Would killing Bitcoin end ransomware?
Ransomware is running rampant. The SonicWall GRID Threat Network detected an increase from 3.8 million ransomware attacks in 2015 to 638 million in 2016. According to a Radware report, 49 percent of businesses were hit by a ransomware attack in 2016. Quite often the attacker asks for some amount of cybercurrency – usually Bitcoin – in exchange for providing a decryption key.
One question this raises is whether ransomware attacks would decrease if Bitcoin ceased to exist? Security experts answer that question with a resounding “no”, indicating that cybercriminals would just move on to another anonymous payment method to continue their extortion.
"Getting rid of Bitcoin to stop ransomware would be like the U.S. Government getting rid of $100 bills to try to stop drug dealers from laundering their dirty money. It’s not the right solution. Would it momentarily create a bump in the road for cyber attackers who are making millions off of ransomware? Absolutely, but only for a fleeting moment,” said Richard Henderson, global security strategist at Absolute.
He added that attackers will just switch to any of the dozens of other popular virtual currencies, or switch to other easily launder-able instruments like prepaid credit cards. “Remember, the GreenDot MoneyPak was a favorite among cybercriminals not too long ago. Attackers will just find another way to get paid.”
While paying the ransom is highly discouraged, many of the security experts said the only way to seriously reduce ransomware is through user education.
“We’re not going to get rid of ransomware easily. As long as people continue to struggle to keep their devices fully-patched and protected, and as long as people continue to open attachments they shouldn’t or click on links they probably shouldn’t, attackers are going to be able to infect machines,” Henderson said.
He said the most pragmatic solution to ending the ransomware scourge is to teach people the most basic principles of security hygiene: don’t visit sites that you suspect may be malicious or impostors, patch your machines the moment an update becomes available, and stop opening attachments in your email.
“If you’re not expecting a spreadsheet from your brother or aunt, don’t open it. Call them and ask them if they sent it to you. Courier companies are not going to email you out of the blue with an urgent tracking update. Your bank or PayPal are not going to email you asking you to ‘confirm your information’. And perhaps most importantly, you must have cold backups of the files and data most important to you. We’ve been reminding people of this for as long as I could type… long before malware became a serious issue,” he said.Getting rid of Bitcoin to stop ransomware would be like the US Government getting rid of $100 bills to try to stop drug dealers from laundering their dirty money.
Richard Henderson, global security strategist at Absolute
While eliminating Bitcoin won't solve the ransomware problem, it is worth identifying what makes Bitcoin so popular among criminals. Think of Bitcoin as a ‘superpower’ in the hands of criminals. It enables anonymous payments. You cannot trace who paid, or who was paid. Also, of course, it is an entirely digital payment scheme, and anybody can get an account – or two, or three, or a hundred – and nobody would be the wiser.
Markus Jakobsson, security researcher and chief scientist at Agari, said while getting rid of Bitcoin could certainly slow ransomware attacks, he does not think it is a very plausible goal. “Too many people use it and profit from it in legal ways. Bitcoin has a life of its own, as do the principles underlying it. If it were to somehow be shut down, a derivative would soon pop up.”
He instead wants to dig a bit deeper into the cybercriminal psyche. “By understanding the likely nature of attacks, other countermeasures can be built. The optimal solution is to block Bitcoin abuse, rather than trying to block Bitcoin itself.”
If not Bitcoin, what?
Considering the number of alternative currencies available (such as Monero, Litecoin, Ether, Dogecoin), even if you get rid of Bitcoin there are still over two dozen other cryptocurrencies that can be used, said Daniel Smith, security researcher at Radware. He added that ransomware existed before cryptocurrencies. Back in 1989, it was called PC Cyborg or AIDS Trojan. Criminals used traditional transfers or gift cards back then.
Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, said since Bitcoin is a decentralized cryptocurrency, it’s not possible to get rid of it. What did contribute substantially to the rise of ransomware was an increase in the consumer-friendliness of Bitcoin, which is now just a few clicks away like any foreign currency.
Scott Miserendino, chief data scientist at BluVector, said Bitcoin is a technology of convenience for the ransomware operators. If it is removed it would be replaced. “These extortion schemes existed long before Bitcoin. While Bitcoin has fueled their spread, I don't think that spread can be pushed back simply by removing one payment option now that criminals are widely aware of the effectiveness of the ransom mechanism.”
Florin Lazurca, senior technical manager at Citrix, said “unfortunately, the horse is out of the barn on Bitcoin and ransomware, as it is just one of many semi-anonymous payment channels. While it would slow down the scale of attacks, removing automated and unattended transactions, any transfer-of-value method lacking 'know your customer' standards will fill the void. We would have to eliminate cash and other digital currencies such as WebMoney.”
Lance James, chief scientist at Flashpoint, said that while many ransomware campaigns use Bitcoin to affect a transaction, this is a case where correlation does not imply causation. It happens to be a popular method in the public campaigns of late, but if you look back to CryptoLocker in 2013-2014 (the first heavy hitter ransomware) the operators were estimated to be making an average of $30 million in three months which was paid used moneypak cards.
“In fact Bitcoin can actually be an inhibitor to the success of ransomware campaigns, since the average victim likely doesn’t understand how to use Bitcoin or how to transfer money to Bitcoin currency,” James said. “In fact, ransomware operators try to create as little friction in their campaigns as possible, going as far as to keep ransom amounts low to dis-incent users from seeking professional assistance to unlock their data as the services would likely cost more than the ransom. The operators make it up in high volume of attacks.”
James cited the recent emergence of “crimeware-as-a-service,” which allows someone with a lower tech IQ to simply buy resources online to cause havoc.
Boaz Shunami, CEO and co-founder of KomodoSec, said getting rid of Bitcoin isn’t going to have any effect whatsoever on the spread of ransomware. Ransomware is big business on the dark web, he said. “It’s a standard, tactical tool in the cybercrime arsenal and one of the most profitable. You can actually buy ransomware-as-a-service.”
Extortionists and malicious actors are nimble and will go to great lengths to find other forms of anonymized digital currencies or ways of masking their nefarious activity, said Simon Taylor, vice president of product at Glasswall. “In general, ransomware will continue to evolve, as will the tactics to maintain anonymity and securely transferring money.”
Take down Bitcoin from the top?
Satoshi may not even be a singular person, and even if he or she could be tracked down, they are so far removed from what Bitcoin has evolved into in recent years that unmasking him won’t close Pandora’s Box, experts say.
It has been a mystery who actually runs Bitcoin. According to Wikipedia, the actual creator(s), is known only by a pseudonym - Satoshi Nakamoto. Many investigative reporters have tried to track down the mastermind of the cybercurrency to no avail.Getting rid of Bitcoin from the outside would require getting rid of the internet.
Florin Lazurca, senior technical manager at Citrix
"Getting rid of Bitcoin from the inside would require a high level of centralization and collusion of the mining power essentially destroying trust in the system along with investments made. Getting rid of Bitcoin from the outside would require getting rid of the internet,” said Lazurca.
Nakamoto has claimed to be a man living in Japan, born around 1975. However, speculation about the true identity of Nakamoto has mostly focused on a number of cryptography and computer science experts of non-Japanese descent, living in the United States and Europe. One person, Australian programmer Craig Steven Wright, has claimed to be Nakamoto, though he has not yet offered proof of this, according to Wikipedia.
“Ultimately, it doesn’t matter who the founder was. Bitcoin is an 'open source' idea now. It is decentralized and we all know how it works, so its creator really has no power over the system,” said Corey Nachreiner, CTO of WatchGuard Technologies. "We’ll probably learn for sure who the creator is one day, but I don’t think it will change much. Cryptocurrency will continue to evolve and we’ll see others use public blockchains for alternative uses as well.”
Security officials believe focusing on Bitcoin is just wasted energy. One security exec mentioned focusing on The Bitcoin Foundation instead to discuss changes to the cryptocurrency standard.
The premise behind Bitcoin is that the system is not reliant on a central authority. Because of that, and the fact that it is a peer-to-peer banking system that acts independently from any one person, it’s hard to think that identifying or getting the cooperation of the Bitcoin founder would lead to the end of Bitcoin.
Troy Gill, manager of security research at AppRiver, agrees that searching for an individual would not be of much benefit in the grand scheme of things. “I think efforts would be better spent by law enforcement agencies to develop some form of backdoor that would allow them to easily associate Bitcoin wallets to actual users.”
David King, director of solutions marketing at Commvault, said in the fight against ransomware, focusing on Bitcoin is like tilting at windmills. “The real dragon we need to take on is enterprises’ reluctance to implement holistic data management strategies to secure, govern and backup all their data. If we defeat this dragon, the ability of cybercriminals to profit from ransomware attacks will fall, and so will their attacks.”
How to tackle ransomware
There were a few main themes these security execs raised about how to decrease the amount of successful ransomware hits: user education, have a backup plan and non-payment.
Ransomware is certainly a plague on information-based enterprises everywhere, Miserendino said. Detection and prevention is still the best medicine but ransomware also needs to be publicly cast in the same light as gang/mafia extortion schemes of the past (and current day). The only proven effective approach is the victims need to stop paying the criminals.
According to Identity Theft Resource Center, there was a significant rise in ransomware attacks in 2016. The FBI shared that ransomware victims paid a total of $209 million in the first quarter of 2016 in order to get their data back.
“First and foremost, companies and individuals targeted with ransomware need to stop paying. I know this is easy to say when you aren’t the victim. In cases where the victim is a hospital providing critical care, the decision is very difficult,” Nachreiner said. “Nonetheless, it’s victims giving in to extortion that has made ransomware such a valuable business model for cybercriminals. They focus on ransomware because it successfully makes them money. If you remove that profit, they will move on.”
A disaster recovery and business continuity plan would include quick recovery from any attack or disaster.
There are many ways of infecting an organization with ransomware, but the easiest way to bypass hundreds of thousands, even millions of dollars’ worth of security investments is by playing on the weakest link of the cyber defense chain – the human, Taylor said.
“We continually see that email attachments are the primary attack vector for cyber criminals and that 97 percent of malware is unique to the target endpoint, rendering signature-based technologies useless,” he said. Glassware’s research shows that organizations relying on the identification of macros can miss 45 percent of other malware in documents, such as Excel and Word, giving attackers all they need to extort the target organization.
It always comes back to user education. Users aren’t quite catching on as quickly as most would hope. The Ponemon Institute reported in a study released last month that 48 percent of businesses victimized by ransomware said they paid.
Jens Monrad, senior intelligence analyst at FireEye, said ransomware has evolved the way it has because many victims pay the ransom as they are not in the position where they can restore the encrypted data. Many of these organizations often lack internal procedures for backing up data.
“Do not underestimate the importance of strengthening your human firewall by continuously training employees to recognize and avoid common threats,” SonicWall President and CEO Bill Conner said. “The most common ransomware variant in 2016, Locky, was typically delivered to an unsuspecting employee via email under the guise of a vendor invoice. If employees had been educated on this malicious tactic and known not to open these attachments, ransomware attacks would not have been nearly as successful over the last year.”
James said high public awareness drives up appreciation of backing up systems regularly and having data remotely and securely stored in more than one place. “Since the incentive to already protect your data is a familiar message for today's age, it will eventually come to down to outliers that get hit and can't recover will be few and far between probably within one to two years from now.”
Make sure the system you’re using to back up your data requires authentication or is not always online,” SonicWall’s Conner said. “Otherwise, if you’re hit with ransomware, you may find yourself reverting to an encrypted backup.”
Nachreiner said modern defenses can keep the majority of ransomware out of organizations. Basic firewall and antivirus are not enough in today’s threat landscape. However, modern security controls include things like advanced threat prevention solutions, which use behavioral analysis to find new strains of ransomware, and even threat detection and response tools, which can identify malware as it runs on your host, and in many cases can stop it from encrypting files.
Jason Haddix, head of trust and security at Bugcrowd, said that prevention and impact reduction are the key. Strong security fundamentals on both the perimeter network and on the endpoint are a good defense. Cyber insurance can reduce the risk as well.
Kalember noted that some ransomware now tries to encrypt backups first, so proper security configurations are essential for the backup infrastructure itself.
Alvaro Hoyos, chief information security officer at OneLogin, also cited better end user education. “Ransomware is just piggybacking on social engineering attacks that have been around for almost as long as email. Technical safeguards can help reduce the number of ransomware attacks that show up in your inbox, but it’s really the end users that you need to leverage to reduce the success of these attacks. Therefore, if there are no line items in your security budget for security awareness training and tools, then you are simply not doing enough.”
Zohar Alon, co-founder and CEO of Dome9, said weak security practices and user errors are at the heart of rising ransomware and data-jacking attacks. To get rid of the threat of ransomware, organizations need to start with strong multi-layered defense. For example, in cloud environments, this means investing in foundational technologies such as tools for configuration and vulnerability management, network segmentation and traffic visibility, as well as anti-virus and vulnerability shielding.
Monzy Merza, head of security research at Splunk, said that effective ransomware defense is a combination of preparation, analysis and response. And each aspect has elements of people, process and technology. There’s no silver bullet for ransomware.
“Defending against ransomware is not very different than defending against any threat that might impact your business. Standard cyber hygiene best practices such as identifying critical assets, having a mitigation plan, auditing user permissions, good patch management, or maintaining good backups are all important here, as they are for any threat vector,” Merza said.
Potential hardware failure was always a possibility, and for most people it only needed to happen once before they got in the habit of backing up their data, Henderson said. “Storage is almost free today on a per-GB basis, there’s no excuse anymore for not having a small high-capacity USB drive that you plug in, back up your critical and irreplaceable files, and put in your desk. If you have that insurance policy (and it’s the cheapest insurance you can buy), even if in a moment of carelessness, you won’t need to pay the ransom. No more ransoms being paid by victims? Attackers will find new ways to make their cash."