Ransomware and cryptocurrency: A match made in hell

Ransomware attacks are at an all-time high in 2021. With attackers choosing Bitcoin as their payment of choice, governments worldwide are scrambling for solutions, some of which could actually be good for the legitimacy of crypto overall.

Ransomware is malware that encrypts files on a victim’s devices, rendering them unusable on that device and on any other device on the network that depends on them until the attacker’s key is obtained. The operators then demand a ransom in exchange for decrypting the compromised files.

Ransomware is most commonly delivered by email attachments or links carrying code that installs it without the user’s knowledge, although, as the Kaseya case below shows, it can also arrive through exploited software vulnerabilities and compromised management tools. Operators target important or confidential files, and to ratchet up the pressure they typically exfiltrate (copy out without authorization) the data before encrypting it and then threaten to leak it if the ransom is not paid, a tactic known as double extortion.

Why are ransomware attacks increasing?

Ransom demands from hackers are as old as computer networks themselves, but the problem criminals always faced was how to collect the money and launder it without being caught. In recent years cryptocurrency has provided an almost perfect solution.

For ransomware attackers, the right kind of crypto is fast, cheap, liquid and difficult to trace. Most attackers have demanded Bitcoin, but Bitcoin is far less anonymous than people assume: every transaction is recorded on a public ledger, and firms such as CipherBlade specialize in tracing ransoms paid in Bitcoin and helping victims recover them.
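Why Bitcoin ransoms are traceable in practice comes down to the ledger itself: every transaction names the exact earlier outputs it spends, so a public graph connects the ransom address to whatever address the funds finally land on, including exchange deposit addresses of the kind Chainalysis reports on later in this piece. The script below is an added example, not code from the article, CipherBlade or Chainalysis. It walks a small constructed transaction graph (txids, addresses and amounts are made up) from a ransom address through a split and a merge with clean coins to a deposit address that is assumed, for illustration, to belong to an exchange, using proportional (“haircut”) tainting in which each output inherits the input-weighted share of tainted value.

```python
"""Added example: following ransom proceeds through a Bitcoin-style transaction graph.

All transactions below are CONSTRUCTED for illustration. The exchange
attribution is an ASSUMPTION; in practice it comes from a chain-analytics
vendor's address clustering, which is not modelled here.
"""
from collections import deque

# inputs: [(prev_txid, output_index)], outputs: [(address, satoshis)].
# A transaction with no inputs models freshly mined (clean) coins.
TXS = {
    "tx_mined_1":  {"inputs": [], "outputs": [("bc1victim", 5_010_000)]},
    "tx_mined_2":  {"inputs": [], "outputs": [("bc1clean", 5_000_000)]},
    # Victim pays the 0.05 BTC ransom.
    "tx_ransom":   {"inputs": [("tx_mined_1", 0)],
                    "outputs": [("bc1ransom", 5_000_000)]},
    # Attacker splits the ransom across two hops (10_000 sat fee).
    "tx_split":    {"inputs": [("tx_ransom", 0)],
                    "outputs": [("bc1hopA", 3_000_000), ("bc1hopB", 1_990_000)]},
    # Attacker merges one hop with unrelated clean coins to muddy the trail.
    "tx_merge":    {"inputs": [("tx_split", 0), ("tx_mined_2", 0)],
                    "outputs": [("bc1hopC", 7_990_000)]},
    # The merged coins are deposited at an exchange.
    "tx_cashout":  {"inputs": [("tx_merge", 0)],
                    "outputs": [("bc1exchange_dep", 7_980_000)]},
}

# Assumed attribution of a deposit address to an exchange (hypothetical name).
KNOWN_DEPOSIT_ADDRESSES = {"bc1exchange_dep": "ExampleExchange"}


def taint_graph(txs, ransom_address):
    """Return {(txid, vout): tainted_satoshis} for every output carrying ransom value.

    Outputs paid directly to the ransom address are fully tainted; every other
    output is tainted in proportion to the tainted share of its transaction's
    inputs. Integer arithmetic keeps the result exact.
    """
    memo = {}

    def out_taint(txid, vout):
        if (txid, vout) in memo:
            return memo[(txid, vout)]
        tx = txs[txid]
        address, value = tx["outputs"][vout]
        if address == ransom_address:
            taint = value
        else:
            total_in = sum(txs[p]["outputs"][v][1] for p, v in tx["inputs"])
            tainted_in = sum(out_taint(p, v) for p, v in tx["inputs"])
            taint = value * tainted_in // total_in if total_in else 0
        memo[(txid, vout)] = taint
        return taint

    return {(t, i): out_taint(t, i)
            for t, tx in txs.items() for i in range(len(tx["outputs"]))
            if out_taint(t, i) > 0}


def taint_by_address(txs, ransom_address):
    """Aggregate tainted value per receiving address."""
    totals = {}
    for (txid, vout), taint in taint_graph(txs, ransom_address).items():
        address = txs[txid]["outputs"][vout][0]
        totals[address] = totals.get(address, 0) + taint
    return totals


def exchange_exposure(txs, ransom_address, known_deposits):
    """List (address, exchange, tainted_satoshis) for known deposit addresses that received ransom value."""
    totals = taint_by_address(txs, ransom_address)
    return [(a, known_deposits[a], totals[a]) for a in totals if a in known_deposits]


def spend_path(txs, ransom_address, target_address):
    """Breadth-first search over spending edges from the ransom payment to the first
    transaction that pays target_address; returns the list of txids or None."""
    spenders = {prev: txid for txid, tx in txs.items() for prev in tx["inputs"]}
    starts = [t for t, tx in txs.items() if any(a == ransom_address for a, _ in tx["outputs"])]
    queue = deque((t, [t]) for t in starts)
    seen = set(starts)
    while queue:
        txid, path = queue.popleft()
        if any(a == target_address for a, _ in txs[txid]["outputs"]):
            return path
        for vout in range(len(txs[txid]["outputs"])):
            nxt = spenders.get((txid, vout))
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


if __name__ == "__main__":
    for address, exchange, sats in exchange_exposure(TXS, "bc1ransom", KNOWN_DEPOSIT_ADDRESSES):
        print(f"{sats / 1e8:.8f} BTC of ransom value reached {exchange} via {address}")
    print("path:", " -> ".join(spend_path(TXS, "bc1ransom", "bc1exchange_dep")))
```

Even after the attacker mixes the ransom with clean coins, the haircut rule still attributes 0.029925 BTC of the exchange deposit to the ransom, and the spend path is recoverable by simple graph search. The same walk is impossible on Monero, where ring signatures hide which input a transaction really spends and stealth addresses hide the recipient, which is the whole point of the contrast drawn in the next paragraph.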

There are cryptocurrencies that are much more private than Bitcoin, though. The largest privacy coin by market cap is Monero (XMR), which is designed so that every transaction is untraceable and unlinkable by default: ring signatures (the multilayered linkable spontaneous anonymous group scheme, MLSAG, since replaced by the more compact CLSAG) hide which input is really being spent, stealth addresses hide the recipient, and Ring Confidential Transactions (RingCT) hide the amount. Together these make Monero payments far harder to trace than Bitcoin.

State actors are involved

Another reason for the increase in ransomware attacks is the growth of cyberwarfare generally. No country wants a shooting war, but cyber-attacks can inflict major damage on adversaries while the nation behind them sidesteps responsibility by blaming criminals. North Korea, for example, derives a significant share of its national income from cybercrime, and there are many other state actors in the space, with the People’s Republic of China and Russia the two biggest players.

On July 19, 2021 the White House released a statement accusing the Chinese government of supporting ransomware attacks as well as crypto-jacking, digital extortion and theft. “Countries around the world are making it clear that concerns regarding the PRC’s malicious cyber activity is bringing them together to call out those activities, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security,” said the statement. The U.S. also said, with high confidence, that actors affiliated with China’s Ministry of State Security (MSS) were behind the mass exploitation of Microsoft Exchange email servers earlier in the year.

Allies joining the United States in criticizing the PRC’s role in malicious cyber activities include the European Union, the United Kingdom, and assorted NATO states. Steps being taken to eliminate and clamp down on ransomware are escalating globally.

The most prominent ransomware group of recent years is REvil, a name formed from "ransomware" and "evil." Security researchers track its malware family, which encrypts victims’ data, as REvil/Sodinokibi. The group is Russia-linked, has operated since 2019, and has been on a particularly intense crime spree since March 2021.

Besides its own attacks, REvil runs a ransomware-as-a-service business, renting its malware and infrastructure to third-party hackers. It built a sophisticated infrastructure on the dark web, which Google and other search engines do not index and therefore do not track.

[Image: An REvil notification to an infected user.]

REvil’s approach to its targets is very business-like. Victims are directed to a dashboard for payment instructions, with REvil providing helpdesk-like services and even a negotiator. The criminal group also recruits and equips affiliates and is thought to take 20% of any proceeds from ransomware payments collected by its partner hackers.

Since March REvil has attacked:

  • Acer, a Taiwanese computer manufacturer (requested $50 million)
  • Asteelflash, a French electronics manufacturer (requested $12 million, raised to $24 million after the victim did not pay)
  • Quanta Computer, a Taiwanese manufacturer that builds MacBooks and other hardware for Apple (initially requested $50 million)
  • Tata Steel, an Indian steel maker (requested $4 million)
  • Pierre Fabre, a large French pharmaceutical and dermocosmetics company (requested $25 million, raised to $50 million after non-payment)

On June 9 US meat supplier JBS announced it had paid an $11 million ransom to REvil after a ransomware attack knocked out plants that process around 20% of the American meat supply. Coming so soon after the Colonial Pipeline attack (attributed to another Russia-based group, DarkSide), this made cyber attacks a major focus of the June 16 Geneva summit between US President Biden and Russian President Vladimir Putin.

[Image: Cybercrime was a major focus of the US and Russia’s Geneva Summit. Image credit: Creative Commons 4.0]

After the meeting, Biden told assembled media that he and Putin had agreed to form working groups with participants from both countries to evaluate the cybercrime issue – and that he had given Putin a list of 16 U.S. sectors that were not to be attacked. These included things like the electricity grid, water services, healthcare and critical food production infrastructure. "I talked about the proposition that certain critical infrastructure should be off-limits to attack, period — by cyber or any other means," Biden said.

The Kaseya attack – the straw that broke the camel’s back

The apparent truce did not last long. On July 2 Kaseya, an IT management software vendor whose customers include Managed Service Providers (MSPs) and enterprises, announced that it was the victim of a cyberattack. Like so many before the Biden/Putin meeting, the attack was attributed to REvil, which claimed responsibility on its dark-web ‘Happy Blog’.

[Image: REvil routinely publicized its attacks on its Happy Blog website.]

The Kaseya breach was a supply chain ransomware attack. The attackers exploited a then-unpatched vulnerability (CVE-2021-30116) in internet-facing, on-premises Kaseya VSA servers run by MSPs, and then abused VSA’s own remote-management capability to push the ransomware, disguised as a VSA agent hotfix, to the endpoints those MSPs manage. Kaseya’s MSP customers thus became the channel through which their own clients were infected.

Although Kaseya CEO Fred Voccola said that fewer than 0.1% of its customers were affected by the breach, security experts argued the impact was much wider: because many of those customers were MSPs, their small and medium-sized clients were hit too, and an estimated 800 to 1,500 companies had their operations disrupted.

[Image: Kaseya’s MSP clients and their customers received individual ransom demands payable in Monero.]

All down the chain, victims received demands for around $45,000 worth of Monero. REvil also offered a universal decryptor that would supposedly unlock every encrypted system, for what it called a ‘bargain’ price of $70 million in Bitcoin.

REvil vanishes

It does not appear that this ransom will be paid, however: on July 13 REvil’s payment site, public site, ‘helpdesk’ chat and negotiation portal all went offline. Why is unclear, though US law enforcement is speculated to have played a role. Days earlier, on a July 9 call, President Biden had confronted President Putin about the attacks. Said Biden after the call: "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is."

For its part, Kaseya is adamant that it did not and will not pay a ransom. The day before REvil disappeared Kaseya released a patch for affected users, and the company says 100% of its SaaS customers are back online. At the time, however, it appeared that some victims were left in the lurch, with REvil offline and no way to decrypt their locked files.

The situation evolved again on July 21, when Kaseya announced it had “obtained a decryptor for victims of the REvil ransomware attack” that was 100% effective in decrypting files, and that it was contacting all affected parties to resolve their issues. On how it came by the decryptor, the company said: “We are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”

Shooting the messenger? Addressing the ransomware & crypto unholy alliance

Even before the massive attacks of June and July, ransomware had a dedicated action group. In April the Institute for Security and Technology convened the Ransomware Task Force, a public-private group with participants from the FBI and the Secret Service as well as major tech and security companies, and the same month the U.S. Department of Justice stood up its own ransomware task force.

As part of its work, the Task Force mapped the payment pathway of an attack and pinpointed the ransom payment in crypto as a key point at which regulators can disrupt the criminal enterprise.

[Image: Disrupting crypto payments will be fundamental to beating ransomware, according to the Ransomware Task Force.]

Who’s in the firing line?

The Task Force recommends a two-pronged ‘vinegar or honey’ approach to its disruption mission. First, the vinegar. Within the next year, it says, “lawmakers need to pursue and enforce consistent licensing and registration requirements for cryptocurrency exchanges, crypto kiosks, and OTC trading desks where criminals cash out their cryptocurrency from ransomware payments.”

This is a shot across the bow of major exchanges such as Binance and Huobi, which the blockchain analytics firm Chainalysis has identified as popular off-ramps for the proceeds of crime. In its report on 2019, for example, Chainalysis said it had traced $2.8 billion in Bitcoin moving from criminal entities to exchanges, just over half of it through Binance and Huobi, and there is no reason to believe the picture is any different today.

[Image: Chainalysis says Binance and Huobi accounted for the majority of illicit Bitcoin deposited at exchanges in 2019. Source: Chainalysis]

The Task Force says enforcement bodies must “penalize non-compliant exchanges, kiosks, and OTC desks” that flout Know Your Customer (KYC), Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) rules, and that those crypto off-ramps should “consistently report suspicious transactions to law enforcement or other institutions.”

Perhaps in response to this looming enforcement action, Binance announced on July 27 that it was cutting the daily withdrawal limit for accounts with only Basic Account Verification from 2 BTC (around $80,000) to 0.06 BTC (approximately $2,400), a significant reduction that suggests Binance is trying to reduce the amount of illicit crypto flowing through its exchange.

Binance CEO Changpeng Zhao also said he would be willing to step down as the exchange seeks to become a regulated financial institution; in recent months Binance has faced regulatory scrutiny and business restrictions in Asia, North America and Europe. At Huobi the daily limit for unverified users remains at 1 BTC ($40,000), although in June the exchange launched a “Z-Labs” division that it says will “target crypto-crimes such as money laundering and fraud.”

In terms of honey, the Ransomware Task Force leaves the door open for exchanges, kiosks and OTC desks to become part of the solution, saying they “should be incentivized” to report suspicious activity. It does not spell out what form that incentive might take, but the SEC and FinCEN both have well-established whistleblower programs, so at least a mechanism exists for rewarding organizations that play ball.

How to protect against a ransomware attack

Cybersecurity researchers are divided on whether ransomware victims should pay their attackers. The FBI advises against it, and while paying a ransom is not itself illegal in the US, the Treasury’s Office of Foreign Assets Control (OFAC) has warned that payments to sanctioned groups can expose the payer to sanctions liability. Paying also does not guarantee a working decryption key, so a ‘prevention is better than cure’ approach is recommended, particularly in day-to-day data security practices. Protective measures should include:

  • Regular backups of critical data, kept offline or otherwise out of reach of a compromised network (ransomware routinely seeks out and encrypts any backups it can reach), with restores tested so that encrypted data can actually be recovered without paying.
  • Training staff to spot malicious emails. Users can learn the patterns that recur in ransomware, phishing and social engineering emails, making them less likely to open malicious attachments or links.
  • Keeping software on the network patched: firmware, anti-malware tools, operating systems and third-party software, including remote-management tools like the one abused at Kaseya. Updates close the vulnerabilities that ransomware operators exploit to get in and spread.
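A backup only bypasses the ransom if it survived the attack and can really be restored, so the first item above is worth making concrete. The script below is an added example, not code from the article or from any vendor it mentions: it builds a constructed “live” directory and an offline copy in a temporary folder, records a SHA-256 manifest of the copy, simulates ransomware overwriting and renaming the live files, then detects the damage and performs a manifest-verified restore. The backup is checked against the manifest before it is used, because a backup that was reachable from the infected host may already have been encrypted.

```python
"""Added example: verify that a backup can actually be restored after ransomware hits.

Everything here is CONSTRUCTED in a temporary directory; the file names and
contents are illustrative only.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256, so the copy can be audited later."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root, manifest):
    """Return {relpath: 'missing' | 'modified' | 'unexpected'} for every deviation from the manifest."""
    root = Path(root)
    problems = {}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != digest:
            problems[rel] = "modified"
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            problems[rel] = "unexpected"   # e.g. a ransomware-renamed file
    return problems


def restore(backup_root, live_root, manifest):
    """Check the backup against the manifest, replace the live tree with it, and re-verify."""
    backup_problems = verify_tree(backup_root, manifest)
    if backup_problems:
        raise RuntimeError(f"backup does not match manifest, refusing to restore: {backup_problems}")
    live_root = Path(live_root)
    shutil.rmtree(live_root)
    shutil.copytree(backup_root, live_root)
    return verify_tree(live_root, manifest)


def simulate_ransomware(live_root):
    """Constructed damage: overwrite each file with random bytes and add a .locked suffix."""
    for p in list(Path(live_root).rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
            p.rename(p.with_suffix(p.suffix + ".locked"))


def run_restore_drill():
    """End-to-end drill; returns (problems_after_attack, problems_after_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "readme.txt").write_text("constructed sample data\n")
        shutil.copytree(live, backup)          # the 'offline' copy, taken before the attack
        manifest = build_manifest(backup)
        simulate_ransomware(live)
        after_attack = verify_tree(live, manifest)
        after_restore = restore(backup, live, manifest)
        return after_attack, after_restore


if __name__ == "__main__":
    attacked, restored = run_restore_drill()
    print("after attack:", attacked)
    print("after restore:", restored or "clean, restore verified")
```

In a real environment the manifest would be written at backup time and stored with the offline copy, and the drill run on a schedule against a scratch host rather than the production tree; the point of the exercise is that the manifest, not the mere existence of a backup, is what tells you the restore worked.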

Conclusion

In 2020 the Financial Stability Board (which is the global organization mandated to promote international financial stability) released a report that concluded crypto assets did not “pose a material risk” to global financial stability at the time – but needed vigilant monitoring. One of the main reasons the FSB didn’t see crypto as high risk to the global economy was that the total market capitalization of the sector was insignificant compared to other assets like stocks and bonds.

Approached from another angle, on an almost weekly basis the SEC names, shames and fines the world’s biggest banks and companies for financial crimes. In 2020, for example, Goldman Sachs agreed to pay $1 billion to resolve corruption charges, Wells Fargo settled a range of offences for $3 billion, and Ericsson agreed to pay $1 billion dollars to settle bribery charges. In this environment, SEC orders and fines against crypto related organizations are tiny in comparison.

The point is that, as a share of overall global crime, crypto crime has not been a major factor. A scammy ICO here, an exchange rug-pull there, but combined it has not added up to much in the larger scheme of things. Cryptocurrency has therefore been able to fly under the radar of lawmakers and police for most of its existence, and when problems did occur they were never a priority.

In 2021, however, things changed when cryptocurrency became an integral part of criminal schemes that saw Americans unable to put gas in their cars, buy a hamburger, or log in to their work computer. Ransomware attacks put cryptocurrency on the radar of global authorities for all the wrong reasons.

Because of this, crypto exchanges that merely pay lip service to stopping money laundering will be forced to get on board or face real consequences, as will crypto ATMs, OTC trading desks and the many other entities that provide crypto-to-fiat off-ramp services. For those who view the crypto world through a libertarian/cypherpunk lens, this will not be welcome news. But for those whose ultimate goal for cryptocurrency is wider adoption and true financial legitimacy, it looks as though the ransomware scourge of 2021 may have created just the fork in the road, and the new direction, that crypto needs to get there.
