Editor’s Note: Alexander J. Urbelis is a lawyer and self-described hacker with more than 20 years’ experience with information security. He is a partner in the Blackstone Law Group, a founding member of Technology Advisory Board of Human Rights First, co-host of hacker-focused radio show and podcast “Off The Hook,” and was also the acting chief information security officer of the NFL. Follow him on Twitter @aurbelis. The views expressed in this commentary are his own. View more opinion articles on CNN.
Earlier this week, CNN broke the story that the Justice Department and FBI were able to recover $2.3 million of the nearly $5 million worth of Bitcoin Colonial Pipeline paid to DarkSide, the ransomware gang whose attack was responsible for Colonial Pipeline shutting down East Coast operations last month.
While this seizure signals more accountability, there are many reasons to expect that ransomware attacks will quickly get worse before getting better.
Ransomware encrypts a victim’s data, making it unusable, unless the victim pays a ransom for the keys to decrypt the data. Recently, criminals have also threatened to publish an organization’s data if it does not pay the ransom. In an announcement Monday, Deputy Attorney General Lisa Monaco called these payments “the fuel that propels the digital extortion engine.”
There are local initiatives and concerted commitments among mayors that would prevent municipalities from paying ransoms. Meanwhile, insurance carriers have started to remove ransomware payments from policies, and the federal government has placed several ransomware gangs on sanctions lists, making ransom payments illegal under the federal law.
Bitcoin has long been the cryptocurrency of choice for criminal enterprises deploying ransomware. Cryptocurrency infrastructure itself enables these tactics, but that is changing. This is not because, as some erroneously assume, Bitcoin is untraceable.
While Bitcoin does offer users extra privacy, it is not totally anonymous — rather, it provides users a form of digital pseudonym. As transactions are logged on the blockchain, a public ledger, Bitcoin is eminently traceable. Criminal enterprises paid in Bitcoin, however, launder their proceeds through legitimate coin-swapping services, illegitimate mixers designed to make it very difficult to “follow the money,” and shady over-the-counter brokers who turn cryptocurrency into cash.
Lax know-your-customer (KYC) requirements are, in large part, to blame for cryptocurrencies making extortion scalable. These lax practices are for the most part the hallmarks of a young, under-regulated industry rather than an intentionally malicious oversight. These practices will eventually mature into more robust KYC processes likely as a condition of doing business with larger exchanges like Coinbase.
The Biden administration’s strategic review of the role of cryptocurrency in ransomware steps on the gas. Moreover, the US is already developing methodologies to track lesser-known cryptocurrencies to which criminals are gravitating.
These factors creates a perfect storm — time is of the essence for criminal enterprises to make as much money as they can. This also puts pressure on the ransomware industry itself.
Operations like DarkSide are part of the ransomware-as-a-service ecosystem. For a share of the profits, DarkSide deploys ransomware on behalf of other criminal actors who have established illicit access to an organization.
For several years, I have hunted a persistent group that attempted to steal credentials from more than 1,500 entities in the United States, most of which are part of critical infrastructure. More than 300 hospitals, 80 energy sector companies (including pipelines), 60 pharmaceutical companies, 200 state and local governments, 80 school districts, and 100 targets in the food distribution ecosystem of the United States were targeted by this adversary. Slick, efficient, and designed to evade detection, many of these attacks were successful.
Left undetected, a competent adversary will find a way to make access persistent, which allows an adversary to poke around, find the high-grade ore, and stage an effective ransomware event that may even knock out backups intended to protect against ransomware. There is a rush to monetize this type of access, given the dwindling lifespan of ransomware — another reason why we can expect a higher velocity of attacks in the short term.
Finally, the risk versus reward calculus is changing. Last month the Justice Department used the Racketeer Influenced and Corrupt Organizations Act to go after service providers that enable cybercrime. The department is likely to use the same legal theories to pursue those who provide services for ransomware attacks, from server hosts to cryptocurrency exchanges. And US laws about the financing of criminal activities and terrorism may be extended to reach ransomware gangs.
At the state level, legislatures have been debating bills prohibiting ransom payments and providing criminal penalties for possessing ransomware. For countries that turn a blind eye to for-profit criminal ransomware enterprises, the United States and its allies are expected to exert significantly more carrot-and-stick influence to discourage such behavior, including economic sanctions if local criminals are not prosecuted. The days of impunity are, indeed, numbered.
All these reforms are moves in the right direction. But with opportunistic criminal enterprises racing to monetize their illicit access to US organizations, we can expect more short-term ransomware attacks on US organizations. We must be wary that even if ransomware events decrease in the United States, our supply chains are global — ransomware attacks in other countries will inevitably affect US interests.
Things will get worse before they get better. It is my sincere hope that the United States can serve both as a warning to the rest of the world about the dangerous implications of ransomware, and lead by example when it comes to deterring, prosecuting, and cooperating with our allies to stamp out this scourge.