Bitcoin extortion: How cryptocurrency has enabled a massive surge in ransomware attacks

The disabling of Colonial Pipeline’s operations last week underscored the threat malicious hackers pose to critical infrastructure in the U.S., while illustrating the usefulness of cryptocurrency to cybercriminals who seek to extort large sums of money in an efficient and easily concealed manner.

The episode is likely to bring even greater interest in the regulation of bitcoin and other cryptocurrencies as law enforcement seeks to track down the perpetrators and policymakers hope to prevent similar attacks from happening again, according to Yonatan Striem-Amit, chief technology officer at cybersecurity firm Cybereason.

“There’s a war going on over what the regulation of bitcoin should look like,” he said in an interview with MarketWatch. “We don’t yet have an equivalent for anti-money laundering laws in cryptocurrency like we do for the existing financial system.”

The Wall Street Journal and other outlets reported that Colonial Pipeline paid the hacking group, affiliated with a criminal ransomware provider called DarkSide, roughly $5 million to recover its stolen data. Experts told MarketWatch that the payment was likely made directly to a digital wallet owned by the criminal enterprise — a method that would make it difficult for the authorities to track the culprits. A spokesperson for Colonial Pipeline declined to comment on the payment because the matter is the subject of an ongoing investigation.

The Ransomware Task Force, an international coalition of government officials, private-sector technologists and law enforcement, noted in a report published last month that cryptocurrencies “add to the challenge” of tracking down ransomware criminals because of the “borderless” nature of these types of digital money.

“The cryptocurrency community is expressly focused on building a set of technologies designed to reduce compliance and financial process costs,” the report reads. “After obfuscating the extorted funds, ransomware criminals may either withdraw the funds into hard cash, or because cryptocurrencies have become increasingly common (and their value has been steadily rising), they may keep their profits in cryptocurrency and use them to pay for other illicit activities.”

The task force recommended that regulators widen their definitions of which entities must adhere to federal anti-money laundering and know-your-customer rules. In 2019 the Treasury Department, the Securities and Exchange Commission and the Commodity Futures Trading Commission defined crypto exchanges as money service businesses, therefore making them subject to those rules.

But exchanges that are domiciled in countries outside the U.S., and other services that enable the transfer of cryptocurrency, are not overseen by these regulators. Tom Robinson, co-founder and chief scientist at the blockchain analysis and compliance firm Elliptic, told MarketWatch that overly aggressive regulation could simply push more activity onto these services. “There are ways of buying bitcoin without going through regulated exchanges, and you’d just push people into those unregulated services,” he said.

Robinson added that the decentralized nature of cryptocurrency makes international cooperation of paramount importance for catching bad actors. Because the payment was reportedly made in bitcoin and not in a privacy-focused currency like Monero, law enforcement will be better able to track where the bitcoin ransom has gone and where it will ultimately be spent, according to Robinson.

The Biden administration has said it believes that the hack was perpetrated by cybercriminals in Russia, a country with which the U.S. has frayed relations and no extradition treaty, making it even more unlikely that American law enforcement would eventually get its hands on the perpetrators.

It may be that the Russian government is also taking this episode seriously. Cyber intelligence firm Intel 471 said in a blog post Friday that over the past 24 hours it has “observed numerous ransomware operators and cybercrime forums either claim their infrastructure has been taken offline, amending their rules, or abandoning ransomware altogether due to the large amount of negative attention directed their way over the past week.” However, it’s not known for sure where these criminals are located or the reason that this infrastructure is being taken down.

Ransomware attacks remain a growing threat to private and public sector institutions around the world. On Friday, for instance, Ireland’s health service was forced to shut down its IT systems as the result of a ransomware attack, according to Reuters.

According to Chainalysis’s 2021 Crypto Crime Report, while the total dollar amount of criminal cryptocurrency transactions fell dramatically in 2020 relative to 2019, that activity is increasingly driven by ransomware attacks.

Last year “ransomware accounted for just 7% of all funds received by criminal addresses at just under $350 million worth of cryptocurrency. But that figure represents a 311% increase over 2019,” the report reads. “No other category of cryptocurrency-based crime rose so dramatically in 2020, as Covid-prompted work-from-home measures opened up new vulnerabilities for many organizations.”