The crypto industry needs to pay attention to – and help fight – the growing ransomware threat.
Ransomware has emerged in a big way recently, but information security specialists have been warning about this issue for years. Cryptocurrency isn’t the sole factor in ransomware’s increasing popularity, but it is becoming a major player in this type of malware’s spread. This is an issue the industry is going to have to reckon with sooner rather than later.
Mass adoption; wait, no, not like that
The narrative
Ransomware attacks have been on the rise for a while, but some recent, very high-profile incidents are bringing this type of cyberattack to the forefront of mainstream awareness. Bitcoin is one of the key technologies that’s aiding the current rise. So naturally, a number of individuals have called for banning the cryptocurrency (or all cryptocurrencies) to mitigate these attacks.
Banning crypto won’t work. But there are steps that the industry can take to try and limit the spread of ransomware attacks.
Why it matters
On Monday, National Security Advisor Jake Sullivan said that any federal or international response to ransomware would include a look at “how to deal with the cryptocurrency challenge which lies at the core of how these ransom transactions are played out.” This form of cyberattack is drawing an increasing amount of scrutiny from governments worldwide. Crypto’s role in enabling ransomware cannot be denied, and if the industry doesn’t take a role in finding a way to mitigate this issue, a solution will likely be forced on it by regulators.
It’s in the crypto industry’s best interests to be proactive here. Blockchain transactions are easily traceable, meaning the tools are already there to help mitigate this type of attack. Exchanges are also starting to comply with regulatory regimes more focused on identifying users and limiting money laundering, which can also help deal with this issue.
Breaking it down
Crypto has a ransomware problem.
In the last two months we’ve seen a number of major ransomware attacks cripple key infrastructure, such as fuel transportation, national health services and meat logistics. It’s not a new issue – ransomware has been a dark cloud on the horizon for a while. But recently attacks have become more daring, and more profitable.
Let’s step back a minute and define our terms. Ransomware attacks are when a piece of software essentially hijacks a computer or network, preventing anyone from using it until a decryption key is provided. Attackers can install their malware by taking advantage of a vulnerability or tricking victim users into downloading a malicious program through a phishing email.
If you’ve heard of JBS or Colonial Pipeline recently, it’s likely because they were hit by ransomware attacks. Other prominent victims in recent years include insurance firm CNA Financial, the city of Atlanta, parts of the Irish health service, parts of the UK health service, Australian hospitals, Cox Media Group and on and on. Anyone can get hit, and it often takes tons of resources – time and money – to recover.
Attackers will provide a decryption key if victims pay them for one (hence the “ransom” part of ransomware). And while these attacks predate crypto, bitcoin is a major enabler of this form of cyberattack.
Chainalysis, a crypto analytics firm, found a massive spike in the amount of funds ransomware attackers received last year – close to half a billion dollars. Trends in 2021 so far seem to be lagging somewhat, with victims sending only $127 million in the past six months, but Chainalysis Senior Director of Communications Madeleine Kennedy noted this is only a floor. More companies may have paid crypto ransoms than have reported doing so.
While companies are loath to share details about paying ransomware perpetrators, we know a few firms have paid millions or tens of millions of dollars. CNA Financial, a major insurance firm, reportedly paid some $40 million (a spokesperson refused to confirm whether it paid in crypto). Colonial Pipeline apparently paid $4 million in bitcoin.
This was always going to be a problem that the world’s governments would have to address if industry didn’t, and we’ve now reached that point. The U.S. President has directed his staff to evaluate how the federal government reacts to ransomware attacks, including by boosting crypto analysis efforts. The Department of Justice wants to treat ransomware attack investigations similarly to terrorism investigations. Leading lawmakers are evaluating these attacks.
And again, it’s not just a U.S. problem. Government agencies worldwide, including Europol and the UK’s National Cyber Security Centre, joined the U.S. Department of Homeland Security and a host of private companies in supporting an international Ransomware Task Force, which published a report outlining possible methods of mitigating these attacks earlier this year.
Banning bitcoin?
Crypto’s role in supporting ransomware shouldn’t be underestimated. A stateless, decentralized tool for value transfer can help protestors fighting financial surveillance and censorship in dictatorships or store value amid runaway inflation, but it is equally helpful for criminals and malicious actors. I reached out to members of the task force to ask whether bitcoin was a major factor in the growth of ransomware.
“Without a doubt,” said Philip Reiner, CEO of the Institute for Security and Technology and a co-chair of the Ransomware Task Force.
“Without question,” said Michael Daniel, another task force co-chair and the CEO of the Cyber Threat Alliance.
Pamela Clegg, vice president of financial investigations at blockchain analysis firm CipherTrace, called crypto “a path of least resistance,” but said other payment methods could be used in lieu of crypto.
The fact that anyone around the world can set up a bitcoin wallet and transact through exchanges or even directly with another individual means criminals don’t have to worry about hiding from a bank’s know-your-customer (KYC) processes. It may also be easier for a victim company to send a few million dollars in bitcoin than try to send a wire transfer or international payment using fiat currencies.
So let’s establish here that this is the crypto industry’s problem.
As mentioned above, one proposed solution is to ban bitcoin entirely. But members of the Ransomware Task Force, which included representatives from crypto companies as well as firms and organizations with no crypto affiliation, don’t see this as an effective solution.
“You can try it, but I don’t think it would work,” Daniel said.
“It’s really not a feasible, viable approach to say that,” he said. “Instead, what seems to me is we have to find the right balance, policy balance between allowing the innovation that cryptocurrencies bring, the benefits they can provide and [bring] the protections we’ve built into the financial system to deal with criminal activity, to deal with money laundering.”
Reiner agreed. Easier solutions may include ensuring over-the-counter (OTC) trading desks enforce KYC rules, and keeping KYC and anti-money laundering rules (AML) on bitcoin teller machine kiosks.
It’s also important that companies and regulators understand how a bitcoin ransom works on a technical level. This includes understanding how exchanges transfer funds and how mixers operate.
“In any industry there is a moment of realization when major industry actors know they need to get together and take action before regulatory authorities step in,” he said. “I think this might be one of those types of situations where everyone in this ecosystem sees federal governments moving to do something about the cryptocurrency ecosystem and it’s to their advantage to be part of that conversation and maybe even lead it.”
Companies could start just by adopting the cyber hygiene recommendations recently published by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, he said.
Payment concerns
Even if banning bitcoin isn’t necessarily a viable solution, bitcoin’s role in ransomware needs to be examined.
“We’re in that window where a new technology has basically presented itself, [but] people are still understanding how it is going to be used,” said Chainalysis Director of Market Development Don Spies. “And I don’t think anyone really understands where it’s going to go and the opportunities that it truly has for, you know, the global financial system.”
Kennedy noted that while cybercriminals using bitcoin obviously isn’t good, the fact they are using a traceable cryptocurrency may be beneficial in the long term, as law enforcement officials can track transactions and identify malicious actors.
All cryptocurrency transactions are recorded on the distributed blockchain ledger, allowing analytics firms or other individuals to trace them.
Indeed, the Department of Justice and FBI announced Monday that they had recovered some of the bitcoin Colonial paid. An affidavit filed by an unnamed special agent explained how this individual quite literally tracked this bitcoin across several transactions before finding a wallet that the FBI could seize control of.
Netwalker is one example. Federal officials indicted an individual earlier this year on allegations that he conducted over 90 different ransomware attacks, receiving up to $14 million in bitcoin (at the time).
A broader question is whether paying ransomware perpetrators is even advisable. Energy Secretary Jennifer Granholm said Sunday that paying ransoms may encourage further attacks. She’s not alone in voicing this concern.
Rep. Carolyn Maloney (D-N.Y.), who chairs the House Oversight Committee, wrote open letters to Colonial and CNA last week, asking them for more information about their decisions to pay the ransoms after their attacks.
“I am extremely concerned that the decision to pay international criminal actors sets a dangerous precedent that will put an even bigger target on the back of critical infrastructure going forward,” she said in a statement accompanying the letters.
It’s not an easy question to answer though, Reiner said.
“You’re funding criminals, and in no circumstances is that a laudatory thing,” he said. “These companies are in a horrible position – either pay these criminals or go bankrupt.”
Simply banning ransom payments outright would put much of the burden on the victim companies without giving them additional tools or resources to weather such an attack.
Daniel said it was worth looking at what different nations were doing in response to ransomware attacks. In particular, some emerging markets don’t have a strong, legacy financial system, and how they approach the issue of ransomware operators within their borders could inform the broader global response.
“You want to be building these groups of like-minded countries that will agree to improving certain financial rules and agree to conduct joint investigations and agree to share information so we have a better understanding of the criminal networks,” he said. “All of this goes together. One of the reasons this problem is so challenging is it requires international coordination.”
Mitigating attacks
Better information sharing, maintaining cyber hygiene, boosting investigative resources and updating cybersecurity regulations to address different aspects of the ransomware ecosystem are all tangible steps that both regulators and companies can take to help mitigate this threat, Spies said.
“Information is not currently shared in a consistent or reliable manner,” he said. “There’s also currently under-reporting of ransomware, which obfuscates the true scope of the issue, and it means that law enforcement does not have all the necessary information to prioritize and investigate ransomware events.”
Other recommendations by the task force included ensuring international cooperation on KYC/AML regulations and establishing best principles for cryptocurrency exchanges to ensure they can provide services to legitimate businesses but not to illicit operations.
The task force had 48 recommendations overall, Reiner said.
“How can we convene conversations between smart people on both sides and figure out where it is actually falling down,” he said.
Congress has been looking at ransomware over the past few years but JBS and Colonial have “raised the stakes,” said Blockchain Association Director of Government Affairs Ron Hammond.
“We believe Congress should double down on solving the geopolitical and cybersecurity challenges, rather than calling out cryptocurrencies as the primary driver of this problem. Preventing ransomware attacks is a largely bipartisan issue and we hope that the solutions to the problem are defined by consensus as well,” he said.
At least one government entity is focused on technological and policy solutions beyond just crypto.
The Financial Crimes Enforcement Network (FinCEN), a U.S. Treasury Department office tasked with watching for financial transactions used for illicit activities, has been tracking ransomware attacks and assessing penalties against crypto exchanges that facilitate ransomware-related crypto transactions, a FinCEN official told CoinDesk.
“This past October, FinCEN issued an advisory to alert financial institutions to predominant trends, typologies and potential indicators of ransomware and associated money-laundering activities. The information contained in the advisory was derived from FinCEN’s analysis of cyber and ransomware related Bank Secrecy Act data, open source reporting, and FinCEN’s law enforcement partners,” the official said.
FinCEN and its sister agency, the Office of Foreign Assets Control (OFAC), have published a number of advisories. OFAC has also added cryptocurrency addresses to its sanctions list on ransomware charges. In 2018 OFAC alleged that ransomware proceeds were processed by Iranian residents, and essentially barred these individuals from the U.S.-based financial system.
In a statement, Acting FinCEN Director Michael Mosier said ransomware is “not a new issue” for the federal government or to the industry.
“Ultimately, however, ransomware is a cybersecurity issue, and the best protection is prevention, best practices, improved defenses and resilience,” he said. “While financial regulation can help with detection and slow the spread or speed the pursuit, we need to make it harder to happen, not just harder to pay. Not every actor is merely financially motivated, and we need to protect critical infrastructure and/or personal information in every way.”