In Ransomware Battle, Bitcoin May Actually Be an Ally

Webs of Criminality Are Recorded on Bitcoin's Blockchain
The role of bitcoin in the ransomware payments pipeline is clear: It has enabled fast, enormous payments with some degree of privacy.
How to deal with bitcoin and other cryptocurrencies in the battle against ransomware is the subject of a spirited debate. Some have labelled bitcoin a prominent foe and, as in this Wall Street Journal opinion piece, called for banning it. Others say the payment method used for ransoms is largely a red herring: If bitcoin were gone, the conventional banking system would be used instead.
Disrupting the flow of money to criminal enterprises is a common law enforcement technique. If the money stops flowing, or it becomes too onerous or risky to get paid, criminals tend to move to the next scheme that satisfies the risk-reward balance.
Policymakers and governments are looking for disruptive levers to slow a siege against businesses and critical infrastructure. Ransomware has reached a scale that is becoming a political problem for leaders and a tense discussion point among nations (see: Biden Promises Retaliation Unless Putin Stops Cyberattacks).
What should be done about bitcoin? Actually, the status quo isn't so bad. The paths to converting bitcoin to cash without scrutiny are narrowing. Law enforcement officials are making small, but notable, gains, including the FBI's Colonial Pipeline action and the Netwalker takedown in January, both of which involved cryptocurrency seizures (see: Another Takedown: Netwalker Ransomware Gang Disrupted).
Bitcoin is a decentralized system launched in January 2009 by a pseudonymous programmer, Satoshi Nakamoto. Nakamoto's white paper elegantly described a secure, peer-to-peer system for electronic cash that drew on some preexisting computer science concepts.
Bitcoins are transferred by sending a balance from one alphanumeric address to another. Those transactions and addresses, which are recorded on a public ledger called the blockchain, are processed by computers distributed worldwide, known as "miners," for a small slice of bitcoin as a reward. The people who control bitcoin addresses aren't described in the blockchain, and data recorded in the blockchain can't be changed.
The system is impossible to shut down, which makes calls to ban bitcoin overly simplistic. Restrictions against bitcoin would more realistically take shape as legislation that bans individuals from buying bitcoin from exchanges.
The argument to ban bitcoin is nothing more than the argument to ban ransomware payments in a fancy coat, says Marcus Hutchins, a malware researcher who helped stop the spread of the WannaCry ransomware in May 2017.
"Not only would banning bitcoin be ineffective due to the decentralized nature of cryptocurrency, it would also be less effective than an all-out ransomware payment ban, because the gangs would simply move to other payment methods," Hutchins tells me.
Why Destroying Bitcoin Wouldn't Stop Ransomware https://t.co/CYqg0Fga70 — MalwareTech (@MalwareTechBlog) June 8, 2021
Banning ransomware payments is a step no government has taken so far. The issue is charged for a variety of reasons, including the potential that lives might be at stake or companies could be driven into bankruptcy without their data. The Ransomware Task Force, a coalition of experts and policymakers that in April released a comprehensive report for tackling ransomware, couldn’t come to consensus on whether payments should be prohibited.
Hutchins says if cryptocurrency ransoms were banned, cybercriminals could go back to using the conventional banking system. He recently published a video arguing cybercriminals routinely moved multimillion-dollar amounts through banking systems in the heyday of banking malware (see: More SWIFT-Related Fraud Revealed: How Banks Must Respond).
Hutchins contends banks would be reluctant to intervene: Ransomware victims would be willingly sending money to the ransomware gangs. Interfering with that process would put the banks at odds with what their customer wants to do, he says.
Degrade Cryptocurrency, Degrade Ransomware
There are opposing views. Nicholas Weaver, a computer security researcher and lecturer at the University of California at Berkeley, argued in a recent piece for Lawfare that ransomware gangs couldn't leverage the traditional banking system.
"Even the most blatantly corrupt bank would consider processing ransomware payments as an existential risk," Weaver writes.
In Weaver's view, degrading or even destroying the cryptocurrency may be the key to solving the ransomware problem. Weaver was part of a group of scientists who released research in 2011 showing how the pharmaceutical spam ecosystem could be broken up by focusing on payment processing. It was put into practice, and it worked. The same approach could work with cryptocurrency, he writes.
"If governments take meaningful action against bitcoin and other cryptocurrencies, they should be able to disrupt this new ransomware plague and then eradicate it, as was seen with the spam Viagra industry," Weaver writes.
There's truth in what both Weaver and Hutchins contend, says Tom Uren, senior analyst with the Australian Strategic Policy Institute's International Cyber Policy Center.
If criminals moved from bitcoin to the conventional financial system, those institutions generally would cooperate to stop crime. That would increase friction, which might limit scale, Uren says.
On the other hand, making bitcoin illegal in one region doesn't make it go away. But tighter controls around it would help spot illegal activity, which is one of the prongs of the Ransomware Task Force, Uren says.
Just a month after Colonial Pipeline Co. was struck by ransomware, leading it to shut down fuel delivery along the U.S. East Coast, the FBI announced it had recovered 63.7 of 75 bitcoins that the company paid. That portion ended up with an affiliate of the DarkSide ransomware group.
It was a remarkable announcement. An FBI special agent described in an affidavit how the agency watched the movement of the bitcoins on the blockchain. The end of the description, though, felt like a cups-and-balls trick: The bitcoins magically landed at an address for which the FBI controlled the private key.
The FBI purposely masked its tradecraft. But its announcement shows that it and other agencies, such as the IRS, are becoming increasingly nimble in cryptocurrency investigations. Tracking and stopping cryptocurrency transactions will be a necessary part of deterring ransomware, says Katie Nickels, director of intelligence at Red Canary, who participated in the Ransomware Task Force.
"The U.S. government's ability to investigate cryptocurrency payments is significant because that ecosystem is part of what enables ransomware actors to be so successful and profitable," Nickels says.
In January, U.S. investigators seized $455,000 in cryptocurrency as part of the shutdown of the Netwalker ransomware scheme, according to the Justice Department. Cryptocurrency tracking and seizures have been made possible with help from private sector firms such as CipherTrace and Chainalysis, which described in detail how it tracked Netwalker actors.
Chokepoint: Cashing Out
While the core ransomware gangs may be in Russia, there's a worldwide criminal economy around them, including malware developers, hosting providers and other services, says Maddie Kennedy, senior director of communications at Chainalysis.
Those actors usually get paid in bitcoin, and those webs of criminality can be tracked on the blockchain. Discovering the identities of those people takes much more work, of course, but patterns can be teased out. "We think that the key to disrupting ransomware is the ransomware supply chain," she says.
Cryptocurrency exchanges generally want to stay away from illegal activity. Although views about what cryptocurrencies are good for are sharp and divergent, there's a growing economy around them. Many exchanges are using transaction monitoring software from firms such as Chainalysis to spot dodgy activity.
Potential chokepoints are exchanges where cryptocurrency can be turned into cash. Kennedy says the vast majority of ransomware-related cashouts are occurring on just a few exchanges. And even on those exchanges, that activity is concentrated on just 200 deposit addresses, she says.
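As an added illustration (not from the article and not Chainalysis's tooling), the following Python follows funds from a constructed ransom address across intermediate hops until they land at addresses labelled as exchange deposits, then summarises how concentrated the cash-out is. The mini-ledger, the exchange labels and every address name are constructed for the example; real Bitcoin transactions have multiple inputs and outputs, which are simplified here to a directed flow graph.

```python
from collections import defaultdict, deque

# Constructed mini-ledger: (txid, spending address, [(receiving address, BTC)]).
# Not real chain data; 'ransom_addr' stands in for an address a victim paid.
TXS = [
    ("tx1", "ransom_addr", [("hop_a", 50.0), ("hop_b", 25.0)]),
    ("tx2", "hop_a", [("hop_c", 49.9), ("hop_a_change", 0.1)]),
    ("tx3", "hop_b", [("exch1_dep_7", 24.9)]),
    ("tx4", "hop_c", [("exch1_dep_7", 30.0), ("exch2_dep_3", 19.9)]),
    ("tx5", "unrelated", [("exch1_dep_9", 5.0)]),  # noise, never reached
]

# Constructed attribution set: deposit address -> exchange that controls it.
EXCHANGE_DEPOSITS = {"exch1_dep_7": "Exchange1", "exch2_dep_3": "Exchange2",
                     "exch1_dep_9": "Exchange1"}

def build_graph(txs):
    """Adjacency list: address -> [(next address, amount, txid)]."""
    g = defaultdict(list)
    for txid, src, outs in txs:
        for dst, amt in outs:
            g[src].append((dst, amt, txid))
    return g

def trace_to_cashouts(start, txs, labels, max_hops=10):
    """Breadth-first follow of outgoing flows from `start`. Labelled exchange
    deposit addresses are recorded but not expanded: once funds are in an
    exchange's custody the on-chain trail ends and the exchange's records take over."""
    g = build_graph(txs)
    reached, seen, queue = {}, {start}, deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for dst, amt, txid in g.get(addr, []):
            if dst in labels:
                entry = reached.setdefault(dst, {"exchange": labels[dst], "btc": 0.0,
                                                 "first_hop": hops + 1, "txids": []})
                entry["btc"] = round(entry["btc"] + amt, 8)
                entry["txids"].append(txid)
            elif dst not in seen:
                seen.add(dst)
                queue.append((dst, hops + 1))
    return reached

def cashout_summary(reached):
    """Aggregate traced funds per exchange; the deposit-address count is the
    chokepoint figure the article describes (few addresses, few exchanges)."""
    per_exchange = defaultdict(float)
    for info in reached.values():
        per_exchange[info["exchange"]] = round(per_exchange[info["exchange"]] + info["btc"], 8)
    return {"deposit_addresses": len(reached), "per_exchange": dict(per_exchange)}
```

Running `cashout_summary(trace_to_cashouts("ransom_addr", TXS, EXCHANGE_DEPOSITS))` shows 74.8 of the 75 traced BTC arriving at only two deposit addresses on two exchanges, with the unrelated deposit correctly excluded.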
"It's a very, very small ecosystem, and cashouts are primarily occurring by a small number of what appear to be professional money launderers," Kennedy says.
Privacy coins, such as monero, don't have public blockchains and are inherently more difficult to track. But mostly, they're not a factor yet, in part due to low liquidity. "It would be much worse if [ransomware payments] were happening with a less transparent form of value transfer," she says.