In the following guest post, John Reed Stark takes a look at the troubling rise of ransomware attacks, and the disturbing relationship between ransomware attacks and bitcoin. John is the President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
If ransomware were to write a year-end thank you note to bitcoin, it would probably look something like this:
The unprecedented 2019 surge in ransomware attacks on cities, municipalities, schools and healthcare organizations in particular is just a foretaste of what is likely to come in 2020. A recent Lloyd's of London report boldly asserts that a large-scale ransomware attack could cost the global economy $193 billion and affect more than 600,000 businesses worldwide.
Meanwhile, ransomware has evolved considerably, from the early days of scareware and locker attacks to the sophisticated social engineering schemes and full-on cyber warfare seen in 2019. The U.S. ransomware plague has gone from bad to worse, with no end in sight to the outbreak:
- Ransomware threat groups now routinely collaborate, creating a burgeoning ransomware industry. For instance, the creators of ransomware families such as Cerber lease out their attack tooling like franchises in exchange for a percentage of the extortion proceeds;
- Ransomware attackers now share attack vectors. For instance, security firm SentinelOne recently reported that the operators of the TrickBot banking Trojan have begun selling access to networks they have already compromised to other threat groups, including those seeking to distribute ransomware;
- Ransomware attack vectors have become more effective, reaching the outer edges of IT infrastructure and backup systems (even supply chains), while also becoming more targeted and strategic. For example, according to Yahoo Finance, the threat intelligence company Anomali discovered a new ransomware variant dubbed eCh0raix with a broader scope than its predecessors. Unlike traditional ransomware, which targets users and their files, eCh0raix attacks network-attached storage (NAS) appliances: scalable hardware with its own dedicated disks that, ironically, businesses typically rely on to protect corporate data, share files among employees and provide remote connectivity;
- No longer merely spray and pray, ransomware attacks have adopted the command-and-control tactics of advanced persistent threats (APTs). Ransomware gangs now gain a foothold in a network and, over time, slowly take command of it: installing backdoors, stealing the credentials of administrative accounts and ultimately gaining control over domain controllers; and
- Ransomware attacks have become more automated, requiring less attacker interaction. For instance, the ransomware variant MegaCortex is now reportedly capable of executing with a single command. This makes post-exploitation deployment easier, requiring few if any manual steps (earlier versions required the operator to supply a password to decrypt and load the final payload during a live infection).
Ransomware attacks now also do far more than paralyze corporate, healthcare and government computer systems: attackers use the opportunity to steal company data and threaten to publish it, including via social media, unless the victim pays more. In other words, ransomware attacks have become data breaches. Krebs on Security reports:
“As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public website identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.”
How do most corporate victims of ransomware attacks pay the ransoms demanded? Bitcoin, of course: it is fast, reliable, verifiable and subject to little regulation, and while every transaction is recorded on a public ledger, addresses are not tied to real-world identities, so payments are very hard to attribute to a person. Bitcoin has become ideal for ransomware extortion schemes. Attackers can simply watch the public blockchain to see if and when a victim has paid. They can even generate a unique payment address for each victim and automate the release of the decryption key once a confirmed bitcoin transaction to that address appears.
In a kidnapping, the exchange of money is arguably the moment at which the criminals are most exposed. Ransomware attackers face no such moment: a bitcoin transaction is simple, near-instantaneous, global and pseudonymous. Hence there is rarely even an arrest, let alone a successful prosecution, of a ransomware attacker. Law enforcement remains virtually powerless, and agencies have themselves fallen victim to ransomware extortion schemes.
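The payment mechanism described above (a unique address per victim, watched on the public ledger until the payment is confirmed) has a flip side worth seeing in code: because the ledger is public, an investigator can watch the very same addresses, and when the operator sweeps several victims' payments into one wallet in a single transaction, the common-input-ownership heuristic used in chain analysis ties those victims to one operator. The following Python is an added example, not code from John Reed Stark's article; it runs on a small, constructed five-transaction ledger that mimics Bitcoin's input/output model, and the addresses, block heights and six-confirmation threshold are all assumptions chosen for illustration.

```python
"""Watching a ransom address on a public ledger and following the funds.

Added illustration, not part of the article. The ledger below is constructed:
each transaction spends earlier outputs (inputs) and creates new outputs
(address, amount in satoshis). Nothing here talks to the real network.
"""
from collections import defaultdict

# Constructed sample ledger. Heights, txids and addresses are made up.
# "cb" transactions are coinbase-like sources of funds with no inputs.
LEDGER = [
    {"txid": "cb1", "height": 100, "inputs": [],
     "outputs": [("victimA_wallet", 150_000_000)]},
    {"txid": "cb2", "height": 100, "inputs": [],
     "outputs": [("victimB_wallet", 80_000_000)]},
    # Victim A pays 1 BTC to the unique address issued to them.
    {"txid": "payA", "height": 105, "inputs": [("cb1", 0)],
     "outputs": [("ransom_addr_A", 100_000_000), ("victimA_change", 49_990_000)]},
    # Victim B pays 0.5 BTC, but only one block ago (too few confirmations).
    {"txid": "payB", "height": 109, "inputs": [("cb2", 0)],
     "outputs": [("ransom_addr_B", 50_000_000), ("victimB_change", 29_990_000)]},
    # The operator sweeps both ransom addresses into one wallet in one tx.
    {"txid": "sweep", "height": 110, "inputs": [("payA", 0), ("payB", 0)],
     "outputs": [("operator_consolidation", 149_990_000)]},
]
TIP_HEIGHT = 110  # height of the newest block in the constructed ledger


def _index(ledger):
    return {tx["txid"]: tx for tx in ledger}


def confirmations(tx, tip_height):
    """A tx in the tip block has 1 confirmation, one block deeper has 2, ..."""
    return tip_height - tx["height"] + 1


def confirmed_received(ledger, address, tip_height, min_conf=6):
    """Satoshis paid to `address` by transactions with >= min_conf confirmations."""
    total = 0
    for tx in ledger:
        if confirmations(tx, tip_height) < min_conf:
            continue  # not yet final: a shallow block could still be reorganised
        total += sum(v for a, v in tx["outputs"] if a == address)
    return total


def payment_settled(ledger, address, expected_sats, tip_height, min_conf=6):
    """What an automated payee (or an investigator) polls for: ransom fully paid and confirmed."""
    return confirmed_received(ledger, address, tip_height, min_conf) >= expected_sats


def input_addresses(tx, by_txid):
    """Resolve each input to the address whose earlier output it spends."""
    return [by_txid[prev]["outputs"][idx][0] for prev, idx in tx["inputs"]]


def cluster_inputs(ledger):
    """Common-input-ownership heuristic: addresses spent together in one tx
    are very likely controlled by the same party. Returns address clusters."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    by_txid = _index(ledger)
    for tx in ledger:
        addrs = input_addresses(tx, by_txid)
        for a in addrs:
            find(a)  # register every spending address, even singletons
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])  # union with the first input
    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return [frozenset(s) for s in clusters.values()]


def trace_spends(ledger, address):
    """Addresses that directly received funds spent from `address`."""
    by_txid = _index(ledger)
    destinations = set()
    for tx in ledger:
        if address in input_addresses(tx, by_txid):
            destinations.update(a for a, _ in tx["outputs"])
    return destinations


if __name__ == "__main__":
    print("A settled:", payment_settled(LEDGER, "ransom_addr_A", 100_000_000, TIP_HEIGHT))
    print("B settled:", payment_settled(LEDGER, "ransom_addr_B", 50_000_000, TIP_HEIGHT))
    print("clusters:", cluster_inputs(LEDGER))
    print("A's ransom went to:", trace_spends(LEDGER, "ransom_addr_A"))
```

Run as-is, victim A's payment is reported as settled (six blocks deep) while victim B's, although visible on the ledger, is not yet (two confirmations); the sweep transaction places `ransom_addr_A` and `ransom_addr_B` in one cluster and shows A's funds moving to `operator_consolidation`. Real chain-analysis tooling adds exchange attribution, change-address heuristics and mixer detection on top of this, which is why "untraceable" overstates bitcoin's anonymity even though attribution to a named person remains hard.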
In the history of financial innovation, modernization and invention, there has always existed one constant: whatever the product, criminals will attempt to exploit it. Bitcoin dramatically illustrates this axiom. And despite the treacherous reality of how bitcoin is so often used, it still thrives in the face of a litany of hurdles, including liquidity risk; price volatility; cybersecurity vulnerabilities; commission fees; anti-money laundering (AML) implications; ethical dilemmas; tax burdens; entanglement mishaps and many other obstacles. Bitcoin has essentially evolved into a highly resilient and resistant toxic virus in and of itself.
Ransomware’s Dirty Little Secret
The first instance of what we now know as ransomware was the AIDS Trojan, named for its targets: delegates who had attended the World Health Organization's AIDS conference in Stockholm in 1989. Thirty years later, WannaCry, NotPetya and CryptoLocker have become household names and corporate nightmares.
Today, bitcoin-enabled crimes such as ransomware attacks on medical facilities, physician practice groups and municipalities prosper largely because of ransomware's dirty little secret: victims pay the ransom. Left with little choice by bitcoin's global, anarchic pseudonymity, paying the ransom remains the least painful way out of a now commonplace bitcoin-fueled extortion campaign.
Indeed, Emsisoft studied 948 government, educational and healthcare entities hit by ransomware in 2019, and a whopping 759 paid the ransom. In the past year alone, one ransomware response firm facilitated over $60 million in ransomware payments to offshore extortionists, all in bitcoin. Yet none of these criminals has been captured, despite an overwhelming corporate willingness to cooperate fully with the FBI and other law enforcement agencies. Ask anyone in U.S. law enforcement why no ransomware attacker is ever caught, and the answer will almost always come down to one word: bitcoin.
President Trump: A New Hope?
President Trump has recognized bitcoin’s threat to global commerce, tweeting as much six months ago, but nothing has changed.
Yet President Trump could turn his bitcoin outrage into action, because loathing of bitcoin is a wholly bipartisan issue. In fact, President Trump is fully aligned with an array of outspoken and active cryptocurrency critics and skeptics who also happen to be some of the most vocal anti-Trump Democrats, including U.S. Congresswoman Maxine Waters (D-Calif.), U.S. Senator Elizabeth Warren (D-Mass.) and U.S. Congressman Brad Sherman (D-Calif.).
President Trump even went so far as to co-opt some of Congressman Sherman’s arguments. Congressman Sherman (who specifically introduced articles of impeachment against President Trump) recently stated:
“An awful lot of our international power comes from the fact that the U.S. dollar is the standard unit of international finance and transactions,” Sherman said at a meeting of the House Financial Services Committee last week. . . . “Clearing through the New York Fed is critical for major oil and other transactions. It is the announced purpose of the supporters of cryptocurrency to take that power away from us, to put us in a position where the most significant sanctions we have against Iran, for example, would become irrelevant.”
The Myth: Cash Versus Bitcoin
Bitcoin barons argue that criminals can use cash and other traditional financial systems just as easily as they can use bitcoin and other cryptocurrencies to commit crimes. After all, in comparison to bitcoin and other cryptocurrencies, isn't cash similarly anonymous, untraceable and fungible? Isn't cash equally ubiquitous and available? The answer is no, which is precisely why bitcoin has become the currency of choice for criminals.
First off, in the U.S., pursuant to the Bank Secrecy Act (BSA), transactions involving traditional financial firms, such as banks, brokers and dealers, and money service businesses (MSBs), are subject to strict federal and state anti-money laundering laws and regulations aimed at detecting and reporting suspicious activity, including money laundering and terrorist financing, as well as securities fraud and market manipulation.
AML programs typically include a system of internal controls to ensure ongoing compliance with the BSA; independent testing of BSA/AML compliance; a designated BSA compliance officer to oversee compliance efforts; training for appropriate personnel; and a customer identification program. Thus, to ensure AML compliance, financial firms start by obtaining clearly identifiable information about a prospective client and identifying any potential risks of association. This rigor of oversight and regulation makes cash-related crime challenging. Given, in particular, the tremendous technological innovation at financial institutions, moving or warehousing illicit cash is a good way to get caught and to wake up one morning to find your financial accounts frozen.
In stark contrast, bitcoin and other cryptocurrency transactions can settle efficiently from anywhere on the globe, without much of a trace of the recipient’s identity and whereabouts. There exists no central authority to handle disputes, manage complaints or freeze accounts — and transfers are irreversible. One cryptocurrency can also be rapidly traded for another. This all creates challenging hurdles for law enforcement to identify criminals, let alone capture and convict them.
Theoretically, anyone with an Internet connection and a digital wallet can be part of any cryptocurrency platform, initial coin offering or other cryptocurrency financing endeavor operating anywhere on the globe – which, of course, opens a worldwide 24-7 laundromat for those with criminal motives. It is not surprising that security company CipherTrace found that “nearly all dark market commerce is transacted in cryptocurrencies,” while another recent study found that approximately one-quarter of bitcoin users and one-half of bitcoin transactions are associated with illicit activity.
Looking Ahead: Where Were the Lawyers?
Make no mistake, the innovative community of blockchain developers and entrepreneurs deserves congratulations, admiration and encouragement — but their good work has been hijacked by a dangerous legion of criminals. And while blockchain technology may very well have extraordinary potential, there exists no responsible gatekeeper to keep the process and the players honest.
Sadly, too many of the shamelessly self-anointed FinTech attorneys, who claim to practice within the crypto-space, are of little help and have at times actually exacerbated an already dire situation. Some not only blindly facilitate the criminal norms of the cryptocurrency marketplace, but their law firms also blithely encourage cryptocurrency transactions by accepting bitcoin as a form of payment for their legal services. It seems that some lawyers and their firms have become so desperate for fees that accepting bitcoin blood money seems somehow justifiable.
This last point about lawyers and cryptocurrency hits home and bothers me the most. Because when ransomware gets worse (which it will) and people die as a result (which they will), someone somewhere will undoubtedly ask: where were the lawyers?
First formulated by the legendary Stanley Sporkin about corporate misdeeds decades ago when he was head of the SEC Enforcement Division in the 1970s and then as U.S. federal district judge from the mid-80s onward, this damning question has been repeated in every major financial scandal since.
So thank you, bitcoin: you have not only stained my profession, but you have once again proven true that old adage: those who do not learn from history are doomed to repeat it.
*John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”