Cryptocurrency and ransomware have had a long history together. They are so closely intertwined, in fact, that many have blamed the rise of cryptocurrency for a parallel rise in ransomware attacks.
Ransomware attacks are certainly increasing — they rose by 118% in 2018 — but it’s not clear that this is due to cryptocurrency. While the vast majority of ransoms are paid in crypto, the transparent nature of these currencies actually means that they are a pretty bad place to hide stolen funds.
In this article, we’ll take a look at the relationship between cryptocurrency and ransomware, as well as what the future holds.
The ransomware crypto economy
There are at least two ways in which cryptocurrency is important for ransomware attacks. The first one is the most obvious — the majority of the ransoms paid during these kinds of attacks are generally in cryptocurrency. This was the case, for instance, in the WannaCry ransomware attacks, still the largest attack of its kind in history. Victims of the attack were instructed to send roughly $300 of Bitcoin (BTC) to their attackers.
There is another way in which crypto and ransomware are intertwined, though. Today, plenty of hackers are offering “ransomware as a service,” essentially letting anyone hire a hacker from online marketplaces. If you are so inclined, you can even buy ransomware off-the-shelf from these marketplaces. Both of these “services” can be paid for in — you’ve guessed it — cryptocurrency.
Cryptocurrency is also implicated in many other forms of cyberattack. Cryptojacking — a form of attack that uses victims’ computers to mine cryptocurrencies — is also on the rise, and new forms of malware such as Adylkuzz can be used by almost anyone with even a slight level of technical knowledge. Though these forms of attack are not technically ransomware, they further suggest the deep relationship between cryptocurrency and cybercrime.
Following the money
At first glance, it seems obvious that ransomware hackers would demand payment in cryptocurrency. Surely these currencies, based on anonymity and encryption, offer the best place to store stolen funds?
Well, not really. There is actually a different reason why ransomware attacks make use of cryptocurrencies. As Coin Center director of research Peter Van Valkenburgh wrote in 2017, it is the efficiency of cryptocurrency networks, rather than their secrecy, that attracts hackers. As he later put it:
“It’s electronic cash, so it’s easy to write software that can automatically demand payment and automatically demand that payment has been made.”
The value of cryptocurrency during a ransomware attack is actually the transparency of cryptocurrency exchanges. A hacker can simply watch the public blockchain to see if victims have paid up, and can automate the process of giving a victim their files back once this payment has been received.
This point also suggests a slightly curious aspect of the role of crypto in ransomware attacks: Cryptocurrency is, perhaps, the worst place to store ransom money. The open, transparent nature of Bitcoin blockchain transactions means that the global community is closely watching the ransom money. That makes it extremely difficult to convert these funds into another currency, and means that they can be tracked by law enforcement.
As the director of research at Coin Center, Peter Van Valkenburgh, stated:
“In the U.S., every major bitcoin exchange is regulated by FINCEN. Right now the $50,000 extorted from victims is just sitting on the bitcoin network. … That [exchange into local currency] is where you’re vulnerable to being identified.”
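The tracing described above, as an added example that is not from the original article: a forward walk over a small constructed ledger that follows ransom funds until they reach an exchange deposit address, the point where the quote says identification becomes possible. The ledger, the address names and the exchange list are hypothetical, and the address-based model is a simplification of Bitcoin's transaction outputs.

```python
from collections import deque

# Constructed sample ledger (not real chain data). Simplified model:
# each transaction spends from input addresses and pays output addresses.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_A"], "outputs": {"ransom_addr": 0.10}},
    {"txid": "tx2", "inputs": ["victim_B"], "outputs": {"ransom_addr": 0.10}},
    {"txid": "tx3", "inputs": ["ransom_addr"], "outputs": {"hop_1": 0.15, "hop_2": 0.05}},
    {"txid": "tx4", "inputs": ["hop_1"], "outputs": {"hop_3": 0.15}},
    {"txid": "tx5", "inputs": ["hop_3", "unrelated_X"], "outputs": {"exchange_dep_7": 0.40}},
    {"txid": "tx6", "inputs": ["unrelated_Y"], "outputs": {"exchange_dep_9": 1.00}},
]
# Hypothetical deposit addresses attributed to a regulated exchange.
EXCHANGE_ADDRS = {"exchange_dep_7", "exchange_dep_9"}


def trace_forward(ledger, start_addr, exchange_addrs):
    """Follow funds forward from start_addr; return cash-out points and unspent ends.
    Uses "poison" tainting: every output of a transaction with a tainted
    input is treated as tainted. It over-approximates, which suits triage.
    """
    spends = {}  # address -> transactions that spend from it
    for tx in ledger:
        for addr in tx["inputs"]:
            spends.setdefault(addr, []).append(tx)
    cash_outs, dormant = [], []
    seen = {start_addr}
    queue = deque([(start_addr, [])])  # (address, txid path that reached it)
    while queue:
        addr, path = queue.popleft()
        if addr in exchange_addrs:
            # Stop here: the exchange's customer records take over from the chain.
            cash_outs.append({"address": addr, "path": path})
            continue
        if addr not in spends:
            dormant.append(addr)  # funds still sitting on the network
            continue
        for tx in spends[addr]:
            for out_addr in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [tx["txid"]]))
    return cash_outs, dormant


if __name__ == "__main__":
    hits, resting = trace_forward(LEDGER, "ransom_addr", EXCHANGE_ADDRS)
    print("cash-out points:", hits, "| unspent taint:", resting)
```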
Regulation and enforcement
The fact that stolen funds can be tracked in this way doesn’t necessarily mean that the hackers who stole them can be brought to justice, of course. The anonymity of cryptocurrency means that it is often impossible for law enforcement agencies to uncover the true identity of ransomware hackers, though of course there are exceptions.
Chief among these, according to Coin Center, is that the “blockchain allows one to trace all transactions involving a given bitcoin address, all the way back to the first transaction. That gives law enforcement the records it needs to ‘follow the money’ in a way that would never be possible with cash.”
Because of that, and also in response to a number of recent high-profile ransomware attacks, some have called for cryptocurrency to be regulated more closely. Regulation will need to be implemented carefully, however, because one of the major attractions of cryptocurrency — for ordinary citizens and hackers alike — is the fact that it is anonymous.
This means that attempts to regulate the space may make catching criminals even more difficult. As pointed out by Will Ellis, head of research at community advocacy group Privacy Australia, cryptocurrency bans led to a rise in VPN use, as investors seek to circumvent Know Your Customer and Anti-Money Laundering requirements in their home countries.
In addition, most governments simply don’t have the understanding or the resources to regulate the crypto space effectively. Some are so far behind that they aren’t even certain how to define what cryptocurrencies are. In this context, it is difficult to see how the close link between ransomware and cryptocurrency can ever be broken.
The bottom line
The lack of governmental oversight of cryptocurrency, combined with the rapid rise in ransomware attacks, means that individuals need to protect themselves.
Some companies and individuals have taken unusual approaches. Companies have stockpiled Bitcoin not as an investment, but rather in case they need to pay a ransom as part of a future attack. Some enterprising individuals have even taken matters into their own hands, such as the German programmer who “hacked back” following a cyberattack using his own systems.
For most of us, though, protecting against ransomware attacks means doing the basics correctly. You should ensure that all of your systems are up to date, subscribe to a secure cloud storage provider and back up frequently. Companies of all sizes should partner with a managed security services provider to monitor enterprise networks, perform risk assessments and make recommendations specific to their data environment.
Ultimately, the relationship between cryptocurrency and ransomware is unlikely to be broken anytime soon. And while cryptocurrencies are certainly involved in the majority of ransomware attacks, we should not make the mistake of blaming crime on the currency it is conducted in.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with an emphasis on technology trends in cyber warfare, cyber defense and cryptography. Previously, Sam was a defense contractor for the United States Department of Defense, working in partnership with architects and developers to mitigate controls for vulnerabilities identified across applications.