Cybersecurity and Deterrence

The Ransomware Problem Is a Bitcoin Problem

By Nicholas Weaver
Thursday, May 27, 2021, 12:56 PM

The May 7 ransomware shutdown of Colonial Pipeline, resulting in the payment of nearly $5 million to the group responsible for hacking the corporation, illustrates how the ransomware epidemic is now out of hand. Beyond just the Colonial Pipeline hack, this single ransomware gang, DarkSide, has successfully earned/amassed/extorted $90 million in revenue in half a year, and the number of similar gangs is proliferating so much that one needs a scorecard to keep track of them all. Conservative estimates suggest the costs of direct extortion will be in the billions this year alone, and collateral damage to the economy is undoubtedly one or two orders of magnitude more.

But in the end, this cyber pandemic is not a result of a ransomware problem. Instead, it’s because society has a Bitcoin problem.

Back in the late 2000s, the world faced a different enterprise of Russian criminal actors, with spammers targeting Viagra and other pharmaceuticals. Like today’s ransomware, multiple gangs operated with an affiliate model, where the gangs provided the infrastructure and the affiliates compromised the targeted machines through spamming efforts. Then, as now, Russian authorities generally didn’t intervene as long as the spammers didn’t disrupt Russian computers or bring law enforcement into their internal squabbles. These late 2000 gangs grossed roughly $100 million a year, while causing consequential damages easily an order of magnitude higher.

At the time, it looked almost impossible for foreign law enforcement to combat these operations. These criminals were clearly outside the reach of U.S. law and were sheltered by a Russian government that viewed cybercrime as a profit center as long as the impacts weren’t localized. But the research group I was then a member of showed Pfizer how to eliminate the Viagra spam problem. 

Our study started with obtaining nearly a billion spam messages. We then built infrastructure to read these messages and automatically visit the advertised websites. Along the way we traced all this infrastructure. Then we completed the process by purchasing items such as fake watches and over-the-counter pharmaceuticals to discover the complete chain needed for a spammer to turn pharmaceutical spam into profit.

In selling these identified spamvertized pharmaceuticals, the attackers could create arbitrary websites and arbitrary domain names, making it impossible to say, “These are the bad spam-sites. Remove them.” Although they drop-shipped products from international locations, they still needed to process credit card payments, and at the time almost all the gangs used just three banks. This revelation, which was highlighted in a New York Times story, resulted in the closure of the gangs’ bank accounts within days of the story. This was the beginning of the end for the spam Viagra industry. One of the major gang operators posted portions of our paper on a Russian cybercrime forum the next day, ending his rant with a gripe that translated to “F***ing scientists, always at it again” and a picture of a mushroom cloud.

Subsequently, any spammer who dared use the “Viagra” trademark would quickly find their ability to accept credit cards irrevocably compromised as someone would perform a test purchase to find the receiving bank and then Pfizer would send the receiving bank a nastygram. In less than a year, the Viagra spam business effectively died, with one Russian cybercriminal remarking, “F***ing Visa is burning us with napalm.” If the criminals’ ability to process payments can be disrupted, so can their ability to operate.

As a society, we also saw the effectiveness of payment interdiction in the first major ransomware epidemic back in 2012 and 2013. Various ransomwares proliferated, including one purporting to involve the FBI. Some of these previous-generation ransomwares would accept either Bitcoin or Green Dot MoneyPaks and targeted retail victims by trying to extort a couple hundred dollars. Fortunately this scheme never metastasized, because Bitcoin was grossly inconvenient (and now can’t even work for small transactions, with each costing nearly $59 as of April 2020). Meanwhile, Green Dot cleaned up its act considerably in response to the Financial Crimes Enforcement Network and congressional pressure to remedy its role in these criminal efforts.

Now, a new threat has emerged—“big-game ransomware.” These operations target companies instead of individuals, in an attempt to extort millions rather than hundreds of dollars at a time. The revenues are large enough that some gangs can even specialize and develop zero-day vulnerabilities for specialized software. Even the cryptocurrency community has noted that ransomware is a Bitcoin problem. Multimillion-dollar ransoms, paid in Bitcoin, now seem to be commonplace.

This strongly suggests that the best way to deal with this new era of big-game ransomware will involve not just securing computer systems (after all, you can’t patch against a zero-day vulnerability) or prosecuting (since Russia clearly doesn’t care to either extradite or prosecute these criminals). It will also require disrupting the one payment channel capable of moving millions at a time outside of money laundering laws: Bitcoin and other cryptocurrencies. Currently, there are various methods that can degrade, disrupt or destroy the cryptocurrency space.

Others may argue that with so much money involved, the bad guys will find another way. I strongly disagree. There are only three existing mechanisms capable of transferring a $5 million ransom—a bank-to-bank transfer, cash or cryptocurrencies. No other mechanisms currently exist that can meet the requirements of transferring millions of dollars at a time.

The ransomware gangs can’t use normal banking. Even the most blatantly corrupt bank would consider processing ransomware payments as an existential risk. My group and I noticed this with the Viagra spammers: The spammers’ banks had a choice to either unbank the bad guys or be cut off from the financial system. The same would apply if ransomware tried to use wire transfers.

Cash is similarly a nonstarter. A $5 million ransom is 110 pounds (50 kilograms) in $100 bills, or two full-weight suitcases. Arranging such a transfer, to an extortionist operating outside the U.S., is clearly infeasible just from a physical standpoint. The ransomware purveyors need transfers that don’t require physical presence and a hundred pounds of stuff.

This means that cryptocurrencies are the only tool left for ransomware purveyors. So, if governments take meaningful action against Bitcoin and other cryptocurrencies, they should be able to disrupt this new ransomware plague and then eradicate it, as was seen with the spam Viagra industry.

For in the end, we don’t have a ransomware problem, we have a Bitcoin problem.