Cryptocurrencies are an important tool for ransomware gangs. It is not without reason that there are regular calls to ban this digital payment method. But that does not solve the problem. So what does?
Ransomware is one of the great challenges of our time. Ransomware attacks cause many billions of euros in damage every year. Eighty percent of organizations worldwide have been attacked in the past two years, according to research from Mimecast. In the Netherlands, it is even 87 percent. The ransom demanded ranges from thousands to millions of euros in bitcoin or another cryptocurrency.
There are good reasons not to pay the ransom. For example, payment does not guarantee that the affected organization will regain access to its data. Sometimes data is still sold or leaked, or the organization is attacked again later. And by paying, victims keep the criminals' revenue model alive. Nevertheless, about half of the Dutch organizations concerned pay the full amount.
More attacks on SMEs
“The ransom is usually less than the total cost of an attack”
This is to some extent understandable, as organizations need to ensure business continuity. The ransom is usually dwarfed by the total cost of an attack, from downtime and loss of data to damage to reputation.
Smaller organizations often have no choice but to pay the ransom. They usually have limited financial reserves, which means they cannot survive a long-term disruption of business operations. Mimecast therefore estimates that SMEs will be targeted more often in the medium and long term. SMEs are also easy ‘practice prey’ for novice cybercriminals who buy a ransomware kit through the dark web (ransomware-as-a-service).
This makes the fight against ransomware extra complex. Agencies like the NCSC and the High Tech Crime Team already have limited resources to protect companies. A large organization often has its own security team or can call in forensic specialists. Because SMEs cannot do this, ransomware attacks there threaten to go unpunished, just like bicycle theft.
Prohibition of ransom payments
The search for a solution includes a ban on the payment of ransom. For example, the Ministry of Justice and Security investigated the possibility of banning insurance companies from paying ransoms. And in the United States, a congressman introduced a bill banning financial institutions from paying ransoms over a hundred thousand dollars.
Cryptocurrencies are really useful for cybercriminals, as many consumers already have a crypto wallet. That makes it easier to pay the ransom. Transactions can be traced, but this requires expertise and is a laborious process. For small amounts, it is often not worth it, not even for the police.
Ransomware attacks are unlikely to go away if we ban cryptocurrencies. Crypto is ‘only’ a means of payment. In the past, criminal money was moved through anonymous bank accounts in Switzerland or the Cayman Islands, or even through another payment system, but now it goes via crypto. Ransomware is an extremely successful business model for cybercriminals. It is very unlikely that they will stop these activities if one of the payment methods is banned.
Alternative payment methods
“If we ban crypto, it will simply go underground”
If we ban crypto, ransomware gangs will fall back on alternatives. And there are plenty of them, even outside the traditional banking system. Recent price declines in many cryptocurrencies are also unlikely to have a major impact on ransomware. Cybercriminals simply demand more cryptocurrency or use a different payment method. The damage remains the same for the affected organization.
The question is also whether it is practically possible to criminalize crypto. If we ban crypto, it will simply go underground. For the same reason, it is unlikely that a general ban on ransom payments will work. At the end of the day, an organization affected by ransomware wants to get back to business as soon as possible. This is a business decision. Survival weighs heavier than principles.
Investment in cybersecurity
What should be done then? The big problem is not that organizations pay ransom or that they do it in crypto, but that many organizations are not yet resilient enough to ransomware. Ransomware attacks pose a serious threat to business. It is therefore crucial that this is a priority in every boardroom.
Every organization must ensure effective, layered protection against ransomware and a well-rehearsed incident response plan. Other important recommendations include the integration of cyber risks into overall risk assessments and continuity planning, the provision of frequent security awareness training for staff and the creation of robust backups.
Is the organization hit by a ransomware attack despite all this? Then it is important to communicate openly and honestly about this with the stakeholders.