A crypto ban won’t curb the ransomware epidemic. Better software could

Taylor Armerding
Published in Nerd For Tech
Jul 19, 2021

There are multiple reasons why the U.S. is in the grip of a ransomware tsunami.

Ransomware attacks are relatively easy because so many organizations have software with exploitable vulnerabilities.

It’s lucrative. Encrypt the data of your victim (also steal it for further blackmail leverage) and walk away with tens of thousands to millions of dollars after they pay you for the decryption key and a promise not to post their data online.

It’s relatively risk-free. A majority of the most devastating ransomware attacks are committed by perps beyond the reach of U.S. law enforcement, operating in hostile nation states. It’s done with keystrokes on a computer. No bullets or high-speed chases involved.

Also — and very importantly — the payments, in cryptocurrency, are anonymous and difficult to trace. No bank involved. No taxes to pay, which means the gross is the net. For a criminal, what’s not to like?

But plenty not to like for the law-abiding and law-enforcing world. So as the number and severity of ransomware attacks increases — the one against network management company Kaseya Ltd. earlier this month by the Russia-based gang REvil is just the latest in an ongoing string — so does the debate over whether governments should regulate cryptocurrency, ban it outright, or be more aggressive about hacking into the cryptocurrency infrastructure that the gangs use.

It’s a debate that goes well beyond experts on a panel at a security conference. After the attack on Kaseya, an unnamed White House official said “this is really about our own resilience as a nation in the face of these attacks. It’s about addressing the challenges posed by cryptocurrency, which provides fuel for these sorts of transactions.”

It’s complicated

So, remove the “fuel” and remove the threat?

Well, as is usually the case in the digital world, it’s not that simple. For starters, cryptocurrency is far too embedded in modern finance to ban it outright. You might as well try to ban the internet.

And while Bitcoin is still the best-known cryptocurrency (and the one most often used for ransomware payments), there are thousands of others, many of them immensely popular in niche communities.

But even Bitcoin alone “is too big to ban. And a ban or regulation on cryptocurrency would only increase the costs associated with ransomware attacks,” said Travis Biehn, technical strategist with the Synopsys Software Integrity Group.

A ban, he said, would come with unintended consequences and simply drive the operation of that market underground. “A carte-blanche U.S. ban on cryptocurrency will wipe value from predominantly American cryptocurrency holders — Tesla and businesses like MicroStrategy (holder of 105,085 bitcoins as of June 21).”

“The price of a bitcoin would break down but, crucially, the network itself will continue to operate. The cryptocurrency will continue to exchange 24/7 where it isn’t banned, and likely under the table where it is. This means attackers will still demand ransom in bitcoin, but companies in the U.S. will have to turn to the black market to acquire the cryptocurrency,” he said.

Not that some governments aren’t trying at least to restrict it. Anna Chiang, product marketing manager with the Synopsys Software Integrity Group, said “authoritarian governments such as China have recently restricted cryptocurrencies like Bitcoin because they had become ‘tools for speculation’ and were bringing potential risks to financial security and social stability. China has told its banks and online payment channels not to provide products or services for cryptocurrency transactions.”

But she added that “in a free society such as the U.S., regulating cryptocurrency or banning it outright is an affront to entrepreneurship. It’s best to let companies like Facebook Diem navigate the Bitcoin market opportunities on their own without restrictive government regulations.”

A cauldron of abuse

Not everybody agrees. Craig Spiezle, managing partner at AgeLight Advisory & Research Group and former executive director and president of the Online Trust Association, said his thinking has evolved to the point where “I am not an advocate for crypto. Regulation is required for the exchanges, as it is now the Wild West, full of abuse — not to mention a great platform for tax evasion and money laundering.”

And Dmitri Alperovitch, executive chairman at Silverado Policy Accelerator and a cofounder and former CTO of the cybersecurity firm CrowdStrike, said in a video interview with the RSA Conference that “crypto is what enables this whole ecosystem to exist,” and that it is indeed possible to defeat ransomware gangs with cryptocurrency regulation including “know your customer” — a requirement that financial services organizations verify the identity, suitability, and risks involved with any customer. The goal is to prevent businesses from being used by criminal elements for money laundering.

If foreign exchanges refused to comply and were “banned from interacting with the American financial system and being able to receive U.S. dollars, that would be devastating to them,” Alperovitch said.

But while debate proceeds on whether a ban would work or not, what about so-called ethical hackers working on behalf of law enforcement or governments to track and expose ransomware gangs? Indeed, after Colonial Pipeline paid a reported $4.4 million to the Russia-based DarkSide ransomware gang, the Department of Justice announced that it had been able to recover about $2.3 million of that by tracing and seizing the bitcoin wallet used by the hackers.

Also, as has been widely reported over the past week, REvil mysteriously disappeared from the dark web, prompting speculation that law enforcement or government had taken it down, although there was equal speculation that the gang had done it simply to “rebrand” itself to avoid more political pressure.

And some experts have said for years that the perception of cryptocurrency as secure and anonymous is a myth. Michael Perklin, CISO of ShapeShift.io and president of the CryptoCurrency Certification Consortium, said several years ago that “Bitcoin is one of the most traceable currencies on the planet, and contrary to media misreporting over the last few years, Bitcoin is not anonymous and offers very little privacy protection to its users.”

But Ted Harrington, executive partner at Independent Security Evaluators, said that kind of blanket statement doesn’t cover the whole cryptocurrency market. “To participate in the more user-friendly exchanges like Coinbase and Binance, you have to prove identity, which makes it easy to identify recipients of funds. But criminals collecting cryptocurrency payments are usually more savvy and collect ransoms directly to wallets that are anonymized. So law enforcement can see where the funds go but not necessarily who they belong to,” he said.

That would make the Colonial case more of an anecdotal exception than a trend when it comes to law enforcement seizing ransomware payments. Spiezle said that in the Colonial case, “the criminals were sloppy and left ‘breadcrumbs’ that aided law enforcement.”

Unintended consequences

Biehn agreed, saying criminals adapt quickly when they see one of their number make a mistake. “Attackers’ gains will be seized until they learn how to obfuscate the source of funds, avoid centralized exchanges that will play ball with the U.S., and secure their own cryptocurrency holdings,” he said. “It’s unlikely that dollars spent hacking wallets will have solid ROI in terms of deterrence or harm reduction because the solutions to prevent this type of seizure are cheap and accessible.”

There is also the reality that giving law enforcement added authority or tools to fight crime could have unintended consequences. “In theory, law enforcement could hack financial instruments to reclaim illicit funds, but that seems like a slippery slope,” Harrington said. “Who draws the line on what they’re allowed to hack? This feels analogous to law enforcement wanting backdoors in encryption that ‘only law enforcement can use,’ which is a terrible and impossible idea in practice.”

There is also disagreement over whether the benefits of cryptocurrency outweigh the downsides. Spiezle says they don’t, citing not just how it helps to enable ransomware but also its volatility, leading to some investors losing their money.

But others are convinced there is much more good than bad about it. “The ability to transfer funds, almost instantly, for very low fees directly between sender and recipient without bloated banks in the middle, is the future of finance,” Harrington said.

Biehn notes that it allows regular people to work around the gatekeepers of the traditional financial system. “The benefits of cryptocurrency are essentially that they provide a way out of the traditional financial markets and regulations,” he said. “For Venezuelans it means they can buy an asset that isn’t hyper-inflating, so they can afford to buy eggs day to day. For El Salvadorians it means they can send value home without long wait times, 24/7, instantly with low fees.”

“For Syrians,” he continued, “it’s a way out of hopelessness that renders you susceptible to extremism; they can get paid instantly on the global market, as web developers for example. And for Americans and Europeans, it’s a counterpoint to inflation and bailout practices that are asymmetrically benefiting the rich and well-connected.”

Finally, cryptocurrency advocates say restricting or banning it won’t solve the ransomware problem because it isn’t causing the problem. “Cryptocurrency isn’t the problem. Poor security is the problem,” Harrington said. “Let’s be careful not to conflate the two.”

And Biehn said ransomware actually has a useful function, because it illustrates, in a very stark and painful way, the cost of poor security. “Ransomware is like a market that facilitates price discovery of basic information security practices and hygiene,” he said.

“With ransomware attacks and efficient payment rails, society has a basic mechanism to understand and price cybersecurity compromises. We shouldn’t interrupt the course of this socially useful market.”


I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.