The risks of ransomware are real: Any organization that relies on computers may be vulnerable to digital extortion. The threat isn't always clear: Malware can be developed or deployed by individuals, state-backed groups or hacking collectives. And the price is high: Computer hijackings can disrupt critical infrastructure, from electricity grids to water systems, endangering lives and economies.
Considering the amorphous threat that ransomware presents, crypto seems to offer a concrete target for action. After all, the Colonial Pipeline hackers were paid in BTC. So was REvil, a group that once targeted Apple, and which demanded $70 million in bitcoin after its recent Kaseya attack. A new crowdsourced tracker, Ransomwhe.re, looks to follow bitcoin payments to wallets associated with ransomware gangs.
But blaming crypto for the rise in ransomware is a mistake, said Marcus Hutchins, a British computer security researcher with a storied career in the malware industry. In a video titled “Why Destroying Bitcoin Wouldn't Stop Ransomware,” Hutchins notes that hackers will find a way, with or without bitcoin.
“Cryptocurrency has certainly made ransomware more accessible and contributed to its proliferation, but without it these kinds of attacks would have persisted,” he told CoinDesk. When ransomware first took hold as a criminal industry around 2012, operators typically demanded payment in U.S. dollars.
While recent corporate hacks have mostly been paid for in crypto – Chainalysis found cryptocurrency payments to ransomware gangs spiked to $412 million last year – that is not, Hutchins argues, reason enough to take action against a nascent industry.
“We have absolutely no data on what corporate ransomware attacks might look like without cryptocurrency. We can only theorize based on past techniques, but not future innovations. Therefore, advocating banning cryptocurrency to stop ransomware is naive at best,” he tweeted.
Hutchins is renowned in the hacker community for stopping WannaCry in 2017 by registering the malware's kill-switch domain. At the time it was the largest ransomware attack on record, infecting hundreds of thousands of computers worldwide and shutting down over a dozen U.K. hospitals.
He has also built darknet sites, botnets and malware. As a teenager, Hutchins began spending time on web forums, where he fell into ghostwriting malicious code. It paid well, in recreational drugs and bitcoin. One piece of that code would eventually land him in U.S. custody, a story told in full by Wired.
Since reformed, Hutchins has worked to reverse engineer malware and provide security advice. He also started a popular blog, MalwareTech. Having watched the ransomware industry evolve over the past decade, Hutchins says emphatically that the recent rise in ransomware cannot be pinned on crypto.
CoinDesk caught up with him to hear more.
Is there a natural rate of ransomware attacks we might expect even if bitcoin/crypto were banned/never existed?
Cryptocurrency has certainly made ransomware more accessible and contributed to its proliferation, but without it these kinds of attacks would have persisted. The sophisticated cyber-crime groups have access to money laundering networks, so are capable of working with USD. It's impossible to estimate how much ransomware there'd be without cryptocurrency, because today's corporate targeted ransomware only came about around 2016, when cryptocurrency was already the norm for payments.
Some have said bitcoin is a horrible currency to use for criminal operations as every transaction is recorded. What happened after the Colonial Pipeline hack is case in point. What do you think?
Typically bitcoin is preferred, as it can facilitate fast, frictionless, automated payment validation infrastructure. But, due to its traceable nature, many gangs opt to cash out the bitcoin and launder in USD instead.
You’ve noted that ransomware uses the banking system, money transmitters like Western Union, alternatives like Liberty Reserve and crypto. Considering the scope and history of cybercrime, is the only potential solution to ransomware more surveillance of all financial systems?
No. This is not a solution at all, only a partial mitigation. While gangs are capable of operating with impunity from non-extradition countries, it doesn't matter how easily they can be tracked down if they cannot be arrested or stopped.
The way hackers are written about sometimes paints ransomware as a professionalizing industry. Does this square with your experience?
Yes, some of these groups have complex organization structures with departments, management and task pipelines.
What would you generally recommend to a company or government that has been infected?
It's important to undergo an external IR to investigate the full scale and scope of the attack.
NTT, a Japanese tech services provider, found that cryptojackers made up 41% of all detected malware in 2020. What do you make of this trend? Is this cause for legitimate concern? Is it just a matter of rising crypto prices?
Cryptojacking is one of the ways to monetize device access with the lowest barrier to entry; as a result, it's accessible to even the lowest skilled hackers, thus very widespread. Due to the non-destructive nature of cryptojacking I believe it's something to be addressed, but not a high priority threat like ransomware.
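The traceability Hutchins describes above (every bitcoin payment is recorded, so gangs peel funds off towards exchanges and cash out) is what trackers such as Ransomwhe.re and blockchain analytics firms rely on. The following is an added example, not code from the article or from any of the people or projects it mentions: it follows a ransom payment forward through a small, constructed transaction graph using proportional ("haircut") taint, the simplest of the attribution rules used in practice. All transaction IDs, addresses, amounts and the "exchange deposit" labels are made up for illustration; real analysis would parse chain data, cluster addresses and handle mixers, none of which is attempted here.

```python
"""Forward taint tracing over a constructed Bitcoin-style transaction graph.

Added example with constructed data. Each transaction spends earlier outputs
(by (txid, vout) reference) and creates new outputs (address, satoshis).
Taint starts at outputs paying the known ransom address and is propagated
forward with the proportional ("haircut") rule: every output of a transaction
carries the same tainted fraction as the transaction's combined inputs.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Set, Tuple

OutRef = Tuple[str, int]          # (txid, vout)


@dataclass
class Tx:
    txid: str
    inputs: List[OutRef]          # outputs this transaction spends
    outputs: List[Tuple[str, int]]  # (address, amount in satoshis)


# Constructed graph (not real chain data):
#   victim_pay : victim pays 2.0 BTC to the ransom address (funding source)
#   clean_fund : 0.5 BTC of unrelated funds (funding source)
#   peel_1     : operator peels 0.5 BTC to an exchange deposit, keeps 1.5 BTC
#   mix        : change is combined with the clean coins and split again,
#                paying a second exchange deposit (0.01 BTC goes to fees)
TXS = [
    Tx("victim_pay", [], [("ransom_addr", 200_000_000)]),
    Tx("clean_fund", [], [("clean_addr", 50_000_000)]),
    Tx("peel_1", [("victim_pay", 0)],
       [("exch_deposit_A", 50_000_000), ("change_1", 150_000_000)]),
    Tx("mix", [("peel_1", 1), ("clean_fund", 0)],
       [("exch_deposit_B", 100_000_000), ("change_2", 99_000_000)]),
]
SEEDS = {"ransom_addr"}                          # hypothetical ransom address
SINKS = {"exch_deposit_A", "exch_deposit_B"}    # hypothetical exchange deposits


def trace_taint(txs: List[Tx], seeds: Set[str],
                sinks: Set[str]) -> Dict[str, Tuple[Fraction, int]]:
    """Return {sink_address: (tainted_satoshis, min_hops_from_seed)}.

    Transactions may be given in any order; each is processed once every
    output it spends is known (a dangling reference raises ValueError).
    """
    amount: Dict[OutRef, int] = {}
    taint: Dict[OutRef, Tuple[Fraction, int]] = {}
    by_id = {tx.txid: tx for tx in txs}
    pending = list(txs)
    while pending:
        ready = [tx for tx in pending if all(ref in amount for ref in tx.inputs)]
        if not ready:
            raise ValueError("dangling input reference; graph is incomplete")
        for tx in ready:
            total_in = sum(amount[ref] for ref in tx.inputs)
            tainted_in = sum(taint[ref][0] for ref in tx.inputs if ref in taint)
            hops_in = [taint[ref][1] for ref in tx.inputs if ref in taint]
            # Fraction of the spent value that is tainted; the fee share of
            # the taint simply disappears (it is never assigned to an output).
            ratio = Fraction(tainted_in) / total_in if total_in else Fraction(0)
            for vout, (addr, sats) in enumerate(tx.outputs):
                ref = (tx.txid, vout)
                amount[ref] = sats
                if addr in seeds:
                    taint[ref] = (Fraction(sats), 0)      # fully tainted seed
                elif ratio:
                    taint[ref] = (ratio * sats, min(hops_in) + 1)
            pending.remove(tx)

    report: Dict[str, Tuple[Fraction, int]] = {}
    for (txid, vout), (tainted, hops) in taint.items():
        addr = by_id[txid].outputs[vout][0]
        if addr in sinks:
            prev_amt, prev_hops = report.get(addr, (Fraction(0), hops))
            report[addr] = (prev_amt + tainted, min(prev_hops, hops))
    return report


def reached_share(report: Dict[str, Tuple[Fraction, int]],
                  ransom_sats: int) -> Fraction:
    """Fraction of the original ransom that reached any sink address."""
    return sum((amt for amt, _ in report.values()), Fraction(0)) / ransom_sats


if __name__ == "__main__":
    result = trace_taint(TXS, SEEDS, SINKS)
    for addr, (sats, hops) in sorted(result.items()):
        print(f"{addr}: {float(sats) / 1e8:.4f} BTC tainted, {hops} hop(s) from ransom address")
    print(f"share of ransom reaching exchanges: {float(reached_share(result, 200_000_000)):.3f}")
```

With the constructed data, the first exchange deposit receives 0.5 BTC of fully tainted funds one hop from the ransom address, while the second receives 1.0 BTC of which only three quarters (0.75 BTC) traces back to the ransom, because the mixing transaction combined 1.5 BTC of tainted change with 0.5 BTC of clean coins. The haircut rule is deliberately the simplest choice; FIFO/LIFO and poison rules give different attributions on the same graph, which is one reason tracing alone is, as Hutchins puts it, a mitigation rather than a solution.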