Tracing the cryptocurrency-ransomware conundrum

by Bruce Snell

17 September 2021

Bitcoin has become the payment method of choice for threat actors. But would an increase in cryptocurrency regulation actually make a dent in the current spate of ransomware attacks?

Last month there was an article in the Wall Street Journal about cryptocurrency’s role in ransomware hacks. On the heels of a spate of ransomware attacks that rocked the country, including SolarWinds, Colonial Pipeline, JBS and others, the Biden administration set to work examining cryptocurrency’s role in those hacks that disrupted key industries in the US and elsewhere.

Given the heavy coverage in the news, I’ve been getting a lot of questions from clients about ransomware and cryptocurrency. Why has Bitcoin become so popular in ransomware attacks? Would an increase in regulation on cryptocurrency actually make a dent?

Why Bitcoin?

Cybercriminals love Bitcoin because it is decentralized, anonymous, and difficult to trace. Before the widespread adoption of Bitcoin, cybercriminals used various money laundering techniques such as payment by gift cards or shady wire transfers. However, these methods tend to be fairly time-consuming and end up costing the cybercriminals part of their ill-gotten gains in fees. The earliest usage of Bitcoin that I dealt with was CryptoLocker2.0, which showed up around 2013, only four years after Bitcoin was introduced into circulation. Bitcoin actually fell out of usage for a couple of years due to the complexity of buying cryptocurrencies at the time. Cybercriminals pivoted to alternative means of payment (including iTunes gift cards) for a while until it became easier for the average person to use Bitcoin.

Now that Bitcoin has become so commonplace, it’s relatively easy for anyone to make a ransomware payment using the currency. In fact, it’s not uncommon for cybercrime groups to have a dedicated support person to help their victims through the process of buying cryptocurrency to pay the ransom! Cybercrime service with a smile.

And this is a problem that only continues to grow. Cybercriminals want to take the easiest and quickest path to making money. It’s much quicker and easier to infect a business with ransomware and demand payment than it is to run a long ‘slow and low’ attack in which data is stolen with the intention of reselling the information later. Add in the relative ease of use and anonymity that comes with cryptocurrency and you have the makings of a winning cybercrime business model.

Legislation to the rescue?

I think that, however well-intended, legislation will have very little impact in curtailing the use of cryptocurrency in the current plague that is ransomware. The decentralized nature of cryptocurrency makes it almost impossible to enforce any sort of legal controls that will impact cybercriminals. Legislation will only impact people who are using cryptocurrency for legitimate transactions. From a criminal’s perspective, all they’ll need to do is shift their cryptocurrency to a country that has little to no regulation. Bitcoin doesn’t care about borders.

And while we saw the FBI step in and recover quite a bit of the Bitcoin used to pay the ransomware gang responsible for the Colonial Pipeline incident, for example, that required a tremendous amount of effort and attention that unfortunately can’t be used for every single victim of a ransomware attack.

The bottom line here is, if the government were to somehow manage to trace and shut down ransomware payments on a regular basis or, even more unlikely, cripple cryptocurrency altogether, threat actors would find another way. It’s what they do. The best thing we can do as an industry is to be ready for them.

Bruce Snell

VP Security Strategy and Transformation, Security Division at NTT Ltd.