Ransomware has seeped into the mainstream consciousness thanks to the recent shutdown of the Colonial Pipeline. Crippled by a ransomware attack, Colonial ended up paying a $4.4 million ransom in bitcoin to free itself from its attackers. In the meantime, the U.S. Eastern Seaboard suffered from gasoline shortages.
What is ransomware? It is malicious software that takes control of a victim's systems, typically by encrypting files, and increasingly by also stealing data and threatening to publish it. The operator only hands that control back (a decryption key, a promise not to leak) after receiving a ransom payment, usually in bitcoin but sometimes in Monero.
While Colonial’s attack grabbed headlines, the ransomware problem has been growing for years. In a recent Sophos survey of 5,400 IT decision makers at corporations and government agencies around the world, 6.6% reported paying a ransom in 2020. The average payment? $170,000. Scale that across the world’s organizations and the total paid each year runs into the billions of dollars.
In an opinion piece for the Wall Street Journal, Lee Reiners suggests banning cryptocurrency in order to get rid of ransomware. His argument is that cryptocurrencies like bitcoin don’t have any social purpose apart from speculation. And so getting rid of it would make the world better off.
I think a ban is overkill. There are ways to go about attacking ransomware that have a smaller blast radius.
Bitcoin’s link to ransomware
First, let’s cover where Reiners and I agree. He explicitly links the ransomware phenomenon to cryptocurrencies like bitcoin when he says that “Ransomware can’t succeed without cryptocurrency.”
He’s right. No bitcoin, no ransomware boom. But I’d add a caveat. Only large-ticket ransomware relies on cryptocurrency. Small-ticket stuff never required it.
According to security writer Danny Palmer, the first strain of ransomware emerged in 1989. It asked for payment by bank draft, cashier’s check, or money order to a P.O. Box in Panama. But a check is an awfully risky way for a criminal to extract a ransom.
Ransomware gangs eventually moved on to centralized payment processors to extort money from victims. Ransom-A, a 2006 strain of ransomware, froze victims’ computers and would only release them when $10.99 had been transferred via the remittance company Western Union. Another ransomware strain in 2011 impersonated the FBI and required a $100 payment via MoneyPak, a prepaid card product offered by Green Dot Bank.
But, as you can see, this is all small-ticket ransomware. A gang couldn’t lock down, say, a large bank and ask for a $250,000 ransom via Western Union or MoneyPak.
The other problem with Western Union and MoneyPak (from a criminal’s perspective) is that these systems are plastic—they can be updated. Thanks to pressure from law enforcement and politicians, Western Union and MoneyPak eventually modified their payments processes to make it tougher for criminals to use them for extracting ransoms.
Ransomware gangs then turned to gift cards. Alpha Ransomware, which debuted in 2016, would encrypt your data and demand $400 in iTunes gift cards for a decryption key. But a criminal can’t extract large ransoms with gift cards—most stores don’t sell cards with face values above $500.
With cryptocurrencies, ransomware gangs have discovered the perfect payment rail. No one has to provide their identity to use cryptocurrencies such as Bitcoin or Monero; users can remain pseudonymous. Unlike Western Union or MoneyPak, these networks have no operator who can be pressured to exclude users or rewrite the rules. To boot, a ransomware gang can sit on its stash knowing that law enforcement has no way to freeze coins held in the gang’s own wallets. (Investigators can still follow the coins, since bitcoin transactions are public, which is why the real pressure point is the exchange where the proceeds are eventually cashed out.) And, unlike gift cards and MoneyPaks, there is no maximum value to a bitcoin transaction.
So censorship-resistant payment networks like Bitcoin have opened the field to industrial-scale ransomware attacks, with demands running from $10,000 to $50 million. Nonetheless, a prohibition on cryptocurrency goes too far.
Who uses bitcoin?
Reiners dismisses most licit cryptocurrency usage as speculative. And he’s right. Most people who buy bitcoin are just betting on its price.
But I’m not sure that we can use “it’s just speculation” to write off an entire industry. After all, we’ve chosen to keep Las Vegas and the gambling industry legal, and gambling is 100% speculative. Games of chance don’t serve a crucial societal need. But they are a form of entertainment.
Apart from criminals and gamblers, there are two other groups of cryptocurrency users worth mentioning. Outsiders, like salvia divinorum retailers, who have been cut off from centralized services for engaging in legal but unfashionable activities, may turn to cryptocurrencies to make payments. Another group of licit, nonspeculative users is hobbyists who oppose centralization.
These are not large groups, but they do exist. Banning cryptocurrencies would mean depriving these two groups, and potentially others, of services they value.
The status quo
An alternative to a ban is to maintain the status quo. Just let law enforcement agencies such as the FBI, INTERPOL, and RCMP do what they normally do: catch the bad guys.
But there’s a problem with this approach. Most ransomware activity originates from Russia. The Russian government turns a blind eye to ransomware gangs, on the condition that these operators don’t attack Russian companies or agencies. And so ransomware operates outside of the reach of traditional Western law enforcement.
The status quo also involves continued pressure on cryptocurrency exchanges to set up anti-money laundering defenses. Exchanges are the most liquid venues for buying and selling cryptocurrencies. If every exchange applied anti-money laundering measures, ransomware gangs would be cut off from selling their proceeds.
Again, the problem here is Russia. Russian cryptocurrency exchanges serve as venues for laundering and will continue to do so as long as local authorities sanction their behaviour.
Which gets us to an embargo on ransom payments.
A penalty for paying a ransom
Industry groups and other umbrella organizations, such as the U.S. Conference of Mayors, already exhort their members not to pay ransoms. So does the FBI.
They have good reasons for trying to set up an informal embargo. Sending a ransom encourages ransomware gangs to continue attacks. If everyone suddenly stopped paying, the ransomware industry’s income would be smothered and it would soon collapse.
But these “do not pay” exhortations don’t really work without a good coxswain, someone who makes sure that everyone is following the same rhythm. Individual companies or agencies have a big incentive to defect from the no-ransom optimum. If they quietly pay their attacker, they can get a decryption key and avoid the hassles of downtime and rebuilding systems from scratch.
What is needed is an authority who can enforce the embargo by calling out defectors and disciplining them for paying a ransom. A few state governments, including North Carolina and New York, are trying to take on this role by introducing anti-ransom payment legislation. (To date, none of this legislation has passed.)
But to be effective, the coxswain needs to be a much bigger actor than a state government. The U.S. Treasury already has an agency at its disposal for sanctioning bad actors: the Office of Foreign Assets Control (OFAC). It has even dipped a toe in the water: OFAC designated the Evil Corp gang, the operators behind the Dridex malware and BitPaymer ransomware, in December 2019, and in an October 2020 advisory it warned that ransom payments to sanctioned actors can violate U.S. sanctions law. To implement a full embargo, OFAC could announce that after a specified lead time, say nine months, it will start adding every ransomware gang, not just a handful, to its Specially Designated Nationals (SDN) list.
When OFAC puts an organization on the SDN list, it becomes illegal for U.S. persons (citizens, residents, and companies) to transact with it, and the civil penalties apply even if the payer did not know who was on the other end. So paying a ransom to any gang on OFAC’s list would be prohibited. Corporations and agencies would quickly shift to the ideal “do not pay” equilibrium. And, with revenue drying up, ransomware gangs would exit the business.
Pre-announcing a policy of adding gangs to the SDN list would give corporations and agencies enough lead time to build up their defenses: hardening systems and, above all, keeping offline, regularly tested backups. After all, once gangs are on the SDN list, organizations attacked by these gangs won’t have the easy out of a ransom payment; they will have to recover on their own.
This is just a sketch of a potential solution, of course. A well-designed embargo would require much more attention to detail. For instance, a victim would need a reliable way to attribute an attack to a designated gang, and gangs can rebrand to slip off the list. But, with OFAC as coxswain, an embargo might achieve everything that a ban on cryptocurrency promises to achieve without depriving gamblers, outsiders, and hobbyists of a product they value. It would also be more effective than the status quo, which is not capable of stopping criminals who operate with impunity from noncompliant jurisdictions.