The lights are flashing red. #Ransomware attacks like the #Kaseya attack threaten critical infrastructure, small businesses & national security. Congress must look into attack reporting, crypto’s role, and gov’t software security—then take swift action. https://t.co/UcjjSGgptM
— Rep. Eric Swalwell (@RepSwalwell) July 3, 2021
There have been a few high-profile ransomware attacks on US companies and government agencies in the last year or so. The role of cryptocurrencies in these attacks has been a talking point for years now. Calls for more regulation to mitigate these attacks have added to the steady stream of FUD that has been hitting the crypto space for the last few weeks. However, would regulating crypto have any real effect on ransomware attacks? Who are the culprits of these attacks? Let’s discuss.
Would ‘banning’ Crypto make a difference?
In our opinion, ‘banning’ cryptocurrencies would not influence the frequency or scale of ransomware attacks. The question is though – is it even possible to ban crypto? And if it is, how can regulators enforce a ban where they have no jurisdiction?
Short of ‘cancelling’ the internet, there is no feasible way to ban cryptocurrencies outright or stop people from interacting with blockchains. Blockchains are explicitly designed to be decentralised and censorship-resistant. Regulators can make it extremely difficult for the average Joe to get his fiat onto an exchange to buy or sell crypto. This would inevitably reduce the amount of liquidity available in the market, making it slightly more difficult for ransomware attackers to cash out their bounty – but only in the jurisdiction where regulation is enforced. All it takes is one country to have ‘looser’ regulations to create a global regulatory loophole to be exploited.
Similar to offshore tax havens, which allow multinational companies to bypass taxation in their country of operation, countries with a relaxed or different regulatory approach would become cryptocurrency havens. This form of geographical arbitrage is already occurring. Comparing the current regulations and governmental stances of Miami or Portugal with those of China concerning cryptocurrencies should highlight the point above.
Lastly, cyberattacks will occur regardless of any cryptocurrency-related regulations. Extracting payment in US Dollars, which are fully regulated, never previously posed an issue for criminals.
Regulating Crypto & Privacy Coins
As outlined above, truly regulating crypto is impossible. The most effective and best course of action left to regulators and governments is to go after cryptocurrency onramps and offramps. By strictly regulating all avenues that can be used to convert cryptocurrencies to fiat, law enforcement agencies can ensure that any attempts to convert illicitly gained cryptocurrency funds are identified. Such an approach is agnostic of the cryptocurrency used by criminals.
Regulators in many countries have already implemented strict KYC (Know Your Customer) requirements for most, if not all, cryptocurrency exchanges. Without a valid ID, it is exceedingly difficult for the average person to interact with the crypto market. Regulations at an institutional level are even stricter. Most other avenues for converting cryptocurrency assets to fiat currency (e.g., a Bitcoin ATM) do not offer enough liquidity to be an option for criminals, and they also require someone to be physically present to collect the cash.
Ransoms extracted using Bitcoin leave a transaction trail on the blockchain, which anyone can view. In the recent case of the Colonial Pipeline ransomware attack carried out by the criminal cybergroup DarkSide, the FBI successfully recovered the ransom payment of 2.3 million USD in Bitcoin paid to the attackers. The Bitcoin wallet belonging to the cybercriminals containing the ransom payment was seized. The FBI has not disclosed how the Bitcoin wallet was compromised and accessed by them, citing the need to protect tradecraft.
This does, however, illustrate that law enforcement has the capability and resources necessary to combat cybercriminals using Bitcoin for nefarious purposes. This has led to cybercriminals preferring privacy-oriented coins such as Monero to extract ransom payments, as no trail of transactions is left on-chain.
Due to this lack of a ‘trail’ when privacy coins are used by cybercriminals, the actions that law enforcement can take to recover the ransom payment are limited. Law enforcement is aware of these issues, with the IRS offering bounties to anyone who can effectively track transactions made using Monero.
Other avenues of action such as authorities running a large network of their own Monero nodes, analyzing data seized from shutting down any non-compliant exchanges which list Monero, and utilizing spy software and wallets are being investigated by law enforcement. Details regarding such plans are understandably not released to the public.
However, the use of privacy-oriented cryptocurrencies does not spare criminals the problem of converting the ransom payment to ‘clean’ fiat. Making privacy coins even harder to use for this purpose, these coins are usually not listed on many regulated exchanges, which reduces the available liquidity.
Of course, the one loophole which can never be regulated is peer-to-peer exchanges and private agreements. However, this problem is not a cryptocurrency-specific one, as it is present across multiple asset classes such as precious gemstones, high-end watches, and artwork.
Regulating Crypto? Is it possible?
We have issued a consumer warning on Binance Markets Limited and the Binance Group https://t.co/noyoK1Bj1n
— Financial Conduct Authority (@TheFCA) June 28, 2021
Banning crypto at the retail point of access (i.e., exchanges) does not prevent peer-to-peer transactions and, if push comes to shove, people will always be able to get their hands on digital assets. The blockchain will not magically disappear with the introduction of harsh legislation. In countries not covered by the legislation, it is business as usual.
For example, look at the case of China – they banned mining. What happened to the miners? They packed up their mining rigs and are shipping their operations to crypto-friendly countries. Who are we regulating here? There is no CEO of Bitcoin and no single entity or individual responsible for the operation/maintenance of the ledger.
Additionally, a point can be made for people or groups already committing extortion – are they concerned about conforming to any laws, let alone regulations in a country they are not even operating in?
Another critical factor is the centralised nature of the fiat banking system. A bank has complete control of the funds it holds on behalf of its customers, along with its users’ transactions. This was recently illustrated by Barclays Bank PLC not allowing their account holders to deposit funds with cryptocurrency exchange Binance.
In a similar fashion, any bank transaction can be reversed or altered after its completion. For this reason, ransomware criminals have never used the banking system to extract their ransoms, preferring irreversible and censorship-resistant methods. Instead, prior to cryptocurrencies, alternative payment methods were used, such as E-Gold, prepaid debit cards, and even premium-rate phone numbers. Other methods took advantage of fiat payment services housed in countries that would either aid or turn a blind eye to such activities, for example, Russia, North Korea, and Iran.
Is there anything that governments can do?
Governments know that attempting a blanket ban on crypto is futile. However, we do not view crypto as the problem here. When we consider the hacking groups executing high-level attacks, it is an entirely different ball game. Ransomware attacks have existed forever. However, crypto is effectively replacing the physical risk of picking up a ransom with picking it up online.
To illustrate, in the movies, the ransom is paid using duffel bags of cash. When using crypto, the issue is not picking up/receiving the ransom; it is converting the crypto into usable ‘cleaned’ fiat. To “cash-out” at this scale, these groups are operating in countries that effectively sanction their actions – they will almost always be under the protection of a government.
If we look at the recent ransomware attacks that have affected US companies, such as the Kaseya hack by a group known as REvil, we are witnessing a recurring theme – most of these groups are based in Russia. North Korea is also known to be actively participating in crypto-based ransomware attacks.
President Biden emerged from a Situation Room meeting with his top cybersecurity advisers on Wednesday to declare that he “will deliver” a response to President Vladimir Putin of Russia for the wave of ransomware attacks hitting American companies. https://t.co/hCGCARAVnE
— NYT National News (@NYTNational) July 8, 2021
We believe that the main issue here is a lack of security. If outsiders can exploit a database with malicious intent, then it can be tested for vulnerabilities by a white-hat hacker on the company payroll.
Without the authority (or the means) to ban crypto worldwide, governments must look at ways of preventing these attacks in the first place:
- A valid intervention would be more extensive security standards for companies and government agencies managing high-value targets such as infrastructure and security databases.
- Another route would be to apply diplomatic pressure on countries where ransomware groups are known to operate. However, the political ramifications of this kind of action will no doubt have consequences.
Every time a ransomware group gets paid, their whole operation becomes more efficient; they can afford more talented hackers, better equipment, extensive intelligence – the list goes on. Security measures must be put in place before these attacks occur. We believe that security can be improved and is likely the easiest way of mitigating the frequency and severity of attacks. Diplomatic pressure can undoubtedly make hosting countries think about acting against such groups, but ultimately there is no way of forcing them to do anything about it.