Dan is a 20-year veteran of the ICT industry, working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com, Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Ransomware, in which criminals steal an organisation’s data and demand cash to get it back, is one of the world’s biggest cyber threats.
Almost two-thirds of Australian businesses were disrupted by ransomware last year, with around half paying the ransom demanded. And how did they pay? With crypto, of course. Some used ethereum or tether, with monero rising in popularity, but bitcoin is by far the leader in this dark marketplace. Traditional currencies? Not so much.
But if crypto’s decentralised, unregulated nature makes it ransomware gangs’ currency of choice, its fluctuations have sometimes left criminals holding the short end of the stick. So how will the 2022 crypto crash – which saw bitcoin slip to around $40,000 per coin in late May, less than half of its November 2021 peak – affect ransomware groups? And what will it mean for ransomware activity across Australia and New Zealand?
Crypto has slumped before – but this one could be a game changer
Cryptocurrencies are naturally volatile. Bitcoin (which makes up around a third of the sector) slumped in 2018 and in summer 2021. Like most tech investments, crypto moves up and down based on the wider economy. But while more traditional types of financial assets are dominated by institutional investors and trading firms, it’s speculative day traders and amateur investors who drive cryptocurrencies. Amid the hype – with Matt Damon, Kim Kardashian and Charli D'Amelio among the many celebrities to publicly endorse currencies or exchanges – some observers have been warning for years that most cryptocurrencies could end up being worthless.
In May, terra luna, once worth $165 per coin, became virtually worthless. Panic spread, with even more reliable stablecoins dropping significantly. The market has steadied, but shows no sign of climbing back to its pre-crash levels, with many experts pointing to a “crypto winter”, and others questioning whether many cryptocurrencies will ever see another spring. The naysayers point to their huge environmental impact (bitcoin alone has the same carbon footprint as Thailand) and to the fact that crypto’s rise has depended on a ready supply of eager new investors – this collapse may dry that flood and make currencies unsustainable.
Cryptocurrency is crucial to ransom payments
Thanks to its unregulated and decentralised nature, cryptocurrency has long been an integral part of the ransomware trade. According to former US Federal Reserve Chair Ben Bernanke, “Nobody buys groceries with bitcoin because it’s too expensive and too inconvenient to do that… the underlying [value] of a bitcoin is to do ransomware.”
Why is crypto so useful for ransoms? Many bitcoin wallets can be set up without sharing any personal information. Transactions are almost immediate and can be made without engaging with a bank’s know-your-customer (KYC) processes. Once made, cash can be moved between accounts to obscure its origins and pay individual group members. The result is that many, if not most, hackers demand ransoms be paid in cryptocurrency form.
But a busted bitcoin won’t mean the end of the gangs
Will the crypto crash be the downfall of the ransomware gangs? It will certainly hit earnings that haven’t been cashed out and, with recent leaks showing that many criminals don’t get rich off ransomware, that pressure may squeeze some gangs and employees out of business.
And, while crypto and ransomware may be closely linked today, that hasn’t always been the case. The first ransomware attack took place in 1989, but blockchain currencies didn’t exist until 2009. As the rise of ransomware-as-a-service and extortionware shows, cybercriminals aren’t afraid to innovate or diversify – the crypto collapse may just encourage them to bank differently.
Indeed, bitcoin and its rivals can still be tracked. Transactions can be viewed online by anyone and followed from wallet to wallet, even though the parties themselves are anonymous. That trail enabled the FBI to recover half of a $4.4 million ransom payout made by energy giant Colonial Pipeline. Such detective work is not easy, and extensive resources were used in the Colonial Pipeline case because of its importance to the US. But it suggests that cryptocurrencies aren’t the Wild West they are often portrayed as – and in turn hints that encouraging criminals to find alternative financing may be counterproductive.
Ransomware is constantly evolving
Given ransomware’s current upward trajectory, with the ACSC seeing a 15% rise in reported attacks during 2021, it’s more likely gangs will pivot rather than back out of the game. Criminals are already responding to the post-pandemic landscape by pivoting to attack logistics and infrastructure thanks to their role in the economic recovery and reliance on potentially vulnerable Internet of Things (IoT) tech. Attacks on hospitals and local government are likely to continue. Attackers will also double down on attack types that have 'traditional' real-world financial returns such as BEC (like impersonated CEOs requesting fund transfers) or man-in-the-middle attacks that try to redirect payments. These deliver cold, hard cash into the hands of cybercriminals, so we can expect an increase in these sorts of attacks.
While major targeted attacks on corporations, often aided by sophisticated AI and machine-learning tools, will continue to make the headlines, any reduction in profits may see ransomware groups increasingly strike at less well-protected small- and medium-sized enterprises. These attacks rarely target specific organisations. Instead, large-scale phishing attacks are mounted against numerous businesses, with criminals exploiting the leads that result. “Australian small businesses can be easy targets,” said Business Australia’s Phil Parisis. “SMEs account for nearly half of all cybercrime incidents.” Due to poor preparation and an “it won’t happen to me” attitude, smaller companies can be low-hanging fruit for hungry hackers.
The resistance to ransomware needs to move with the times
The crypto crash may result in short-term trouble for ransomware gangs, but it won’t end the plague. In the longer term, increased regulation (including the spread of KYC processes into crypto), better international cooperation and further investment in specialised law enforcement may make cryptocurrencies more sustainable for investors and less attractive to cybercriminals.
Organisations, meanwhile, should be alert to both targeted and indiscriminate attacks. Layered security (including attack surface and threat monitoring) and awareness training can help manage risk. Smaller companies in particular should consider outsourcing some security functions.
These policies are, let’s face it, a far better approach than simply waiting to see if market forces destroy a $1 trillion-odd crypto-shaped chunk of the finance industry (and take ransomware with it). Crypto is likely to prove a major part of the metaverse, and could help empower people who live in nations with untrustworthy financial networks. But the payment method for ransoms isn’t the issue. The challenge is that ransomware itself is here to stay, and will continue to evolve – and so should your cybersecurity.