Understanding the Cryptocurrency-Ransomware Connection

Unfortunately for the law-abiding of the world, ransomware is an idea that caught on immediately and never lost steam. In fact, it’s grown to the point that it now contributes to a thriving cybercrime business, often targeting large sectors, including education, finance, healthcare, the legal sector, and manufacturing. According to Fortinet research, by the end of 2020, there were as many as 17,200 devices reporting ransomware each day. 

Ransomware was widespread long before cryptocurrency came along, but in recent years, both have skyrocketed in tandem. Because cryptocurrency is difficult to trace, cybercriminals have rapidly switched to it as their preferred method for ransom payments. In fact, DarkSide, the group behind the high-profile attack on Colonial Pipeline, purportedly raked in $90 million in Bitcoin ransom payments before shutting down in May.

So, why is this happening? And what do you need to know? Read on. 

The appeal of cryptocurrency

Bad actors extorting money from victim organizations via ransomware used to rely on wire transfer services or other forms of payment in regular currency. While these got the job done, they also came with a paper trail – a very traceable one, in most cases. And that made it easy for the FBI to track the bad actors down.

Meanwhile, cryptocurrency has surged in value in the past couple of years, and new currencies continue to be launched – though Bitcoin and Dogecoin continue to lead the pack. Bitcoin, in particular, soared to new highs during the pandemic, breaking through to an all-time high of more than $64,000 in the second quarter of 2021.

This popularity extends to cybercriminals. These days, almost all ransomware attackers demand payment in some form of cryptocurrency, which makes it a lot harder to identify the actual person behind the keyboard and doesn’t leave the same kind of paper trail. It’s also faster – payments can be made almost instantly. For bad actors, this kind of convenience is a no-brainer.

Cryptocurrency also makes it easier to diversify across payment platforms and to demand payment in several smaller amounts sent to different digital wallets, which again makes the money hard for law enforcement to trace. Attackers can also diversify in terms of the coins and platforms they use. The Colonial Pipeline ransomware attack, in which the federal government was able to retrieve $5 million of the payment the company made to its attackers, is a definite exception to the rule – a highly unusual and rare incident.

Bad actors are also undoubtedly able to leverage fear, uncertainty and doubt about cryptocurrency itself. It’s such a comparatively new technology that many people still don’t fully understand it.

More options, more bad actors

Another big trend within this parallel rise is the growth in variety. Back when bad actors relied on wire transfers and left lengthy paper trails behind, there weren’t as many of them. There were just a handful of ransomware operators and just a few “flavors” of ransomware. These days, there are more varieties of ransomware and far more criminal operators, especially when it comes to affiliate programs. Even novice attackers can be successful today by buying Ransomware-as-a-Service (RaaS) and other kit-like tools, which have lowered the bar to entry. At the same time, there’s been a shift toward “VIP” programs, or the use of hand-selected partners, to commit these major, seven-figure attacks. While there used to be hundreds or thousands of affiliates to partner with, bad actors are now being a little pickier about whom they work with for their large targets and ransom demands.

Concurrently, there are new cryptocurrencies being added to the marketplace regularly. While Bitcoin, Dogecoin and Ethereum are probably the three we hear of most often, they’re far from the only options in an increasingly crowded space. As of May 2021, there were more than 10,000 different cryptocurrencies available. That’s a whole lot of options for bad actors looking to fly under the radar when collecting ransom payments.

Putting the brakes on crypto-tied ransomware plots 

The cryptocurrency market has certainly seen its ups and downs in the past year, but it doesn’t show any sign of slowing down completely. And the rise of NFTs (non-fungible tokens) goes along with this. Likewise, ransomware shows no signs of stopping. Whether it’s Kaseya, JBS, Colonial Pipeline or the hundreds of incidents that don’t make international headlines each year, ransomware is huge business – and it’s increasingly organized.

How can organizations fight ransomware? The best solution is always prevention. Here are three tactics toward that goal:

Cyber hygiene must be part of board-level conversations, as should training and risk management. Attackers often target high-value assets at organizations, as these have greater access to the network. Those in leadership must be trained to spot malicious tactics and ensure all other employees are trained, too.

Ransomware mitigation strategies must be put in place. These include zero-trust access (ZTA), regular data back-ups to an offsite location, data encryption and immediate patching of vulnerabilities.

Collaboration must be prioritized. More data enables more effective responses, so share it with all internal and external stakeholders, including law enforcement. Sharing intelligence with law enforcement and other global security organizations is the only way to effectively take down cybercrime groups.

Get involved

Ransomware is everywhere, it seems, in parallel with the growth of cryptocurrency. This isn’t a complete coincidence; bad actors have quickly figured out that cryptocurrency is an ideal vehicle for quickly receiving almost-untraceable ransoms. As usual, they are weaponizing technology that was meant to make things more convenient for people. Yet time-honored security wisdom, coupled with modern tools and international cooperation, can help bring down the cybercrime ecosystem. Use the tactics noted above to ransomware-proof your organization and help others catch their attackers.

Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet’s FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives, including NATO NICP, the INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.