Ransomware is the existential threat that could reverse crypto’s rise
With the threat of ransomware increasingly difficult for US policymakers to ignore, cryptocurrency exchanges should prepare to be the target of increasing regulatory scrutiny — or outright bans — in many countries.
For more than a decade, US regulators have done little to stymie the wave of cybercrime enabled by cryptocurrencies, making only minimal adjustments to the regulatory landscape for fear of stifling innovation and economic growth. But the tide is shifting when it comes to how regulators are looking at cryptocurrencies. And nothing is influencing them more than ransomware. The scourge of alarming and costly attacks is causing policymakers in Washington, China and elsewhere in the world to begin clamping down on the digital currencies that have underpinned cyber extortion and other online crimes for years.
After years of ambiguous, poorly conceived, and rarely enforced cryptocurrency policymaking, September seemed to mark a turning point with both China and the US taking the clearest and most aggressive steps yet to regulate cryptocurrencies in the same week.
On Sept. 21, the Treasury Department announced sanctions directed at the cryptocurrency exchange Suex OTC, S.R.O. for its role in facilitating ransomware payments. In early October, the Justice Department also announced it was creating a new team to prevent hackers from using cryptocurrency exchanges for extortion attacks and go after the infrastructure underlying cybercrimes. Meanwhile, on Sept. 24, China announced that all transactions involving virtual currencies would be illegal in the country. China’s announcement, unsurprisingly, had a larger impact on the value of cryptocurrencies, but Washington’s Suex sanctions were actually the more significant and surprising of the two announcements. China has long been skeptical of cryptocurrencies and made halfhearted efforts to block them going back to 2013, but the US finally beginning to revise its largely hands-off regulatory approach to virtual currencies marks an important shift in the way that regulators are weighing the benefits of cryptocurrencies against their harms.
It’s not just ransomware that is a problem, either. There are other types of cybercrime that can involve cryptocurrencies, including financial fraud and money laundering, but ransomware is the only one that really relies on cryptocurrencies — the only form of cybercrime that, by and large, could not be committed without a functioning cryptocurrency ecosystem. It’s no coincidence that the rise in ransomware we have witnessed over the past few years followed on the rise in availability of cryptocurrency services and exchanges that enabled people to easily purchase virtual currencies like Bitcoin and make payments using them.
If ransomware attacks had remained relatively untargeted, infecting individual computers and requiring their owners to make payments of a few hundred dollars’ worth of Bitcoin, they might not have made such a significant impact on the regulatory landscape. After all, ransomware has been around for at least a decade and there have been relatively few efforts in the US to meaningfully regulate cryptocurrencies during that time in ways that would make it harder for criminals to extort their victims. In that sense, the escalation of ransomware attacks to target large companies, local governments, and critical infrastructure and demand larger and larger payments from those high-profile targets helped draw attention to the seriousness of online extortion and — by extension — the threats posed by widespread cryptocurrency availability.
Cryptocurrencies fans take issue with the idea that technologies like Bitcoin are one of the primary reasons ransomware continues to be a profitable business model for criminals. And it is certainly true that cryptocurrencies are not the only thing that enables continued ransomware — the unwillingness of foreign countries like Russia to investigate and arrest perpetrators of these attacks is another important factor, so too are the poor cybersecurity practices of many organizations that allow for ransomware to infect their systems in the first place. But, importantly, cryptocurrencies are what allow criminals to monetize ransomware attacks. And the monetization stage of cyberattacks has long been a crucial one for law enforcement because it historically provided an opportunity for investigators to track profits back to the perpetrators by, for instance, infiltrating the forums where criminals sell stolen information such as credit card numbers or Social Security Numbers.
In the case of ransomware, however, that monetization happens exclusively through cryptocurrency transactions managed by exchanges, the intermediaries that transfer fiat currency into virtual currencies, and vice versa. This means it is often much more difficult for law enforcement to figure out who is receiving these payments or link the recipients to larger criminals networks. By going after particular exchanges, like Suex, that are known to facilitate a large volume of criminal transactions, the US government is hoping to be able to regain the upper hand by pulling cybercriminals’ payment processing infrastructure out from under them.
In sanctioning Suex, Treasury Deputy Secretary Wally Adeyemo explicitly referenced the exchange’s role in helping attackers “extract profits from ransomware.” According to the Treasury Department, over 40 percent of known Suex transactions involved illegal activity or illicit actors. So sanctioning Suex is not terribly controversial, even among people who think that cryptocurrencies are beneficial, because it’s so widely regarded as catering to criminals. But what about cryptocurrency exchanges where only 5 or 10 percent of transactions are illegal? Without knowing how widely the US will be willing to apply these measures, it’s hard to say how effective or how scalable the Treasury Department’s approach will be.
Assuming the Suex sanctions are enforced, and ransomware victims no longer make payments to Suex wallets, it remains to be seen whether the criminals will simply migrate to other cryptocurrency exchanges and, if so, whether the Treasury Department will be up to the task of keeping its list of banned exchanges up-to-date. If the US government is really committed to cracking down on exchanges that facilitate ransomware payments that list of sanctioned exchanges could potentially grow very long very quickly. For cryptocurrency regulations to actually take a real bite out of ransomware it may well turn out they have to be a little more draconian, and look a little more like China’s approach, than just singling out an individual exchange for bad behavior.
Cryptocurrency exchanges looking to get out ahead of regulations can invest in more rigorous screening of their customers and transactions to proactively ensure they are not serving criminals or facilitating extortion payments. These measures, on their own, may not be enough to do anything more than force criminals to use overseas exchanges, but they might make it at least a little bit harder for victims to pay ransoms, thereby potentially cutting into criminals’ profits.
One reason regulators have been hesitant thus far to regulate cryptocurrencies more aggressively is the sense that it is extremely difficult to do so effectively without more international cooperation and coordination.
But with the threat of ransomware becoming increasingly difficult for policymakers to ignore, cryptocurrency exchanges should prepare themselves to be the target of increasing regulatory scrutiny in many countries. Perhaps the best thing they can do to get ready is start monitoring their transactions and customers more closely — an approach that stands a little bit in contrast to the originating “digital cash” notion of anonymous cryptocurrencies, but is much more in line with their present status as a vehicle for large financial transactions and criminal activity.
If cryptocurrency exchanges can’t manage to refashion themselves more in the image of traditional banks, it seems entirely possible that ransomware could become an existential threat for them — pushing more countries in the direction of China’s regulatory approach to banning them outright.