The recent high profile ransomware attacks on Colonial Pipeline and food processing giant JBS have led to to ban cryptocurrencies because the attackers demanded to be paid in Bitcoin. But if cryptocurrency went away tomorrow would ransomware end? In a word, no. Ransomware existed before cryptocurrency was popular and, if cryptocurrency was outlawed tomorrow, criminals would simply seek alternative payment methods, of which there are many.
But blaming crypto for ransomware is like holding email accountable for ransomware because that’s a vector criminals use to infect victims. Neither are the cause of ransomware. What we need to eradicate this scourge is a more nuanced, multi-pronged strategy that gets to the root cause of the problem.
The growth of ransomware can be attributed to the rate at which companies are shifting critical systems online and the poor level of controls many companies have over their IT systems. When you couple those factors with ransomware gangs operating from foreign jurisdictions with relative impunity and little ability for law enforcement to drive an international response, you get a recipe for trouble.
This has led some pundits to throw up their hands and conclude the only . But if cryptocurrencies are banned, attackers will simply fall back to traditional money laundering methods like prepaid gift cards, money-mules, bulk cash smuggling, funnel accounts or requiring .
What’s more, there are many reasons cryptocurrency is good for law enforcement. Talk to law enforcement agents and those prosecuting crimes like this and they’ll tell you that cryptocurrencies are than traditional, .
In the world of Bitcoin, while you might not be able to immediately attach a name to a transfer, the whole history of transfers, for every address on the cryptocurrency network, is preserved forever and accessible to all. Law enforcement these “digital breadcrumbs” to track spending patterns. Where that cryptocurrency touches an exchange like Coinbase, which collects KYC (Know Your Customer) data for customers, a subpoena or a warrant will get them a real-world identity. That stands in stark contrast to traditional money laundering using cash or commodities.
If banning use of cryptocurrency isn’t the answer, what is?
Increase global law enforcement focus on ransomware and aggressively prosecute criminals — in the US or overseas — to create a real disincentive for criminals to use ransomware. The creation of a Ransomware and Digital Extortion Task Force by the DOJ was a positive step forward, but genuine investment in prosecutorial resources and continued engagement with our international partners will be key in the fight to ensure there are no safe haven countries for criminals.
In the wake of the Enron scandal, Congress created incentives for public companies to clean up financial controls and reporting via the Sarbanes-Oxley Act. Earlier this year Congress passed the Anti-Money Laundering Act, setting a framework for financial institutions to modernize their technology and improve the sharing of information to combat money laundering and terrorist financing. Congress must play a similar role in creating minimum standards for corporate security reporting and transparency, and creating safe harbors for cooperation and information sharing among companies.
Ensure common sense, existing regulations are applied evenly so that certain exchanges aren’t allowed to use jurisdictional arbitrage to avoid implementing KYC/AML programs. Research shows that the majority of illicit Bitcoin flows through a . Law enforcement and regulators could curb the flow of ransomware-proceeds by enforcing existing regulations on these venues.
That will take time, of course, so in the meantime companies in the trenches should actively review their own security posture and figure out if and how they could recover if attacked. Most companies have backup policies, but few organizations have restore policies or regularly test their ability to restore in a real-world scenario.
Ransomware isn’t going away even if cryptocurrencies are banned. So don’t be tempted by the “easy answer” given it isn’t really an answer at all. Let’s take the bull by the horns and focus on the hard work of putting ransomware in its place.
About Philip Martin
Philip Martin is the Chief Security Officer for Coinbase, where he is responsible for developing the technology, processes and team that safely store one of the world’s largest holdings of cryptocurrency. Prior to Coinbase, Philip built and led the Incident Response and Security Engineering teams at Palantir Technologies, developed new virtual infrastructure at Amazon A9 and spent a decade as a US Army counterintelligence agent in a range of foreign and domestic roles.