Explaining Cryptocurrency's Ransomware Problem (USA)
A hacker gains access to a company's computer system and encrypts its data, effectively halting operations. The data is then held hostage until a ransom is paid. If the demand is for Bitcoin or another cryptocurrency, the victim must obtain the coins (typically by opening an account at a cryptocurrency exchange and buying them) and send them to the address the attacker specifies in exchange for the decryption key, which lets the organization regain access to its data and resume operations. Meanwhile, the attacker launders the ransom through cryptocurrency exchanges and "mixers", services that pool cryptocurrency from many sources and pay it back out in a way that obscures which deposit funded which withdrawal.
How the malware enters the system depends on the strain, but phishing email is among the most common routes. Even when a company's systems are well guarded, it can take only one person out of thousands opening the wrong email and clicking the wrong link, and forged emails can be quite convincing. Attackers also exploit unpatched flaws in a company's systems, or mount brute-force attacks in which they guess credentials such as passwords (often against internet-exposed remote-access services) until one works.
The pandemic opened new attack vectors. Phishing email that exploited the circumstances and collective fear rose sharply, and people under stress were more inclined to click a link that would infect their computer and, from there, the rest of the network. In addition, staff who had never needed remote access before now worked from home, and more facilities became internet-connected and remotely operable, which enlarged the attack surface.
Ransomware criminals cannot use traditional banking. Even the most transparently corrupt bank would regard ransomware payments as an existential risk: it could be cut off from the financial system, so it would rather close the perpetrators' accounts. Wire transfers would meet the same fate.
Cash is not an option either. A $5 million ransom in $100 bills weighs about 110 pounds (50 kilograms) and fills two full-size suitcases; physically delivering that to an extortionist operating outside the United States is impractical. Ransomware operators need a payment method that requires neither physical presence nor moving a hundred pounds of paper. That leaves cryptocurrency.
Cryptocurrency's pseudonymity makes it well suited to ransomware payments: even if you can see the destination wallet the ransom is sent to, the chain alone does not tell you who owns or controls it. Attribution usually happens only when the funds reach a service that knows its customers, such as an exchange. This is what lets ransomware attacks be carried out with relative impunity.
As a result of this impunity, there has been a surge in ransomware assaults, as well as the rise of DarkSide, a ransomware organization that leases its software to hackers in exchange for a percentage of any ransom paid. According to Elliptic, a blockchain analytics business, DarkSide, the recipient of the Colonial Pipeline ransom payment, has received more than $90 million in ransom payments in the last year.
Ransomware operators have long halted operations by encrypting the files a business needs to keep running. More recently they have increasingly also stolen the data first and threatened to release or sell it online if the ransom is not paid, so that even a victim with good backups can be extorted. As a result, attacks are more likely to prove crippling, giving the attackers additional leverage.
In 2020, the number of ransomware cases reported to the FBI increased by almost 66%, and the average ransomware payment more than quadrupled in less than two years, rising from $12,000 in Q4 2019 to $54,000 in Q1 2021. As of May 10, 2021, more than $81 million in cryptocurrency had been sent to ransomware addresses.
JBS and Colonial Pipeline have recently been in the news as victims of ransomware attacks. Insurance giant CNA Financial, the city of Atlanta, elements of the Irish health service, parts of the UK health service, Australian hospitals, Cox Media Group, and others have all been major victims in recent years. Anyone can be hit, and recovery requires a lot of resources, both time and money.
JBS SA, a meat processor, had to halt operations at its plants in the United States and Australia due to a ransomware attack. Following the hacks of Colonial Pipeline Co. and Scripps Health in San Diego, this incident demonstrated how extortion tactics can wreak havoc on the US economy and disrupt daily life. Businesses like Colonial, which paid $4.4 million in bitcoin to an Eastern European gang known as DarkSide, frequently make similar payments to avoid costly disruptions of their computer networks or the time-consuming task of restoring systems from backup data.
The health-care industry has been among the most targeted because the consequences of not paying promptly can be severe, from the inability to provide care to the leakage of sensitive patient data, or even direct extortion of patients under threat of releasing their records. Ransomware has also been known to target municipal and government systems.
CryptoLocker, TeslaCrypt, SimpleLocker, WannaCry, Locky, Leatherlocker, RobbinHood, GandCrab, and Sodinokibi (also known as REvil) are a few of the worst ransomware offenders of the past few years.
Why Not Ban Cryptocurrency?
Despite fears that cryptocurrencies could be used to facilitate ransomware attacks, many in the sector and the federal government believe that a prohibition would be overbroad, logistically unfeasible, and likely to impair the United States' competitiveness.
If it banned cryptocurrency, a country would also miss out on the innovation around Bitcoin and other digital assets.
Additionally, it would be very difficult to stop people from transacting in cryptocurrencies.
Instead, the focus should be finding the proper policy balance between allowing for the innovation that cryptocurrencies offer, the benefits they can deliver, and the protections built into the financial system to deal with criminal activity and money laundering.
Regulators seem to concur that de-anonymizing transactions would serve both prevention and punishment: an attacker who expects to be identified is more likely to be deterred from launching an attack in the first place.
Stricter enforcement of existing Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements should also be expected. For example, cryptocurrency exchanges, custodial wallet companies, and crypto payment processors (among others) must register with FinCEN (the Financial Crimes Enforcement Network, part of the Treasury Department) as money services businesses, implement AML programs that specify the KYC information they collect, and appoint a compliance officer who monitors transactions and files Suspicious Activity Reports (SARs) on suspicious activity and Currency Transaction Reports (CTRs) on cash transactions above ten thousand dollars.
These procedures matter not only for law enforcement tracing after a crime, but also for prevention and for customer trust and confidence, all of which are needed for widespread cryptocurrency adoption. New customers should expect to be screened, and known criminals to be excluded.
More stringent KYC and licensing standards, as well as a centralized approach to preventing and responding to ransomware attacks, are required.
The US government has already stepped up its response. In a letter to corporations and industry leaders, the Biden administration offered advice on how they might better secure themselves against these threats, and appealed to them to work on the issue.
Companies and regulators must also understand how a bitcoin ransom works on a technological level. Understanding how exchanges transfer funds and how mixers work is part of this.
Transactions on a public blockchain such as Bitcoin's are recorded on a distributed ledger that anyone can read, so analytics firms (or anyone else) can follow the money from address to address. The pseudonymity gap is closed at the cash-out point: when traced funds land at an exchange that identifies its customers, the exchange can put a name to them. Mixers and privacy-focused coins make the trace harder, but much of the mechanism needed to mitigate this kind of attack already exists. Exchanges are also beginning to comply with regulatory regimes aimed at identifying users and preventing money laundering, which can help resolve the problem.
Other measures include making sure that over-the-counter (OTC) trading desks enforce KYC rules and that KYC and anti-money laundering (AML) rules are applied at Bitcoin ATM kiosks.
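The tracing described above, as an added example that is not code from the original article or from any analytics vendor: a miniature UTXO ledger is constructed in the block (every transaction ID, address, amount and exchange label is invented), and two simplified techniques from blockchain analytics are run over it. First, common-input-ownership clustering assumes that addresses spent together in one transaction belong to one owner, and skips CoinJoin-style mixing transactions where that assumption is false. Second, forward taint tracing follows every spend from the ransom address until the funds land on addresses attributed to an exchange, which is where KYC records can put a name to the wallet; the mixer round in the sample shows how a mixer fans the taint out to every one of its outputs.

```python
"""Forward tracing of a ransom payment across a constructed transaction graph.

Added example, not from the original article or any analytics product.
All txids, addresses, amounts and exchange labels below are invented.
"""
from collections import defaultdict, deque

# Constructed UTXO-style ledger: each tx spends its input addresses in full
# and pays the listed outputs (amounts in BTC, made up).
TRANSACTIONS = [
    # victim sends the ransom from its exchange account to the attacker
    {"txid": "tx1", "inputs": ["victim_exch_hot"], "outputs": {"ransom_addr": 75.0}},
    # attacker peels a small amount straight to an exchange deposit address
    {"txid": "tx2", "inputs": ["ransom_addr"], "outputs": {"attacker_b": 70.0, "exchA_dep1": 5.0}},
    # attacker consolidates with another address it controls
    {"txid": "tx3", "inputs": ["attacker_b", "attacker_c"], "outputs": {"mixer_in": 80.0}},
    # mixer round: several users' coins in, equal-sized outputs out
    {"txid": "tx4", "inputs": ["mixer_in", "other_user1", "other_user2"],
     "outputs": {"m_out1": 50.0, "m_out2": 50.0, "m_out3": 50.0, "m_out4": 50.0}},
    # one mixer output is cashed out at a second exchange
    {"txid": "tx5", "inputs": ["m_out2"], "outputs": {"exchB_dep9": 50.0}},
    # unrelated activity that must not be reached by the trace
    {"txid": "tx6", "inputs": ["innocent_x"], "outputs": {"exchA_dep2": 1.0}},
]

# Deposit addresses an analytics firm has attributed to exchanges (constructed).
KNOWN_DEPOSIT_ADDRESSES = {"exchA_dep1": "ExchangeA", "exchA_dep2": "ExchangeA",
                           "exchB_dep9": "ExchangeB"}


def looks_like_coinjoin(tx):
    """Heuristic: 3+ inputs and 3+ outputs of one identical size is the
    signature of a CoinJoin/mixer round; its inputs are NOT one owner."""
    amounts = list(tx["outputs"].values())
    return len(tx["inputs"]) >= 3 and len(amounts) >= 3 and len(set(amounts)) == 1


def cluster_by_common_input(txs):
    """Union-find over input addresses: returns {address: frozenset(cluster)}."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for tx in txs:
        for addr in list(tx["inputs"]) + list(tx["outputs"]):
            find(addr)                        # register every address
        if looks_like_coinjoin(tx):
            continue                          # do not merge unrelated mixer users
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            ra, rb = find(first), find(addr)
            if ra != rb:
                parent[ra] = rb
    members = defaultdict(set)
    for addr in parent:
        members[find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def trace_forward(txs, start_addr, max_hops=10):
    """BFS over spends: any tx that spends a tainted address taints all of its
    outputs. Returns {address: hops from start}. A mixer round fans the taint
    out to every output, which is why mixers complicate attribution."""
    spends = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    hops = {start_addr: 0}
    queue = deque([start_addr])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for tx in spends[addr]:
            for out in tx["outputs"]:
                if out not in hops:
                    hops[out] = hops[addr] + 1
                    queue.append(out)
    return hops


def cash_out_points(txs, start_addr, known_deposits):
    """Tainted addresses that belong to a KYC'd service: (address, service, hops)."""
    hops = trace_forward(txs, start_addr)
    return sorted((a, known_deposits[a], h) for a, h in hops.items() if a in known_deposits)


if __name__ == "__main__":
    clusters = cluster_by_common_input(TRANSACTIONS)
    print("attacker cluster:", sorted(clusters["attacker_b"]))
    for addr, service, h in cash_out_points(TRANSACTIONS, "ransom_addr", KNOWN_DEPOSIT_ADDRESSES):
        print(f"ransom funds reached {service} deposit {addr} after {h} hop(s)")
```

Running it reports the two places where a subpoena to an exchange would identify a customer: the 5 BTC peeled off one hop from the ransom address, and the mixer output cashed out four hops later. Note what the mixer does to the picture: after tx4 all four outputs carry taint, so the trace alone cannot say which of them is the attacker's, and without the CoinJoin check the clustering step would wrongly merge the attacker with two unrelated mixer users.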
Ransomware attacks will prompt organizations to invest in cybersecurity and use the guidance and resources available.
Better information sharing, cyber hygiene, increased investigative resources, and updated cybersecurity rules that address the different components of the ransomware ecosystem are all concrete steps regulators and businesses can take to help reduce the problem.
Ransomware underreporting obscures the true magnitude of the problem, and it means that law enforcement lacks all of the information needed to prioritize and investigate ransomware incidents. Thus, attacks should be reported.
International collaboration on KYC/AML rules, as well as the establishment of best practices for cryptocurrency exchanges, is required to ensure that they can provide services to legitimate businesses while excluding illicit enterprises. Like-minded countries should agree to improve certain financial rules and conduct joint investigations or share information so there exists a better understanding of the criminal networks.
Good security and defensive practices are important to mitigate and prevent attacks:
- Keep operating systems and applications patched and up to date to reduce the number of exploitable vulnerabilities.
- Don't install software, or grant it administrative privileges, unless you fully understand what it is and what it does.
- Run antivirus or endpoint protection that detects ransomware behaviour (mass file encryption) as soon as it starts, and application allowlisting so that unauthorized programs cannot run in the first place.
- Make regular, automatic backups and keep at least one copy offline or otherwise immutable, because ransomware operators try to delete or encrypt any backups they can reach; test that restores actually work. Backups do not prevent an attack, but they greatly reduce the damage it causes.
- Require multi-factor authentication, especially for remote access (VPN, RDP) and email, so that a phished or brute-forced password alone is not enough to get in.
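The behavioural detection mentioned in the list above, as an added example that is not code from the original article or from any product: the block constructs a small file-activity log (process names, paths, the ransom-note file names and the thresholds are all invented) and runs a sliding-window detector over it. The signal is the one behavioural anti-ransomware engines key on: a single process rewriting many files under one new appended extension within a short window, with a ransom note dropped alongside. Normal activity in the sample (a word processor, a tar archive with a double extension, a backup job touching many files) must stay below the thresholds, which in practice would be tuned per environment.

```python
"""Behavioural ransomware detection over a constructed file-activity log.

Added example, not from the original article or any product. Log format,
process names, paths, note names and thresholds are invented assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <pid> <process> <WRITE|DELETE> <path>".
SAMPLE_LOG = """\
2021-06-01T09:00:01 4120 winword.exe WRITE /srv/share/finance/budget.docx
2021-06-01T09:03:12 4120 winword.exe WRITE /srv/share/finance/forecast.docx
2021-06-01T09:05:00 2210 tar WRITE /srv/share/it/archive.tar.gz
2021-06-01T09:10:00 3001 rsync WRITE /srv/backup/finance/budget.docx
2021-06-01T09:10:00 3001 rsync WRITE /srv/backup/finance/forecast.docx
2021-06-01T09:10:01 3001 rsync WRITE /srv/backup/hr/payroll.xlsx
2021-06-01T09:10:01 3001 rsync WRITE /srv/backup/hr/contracts.pdf
2021-06-01T09:10:02 3001 rsync WRITE /srv/backup/it/archive.tar.gz
2021-06-01T09:31:00 5532 updater.exe WRITE /srv/share/finance/budget.docx.locked
2021-06-01T09:31:00 5532 updater.exe DELETE /srv/share/finance/budget.docx
2021-06-01T09:31:01 5532 updater.exe WRITE /srv/share/finance/forecast.docx.locked
2021-06-01T09:31:01 5532 updater.exe DELETE /srv/share/finance/forecast.docx
2021-06-01T09:31:02 5532 updater.exe WRITE /srv/share/hr/payroll.xlsx.locked
2021-06-01T09:31:02 5532 updater.exe DELETE /srv/share/hr/payroll.xlsx
2021-06-01T09:31:03 5532 updater.exe WRITE /srv/share/hr/contracts.pdf.locked
2021-06-01T09:31:03 5532 updater.exe DELETE /srv/share/hr/contracts.pdf
2021-06-01T09:31:04 5532 updater.exe WRITE /srv/share/it/inventory.csv.locked
2021-06-01T09:31:04 5532 updater.exe DELETE /srv/share/it/inventory.csv
2021-06-01T09:31:05 5532 updater.exe WRITE /srv/share/README_TO_DECRYPT.txt
"""

WINDOW = timedelta(seconds=60)   # sliding window per process (assumed threshold)
MIN_FILES = 5                    # distinct files rewritten under one appended extension
MIN_SAME_EXT_RATIO = 0.8         # share of the process's recent writes carrying it
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt"}  # constructed


def parse_line(line):
    ts, pid, proc, action, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "proc": proc, "action": action, "path": path}


def appended_extension(path):
    """'budget.docx.locked' -> 'locked'; 'budget.docx' -> None.
    Ransomware typically keeps the original name and appends its own suffix."""
    parts = path.rsplit("/", 1)[-1].split(".")
    return parts[-1].lower() if len(parts) >= 3 else None


def detect(log_text):
    """Return one alert per process whose writes match the encryption pattern."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        note_dropped = any(e["action"] == "WRITE" and
                           e["path"].rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES
                           for e in evs)
        window = deque()
        for e in evs:
            if e["action"] != "WRITE":
                continue
            window.append(e)
            while e["ts"] - window[0]["ts"] > WINDOW:
                window.popleft()                  # drop writes older than the window
            by_ext = defaultdict(set)
            for w in window:
                ext = appended_extension(w["path"])
                if ext:
                    by_ext[ext].add(w["path"])
            if not by_ext:
                continue
            ext, files = max(by_ext.items(), key=lambda kv: len(kv[1]))
            ratio = len(files) / len({w["path"] for w in window})
            if len(files) >= MIN_FILES and ratio >= MIN_SAME_EXT_RATIO:
                alerts.append({"pid": pid, "proc": e["proc"], "extension": ext,
                               "files": sorted(files), "ransom_note": note_dropped,
                               "first_seen": window[0]["ts"].isoformat()})
                break                             # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT pid={a['pid']} {a['proc']} rewrote {len(a['files'])} files as "
              f"*.{a['extension']} from {a['first_seen']}; ransom note: {a['ransom_note']}")
```

On the sample only the process appending .locked fires, and it fires on the fifth rewrite, seconds after encryption starts, which is the point: a real engine would suspend the process there rather than wait for a signature. The backup job writes just as many files but under their original names, and the single archive.tar.gz stays under the file threshold.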
Should ransomware attackers be paid?
New legislation could make it harder to pay and collect ransoms. If businesses were prohibited from paying ransoms and cryptocurrencies were better regulated, that could go a long way toward cutting off the funding source for many of these attacks. Both are easier said than done, though not impossible: China's cryptocurrency crackdown is one example. Opinions differ on whether ransom payments should be prohibited.
Paying international criminals could set a dangerous precedent and put a target on the back of critical infrastructure. On the other hand, the company may go bankrupt if it cannot function as a result of the attack.
Simply prohibiting ransom payments would place a significant burden on victim companies without providing them with extra tools or resources to withstand an attack.
That said, many firms that are infected with malware rapidly stop thinking in terms of the "greater good" and begin balancing the expense of the ransom against the worth of the encrypted data in a cost-benefit analysis. According to a Trend Micro study, while 66 percent of organizations say they would never pay a ransom as a matter of principle, 65 percent pay the ransom when they are attacked.
Some ransomware attackers keep their rates low, i.e., an amount that most businesses can afford to pay on short notice. Some highly sophisticated malware will recognize the country in which the infected machine is located and change the ransom to fit that country's economy, asking more from wealthy countries and less from those in poor countries.
Discounts are frequently offered for paying promptly, to entice victims to pay without thinking too much about it. In general, the price point is set high enough to be worthwhile to the criminal, but low enough to be less expensive than the cost of restoring the victim's machine or reconstructing the lost data. With this in mind, some businesses are beginning to factor in the possibility of having to pay a ransom into their security plans: for example, some large UK businesses that are otherwise uninvolved in cryptocurrency have set aside some Bitcoin specifically for ransom payments.
Before paying, the victim also has to be sure that it is not dealing with "scareware", i.e., a fake attack in which files were never really encrypted, and that the attacker can actually decrypt: sometimes the criminals simply take the money and run, and some malware has no working decryption routine at all (asking for a test decryption of a sample file is the usual check). Because malware that never restores data quickly gains that reputation and stops earning, the criminals usually do restore the data; Gary Sockrider estimates that this happens 65 to 70% of the time.
Ransomware attacks can therefore have significant consequences. Various actions are being taken to develop policies that prevent, mitigate, and fix the associated problems; international cooperation and better cybersecurity training and measures are also required.