How Bitcoin has facilitated ransomware – and what we need to do to fight back
If there was ever any doubt about the ongoing threat of cybercrime, you need look no further than the latest statistics from the FBI.
According to the ‘2019 Internet Crime report’, in the last five years the FBI has received 1.7m cybercrime complaints, with total annual losses increasing from $1.1bn in 2015 to more than $3.5bn in 2019. The top three crime types reported by victims were phishing/vishing, non-payment/non-delivery, and extortion. When it comes to ransomware, the 2018 report indicated a reduction in the number of complaints, but in 2019 these increased to their highest point since 2016 with losses totalling $8.9m.
So, why are attackers refocusing their efforts on ransomware? To answer this, it’s worth having a brief look at the recent history of cybercrime, and the role of spam, unsolicited messages sent via email over the internet, in its emergence.
The battle against spam ramped up in the 2000s when major players, such as Microsoft, started to tackle the infrastructure which spam runs on, using legal means to take down the domains and hosting sites that were being used. This tactic resulted in a significant reduction in spam, but even that was relatively short-lived – spam volumes would pick up again within a number of weeks as the spammers moved to another platform.
Then there was a focus on the payment systems behind spam – it was found that the whole system focused on the ability to use credit cards to purchase unlawful products. For example, adversaries were able to profit from selling illegal pharmaceuticals to US consumers by flooding the market with spam. An industry clamp-down on the use of credit cards to purchase unlawful products severely impacted the ability of criminals to raise funds.
The rise of Bitcoin
Criminal syndicates were left searching for a different financial channel. The rise of cryptocurrencies in the late 2000s provided a new method to raise funds from their victims. Bitcoin was the single biggest factor which enabled an alternative to spam and the rise of ransomware. Criminals were suddenly armed with the perfect mixture – organisations willing to pay a healthy sum for the return of their data plus a new, robust and (to a certain extent) anonymous payment method. As a result, Bitcoin has now become an inextricable part of the ransomware model.
Our own data supports that of the FBI – the rate of ransomware incidents is continuing to increase. We are seeing a growth in attacks on small and medium sized businesses, and also organisations that are highly reliant on IT but not well resourced, such as councils and hospitals. This was seen in the 2017 WannaCry attack, which had a huge impact on the UK National Health Service (NHS). However, we must be careful not to focus too heavily on categorising the types of organisation most likely to be targeted by ransomware. In the mind of the criminal, it doesn’t really matter who the target is – if an organisation has not taken the necessary precautions then they are vulnerable to attack.
So what is the solution? Organisations must start with two basic technical precautions – cyber hygiene including anti-virus and patches, and ensuring there is sufficient off-line back-up of the data that would take the business down if it were to be stolen. There also needs to be greater scrutiny and legislation of payment systems – in particular, the ease with which Bitcoin can be traded in ransomware cases. On a positive note, we are starting to see the first cases of legal action. In January, the UK High Court ordered a proprietary injunction on Bitcoin following an attack which resulted in over 1,000 computers of an insurance company being rendered unusable through the use of malware that encrypted files. The unidentified attackers demanded $1.2m in Bitcoin in exchange for decrypting the data.
Specialist cyber insurance is also being seen by many companies as a useful safety barrier to minimise the damage caused by an attack. The danger with insurance is that it may tempt businesses to perform the bare minimum of cybersecurity measures, simply to comply with an insurance policy, but no more. This is to the detriment of robust best practice through regular investment in up-to-date solutions and continuous monitoring and testing. Furthermore, we now have a toxic mixture of organisations happy to pay a reasonably priced premium to cover their losses and insurers often prepared to pay the cost of a ransom. Meanwhile, the criminal is safe in the knowledge that the chances of their efforts resulting in financial gain have significantly increased.
In summary, ransomware isn’t new – what has changed are the systemic factors which are allowing attackers to capitalise on the market. Heightened data and privacy regulations, the rise of cyber insurance and the ease with which Bitcoin can be traded have combined to create a market in which even the most uneducated of criminals can profit from holding firms to ransom.
There is no single, simple solution – the best advice to organisations is to have a clear understanding of their security debt. When companies ignore and accumulate security risks, this leads to an increase in security debt which must be paid when there is a breach. Businesses must understand that avoiding debt creep and servicing security debt sooner rather than later is incredibly important.
- Charl van der Walt, Head of Security Research, Orange Cyberdefense