In Ransomware Battle, Bitcoin May Actually Be an Ally


Webs of Criminality Are Recorded on Bitcoin’s Blockchain


June 17, 2021    

A bitcoin mining facility in Farnham, Canada, run by Bitfarms. (Photo: Bitfarms)

The role of bitcoin in the ransomware payments pipeline is clear: it’s enabled fast, enormous payments with some degree of privacy.



How to deal with bitcoin and other cryptocurrencies in the battle against ransomware is the subject of a spirited debate. Some have labelled bitcoin a prominent foe and, as in this Wall Street Journal opinion piece, called to ban it. Others say the payment method used for ransoms is largely a red herring: if bitcoin were gone, the traditional banking system would be used instead.



Disrupting the flow of money to criminal enterprises is a traditional law enforcement technique. If the money stops flowing, or it becomes too onerous or risky to get paid, criminals tend to move to the next scheme that satisfies the risk-reward balance.


Policy makers and governments are looking for disruptive levers to slow a siege against businesses and critical infrastructure. Ransomware has reached a scale at which it’s becoming a political problem for leaders and a tense discussion point between nations (see Biden Warns Putin of Cyber Retaliation).


What should be done about bitcoin? Actually, the status quo isn’t so bad. The paths to converting bitcoin to cash without scrutiny are narrowing. Law enforcement is making small but notable gains, including the FBI’s Colonial Pipeline action and the NetWalker takedown in January, both of which involved cryptocurrency seizures (see Another Takedown: Netwalker Ransomware Gang Disrupted).


Direct-Deposit Ransoms?


Bitcoin is a decentralized system launched in January 2009 by a pseudonymous programmer, Satoshi Nakamoto. Nakamoto’s white paper elegantly described a secure, peer-to-peer system for electronic cash that drew on some pre-existing computer science concepts.


Bitcoins are transferred by sending a balance from one alphanumeric address to another. Those transactions are recorded on a public ledger called the blockchain and are validated and bundled into blocks by computers distributed worldwide, known as “miners,” which earn newly issued bitcoin and transaction fees as a reward. Addresses are derived from cryptographic public keys, not from names: the blockchain records who paid which address, never who controls it. And once a transaction is buried under enough subsequent blocks, the record is practically impossible to alter.


Because there is no central operator to serve an order on, the network itself can’t be switched off, which makes calls to ban bitcoin overly simplistic. Restrictions against bitcoin would more realistically take shape as legislation that bans people from buying bitcoin from exchanges.


The argument to ban bitcoin is nothing more than the argument to ban ransomware payments in a fancy coat, says Marcus Hutchins, a malware researcher who stopped the spread of the WannaCry ransomware in May 2017.


“Not only would banning bitcoin be ineffective due to the decentralized nature of cryptocurrency, it would also be less effective than an all-out ransomware payment ban, because the gangs would simply move to other payment methods,” Hutchins tells me.



Banning ransomware payments is a step no government has taken so far. The issue is charged for a variety of reasons, including the potential that lives might be at stake or that companies could be driven into bankruptcy without their data. The Ransomware Task Force, a coalition of experts and policy makers that released a comprehensive report in April on tackling ransomware, couldn’t come to a consensus on whether payments should be prohibited.


Hutchins says that if cryptocurrency ransoms were banned, cybercriminals could go back to using the traditional banking system. He recently published a video arguing that cybercriminals routinely moved multimillion-dollar amounts through banking systems in the heyday of banking malware (see More SWIFT-Related Fraud Revealed: How Banks Must Respond).


Hutchins contends banks would be reluctant to intervene: Ransomware victims would be willingly sending money to the ransomware gangs. Interfering with that process would put the banks at odds with what their customer wants to do, he says.


Degrade Cryptocurrency, Degrade Ransomware


There are opposing views. Nicholas Weaver, a computer security researcher and lecturer at the University of California at Berkeley, argued in a recent piece for Lawfare that ransomware gangs couldn’t leverage the traditional banking system.


“Even the most blatantly corrupt bank would consider processing ransomware payments as an existential risk,” Weaver writes.


In Weaver’s view, degrading or even destroying cryptocurrencies may be the key to solving the ransomware problem. Weaver was part of a group of scientists who released research in 2011 showing how the pharmaceutical spam ecosystem could be broken up by focusing on payment processing. It was put into practice, and it worked. The same approach could work with cryptocurrency, he writes.


“If governments take meaningful action against bitcoin and other cryptocurrencies, they should be able to disrupt this new ransomware plague and then eradicate it, as was seen with the spam Viagra industry,” Weaver writes.


There’s truth in what both Weaver and Hutchins contend, says Tom Uren, senior analyst with the Australian Strategic Policy Institute’s International Cyber Policy Centre.


If criminals moved from bitcoin to the traditional financial system, they would be dealing with institutions that generally cooperate to stop crime. That would increase friction, which might limit scale, Uren says.


On the other side, making bitcoin illegal in one region doesn’t make it go away. But tighter controls around it would help spot illegal activity, which is one prong of the Ransomware Task Force’s recommendations, Uren says.


Blockchain Investigations


Just a month after Colonial Pipeline Co. was struck by ransomware that shut down fuel transfers along the East Coast, the FBI announced it had recovered 63.7 of the 75 bitcoins the company paid. That portion had ended up with an affiliate of the DarkSide ransomware group.


It was a remarkable announcement. An FBI special agent described in an affidavit how the agency traced the bitcoins as they moved on the blockchain. The end of the description, though, felt like a cups-and-balls trick: the bitcoins magically land at an address for which the FBI controlled the private key.




The FBI purposely masked its tradecraft, but it shows that it and agencies such as the IRS are becoming increasingly nimble in cryptocurrency investigations. Tracking and stopping cryptocurrency transactions will be a necessary part of deterring ransomware, says Katie Nickels, director of intelligence at Red Canary, who participated in the Ransomware Task Force.


“The U.S. government’s ability to investigate cryptocurrency payments is significant because that ecosystem is part of what enables ransomware actors to be so successful and profitable,” Nickels says.


In January, U.S. investigators seized $455,000 in cryptocurrency as part of the shutdown of the NetWalker ransomware scheme, according to the Justice Department. Cryptocurrency tracking and seizures have been made possible with help from private-sector firms such as CipherTrace and Chainalysis, the latter of which described in detail how it tracked NetWalker actors.


Choke Point: Cashing Out


While the core ransomware gangs may be in Russia, there’s a whole worldwide criminal economy around it – malware developers, hosting providers and other services, says Maddie Kennedy, senior director of communications at Chainalysis.


Those actors usually get paid in bitcoin, and those webs of criminality can be tracked on the blockchain. Discovering the identities of those people takes much more work, of course, but patterns can be teased out. “We think that the key to disrupting ransomware is the ransomware supply chain,” she says.




Cryptocurrency exchanges generally want to stay away from illegal activity. Although views on what cryptocurrencies are good for are sharply divergent, there’s a growing economy around them. Many exchanges are using transaction monitoring software from firms such as Chainalysis to spot dodgy activity.


Potential choke points are exchanges where cryptocurrency can be turned into cash. Kennedy says the vast majority of ransomware-related cash outs are occurring on just a few exchanges. And even on those exchanges, that activity is concentrated on just 200 different deposit addresses, she says.
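The tracing described in this section, and the address-to-address transfer model described earlier in the article, can be shown with a small toy. The following is an added example for this article; it is not code from the FBI, Chainalysis or CipherTrace, and the ledger, transaction ids, addresses and amounts are constructed for illustration (the 75 to 63.7 split only loosely echoes the Colonial Pipeline figures). It follows a ransom payment forward to addresses an exchange has attributed to itself, groups addresses with the common-input-ownership heuristic that real tracers use as a starting point, and tallies how much lands on each deposit address.

```python
"""Toy blockchain tracing over a constructed transaction set.

Added example, not code from the article or from any tracing vendor.
Every txid, address and amount below is made up.
"""
from collections import defaultdict, deque

# Constructed ledger: txid -> inputs spent and outputs created, amounts in BTC.
# Inputs are whole balances; fees are ignored for simplicity.
LEDGER = {
    "tx1": {"in": [("victim_wallet", 75.0)],
            "out": [("ransom_addr", 75.0)]},
    "tx2": {"in": [("ransom_addr", 75.0)],
            "out": [("affiliate_addr", 63.7), ("core_gang_addr", 11.3)]},
    "tx3": {"in": [("affiliate_addr", 63.7)],
            "out": [("hop_a", 40.0), ("hop_b", 23.7)]},
    "tx4": {"in": [("hop_a", 40.0), ("hop_b", 23.7)],
            "out": [("exchange_deposit_1", 63.7)]},
    "tx5": {"in": [("core_gang_addr", 11.3), ("other_addr", 5.0)],
            "out": [("exchange_deposit_2", 16.3)]},
}

# Constructed: deposit addresses an exchange has attributed to itself.
EXCHANGE_DEPOSITS = {"exchange_deposit_1", "exchange_deposit_2"}


def build_graph(ledger):
    """Address-level flow graph: src -> [(dst, amount, txid)].

    Every input is treated as feeding every output of its tx. That is a
    simplification; real tracers apply per-output attribution rules."""
    graph = defaultdict(list)
    for txid, tx in ledger.items():
        for src, _ in tx["in"]:
            for dst, amt in tx["out"]:
                graph[src].append((dst, amt, txid))
    return graph


def trace_to_exchange(ledger, start, exchange_addrs):
    """Breadth-first search from `start`; return (address path, txid path)
    for every route that ends on an exchange deposit address."""
    graph = build_graph(ledger)
    found = []
    queue = deque([(start, [start], [])])
    while queue:
        addr, path, txs = queue.popleft()
        if addr in exchange_addrs:
            found.append((path, txs))
            continue
        for dst, _, txid in graph.get(addr, []):
            if dst not in path:  # skip self-sends and cycles
                queue.append((dst, path + [dst], txs + [txid]))
    return found


def cluster_common_inputs(ledger):
    """Common-input-ownership heuristic: addresses spent together as inputs of
    one tx are assumed to be controlled by one entity (union-find)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger.values():
        addrs = [a for a, _ in tx["in"]]
        for a in addrs:
            find(a)  # register single-input addresses as their own cluster
        for other in addrs[1:]:
            parent[find(other)] = find(addrs[0])
    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return [frozenset(c) for c in clusters.values()]


def deposits_by_exchange_address(ledger, exchange_addrs):
    """Total received per exchange deposit address: the cash-out choke point."""
    totals = defaultdict(float)
    for tx in ledger.values():
        for dst, amt in tx["out"]:
            if dst in exchange_addrs:
                totals[dst] += amt
    return dict(totals)


if __name__ == "__main__":
    for path, txs in trace_to_exchange(LEDGER, "ransom_addr", EXCHANGE_DEPOSITS):
        print(" -> ".join(path), "via", ", ".join(txs))
    print(cluster_common_inputs(LEDGER))
    print(deposits_by_exchange_address(LEDGER, EXCHANGE_DEPOSITS))
```

The "every input feeds every output" rule in `build_graph` over-taints: a real investigation has to decide which output carries the ransom when an address is co-spent with unrelated funds (as `core_gang_addr` is in `tx5`), and the clustering heuristic is defeated by CoinJoin-style transactions that deliberately mix inputs from different owners. Both limitations are why the article stresses that identifying the people behind a cluster takes far more work than drawing the graph.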


“It’s a very, very small ecosystem, and cash outs are primarily occurring by a small number of what appear to be professional money launderers,” Kennedy says.


Privacy coins, such as monero, do have public blockchains, but they obscure senders, recipients and amounts on-chain, which makes them inherently harder to track. But mostly, they’re not a factor yet, in part due to low liquidity. “It would be much worse if [ransomware payments] were happening with a less transparent form of value transfer,” she says.