[Senate Hearing 117-575]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 117-575

                   RISING THREATS: RANSOMWARE ATTACKS
             AND RANSOM PAYMENTS ENABLED BY CRYPTOCURRENCY

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS


                             SECOND SESSION

                               __________

                              JUNE 7, 2022

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs





[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]







                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
50-846 PDF               WASHINGTON : 2023












        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
               Alan S. Kahn, Chief Investigative Counsel
             Stephanie T. Rosenberg, Investigative Counsel
                 Victoria G. Kelley, Reseach Assistant
                Pamela Thiessen, Minority Staff Director
            Sam J. Mulopulos, Minority Deputy Staff Director
  William H.W. McKenna, Minority Chief Counsel and Chief Investigator
           Patrick T. Warren, Minority Investigative Counsel
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk






















                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Peters...............................................     1
    Senator Portman..............................................     3
    Senator Hawley...............................................    13
    Senator Rosen................................................    15
    Senator Lankford.............................................    18
    Senator Hassan...............................................    20
    Senator Sinema...............................................    23
Prepared statements:
    Senator Peters...............................................    29
    Senator Portman..............................................    31

                               WITNESSES
                         Tuesday, June 7, 2022

Megan Stifel, Chief Strategy Officer, Institute for Security and 
  Technology.....................................................     4
Bill Siegel, Chief Executive Officer, Coveware...................     7
Jackie Burns Koven, Head of Cyber Threat Intelligence, 
  Chainalysis....................................................     9

                     Alphabetical List of Witnesses

Koven, Jackie Burns:
    Testimony....................................................     9
    Prepared statement...........................................    48
Siegel, Bill:
    Testimony....................................................     7
    Prepared statement...........................................    44
Stifel, Megan:
    Testimony....................................................     4
    Prepared statement...........................................    33

                                APPENDIX

Senator Peters Majority Report...................................    74
Senator Portman Minority Report..................................   126
Palma Statement for the Record...................................   177

 
                   RISING THREATS: RANSOMWARE ATTACKS 
             AND RANSOM PAYMENTS ENABLED BY CRYPTOCURRENCY 

                              ----------                              


                         TUESDAY, JUNE 7, 2022

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., via 
Webex and in room SD-342, Dirksen Senate Office Building, Hon. 
Gary Peters, Chairman of the Committee, presiding.
    Present: Senators Peters, Hassan, Sinema, Rosen, Ossoff, 
Portman, Johnson, Lankford, Scott, and Hawley.

            OPENING STATEMENT OF CHAIRMAN PETERS\1\

    Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the 
Appendix on page 29.
---------------------------------------------------------------------------
    I would first like to say thank you to our witnesses for 
joining us here. Today's hearing will provide a very important 
opportunity to discuss the rising threat posed by ransomware 
attacks, and the role that cryptocurrencies play in enabling 
these harmful cybercrimes.
    In recent years, we have seen a scourge of increasingly 
complex and sophisticated ransomware attacks on both public and 
private networks, where the attackers prevent access to an 
entity's computer systems or threaten to release stolen data 
unless a ransom is paid.
    From the Kaseya ransomware attack that affected between 800 
and 1,500 small businesses, to alarming attacks on our critical 
infrastructure that caused gas shortages across the East Coast 
and temporarily shut down processing plants for the world's 
largest meat supplier, ransomware attacks have caused 
significant disruptions to daily life and imposed serious 
economic costs.
    A single ransomware attack can force businesses to close 
their doors permanently, even if they pay the ransom demand. 
Cybercriminals may shut down computer systems, expose sensitive 
data, or erase data entirely, causing significant disruption to 
business continuity. Some of the longer-term impacts may 
include lost revenues, reduced profits, damage to brand 
reputation, employee layoffs, and loss of customers.
    These malign actors almost exclusively demand 
cryptocurrencies when extorting large sums of money, because 
they can take steps to obscure their transactions and 
circumvent regulatory scrutiny, making payments more difficult 
to trace.
    In 2020, according to a Chainalysis study, malicious 
hackers received at least $692 million in cryptocurrency 
extorted as part of ransomware attacks, up from $152 million in 
2019, and over a 300 percent increase year-over-year. These 
figures are likely a drastic underestimation of the actual 
number of attacks and ransomware payments made by victims.
    While Bitcoin and many other cryptocurrencies provide a 
public ledger of transactions, known as a ``blockchain,'' 
cryptocurrency wallets are not tied to an individual person, 
meaning account holders can take steps to conceal their 
identity to avoid being held accountable for criminal 
activities.
    Anti-money laundering and other banking regulations that 
are meant to prevent criminal use of currency, including 
cryptocurrency, are also often inconsistently enforced, 
particularly in foreign jurisdictions, where many attackers are 
based.
    For example, last year, according to Chainalysis, 
approximately 74 percent of global ransomware revenue went to 
entities either likely located in Russia, or controlled by the 
Russian government. Attacks from Russia-based entities are only 
expected to increase, especially as the United States continues 
its support of Ukraine against Russia's illegal and immoral 
invasion.
    Last month, I released a report examining the role 
cryptocurrencies play in incentivizing and enabling ransomware 
attacks, and the resulting harm these attacks have on victims. 
I will now move to introduce this report\1\ as part of the 
hearing record, and hearing no objection, this report will be 
entered into the record.
---------------------------------------------------------------------------
    \1\The Majority Report appears in the Appendix on page 74.
---------------------------------------------------------------------------
    My investigation found that the Federal Government lacks 
sufficient data and information on ransomware attacks and the 
use of cryptocurrency as ransom payment in these attacks, and 
must collect better data to understand the scope of the threat.
    The cyber incident reporting law that Ranking Member 
Portman and I authored and passed earlier this year marks a 
significant first step to getting the information the 
government needs to combat this growing threat. The legislation 
will require critical infrastructure owners and operators to 
report cyberattacks within 72 hours and ransomware payments 
within 24 hours, and I look forward to working with the 
Administration to ensure it is swiftly and effectively 
implemented.
    The more information we have, the better suited we will be 
to combat ransomware attacks. That means continuing to build 
off our bipartisan cyber incident reporting legislation by 
holding foreign adversaries and cybercriminals accountable, and 
finding ways to reduce the incentives to conduct these attacks 
in the first place, including by examining their use of 
cryptocurrency.
    While I am grateful to the many Federal law enforcement and 
regulatory agencies that have taken steps to address 
cybercriminals and the rising threat of ransomware attacks, 
more must be done to ensure cryptocurrencies are monitored 
appropriately, like their non-digital counterparts.
    Finally, in addition to addressing ransomware attacks and 
the use of cryptocurrency as ransom payment in those attacks, 
Congress must examine other criminal activity involving 
cryptocurrency that threatens our nation's national and 
economic security, such as human trafficking, the flow of 
illicit drugs across our borders, and other serious crimes.
    I look forward to our hearing today and to hear from panel 
of expert witnesses who can further elaborate on the uses of 
cryptocurrency in ransomware attacks, and provide answers to 
ensure we have the necessary tools and resources to tackle this 
issue head on.
    With that I would like to recognize our Ranking Member of 
this Committee, Ranking Member Portman, for his opening 
comments.

            OPENING STATEMENT OF SENATOR PORTMAN\1\

    Senator Portman. Thank you, Mr. Chairman, and I thank you 
to our witnesses for being with us today, some in person, some 
virtually. We are going to hear from a private sector panel of 
cybersecurity professionals and incident responders who are 
going to provide us with a unique perspective, in each case, on 
what can be done to combat ransomware.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Portman appears in the 
Appendix on page 31.
---------------------------------------------------------------------------
    Obviously, the frequency and severity of ransomware attacks 
continues concern us because it continues to grow. Ransomware 
groups have professionalized their operations using a business 
model often now called ransomware-as-a-service, which involves 
ransomware developers selling or delivering their malware to 
individuals called ``affiliates'' who actually carry out the 
attack. It is a business model. This allows ransomware gangs to 
conduct more attacks with broader impact.
    In March of this year, I released a report\2\ documenting 
the experiences of three American companies victimized by the 
most notorious Russian ransomware gangs, called REvil . The 
companies profiled in the report are from different business 
sectors and vary significantly in size, revenue, and their 
information technology (IT) resources. This was done on 
purpose, to try to show that this is affecting companies of 
every size and sophistication. Despite these differences, all 
of these companies fell victim to REvil. This underscores the 
broad threat ransomware presents and the proactive steps all 
organizations must take to implement cyber best practices.
---------------------------------------------------------------------------
    \2\ The Minority Report appears in the Appendix on page 126.
---------------------------------------------------------------------------
    REvil was largely believed to be offline following the 
arrests of several key members last fall, but public reports 
indicate the gang may be resuming operations. We know it is 
common for ransomware criminals to claim retirement only to 
``rebrand'' and reemerge under a new name.
    About a year ago, this Committee held a hearing on the 
Colonial Pipeline ransomware attack. That incident was a 
painful reminder to many Americans that these attacks have 
real-world consequences impacting everybody.
    Recognition of this challenge is one of the reasons 
Chairman Peters and I drafted cyber incident reporting 
legislation, which I am proud to say became law a couple of 
months ago. This law will enhance our nation's visibility into 
cyberattacks against the United States and will enable a more 
effective response including warning potential victims. It is 
really important that Cybersecurity and Infrastructure Security 
Agency (CISA) works with industry experts and stakeholders to 
implement this law immediately.
    We know ransomware attacks will continue to be a national 
security threat for the foreseeable future. As the committee of 
jurisdiction over cybersecurity, we will continue to work to 
identify solutions that address the threats associated with 
ransomware attacks and the ways we can fortify our defenses.
    Today we are going to have testimony from some real experts 
to ensure that we are making steps in the right direction, and 
I look forward to that testimony.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Ranking Member Portman.
    It is the practice of the Homeland Security and 
Governmental Affairs Committee (HSGAC) to swear in witnesses. 
If each of you will please stand and raise your right hand, 
including folks joining us online.
    Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Ms. Stifel. I do.
    Mr. Siegel. I do.
    Ms. Koven. I do.
    Chairman Peters. Everyone has answered affirmatively. You 
may be seated.
    Our first witness is Megan Stifel, Chief Strategy Officer 
(CSO) at the Institute for Security and Technology (IST), a 
partnership that provides public and private sector guidance on 
security and technology. In 2021, IST released a comprehensive 
report on combating ransomware.
    Ms. Stifel previously served as an attorney in the National 
Security Division at the Department of Justice (DOJ), where she 
also spent time detailed as a Director for International Cyber 
Policy on the National Security Council (NSC). She also 
previously served as a Senior Policy Counsel for Global Cyber 
Alliance.
    Welcome, Ms. Stifel. You may now proceed with your opening 
remarks.

   TESTIMONY OF MEGAN H. STIFEL,\1\ CHIEF STRATEGY OFFICER, 
             INSTITUTE FOR SECURITY AND TECHNOLOGY

    Ms. Stifel. Chairman Peters, Ranking Member Portman, 
distinguished Members of the Committee, thank you for the 
opportunity to testify today about the critical importance of 
information about ransomware attacks and associated payments 
combating the ongoing ransomware scourge.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Stifel appears in the Appendix on 
page 33.
---------------------------------------------------------------------------
    My name is Megan Stifel and I am the Chief Strategy Officer 
at the Institute for Security and Technology. We are a Bay 
Area-based nonprofit organization focused on staying ahead of 
security challenges resulting from our increasing dependence on 
technology. Our current work focuses on nuclear command and 
control, artificial intelligence (AI), digital cognition and 
democracy, and most relevant for today's purposes, information 
security.
    Early last year, in response to the growing threat posed by 
the escalating rise in ransomware incidents targeting critical 
infrastructure, IST convened the Ransomware Task Force (RTF), 
and I had the privilege of being a co-chair. The task force 
included participants from industry, academia, civil society, 
and governments, including the United States, the United 
Kingdom (UK), and Canada, as well as multilateral organizations 
such as Europol. In total, 60-plus organizations participated, 
including the organizations represented by my fellow witnesses.
    In a span of four months, this coalition worked to identify 
measures to help all stakeholders better deter, disrupt, 
prepare, and respond to ransomware. As noted, we published a 
report last spring, including four goals, five priority 
recommendations, and a series of recommended actions, and 
totaling 48. The priority recommendations included the need for 
a sustained, coordinated, U.S.-led, multi-stakeholder 
collective action to meaningfully reduce the ransomware threat; 
an intelligence-driven anti-ransomware campaign, including 
support for operational collaboration with industry; the 
establishment of ransomware response and recovery funds, 
frameworks for preparation and mandated reporting of payments; 
as well as closer international regulation of the 
cryptocurrency sector that enables ransomware crime.
    As noted just after the report's publication several high-
profile ransomware attacks occurred, leading to the disruption 
of fuel and meat production, distribution, as well as health 
care. These incidents formed pivotal moments in which 
significant progress has been made in countering ransomware. 
Much of this progress aligns with the task force's 
recommendations.
    Still, much work remains. I will focus my testimony today 
on the task force's recommendations related to information 
about ransomware incidents, especially payments, and helping 
government and industry effectively combat ransomware.
    Before I address the essential role of information in the 
ransomware lifecycle I have to pause and emphasize that 
ransomware is a symptom of a broader problem, and that problem 
originated decades ago through a confluence of factors, each of 
which must be addressed to put a significant dent in the 
ransomware-related cybercrime, but also in all aspects of 
cybersecurity risk and resulting cybercrime.
    Ransomware is 21st-century extortion, but extortion is not 
a 21st-century invention. New forms of extortionware are 
emerging. Thus, in examining collective measures by industry 
and government to combat ransomware, we are not just targeting 
today. We are working to better secure tomorrow against 
wherever these criminals turn next.
    In my testimony before the House last year, I noted the 
task force's recommendations, but the scope and quality of 
information about ransomware incidents must improve. The 
reasons for this are manyfold. Higher-quality information can 
better equip governments and other stakeholders in developing 
the international strategy the task force called for to reduce 
ransomware risk at scale. It can also provide more detailed 
evidence to support a range of measures that can reduce the 
ability of these actors to operate from safe havens.
    Of perhaps equal importance, higher-quality information can 
better inform the private sector's ability to protect its 
customers' right to property as well as enhance its capacity to 
collaborate with the government in combating ransomware and 
other cybercrimes.
    As the task force noted in April 2021, improving the 
quality and volume of ransomware information would better 
enable deterrence, enhance preparedness, and inform disruption 
activities. There were several recommendations in the report.
    Since ransomware is often a criminal endeavor to extract 
financial gain, one of the most effective tools in combating it 
is to follow the money. Information shared through voluntary 
and mandatory incident reporting, including ransom payments, is 
this tool's lifeblood. Yet to this date we have not found an 
adequate incentive structure to meaningfully empower this 
capability at scale.
    As depicted in the ransomware payment diagram submitted 
with my written testimony, a range of organizations may have 
information that can enable public and private sector entities 
to follow the money. Today, however, there are only partial 
views spread across many stakeholders without a common process 
or pathway to stitch the pieces together.
    Ultimately, there should be harmony among government 
reporting avenues. This would ease confusion among victims and 
streamline a collection and analysis of attack information. The 
recently passed reporting legislation will address aspects of 
this challenge. However, the need for consistency across 
reporting pathways is more immediate. It is especially critical 
while the rulemaking process is underway. It is also essential 
regardless of the rulemaking process, given the scope of 
entities that will likely be required to report pursuant to, or 
elect to share voluntarily under the legislation.
    To meet the risks of tomorrow, information gathered must be 
useful and it must be appropriately disseminated within a 
meaningful period of time. It is also important to know that 
the same information may be of different value, depending on 
the agency's or organization's mission.
    I must also pause to emphasize the need the task force 
placed on enabling disruptive capabilities through these 
channels. Disruptive actions taken in the past year to seize 
cryptocurrency assets could scale significantly if clear, 
concise, actionable information is made available to 
appropriate organizations as early as possible in the 
cryptocurrency kill chain.
    Thank you for the opportunity to participate today, and I 
look forward to your questions.
    Chairman Peters. Thank you, Ms. Stifel.
    Our next witness is Bill Siegel, Chief Executive Officer 
(CEO) and Co-Founder of Coveware, a cyber incident response 
firm that specializes in assisting victims of ransomware 
attacks. Mr. Siegel previously served as the Chief Financial 
Officer (CFO) for the cybersecurity rating company, 
SecurityScorecard, and the Chief Executive Officer of 
Secondmarket, and the Head of National Association of 
Securities Dealers Automated Quotations Stock Market (NASDAQ) 
Private Market.
    Mr. Siegel, you may proceed with your opening remarks.

 TESTIMONY OF BILL SIEGEL,\1\ CHIEF EXECUTIVE OFFICER, COVEWARE

    Mr. Siegel. Mr. Chairman, Ranking Member Portman, and 
Members of the Committee, thank you for the opportunity to 
share Coveware's perspective on ransomware attacks and the role 
of cryptocurrency in ransom payments.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Siegel appears in the Appendix on 
page 44.
---------------------------------------------------------------------------
    My testimony today is derived from Coveware's experience 
which spans thousands of ransomware incidents over the last few 
years. During a given incident, we interact with the victim of 
the attack, privacy attorneys, forensic investigators, 
restoration firms, cyber insurance companies, and the law 
enforcement agencies that investigate these attacks.
    Throughout the incident, we collect data firsthand, and the 
aggregated learnings from this data and our experience gives us 
a unique perspective on this problem. We collect and organize 
this data, because like any problem, you cannot solve it until 
you understand it. The analogy we use is that you cannot build 
safe cars without studying lots of car crashes.
    In addition to analysis, our firm has voluntarily and 
proactively reported subsets of our data to law enforcement 
from every attack we have ever worked on since inception of our 
firm. This data is used by law enforcement to augment active 
investigations into the criminal groups that carry out these 
attacks.
    We are grateful for the work that Chairman Peters and 
Ranking Member Portman, along with the Committee staff, have 
already completed in the publishing the staff report ``Case 
Studies In Ransomware Attacks On American Companies'' and the 
Majority Staff report ``Use of Cryptocurrency in Ransomware 
Attacks, Available Data, and National Security Concerns.'' Both 
of these reports highlight acute issues and we are grateful 
that this Committee is collaborating with public and private 
industry on, and that the Committee Members are already 
pursuing new and passing new legislation.
    I would like to quickly address two primary areas of focus 
in these reports, first with regards to cryptocurrency. 
Financially motivated cyber criminals almost universally 
denominate ransom demands in cryptocurrency. The popularity of 
cryptocurrency with cybercriminals is rooted in protecting the 
ransom payment law enforcement seizure and the efficiency with 
which the money can be laundered. The percentage of a ransom 
that finds its way to the cybercriminal's pockets is 
substantially higher when cryptocurrency is used versus other 
currencies or stores of value.
    This is clear when looking at the recovery rates between 
two types of cybercrime, wire fraud and ransomware. If reported 
within 72 hours, illegitimate wires can typically be reversed 
and recovered. No such mechanism exists with crypto currency.
    It is important to note that unlike financial theft, 
ransomware is much more akin to a kidnap and ransom incident. 
Victims may not want their funds reclaimed out of fear that the 
criminals will not reciprocate with decryption keys, critical 
to restore an organization's business. Reclaiming a ransom also 
requires that the victim make a timely report to the correct 
branch of law enforcement. Moreover, for a trace and seizure to 
be successful the end destination of the cryptocurrency must be 
within the reach of Western law enforcement. Most of the time, 
one or several of these variables inhibit a trace or seizure 
from even being started, let alone successful.
    It is also important to note that some form of currency, 
whether it be physical fiat, digital, or cryptocurrency, has 
always been used for lots of different types of extortion. 
Ransomware existed before the advent of cryptocurrency, and it 
will persist if cryptocurrency were to ever disappear. As long 
as ransomware attacks are profitable to carry out against 
organizations with weak cybersecurity, cybercriminals will 
continue to proliferate these attacks.
    This brings us to the second topic of today's hearing, 
mandatory reporting. Coveware has been vocal in our support for 
mandatory reporting for some time. Our hope is that reporting 
requirements will eventually be extended to all victims of 
ransomware, not just organizations under the oversight of CISA.
    As with any new law the efficacy lies in its 
implementation. This hearing is uniquely timed to allow 
policymakers to understand the dynamics of reporting and to 
ensure that final rules achieve the targeted impact.
    We believe there will be two primary impacts to mandatory 
reporting. First, the U.S. Government will gain clarity on the 
scope of the problem. As was clearly documented in the Majority 
Staff Report, the variance between privately reported 
ransomware statistics and agency reported statistics is 
cavernous. Collecting accurate statistics is step No. 1 and 
table stakes.
    Gaining clarity will allow agencies to more confidently 
resource their responses, and we are encouraged to see that the 
Cyber Incident Reporting Act authored by Chairman Peters and 
Ranking Member Portman has begun to outline a clear path for 
reporting and unique agency responsibility.
    The second impact will be in providing greater clarity on 
what to do about the problem. Gaining this clarity will hinge 
on what information CISA collects, and if CISA or other 
regulatory or law enforcement agencies are able to scalable 
digest the information reported to them. This new legislation 
has the potential to answer major questions, and enable CISA, 
the Federal Bureau of Investigation (FBI), the Department of 
Homeland Security (DHS) and other agencies to make meaningful 
progress on this problem.
    If not implemented correctly, however, this new legislation 
also has the potential to completely bury these agencies with 
unstructured data that cannot be parsed or analyzed at scale. 
This would render this new legislation completely ineffectual. 
Great care and focus should be applied to what information is 
collected, and how this information is organized so that the 
velocity of analysis, recommendations and actions can achieve 
maximum efficacy.
    Thank you very much, Mr. Chairman. I look forward to 
answering the Committee's questions.
    Chairman Peters. Thank you, Mr. Siegel.
    Our final witness is Jackie Burns Koven, Head of Cyber 
Threat Intelligence at Chainalysis, one of the leading cyber 
analytics companies that specializes in providing data, 
software, services, and research on blockchain technology.
    Ms. Koven has extensive knowledge and experience in the 
cybersecurity sector, and as the Head of Cyber Threat 
Intelligence Ms. Koven leads efforts to track ransomware 
operators and their enablers on blockchains. Prior to joining 
Chainalysis, Ms. Koven served in the intelligence community.
    Ms. Koven, welcome. You may proceed with your opening 
remarks.

   TESTIMONY OF JACKIE BURNS KOVEN,\1\ HEAD OF CYBER THREAT 
                   INTELLIGENCE, CHAINALYSIS

    Ms. Koven. Thank you. Chairman Peters, Ranking Member 
Portman, and distinguished Members of the Committee, thank you 
for inviting me to testify before you today on this very 
important topic.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Koven appears in the Appendix on 
page 48.
---------------------------------------------------------------------------
    My name is Jacqueline Koven and I am the Head of Cyber 
Threat Intelligence for the blockchain data platform, 
Chainalysis. In this role, I track ransomware operators and 
their enablers on the blockchain. I also coordinate with global 
law enforcement, ransomware research, partnerships, and joint 
initiatives.
    This hearing could not be more timely. We have seen 
ransomware attacks increase significantly over the last few 
years, with ransomware attacks on critical infrastructure, law 
enforcement agencies, health care providers, municipalities, 
schools, and other businesses. While it is true that 
cryptocurrency is generally the predominant form of payment in 
these cases, it is not true that cryptocurrency is the cause of 
ransomware attacks.
    If there is one point I want to make to the Members of this 
Committee it is that the transparency of cryptocurrency and 
blockchains enhances the ability of policymakers and government 
agencies to detect, attribute, and ultimately disrupt illicit 
activity. In fact, it can be much easier to investigate cases 
involving the illicit use of cryptocurrency than other forms of 
payment. By identifying an illicit actor's cryptocurrency 
wallet, for example, from a ransom payment, law enforcement can 
gain insight into not only the cash-out destination but also 
the network of accomplices and malicious tools underpinning the 
threat actor's campaign.
    In contrast, in a traditional financial investigation where 
that same actor is tied to a bank account, it is the beginning 
of a long resource-intensive process to subpoena records that 
can seldom generate a remotely comparable amount of insight and 
certainly not as timely. The investigative challenges would 
compound even more were that same illicit actor tied to a cash-
based transaction.
    Our ransomware data shows that there are at least $712 
million worth of ransom payments in 2021, and while almost 
certainly an undercount of ransoms paid, this figure 
constitutes a record-breaking year in terms of ransomware 
revenue. This shows the magnitude of the ransomware problem and 
underscores the importance of enhanced reporting initiatives.
    One of the biggest trends we have recently observed is an 
increase in the rebranding of ransomware strains. This is 
likely in part to evade government scrutiny but also, in some 
cases, to obfuscate a ransomer group's connection to a sanction 
entity so that victims might still pay. We can often discern 
these rebrand attempts via blockchain analysis, which enables 
us to identify links between ransomware gangs using their 
cryptocurrency footprint.
    Extortion tactics have also evolved to skirt traditional 
definitions of ransomware. More groups have emerged that will 
not encrypt victims' files but will still exfiltrate data and 
threaten to release or sell the data unless a ransom is paid. 
This trend means that policymakers and government agencies will 
need to be flexible about cyberattack definitions when 
requesting reporting on these events to encompass emerging 
threats.
    I further detail the evolution of ransomware groups in my 
written testimony, including the geopolitical aspects of this 
those threats, ransomware money-laundering techniques, and the 
impact of law enforcement and the Office of Foreign Assets 
Controls (OFAC) actions against ransomware actors and their 
facilitators.
    U.S. policies must leverage a whole-of-government approach 
for reducing ransomware attacks and mitigating their impact 
that incorporate private-public sector partnerships. In my 
written testimony I make a number of recommendations for this 
Committee and Congress to consider in order to improve the 
government response to this threat, and I will share just a few 
of these now.
    First, it is vital that we improve ransomware reporting and 
information sharing. There should be clear guidance on when, 
what, and where to report incidents, and this information 
should be shared swiftly with law enforcement agencies to 
operationalize. In addition, we must ensure government agencies 
have adequate funding for the training, tools, and resources 
they need to conduct these investigations that require the 
development of new skill sets and government agencies to work 
quickly in order to keep up with the evolving threat landscape.
    Finally, the U.S. should also work with other countries 
around the world to assist them in the development and 
implementation of robust anti-money laundering laws for 
cryptocurrency businesses to ensure that bad actors are cutoff 
from cashing out their ill-gotten gains in unregulated 
jurisdictions.
    Thank you, and I look forward to answering your questions.
    Chairman Peters. Thank you, Ms. Koven.
    On May 24th, after a 10-month investigation, I released a 
report on the rise in ransomware attacks and the use of 
cryptocurrency as ransom payments in these attacks, a report I 
entered into the record in my opening comments. One of my 
report's key findings is that the Federal Government simply 
does not have comprehensive data on ransomware threat 
landscape.
    Ms. Stifel, I have two questions for you. First off, do you 
agree with this finding, and second, in the Institute for 
Security and Technology's Ransomware Task Force report your 
organization advocates for mandatory reporting requirements on 
ransomware attack payments made in cryptocurrency. Why do you 
believe that this data is necessary? If you could answer both 
those questions I would appreciate it.
    Ms. Stifel. Senator, I do agree with the observation or the 
finding that there is not sufficient information within the 
government's holdings about payments in cryptocurrencies. We 
know, as has been highlighted in the testimony of Ms. Koven as 
well as Mr. Siegel, that there are many who attempt to comply 
with these requirements and regulations. However, there are 
also those who do not, and this leads to a significant amount 
of discrepancy in the amount of information that may be 
available to those in the ecosystem versus those who are 
receiving information the government side.
    The other challenge here is that within the organizations 
that do collect information on the government side, whether it 
be the Financial Crimes Enforcement Network (FinCEN), CISA, or 
the FBI's Internet Crime Complaint Center (IC3), they ask for 
different types of information, which also contributes to a 
disaggregated picture of the threat.
    With regard to your second question, Senator, we believe 
that the mandatory reporting requirement will help the 
government have a better picture of the actual scale and scope 
of this threat. We also believe that that information needs to 
get into the hands of the private sector who, as I mentioned in 
my testimony, can work with the government to collectively 
combat these actors when the information is delivered in a 
timely manner and is relevant.
    I do agree significantly with Mr. Siegel's comment that the 
government needs to be very structured in the way that it seeks 
the information that it will receive under the reporting 
requirement of the recently passed legislation. It is critical 
that the information be relevant and that the government is 
equipped to manage the information, not only in analyzing it 
itself but also in ensuring that it can receive and disseminate 
the information to private sector actors who can appropriately 
manage the information and take appropriation action with 
respect to it.
    Chairman Peters. Thank you. During my investigation, 
Federal agencies expressed to my team concerns with gaps in the 
ability to enforce anti-money laundering laws applicable to 
cryptocurrency against illicit actors outside of the United 
States. The report found that such gaps impede law 
enforcement's ability to investigate, to prosecute, and prevent 
cryptocurrency-enabled crimes.
    Ms. Koven, and then Ms. Stifel, I will ask you to answer 
this question after Ms. Koven answers, what shortfalls do you 
see regarding enforcement of anti-money laundering regulations 
with respect to illicit cryptocurrency transactions, both in 
the United States and abroad? The second question, what has 
happened to address these shortfalls, and can regulations alone 
solve this problem, or does Congress have a role here?
    If you could handle those questions for me now, and then 
Ms. Stifel after Ms. Koven.
    Ms. Koven. Thank you for your question, Senator. Yes, we 
have observed a winnowing down of the cash-out destinations for 
illicit actors, including ransomware actors, mainly to offshore 
exchanges with little to no regulation and enforcement, which 
underscores our recommendation for enhanced U.S. assistance in 
implementing anti-money laundering (AML) laws, to cutoff those 
illicit cash-out destinations.
    We have also observed the increased utilization of mixing 
services by these threat actors, to obfuscate the destination 
of these ransomware proceeds. I can point to a number of 
government successes over the last year that have actually used 
blockchain analysis to trace payments to these high-risk 
exchanges and law enforcement action against Garantex, 
Blender.io, Chatex, and Suex, primarily services based in 
Russia.
    What we saw as a result of these designations, especially 
against Suex, was that deposits dropped nearly to zero as soon 
as the designations were rolled out.
    There are a number of policy options for these illicit 
cash-out destinations, and blockchain forensics is a key tool 
in being able to identify where these threat actors are cashing 
out. If we look at Blender.io, that mixing service in 
particular, it was not only used by multiple ransomware groups, 
it was also used by North Korean launderers from stolen funds.
    These threat actors are going for the paths of least 
resistance, but it has narrowed down considerably to a handful 
of services that the United States can help support with 
implementing AML regulations.
    Chairman Peters. Thank you, Ms. Koven. Ms. Stifel.
    Ms. Stifel. Thank you for the question, Senator. I would 
agree with Ms. Koven that the impact of regulation in the 
United States has resulted in many cases the offshoring of the 
ability for these actors to convert a cryptocurrency into fiat, 
and as a result the absence of regulation overseas has provided 
this pathway for the conversion to continue to facilitate the 
demand and the desire for ransomware as a tool to generate 
financial gain.
    In other words, were we to have a more consistent 
regulatory environment internationally, through the application 
of know your customer anti-money laundering (KYC AML) and other 
regulatory measures, by working with partners, including 
through the Financial Action Task Force (FATF), that has been 
effective in the terrorism instances, that would provide a 
pathway, I think, for making a more significant impact on the 
ability for governments to obtain information that could 
facilitate arrests or other disruptive measures against these 
criminal actors.
    Senator, you also asked about the role of Congress here, 
and I would agree. I think reporting legislation is a 
significant step forward. It was something that was called for 
in our task force report, as you mentioned. I think there is 
also an opportunity for Congress to continue to also clarify 
other measures that private sector entities may take with 
respect to information about cybersecurity incidents, including 
by clarifying the scope of the Cybersecurity Information 
Sharing Act of 2015, and to be constantly mindful of the 
importance of there being harmony across, and not overly 
complicating matters with respect to ongoing regulatory 
opportunities, looking to streamline the process to allow for 
consistency in application so that victims are clear where they 
need to report, what they need to report, and within what 
period of time. Also their role in ensuring that they are 
working to, and equipping them to better maintain their systems 
in a more secure manner to reduce the likelihood of ransomware 
in the future.
    Chairman Peters. Thank you. Senator Hawley, you are 
recognized for your questions.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you very much, Mr. Chairman. Thanks 
to all of the witnesses for being here.
    If I could start with you, Mr. Siegel. You said in your 
written testimony that financially motivated cybercriminals 
almost universally denominate ransom demands in cryptocurrency. 
Can you just expand on that? Why is that and what are the 
implications?
    Mr. Siegel. For the most part ransomware actors know that 
they want to cash out their illicit proceeds using the most 
efficient means. Cryptocurrency is the most efficient means. It 
has great scale. They can move it very quickly across borders. 
It can be moved without worry of being reclaimed unless they 
make an operational security mistake or unless the move it 
through an exchange that participates with Western law 
enforcement. They also know that they have options to move 
their proceeds between different types of cryptocurrencies, 
which can further aid in the obfuscation and money laundering 
process and better the chances that a higher percentage of 
those ransom proceeds make it to their pocket at the end of the 
day.
    Senator Hawley. Is there a specific cryptocurrency that is 
more often used than others for ransom demands, to your 
knowledge?
    Mr. Siegel. Bitcoin is the predominant one, but I would 
note that some actors denominate their demands in other 
privacy-enhanced cryptocurrencies, like Monero. Even when 
Bitcoin is used for a ransom payment it is common for the 
Bitcoin to be exchanged into one of these privacy coins further 
down the money laundering process, to obfuscate the end 
destination.
    Senator Hawley. Got it. Let me ask you this. I understand 
that there are about 10,000 active cryptocurrencies. That is up 
from 63, I think it was, a decade ago. That is incredible 
growth. Has the growing number of cryptocurrencies influence 
how ransom demands are being made, in your observation?
    Mr. Siegel. No, it has not.
    Senator Hawley. Interesting. Are new coins being made with 
criminal intentions in mind, do you think?
    Mr. Siegel. It is certainly possible. I would bifurcate 
between new coins that are made with the express intent of 
committing financial fraud, these kinds of pump-and-dump 
schemes. Then what would appear to be legitimate projects, like 
Monero and others, that are aimed at the enhanced privacy of 
the coin itself, but with that come the attractiveness to the 
cybercriminals to use those coins for the money laundering 
process.
    Senator Hawley. Are new coins being purposely designed or 
being made and purposely designed to be more opaque, in your 
observation?
    Mr. Siegel. Some of these privacy coins are. That is the 
intention of the design, is to make them more private. I would 
note, though, that there are two challenging to having a coin 
actually be adopted by a large group of cybercriminals. No. 1, 
it has to work, and No. 2, it must be liquid. If there are 
thousands of completely illiquid privacy coins, but you cannot 
really buy or sell them, no one is going to use them, including 
cybercriminals. This is one of the reasons that Bitcoin is 
predominantly used is because it is the most liquid.
    Senator Hawley. Got it. Ms. Koven, let me ask you, you said 
just a minute ago that the use of crypto can actually enhance 
these investigations, investigations into ransomware demands. 
You said in your written testimony that due to its transparent 
nature it can be much easier to investigate cases involving the 
illicit use of cryptocurrency than other forms of payment.
    Can you just expand on that? I think that is an interesting 
point, maybe a counterintuitive point. Can you just say more 
about that?
    Ms. Koven. Thank you for that question, Senator. As Mr. 
Siegel testified, Bitcoin is the predominant currency demanded 
in these ransomware cases. What blockchain forensics and the 
transparency of the blockchain can provide is able to see the 
cash-out destination of these currencies to exchanges that 
enable law enforcement to subpoena those exchanges, or know 
your customer information, as well as potentially freeze the 
accounts.
    We can also move further up the kill chain to understand 
that threat actor and their wallet and the goods and services 
that they are purchasing that actually comprise that campaign, 
everything from Malware-as-a-service, access brokers, to 
compromised credentials and victim systems, to malware 
crypters, and all of those networks that are underpinning these 
attacks.
    Senator Hawley. Why do you think it is that criminals are 
disproportionately using cryptocurrencies as opposed to, say, 
U.S. dollars? Do you agree with Mr. Siegel's analysis? I mean, 
what would you say about that?
    Ms. Koven. Thank you. The same reason that Bitcoin is 
attractive to criminals is the same reason it is attractive for 
trading in a store of value. We have actually calculated that 
only 0.14 percent of overall transaction activity was criminal-
related, of the $15 trillion of transactions last year.
    It is the liquidity issue. Monero is illiquid and it is 
impractical to use. Many cryptocurrency exchanges have delisted 
Monero because of regulatory guidance about Monero and privacy 
coins in general.
    Senator Hawley. Very good. Let me ask both of you about 
reporting requirements. I think, Mr. Siegel, in your written 
testimony you note that reporting requirements could burden 
Federal agencies with unstructured data that cannot be paired 
or analyzed at scale. Have I got that right? Am I remembering 
correctly?
    So give me a sense, in light of that, how should agencies 
optimally implement reporting requirements, that they are 
effective?
    Mr. Siegel. Sure. I believe that agencies should look to 
establish standardized frameworks such as National Institute of 
Standards and Technology (NIST) or the Mitre Att&ck framework 
that standardize the tactics, techniques, and procedures that 
the threat actors are utilizing. These frameworks come with 
standard hierarchies, standard names, standard codes. 
Ransomware attacks are incredibly repetitive.
    The value of collecting the bottom end, the unstructured 
log data, which could be hundreds of gigabytes or terabytes for 
a single attack, is very minimal, but the value in abstracting 
that up a couple layers of altitude to just the tactics and 
techniques and procedures so that CISA could very quickly say, 
``OK, we have 10 reports that happened last week. They all used 
these tactics. These are tactics that we have not seen before. 
Let's get a timely warning out.''
    Conversely, if they were to collect the unstructured data 
it could require an army of individuals to perform weeks of 
forensic analysis before those same conclusions could be 
reached.
    Senator Hawley. Do you have a view on this, Ms. Koven, 
about the optimal implementation of reporting requirements by 
agencies?
    Ms. Koven. No, I agree with Mr. Siegel that the 
standardization is extremely important to be able to 
operationalize that information swiftly so that they can be 
used to subpoena cryptocurrency businesses and used for 
attribution and accountability of these threat actors. We had 
seen this in multiple high-profile cases, including the 
Netwalker ransomware takedown, where the most prominent 
affiliate of that group was actually arrested in Canada.
    I think being able to operationalize and share these at 
scale can lead to further successes.
    Senator Hawley. Very good. Thanks to you both. Thank you, 
Mr. Chairman.
    Chairman Peters. Thank you, Senator Hawley. Next we have 
Senator Lankford, but Senator Lankford, I understand, has 
graciously agreed to recognize Senator Rosen, who has to 
preside.
    Senator Rosen, you are recognized for your questions.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Mr. Chairman. Thank you, Senator 
Lankford. I appreciate it. I want to thank the witnesses for 
being here and testifying today.
    As a former software developer I helped to develop company-
wide disaster recovery plans, develop and execute them, all the 
different scenarios. I have both experience and many thoughts 
on this matter, but we will talk about cryptocurrency today.
    I want to talk a little bit about small business 
cybersecurity, because as the HSGAC Majority Staff Report on 
Ransomware and Cryptocurrency outlines, all it takes is one 
ransomware attack to cause a small company to go out of 
business. According to a recent Small Business Administration 
(SBA) survey, 88 percent of small business owners felt their 
business was vulnerable to a cyberattack.
    Yet, of course, many businesses cannot afford to adopt 
professional IT solutions, hire cybersecurity professionals, 
and actually they have a limited time to devote to 
cybersecurity as they focus on growing their companies.
    To help small business manage cyber risk, Senator Cornyn 
and I introduced the Improving Cybersecurity of Small Entities 
Act. This is bipartisan legislation to direct Federal agencies 
to develop common-sense cybersecurity recommendations, provide 
training for those small entities, including small businesses. 
This legislation passed out of this Committee in February, and 
hopefully will tell people the importance of offsite backups 
and how they use their journals, all kinds of things like that, 
of course, we know that they need to recover.
    But ransomware, Mr. Siegel, how do the ransomware criminals 
choose their victims in the small business community? What are 
some of the trends that you are seeing, and in terms of tactics 
and techniques, what are they using specifically? Are they just 
going after the data? Are they going after modifying the 
programs with malware where restoring backups may not be as 
effective, or effective at all?
    Mr. Siegel. Thank you for your question, Senator. We would 
describe ransomware attacks as opportunistic, not targeted. We 
view this problem as an economic problem, and targeting a 
specific company is uneconomical. There are numerous ways that 
ransomware actors can impact a small business or a large 
business, and most of those ways come from purchasing 
previously breached credentials or by mask-scanning the 
internet through freely available tools that allow them to look 
for vulnerabilities.
    So they essentially are combing the internet, picking up 
lists very quickly, finding the lowest-hanging fruit, and then 
attacking those companies.
    For instance, at the other end of the spectrum, the 
Colonial Pipeline attacks, I wholeheartedly believe that that 
was not a targeted attack meant to disrupt U.S. critical 
infrastructure. I do not think those attackers had any clue 
that that company controlled the volume of gasoline on the East 
Coast, and that would create a political issue, because U.S. 
consumers really do not like it when gas prices go up, and that 
it would cause a geopolitical issue. I think they saw a big 
energy company with a large balance sheet and the potential for 
a large ransom.
    I think that same thinking applies to small businesses. 
When they find a target that is going to take them 15 to 20 
minutes to compromise, and they can earn $50,000 to $100,000, 
potentially, of a ransom payment, that is too economical to not 
do.
    A lot of the recommendations that we have made in our 
testimony, and a lot of the things that we talk about are to 
recognize that there is no silver bullet to this problem, but 
there are lots of different ways to impose costs. The 
ransomware kill chain, as we have discussed today, is one of 
those ways. But these incremental ways that companies can 
incrementally harden themselves, to make themselves harder 
targets, more expensive targets, we think are the best ways to 
actually achieve an exponential reduction in risk versus a 
linear one, as may be perceived, with just making small 
additions. But the reality is most small businesses have these 
very easy-to-exploit vulnerabilities present, and closing those 
vulnerabilities is a process of just knowing what they are and 
finding the time or budget to close them.
    Senator Rosen. Thank you. I agree with what you are saying, 
and obviously the data is bearing it out.
    In the two minutes I have left I want to move over to 
health care cybersecurity, because, of course, this has really 
been increasing, attacks on our hospitals and clinics. As we 
even use more medical devices we understand the vulnerabilities 
there. In the FBI's 2021 Internet Crime Report the health care 
sector fell victim to ransomware far more than any other 
critical infrastructure sector last year. Health care entities 
increasingly are the target of these malicious cyberattacks. 
They result not only in data breaches but driving up the cost 
of care, and maybe ultimately even affecting patient outcomes.
    Senator Cassidy and I introduced the Health Care 
Cybersecurity Act. Again, it is bipartisan legislation that 
would require CISA to coordinate with and make resources 
available to health care and public health sector entities, 
including by developing products tailored to the specific needs 
of small and rural hospitals--they have been a big target--and 
our health clinics.
    Mr. Siegel and then Ms. Koven, with the ransomware 
criminals rapidly evolving their tactics, techniques, and 
procedures, how do you think this variety of health care 
entities can stay ahead of these threats and heighten their 
defenses against ransomware?
    Mr. Siegel. Thank you, Senator. I can testify from 
experience, having dealt with a number of hospital cases, that 
there is nothing more horrific than a ransomware attack on a 
health care institution that puts patient care at risk. It is 
the most sensitive areas--the emergency room (ER), the neonatal 
intensive care unit (NICU), oncology--that depend on electronic 
medical records (EMR) software to provide critical patient 
care. When those things go down that care cannot be delivered.
    Our sense is that, especially for critical infrastructure 
companies, having proper security is no different than the 
maintenance of a bridge. It is part of the cost of doing 
business, and it should be properly overseen and properly 
regulated.
    As these attacks and tactics evolve, there is no getting 
around these organizations making a substantial and continued 
investment in their people, in their technology so they can 
stay ahead of these things and continue to provide this 
critical care.
    Senator Rosen. I know I only have a couple of seconds left. 
I have to go preside. Can you speak briefly to it, and then I 
am going to run to the presiding chair on the floor. Thank you.
    Ms. Koven. Thank you. It is easy to lose the human cost and 
the toll when you look at ransomware figures, like $712 million 
paid those smaller businesses and hospitals, for example. We 
have actually calculated the median ransom payment is $6,000, 
so potentially smaller victims that do not necessarily make 
headlines but the impact is still devastating. Whether or not 
these institutions pay can still be devastating with the costs 
of remediation.
    The other issue is that a lot of these smaller businesses 
and hospitals are not necessarily equipped to be able to 
understand the sanctions risk of potential payments, and so 
being able to support them in that way is important.
    I will also add that the threat actors that are targeting 
the small businesses are also targeting the hospitals and other 
forms of infrastructure. So being able to shine a light on 
those tools and services, those threat actors that are 
underpinning this criminal economy that is driving ransomware 
is critical to disrupting ransomware.
    Senator Rosen. Thank you so much. I really appreciate you 
being here. Thank you again, Senator Lankford. Mr. Chairman.
    Chairman Peters. Thank you, Senator Rosen. Senator 
Lankford, you are recognized for your questions.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you. Thanks to all the witnesses 
that are here. I want to walk through a little bit of the 
reporting and the cooperation and duplication within 
government. Just back of the envelope, as I look at this, FBI, 
CISA, Homeland Security Investigations (HSI), Treasury, U.S. 
Secret Service (USSS), the Securities and Exchange Commission 
(SEC) all have cryptocurrency entitles, all say, ``Report to 
us. We want to be able to help through all this process.'' From 
entities on the outside working this cornucopia of three-letter 
agencies that are across the Federal Government that all have a 
cryptocurrency, cryptocrimes section of it, what does that look 
like? What are you getting as far as feedback?
    I would like all three of you to be able to respond to 
that. All three of you have some insight on that. Mr. Siegel, 
do you want to go first?
    Mr. Siegel. Sure. While it would be great if one agency 
could handle all of this, the reality is all the agencies have 
a specific role and function in imposing costs on these threat 
actors. I think the legislation that has recently been passed 
has taken the appropriate first step of designating a single 
agency and possible cooperating agencies to handle the initial 
inbound and triage of the reporting data, and then routing that 
information to the proper branches for investigations of 
different shapes and sizes.
    I think it was noted in the CEO of Colonial Pipeline's 
testimony some of the frustration that he felt being 
overwhelmed with the volume of inbound duplicative requests 
from law enforcement agencies and regulators while he was 
trying to manage his company through an incident. I felt Mr. 
Blount during that testimony. It can be distracting if a victim 
of ransomware contacts the wrong agency. It can be distracting.
    I think it is important, through this legislation and the 
rulemaking process, that it be made crystal clear where victims 
of ransomware, based on their State jurisdiction, regulatory 
jurisdiction, by industry, where they should go and what those 
requirements are so that the private industry, principally 
attorneys that advise and assist these victims, can study this 
and then give practical, timely advice and direct those victims 
to the proper agency in a timely manner.
    Senator Lankford. Ms. Koven.
    Ms. Koven. Thank you, Senator. I commend the legislation, 
specifically the tenets to aggregate and standardize the 
reporting. As an example, our data has recorded 14 times more 
ransomware payments than what was reported to FBI via IC3. This 
legislation will help bolster their intelligence.
    In order to handle this amount of data coming their way I 
would hope the agencies are resourced appropriately with the 
tools and resources they need to operationalize this 
information, that can lead to the arrest and seizures of 
cryptocurrency payments. We have seen a number of successes 
from multiple agencies over the last year, targeting various 
facets of the kill chain, targeting those illicit cash-out 
destinations that are laundering the proceeds, targeting 
specific threat actors and holding them accountable, and 
imposing costs by denying them of the cryptocurrency payment 
that they sought.
    So enhanced training and tools to be able to operationalize 
the influx of data, but also, I think, global cooperation with 
the U.S. agencies and global agencies is very important as the 
threats that are facing our global partners are also the same 
ones that are attacking us today.
    Senator Lankford. We will come back to that. Ms. Stifel.
    Ms. Stifel. Thank you, Senator. I would agree with my 
fellow witnesses that there needs to be, as I mentioned a few 
minutes ago, greater clarity and simplicity in the ability for 
victims to share information with the government.
    The other piece of this, of course, though, is that, as Ms. 
Koven just alluded to, there is a significant need for there to 
be adequate resources within departments and agencies to both 
ingest the information but also really to establish those 
relationships in the first place that facilitate this 
information sharing from victims to the government. Some will 
be required to do so under the legislation once the rulemaking 
process is complete, but others will not.
    The ability to have adequate resources within the field, 
whether it be within CISA's regional staff members, whether it 
is with Secret Service or FBI agents, it is really critical to 
establish those relationships within the community in order to 
better equip the government as well as the private sector to 
play a meaningful role in combating ransomware wherever we, as 
I mentioned, find cybercriminals going next.
    Senator Lankford. When you say ``the community,'' you are 
not talking about individual businesses. You are talking about 
entities that actually coordinate this, private businesses that 
work with other private businesses to be able to protect them 
from ransomware. Is that correct?
    Ms. Stifel. It is both, I would say. Yes, it is. It is 
those who are working to help victims manage their unfortunate 
ransomware incident but actually we often talk about and 
encourage organizations to establish a relationship with CISA 
and with FBI before they become the victim of an incident. It 
is better to know who to call and what may be useful to the 
government, learn that information ahead of time so that when 
the unfortunate day occurs there is already an established 
working relationship and that can facilitate a much more rapid 
response, both for the government but also for the victim.
    Senator Lankford. That is part of the challenge I want to 
lay out here, though. You do not know if that relationship is 
with FBI, with CISA, with HSI, with Treasury, with Secret 
Service, who that might be. It is one thing to be able to say 
they need to develop relationships, but to be able to maintain 
relationships with all those entities because they all will 
come calling. I left out--you were talking about the Colonial 
Pipeline--with the Department of Transportation (DOT), they may 
show up as well, and multiple other entities would show up as 
regulators to say, ``Did you fill out the paperwork?''
    This is still a convoluted mess at the worst possible 
moment for a company, for a hospital, whatever it may be, that 
just had a ransomware attack, and now they are getting 
bombarded with all these different Federal entities, calling 
them and wanting information in detail on this.
    There has to be a single source. I know we are in the 
process of working that through. But we have to also not just 
have one as a primary but the others turn that off in the 
process of going through that.
    I do need to clarify, as well, Ms. Koven, you talked about 
trying to be able to actually follow through, arrest, recover 
the information. From the Chairman's information of what they 
worked through already on this, 74 percent of the entities that 
are doing ransomware are Russian, Russian-affiliated, or 
Russian-controlled. The recovery at that point, in working with 
local law enforcement, clearly they are not going to cooperate. 
What is the best tool at this point to be able to get 
engagement?
    Ms. Koven. Thank you for that question, Senator, and that 
is a primary focus for us. There have been several examples 
over the last year that have illustrated that even if the 
perpetrator is out of reach of U.S. law enforcement we can 
still impose costs. We can still seize assets. We can leverage 
our global partnerships to be able to triangulate these threat 
actors. We have also taken actions against their cash-out 
destinations. A lot of Russian-based services like Garantex, 
Suex, and Chatex have been on the designation list, and it has 
severely inhibited their businesses.
    There are a number of ways we can still impose costs and 
then also work up the kill chain to identify those threat 
actors and enablers that access brokers, malware-as-a-service 
providers that are also fueling these campaigns.
    If the Netwalker case is any example, this is a global 
problem. That Network affiliate was a Canadian-based individual 
and the most profitable affiliate of that cybercrime ring.
    Senator Lankford. OK. Mr. Chairman, thank you.
    Chairman Peters. Thank you, Senator Lankford. Senator 
Hassan, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thanks so much, Mr. Chairman, and thanks to 
you and the Ranking Member for holding this hearing, and to all 
of our witnesses, thank you for sharing your expertise with us 
and for being here today.
    I want to start with a question to Ms. Stifel. 
Cryptocurrency can be used for illicit purposes, including in 
cyberattacks, such as when most of the $2.3 million stolen from 
the town of Peterborough, New Hampshire, was quickly converted 
to cryptocurrency to make it unrecoverable.
    Last September, I wrote letters to several agencies, 
including the Department of Justice, the Internal Revenue 
Service (IRS), and the Financial Crimes Enforcement Network 
asking what actions the Federal Government can take to help 
reduce the illicit use of cryptocurrencies.
    In the IRS's response to my letter the agency made several 
suggestions, including increasing know-your-customer 
requirements and strengthening suspicious activity reporting 
and compliance for businesses connected to cryptocurrency 
markets.
    Ms. Stifel, could you discuss why these are important and 
how you would strengthen these requirements to help combat 
illicit uses of cryptocurrency?
    Ms. Stifel. Thank you, Senator. The utility of KYC 
requirements, suspicious activity reports, and other mechanisms 
through which the government can receive information about 
ransomware attacks, and particularly payments associated with 
them is essential to, as we talked about, following the money 
and facilitating not only industry but also the government in 
getting an adequate picture of what is happening with these 
payments, the affiliates and the actors who are continuing to 
launch these types of incidents.
    Unfortunately, though, as we have also talked about today, 
there is inadequate and inconsistent compliance with these 
requirements, particularly when you leave the United States' 
jurisdiction.
    I would also note, though, that there are--and this is 
hopefully clear in the diagram that I shared in my written 
testimony--there are a number of other entities within the kill 
chain that may not have reporting requirements but may have 
relevant information, and oftentimes they currently work with 
each other to share that information with the government. I 
think there is an opportunity to look at other ways through 
which the government can obtain information, not necessarily 
from those who are currently subject to KYC and AML 
requirements.
    Senator Hassan. Thank you, and we will follow up with you 
on your diagram and information, as well.
    To both Ms. Koven and Ms. Stifel, in your written testimony 
both of you commented that sanctions can be effective in 
preventing criminals from receiving or laundering ransomware 
payments. Do you believe that the Federal Government should 
more aggressively sanction ransomware groups and entities that 
help launder ransom payments, and what are the barriers to 
implementing more aggressive sanctions?
    We will start with you, Ms. Koven.
    Ms. Koven. Thank you for your question, Senator. I defer to 
policymakers on whether more sanctions should be enforced. But 
I will say that the impact of sanctions on some of these 
services that had been identified as participating in 
ransomware laundering--Garantex, Suex, Chatex, Blender, the 
mixing services--sanctions have been catastrophic to their 
business, severely damaging their operations. There has also 
been designations against specific individuals tied to 
ransomware groups.
    I think we have also seen that sanctions have impacted 
ransomware groups' ability to receive payments from certain 
victims once they are designated, because we can use blockchain 
forensics to actually identify ransomware groups rebranding, 
trying to obfuscate their connection to sanctioned entities.
    We do provide tools and services for transaction 
monitoring, to identify a payment is made to a sanctioned 
jurisdiction or potentially sanctioned entity, and I think 
further implementation of those can also help prevent or 
identify any kind of sanctions violations.
    Senator Hassan. Thank you. Ms. Stifel.
    Ms. Stifel. Thank you, Senator. In the task force's report 
that we published last year we noted, and as has been also 
discussed in the hearing today, the need for an all-tools 
approach to combating ransomware. As Ms. Koven has mentioned, 
and we have also seen recent reports from members of the 
Administration, it appears that sanctions have been effective 
in reducing the ability for ransomware actors to cash out their 
proceeds. So that suggests that they have been an effective 
tool.
    With respect to your question about what barriers exist to 
the use of sanctions in this kind of all-tools approach, I 
would point to the concern around the degree of information 
that is reported about ransomware activity with an adequate 
picture of the scale and scope of this type of cybercrime. It 
inhibits the government's ability to identify and develop that 
sanctions package that allows them to fulfill the requirements 
under sanctions laws and regulations to have sufficient 
evidence to designate a particular entity and then for the 
private sector to then follow through with their requirements 
to prohibit and limit the ability for those actors to gain 
their proceeds.
    Senator Hassan. Thank you.
    Mr. Siegel, in your written testimony you indicated that 
some ransomware victims do not want law enforcement to try to 
recover their ransomware payment because they are worried that 
the criminals will not honor the commitments made in return for 
the ransom payment. This obviously presents a potential problem 
because those payments make ransomware profitable and help 
facilitate future cyberattacks. There are also likely other 
victims who do not want to involve law enforcement at all.
    In your experience working with ransomware victims, what 
percentage of victims do not want to recover their payments, 
even if they are given a viable option, and what percentage of 
victims do not want to involve law enforcement at all, and what 
do you think we could do to alleviate their worries?
    Mr. Siegel. I would say that if it were a risk that the 
victims would not get their deliverables, the decryption keys 
or these things, which they are a prize that that has a 
potential risk, that number could fluctuate between 0 and 100 
percent. I would say that, in general, probably close to half 
of the victims would volunteer to have their money seized or 
reclaimed because they are not as concerned about possible 
recrimination from the threat actors.
    As is relates to nonreporting, in the absence of 
requirements I would say that the minority of victims of 
ransomware would even both, because it is a hassle to them and 
they want to get on with their life.
    One of the most challenges aspects that we cited in our 
discussions with the staff ahead of this were the ability for 
law enforcement to proactively reapproach victims to collect 
evidence in the proper format so they can be submitted as 
evidence to secure indictments. This process can take months, 
sometimes years. When we approached the percentage of those 
victims that voluntarily participate it is very low. That is 
very frustrating to law enforcement.
    I think that through this rulemaking and through mandatory 
reporting the door is now open to try and not only collect more 
accurate information through the reporting but create 
mechanisms whereby law enforcement can reapproach victim of 
attacks and secure the evidence necessary to achieve these 
indictments.
    I would also note, per your prior questions, a lot of the 
ability for our agencies to sanction these groups depend on the 
investigations, and when those investigations cannot conclude 
we cannot get to the finish line on imposing sanctions.
    Senator Hassan. Yes. Thank you. Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Hassan.
    Ms. Koven, you testified earlier that only, I think it is 
0.15 percent of cryptocurrencies are used in illicit 
transactions, and yet according to your report, the 2022 
report, the illicit use of cryptocurrency has grown from $7.8 
billion in 2020, to an all-time high of $14 billion in 2021. 
The report explicitly acknowledges that such illicit activity, 
``represents a significant problem.''
    Clearly you have a very small percentage there, but I think 
the vast majority of all the transactions in crypto are people 
speculating back and forth, kind of similar to the Dutch tulip 
mania, as they bid the prices up.
    My question to, though, is, do we know the percentage of 
cryptocurrency that is actually used to buy a legitimate good 
or service? I do not think folks are going to Walmart or CVS. 
Are people actually using this to buy something? What 
percentage?
    Ms. Koven. Thank you for that question, Senator. Yes, we 
had noted 0.14 percent of transactions last year had an illicit 
component to it, and the vast majority of transactions were 
legitimate, trading, remittances, and viewing cryptocurrency as 
a store of value.
    Chairman Peters. But what percentage? What percentage are 
actually for products and goods?
    Ms. Koven. I do not have that answer on hand. My team can 
get back to you. But I would say it is a near daily occurrence 
that a new business that you and I might frequent is offering 
cryptocurrency as a form of payment. While it is not certainly 
prolific--you cannot pay your rent in cryptocurrency today--
there are more and more businesses that are adopting 
cryptocurrency as a form of payment. This is a global 
phenomenon. You can find more available in other jurisdictions.
    What I will say is that because it is more difficult to buy 
goods and services with cryptocurrency today it is why 
individuals, and even threat actors, rely on cryptocurrency 
businesses like exchanges to convert their cryptocurrency to 
other forms of fiat, like dollars and euros, which is a great 
intelligence lead for investigations.
    Chairman Peters. Very good. Senator Sinema, you are 
recognized for your questions.

              OPENING STATEMENT OF SENATOR SINEMA

    Senator Sinema. Thank you, Mr. Chairman. Thank you to our 
witnesses for joining us today.
    Ransomware attacks have wreaked havoc on communities across 
Arizona and our country, from last year's attack on the city of 
Kingman to the recent attempted hack against Yuma Regional 
Medical Center. Ransomware disrupts our lives, breaches 
sensitive data, and causes real-world harm.
    Our Bipartisan Infrastructure Law invests in State and 
local cybersecurity to combat ransomware, and I co-sponsored 
legislation creating new cyber incident reporting requirements. 
We need to continue to work together to enhance our 
cybersecurity and hold hackers and the countries that provide 
them safe harbor accountable.
    My first question is for you, Ms. Koven. In March, your 
company's co-founder testified before the Senate Banking 
Committee. I asked him about some of the more sophisticated 
techniques used by ransomware gangs to make ransom payments 
harder to trace, including the use of mixer and tumbler 
services to combine cryptocurrency from illicit sources with 
crypto from lawful sources.
    Mr. Levin noted that Chainalysis has actually been able to 
successfully demix certain transactions. Without revealing your 
specific demixing capabilities, could you expand on this, and 
how great of threat to ransomware investigations do 
cryptocurrency mixers currently pose?
    Ms. Koven. Thank you for your question, and this is an 
especially important topic because we have identified mixers 
being incorporated more frequently into ransomware laundering 
techniques.
    As you mentioned, we have recently publicly disclosed our 
demixing capabilities, and while we cannot go into details 
because of ongoing investigations, what I can say is that we 
make every effort to identify all available mixers that these 
threat actors might be able to use so that our law enforcement 
partners and investigators, when conducting and tracking 
ransomware payments, can understand when they are tracing into 
a mixer and do not attempt to trace through it.
    Senator Sinema. Mr. Siegel, you help victims negotiate with 
hackers and protect their specific company from further harm. 
While paying a ransom might be the smart move for a particular 
victim, these payments are the fuel that motivates hackers to 
keep launching additional attacks. How do you balance the 
immediate need to restore a client's systems with the concern 
that paying a ransom might put a target on your client's back 
in the future? When the decision is made to pay the ransom, how 
do you ensure that crypto is not sent in violation of U.S. 
sanctions, particularly given how many attacks are linked to 
countries like Russia and North Korea?
    Mr. Siegel. Thank you for your question. With regards to 
the first part on how the decision is made, the use of data is 
key. There are certain types of ransomware that can cause a 
substantial amount of file corruption. There are certain threat 
actors that default if paid, i.e., they do not provide the 
decryption tools or keys. Providing accurate information on the 
forecasted outcome of what will actually happen if a ransom is 
paid is step No. 1, so the company can make a clear decision.
    Step No. 2 is for the company to understand that this is an 
option of last resort. It has to be weighed against all other 
available paths to restore critical data. If there is one myth 
with ransom payments it is that it is easy and it is fast. It 
is the exact opposite. The vast majority of the time, when 
companies have adequate backups, even if those backups are 
going to take a very long time to recover, that is actually 
faster and is going to avail them to a much quicker recovery 
time than paying a ransom.
    So step No. 1 is to make sure that they understand the 
facts and that they are making a good, data-driven decision.
    To your second question about compliance, our firm has 
developed a comprehensive compliance program. It comes from our 
background. I personally came from the regulated financial 
services industry and ran and built large comprehensive 
compliance programs. We took with us that compliance program 
when we founded our company.
    We do three principal things that revolve around the 
attribution of the threat actor and other characteristics of 
the attack. No. 1 is we are looking at qualitative technical 
forensic and cryptocurrency information to check along the 
lines of common Bank Secrecy Act (BSA) Know-Your-Customer lines 
that the threat actor is not immediately listed on any 
sanctions list, both domestically and internationally. No. 2, 
we are looking at the wallet address, using products like 
Chainalysis to determine if the wallet is clustered or co-spent 
with any sanctioned wallets.
    And No. 3, most poignantly, is we keep our own internal 
restricted list, whereby we are tracking all the known 
sanctioned actors, and as they change their identity and 
further try and obfuscate who they are over time, we are 
tracking these things so that when the same threat actor that 
was sanctioned a year ago is on variant number seven to try and 
obfuscate their identity, we can identify it.
    That is actually the vast majority of the time when there 
is a sanctions issue in an active incident, it is not a one-
for-one identification of this name that you were attacked by 
is on an actual list. It is this name that you were attacked by 
is actually this person or group, and here is the evidence of 
how we have made that attribution.
    So we perform all of these checks well ahead of any payment 
being made. We provide all those facts and circumstances to the 
victim and allow them to make the decision accordingly.
    Senator Sinema. Thank you.
    Ms. Koven, the hackers behind some of the most devastating 
ransomware attacks are often located, or in some cases even 
sponsored by the governments of countries like Russia, North 
Korea, China, Iran. This means that even when we are able to 
identify those behind an attack, our criminal justice system is 
not able to hold those hackers accountable. That makes it 
particularly important that we successfully recover more ransom 
payments so these attackers, at the minimum, are not rewarded 
for their crimes.
    What lessons can we learn from the FBI's successful 
recovery of much of the cryptocurrency used to pay the Colonial 
Pipeline ransom, and with enhanced public-private partnerships 
and datasharing is it feasible to help ransomware victims 
recover ransom payments on a more routine basis?
    Ms. Koven. Thank you for that question, Senator. Yes, we 
have identified nearly 74 percent of ransom payments have a 
Russian affiliation, and we have seen, over the last year, 
several successes, including the Colonial Pipeline, of asset 
recovery from threat actors that exist outside of U.S.-friendly 
jurisdictions.
    Not only is asset seizure a powerful tool but we have also 
been able to cripple some of the primary cash-out destinations, 
including those exchanges based in Russia, like Garantex, Suex, 
and Chatex, that laundered a large amount of ransomware 
proceeds.
    I would further like to say there has been nearly $50 
million in ransomware funds seized from ransomware-related 
actors, and there is also the risk of nation-state actors 
getting involved in ransomware that are not focused on the 
monetary reward but are using ransomware as a cover for more 
strategic aims of espionage and disruption.
    Then the question then becomes, how did these nation-state 
actors get their hands on those tools and services to conduct 
the attack? Blockchain forensics can shine a bright light on 
those necessary tools and services that facilitate nation-state 
actors as well as financially motivated criminal gangs.
    Senator Sinema. Thank you. Thank you, Mr. Chair.
    Chairman Peters. Thank you, Senator Sinema.
    Ms. Koven, I want to go back to, because of the questions 
that I was asking related to transactions for goods and 
services, you said a lot of businesses now are starting to 
accept crypto. Do you have any numbers or any estimate as to 
what you are seeing in that area?
    Ms. Koven. Senator, I apologize I do not have those figures 
on hand but we can get back to you.
    What I did want to say previously is that we have seen a 
500 percent increase in cryptocurrency transactions in the last 
year, and we have seen many institutional players getting 
involved in cryptocurrency and viewing it as an asset class. 
This has accelerated the adoption of cryptocurrency for 
legitimate use cases, and as you have pointed out, also an 
increase in the raw number of illicit transactions that we have 
been able to detect. It was $14 billion last year.
    Chairman Peters. But I want to be clear. When you are 
talking about all the transactions, these are investment 
transactions. They are not an increase of transactions of 
people actually going out and buying stuff. Maybe help me. If 
you are a business and you say you will accept crypto to pay 
for a service, if you accept dollars, you know the dollar 
tomorrow will still be worth a dollar, and next week it is 
still going to be worth a dollar. But crypto, like yesterday, I 
think many of the major cryptos dropped nine percent, or a 10 
percent drop. That would be like the Dow Jones (DJIA) dropping 
3,000 points in a day, which is a pretty huge drop.
    If you are a business and you say, ``I will sell you a 
product for crypto,'' but it may be worth 10 percent less 
tomorrow, I do not know what it will be worth. It could be 
greater, I guess, as well. But based on what we have seen 
recently it has been falling because it is a highly speculative 
asset.
    What is the incentive for a business to take crypto as 
opposed to a dollar when they are trading for an actual 
service?
    Ms. Koven. Thank you for that question, Senator. I am 
possibly not best-suited to answer that question in my current 
role, but what I will say is that many investors are in 
cryptocurrency for the long haul, and they have experienced 
dips and spikes in the ecosystem over the past few years. The 
same with threat actors. They are also dealing with 
cryptocurrency, viewing it as a long-term investment. But we 
can get back to you on specific numbers if you would like, sir.
    Chairman Peters. Yes. I would just be curious if you are 
going to track this. Clearly we all know it is a speculative 
asset that people are investing in, and it is highly volatile. 
We get that. But it is a medium of exchange, and most people 
think of a medium of exchange as it is going to be fairly 
consistent worth. If you buy a good from me and you give me a 
dollar, I will be able to buy a dollar's worth of another good 
somewhere else in the next day or two, or whenever it may be, 
which is different than a speculative stock or investing in 
stock options or other kinds of speculative assets. They are 
different.
    But we do know that because, for a variety of reasons, as 
we have heard today, that criminals are very attracted to 
crypto, and that is a big part of what the currency is used for 
when the actual kind of goods or services transaction is 
illicit. It is criminals that use this currency. In addition to 
speculators, it is criminals that seem to be using crypto.
    My question for Ms. Stifel, are there some additional tools 
that could help the Federal Government recover cryptocurrency 
ransom payments that have already been made? What additional 
tools should we be thinking about?
    Ms. Stifel. Thank you, Senator. I think one of the biggest 
tools that can be made, in part thanks to the work of this 
Committee has been made, is investing both in the cyber funds 
and the emergency authorities that have come through with the 
legislation that has been passed but also thinking about what 
we have talked about previously is better equipping departments 
and agencies to manage the investigatory process that is 
required in order to follow the money through the blockchain.
    Those investments also would be useful to better equip 
departments and agencies to engage their international 
counterparts and to push for the broader application of KYC, 
AML, and other measures more broadly internationally, 
including, as I mentioned, through the Financial Action Task 
Force but in other multilateral bodies where working with 
Europol, for example, or Interpol, more effective engagement 
can be made with counterparts in a range of countries where we 
know that cybercriminals are turning, for example, looking at 
Costa Rica, Peru most recently.
    The United States is not the only country targeted with 
ransomware, and it is essential to really combat this at a 
global scale, that we have partners in a range of jurisdictions 
who are able to meaningfully engage with us as we seek to 
investigate these malicious activities.
    Chairman Peters. Thank you. Ms. Koven, the last question 
here. If you could explain to the Committee, talk a little bit 
more about unhosted wallets and what risk exists when crypto is 
transferred to unregulated, peer-to-peer exchanges and unhosted 
wallets. What should we know about that?
    Ms. Koven. Thank you for your question. If I may address 
the previous comment, I do want to say that cryptocurrency is a 
technology, and as long as technologies have existed there have 
always been bad actors willing to exploit it. Yes, there is 
significant volatility in cryptocurrency. There is the 
mechanism of stablecoins, which can hold value. We do see 
legitimate trading activity as well as cryptocurrencies used in 
remittances, and it is an opportunity for the United States to 
be a key, predominant player in this financial ecosystem by 
harnessing this technology, and the applications that can be 
built on top of it provide tremendous opportunity and job 
growth for national security.
    What I want to say about private wallets, we do focus on 
identifying services--exchanges, darknet markets, ransom 
payments. But in the course of our investigations we do 
sometimes come across private wallets belonging to a threat 
actor, which allows us to monitor that wallet and also 
understand that threat actor's spending habits, all the tools 
and services purchased by that threat actor, and also cash-out 
destinations like peer-to-peer or cryptocurrency exchanges.
    Peer-to-peer services are also obligated to regulatory 
requirements--AML, CFT requirements--that do require KYC and 
other forms of identification.
    Chairman Peters. Right. Thank you.
    I want to thank all of our witnesses for participating in 
today's discussion, and I look forward to building on what we 
have learned from today's testimony, including additional ways 
to combat the national and economic security threats posed by 
ransomware attacks.
    I plan to continue my investigation to further examine the 
role cryptocurrencies play in these cybercrimes and other 
criminal activities, and I look forward to exploring the issues 
identified during today's hearing in detail, including 
shortfalls in the enforcement of applicable anti-money 
laundering regulations for cryptocurrency transaction.
    The record for this hear will remain open for 15 days, 
until 5 p.m. on June 22, 2022, for the submission of statements 
and questions for the record.
    This hearing is now adjourned.
    [Whereupon, at 11:24 a.m., the hearing was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 [all]