It was only a matter of time. Ransomware has been hounding businesses and institutions for a long time, and the increasing professionalization of the scene has worried experts for quite a while. Now, a working group is calling on the U.S. government to take bolder action against ransomware. As part of this, cryptocurrencies are also to be regulated more strictly.
Of course, when a group of experts writes a report, it should also show how serious the issue is. It is therefore not surprising if the choice of words exaggerates rather than trivializes, and if it inflates rather than downplays the topic.
Still, the wording with which the “Combating Ransomware” report opens leaves an impression. The report was written by the 8-member Ransomware Taskforce convened by the Institute for Security and Technology: In just a few years, ransomware – a type of virus that encrypts data and demands a ransom, usually in bitcoin, to decrypt it – has become “a serious national security threat and a risk to public health and safety.”
Ransomware, the report writes, “is not just financial extortion; it is a crime that infiltrates businesses, governments, universities, and geographic boundaries.” It affects health care during a pandemic and disrupts the operations of schools, hospitals, police departments, city governments and even military installations, it said. “It’s a crime that diverts both private and taxpayer money to global criminal organizations” that also fund illegal activities, such as human trafficking and the development and proliferation of weapons of mass destruction.
$350 million in ransom and much more in damages
Last year, the volume of ransomware payments tripled to more than $350 million, the report says. Worse than the cost of payments, however, was the damage caused by the attacks.
In 2020 alone, there were 2,400 ransomware incidents in public institutions in the United States, such as municipalities, schools and hospitals. Their computer systems – and parts of their operations – were down for an average of 21 days as a result of an attack, the report says, and took 287 days to fully recover. The cost of recovery often exceeds the ransom many times over. For example, the Atlanta city government paid a ransom of $50,000 but spent about $2.6 million to clean up the attack, according to the report.
The more the “Internet of Things” spreads, the more serious the threat from ransomware becomes, the report says. It cites some examples of “critical infrastructure threats”: in 2019, a ransomware attack shut down a Coast Guard facility for 30 hours; in 2020, it hit a natural gas pipeline for two days. The working group also views with concern the spike in attacks on hospitals, which led to the delay of treatments “and potentially cost lives.” The major catastrophe has yet to occur – but the attacks show how vulnerable infrastructure can be.
So it’s time to take action against the plague. But how?
Taking action against ransomware is extremely difficult. This is reflected in the fact that the gangs have been plaguing the Internet since 2013, but you can count the number of arrests on one hand, or at most two.
- Most of the hackers “operate with near impunity, living in jurisdictions unwilling or unable to bring them to justice.” Here, the task force is targeting Russia in particular.
- As recently as April, the U.S. Treasury Department issued sanctions against Russian citizens after a link between ransomware hackers and Russia’s FSB intelligence agency came to light.
- The FSB was “cultivating cooperation with criminal hackers,” according to the accusation, which is anything but new in security circles.
- Exacerbating the situation, the report says, is a financial system that allows attackers to receive money without the payments being traceable. Here, the report means Bitcoin and other cryptocurrencies.
- Despite the blockchain’s high level of transparency, experienced users can make tracking payments much more difficult by using mixers and other obfuscation techniques or by jumping from blockchain to blockchain.
A global response – and more regulation for crypto exchanges
Ransomware, the report notes, is a “global challenge” that can only be solved globally. It should therefore be a topic of discussion at summit forums such as the G7 or G20, Interpol, Europol and others. To these, the task force proposes a series of 48 measures aimed at holding hackers accountable more effectively, and at better preparing companies and institutions for attacks and protecting them against them.
Among many pieces of advice – such as a “name and shame” approach to also bring states like Russia in line in the fight against ransomware – the report includes a number of recommended measures that affect cryptocurrencies.
For example, governments should incentivize companies to report crypto payments expeditiously. All types of exchange platforms – including kiosks and over-the-counter trading bureaus – should be more closely monitored and pushed to implement applicable laws, such as the well-known KYC and AML rules: They should know the identity of their customers and identify and report potential attempts to launder money. The laws already exist, but compliance leaves much to be desired.
On the government side, competencies in blockchain analysis should be improved and centralized. Most importantly, governments should also be able to more effectively and expeditiously seize cryptocurrencies that exchanges hold for their customers. Only if this happens in a timely manner can the criminals be deprived of their funds.
Not all experts share the focus on cryptocurrencies, however. Ilia Kolochenko of ImmuniWeb, for example, says it’s better to focus on the root of the problem: the “widespread lack of minimal cyber hygiene.” Even if all crypto exchanges were regulated, criminals would find ways to undermine regulation.