September 5, 2021
How to Stop Ransomware
by Paul Carroll
We can target ransomware payments in quite straightforward ways -- and, if the criminals can't get their money, what's the point in hacking?
When notorious criminal John Dillinger was asked during the Depression why he robbed banks, he famously replied: “Because that’s where the money is.” That simple observation may offer an answer to the surge of ransomware.
Even as companies struggle to strengthen their protections against hackers, we can target ransomware payments in some quite straightforward ways — and, if the criminals can’t get their money, what’s the point in hacking?
As this essay in the New York Times argues, “The United States does not have a ransomware problem so much as it has an anonymous ransom problem. If we can change the payment system to make the kidnapping [of businesses] less profitable, we will go a long way toward a solution.”
The author, Paul Rosenzweig, a former senior official in the Department of Homeland Security, says 95% to 98% of criminals involved in kidnapping people for ransom are caught and convicted, partly because they can be identified when the transfer of money occurs. By contrast, hackers demand ransom in cryptocurrency, which, as of now, is extremely hard to trace.
Rosenzweig argues that the U.S. government could simply “adopt and enforce regulations for the cryptocurrency industry that are equivalent to those that govern the traditional banking industry. Cryptocurrency exchanges, ‘kiosks’ and trading ‘desks’ are not complying with laws that target money laundering, financing of terrorism and suspicious-activity reporting….
“For example, some cryptocurrency services offer a ‘tumbler’ feature. Tumblers take cryptocurrencies from many sources, mix them up and then redistribute them, making financial transactions harder to trace. This practice looks like money laundering and would be illegal in the nonvirtual world.”
Even though countries like Russia will probably continue to offer safe havens for ransomware thieves, the U.S. can take unilateral action and “refuse access to [the U.S. banking system] by cryptocurrency exchanges unless they demonstrate that they are equipped and prepared to prevent ransomware payoffs…. To be fully valuable, digital currency must also be convertible to cash, so the exchanges would have a strong incentive to comply.”
The U.S. could also require foreign banks to “impose stricter regulations on cryptocurrency. Because access to the American financial market is vitally important to foreign banks, they, too, would have a strong incentive to comply.”
There has been at least a bit of precedent for tracking and recovering the cryptocurrency used to pay corporate ransoms — after hackers shut down Colonial Pipeline in early May and were paid a ransom in Bitcoin that was valued at $4.4 million at the time, authorities recovered 85% of the Bitcoins.
There is also precedent for blocking illegal activities by cutting off access to the banking system. I saw an instance up close and personal in the mid-2000s when I was working on a book project with one of the world’s top poker players. He was involved in one of a series of high-profile efforts to take the popularity of poker on cable TV and leverage it to build a massive online gambling site. While online gambling was illegal in the U.S., plenty of jurisdictions in the Caribbean were willing to host the site. Then the U.S. enacted a law that imposed major penalties on any U.S. bank that handled transactions for online gambling sites. And that was that. All the attempts at building national online poker sites shriveled up and died.
I suspect that companies and their insurers will still bear the brunt of ransomware for some time to come. Companies will need to shore up their defenses, with advice that insurers have developed by working with many clients across multiple industries and with technology companies that are working to stay one step ahead of the hackers. But aggressive action by the federal government could reduce ransomware significantly by going after the flows of money.
I look forward to the day when someone writes an article declaring the end of this scourge. I even have a headline in mind:
“Ransomware: Where the Money Isn’t.”