Earlier this month, hundreds of companies from the US to Sweden were entangled in theon Kaseya, which provides network infrastructure for businesses around the world.
The Kaseya hack comes on the heels of other headline-grabbing cyberattacks like theand the . In each instance, criminals had the opportunity to make off with millions — and much of the ransoms were paid in Bitcoin.
“We have to remember the primary reason for creating Bitcoin in the first place was to provide anonymity and secure, trustless and borderless transaction capabilities,” says Keatron Evans, principal security researcher at Infosec Institute.
As Bitcoin grows more prominent in markets around the world, cybercrooks have found a vital tool to help them move illegal assets quickly and pseudonymously. And by all accounts, the attacks are only becoming more common.
Ransomware on the rise
Ransomware is a cybercrime that involves ransoming personal and business data back to the owner of that data.
First, a criminal hacks into a private network. The hack is accomplished through various tactics, including phishing, social engineering and preying upon users’ weak passwords.
Once network access is gained, the criminal locks important files within the network using encryption. The owner can’t access the files unless they pay a ransom. Nowadays, cybercriminals tend to request their ransoms in cryptocurrencies.
The FBI estimates ransomware attacks accounted for at least $144.35 million in Bitcoin ransoms from 2013 to 2019.
These attacks are scalable and can be highly targeted or broad, ensnaring anyone who happens to click a link or install a particular software program.
This allows a small team of cybercrooks to ransom data back to organizations of all sizes — and the tools needed to hack into a small business or multinational cooperation are largely the same.
Private citizens, businesses, and state and national governments have all fallen victim — and many decided to pay ransoms.
Today’s business world depends on computer networks to keep track of administrative and financial data. When that data disappears, it can be impossible for the organization to function properly. This provides a large incentive to pay up.
Although victims of ransomware attacks are encouraged to report the crime to federal authorities, there’s no US law that says you have to report attacks (). Given this, there’s little authoritative data about the number of attacks or ransom payments.
However, a recent study from Threatpost found that only 20% of victims pay up. Whatever the actual number is, the FBI recommends against paying ransoms because there’s no guarantee that you’ll get the data back, and paying ransoms creates further incentive for ransomware attacks.
Why do hackers like cryptocurrency?
Cryptocurrency provides a helpful ransom tool for cybercrooks. Rather than being an aberration or misuse, the ability to make anonymous (or pseudonymous) transfers is a central value proposition of cryptocurrency.
“Bitcoin can be acquired fairly easily. It’s decentralized and readily
available in almost any country,” says Koen Maris, a cybersecurity expert and advisory board member at IOTA Foundation.
Different cryptocurrencies feature different levels of anonymity. Some cryptocurrencies, like Monero and Zcash, specialize in confidentiality and may even provide a higher level of security than Bitcoin for cybercriminals.
That’s because Bitcoin isn’t truly anonymous — it’s pseudonymous. Through careful detective work and analysis, it appears possible to trace and recoup Bitcoin used for ransoms, as the FBI recently demonstrated after the Colonial Pipeline hack. So Bitcoin isn’t necessarily used by ransomers simply because of security features. Bitcoin transfers are also fast, irreversible and easily verifiable. Once a ransomware victim has agreed to pay, the criminal can watch the transfer go through on the public blockchain.
After the ransom is sent, it’s usually gone forever. Then crooks can either exchange the Bitcoin for another currency — crypto or fiat — or transfer the Bitcoin to another wallet for safekeeping.
While it’s not clear exactly when or how Bitcoin became associated with ransomware, hackers, cybercrooks, and crypto-enthusiasts are all computer-savvy subcultures with a natural affinity for new tech, and Bitcoin was adopted for illicit activities online soon after its creation. One of Bitcoin’s first popular uses was currency for transactions on the dark web. Thewas among the early marketplaces that accepted Bitcoin.
Ransomware is big business. Cybercriminals made off just under $350 million worth of cryptocurrency in ransomware attacks last year, according to Chainanalysis. That’s an increase of over 300% in the amount of ransom payments from the year before.
The COVID-19 pandemic set the stage for a surge in ransomware attacks. With vast tracts of the global workforce moving out of well-fortified corporate IT environments into home offices, cybercriminals had more surface area to attack than ever.
According to research from cyberinsurer Coalition, the organizational changes needed to accommodate remote work opened up more businesses for cybercrime exploits, with Coalition’s policyholders reporting a 35% increase in funds transfer fraud and social engineering claims since the beginning of the pandemic.
It’s not just the number of attacks that is increasing, but the stakes, too. A 2021 report from Palo Alto Networks estimates that the average ransom paid in 2020 was over $300,000 — a year-over-year increase of more than 170%.
When an organization falls prey to cybercrime, the ransom is only one component of the financial cost. There are also remediation expenses — including lost orders, business downtime, consulting fees, and other unplanned expenses.
The State of Ransomware 2021 report from Sophos found that the total cost of remediating a ransomware attack for a business averaged $1.85 million in 2021, up from $761,000 in 2020.
Many companies now buy cyber insurance for financial protection. But as ransomware insurance claims increase, the insurance industry is also dealing with the fallout.
Globally, the price of cyber insurance has increased 32%, according to a new report from Howden, an international insurance broker. The increase is likely due to the growing cost these attacks cause for insurance providers.
A cyber insurance policy generally covers a business’s liability from a data breach, such as expenses (i.e., ransom payments) and legal fees. Some policies may also help with contacting the businesses customers who were affected by the breach and repairing damaged computer systems.
Cyber insurance payouts now account for more than 70% of all premiums collected, which is the break-even point for the providers.
“We noticed cyber insurers are paying ransom on behalf of their customers. That looks like a bad idea to me, as it will only lead to more ransom attacks,” says Maris. “Having said that, I fully understand the argument: the company either pays or it goes out of business. Only time will tell whether investing in ransom payments rather than in appropriate cybersecurity is a viable survival strategy.”
The AIDS Trojan, or PC Cyborg Trojan, is the first known ransomware attack.
The attack began in 1989 when an AIDS researcher distributed thousands of copies of a floppy disk containing malware. When people used the floppy disk, it encrypted the computer’s files with a message that demanded a payment sent to a PO Box in Panama.
Bitcoin wouldn’t come along until almost two decades later.
In 2009, Bitcoin’s mysterious founder, Satoshi Nakamoto, created the blockchain network by mining the first block in the chain — the genesis block.
Bitcoin was quickly adopted as the go-to currency for the dark web. While it’s unclear exactly when Bitcoin became popular in ransomware attacks, the 2013 CryptoLocker attack definitely put Bitcoin in the spotlight.
CryptoLocker infected more than 250,000 computers over a few months. The criminals made off with about $3 million in Bitcoin and pre-paid vouchers. It took an internationally coordinated operation to take the ransomware offline in 2014.
Since then, Bitcoin has moved closer to the mainstream, and ransomware attacks have become much easier to carry out.
Early ransomware attackers generally had to develop malware programs themselves. Nowadays, ransomware can be bought as a service, just like other software.
Ransomware-as-a-service allows criminals with little technical know-how to “rent” ransomware from a provider, which can be quickly employed against victims. Then if the job succeeds, the ransomware provider gets a cut.
In light of the recent high-profile ransomware attacks, calls for new legislation are growing louder in Washington.
President Joe Biden issued an executive order in May “on improving the nation’s cybersecurity.” The order is geared toward strengthening the federal government’s response to cybercrime, and it looks like more legislation is on the way.
The International Cybercrime Prevention Act was recently introduced by a bipartisan group of senators. The bill aims to ramp up penalties for cyberattacks that impact critical infrastructure, so the Justice Department would have an easier time charging criminals in foreign countries under the new act.
States are also taking their own stands against cybercrime: Four states have proposed legislation to outlaw ransomware payments. North Carolina, Pennsylvania, and Texas are all considering new laws that would outlaw taxpayer money from being used in ransom payments. New York’s law goes a step further and could outright ban private businesses from paying cybercrime ransoms.
“I think the concept of what cryptocurrency is and how it works is something that most legislative bodies worldwide struggle with understanding,” says Evans. “It’s difficult to legislate what we don’t really understand.”