Rising Threats: Ransomware Attacks and Ransom Payments Enabled by Cryptocurrency (U.S. Senate Committee on Homeland Security and Governmental Affairs)

Hearing	Rising Threats: Ransomware Attacks and Ransom Payments Enabled by Cryptocurrency
Committee	U.S. Senate Committee on Homeland Security and Governmental Affairs
Date	June 7, 2022

 

Hearing Takeaways:

• Ransomware Attacks and Cyber Incidents: The hearing focused on the recent uptick in ransomware attacks and cyber incidents impacting both public and private networks. The hearing highlighted how these attacks and incidents could disrupt businesses and critical infrastructure and impose serious economic costs. Committee Members and the hearing’s witnesses noted how illicit actors were selling ransomware tools and services that enabled third parties to perpetrate ransomware attacks on their own. They stated that many ransomware attacks and cyber incidents went unreported due to a lack of knowledge among victims as to where precisely to report the attacks and incidents. They stated that many victims viewed this reporting as overwhelming given the myriad of government agencies that desired such information and their urgent need to restore their operations from the attack or incident. They further noted how many victims were reluctant to report such information out of a fear that the criminals would not provide the needed decryption keys that would enable the restoration of a victim’s business.
  • Recently Enacted Cyber Incident Reporting Legislation: Committee Members and the hearing’s witnesses noted how the U.S. had recently enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law as part of the Consolidated Appropriations Act, 2022. This legislation requires critical infrastructure owners and operators to report cyberattacks within 72 hours and ransomware payments within 24 hours. Mr. Siegel contended that cyber incident reporting requirements ought to be extended to all victims of ransomware rather than just organizations under the oversight of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
  • Implementation of Cyber Incident Reporting Law: The hearing’s witnesses contended that the success of the recently enacted cyber incident reporting law would heavily depend on its implementation. They raised concerns that poor implementation could burden federal agencies with unstructured data that could not be parsed or analyzed at scale. They called for the adoption of standardized reporting frameworks so that federal agencies could quickly operationalize information. Mr. Siegel further remarked that the rulemaking stemming from the recently enacted cyber incident reporting law should clarify where exactly ransomware victims should report cyber incidents.
  • Inability to Enforce Policies in Foreign Jurisdictions: Committee Members and the hearing’s witnesses noted how the U.S. often could not punish the criminals that perpetrated ransomware attacks and engaged in other types of illicit actors that were located in foreign jurisdictions. They highlighted how many of these illicit actors were located in hostile countries, including Russia, North Korea, Iran, and China. Ms. Koven remarked however that it was possible for U.S. law enforcement bodies to combat ransomware perpetrators that were out of its direct reach through imposing costs on them, seizing their assets, and leveraging global partnerships to reach them. She further stated that the U.S. could work to address the threat actors and enablers behind ransomware attacks, including access brokers and malware-as-a-service providers. 
  • Importance of Ensuring that Federal Agencies Possessed Sufficient Funding: Ms. Koven and Ms. Stifel emphasized the importance of ensuring that government agencies possess adequate funding for the training, tools, and resources that they require to conduct ransomware investigations, as well as operationalize and share cyber incident information.
  • Providing Support to Other Countries Regarding their Capabilities to Combat Ransomware Attacks: Ms. Koven and Ms. Stifel also called on the U.S. to provide assistance to foreign countries to support their adoption of anti-money laundering (AML) and know your customer (KYC) laws. Ms. Stifel suggested that international organizations could support the international adoption of these measures.
  • Support for Alternative Data Collection Efforts: Ms. Stifel stated that there were entities within the ransomware kill chain might possess relevant information, even if they lacked reporting requirements. She noted how these entities often worked with each other to share that information with the U.S. government. She suggested that the U.S. government should thus look at alternative means of obtaining information (beyond solely relying on entities that were subject to KYC and AML requirements).
  • Support for Private Sector Entities in Preparing for Ransomware Attacks: Sen. Jacky Rosen (D-NV) discussed how she had introduced legislation to support private entities in preparing for ransomware attacks. She mentioned how she had introduced the bipartisan Improving Cybersecurity of Small Organizations Act of 2021, which would direct federal agencies to develop cybersecurity recommendations for small entities and provide cybersecurity training for small entities. She also mentioned how she had introduced the Healthcare Cybersecurity Act of 2022, which would require CISA to make resources available to health care and public health sector entities.
• Use of Cryptocurrencies in Ransomware Payments and Illicit Activities: The hearing also focused on the prevalent use of cryptocurrencies in ransomware payments. Full Committee Chairman Gary Peters (D-MI) and Mr. Siefel highlighted how the perpetrators of ransomware attacks almost exclusively demanded cryptocurrencies when extorting large sums of money because cryptocurrency transactions could be obscured and could more easily escape regulatory scrutiny. Mr. Siegel further noted how there did not exist a mechanism for reversing illegitimate cryptocurrency transfers. Ms. Koven testified however that only 0.14 percent of cryptocurrency transactions in 2021 had an illicit component to them and remarked that the vast majority of cryptocurrency transactions were therefore legitimate. She noted that these legitimate transactions involved trading, remittances, and the use of cryptocurrencies as a store of value. However, Full Committee Chairman Peters expressed skepticism regarding how often cryptocurrencies were currently being used to exchange goods and services. 
  • Use of Specific Privacy-Enhanced Cryptocurrencies for Ransomware Payment Demands: Sen. Josh Hawley (R-MO) and Mr. Siegel discussed how the the use of privacy-enhanced cryptocurrencies (such as Monero) in ransomware payments could obfuscate the end designation of the payments. Mr. Siegel stated that policymakers ought to distinguish between cryptocurrencies made with the express intent of committing financial fraud and legitimate cryptocurrencies that seek to provide enhanced privacy. Ms. Koven stated however that many privacy-enhanced cryptocurrencies (including Monero) were illiquid, which made them impractical to use. She further highlighted how many cryptocurrency exchanges had delisted Monero in response to regulatory guidance.
  • Ability of Cryptocurrencies to Identify Criminal Networks and Enable the Recovery of Ransomware Payments: Ms. Koven contended that the transparency of cryptocurrencies and blockchains enhanced the ability of policymakers and government agencies to detect, attribute, and ultimately disrupt illicit activity. She stated that it was ultimately much easier to investigate cases involving the illicit use of cryptocurrencies than other forms of payments. She noted how the identification of an illicit actor’s cryptocurrency wallet from a ransom payment could provide law enforcement insight into the cash out destination, the network of accomplices, and the malicious tools underpinning the ransomware campaign.
  • Use of Mixing Services: Ms. Koven also mentioned how there had been an uptick in the use of mixing services, which obfuscated the destination of ransomware proceeds. She noted how the U.S. government had successfully employed blockchain analysis to trace payments to high-risk exchanges and taken law enforcement actions against these exchanges. She stated that these actions had caused deposits to precipitously drop in these exchanges.

Hearing Witnesses:

1. Ms. Megan Stifel, Chief Strategy Officer, Institute for Security and Technology
2. Mr. Bill Siegel, Chief Executive Officer, Coveware
3. Ms. Jacqueline Burns Koven, Head of Cyber Threat Intelligence, Chainalysis

Member Opening Statements:

Full Committee Chairman Gary Peters (D-MI):

• He discussed how there had occurred increasingly complex and sophisticated ransomware attacks on both public and private networks in recent years.
  • He commented that these ransomware attacks had caused “significant” disruptions to daily lives and imposed serious economic costs.
  • He further noted that the long-term impacts of ransomware attacks for businesses included lost revenues, reduced profits, damage to brand reputation, employee layoffs, and loss of customers.
• He stated that the perpetrators of ransomware attacks almost exclusively demanded cryptocurrencies when extorting large sums of money because cryptocurrency transactions could be obscured and could more easily escape regulatory scrutiny.
• He referenced a Chainalysis study that found that malicious actors had received at least $692 million in cryptocurrency extortion payments as part of ransomware attacks in 2020.
  • He indicated that this was an over 300 percent increase when compared to the previous year.
• He asserted that these figures were likely underestimates of the actual number of attacks and ransom payments made by victims.
• He noted how a cryptocurrency wallet was not tied to an individual person, which meant that wallet holders could take steps to conceal their identities in order to evade detection for their criminal activities.
• He also remarked that banking regulations (such as AML regulations) meant to prevent the criminal use of cryptocurrencies were inconsistently enforced, especially in foreign jurisdictions.
  • He referenced a Chainalysis report that found that approximately 74 percent of global ransomware revenue in 2021 went to entities either likely located in Russia or controlled by the Russian government.
  • He predicted that this Russian illicit activity would only increase in light of the U.S.’s support for Ukraine following Russia’s invasion of the country.
• He mentioned how he had recently released a report that explored that role that cryptocurrencies played in terms of incentivizing and enabling ransomware attacks.
• He indicated that the report found that the federal government lacks sufficient data and information on ransomware attacks and the use of cryptocurrency as ransom payments in these attacks.
  • He asserted that the federal government must collect better data in order to understand the full scope of the threat.
• He mentioned how he had co-authored bipartisan cyber incident reporting legislation with Full Committee Ranking Member Rob Portman (R-OH) that was recently passed into law and called this legislation a “significant first step” for obtaining necessary information for combating ransomware attacks.
  • He explained that the legislation requires critical infrastructure owners and operators to report cyberattacks within 72 hours and ransomware payments within 24 hours.
• He expressed interest in working to build upon this bipartisan cyber incident reporting legislation through holding foreign adversaries and cybercriminals accountable, as well as through finding ways to reduce the incentives to conduct these attacks in the first place.
• He contended that the U.S. must take additional actions to ensure cryptocurrencies are monitored appropriately.
• He lastly remarked that Congress must examine other types of criminal activity involving cryptocurrencies, such as human trafficking and drug trafficking.

Full Committee Ranking Member Rob Portman (R-OH):

• He discussed how ransomware groups had professionalized their operations through offering a “ransomware-as-a-service” model.
  • He explained that this model involved the sale or delivery of malware to individuals called “affiliates” who actually perpetuate the ransomware attack.
• He mentioned how he had released a March 2022 report that documented the experiences of a diverse set of U.S. companies victimized by Russian ransomware gangs.
• He remarked that ransomware posed a broad threat to U.S. businesses and that U.S. businesses must take proactive steps to protect against cyberattacks.
• He mentioned how he had co-authored cyber incident reporting legislation with Full Committee Chairman Gary Peters (D-MI) and indicated that this legislation had been successfully signed into law.
  • He called on CISA to work with industry experts and stakeholders to quickly implement the law.

Opening Statements:

Ms. Megan Stifel (Institute for Security and Technology):

• She mentioned how her organization, the Institute for Security and Technology (IST), had convened its Ransomware Task Force that was composed of stakeholders from industry, academia, civil society, governments (including the U.S. government), and multilateral organizations.
  • She noted how this organization had worked to identify measures for deterring, disrupting, preparing for, and responding to ransomware attacks.
• She testified that the IST Ransomware Task Force’s priority recommendations included the need for a sustained and coordinated U.S.-led multi-stakeholder collective action to address ransomware, an intelligence-driven anti-ransomware campaign (including support for collaboration between intelligence agencies and industry), the establishment of ransomware response and recovery funds, frameworks for ransomware preparation, mandatory reporting of ransomware payments, and closer international regulation of the cryptocurrency sector.
  • She commented that closer international regulation of the cryptocurrency sector was needed given how cryptocurrencies often enabled cybercrimes.
• She mentioned how several high-profile ransomware attacks had occurred following the publication of the IST Ransomware Task Force’s report, which had led to the disruption of fuel and meat production and distribution, as well as health care disruptions.
  • She stated that these attacks had spurred companies to make “significant progress” in countering the threats of ransomware.
• She remarked that ransomware constituted a modern form of extortion and asserted that industry and government must work to proactively monitor evolutions of extortion techniques.
• She discussed the importance of improving the scope and quality of information about ransomware incidents and stated that higher quality information could better enable the private sector to protect the rights and property of its customers and support private sector collaboration with governments to combat cybercrimes.
  • She commented that improving the quality and volume of ransomware information would better enable deterrence, enhance preparedness, and inform disruption activities.
• She remarked that the monitoring of payments constituted one of the most effective tools for combating ransomware and noted how information shared through voluntary and mandatory incident reporting supported this monitoring.
  • She asserted however that there did not exist an adequate incentive structure to meaningfully empower payments monitoring capabilities at scale.
• She called for harmony among government reporting avenues for ransomware payments and commented that this harmony would ease confusion among ransomware victims and would streamline the collection and analysis of ransomware attack information.
  • She stated that the recently enacted cyber incident reporting legislation would help to support this effort and contended that the legislation’s implementation ought to focus on bolstering reporting consistency across reporting pathways.
• She then remarked that collected information must be useful and appropriately disseminated within a meaningful period of time.
  • She highlighted how one piece of information might be of different value to different agencies and organizations.

Mr. Bill Siegel (Coveware):

• He discussed how his company, Coveware, had extensive experience handling ransomware incidents and stated that Coveware collected and analyzed ransomware data in order to identify best practices for preventing future ransomware attacks.
  • He also testified that Coveware had voluntarily and proactively reported subsets of its collected data to law enforcement bodies from every attack that it had ever worked on since the company’s inception.
• He applauded the Committee for case studies of ransomware attacks and its reports on the use of cryptocurrencies in ransomware attacks.
• He discussed how financially motivated cyber criminals almost universally denominated their ransom demands in cryptocurrencies.
  • He attributed the popularity of cryptocurrencies among cyber criminals to a desire to protect ransom payments from law enforcement seizure and the efficiency with which the money could be laundered.
  • He further highlighted how there did not exist a mechanism for reversing illegitimate cryptocurrency transfers.
• He contended that a ransomware attack was more akin to a kidnaping and ransom incident than a financial theft and stated that ransomware victims might not want their funds reclaimed out of a fear that the criminals would not provide the needed decryption keys that would enable the restoration of a victim’s business.
  • He also noted how the reclaiming of a ransomware payment required the victim to make a timely report to the correct branch of law enforcement.
  • He further stated that the end destination of a cryptocurrency must be within the reach of western law enforcement bodies for a trace and seizure to be successful.
• He remarked that one or several of the aforementioned variables tended to inhibit a trace and seizure of cryptocurrencies from even being started.
• He also noted how ransomware had existed prior to the advent of cryptocurrency and contended that ransomware attacks would continue if cryptocurrencies were to disappear.
  • He commented that ransomware attacks would remain attractive to bad actors so long as the attacks were to remain profitable.
• He then expressed Coveware’s support for the mandatory reporting of cyber incidents and stated that cyber incident reporting requirements ought to be extended to all victims of ransomware (rather than just organizations under the oversight of CISA).
  • He asserted that the efficacy of the recently enacted cyber incident reporting law would be largely dependent on its implementation.
• He remarked that mandatory reporting of cyber incidents would have two primary impacts: providing the federal government with clarity regarding the scope of the ransomware problem and providing the federal government with clarity regarding how to best respond to ransomware attacks.
• He raised concerns however that poor implementation of the recently enacted cyber incident reporting law could burden agencies with unstructured data that could not be parsed or analyzed at scale.

Ms. Jacqueline Burns Koven (Chainalysis):

• She discussed how ransomware attacks had increased “significantly” in recent years and highlighted how there had occurred ransomware attacks on critical infrastructure, law enforcement agencies, health care providers, municipalities, schools, and other businesses.
  • She acknowledged that while cryptocurrencies were the predominant form of ransomware payments, she asserted that cryptocurrencies were not the cause of ransomware attacks.
• She contended that the transparency of cryptocurrencies and blockchains enabled policymakers and government agencies to detect, attribute, and ultimately disrupt illicit activity.
• She stated that it could be much easier to investigate cases involving the illicit use of cryptocurrencies than the illicit use of other forms of payments.
  • She noted how the identification of an illicit actor’s cryptocurrency wallet from a ransom payment could provide law enforcement with insight into the cash out destination, the network of accomplices, and the malicious tools underpinning the ransomware campaign.
• She highlighted how a ransomware attack involving a traditional bank account would require law enforcement to engage in a protracted and resource intensive process to subpoena records and commented that this process’s findings would not be timely.
  • She added that these challenges for law enforcement were even greater for cash-based transactions.
• She testified that her company, Chainalysis, had found that at least $712 million in ransomware payments had been made in 2021.
  • She commented that while this estimate likely undercounted the total amount of ransomware payments made in 2021, she stated that this estimate still constituted a record.
• She then discussed how many ransomware groups often rebranded themselves in order evade government security and obfuscate their connections to sanctioned entities.
  • She mentioned how Chainalyisis often employed blockchain analysis in order to discern these rebrand attempts.
• She also remarked that extortion tactics had evolved in order to skirt traditional definitions of ransomware.
  • She noted how certain illicit actors will threaten to release or sell a compromised party’s data unless the compromised party pays a ransom.
• She stated that these evolving tactics necessitated that policymakers and government agencies needed to be flexible about cyberattack definitions when requesting reports on these events.
• She remarked that U.S. policies must leverage a “whole-of-government” approach for reducing ransomware attacks and mitigating their impacts and recommended that the U.S. pursue public-private partnerships to address these attacks.
• She called it vital that the U.S. improve ransomware reporting and information sharing.
  • She commented that there should be clear guidance on when, what, and where to report incidents and asserted that this information should be shared “swiftly” with law enforcement agencies.
• She also stated that it was important to ensure government agencies possessed adequate funding for the training, tools, and resources that they require to conduct ransomware investigations.
• She lastly remarked that the U.S. should help other countries to develop and implement “robust” AML laws for cryptocurrency businesses.
  • She commented that these laws would help to ensure that bad actors could not cash out their ill-gotten gains in unregulated jurisdictions.

Congressional Question Period:

Full Committee Chairman Gary Peters (D-MI):

• Chairman Peters mentioned how his report on the use of cryptocurrencies in ransomware attacks had found that the U.S. government lacked comprehensive data regarding the ransomware threat landscape. He asked Ms. Stifel to indicate whether she agreed with this finding. He also noted how the IST Ransomware Task Force had called for mandatory reporting requirements for ransomware payments made in cryptocurrency. He asked Ms. Stifel to explain why such requirements were necessary.
  • Ms. Stifel remarked that the U.S. government did not possess sufficient information about ransomware payments within the cryptocurrency space. She noted that there still existed many parties that did not attempt to comply with ransomware reporting requirements. She commented that this inconsistent compliance led to discrepancies regarding the amount of available information. She also discussed how the various government agencies that did collect transaction information tended to request different types of information, which contributed to a disaggregated picture of the threat. She remarked that mandatory reporting requirements for ransomware attack payments made in cryptocurrency would help the U.S. government to better understand the scale and scope of ransomware threats. She also stated that the reported information needed to be made available to the private sector so that it could support the U.S. government’s efforts to combat illicit activity. She expressed agreement with Mr. Siegel’s recommendation that the U.S. government ought to receive information under the recently enacted cyber incident reporting law in a structured format. She called it important for the information to be relevant and for the U.S. government to be equipped to manage the information. She elaborated that this management of the information would entail disseminating the information to relevant private sector actors.
• Chairman Peters then highlighted how federal agencies had expressed concerns with the gaps in their ability to enforce AML laws against illicit actors using located abroad cryptocurrencies. He mentioned how his report had found that these gaps impeded the ability of law enforcement to investigate, prosecute, and prevent cryptocurrency-related crimes. He asked Ms. Koven and Ms. Stifel to identify the shortfalls in the U.S.’s enforcement of AML regulations with respect to illicit cryptocurrency transactions. He also asked Ms. Koven and Ms. Stifel to indicate whether Congressional action was needed to address these shortfalls.
  • Ms. Koven testified that Chainalysis had observed a decline in the number of cryptocurrency cash out destinations for illicit actors and indicated that these cash out destinations mainly included offshore exchanges with limited or no regulation or enforcement. She called for the U.S. to provide assistance to foreign countries to support the implementation of AML laws. She also mentioned how Chainalysis had observed an uptick in the use of mixing services, which obfuscated the destination of ransomware proceeds. She noted how the U.S. government had successfully employed blockchain analysis to trace payments to high-risk exchanges and taken law enforcement actions against these exchanges. She stated that these actions had caused deposits to precipitously drop in these exchanges. She specifically highlighted how North Korean money launderers using stolen funds had made use of the illicit mixing service Blender.io.
  • Ms. Stifel remarked that the U.S.’s AML regulations had driven illicit actors to move abroad to cash out their ill-gotten cryptocurrencies. She stated that the absence of regulations in foreign countries made it possible for illicit actors to make money from their ransomware attacks because these actors could cash out ransomware payments made in cryptocurrency into fiat currency. She contended that a more consistent international regulatory environment would enable governments to better combat illicit activity involving cryptocurrencies. She then applauded Congress for its recent passage of cyber incident reporting legislation. She recommended that Congress clarify which measures private sector entities could take to respond to cyber incidents. She specifically suggested that Congress clarify the scope of the Cybersecurity Information Sharing Act of 2015. She further stated that policymakers ought to work to make cyber incident requirements consistent and to ensure that private sector entities maintain secure systems to reduce the prevalence of ransomware attacks.

Sen. Josh Hawley (R-MO):

• Sen. Hawley noted how Mr. Siegel had told the Committee that cybercriminals almost universally denominated their ransom demands in cryptocurrencies. He asked Mr. Seigel to explain why cybercriminals denominated their demands in cryptocurrencies and to discuss the implications of this tendency.
  • Mr. Siegel discussed how ransomware perpetrators tended to want to cash out their illicit proceeds using the most efficient means. He stated that cryptocurrencies constituted the most efficient means for cashing out illicit proceeds given their scale, ability to be transferred across borders, and ability to be transferred without the possibility of being reclaimed (unless the cryptocurrencies were moved through an exchange that cooperated with Western law enforcement bodies). He further noted how illicit actors could move their proceeds between different types of cryptocurrencies, which could obfuscate the whereabouts of the proceeds.
• Sen. Hawley asked Mr. Siegel to indicate whether there was a specific cryptocurrency that was more often used than others for ransom demands.
  • Mr. Siegel remarked that Bitcoin was the predominant cryptocurrency used for ransom payments. He mentioned however that some illicit actors denominated their ransom demands in other privacy-enhanced cryptocurrencies (such as Monero). He further noted that ransom payments made in Bitcoin were often exchanged into privacy-enhanced cryptocurrencies in order to obfuscate the end destination.
• Sen. Hawley then noted how there were currently over 10,000 active cryptocurrencies, which constituted a significant increase from over a decade ago. He asked Mr. Siegel to indicate whether the growing number of cryptocurrencies had influenced how ransom demands were being made.
  • Mr. Siegel answered no.
• Sen. Hawley asked Mr. Siegel to indicate whether new cryptocurrencies were being designed in a way that would optimize them for use in illicit activities.
  • Mr. Siegel remarked that it was possible that new cryptocurrencies were being designed in a way that would optimize them for use in illicit activities. He stated that policymakers ought to distinguish between cryptocurrencies made with the express intent of committing financial fraud and legitimate cryptocurrencies that seek to provide enhanced privacy. He commented that the latter type of cryptocurrency could be attractive to criminals for money laundering purposes.
• Sen. Hawley asked Mr. Siegel to indicate whether new cryptocurrencies were being purposely designed to be opaque.
  • Mr. Siegel remarked that some privacy coins were purposely designed to be more private. He stated that there were two challenges that a given cryptocurrency would face if it sought to be adopted by a large group of illicit actors. He explained that these cryptocurrencies must work and must be liquid. He attributed Bitcoin’s popularity amongst illicit actors to its liquidity.
• Sen. Hawley then noted how Ms. Koven had asserted that cryptocurrencies could enhance investigations into ransom demands given their transparent nature. He asked Ms. Koven to elaborate on this assertion.
  • Ms. Koven noted how Bitcoin was the most frequently demanded currency in ransomware cases and stated that the transparency of blockchains enabled law enforcement bodies to see where stolen cryptocurrencies were being cashed out. She noted that law enforcement bodies could use this information to subpoena exchanges for KYC information and potentially freeze the accounts used to withdraw the stolen cryptocurrencies. She further discussed how law enforcement bodies could review public blockchains to identify the activities of illicit actors. She stated that these reviews could identify other illicit actors that were coordinating with or providing services and tools to a given illicit actor.
• Sen. Hawley asked Ms. Koven to explain why criminals were disproportionately using cryptocurrencies as opposed to U.S. dollars.
  • Ms. Koven remarked that Bitcoin had broad appeal and testified that Chainalysis had found that only 0.14 percent of overall cryptocurrency transaction activity last year was crime-related. She noted how other types of cryptocurrencies (including Monero) were illiquid, which made them impractical to use. She further highlighted how many cryptocurrency exchanges had delisted Monero in response to regulatory guidance.
• Sen. Hawley then noted how Mr. Siegel had stated that cyber incident reporting requirements could burden federal agencies with unstructured data that could not be pared or analyzed at scale. He asked Mr. Siegel and Ms. Koven to discuss how federal agencies should optimally implement cyber incident reporting requirements.
  • Mr. Siegel remarked that federal agencies should look to adopt established standardized frameworks for cyber incident reporting. He explained that these frameworks standardized the tactics, techniques, and procedures used by illicit actors. He indicated that these frameworks came with standard hierarchies, standard names, and standard codes. He noted how ransomware attacks were very repetitive in nature and stated that the use of standardized frameworks to categorize these attacks would enable federal agencies to quickly identify patterns.
  • Ms. Koven expressed agreement with Mr. Siegel regarding the benefits of adopting standardized frameworks for cyber incident reporting. She stated that these frameworks would enable federal agencies to quickly operationalize information. She mentioned how this approach had already proven successful, including during the Netwalker ransomware takedown.

Sen. Jacky Rosen (D-NV):

• Sen. Rosen discussed how ransomware attacks could destroy small businesses and commented that small businesses often could not afford to adopt cybersecurity measures or hire cybersecurity professionals. She mentioned how she had introduced the bipartisan Improving Cybersecurity of Small Organizations Act of 2021, which would direct federal agencies to develop cybersecurity recommendations for small entities and to provide cybersecurity training for small entities. She highlighted how the Committee had approved the legislation in February 2022. She asked Mr. Siegel to address how ransomware perpetrators chose small businesses to target. She asked Mr. Siegel to discuss the tactics and techniques that these perpetrators were using to go after small businesses.
  • Mr. Siegel remarked that ransomware attacks were generally opportunistic (rather than targeted) in nature. He commented that ransomware attacks were generally based on economics and that targeting a specific company tended to not be economical. He discussed how ransomware perpetrators often identified businesses to target through purchasing previously breached credentials or through mass scanning the internet to find potential vulnerabilities. He expressed his belief that the Colonial Pipeline ransomware attack was likely not targeted and that the attack’s perpetrators had no political motivations for pursuing the attack. He commented that while there did not exist a “silver bullet” to address the problem of ransomware, he remarked that companies could adopt measures to make ransomware attacks more expensive and more difficult to execute. He stated that most small businesses had cybersecurity vulnerabilities that were very easy to exploit and that small businesses could address these vulnerabilities.
• Sen. Rosen then discussed how there had occurred an uptick in cyberattacks on hospitals and clinics and stated the increased use of medical devices created vulnerabilities for cyberattacks. She mentioned how the U.S. Federal Bureau of Investigations (FBI) had found that the health care sector had fallen victim to ransomware far more than any other critical infrastructure sector in 2021. She stated that these cyberattacks drove up the cost of health care and could impact health outcomes for patients. She mentioned how she had introduced the Healthcare Cybersecurity Act of 2022, which would require CISA to make resources available to health care and public health entities. She highlighted how this legislation would require CISA to develop products tailored to the specific needs of small and rural hospitals. She asked Mr. Siegel and Ms. Koven to discuss how health care entities could protect themselves against ransomware threats.
  • Mr. Siegel discussed how the most sensitive units of a hospital, including emergency rooms (ERs), neonatal intensive care unit (NICU), and oncology units, depended on electronic medical record (EMR) software to provide critical patient care. He noted that the hacking of this software prevented the delivery of this patient care. He remarked that the adoption of cybersecurity protection measures ought to be considered essential for critical infrastructure companies and asserted that the cybersecurity operations of these companies should be overseen and regulated.
  • Ms. Koven noted how Chainalysis had calculated that the median ransomware payment was $6,000 and commented that the impact of ransomware on smaller entities was often overlooked. She also stated that many smaller businesses and hospitals were not equipped to understand the sanctions risks of potential ransomware payments. She further discussed how the ransomware perpetrators that targeted small businesses also targeted hospitals and other forms of infrastructure. She remarked that improving education about ransomware threats would therefore play a key role in disrupting the use of ransomware.

Sen. James Lankford (R-OK):

• Sen. Lankford discussed how the FBI, CISA, U.S. Homeland Security Investigations (HSI), the U.S. Department of the Treasury, the U.S. Secret Service, and the U.S. Securities and Exchange Commission (SEC) all maintained reporting requirements for cryptocurrency entities. He commented that these reporting requirements likely overwhelmed many cryptocurrency entities. He asked the witnesses to discuss how cryptocurrency entities viewed these various reporting requirements across different federal agencies.
  • Mr. Siegel commented that while it would be great if only one federal agency were to oversee the cryptocurrency space, he remarked that all of the aforementioned federal agencies had a role to play in overseeing the space. He stated that the recently enacted cyber incident reporting law had taken the appropriate first step of designating a single agency and possible cooperating agencies to handle the initial inbound and triage of the reporting data. He explained that this law would route the reporting data to the proper agencies that could conduct the necessary investigations. He mentioned how the chief executive officer (CEO) of the Colonial Pipeline had told Congress that he had felt overwhelmed with the volume of inbound duplicative requests from law enforcement agencies and regulators as he worked to respond to his company’s hack. He remarked that the rulemaking stemming from the recently enacted cyber incident reporting law should clarify where exactly ransomware victims should report cyber incidents to.
  • Ms. Koven expressed support for the recently enacted cyber incident reporting law and specifically commended the law’s provisions that aggregated and standardized the reporting of cyber incidents. She also stated that Congress must ensure that federal agencies possessed adequate funding so that the agencies could operationalize this new cyber incident information. She discussed how there had been multiple federal agency successes over the past year in terms of targeting various aspects of the ransomware kill chain, illicit cash out destinations, and specific ransomware perpetrators. She called for enhanced training and tools so that federal agencies could operationalize the new influx of cyber incident data. She also discussed the importance of global cooperation between U.S. agencies and foreign agencies in terms of responding to cybersecurity threats.
  • Ms. Stifel remarked that there needed to exist greater clarity and simplicity in terms of the process for victims to report cyber incidents with the U.S. government. She also stated that federal agencies required sufficient resources to both receive the information and establish relationships amongst one another and other businesses to share received information. She further discussed the importance of having private organizations establish relationships with CISA and the FBI before they become victims of a cyber incident so that they are prepared to report cyber incidents when they arise.
• Sen. Lankford stated that most entities did not know precisely which government departments and agencies to establish relationships with because there were too many departments and agencies that maintained cyber incident reporting requirements. He commented that this myriad of reporting requirements could overwhelm companies as they work to respond to cyber incidents. He then highlighted how 74 percent of the entities involved in perpetrating ransomware attacks were either Russian or Russian-affiliated. He stated that these entities would not cooperate with U.S. law enforcement agencies on ransomware investigations. He asked Ms. Koven to discuss how best to address these Russian and Russian-affiliated entities involved in ransomware attacks.
  • Ms. Koven remarked that it was possible for U.S. law enforcement bodies to combat ransomware perpetrators that were out of its direct reach through imposing costs on them, seizing their assets, and leveraging global partnerships to reach them. She highlighted how the U.S. had taken actions against many ransomware cash out destinations and stated that the U.S.’s sanctions against Russian-based cryptocurrency exchanges had adversely impacted the exchanges. She further remarked that the U.S. could work to address the threat actors and enablers behind ransomware attacks, including access brokers and malware-as-a-service providers.

Sen. Maggie Hassan (D-NH):

• Sen. Hassan discussed how cryptocurrencies were often demanded in ransomware attacks so that the ransomware payments could be made unrecoverable. She mentioned how she had written letters to several federal departments and agencies, including the U.S. Department of Justice (DoJ), the U.S. Internal Revenue Service (IRS), and the U.S. Financial Crimes Enforcement Network (FinCEN), requesting recommendations on how the federal government could reduce the illicit use of cryptocurrencies. She noted how the IRS had made several suggestions on this issue, including increasing KYC requirements and increasing suspicious activity report (SAR) compliance for businesses connected to cryptocurrency markets. She asked Ms. Stifel to discuss why these requirements would be important and to provide recommendations for strengthening these requirements to combat the illicit use of cryptocurrencies.
  • Ms. Stifel remarked that KYC requirements and SARs played a key role in providing the U.S. government and industry with information about ransomware attacks and the payments associated with them. She lamented however that there was currently inadequate and inconsistent compliance with KYC and SAR requirements (particularly in foreign jurisdictions). She also stated that there existed entities within the kill chain that might lack reporting requirements. She indicated however that these entities might possess relevant information. She noted how these entities often worked with each other to share that information with the U.S. government. She suggested that the U.S. government should thus look at alternative means of obtaining information (beyond solely relying on entities that were subject to KYC and AML requirements).
• Sen. Hassan then noted how both Ms. Koven and Ms. Stifel had stated that sanctions could be effective in terms of preventing criminals from receiving or laundering ransomware payments. She asked Ms. Koven and Ms. Stifel to indicate whether the U.S. government ought to more aggressively sanction ransomware groups and entities that help to launder ransomware payments. She also asked Ms. Koven and Ms. Stifel to identify the barriers to implementing more aggressive sanctions.
  • Ms. Koven remarked that sanctions had proven “catastrophic” to many businesses that supported the laundering of ransomware payments. She also stated that sanctions had impacted the ability of ransomware groups to receive payments from certain victims. She noted how blockchain forensics could be used to identify ransomware groups that were attempting to rebrand as a means of evading sanctions. She testified that Chainalysis provided tools and services for transaction monitoring to identify whether payments were going to sanctioned jurisdictions and entities. She remarked that the further implementation of these tools and services could help to identify sanctions violations.
  • Ms. Stifel noted how the IST Ransomware Task Force’s report had called for an “all tools” approach to combating ransomware. She remarked that sanctions appeared to be effective in terms of reducing the ability of ransomware actors to cash out their ill-gotten proceeds. She stated that inadequate reporting of ransomware activity inhibited the U.S. government’s ability to levy sanctions on appropriate parties, which in turn made it difficult for the private sector to prevent illicit actors from obtaining their ill-gotten proceeds.
• Sen. Hassan then noted how Mr. Siegel had indicated that some ransomware victims did not want law enforcement bodies to recover their ransomware payments. She explained that these victims were afraid that the ransomware perpetrators would not honor their commitments if said money were to be recovered. She stated that this lack of recovery incentivized ransomware perpetrators to engage in future attacks. She asked Mr. Siegel to estimate the percentage of ransomware victims that did not want to recover their ransomware payments (even if presented with a viable option for recovery). She also asked Mr. Siegel to estimate the percentage of ransomware victims that did not want to involve law enforcement in their ransomware situations. She further asked Mr. Siegel to address how the U.S. could alleviate the worries of these victims.
  • Mr. Siegel estimated that about half of ransomware victims would volunteer to reclaim their ransomware payments after a ransomware attack. He then remarked that a minority of ransomware victims would report ransomware attacks absent reporting requirements given the hassles associated with reporting. He discussed how law enforcement faced challenges in reapproaching ransomware victims so that they could collect evidence in the proper format. He indicated that this process could take months or even years and stated that victim participation in these evidence collection efforts was very low. He remarked that the recently enacted cyber incident reporting law presented an opportunity to collect more accurate ransomware information and created a mechanism for law enforcement to reapproach ransomware victims to collect evidence. He further stated that the ability of the U.S. to sanction ransomware actors was very dependent on the ability of law enforcement bodies to conduct ransomware investigations.

Full Committee Chairman Gary Peters (D-MI):

• Chairman Peters noted how Ms. Koven had previously indicated that only 0.15 percent of cryptocurrencies were used in illicit transactions. He noted however that Chainalysis had also found that the illicit use of cryptocurrencies had grown from $7.8 billion in 2020 to an all-time high of $14 billion in 2021. He speculated that the vast majority of current cryptocurrency transactions were likely based on asset speculation (rather than the exchange of goods and services). He asked Ms. Koven to estimate what percentage of cryptocurrencies were being used to purchase legitimate goods and services.
  • Ms. Koven noted how 0.14 percent of cryptocurrency transactions in 2021 had an illicit component to them. She remarked that the vast majority of cryptocurrency transactions were legitimate and involved trading, remittances, and the use of cryptocurrencies as a store of value. She stated that she did not know what percentage of cryptocurrency transactions were used for the exchange of goods and services and expressed Chainalysis’s willingness to follow up with the Committee on Chairman Peters’s question. She remarked however that an increasing number of businesses were offering cryptocurrencies as a form of payment and added that this trend was global. She stated that the current difficulties associated with exchanging cryptocurrencies for goods and services led illicit actors to rely on cryptocurrency exchanges to convert their ill-gotten cryptocurrencies into fiat currencies. She commented that these conversions provided valuable information to law enforcement investigators.

Sen. Kyrsten Sinema (D-AZ):

• Sen. Sinema discussed how ransomware attacks were adversely impacting her state’s localities and health care providers. She noted how the recently enacted Infrastructure Investment and Jobs Act (IIJA) had provided investments for state and local cybersecurity capabilities to combat ransomware. She also mentioned how she had co-sponsored legislation to create new cyber incident reporting requirements. She noted how Chainalysis’s co-founder had previously told the U.S. Senate Committee on Banking, Housing, and Urban Affairs that Chainalysis had been able to successfully demix certain transactions that had used mixer and tumbler services. She explained that mixer and tumbler services combined cryptocurrencies from both illicit and lawful sources in order to make those cryptocurrencies more difficult to trace. She asked Ms. Koven to discuss Chainalysis’s demixing capabilities and to address the extent to which cryptocurrency mixers posed threats to ransomware investigations. 
  • Ms. Koven remarked that mixers were being incorporated more frequently into ransomware laundering techniques. She indicated that while she could not provide details regarding Chainalysis’s demixing capabilities due to its ongoing investigations, she stated that Chainalyis worked to identify all of the available mixers that ransomware perpetrators might be able to use. 
• Sen. Sinema then discussed how ransomware payments from companies motivated ransomware perpetrators to launch future attacks. She asked Mr. Siegel to discuss how Coveware balanced the immediate need to restore a client’s systems with the concern that paying a ransom might place a future target on its clients. She also asked Mr. Siegel to address how Coveware ensured that any ransomware payments made in cryptocurrencies would not be made in violation of U.S. sanctions.
  • Mr. Siegel remarked that the use of data was key for determining whether a ransomware payment would be made. He elaborated that there were certain types of ransomware that could cause a substantial amount of file corruption and that there were certain ransomware perpetrators that defaulted on their promises when ransomware payments were made. He stated that it was therefore important to provide accurate information on the forecasted outcome of a given ransomware payment. He also called ransomware payments an “option of last resort” and asserted that these payments must be weighed against all other available options for restoring critical data. He stated that ransomware payments were neither easy nor fast, which meant that it was usually better for companies to make use of their data backups (even if such backups would take time to implement). He then discussed how Coveware had developed a comprehensive compliance program for ransomware payments. He testified that Coveware looked at qualitative, technical, forensic, and cryptocurrency information to check whether the ransomware perpetrator is sanctioned either domestically or internationally. He also noted how Coveware looked at a ransomware perpetrator’s wallet address to determine whether the wallet was either clustered or cospent with any sanctioned wallets. He further testified that Coveware maintained its own internal restricted list so that it could identify instances when a sanctioned entity attempts to rebrand itself in order to evade sanctions. He stated that most ransomware payments to sanctioned entities involved a sanctioned entity that had rebranded itself. He remarked that Coveware provided all of the aforementioned information to ransomware victims, which enabled the victims to make more informed decisions as to whether to make ransomware payments.
• Sen. Sinema then highlighted how ransomware perpetrators were often sponsored by Russia, North Korea, Iran, and China. She stated that this dynamic prevented the U.S. criminal justice system from holding many ransomware perpetrators accountable. She asserted that this dynamic underscored the importance of ransomware payment recovery so that ransomware perpetrators would not be rewarded for their crimes. She asked Ms. Koven to identify lessons from the FBI’s successful recovery of much of the cryptocurrencies used to pay the Colonial Pipeline ransom. She also asked Ms. Koven to indicate whether enhanced public-private partnerships and data sharing would help ransomware victims to recover their ransomware payments on a more routine basis.
  • Ms. Koven noted how nearly 74 percent of ransomware payments had a Russian affiliation and how there had been several successful instances over the previous year of ransomware payments being recovered from non-U.S. friendly jurisdictions. She further stated that the U.S. had successfully crippled certain cash out destinations for ransomware payments (including Russia-based exchanges). She highlighted how there had been nearly $50 billion in ransomware funds seized from ransomware-related actors. She further discussed the risks associated with nation state actors becoming involved in ransomware that were more focused on ransomware as a form of espionage and disruption. She stated that blockchain forensics could identify the tools and services that were facilitating ransomware attacks from both nation state actors and financially motivated criminal gangs.

 Full Committee Chairman Gary Peters (D-MI):

• Chairman Peters asked Ms. Koven to indicate whether she had any estimates regarding the numbers of businesses that were accepting cryptocurrencies as payments for goods and services.
  • Ms. Koven stated that she did not have such estimates on hand and expressed her willingness to follow up with the Committee regarding Chairman Peters’s question. She noted how there had occurred a 500 percent increase in cryptocurrency transactions over the previous year. She also highlighted how many institutional players were getting involved in the cryptocurrency space. She stated that this involvement had accelerated the adoption of cryptocurrency for legitimate use cases. She also reiterated that the estimated value of cryptocurrencies involved in illicit transactions last year was $14 billion.
• Chairman Peters commented that many cryptocurrency transactions were investment transactions rather than exchanges of cryptocurrencies for goods and services. He also discussed how cryptocurrencies were very volatile, which made them ill-suited for pricing items. He asked Ms. Koven to explain why a business might accept cryptocurrencies as a means of payments given this volatility.
  • Ms. Koven remarked that many investors were taking a long-term interest in cryptocurrencies and had experience in dealing with volatility in cryptocurrency prices. She reiterated her willingness to follow up with Chairman Peters regarding specific figures for the use of cryptocurrencies in transactions.
• Chairman Peters reiterated his concerns that the volatile nature of cryptocurrencies made them ill-suited to serve as mediums of exchange for goods and services. He noted how criminals found cryptocurrencies very attractive, which led cryptocurrencies to be used in illicit transactions. He asked Ms. Stifel to indicate whether there existed additional tools that could help the U.S. government to recover cryptocurrency ransomware payments that had already been made.
  • Ms. Stifel applauded the Committee’s work to support the U.S. government’s cybersecurity capabilities. She suggested that the Committee work to better equip federal departments and agencies to manage the investigatory processes required to monitor blockchain transactions flows. She also stated that the Committee could help federal departments and agencies to better equip their international counterparts to address illicit transactions and to support these counterparts in adopting KYC and AML measures. She further suggested that international organizations could help support the international adoption of KYC and AML measures. She indicated that these organizations could include the Financial Action Task Force (FATF), the International Criminal Police Organization (Interpol), and the European Union Agency for Law Enforcement Cooperation (Europol).
• Chairman Peters asked Ms. Koven to discuss the issue of unhosted wallets and to explain the risks posed by the transfers of cryptocurrencies to unregulated peer-to-peer exchanges and unhosted wallets.
  • Ms. Koven first remarked that cryptocurrency was similar to other technologies that were susceptible to misuse. She acknowledged how cryptocurrencies often experienced significant price volatility and stated that stablecoins could serve as a mechanism for mitigating this volatility. She remarked that legitimate cryptocurrency trading activity was occurring and noted how cryptocurrencies were being used to support remittances. She asserted that the U.S. had an opportunity to play a dominant role within the cryptocurrency space through embracing the technology. She then discussed how Chainalysis often identified private wallets belonging to threat actors during the course of their investigations. She stated that Chainalysis monitored these private wallets in order to discern a threat actor’s spending habits, tools, services, and cash out destinations. She also noted how peer-to-peer exchanges were subject to regulatory requirements, including AML and combating the financing of terrorism (CFT) requirements.