Bitcoin ransoms (Photo Credit Sora Shimazaki)

Ransomware — The Problem Is Not Cryptocurrency, It Is Cybersecurity

According to antivirus vendor Sophos, ransomware is evolving into a bigger threat as it becomes faster, smarter and costlier to deal with. In the age of the modern enterprise network, the expectation is that the IT department has all its bases covered when it comes to malware. We have been through the worst of times, from the ILOVEYOU worm to MyDoom. While lessons have been learned, malware continues to evolve at the pace of technological advancement.

Computer viruses do not have a life of their own, but like biological viruses they mutate, in the sense that new variants keep appearing. The developers who create these variants do so with malicious intent, most often to steal data. At other times a worm is released simply to cause a disruption of service (Code Red, for example) or even for "harmless fun". Infection usually occurs when a user activates a payload delivered in an e-mail message, typically as an attachment. Malware can also spread from an already-infected computer on the same network by exploiting unpatched vulnerabilities in services exposed to that network. Windows systems, with by far the largest installed base, have historically been the most heavily targeted.

Ransomware is in a different category because it has a specific objective: to collect money. It does so by encrypting the victim's data with standard cryptographic techniques. Without the decryption key, which only the attacker holds, the data cannot be recovered, so the victim is pressed to "buy" the key, and that purchase is the ransom. In most cases it must be paid in cryptocurrency. According to Sophos, the average total cost of a ransomware attack to the victim, counting downtime and recovery as well as any ransom, is $1,852,872 (USD). Ransom payments totaled $350 million in 2020 according to Chainalysis, a blockchain analytics firm that tracks cryptocurrency ransom payments.

Victims of ransomware attacks include government offices, schools and now industrial operations. A big target was Colonial Pipeline in the US, which supplies fuel to much of the East Coast. Ransomware interrupted its operations, which affected millions of people. US federal authorities were able to recover some of the money paid by following the trail: the FBI traced the Bitcoin address to which the ransom was paid, obtained the private key for that address (how it got the key has not been disclosed) and seized most of the payment. The US raised the problem with Russia at a summit in the summer of 2021, since many attacks originate from Russia. Ransomware has now become a matter of national security.

Some view cryptocurrency as the culprit behind the surge of ransomware attacks. Is it really the prime motivator? It certainly has something to do with the money. What attackers assume is that cryptocurrency covers their tracks when they collect ransom payments. That is not the case, as the FBI's recovery of part of the Colonial Pipeline payment shows. Let us dissect the problem.

The Truth About Cryptocurrency

It seems that ransomware is the perfect cybercrime: the attacker carries out a malicious deed, gets paid for it, then disappears into the sunset never to be heard from again. That is a misconception. What the recovery of the ransom payments has shown is that cryptocurrency can be traced, because it was designed to be.

Transactions in cryptocurrency are recorded on a blockchain, a decentralized database that is immutable and transparent for all to view. Any address can be queried to show all of its transactions in chronological order using what are called blockchain explorers. It is an open system, which means it is not fully anonymous. Bitcoin, the most popular cryptocurrency, was designed to be transparent and expose all transactions precisely so that strangers, or people who do not trust each other, could make peer-to-peer payments. Recording the transaction on a decentralized ledger establishes a shared version of the truth, like a witness to both parties (the idea behind triple-entry accounting).

One way to trace a transaction is by its Bitcoin address using a blockchain explorer.

Cryptocurrency does not anonymize payments, which is what many think it is for. It is pseudonymous: the ledger shows a wallet address rather than a name or a street address, but every payment to and from that address is visible, so payments can still be tracked. Analysts go further by clustering addresses that are spent together (they are very likely controlled by the same party) and by watching for the point at which funds reach an exchange, where a real identity is usually attached through know-your-customer records. We may never learn from the chain alone who the person is, but we can follow the money. Privacy coins such as Monero are built to hide transaction details, but Bitcoin, which is what most ransomware demands, can be traced.
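The two techniques described above, following funds from an address through later spends and clustering addresses that are spent together, can be shown on a toy ledger. The block below is an added example written for this article, not code from the author or from any analytics vendor; the transactions, addresses and amounts are constructed sample data in a simplified UTXO model, not real Bitcoin history.

```python
from collections import defaultdict

# Constructed sample transactions in a simplified UTXO model (illustrative
# data, not real Bitcoin transactions). Each input references an earlier
# output as (txid, vout); each output is (address, amount). Transactions
# with no inputs stand in for newly minted coins.
SAMPLE_TXS = [
    {"txid": "t0", "inputs": [], "outputs": [("victim", 80.0)]},
    # the ransom payment: the victim pays the attacker-controlled address
    {"txid": "t1", "inputs": [("t0", 0)],
     "outputs": [("ransom_addr", 75.0), ("victim_change", 5.0)]},
    # the attacker splits the funds across two fresh addresses
    {"txid": "t2", "inputs": [("t1", 0)],
     "outputs": [("hop_a", 40.0), ("hop_b", 35.0)]},
    # both hops are spent in one transaction, so one key holder controls both
    {"txid": "t3", "inputs": [("t2", 0), ("t2", 1)],
     "outputs": [("exchange_deposit", 74.5), ("attacker_change", 0.5)]},
    # an unrelated flow that a correct tracer must not drag in
    {"txid": "t4", "inputs": [], "outputs": [("bystander", 10.0)]},
    {"txid": "t5", "inputs": [("t4", 0)], "outputs": [("bystander_friend", 10.0)]},
]


def index_outputs(txs):
    """Map every outpoint (txid, vout) to the (address, amount) it pays."""
    outputs = {}
    for tx in txs:
        for vout, (addr, amount) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], vout)] = (addr, amount)
    return outputs


def index_spends(txs):
    """Map every outpoint to the transaction that later spends it."""
    spent_by = {}
    for tx in txs:
        for prev in tx["inputs"]:
            spent_by[tuple(prev)] = tx
    return spent_by


def trace_forward(txs, start_addr, max_hops=10):
    """Follow funds leaving start_addr from spend to spend.

    Returns {address: hops_from_start}. This is the "follow the money" walk
    a blockchain explorer lets you do by hand, one spend at a time.
    """
    outputs = index_outputs(txs)
    spent_by = index_spends(txs)
    reached = {start_addr: 0}
    frontier = [start_addr]
    hop = 0
    while frontier and hop < max_hops:
        hop += 1
        next_frontier = []
        for addr in frontier:
            for outpoint, (paid_addr, _) in outputs.items():
                if paid_addr != addr or outpoint not in spent_by:
                    continue  # not this address, or still unspent
                for dest, _ in spent_by[outpoint]["outputs"]:
                    if dest not in reached:
                        reached[dest] = hop
                        next_frontier.append(dest)
        frontier = next_frontier
    return reached


def cluster_common_inputs(txs):
    """Common-input-ownership heuristic: addresses whose outputs are spent
    together in one transaction are assumed to share an owner. Returns a
    list of address clusters (union-find over input addresses)."""
    outputs = index_outputs(txs)
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for tx in txs:
        addrs = [outputs[tuple(p)][0] for p in tx["inputs"]]
        for a in addrs:
            find(a)  # register single-input spenders as their own cluster
        for a in addrs[1:]:
            ra, rb = find(addrs[0]), find(a)
            if ra != rb:
                parent[ra] = rb
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return [frozenset(c) for c in clusters.values()]


def owner_cluster(txs, addr):
    """The cluster containing addr, or just {addr} if it never spent anything."""
    for cluster in cluster_common_inputs(txs):
        if addr in cluster:
            return cluster
    return frozenset({addr})


if __name__ == "__main__":
    print("funds from ransom_addr reached:", trace_forward(SAMPLE_TXS, "ransom_addr"))
    print("hop_a is controlled together with:", sorted(owner_cluster(SAMPLE_TXS, "hop_a")))
```

Two caveats a practitioner should keep in mind: the common-input heuristic is deliberately defeated by CoinJoin-style transactions, where unrelated parties co-sign one transaction, and the chain alone never yields a name. The identity comes from the off-chain link, here the `exchange_deposit` address, where an exchange's customer records can be subpoenaed.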

The Root Of The Problem

This is a cybersecurity issue more than a cryptocurrency issue. Even if cryptocurrency were not involved, criminals could still collect ransoms by other means, as early ransomware did with prepaid payment vouchers before Bitcoin was widely used. It just so happens that cryptocurrency is a technology that makes payments easier. That serves its purpose, but it does not mean the technology favors the cybercriminal just because the cybercriminal can use it.

The failure to stop ransomware has more to do with policy. It begins with IT departments and extends to law enforcement agencies, all of which need to be better prepared to deal with ransomware attacks. Unfortunately, some companies that fall victim to ransomware do not report it to the authorities and simply pay. Perhaps some have something to hide, but there are other reasons: a company needs to keep operating to minimize losses and service disruption, and an investigation can delay and complicate the recovery.

One of the most common ways ransomware gets into a system is through a phishing attack: an e-mail carrying the ransomware is sent to an unsuspecting user, who opens the attachment and unleashes its malicious code. (Photo Credit cottonbro)

Simple ransomware awareness campaigns to educate office users help, but the better plan is a set of cybersecurity policies enacted by the IT department; this is as much an IT issue as a security problem. Well-trained IT staff can spot ransomware activity faster and contain it when it occurs. Companies that are prepared do not need to pay the ransom because they can isolate the affected machines and restore from backups, provided those backups are kept offline or otherwise out of the attacker's reach, since attackers try to encrypt or delete backups first. Antivirus software and threat management devices are standard in enterprise operations today, but it only takes one careless user to compromise the system (the weakest link).
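What "spotting ransomware activity" can look like in practice is a check over a file share that combines two signals: files that have acquired a ransomware-style extension and whose contents are near-random (encrypted data has close to 8 bits of entropy per byte), plus the presence of a ransom note. The block below is an added example written for this article, not code from the author or any product; the indicator lists, file names and file contents are constructed for the demonstration.

```python
import math
import random
from collections import Counter

# Hypothetical indicator lists for illustration; real ransomware families use
# many different note names and extensions, and a production detector would
# load these from threat intelligence rather than hard-code them.
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.html"}
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random-looking ciphertext sits near 8.0
MASS_CHANGE_RATIO = 0.25  # fraction of files suspect before we call it an outbreak


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_snapshot(files):
    """files: iterable of (path, content_bytes) taken from a share or endpoint.

    Returns a findings dict. A file is suspect only when BOTH signals agree:
    a known ransomware extension was appended AND the content is near-random.
    Either signal alone is noisy: JPEGs and ZIPs are high-entropy, and an odd
    extension by itself is not evidence of encryption.
    """
    findings = {"ransom_notes": [], "suspect_files": [], "total": 0}
    for path, content in files:
        findings["total"] += 1
        name = path.rsplit("/", 1)[-1].lower()
        if name in RANSOM_NOTE_NAMES:
            findings["ransom_notes"].append(path)
            continue
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        entropy = shannon_entropy(content)
        if ext in RANSOM_EXTENSIONS and entropy >= ENTROPY_THRESHOLD:
            findings["suspect_files"].append((path, round(entropy, 2)))
    return findings


def is_ransomware_outbreak(findings) -> bool:
    """Verdict: a ransom note, or a mass of encrypted-looking renamed files."""
    if findings["ransom_notes"]:
        return True
    if findings["total"] == 0:
        return False
    return len(findings["suspect_files"]) / findings["total"] >= MASS_CHANGE_RATIO


def _random_bytes(seed, n=4096):
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed snapshots: one share hit by ransomware, one healthy share.
INFECTED_SHARE = [
    ("docs/report.docx.locked", _random_bytes(1)),
    ("docs/budget.xlsx.locked", _random_bytes(2)),
    ("docs/README_TO_DECRYPT.txt", b"Your files are encrypted. Pay 2 BTC to ..."),
    ("photos/holiday.jpg", _random_bytes(3)),   # high entropy but legitimate
    ("docs/notes.txt", b"quarterly planning notes\n" * 100),
]
HEALTHY_SHARE = [
    ("photos/holiday.jpg", _random_bytes(3)),
    ("docs/notes.txt", b"quarterly planning notes\n" * 100),
    ("backup/archive.zip", _random_bytes(4)),  # also high entropy, also fine
]

if __name__ == "__main__":
    for label, share in (("infected", INFECTED_SHARE), ("healthy", HEALTHY_SHARE)):
        result = assess_snapshot(share)
        print(label, result, "->", "ALERT" if is_ransomware_outbreak(result) else "ok")
```

In a real deployment the same logic runs on file-change events (a burst of rename-plus-rewrite operations from one process) rather than on a static listing, so that the alert fires after a few dozen files instead of after the whole share is gone; the entropy and extension checks are the same.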

Synopsis

Banning cryptocurrency (as a WSJ article recommends) would be an extreme way to combat ransomware, like banning cars because they can run over and kill people. That is not a solution at all. While cryptocurrency is trending towards more privacy, that is still no reason to ban it. Not everyone who uses cryptocurrency is hiding from the authorities or committing a crime.

There has to be more effort to educate users on what to do when they encounter ransomware. Victims should avoid paying as far as possible; a payment funds the next attack and does not guarantee a working decryptor. The pressure to pay is greatest when the stolen data is sensitive enough to be used for blackmail (something the victim would rather keep from the authorities, customers or the public), which is why attackers now exfiltrate data before encrypting it. Users who are more aware of the dangers of ransomware should help reduce the number of incidents, and IT policies should have measures in place for when these threats materialize.

With cybersecurity, the concerns are prevention and, should an attack occur, mitigation. Prevention is the best and most favorable outcome. What ransomware attacks expose is the lack of a multi-layered approach that could have stopped them. Colonial Pipeline was breached through a VPN account whose password had leaked and which was not protected by multi-factor authentication; when a leaked password is a likely event, requiring a second factor such as a hardware security key prevents unauthorized entry even with the password in hand. Whatever makes it harder for users to log in makes it harder for attackers too. That is the tradeoff of convenience for security.
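The second-factor check that stops a leaked password on its own is easy to show concretely. The block below is an added example for this article, not code from the author or from any VPN product: it implements RFC 4226 HOTP and RFC 6238 TOTP with Python's standard library and wires them into a login routine that requires both the password and a current code. The user record, the password and the salt are constructed for the demonstration; the TOTP seed is the published RFC 6238 test key, so the codes can be checked against the RFC's own vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- window steps to absorb clock drift."""
    counter = int(unix_time) // 30
    ok = False
    for c in range(counter - window, counter + window + 1):
        # constant-time compare, and no early exit, so timing reveals nothing
        ok |= hmac.compare_digest(hotp(secret, c, len(code)), code)
    return ok


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt (a memory-hard KDF is better still)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store (hypothetical account, demo salt and password).
_SALT = b"demo-salt-not-for-production"
USERS = {
    "vpn-user": {
        "salt": _SALT,
        "pw_hash": _hash_password("Winter2021!", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test key
    }
}


def login(username: str, password: str, code: str, unix_time: int) -> tuple:
    """Password AND a valid TOTP code are both required. Returns (ok, reason)."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad password"
    if not verify_totp(user["totp_secret"], code, unix_time):
        return False, "bad or missing second factor"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    # an attacker holding only the leaked password is stopped at the second check
    print(login("vpn-user", "Winter2021!", "000000", now))
    # the legitimate user, whose authenticator holds the seed, gets in
    print(login("vpn-user", "Winter2021!", totp(b"12345678901234567890", now), now))
```

Two points worth noting in the design: the reasons returned by `login` are for the log, not for the user (telling a caller "bad password" versus "unknown user" leaks which accounts exist), and a TOTP seed is itself a secret that must be stored as carefully as the password hash. A hardware security key avoids that second problem, because the private key never leaves the device.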

Criminals could move to payment channels that are harder to trace than cryptocurrency. Perhaps what they will learn is that using cryptocurrency for crime does not hide their tracks: there is a trail that can be followed whenever a payment is made, and that is what cryptocurrency was designed for. Recording data on a blockchain is all about accountability and auditable transactions, which is not what a criminal hiding from the authorities wants. That is why this is a cybersecurity problem more than a cryptocurrency problem.

Vincent Tabora

Editor HD-PRO, DevOps Trusterras (Cybersecurity, Blockchain, Software Development, Engineering, Photography, Technology)