How Cryptocurrency Fuels Ransomware


Posted on by Patrick Garrity

Ransomware attacks have reached a new high—and cryptocurrency is one likely culprit helping to fuel the fire.

From a financial perspective, cryptocurrency has real advantages. It cuts out the intermediary, which lowers fees, eases international trade and simplifies transactions. But those very properties, above all the absence of any intermediary who can vet, block or reverse a payment, are what make cryptocurrency such a useful tool for cyberattackers, particularly ransomware gangs.

The Rise of Ransomware

Ransomware is a damaging form of malware in which cybercriminals encrypt an organization's data, lock users out of infrastructure and servers, and demand payment in exchange for the decryption key needed to resume business operations. It is a major threat to small and medium-sized organizations, especially in government, healthcare and education. Even more concerning is the emergence of ransomware as a service (RaaS), in which ransomware developers sell or lease their code and infrastructure to affiliates, making it far easier for less technically skilled criminals to run ransomware campaigns.

Ransomware attacks increased by 485% in 2020, according to Bitdefender's 2020 consumer report. News outlets are flooded with stories of ransomware attacks across the world. In March of 2021 alone, there were 151 reports of cybersecurity incidents. Victims spanned higher education, local and state government, and healthcare, including Buffalo Public Schools, Broward County Public Schools, the city of Frankfort, Ky., the city of Covington, La., and the Southern Illinois University School of Medicine.

Especially for small and medium-sized businesses, the impact of ransomware is severe and often catastrophic; the financial hit has forced many companies to shut down operations completely. For hospitals, the consequences can be even more dire. In September 2020 a ransomware attack on a German university hospital forced an emergency patient to be diverted to a hospital in another city, and she died; prosecutors later concluded the delay was not the decisive cause of death, but the case showed how directly an attack on IT systems can reach patient care.

The COVID-19 pandemic is another factor fueling ransomware. As companies rushed to the cloud and to remote access to support work from home at scale, they often left security gaps, such as exposed remote-access services and weak or reused credentials, that attackers use for initial access.

The Cryptocurrency Conundrum

Cryptocurrency is one of the key enabling factors that allows cybercriminals to deploy a massive amount of ransomware across state and local agencies, said Christopher Krebs, former Department of Homeland Security official, in a recent Real Time with Bill Maher interview.

Cryptocurrency networks make it possible to exchange payment without an authoritative third party. With cryptocurrencies such as Bitcoin and Ethereum, cybercriminals can receive payments at a pseudonymous address that no bank has vetted and that no one can freeze or reverse. The transactions themselves are recorded on a public ledger and can be followed, and tracing funds to an exchange that holds identity records is how investigators have recovered some ransom payments; but attackers counter with mixing services, chain hopping and privacy coins such as Monero, which make attribution slow and uncertain.

Banks and other regulated financial institutions send international transfers over the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, whose members are vetted institutions, and domestic ones over ACH and wire rails that carry know-your-customer and anti-money-laundering obligations. ACH and wire fraud still occur, but unlike a confirmed cryptocurrency transaction, there is usually a window in which a transfer can be stopped or recalled.

Perhaps more worrying still is decentralized finance, or DeFi, which builds on smart contracts running on blockchains like Ethereum. A legitimate use case for smart contracts would be governing company equity, freeing legal teams from handling stock transfers by hand.

But there are malicious use cases for smart contracts, too, especially when combined with cryptocurrency. Hypothetically, a threat actor could deploy a contract that issues ownership tokens to backers; when a ransom payment arrives at the contract, it is split automatically among token holders in proportion to their stake, with no trusted intermediary and no one able to halt the payout. Smart contracts could thereby turn ransomware into an investable enterprise, drawing in investors who never touch the malware themselves.

Cryptocurrencies like the hypothetical DDoSCoin, proposed in a 2016 academic paper as a proof of concept, could extend cryptocurrency-fueled incidents beyond ransomware to distributed denial-of-service (DDoS) attacks. DDoSCoin's malicious proof-of-work puzzle rewards miners for demonstrably opening large numbers of TLS connections to a chosen victim server, so the act of mining is itself a DDoS attack, and the coin both measures and pays for the damage.

Preventing and Detecting Ransomware

Cryptocurrencies enable opportunities for ransomware to not only continue but to expand and incentivize cybercriminals even further. That’s why it’s even more important for organizations to have a plan if ransomware does get deployed.

  • Know the warning signs. Today's ransomware intrusions tend to move quickly, sometimes from initial access to encryption in as little as 12 hours, but there are still signs that IT and security teams can look for to limit the damage or stop an attack outright. Warning signs include internal network scanning, Mimikatz or other credential dumping, password spraying, unauthorized remote access, and the appearance of software removal and rootkit tools such as IObit Uninstaller and GMER, which attackers use to strip endpoint protection before deploying the payload.
  • Don't pay the ransom. There is no guarantee that a company will get its data back even if it pays. Paying also funds the next attack, and if the recipient is a sanctioned entity it can expose the payer to civil penalties; the U.S. Treasury's Office of Foreign Assets Control (OFAC) issued an advisory on exactly this risk in October 2020.
  • Implement controls like backups and security monitoring. One of the biggest challenges for IT and security teams is a lack of visibility, which lets an intruder's activity go unnoticed until encryption starts. Security teams should deploy an incident detection and response solution that monitors the environment and alerts them to potential security incidents. IT teams should also maintain backups that can restore the environment after an attack: kept offline or otherwise immutable so the ransomware cannot encrypt or delete them, and exercised in regular restore tests so the recovery time is known before it matters.
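A triage pass over the warning signs above, as an added example that is not code from the original post or from Blumira. It reads constructed Windows-style security events in a simplified pipe-delimited line format (an assumption of this example, not any product's export format) and flags password spraying, execution of the credential-dumping and AV-removal tools named above, RDP logons from sources outside a hypothetical allow-list, and one host sweeping a subnet on SMB. The thresholds, the allow-list and the sample events are all made up for the example.

```python
"""
Added example, not from the original post or from Blumira.

Assumption: events arrive as pipe-delimited lines
    <ISO timestamp>|<event id>|key=value|key=value|...
Event IDs follow Windows Security-log conventions: 4625 failed logon,
4624 successful logon (logon_type 10 = RDP), 4688 process creation,
5156 permitted network connection. Field names are this example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)     # burst window for spraying and scanning
SPRAY_DISTINCT_USERS = 5           # distinct accounts failing from one source
SCAN_DISTINCT_HOSTS = 5            # distinct destinations from one source
KNOWN_RDP_SOURCES = {"10.0.0.5"}   # hypothetical jump host allowed to use RDP

# Tools called out in the post; image names are compared case-insensitively.
SUSPICIOUS_PROCESSES = {
    "mimikatz.exe": "credential dumping (Mimikatz)",
    "iobituninstaller.exe": "security-software removal (IObit Uninstaller)",
    "gmer.exe": "rootkit/AV-tampering tool (GMER)",
}

# Constructed sample events for this example.
SAMPLE_EVENTS = [
    "2021-03-05T02:00:00|4625|src=203.0.113.9|user=alice",
    "2021-03-05T02:00:01|4625|src=203.0.113.9|user=bob",
    "2021-03-05T02:00:02|4625|src=203.0.113.9|user=carol",
    "2021-03-05T02:00:03|4625|src=203.0.113.9|user=dave",
    "2021-03-05T02:00:04|4625|src=203.0.113.9|user=erin",
    "2021-03-05T02:00:05|4625|src=203.0.113.9|user=frank",
    "2021-03-05T02:10:00|4624|src=203.0.113.9|user=frank|logon_type=10",
    "2021-03-05T02:12:30|4688|host=FS01|user=frank|image=C:\\Temp\\mimikatz.exe",
    "2021-03-05T02:20:00|4688|host=FS01|user=frank|image=C:\\Tools\\IObitUninstaller.exe",
    "2021-03-05T09:00:00|4625|src=10.0.0.7|user=alice",                 # one typo, benign
    "2021-03-05T09:00:30|4624|src=10.0.0.5|user=admin|logon_type=10",  # allow-listed jump host
    "2021-03-05T09:01:00|4688|host=WS22|user=alice|image=C:\\Windows\\System32\\notepad.exe",
] + [  # FS01 sweeping the subnet on SMB: eight hosts in eight seconds
    f"2021-03-05T02:15:{i:02d}|5156|src=10.0.1.20|dst=10.0.1.{30 + i}|dport=445"
    for i in range(8)
]


def parse_event(line):
    """Parse one pipe-delimited line into a dict with 'ts', 'id' and the k=v fields."""
    parts = line.strip().split("|")
    ev = {"ts": datetime.fromisoformat(parts[0]), "id": int(parts[1])}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def _bursts(per_source, threshold, ftype, what):
    """Flag each source that touches >= threshold distinct values inside WINDOW."""
    out = []
    for src, events in per_source.items():
        events.sort()                      # (timestamp, value) pairs, oldest first
        for i, (t0, _) in enumerate(events):
            distinct = {v for t, v in events[i:] if t - t0 <= WINDOW}
            if len(distinct) >= threshold:
                out.append({"type": ftype, "subject": src,
                            "detail": f"{len(distinct)} {what} within {WINDOW}"})
                break                      # one finding per source is enough
    return out


def detect(lines):
    """Return a list of findings, each a dict with 'type', 'subject' and 'detail'."""
    findings = []
    failures = defaultdict(list)   # src -> [(ts, user)]  for password spraying
    conns = defaultdict(list)      # src -> [(ts, dst)]   for network scanning
    for ev in map(parse_event, lines):
        if ev["id"] == 4625:
            failures[ev["src"]].append((ev["ts"], ev["user"]))
        elif ev["id"] == 5156:
            conns[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["id"] == 4688:
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in SUSPICIOUS_PROCESSES:
                findings.append({"type": "suspicious_tool", "subject": ev["host"],
                                 "detail": f"{SUSPICIOUS_PROCESSES[name]} run by {ev['user']}"})
        elif (ev["id"] == 4624 and ev.get("logon_type") == "10"
              and ev["src"] not in KNOWN_RDP_SOURCES):
            findings.append({"type": "unexpected_remote_access", "subject": ev["src"],
                             "detail": f"RDP logon as {ev['user']} from an unlisted source"})
    findings += _bursts(failures, SPRAY_DISTINCT_USERS, "password_spraying",
                        "distinct accounts failed to log on")
    findings += _bursts(conns, SCAN_DISTINCT_HOSTS, "network_scanning",
                        "distinct hosts contacted")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['type']}] {f['subject']}: {f['detail']}")
```

On the sample data the script raises five findings: the spray from 203.0.113.9, the RDP logon from that same address once a password finally worked, the two tool executions on FS01, and FS01's SMB sweep; the single failed logon from 10.0.0.7 and the RDP session from the allow-listed jump host produce nothing. The sliding window in `_bursts` is the part worth keeping: a count-per-day threshold would miss a spray spread over a quiet hour, while a short window keyed on distinct accounts (rather than raw failure count) separates spraying from one user mistyping a password.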

Contributor: Patrick Garrity, VP of Operations, Blumira

Topic: Protecting Data & Applied Crypto

Tag: ransomware

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.