A technician inspects the backside of a cryptocurrency mining farm in Saint Hyacinthe, Quebec. Cryptocurrency is famously anonymous, but evading capture is not the only reason cryptocurrency is the go-to payment solution for ransomware. (LARS HAGBERG/AFP via Getty Images)
Besides outright banning ransom payments, one of the most widely circulated policy ideas to curtail ransomware would be to treat cryptocurrencies as a bona fide component of the financial system: require cryptocurrency exchanges or the cryptocurrencies themselves to abide by regulations that reduce anonymity and prevent money laundering.
It’s a tempting solution, proven out by traditional banks. Would it work? SC Media broke down the potential.
First, understanding the role of cryptocurrency in ransomware
Cryptocurrency is famously anonymous, but evading capture is not the only reason cryptocurrency is the go-to payment solution for ransomware. It is also one of the easiest ways to transfer money across borders. Banks, even Switzerland’s one-time havens for anonymous money storage, now have several checks for illicit funds and global tax cheats and tie real names to accounts. The government has tamped down on remittance services like Western Union, and their web-based equivalents face similar restrictions. Other payment methods used in cybercrime, such as gift cards, can only handle small amounts of money.
“I am by no means someone who is trying to get rid of cryptocurrencies. And I think that there’s certainly some valid reasons why they are around. However, I think that it would be really disingenuous to say that ransomware and bitcoin did not really develop together,” said Roman Sannikoc, director of cybercrime and underground threat intelligence at Recorded Future.
“I just don’t see any other means to send the millions of dollars worth of extortion without something like cryptocurrency,” he added.
Cryptocurrency also makes it easier for countries that look the other way on international cybercrime to put on a veneer of legitimacy. In Russia, it is easier to reintegrate foreign currency – including bitcoin – into the financial system with a no-questions-asked policy. And with the anonymity of bitcoin, they have an excuse to not look too closely for criminals.
“Even if the Russian government knows who these people are, they have plausible deniability,” said Brian Oliver, a senior analyst at Flashpoint.
Like many potential ransomware policy solutions, the goal of limiting cryptocurrency in crime is not necessarily to end all crime. One major point made by many of the people on the multistakeholder Ransomware Task Force is that merely encouraging criminals to run different crimes could be a good outcome. Ransomware has a uniquely outsized effect on national security compared to other cybercrime. While romance scams are devastating to individuals, they do not result in shuttering critical infrastructure, closing food supply chains, or preventing hospitals from functioning.
But that is not the only possible outcome.
There is a lot of skepticism on the feasibility of attaching financial regulations to cryptocurrency.
“It’s like saying, ‘well, we’ll just shut off the internet,’” said Kurtis Minder, CEO of GroupSense, a threat intelligence firm with an established ransomware negotiation practice.
Minder believes that the global nature of the cryptocurrency trade will leave opportunities for global companies to finagle ransom payments out of country. At a minimum, he said, any regulation would have to be worldwide, not limited to the United States.
Even if that happens, Minder and others believe that rather than give up on ransomware, operators might just focus on smaller targets, with ransoms of a size that traditional payment methods could handle.
“The big game hunters, as they call them, found that their economic model was no longer profitable against large targets. They may just repurpose that; focus on a different market segment,” he said.
That could mean a move towards smaller businesses or even bulk operations on consumers. Before ransomware targeted businesses, it targeted individual desktops and laptops for relative pocket change compared to the corporate ransoms currently being realized.
Or, hackers could get clever and try to find new payment methods. Regardless, disruption to cryptocurrency will likely be short term, said Oliver. “These groups would adapt and find another way, such that the impact would be highly limited, especially if the regulation were only limited to Western countries.”
Creating a global regulatory system
There is already a global anti-money laundering system in place in every country but two. And with the recent news of El Salvador accepting bitcoin as official tender, an agreement may even be achieved within the current framework.
“Now that you have Central American economies and African economies standardizing on specific virtual currency platforms and exchanges, there’s going to be a huge movement afoot for the central banks of the world to step in,” said Tom Kellermann, chief cybersecurity officer at VMware Carbon Black. “Once you see a dozen countries around the world normalize payments through virtual currencies, you’ll see the big step.”
Kellermann is a member of the Cyber Fraud Task Force at the Secret Service, the agency not only guarding the president, but also tasked with preventing currency-related crimes.
Kellermann believes that there will ultimately be a two-pronged agreement: Cryptocurrency exchanges and wallets will need to know their customers and reasonably investigate suspicious transactions, and be able to freeze the accounts of customers with a valid warrant.
This, he said, could either be put into place through a G7 agreement that sways the rest of the world to follow major economies’ lead or through the Bank for International Settlements, a cooperative body of the world’s central banks.
One of many solutions
Solving ransomware requires more than one plan of action. Keeping a tighter leash on cryptocurrency could be matched with broader plans, like sanctions against countries that harbor cybercriminals, or improving cybersecurity standards.
Indeed, even if ransomware was completely excised from existence, ransomware-type schemes may never be, said Recorded Future’s Sannikoc. Activists, for example, may hold a system hostage for social or political changes rather than money. And the vulnerabilities that could have allowed ransomware will still be attractive for other types of crime and espionage.
But at a time when the world’s governments are beginning to approach cryptocurrency seriously — from the UK banning Binance to China telling banks to stop allowing cryptocurrency transactions — it is not a stretch to believe regulatory adjustments to fight ransomware are not far behind.
“It’s inevitable,” said Kellermann. “If cryptocurrencies want to be treated as legitimate, this is what it will take.”