Why Bitcoin is not the root cause of ransomware
Ransomware has been around for a while — turns out it’s about twenty years older than Bitcoin — but it’s been in the news again recently because of a particularly upsetting case involving a Los Angeles Hospital.
Most types of ransomware software “lock” the files on a victim’s computer by encrypting them with a key that the hackers withhold until a ransom payment is made. In the early days of these tools, payment was typically made with wire transfer, prepaid cards, or by SMS/mobile payments. Now payment is almost always demanded in bitcoin.
You might think that this is because Bitcoin is an “anonymous” payment method, and that hackers love it because they don’t have to worry about being identified and ultimately caught. That’s not actually why Bitcoin is a good fit. Prepaid cards are actually more anonymous because they can be mailed and then used or resold internationally with effectively no trace. Bitcoin transactions, however, leave a trail of pseudonymous breadcrumbs on the blockchain and if the hacker tries to cash out into local currency, she might accidentally put a name or an IP address to those pseudonyms and give herself away. Blockchain transactions can reveal the structure of organized ransomware crime rings, and individual hackers can be and have been caught and prosecuted.
No, Bitcoin is particularly useful here because it’s fast, reliable, and verifiable. The hacker can simply watch the public blockchain to know if and when a victim has paid up; she can even make a unique payment address for each victim and automate the process of unlocking their files upon a confirmed bitcoin transaction to that unique address.
The truth is that criminals have, as usual, very strict design parameters for the tools they use because there’s no tech-support, contract, or legal recourse for a criminal whose tools fail to perform as they should. Criminals are using Bitcoin in this case because it’s a reliable system that just works. Ransomware hackers are rather like the proverbial rumrunners of prohibition: they like fast custom cars because almost everyone else is still driving a Model T.
As problematic and sad as these attacks are, it’s important to carefully understand what’s happening so that we don’t jump to “solutions” that wouldn’t solve the problem and could even make us less secure in the long run.
Three ingredients make ransomware the problem it is, and these things are just as true whether the victim is your Aunt Alice or a hospital or police station:
- Hackers gain unauthorized access to a computer with read/write permission over sensitive or valuable data.
- Hackers place malware on that computer to encrypt its files using strong cryptography and a key which only they control.
- Hackers use Bitcoin to receive payment in exchange for the key.
Cryptography and Bitcoin are the “sexy” parts of that trifecta, and accordingly they get most of the media attention. The root problem though, is number one: unauthorized access.
In the hospital context, for example, it’s already a security and privacy disaster that random hackers in Russia can access, read, modify, and delete all of your sensitive medical records. Whether the hacker then encrypts the files, or demands a ransom is a secondary issue; the damage is already done. Failing to keep those records private and safe puts patients in danger of discrimination, personal blackmail, and, of course, poor or compromised care.
So, to be very very clear, the problem of ransomware begins with bad security. Everyone — and especially employees of vulnerable institutions — needs to take the security of sensitive records more seriously; we all need to better understand phishing emails and other social engineering tactics that can be used by hackers to gain access to sensitive information. This is a problem that’s been around as long as the Internet, and yet the solutions are actually fairly straightforward: use strong passwords, don’t share your passwords with anyone (even people sending you official-looking emails), and don’t open suspicious email attachments from senders you don’t know.
Additionally, of this three-part problem, both cryptography and cryptocurrencies have entirely legal and even essential applications that make us more secure. The first part, unauthorized access caused by poor security, has no upside. If we’re looking for a way to stop these attacks we need to target weaknesses in our privacy infrastructure, not the tools that some may use to exploit those weaknesses. We need to use https encryption by default; we need to understand and practice two factor authentication; we need to talk about password managers and what makes a strong password; and we need to think about payment systems that don’t consistently hemorrhage our personal identifying information.
Ignoring this problem of unauthorized access and putting the blame on cryptography and cryptocurrencies will not stop ransomware. In fact, outlawing or compromising these tools will make ransomware significantly worse. Such policies would discourage honest individuals from learning about and utilizing the very technology that could make them safe; while criminals in darker corners of the world, the sophisticated rumrunners with strict design standards, would continue to use these powerful tools for evil.