The Cryptocurrency Forensics Solution to OFAC’s $11.5 Billion Ransomware Conundrum

5 min readDec 15, 2020

$11.5 billion: this is what ransomware cost the United States in 2019, up nearly $4 billion from the previous year. But the impact of ransomware goes far beyond the monetary; ransomware groups have specifically targeted vulnerable groups, even targeting overburdened hospitals in the midst of the ongoing COVID-19 pandemic.

From the time of its inception circa 1989 until the present, the ransomware defense playbook has remained frustratingly thin. For an attack that is startlingly easy to launch, that has become an industry all its own with the rise of RaaS (Ransomware as a Service), the numbers are disheartening.

Figure 1: The International Economics of RaaS (Ransomware as a Service) by Industry. FireEye Mandiant, 2020

Unfortunately, this already thin playbook has been all but devalued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) most recent announcement.

As noted by Law & Forensics founder and AnChain.AI advisor Daniel B. Garrie Esq., per the October 1st announcement an institution engaging in ransomware payments with OFAC-designated SDNs (Specially Designated Individuals) is subject to sanctions imposed based on strict liability, and could be held civilly liable despite not knowing or having reason to know that it was engaging in a transaction with a prohibited person under OFAC sanctions laws and regulations, dealing a crippling blow to what has become the de facto response to a ransomware compromise: payment of the ransom by an institution’s insurance provider via a broker.

The only solution is to start from scratch, building a comprehensive solution that addresses the short, medium, and long-term goals of modern ransomware response.

Cryptocurrency Forensics: A More Modern Approach

The growing complexity of modern ransomware attacks necessitates an equally informed response. In the same October 1st announcement in which OFAC first warned of potential liability for violation of CFT (Combating the Financing of Terrorism) efforts, recommending implementation of more robust compliance programs.

It will take time to bridge the gap between the currently outdated ransomware response playbook with more long-lasting solutions. Until then, the solution lies in the ability to bring light to the often murky origins of crypto-based cyber attacks.

The AnChain.AI team investigated over 100 ransomware families, and took a deep dive into 3 of the most infamous ransomware families’ Bitcoin transaction history: Locky, WannaCry and Ryuk.

Utilizing blockchain forensics, however, we can begin to build a unique profile for a ransomware strain, identifying patterns of activity, otherwise overlooked, that can aid in the remediation process.

Figure 2: Average dwell time of ransomware bitcoin wallets: Locky, WannaCry and Ryuk.

For as iconic as the WannaCry ransomware attacks are, the 2017 incident represents perhaps the simplest face of modern ransomware. More contemporary variants like the omnipresent Ryuk not only move received funds more quickly, as illustrated in Figure 2, exhibiting an average Bitcoin dwell time nearly ten times shorter, but utilize entirely different methods of infiltration. Such cryptocurrency forensics reflects similar behavioral insights such as Mandiant’s APT malware dwell time analysis.

Figure 3: Transaction In/Outflow of Ransomware Variants

Yet as the sophistication of ransomware attacks has continued to grow, ransomware response has become an increasingly narrow-minded endeavor, with organizations overwhelmingly turning to insurance providers to simply pay off the ransom.

Through the utilization of cryptocurrency forensics, we begin to observe the unique characteristics of an individual ransomware strain. As can be seen in Figures 6 thru 8, the distinctive transaction patterns provide instantaneous insight into the origins of the attackers, including broader trends of international ransomware hotbeds.

Figure 4: In/Outflow Transactions — Ryuk (Hackers Active on UTC 14:00–23:00. Probably European.)
Figure 5: In/Outflow Transactions — Locky (Hackers active UTC 8:00–18:00. Probably European)
Figure 6: In/Outflow Transactions — WannaCry (Hackers active UTC 9:00 -16:00. Probably Russian)
Figure 7: Heatmap of International Ryuk Ransomware Victims. Kaspersky, 2019

Not only can this information contribute to a heatmap of ransomware activity at-large, but it can be further iterated upon using blockchain forensics tools such as our CISO Investigative Platform. Utilizing AI-powered tracing techniques like the auto-trace demonstrated in Figure 10 below, cases can be built to acquire critical KYC information from liquidation portals like cryptocurrency exchanges, opening the possibility of criminal investigation by international law enforcement agencies.

Figure 8: AI-powered Auto-trace of Ransomware Funds Flowing to Exchange

The Evolving Face of Ransomware

The AnChain.AI threat research team has summarized the key behavior traits of ransomware hacker groups’ TTP (Tactics, Techniques and Procedures) and hacker attribution on WannaCry, Locky and Ryuk.

The diverse profiles of 3 ransomware families

From the iconic WannaCry to the countless variants of the more modern Ryuk, each individual strain exhibits qualities unique to itself, presenting a substantial cybersecurity dilemma. Simply put, it’s far easier for an attacker to put even a minor twist on an old ransomware classic than it is for an organization to safeguard itself against every possible permutation.

Even before the recent OFAC announcement brought the fundamental viability of this approach into question, it was already beginning to show its age, creating a dangerous big-game hunting economy in which ransomware attackers increasingly targeted larger organizations and demanded higher and higher ransoms. Like it or not, Bitcoin and other cryptocurrencies will continue to prevail as ransom payments.

Closing Remarks

Resolving the growing ransomware epidemic requires a multi-pronged solution:

  1. Utilization of cryptocurrency forensics as a powerful tool for hacker attribution.
  2. Preventive forensics, blocking ransomware payments to sanctioned individuals.
  3. AI/ML-powered intelligence empowering OFAC-compliant AML/CFT, enabling ransomware payments when possible.
  4. Comprehensive policy, education, and tech solutions to reduce long-term incidence of ransomware attacks.

There is no more critical time to safeguard oneself against the ransomware threat than the present, and while the OFAC announcement may call into question the viability of our current ransomware response tactics, they also open the door for a new approach to this emerging threat.

What are your company’s ransomware related concerns? AnChain.AI is here to assist. Contact us at




Blockchain data analytics firm providing security, risk, and compliance solutions.