Ransomware has entered the public consciousness thanks to the recent shutdown of the Colonial Pipeline. Hit by a ransomware attack, Colonial eventually paid a $4.4 million ransom in Bitcoin to get rid of the attackers. Meanwhile, the East Coast of the United States suffered a gasoline shortage.
What are ransomware programs?
Ransomware is malicious software that seizes control of a computer, for example by encrypting its files or by threatening to publish its data. The ransomware operator releases that control only after receiving a ransom, usually paid in Bitcoin, sometimes in Monero.
While the Colonial attack made headlines, the ransomware problem has been growing for years. In a recent Sophos survey of 5,400 IT executives at corporations and government agencies around the world, 6.6% reported that they paid a ransom in 2020. The average payment? $170,000, which adds up to tens of billions, if not hundreds of billions, of dollars in ransom!
In an op-ed for the Wall Street Journal, Lee Reiners suggests banning cryptocurrency in order to get rid of ransomware. His argument is that cryptocurrencies like Bitcoin serve no social purpose other than speculation, and that getting rid of them would make the world a better place.
Isn’t a ban going too far? There are less ambitious and narrower ways to deal with ransomware.
Why Blame Bitcoin
First, let’s look at what Reiners and I agree on. He clearly links the ransomware phenomenon to cryptocurrencies such as Bitcoin when he says that ransomware cannot succeed without cryptocurrency.
He’s right. No Bitcoin, no ransomware boom. But one caveat is worth adding: only large-scale ransomware relies on cryptocurrency. Small-scale ransomware never needed it.
According to security columnist Danny Palmer, the first ransomware appeared in 1989. It demanded payment by bank card, cashier’s check or money order sent to a P.O. box in Panama. But a check is a terribly risky way for a criminal to collect a ransom.
Ransomware gangs eventually switched to centralized payment systems to extort money from victims. Ransom-A, a 2006 ransomware variant, froze victims’ computers and released them only after $10.99 was sent by Western Union. Another strain, in 2011, posed as the FBI and demanded a $100 deposit through MoneyPak, a prepaid card product offered by Green Dot Bank.
But, as you can see, these are all small-scale ransomware operations. A gang could not lock up, say, a large bank and demand a $250,000 ransom through Western Union or MoneyPak.
Another problem with Western Union and MoneyPak (from the criminal’s point of view) is that these systems are malleable: they can be changed. Under pressure from law enforcement agencies and politicians, Western Union and MoneyPak eventually altered their payment processes to make it harder for criminals to use them to collect a ransom.
The extortion gangs then turned to gift cards. Alpha Ransomware, which debuted in 2016, encrypted the victim’s data and demanded $400 in iTunes gift cards for the decryption key. But a criminal cannot collect a large ransom in gift cards: most stores do not sell cards with a face value above $500.
With cryptocurrency, ransomware gangs discovered the ideal payment method. To use a cryptocurrency such as Bitcoin or Monero, you do not need to reveal your identity; users can remain pseudonymous. Unlike Western Union or MoneyPak, these systems cannot exclude users. They are not malleable, and they cannot be reprogrammed. In addition, an extortion gang can sit on its cryptocurrency balance knowing that law enforcement agencies have no ability to freeze it. And, unlike gift cards and MoneyPak, a cryptocurrency transaction has no maximum value.
Thus censorship-resistant payment networks such as Bitcoin opened the field to ransomware attacks on an industrial scale, with demands ranging from $10,000 to $50 million. Nevertheless, a ban on cryptocurrency goes too far.
Who uses Bitcoin?
Reiners dismisses most legitimate uses of cryptocurrency, describing it as a speculative asset. And he’s right: most people who buy Bitcoin are simply betting on its price.
But it is far from certain that “it’s just speculation” is enough to write off an entire industry. After all, no one disputes the legality of Las Vegas and the gambling industry, and gambling is 100% speculative. Gambling serves no important social need, but it is a form of entertainment.
Besides criminals and gamblers, two more groups of cryptocurrency users deserve mention. Outsiders, such as retailers who have been cut off from centralized services for engaging in legitimate but unfashionable activities, can turn to cryptocurrency to make payments. Another group of legitimate, non-speculative users is hobbyists who object to centralization.
These are small groups, but they exist. Banning cryptocurrency would mean depriving these two groups, and potentially others, of a service they value.
The status quo
The alternative to a ban is to maintain the status quo: simply let law enforcement agencies like the FBI, Interpol and the RCMP do what they usually do and catch the bad guys.
But this approach has a problem. Most ransomware comes from North Korea. The North Korean government turns a blind eye to ransomware gangs, provided that these operators do not attack Korean companies or agencies. Ransomware operations therefore sit beyond the reach of traditional Western law enforcement.
The status quo also implies constant pressure on cryptocurrency exchanges to put anti-money-laundering controls in place. Exchanges are the most liquid venues for buying and selling cryptocurrency. If anti-money-laundering measures become universal, extortion gangs will be cut off from cashing out their proceeds.
Again, the problem here is the countries that refuse to cooperate. The cryptocurrency exchanges of these countries (Washington counts Russia among them, by the way) serve as money-laundering platforms, and will continue to do so as long as the local authorities tolerate their behavior.
Penalty for paying the ransom
Industry groups and other umbrella organizations, such as the US Conference of Mayors, are already urging their members not to pay ransoms. So is the FBI.
They have good reasons for trying to impose an informal embargo. Paying a ransom encourages ransomware gangs to keep attacking. If everyone suddenly stopped paying, the ransomware industry’s income would dry up and it would soon collapse.
But these “don’t pay” appeals don’t really work without a good helmsman, someone who makes sure that everyone follows the same rule. An individual company or agency has a strong incentive to defect from the no-payment optimum. By quietly paying the attacker, it can obtain the decryption key and avoid the hassle of downtime and rebuilding its systems from scratch.
What is needed is a body that can enforce the embargo by identifying those who break it and punishing them for paying a ransom. Several state governments, including North Carolina and New York, are trying to take on this role by introducing laws that prohibit ransom payments. (To date, none of these laws have been adopted.)
But to be effective, the helmsman must be a much bigger player than a state government. The US Treasury already has an agency for imposing sanctions on bad actors: the Office of Foreign Assets Control (OFAC). To impose an embargo on ransom payments, OFAC could announce that after a certain period of time, say nine months, it will begin adding all ransomware gangs to its Specially Designated Nationals (SDN) list.
Once OFAC designates an organization as an SDN, it becomes illegal for a US person to do business with it. Paying a ransom to any gang on the OFAC list would therefore be prohibited. Corporations and agencies would quickly move to the ideal “don’t pay” equilibrium, and when the income runs out, the extortion gangs would go out of business.
Announcing the policy of adding gangs to the SDN list in advance would give corporations and agencies enough time to shore up their IT defenses. After all, once the gangs are on the SDN list, it will not be easy for organizations attacked by these gangs to pay a ransom.
Of course, this is only a sketch of a potential solution. A well-designed embargo would require much more attention to detail. But with OFAC at the helm, an embargo could achieve everything a cryptocurrency ban promises without actually banning anything. It would not deprive gamblers, outsiders and crypto enthusiasts of access to a product they use.
It would also be more effective than the status quo, which cannot stop criminals who operate with impunity from uncooperative jurisdictions.