percent. I would say that, in general, probably close to half
of the victims would volunteer to have their money seized or
reclaimed because they are not as concerned about possible
recrimination from the threat actors.
As it relates to nonreporting, in the absence of
requirements I would say that the minority of victims of
ransomware would even bother, because it is a hassle to them and
they want to get on with their life.
One of the most challenging aspects that we cited in our
discussions with the staff ahead of this were the ability for
law enforcement to proactively reapproach victims to collect
evidence in the proper format so they can be submitted as
evidence to secure indictments. This process can take months,
sometimes years. When we approached the percentage of those
victims that voluntarily participate it is very low. That is
very frustrating to law enforcement.
I think that through this rulemaking and through mandatory
reporting the door is now open to try and not only collect more
accurate information through the reporting but create
mechanisms whereby law enforcement can reapproach victims of
attacks and secure the evidence necessary to achieve these
indictments.
I would also note, per your prior questions, a lot of the
ability for our agencies to sanction these groups depends on the
investigations, and when those investigations cannot conclude
we cannot get to the finish line on imposing sanctions.
Senator Hassan. Yes. Thank you. Thank you, Mr. Chairman.
Chairman Peters. Thank you, Senator Hassan.
Ms. Koven, you testified earlier that only, I think it is
0.15 percent of cryptocurrencies are used in illicit
transactions, and yet according to your report, the 2022
report, the illicit use of cryptocurrency has grown from $7.8
billion in 2020, to an all-time high of $14 billion in 2021.
The report explicitly acknowledges that such illicit activity,
``represents a significant problem.''
Clearly you have a very small percentage there, but I think
the vast majority of all the transactions in crypto are people
speculating back and forth, kind of similar to the Dutch tulip
mania, as they bid the prices up.
My question, though, is, do we know the percentage of
cryptocurrency that is actually used to buy a legitimate good
or service? I do not think folks are going to Walmart or CVS.
Are people actually using this to buy something? What
percentage?
Ms. Koven. Thank you for that question, Senator. Yes, we
had noted 0.14 percent of transactions last year had an illicit
component to it, and the vast majority of transactions were
legitimate, trading, remittances, and viewing cryptocurrency as
a store of value.
Chairman Peters. But what percentage? What percentage are
actually for products and goods?
Ms. Koven. I do not have that answer on hand. My team can
get back to you. But I would say it is a near daily occurrence
that a new business that you and I might frequent is offering
cryptocurrency as a form of payment. While it is not certainly
prolific--you cannot pay your rent in cryptocurrency today--
there are more and more businesses that are adopting
cryptocurrency as a form of payment. This is a global
phenomenon. You can find more available in other jurisdictions.
What I will say is that because it is more difficult to buy
goods and services with cryptocurrency today it is why
individuals, and even threat actors, rely on cryptocurrency
businesses like exchanges to convert their cryptocurrency to
other forms of fiat, like dollars and euros, which is a great
intelligence lead for investigations.
Chairman Peters. Very good. Senator Sinema, you are
recognized for your questions.
OPENING STATEMENT OF SENATOR SINEMA
Senator Sinema. Thank you, Mr. Chairman. Thank you to our
witnesses for joining us today.
Ransomware attacks have wreaked havoc on communities across
Arizona and our country, from last year's attack on the city of
Kingman to the recent attempted hack against Yuma Regional
Medical Center. Ransomware disrupts our lives, breaches
sensitive data, and causes real-world harm.
Our Bipartisan Infrastructure Law invests in State and
local cybersecurity to combat ransomware, and I co-sponsored
legislation creating new cyber incident reporting requirements.
We need to continue to work together to enhance our
cybersecurity and hold hackers and the countries that provide
them safe harbor accountable.
My first question is for you, Ms. Koven. In March, your
company's co-founder testified before the Senate Banking
Committee. I asked him about some of the more sophisticated
techniques used by ransomware gangs to make ransom payments
harder to trace, including the use of mixer and tumbler
services to combine cryptocurrency from illicit sources with
crypto from lawful sources.
Mr. Levin noted that Chainalysis has actually been able to
successfully demix certain transactions. Without revealing your
specific demixing capabilities, could you expand on this, and
how great of a threat to ransomware investigations do
cryptocurrency mixers currently pose?
Ms. Koven. Thank you for your question, and this is an
especially important topic because we have identified mixers
being incorporated more frequently into ransomware laundering
techniques.
As you mentioned, we have recently publicly disclosed our
demixing capabilities, and while we cannot go into details
because of ongoing investigations, what I can say is that we
make every effort to identify all available mixers that these
threat actors might be able to use so that our law enforcement
partners and investigators, when conducting and tracking
ransomware payments, can understand when they are tracing into
a mixer and do not attempt to trace through it.
Senator Sinema. Mr. Siegel, you help victims negotiate with
hackers and protect their specific company from further harm.
While paying a ransom might be the smart move for a particular
victim, these payments are the fuel that motivates hackers to
keep launching additional attacks. How do you balance the
immediate need to restore a client's systems with the concern
that paying a ransom might put a target on your client's back
in the future? When the decision is made to pay the ransom, how
do you ensure that crypto is not sent in violation of U.S.
sanctions, particularly given how many attacks are linked to
countries like Russia and North Korea?
Mr. Siegel. Thank you for your question. With regards to
the first part on how the decision is made, the use of data is
key. There are certain types of ransomware that can cause a
substantial amount of file corruption. There are certain threat
actors that default if paid, i.e., they do not provide the
decryption tools or keys. Providing accurate information on the
forecasted outcome of what will actually happen if a ransom is
paid is step No. 1, so the company can make a clear decision.
Step No. 2 is for the company to understand that this is an
option of last resort. It has to be weighed against all other
available paths to restore critical data. If there is one myth
with ransom payments it is that it is easy and it is fast. It
is the exact opposite. The vast majority of the time, when
companies have adequate backups, even if those backups are
going to take a very long time to recover, that is actually
faster and is going to avail them to a much quicker recovery
time than paying a ransom.
So step No. 1 is to make sure that they understand the
facts and that they are making a good, data-driven decision.
To your second question about compliance, our firm has
developed a comprehensive compliance program. It comes from our
background. I personally came from the regulated financial
services industry and ran and built large comprehensive
compliance programs. We took with us that compliance program
when we founded our company.
We do three principal things that revolve around the
attribution of the threat actor and other characteristics of
the attack. No. 1 is we are looking at qualitative technical
forensic and cryptocurrency information to check along the
lines of common Bank Secrecy Act (BSA) Know-Your-Customer lines
that the threat actor is not immediately listed on any
sanctions list, both domestically and internationally. No. 2,
we are looking at the wallet address, using products like
Chainalysis to determine if the wallet is clustered or co-spent
with any sanctioned wallets.
And No. 3, most poignantly, is we keep our own internal
restricted list, whereby we are tracking all the known
sanctioned actors, and as they change their identity and
further try and obfuscate who they are over time, we are
tracking these things so that when the same threat actor that
was sanctioned a year ago is on variant number seven to try and
obfuscate their identity, we can identify it.
That is actually the vast majority of the time when there
is a sanctions issue in an active incident, it is not a one-
for-one identification of this name that you were attacked by
is on an actual list. It is this name that you were attacked by
is actually this person or group, and here is the evidence of
how we have made that attribution.
So we perform all of these checks well ahead of any payment
being made. We provide all those facts and circumstances to the
victim and allow them to make the decision accordingly.
Senator Sinema. Thank you.
Ms. Koven, the hackers behind some of the most devastating
ransomware attacks are often located, or in some cases even
sponsored by the governments of countries like Russia, North
Korea, China, Iran. This means that even when we are able to
identify those behind an attack, our criminal justice system is
not able to hold those hackers accountable. That makes it
particularly important that we successfully recover more ransom
payments so these attackers, at the minimum, are not rewarded
for their crimes.
What lessons can we learn from the FBI's successful
recovery of much of the cryptocurrency used to pay the Colonial
Pipeline ransom, and with enhanced public-private partnerships
and data sharing is it feasible to help ransomware victims
recover ransom payments on a more routine basis?
Ms. Koven. Thank you for that question, Senator. Yes, we
have identified nearly 74 percent of ransom payments have a
Russian affiliation, and we have seen, over the last year,
several successes, including the Colonial Pipeline, of asset
recovery from threat actors that exist outside of U.S.-friendly
jurisdictions.
Not only is asset seizure a powerful tool but we have also
been able to cripple some of the primary cash-out destinations,
including those exchanges based in Russia, like Garantex, Suex,
and Chatex, that laundered a large amount of ransomware
proceeds.
I would further like to say there has been nearly $50
million in ransomware funds seized from ransomware-related
actors, and there is also the risk of nation-state actors
getting involved in ransomware that are not focused on the
monetary reward but are using ransomware as a cover for more
strategic aims of espionage and disruption.
Then the question becomes, how did these nation-state
actors get their hands on those tools and services to conduct
the attack? Blockchain forensics can shine a bright light on
those necessary tools and services that facilitate nation-state
actors as well as financially motivated criminal gangs.
Senator Sinema. Thank you. Thank you, Mr. Chair.
Chairman Peters. Thank you, Senator Sinema.
Ms. Koven, I want to go back to, because of the questions
that I was asking related to transactions for goods and
services, you said a lot of businesses now are starting to
accept crypto. Do you have any numbers or any estimate as to
what you are seeing in that area?
Ms. Koven. Senator, I apologize, I do not have those figures
on hand but we can get back to you.
What I did want to say previously is that we have seen a
500 percent increase in cryptocurrency transactions in the last
year, and we have seen many institutional players getting
involved in cryptocurrency and viewing it as an asset class.
This has accelerated the adoption of cryptocurrency for
legitimate use cases, and as you have pointed out, also an
increase in the raw number of illicit transactions that we have
been able to detect. It was $14 billion last year.
Chairman Peters. But I want to be clear. When you are
talking about all the transactions, these are investment
transactions. They are not an increase of transactions of
people actually going out and buying stuff. Maybe help me. If
you are a business and you say you will accept crypto to pay
for a service, if you accept dollars, you know the dollar
tomorrow will still be worth a dollar, and next week it is
still going to be worth a dollar. But crypto, like yesterday, I
think many of the major cryptos dropped nine percent, or a 10
percent drop. That would be like the Dow Jones (DJIA) dropping
3,000 points in a day, which is a pretty huge drop.
If you are a business and you say, ``I will sell you a
product for crypto,'' but it may be worth 10 percent less
tomorrow, I do not know what it will be worth. It could be
greater, I guess, as well. But based on what we have seen
recently it has been falling because it is a highly speculative
asset.
What is the incentive for a business to take crypto as
opposed to a dollar when they are trading for an actual
service?
Ms. Koven. Thank you for that question, Senator. I am
possibly not best-suited to answer that question in my current
role, but what I will say is that many investors are in
cryptocurrency for the long haul, and they have experienced
dips and spikes in the ecosystem over the past few years. The
same with threat actors. They are also dealing with
cryptocurrency, viewing it as a long-term investment. But we
can get back to you on specific numbers if you would like, sir.
Chairman Peters. Yes. I would just be curious if you are
going to track this. Clearly we all know it is a speculative
asset that people are investing in, and it is highly volatile.
We get that. But it is a medium of exchange, and most people
think of a medium of exchange as it is going to be fairly
consistent worth. If you buy a good from me and you give me a
dollar, I will be able to buy a dollar's worth of another good
somewhere else in the next day or two, or whenever it may be,
which is different than a speculative stock or investing in
stock options or other kinds of speculative assets. They are
different.
But we do know that because, for a variety of reasons, as
we have heard today, that criminals are very attracted to
crypto, and that is a big part of what the currency is used for
when the actual kind of goods or services transaction is
illicit. It is criminals that use this currency. In addition to
speculators, it is criminals that seem to be using crypto.
My question for Ms. Stifel, are there some additional tools
that could help the Federal Government recover cryptocurrency
ransom payments that have already been made? What additional
tools should we be thinking about?
Ms. Stifel. Thank you, Senator. I think one of the biggest
tools that can be made, in part thanks to the work of this
Committee has been made, is investing both in the cyber funds
and the emergency authorities that have come through with the
legislation that has been passed but also thinking about what
we have talked about previously is better equipping departments
and agencies to manage the investigatory process that is
required in order to follow the money through the blockchain.
Those investments also would be useful to better equip
departments and agencies to engage their international
counterparts and to push for the broader application of KYC,
AML, and other measures more broadly internationally,
including, as I mentioned, through the Financial Action Task
Force but in other multilateral bodies where working with
Europol, for example, or Interpol, more effective engagement
can be made with counterparts in a range of countries where we
know that cybercriminals are turning, for example, looking at
Costa Rica, Peru most recently.
The United States is not the only country targeted with
ransomware, and it is essential to really combat this at a
global scale, that we have partners in a range of jurisdictions
who are able to meaningfully engage with us as we seek to
investigate these malicious activities.
Chairman Peters. Thank you. Ms. Koven, the last question
here. If you could explain to the Committee, talk a little bit
more about unhosted wallets and what risk exists when crypto is
transferred to unregulated, peer-to-peer exchanges and unhosted
wallets. What should we know about that?
Ms. Koven. Thank you for your question. If I may address
the previous comment, I do want to say that cryptocurrency is a
technology, and as long as technologies have existed there have
always been bad actors willing to exploit it. Yes, there is
significant volatility in cryptocurrency. There is the
mechanism of stablecoins, which can hold value. We do see
legitimate trading activity as well as cryptocurrencies used in
remittances, and it is an opportunity for the United States to
be a key, predominant player in this financial ecosystem by
harnessing this technology, and the applications that can be
built on top of it provide tremendous opportunity and job
growth for national security.
What I want to say about private wallets, we do focus on
identifying services--exchanges, darknet markets, ransom
payments. But in the course of our investigations we do
sometimes come across private wallets belonging to a threat
actor, which allows us to monitor that wallet and also
understand that threat actor's spending habits, all the tools
and services purchased by that threat actor, and also cash-out
destinations like peer-to-peer or cryptocurrency exchanges.
Peer-to-peer services are also obligated to regulatory
requirements--AML, CFT requirements--that do require KYC and
other forms of identification.
Chairman Peters. Right. Thank you.
I want to thank all of our witnesses for participating in
today's discussion, and I look forward to building on what we
have learned from today's testimony, including additional ways
to combat the national and economic security threats posed by
ransomware attacks.
I plan to continue my investigation to further examine the
role cryptocurrencies play in these cybercrimes and other
criminal activities, and I look forward to exploring the issues
identified during today's hearing in detail, including
shortfalls in the enforcement of applicable anti-money
laundering regulations for cryptocurrency transactions.
The record for this hearing will remain open for 15 days,
until 5 p.m. on June 22, 2022, for the submission of statements
and questions for the record.
This hearing is now adjourned.
[Whereupon, at 11:24 a.m., the hearing was adjourned.]
A P P E N D I X
----------