The Colonial Pipeline ransomware shutdown on May 7, which ended with nearly $5 million paid to the group responsible for the company's hacking, illustrates just how out of control the ransomware epidemic now is. Beyond Colonial Pipeline, this one ransomware gang, DarkSide, has extorted $90 million in six months, and the number of similar gangs is proliferating so fast that you need a dashboard to keep track of them all. Conservative estimates put the direct extortion costs in the billions this year alone, and the collateral damage to the economy is undoubtedly an order of magnitude or two greater.
But in the end, this cyber pandemic is not the result of a ransomware problem. It exists because we have a Bitcoin problem.
In the late 2000s, the world faced a different breed of Russian criminal actors: spammers hawking Viagra and other pharmaceuticals. Like today's ransomware gangs, many of them operated on an affiliate model, where the gang provided the infrastructure and affiliates compromised targeted machines through spam campaigns. Then, as now, Russian authorities generally did not intervene as long as the spammers did not disturb Russian computers or drag law enforcement into their internal quarrels. These gangs of the late 2000s brought in about $100 million per year, while easily causing an order of magnitude more in indirect damage.
At the time, it seemed almost impossible for foreign law enforcement agencies to combat these operations. The criminals were clearly beyond the reach of US law and were protected by a Russian government that viewed cybercrime as a profit center so long as the impact fell outside Russia. But the research group of which I was then a member showed Pfizer how to eliminate the Viagra spam problem.
Our study began with obtaining nearly a billion spam messages. We then built an infrastructure to read those messages and automatically visit the advertised websites, mapping out all of the supporting infrastructure along the way. Finally, we completed the picture by purchasing items such as fake watches and over-the-counter pharmaceuticals to uncover the complete chain a spammer needs to turn pharmaceutical spam into profit.
To sell these spamvertised pharmaceutical products, the attackers could create arbitrary websites under arbitrary domain names, making it impossible to say, "These are the bad spam sites. Take them out." Although they shipped product directly from international locations, they still had to process credit card payments, and at the time almost all of the gangs relied on just three banks. Our study, which was featured in a New York Times story, resulted in the closure of the gangs' bank accounts within days of the story. It was the beginning of the end for the Viagra spam industry. One of the major gang operators posted parts of our article on a Russian cybercrime forum the next day, ending his rant with the rebuke "f***ing scientists, always again" and a photo of a mushroom cloud.
Subsequently, any spammer who dared to use the "Viagra" brand would quickly find their ability to accept credit cards irrevocably compromised: someone would make a test purchase to identify the receiving bank, and Pfizer would then send a complaint to that bank. In less than a year, the Viagra spam business was effectively gone, with one Russian cybercriminal lamenting: "Damn Visa burns us with napalm." If the criminals' ability to process payments can be disrupted, so too can their ability to function.
Collectively, we also saw the effectiveness of payment disruption during the first major ransomware outbreak in 2012 and 2013. Various ransomware families proliferated, including one that impersonated the FBI. Some of this earlier generation of ransomware would accept either Bitcoin or Green Dot MoneyPaks, and it targeted retail victims in an attempt to extort a few hundred dollars each. Fortunately, this pattern never metastasized, as Bitcoin was extremely inconvenient (and cannot even work for small transactions anymore, with each transaction costing nearly $59 in April 2020). Meanwhile, Green Dot significantly cleaned up its act in response to pressure from the Financial Crimes Enforcement Network and Congress to remedy its role in these criminal schemes.
Today, a new threat has emerged: "big game ransomware." These operations target businesses rather than individuals, with the aim of extorting millions rather than hundreds of dollars at a time. The income is large enough that some gangs can even specialize and develop zero-day vulnerabilities for niche software. Even the cryptocurrency community has noted that ransomware is a Bitcoin problem. Multi-million dollar ransoms, paid in Bitcoin, now appear to be commonplace.
This strongly suggests that the best way to deal with this new era of big game ransomware will involve more than securing computer systems (after all, you cannot patch a zero-day vulnerability) or prosecution (since Russia clearly does not extradite or prosecute these criminals). It will also require disrupting the only payment channel capable of moving millions at a time outside of money laundering laws: Bitcoin and other cryptocurrencies. There are several methods that could degrade, disrupt or destroy the cryptocurrency space.
Some will say that with so much money at stake, the bad guys will find another way. I strongly disagree. There are only three existing mechanisms capable of transferring a $5 million ransom: a bank-to-bank transfer, cash, or cryptocurrency. No other mechanism currently exists that can move millions of dollars at a time.
Ransomware gangs cannot use normal banking. Even the most blatantly corrupt bank would view ransomware payment processing as an existential risk. My group and I saw this with the Viagra spammers: the spammers' banks had the choice of either de-banking the bad guys or being cut off from the financial system. The same would apply if a ransomware gang attempted to use wire transfers.
Cash is also a non-starter. A $5 million ransom weighs 110 pounds (50 kilograms) in $100 bills, or two full suitcases. Arranging such a transfer to an extortionist operating outside the United States is clearly infeasible on physical grounds alone. Ransomware operators need transfers that require neither a physical presence nor a hundred pounds of paper.
This means that cryptocurrencies are the only tool left to ransomware operators. So if governments take meaningful action against Bitcoin and other cryptocurrencies, they should be able to disrupt this new scourge of ransomware and then eradicate it, as happened with the Viagra spam industry.
Because in the end, we do not have a ransomware problem; we have a Bitcoin problem.