Disrupting Ransomware by Disrupting Bitcoin

Ransomware isn’t new; the idea dates back to 1986 with the “Brain” computer virus. Now, it’s become the criminal business model of the internet for two reasons. The first is the realization that no one values data more than its original owner, and it makes more sense to ransom it back to them—sometimes with the added extortion of threatening to make it public—than it does to sell it to anyone else. The second is a safe way of collecting ransoms: bitcoin.

This is where the suggestion to ban cryptocurrencies as a way to “solve” ransomware comes from. Lee Reiners, executive director of the Global Financial Markets Center at Duke Law, proposed this in a recent Wall Street Journal op-ed. Journalist Jacob Silverman made the same proposal in a New Republic essay. Without this payment channel, they write, the major ransomware epidemic is likely to vanish, since the only payment alternatives are suitcases full of cash or the banking system, both of which have severe limitations for criminal enterprises.

It’s the same problem kidnappers have had for centuries. The riskiest part of the operation is collecting the ransom. That’s when the criminal exposes themselves, by telling the payer where to leave the money. Or gives out their banking details. This is how law enforcement tracks kidnappers down and arrests them. The rise of an anonymous, global, distributed money-transfer system outside of any national control is what makes computer ransomware possible.

This problem is made worse by the nature of the criminals. They operate out of countries that don’t have the resources to prosecute cybercriminals, like Nigeria; or protect cybercriminals that only attack outside their borders, like Russia; or use the proceeds as a revenue stream, like North Korea. So even when a particular group is identified, it is often impossible to prosecute. Which leaves the only tools left a combination of successfully blocking attacks (another hard problem) and eliminating the payment channels that the criminals need to turn their attacks into profit.

In this light, banning cryptocurrencies like bitcoin is an obvious solution. But while the solution is conceptually simple, it’s also impossible because—despite its overwhelming problems—there are so many legitimate interests using cryptocurrencies, albeit largely for speculation and not for legal payments.

We suggest an easier alternative: merely disrupt the cryptocurrency markets. Making them harder to use will have the effect of making them less useful as a ransomware payment vehicle, and not just because victims will have more difficulty figuring out how to pay. The reason requires understanding how criminals collect their profits.

Paying a ransom starts with a victim turning a large sum of money into bitcoin and then transferring it to a criminal controlled “account.” Bitcoin is, in itself, useless to the criminal. You can’t actually buy much with bitcoin. It’s more like casino chips, only usable in a single establishment for a single purpose. (Yes, there are companies that “accept” bitcoin, but that is mostly a PR stunt.) A criminal needs to convert the bitcoin into some national currency that he can actually save, spend, invest, or whatever.

This is where it gets interesting. Conceptually, bitcoin combines numbered Swiss bank accounts with public transactions and balances. Anyone can create as many anonymous accounts as they want, but every transaction is posted publicly for the entire world to see. This creates some important challenges for these criminals.

First, the criminal needs to take efforts to conceal the bitcoin. In the old days, criminals used “mixing services“: third parties that would accept bitcoin into one account and then return it (minus a fee) from an unconnected set of accounts. Modern bitcoin tracing tools make this money laundering trick ineffective. Instead, the modern criminal does something called “chain swaps.”

In a chain swap, the criminal transfers the bitcoin to a shady offshore cryptocurrency exchange. These exchanges are notoriously weak about enforcing money laundering laws and—for the most part—don’t have access to the banking system. Once on this alternate exchange, the criminal sells his bitcoin and buys some other cryptocurrency like Ethereum, Dogecoin, Tether, Monero, or one of dozens of others. They then transfer it to another shady offshore exchange and transfer it back into bitcoin. Voila­—they now have “clean” bitcoin.

Second, the criminal needs to convert that bitcoin into spendable money. They take their newly cleaned bitcoin and transfer it to yet another exchange, one connected to the banking system. Or perhaps they hire someone else to do this step. These exchanges conduct greater oversight of their customers, but the criminal can use a network of bogus accounts, recruit a bunch of users to act as mules, or simply bribe an employee at the exchange to evade whatever laws there. The end result of this activity is to turn the bitcoin into dollars, euros, or some other easily usable currency.

Both of these steps—the chain swapping and currency conversion—require a large amount of normal activity to keep from standing out. That is, they will be easy for law enforcement to identify unless they are hiding among lots of regular, noncriminal transactions. If speculators stopped buying and selling cryptocurrencies and the market shrunk drastically, these criminal activities would no longer be easy to conceal: there’s simply too much money involved.

This is why disruption will work. It doesn’t require an outright ban to stop these criminals from using bitcoin—just enough sand in the gears in the cryptocurrency space to reduce its size and scope.

How do we do this?

The first mechanism observes that the criminal’s flows have a unique pattern. The overall cryptocurrency space is “zero sum”: Every dollar made was provided by someone else. And the primary legal use of cryptocurrencies involves speculation: people effectively betting on a currency’s future value. So the background speculators are mostly balanced: One bitcoin in results in one bitcoin out. There are exceptions involving offshore exchanges and speculation among different cryptocurrencies, but they’re marginal, and only involve turning one bitcoin into a little more (if a speculator is lucky) or a little less (if unlucky).

Criminals and their victims act differently. Victims are net buyers, turning millions of dollars into bitcoin and never going the other way. Criminals are net sellers, only turning bitcoin into currency. The only other net sellers are the cryptocurrency miners, and they are easy to identify.

Any banked exchange that cares about enforcing money laundering laws must consider all significant net sellers of cryptocurrencies as potential criminals and report them to both in-country and US financial authorities. Any exchange that doesn’t should have its banking forcefully cut.

The US Treasury can ensure these exchanges are cut out of the banking system. By designating a rogue but banked exchange, the Treasury says that it is illegal not only to do business with the exchange but for US banks to do business with the exchange’s bank. As a consequence, the rogue exchange would quickly find its banking options eliminated.

A second mechanism involves the IRS. In 2019, it started demanding information from cryptocurrency exchanges and added a check box to the 1040 form that requires disclosure from those who both buy and sell cryptocurrencies. And while this is intended to target tax evasion, it has the side consequence of disrupting those offshore exchanges criminals rely to launder their bitcoin. Speculation on cryptocurrency is far less attractive since the speculators have to pay taxes but most exchanges don’t help out by filing 1099-Bs that make it easy to calculate the taxes owed.

A third mechanism involves targeting the cryptocurrency Tether. While most cryptocurrencies have values that fluctuate with demand, Tether is a “stablecoin” that is supposedly backed one-to-one with dollars. Of course, it probably isn’t, as its claim to be the seventh largest holder of commercial paper (short-term loans to major businesses) is blatantly untrue. Instead, they appear part of a cycle where new Tether is issued, used to buy cryptocurrencies, and the resulting cryptocurrencies now “back” Tether and drive up the price.

This behavior is clearly that of a “wildcat bank,” an 1800s fraudulent banking style that has long been illegal. Tether also bears a striking similarity to Liberty Reserve, an online currency that the Department of Justice successfully prosecuted for money laundering in 2013. Shutting down Tether would have the side effect of eliminating the value proposition for the exchanges that support chain swapping, since these exchanges need a “stable” value for the speculators to trade against.

There are further possibilities. One involves treating the cryptocurrency miners, those who validate all transactions and add them to the public record, as money transmitters—and subject to the regulations around that business. Another option involves requiring cryptocurrency exchanges to actually deliver the cryptocurrencies into customer-controlled wallets.

Effectively, all cryptocurrency exchanges avoid transferring cryptocurrencies between customers. Instead, they simply record entries in a central database. This makes sense because actual “on chain” transactions can be particularly expensive for cryptocurrencies like bitcoin or Ethereum. If all speculators needed to actually receive their bitcoins, it would make clear that its value proposition as a currency simply doesn’t exist, as the already strained system would grind to a halt.

And, of course, law enforcement can already target criminals’ bitcoin directly. An example of this just occurred, when US law enforcement was able to seize 85% of the $4 million ransom Colonial Pipeline paid to the criminal organization DarkSide. That by the time the seizure occurred the bitcoin lost more than 30% of its value is just one more reminder of how unworkable bitcoin is as a “store of value.”

There is no single silver bullet to disrupt either cryptocurrencies or ransomware. But enough little disruptions, a “death of a thousand cuts” through new and existing regulation, should make bitcoin no longer usable for ransomware. And if there’s no safe way for a criminal to collect the ransom, their business model becomes no longer viable.

This essay was written with Nicholas Weaver, and previously appeared on Slate.com.

Tags: , , , , ,

Posted on July 26, 2021 at 6:30 AM58 Comments

Comments

Michael P July 26, 2021 7:16 AM

Aren’t most Bitcoin miners also going to be net sellers of cryptocurrencies? Mining pools mean that there will be at least some transfer between the account that gets mining credit and the account that eventually sells the cryptocurrency for fiat currency. How would you propose to disrupt the ransomware market without substantially disrupting these legitimate (at least to the first order) market participants?

July 26, 2021 7:38 AM

While this may be effective against ransomware, it misses out on non-money-driven hacking. Only more secure and resilient software and hardware will protect us from that. While it probably is harder, it would be more impactful for prevention and less disruptive for legitimate uses of cryptocurrencies.

Matthias Hörmann July 26, 2021 7:46 AM

The link labelled mixing services has some sort of syntax error and does not show up as a link in the output.

Anonymous July 26, 2021 7:48 AM

What this blog is actually describing is “Disrupting Ransomware by Disrupting Government Currency”. Essentially it wants to exploit all the problem government currency has to attack the ransomware people, which is nothing new. Ultimately, moves like these would make cryptocurrency more appealing to be used as an actual currency, because using crypto just doesn’t have these exploits.

Szymon Sokół July 26, 2021 9:40 AM

How would you propose to disrupt the ransomware market without substantially disrupting these legitimate (at least to the first order) market participants?
But what for? The sooner the miners go out of business, the better. They drive up prices of hardware (GPUs in particular), consume huge amounts of energy adding to the global CO2 emission, and absolutely in no way make the world better. In my book, Bruce’s suggestion is hitting two birds – the hackers and the miners – with one stone.

Andamo July 26, 2021 10:07 AM

‘Disrupting the Payment Channel’ is the same basic tactic used by U.S. government to wage the infamous ‘War on Drugs’ for past half century.
That tactic had major unintended consequences and major disruptions to normal beneficial financial functioning.

In efforts to track illicit ‘drug money’, financial privacy is almost non-existent now for most Americans.
The Federal Government tracks all credit card purchases and requires all financial institutions to report all money transfers over $10K (plus any transfers of any amount subjectively deemed ‘suspicious’ by any institution).
These are direct violations of Constitution 4th Amendment.
Police are free to seize money & asses from anybody if the police subjectively feel the money might be related to illicit drug trafficking (Civil Asset Forfeiture); no legal charges or judicial due process is needed– and the police/government generally get to keep whatever they seize.
Large denomination paper $$ currency was eliminated to hinder carrying large amounts of cash, at a time when inflation ravaged $$ were worth less and less.

“We suggest an easier alternative: merely disrupt the cryptocurrency market”

… the kneejerk authoritarian approach seems an easy answer but is woefully ignorant and disdainful of basic citizen rights.

Rombobjörn July 26, 2021 10:12 AM

Labeling net sellers as criminals will victimize long-term investors who bought cryptocurrency years ago, before the government started tracking buyers and sellers. When an investor tries to cash in, their purchase won’t be in the government’s records, so they appear as a net seller. Poof! Instant criminal.

Anyway, it might be possible to drive away the financially motivated criminals this way. Then it will seem like the problem is gone, even tough all the security holes remain. This will greatly please your military adversaries, who retain access to all sorts of important systems, undisturbed by the criminals, and can wreak havoc whenever they feel that the political situation calls for it.

The only actual solution is to start taking information security seriously.

Hedo July 26, 2021 10:56 AM

Remember not too long ago when Elon Musk tweeted that his company “Tesla” won’t be accepting BitCoin payments? Immediately after that tweet – BitCoin value went down bigly. The morale of this story is: what kind of “ripoff currency” any currency does have to be, for it to be devalued by one tweet by one Elon Musk?
Why not try US$, or GBP, or Gold? Yeah, next time try Gold Mr. Musk. Why not?
To clarify: the emphasis here is not on Mr. Elon Musk – I have absolutely nothing against the man whatsoever. I am merely pointing out the nature of “virtual” currencies. Hey, your money is on a server, in a cloud. Each time I think of any virtual currency, I am reminded by MC Hammer that “U Can’t Touch This”.

Impossibly Stupid July 26, 2021 11:03 AM

no one values data more than its original owner

While true to a large extent, the “threatening to make it public” component underscores that much of that value might only be derived from keeping the data secret. There are countless examples of intellectual property that represent no intrinsic value to the owner, but could have great value to their enemies.

the only payment alternatives are suitcases full of cash or the banking system

That’s pretty limited thinking. There are many other alternatives that a clever person could come up with to solve such a problem. Even in just the cryptocurrency space itself there are already non-Bitcoin offerings that improve on the anonymity of transactions.

And the world is not static. It’s not like criminals looking to get rich on ransomware are just going to walk away if Bitcoin becomes worthless. Look no further than the recent rise of NFTs as a way to “legitimately” push around millions of dollars in value. Over the next few years, you have to expect all kinds of new digital economies to spring up that criminals will find ways to weaponize.

The riskiest part of the operation is collecting the ransom.

I would more generally say it is making the exchange. Both sides want to be able to get the item they value most. There are moves and counter moves that can sour the exchange in either direction. With cryptocurrencies (and the poor data security practiced by many organizations), the pendulum definitely has swung in favor of the attacker. That doesn’t necessarily mean the right way to swing it back is to monkey with those cryptocurrencies.

Bruce, you’re pretty good about calling out people who insist on fighting the last war. I think that’s ultimately what you’re doing here, though. Thinking criminals are certainly already planning the move to other ways to extract money from victims. Cryptocurrencies were just the first “proof of concept” as far as they’re concerned.

mark July 26, 2021 11:46 AM

Your comments on countries not going after crooks, as long as they attack outside their borders made me realize that we can classify the crooks easily, with very old names:
1. the ones attacking with state support/state actors are, of course, working with a license of marque and reprisal.
2. the ones that are not state supported, and only attack outside their country’s borders are cyber-coneers (aka bucconeers)
3. the ones that go after everyone are, of course, cyberpirates.

Which suggests that an anti-malware organization should be under the Marines.

CarpetCat July 26, 2021 12:09 PM

More fear porn, made no doubt in coordination with big money interests interested in making more money from bitcoin.

Everyone who is anyone is getting into crypto, and crypto means bitcoin. Amazon, Musk, jp morgan chase, etc. they are all scrambling to get into the business in one way or another, either hoarding bitcoins or positioning themselves as safe harbors thereof.

While the latest bitcoin drop has been cyclic as expected, this “currency” is nearing its maximum capacity. This is the last big drop there probably will be, and in comes the heavy weights.

They see bitcoin hasn’t faltered in its early years, and now that its on somewhat firm footing they are all trying to get in the door and reap those sweet sweet profits. Everyone keeps talking bad about it, but behind their back they keep buying more and more of it.

I am not advocating anyone buy any crypto whatsoever. But I hope one would know this is a classic example of how the rich get richer, and manipulate perceptions and markets to achieve their goals of neverending domination.

In the future, watch for these big banks to swoop in to “save” the bitcoin market from all this skullduggery. Promising stability, maturity, and of course the kicker- a huge stable of their own bitcoin to draw upon.

Petre Peter July 26, 2021 12:25 PM

If we keep banning the tools that the bad guys use, we will end up back in the trees.

Wendell July 26, 2021 12:51 PM

Banning cryptocurrency and designating “rogue” exchanges both seem like overkill. Why not make it illegal for businesses to pay ransoms? Actually illegal, meaning whoever arranges the payment personally goes to jail, or gets fired and fined (for which the company or insurers may not reimburse); as opposed to making the company pay a fine that’s less than the ransom or the recovery costs. Maybe combine it with a whistleblower award, and have exchanges report as suspicious any transactions that appear to be ransoms.

Clive Robinson July 26, 2021 1:30 PM

@ Wendell,

Why not make it illegal for businesses to pay ransoms? Actually illegal, meaning whoever arranges the payment personally goes to jail, or gets fired and fined

Because fourty years of experience tells us you can not make it illegal, there are just way to many ways around such measures.

And incidently why trying to make crypto currancy payments not work for ransom payments won’t work either.

People that come up with these ideas realy lack experience of the way the real world works.

If there is a demand a supply will arise to meet it, it realy is that simple, I know Nicholas Weaver dislikes Crypto Currancies intently and rightly considers them a scam / criminal enterprise which they are, but I thought both he and Bruce were a little more worldly wise about the way this sort of thing works.

It’s not as though I’ve not explained it more than a couple of times on this blog in the recent past.

Put simply all you need is some kind of legal “cut out” mechanism between those ransoming and those with ransom to pay.

In this case,

1, As a victim you contact,
2, A data recovery specialist in your country,
3, They in turn contact a “known” specialist in another country for you.
4, Who intern “know a man” in another country who develops special recovery software.

The “secret sauce” for that last man actually comes from those who developed the ransomware…

The ransomware writers use “cryptovirology” of a form published by Adam Young and Moti Yung last century using the redundancy available in public key crypto to hide a covert system that gives us “Kleptography”.

It kind of works the same way the NSA back door reputed to be in the Dual EC DRNG that NIST had to de-certify and ended up in Jupiter Networks Network equipment amongst other places works.

The thing is that even though people have a fairly good idea they know exactly what is going on, they can not prove it. Thus with a little subterfuge and skill the paying of the Ransom becomes the legitimate full legal tax payed etc payment of “Data Recovery Services”…

And if not done this way there are dozens more legal ways to do it…

All that realy happens by making the payment of Ransom illegal, is you double, tripple or quadruple the actual price to the victims as you put in a string of middlemen and make it a fully legal process you can not prosecute…

Which is all very counter productive at the end of the day, but does ensure that the various “tax men” get a slice of the action…

R-Squared July 26, 2021 3:00 PM

@ Wendell • July 26, 2021 12:51 PM

Banning cryptocurrency and designating “rogue” exchanges both seem like overkill. Why not make it illegal for businesses to pay ransoms? Actually illegal, meaning whoever arranges the payment personally goes to jail, or gets fired and fined (for which the company or insurers may not reimburse); as opposed to making the company pay a fine that’s less than the ransom or the recovery costs. Maybe combine it with a whistleblower award, and have exchanges report as suspicious any transactions that appear to be ransoms.

You’re raising a lot of Cain here.

If you’re going to make it “illegal” to pay blackmail or extortion ransom money then how do you propose to do this without shutting down the bitcoin exchanges and other cryptocurrency operations which facilitate the payment of ransom monies?

If you’re working for a business, it’s already illegal, an act of embezzlement or theft to arrange payment or authorize disbursement of ransom money from the corporate treasury for unlawful purposes.

And how does a “whistleblower award” differ from ransom money in any significant respect? Because a dude who blows the whistle will be countersued for sexual harassment because it’s a pretty sure bet at least one lady works at whatever company that is. E.g., Julian Assange.

Humdee July 26, 2021 5:04 PM

@petre Peters, @all

Ban bitcoin and all other cryptocurrency. They are a public scandal and it remains unfathomable to me why the Federal Reserve and Treasury ever allowed these scams into the public arena.

The problem with the “back to the tree” argument is that bitcoin is a tool that adds no social value, has no legitimate social purpose, and is nothing more than a scam to fleece money from the ignorant. This is one social experiment that never should have been tried.

R-Squared July 26, 2021 5:15 PM

@ Intind77

Paying a ransom of a few million dollars is simply the more cost effective, timely, and ethical route in a situation like that.

And we the people, at the peril of our lives, are supposed to spend our money, and forfeit such a share of our livelihood to patronize a hospital that supplies multi-million dollar funding on a regular basis for serious organized criminal operations?

Intind77 July 26, 2021 5:53 PM

@ R-Squared

You misunderstand my opinion on the issue. It doesn’t matter to me one way or the other necessarily on which way the laws end up being written on the matter. I am simply pointing out what is likely going to happen if it hasn’t already. There are more areas aside from the hospital example that might be just as urgent of a scenario. The point im making is, are there going to be certain exemptions to a potential law stating in emergency situations a ransom can be made? If so, the organized criminals will focus on those areas knowing they will be more likely to get paid.

The other scenarios dont play out in terms of attempting to solve the ransomware crises through banning crypto-payments. For example, lets say we decide to go that route. Who all is going to ban it? Just the US? The US and its Allies? the entire world? The latter likely will never happen, and if crypto is still a form of potential revenue even if banned in the US the criminals will still demand it, which in turn will lead to greater potential harm in an urgent scenario such as mentioned above. Even if all countries in the world agreed to ban crypto, at this point in time I dont think that would stop ransomware attacks. My rationale is, there has been a lot of tools and techniques, processes, craft developed in this area by the top tier malware makers those organized criminals will keep hitting businesses to test that resolve. The attacks will just be more targeted towards those more likely to pay via one way or another.

A ban might make it more difficult to launder the money, but some of these top tier gangs with financial experts likely know how to build some scheme in which payment could be had with little risk. At the end of the day, if billion dollar corporations have mission critical data encrypted that they need, they are going to pay that ransom one way or the other. The criminals know this. If not cryptocurrency for payment it will be something else, because the industry of making malware has already been established. Once that genie was out of the bottle, it would be very difficult to put it back in.

Intind77 July 26, 2021 6:09 PM

Another point id make is even if banning crypto did infact stop ransomware attacks, that doesnt mean the danger is over. What exactly is ransomware? A payload that encrypts data. The payload will simply be altered for another profitbale purpose. For example instead of encrypting all data on a network, it instead will ease drop on all hosts. Sucking up passwords, personal information, sensitive business details. There will still be ways for these criminals to monetize network compromise. They can sell insider information, target and blackmail CEO’s, sell credentials online, etc. The issue is network security in my opinion. Remember these organized criminals are your average thug holding up a bank. They are very smart and might have in some cases nation-state backing.

echo July 26, 2021 6:16 PM

In the UK gold transactions are charged VAT. Carbon taxes are badly thought through and not policed properly. Ditto the polluter pays legislation. However, thereis pressure to iprove this state of affairs at the international level. I feel this is a better direction to go in than what I read as an extra-legal business as usual police mindset in the topic article.

Bitcoin and other cryptocurrencies as is are simply too dangerous to allow to continue. They are a component of a bigger system which is a planet killer. By placing Bitcoin et al on a fully legal basis out of reach of the ordinary person and taking away the glamour the fact that Bitcoin is a planet killer and with the threshold of criminality attached to it a lot of people will both socially and emotionally not be responsive. If you are caught creating it or using or trading in it you will be of the level of people making VX gas, wife beating, and drunk driving. If you were a CEO of a major company would you pay a ransom in cocaine? John Delorean got caught up in something similar when he had business financial worries and we know Mark Thatcher supported a coup in Africa (he is banned from travelling to the US) so we know people can do ill-judged things but this is not routine and amateurs at these kinds of things usually come unstuck.

Good luck finding a country which will allow you to connect to their electricty grid if they’re going to get their power plants bombed from 50,000 feet.

Progressive, fair, and human rights and environment aware policies are be the future. I anticipate the charge of genocide will get some peoples attention because we are potentially at that point.

In the UK laws already exist for HMRC to conduct investigations on mere suspicion and lean on you in unpleasant ways. I personally think this is an abuse of law but we are where we are. There is also precedent for prosecuting activities which fall under a “dual purpose” defence such as ISP’s peddling download X music tracks in Y minutes when you buy Z capacity. Yes, I have gone full circle and turned myself into a hypocrite in the process. I’ll leave lawyers to tidy it up and police forces to decide how they implement things but yes I feel bitcon et al must be banned and not just banned but made beyond the pale like a lot of bad government and corporate practice and tawdry behavior. The world we live in and our futures depend on it.

Anonymous July 26, 2021 6:19 PM

Lol, yes more laws taking away freedoms will have no negative or unintended consequences. Some smart people can be so dumb. You’ve persuaded me that I need to start acquiring monero (or similar) immediately to escape your financial Orwellian nightmare world.

R-Squared July 26, 2021 6:44 PM

@ echo • July 26, 2021 6:16 PM

In the UK gold transactions are charged VAT.

So that’s 20% VAT when you purchase gold as an investment.

And if you ever do manage to sell it at a profit or recoup your investment, you owe Capital Gains Tax on any proceeds in excess of your original investment.

hxxps://www.gov.uk/capital-gains-tax

Nonetheless, the VAT effectively prevents British subjects from purchasing gold at a reasonable cost for investment or trading purposes in the first place.

So much for the (in)famous “London Gold Fix” then — the world commodities and precious metals markets are irredeemably rigged — which they confess outright as “fixing” the price with no apology.

Steve July 26, 2021 7:01 PM

@Peter Peter

If we keep banning the tools that the bad guys use, we will end up back in the trees.

You say this like it’s a bad thing.

Per Douglas Adams:

Many were increasingly of the opinion that they all made a big mistake in coming down from the trees in the first place. And some said that even the trees had been a bad move, and that no one should ever have left the oceans.

Wendell July 26, 2021 7:23 PM

@ R-Squared,

If you’re going to make it “illegal” to pay blackmail or extortion ransom money then how do you propose to do this without shutting down the bitcoin exchanges and other cryptocurrency operations which facilitate the payment of ransom monies?

I guess the same way we make bribes illegal, for example, without forbidding cash. Anyone caught doing it gets in serious trouble. A relevant question, then, would be whether the Foreign Corrupt Practices Act and the like actually work. They certainly bring in money, but do they deter the behavior they’re meant to?

If you’re working for a business, it’s already illegal, an act of embezzlement or theft to arrange payment or authorize disbursement of ransom money from the corporate treasury for unlawful purposes.

This is not accurate. It would only be theft or embezzlement if done without the permission of one’s employer. It’s well known that large businesses have paid ransoms without legal punishment. In fact, the FBI is sometimes fine with people paying ransom.

And how does a “whistleblower award” differ from ransom money in any significant respect? Because a dude who blows the whistle…

Well, that comment went off the rails at the end….

The SEC is an example of an agency that rewards people who report illegal behavior, such as bribing foreign officials. Companies caught retaliating against such people would face additional trouble. Rewards are different than ransom or bribery because the money would not go to criminals. The whole point of forbidding ransom payments would be to disrupt the flow of money to criminals, similar to what Bruce and Nicholas propose. How could a large company make a ransom payment and keep it secret if all the everyone involved knows that they can get a fat government check by turning on the company? And if large companies can’t make payments, why would ransomware users waste time spear-phishing them?

Clive is right, of course, that the payments won’t actually stop. Companies do illegal shit all the time. Small businesses would still be able to get away with making illegal payments—a sole proprietor in a cash business could siphon the money (not nearly as much money, though), and as long as they don’t cheat on their taxes, wouldn’t much have to worry about some financial auditor catching them 10 years in the future. Easy enough to keep a secret when it’s a conspiracy of one. Large businesses, though, would have to consider the risks of being caught, and the extra costs of such might make ransom payments less attractive than rebuilding. It’s all about incentives.

metaschima July 26, 2021 8:12 PM

I could go either way on this one. If we don’t get rid of cryptocurrency we gain in offering very costly and unwanted penetration testing for lots of corporations and government offices. On the other hand getting rid of cryto will help tremendously with energy demands, and will take out a big sector of online crime. So yeah, great benefits to both. I’m fine with either option.

R-Squared July 26, 2021 8:28 PM

@ Wendell

It’s well known that large businesses have paid ransoms without legal punishment.

That does not mean they are not breaking the law. Most businesses are incorporated “for any lawful purpose” which does not include financing extortion rackets or operating the business as a front for other organized criminal activity.

In fact, the FBI is sometimes fine with people paying ransom.

They’re supposed to investigate any serious violations of law in their jurisdiction.

If people are going to pay ransom or patronize protection rackets, they’d better have plans in place to catch those violent criminals and recover the ransom money when the crooks have performed their end of the contract or delivered on their promises.

But of course that doesn’t happen in real life, because the long-running undercover operations typical of the FBI, DEA, ATF and other government agencies inevitably succumb to the vices of the very organized crime they are purportedly intended to stop.

Matt July 27, 2021 3:12 AM

What a terrible idea. Ransomware incentivizes the improvement of cybersecurity through relatively minor service interruptions. If ransomware is eliminated through ways other than improving cybersecurity, the holes will remain unplugged and will grow. At some point there will inevitably be an attack and unlike ransomware it won’t come with an offer to pay for service restoration. Ransomware is the wake up call we need to correct the course of agencies like the NSA that have prioritized their own attack and surveillance capabilities over the protection of critical infrastructure from foreign adversaries. I think essays like this that plant the idea in people’s heads that ransomware can be solved without improving security are dangerous and set us up for a 9/11 size attack.

Winter July 27, 2021 3:26 AM

I think the Powers that Be are already bavfew steps ahead of the reasoning applied here.

The foundations of the policies in the works are that bitcoin streams are transparent and that banks are applying Know Your Customer and Anti Money Laundering legislation quite rigorously.

The new cryptocurrency rules require all exchanges to follow KYC rules. Any Bitcoin that cannot be traced back to a KYC account is blacklisted and no exchange or bank will touch it.

This means that any Bitcoin exchanged for Fiat money without KYC will from that moment be useless in the regulated banking system and any bank, exchange or company touching it will be blacklisted itself.

Clive Robinson July 27, 2021 3:32 AM

@ Matt,

Ransomware is the wake up call we need to correct the course of agencies like the NSA…

What we realy need is something to correct the course of the corporations like Microsoft et al that produce the shoddy cruft in the first place.

If we could get them to behave to even the minimum standards of others who sell other consumer items for “merchantability and fitness for purpose” then many many of the ills that we suffer from would not be happening.

James Riley July 27, 2021 5:25 AM

as more and more mining ops are shut down for stealing electricity, it’s clear that the only profit in mining comes when you’re not paying for the electric.

So yes, grab the miners in this net too.

CMYK July 27, 2021 7:20 AM

The article could be FUD for multiple reasons,

Number one being it encourages a resulting temporary drop in the value.

Number two the noise made from the malware authors panic selling might make this very successful.

These publications tend to be to encourage debate, otherwise they’re not be on the blog imo they’d be rfc like and posted somewhere else.

It’s worthwhile to leave an open comment system up for both the public and potentially private entities.

I’m not calling the content FUD, it’s just a potential summary of it’s goal – see my points above.

JonKnowsNothing July 27, 2021 8:40 AM

Traditionally and historically, ruling governments did not take kindly to other people minting money, particularly if it did not have the current ruler’s image on it.

Gold, often used for centuries and various amalgams, was not that hard to come by if you had assets and privilege enough to acquire it. Jewelry makers needed both gold and gems to make their luxury good but rulers/kings and similar groups needed it to pay for and fund the many wars they engaged in.

In order to control the funding flows, minting monies was restricted.

  • A couple of guys standing in the basement with sledgehammers banging away making the coin of the realm.

Bitcoins require enormous amounts of energy. A recent report of a group of investors buying up a decommissioned power plant have plans to fire it up to run their server farm. (1)

Energy consumption, especially electrical is highly regulated and utility providers know pretty much the expected usage of any household. In California one of the utility companies offers a “payment budget” plan that smooths the payment curves (winter heat / summer cooling) into a fix flat payment. They do this by reviewing the electrical consumption over 1 or more years.

While utility companies make money or have guaranteed income levels for providing electricity and selling more of it, they can determine excess usage. (2)

If you really want to do something about bitcoins, you have to tackle the electrical side of the business and the minting aspects. Bitcoin production is based on the false concept that the cost is near nil, that there isn’t any cost of resources or expenditures other than initial investment.

Those not wanting to pay for their own electrical usage, target other people’s utility bills by stealing “cycles”. (3) Like mils the cycles add up. The utility company is getting paid but not by the true user of the service.

There is a small problem because this same scheme of stealing cycles is used by many corporations and technical companies. They steal bandwidth, cable capacity, connections and other intangibles that are paid for by the consumer but are used for the benefit of the corporations piggybacking on the services.

===

1, Not much different than Bluffdale being located near an underused power station, guaranteeing a massive source of power that does not need to be shared to run the supercomputers and data archives located there.

2, Excess water usage during drought periods can be eye-wateringly expensive. One broken sprinkler head or a leaky pipe can get you a Shut Off Notice. This only applies to residential users. Leaky pipes owned and maintained by the water district never get a Shut Off Notice and they rarely get repaired. One of many reasons outside the cost of repairing massive pipes and valves is that you have to redirect the water during the repair period and there are very few redundant water systems.

3, Lots of things can be piggybacked or stolen, electricity, gas, and in California water is a big commodity. Illegal water trucks backup to fire hydrants or remote water wells, or water tanks and load up. Some even go as far as taking the well pumps – not for the pump but for the copper wires. A 1,000 foot well can be a lucrative source of illegal funds.

ht tps://en.wikipedia.org/wiki/Tower_of_London

ht tps://en.wikipedia.org/wiki/Royal_Mint

  • The original London mint from which the Royal Mint is the successor was established in 886 AD and operated within the Tower of London for approximately 800 years

ht tps://en.wikipedia.org/wiki/Hammered_coinage

  • Hammered coinage is the most common form of coins produced since the invention of coins in the first millennium BC until the early modern period of c. the 15th–17th centuries, contrasting to the cast coinage and the later developed milled coinage.
  • Hammered coins were produced by placing a blank piece of metal (a planchet or flan) of the correct weight between two dies, and then striking the upper die with a hammer to produce the required image on both sides.

(url fractured to prevent autorun)

Carter Cheng July 27, 2021 9:05 AM

I was looking at an old article of yours:

https://www.schneier.com/blog/archives/2015/03/bios_hacking.html

I have been wondering, if how this squares, with your understanding, of the ransomware situation; my suspicion is that they can easily hide a barbed sting, in the firmware. The idea is quite obvious, can you detect a restore from backup, or reinstall of the system? I suspect this is quite easy, just look for a random array of bytes/bits, in the file system, for example if the entire drive is encrypted, which behaves like a hash, except it has some properties of stenography.

This is my pet theory. Obviously it might be detectable, and reversable using a UEFI firmware extraction(JTAG/DCI?). Though I don’t yet have the expertise, in hardware reverse engineering to confirm this.

Thank you.

echo July 27, 2021 11:50 AM

@JonKnowsNothing

Little known or unremarked initiatives by Henry VIII include weights and measures standards and a floated but never implemented idea for a pan European single currency to facilitate trading. Back in the day the nation state was more of a vague notion so borders were porous much like today’s Shengen agreement. In short the European Union conceptually existed in the 15th to 16th Century.

Today’s 20th to 21st Century arrangement is disliked by certain bandits who are stuck in the 18th Century. Said bandits also have a fetishistic admiration of the US. The US that is sanitised and simplified by media and Hollywood and right wing thinktanks. It doesn’t cross their mind that the US is a zone occuping most of a continent and consists of disparate states many of whom are tugging in all manner of different directions.

Energy consumption, especially electrical is highly regulated and utility providers know pretty much the expected usage of any household.

Yes, Bitcoin farms are going to stand out as much as a marijuana farm. In fact I thibk it was only the other month in the UK one concern or other with none routine electricity needs got their door kicked in by the police because the police thought they were a marijuana farm.

I have no idea if this was a tip off by the electricity company or other means. GCHQ has very broad and deep legal powers for data gathering so this is always a possibility too.

You’re not going to get the SAS blowing the hinges off for playing Call of Duty at 4K resolution at 4am while smoking a joint. But strategic threats do get the wrong kind of attention from pretty much everybody.

Andrew Duane July 27, 2021 3:50 PM

Repurposing mining operations?

If, for one reason or another, mining bitcoin is no longer feasible, there would be several very large-scale (and very expensive) cryptography oriented server farms looking for a purpose. How many orders of magnitude away from doing things like brute-forcing some of our common cryptographic primitives are these farms? 1? 2? 10? 25?

Randy July 27, 2021 3:51 PM

@Hedo

Remember not too long ago when Elon Musk tweeted that his company “Tesla” won’t be accepting BitCoin payments? Immediately after that tweet – BitCoin value went down bigly. The morale of this story is: what kind of “ripoff currency” any currency does have to be, for it to be devalued by one tweet by one Elon Musk?

Well, it shows the fragility of Bitcoin for one thing. Anything that fragile is not a stable secure investment target.

And stability of Bitcoin would suffer even further if Tether is affected.

DOJ reportedly investigates crypto company Tether for possible bank fraud
https://www.cnbc.com/2021/07/26/doj-reportedly-probes-crypto-company-tether-for-possible-bank-fraud.html

Alex July 27, 2021 4:16 PM

I’m not sure I understand how one could limit the exchange of cryptocurrency effectively. Couldn’t one just exchange a few BTC for a briefcase full of money in some country not invested in this program? Seems like there must be thousands of other ways to do this…

JonKnowsNothing July 27, 2021 4:59 PM

@Alex

re: Couldn’t one just exchange a few BTC for a briefcase full of money

In the above transaction the briefcase full of loot is not the problem, it is the bitcoin (BTC).

BTC is just a very large sequence of 0101010101s. There isn’t anything physical about them. There have been some attempts at making physical bitcoins but these would be easily traceable because each BTC has a unique number and that unique number is assigned to another unique number called the Wallet.

If you are found in possession of a suspect unique BTC or Wallet number, you gather all the bother you were trying to avoid.

Once the electricity stops, so does the bitcoins. Backups are a good idea. Not sure how reliable they are for bitcoins.

iirc(badly) tl;dr

A long time back, I read about a reset of the bitcoin registration log. There was a flaw or something odd happened where an old ledger was re-attached to the existing ledger and as the numbers have a particular order, all the numbers between the old ledger and the next new number in the real log were wiped out, taking a big load of bitcoins with it.

It was an unrecoverable error but bitcoins were not worth all that much at the time.

It was proposed that this particular hiccup could be used deliberately to effectively wipe out nearly the entire register.

Perhaps it was fixed, perhaps not.

Nick Alcock July 28, 2021 8:12 AM

@Echo, you don’t need a tipoff from the electricity company to spot a pot farm: all you need is a helicopter or a drone, and an IR camera (and obviously the police have both without needing to ask anyone). The heat output from all those growlights shows up like a flare. (When it snows, which is increasingly rare over here, these places are really obvious because their roofs are always clear of snow.)

Of course this sometimes goes wrong — it can flag old people with their heating up really high, as well as (as noted) Bitcoin mining farms, CGI render farms etc. But as a general metric it’s surprisingly accurate. One problem is that if in-city agritech and hydroponics etc takes off, you’ll see a lot of genuine agriculture that will look more or less identical to marijuana farms, right down to having banks of plants under growlights. They’re just different plants: dangerous illegal stuff like cress, parsley, asparagus, lettuce, chard… (One place in London that does this sort of thing on a mixed commercial/experimental basis actually has an agreement with the police to leave them alone after multiple incidents, one of which AIUI led to the loss of quite a few plants due to environmental disturbance.)

CMYK July 28, 2021 8:17 AM

as an instance of what we i you others know,

infrared detection is outdated, led lights reduce thermal output to the point of not needing fans/ac

in addition

city sewer can be used as a vent pipe in highly suspect areas.

sorry about the dual use, the more we know 😉

Clive Robinson July 28, 2021 8:48 AM

@ Nick Alcock, echo, CMYK,

Of course this sometimes goes wrong…

Yes, and sometimes spectacularly so.

My favourite true story about it involves the Police throwing in lots of resources on a “new build” house, that just happened to be owned by a police sergeant…

There they were enjoying a peaceful night in watching the telly when helicoptors swooped in spot lights lit up the night and people dressed in black from head to toe came smashing their way in through doors and windows, armed and extreamly excitable all hopped up on adrenaline for the “bust of the year”…

Even certain chosen journalists had been invited along by senior police officers to view this major event…

Needless to say the police sergeant was less than ammused to put it politely and was out for blood.

Well to cut out the fun bits it all ended up going into court where the builder of the house got on the wrong side of a “not fit for purpose” law suit…

As for the senior police officers, apparently it was a very long time before they decided to have a “major bust” again…

Clive Robinson July 28, 2021 9:11 AM

@ CMYK, ALL,

led lights reduce thermal output to the point of not needing fans/ac

Whilst true…

Many LED Grow lights come from the Far East and lets just say the ElectroMagnetic Compatability(EMC) compliance realy is not what it should be…

The result is as many Ham Amateur Radio operators can tell you is very very easily identified and Direction Found (DF) signals leading right back to the building in use.

I suspect it will only take another three to four years for the average “criminal investigation” Dept to get told this and shown how to DF the signals out[1].

By which time I suspect the “big operators” will have solved the issue and it will be the little “home grower” that gets dragged through the process.

[1] Few people appear to realise that the “war on drugs” realy has little or norhing what so ever to do with either the supply or use of chemical substances… It’s all about silly politics promoting poor if not bad science as an Orwellian Way to distract the public from the real agendas. As has been noted the UK Home Office Minister Priti Patel is a shining example of such corrupt and totaly indefensible behaviour in her “war on society”.

Who? July 28, 2021 9:58 AM

Please, help me understanding the real problem described here.

Is it ransomware or is it the Keynesian economics model losing force when compared to the austrian economics approach? As I see it, it is just another poorly outlined attack against a new economic paradigm.

Babak July 28, 2021 10:07 AM

Next time Hackers will ask to throw all ransom money (in cash, bill) from a tall building to the street. Like movies

Winter July 28, 2021 12:45 PM

@Clive
“Few people appear to realise that the “war on drugs” realy has little or norhing what so ever to do with either the supply or use of chemical substances… ”

The War on Drugs was Nixon’s war on
1) Anti (Vietnam) war protesters
2) Black people
What the WoD did was criminalize hippies and the black community. And that still is the driving force. It allows the judiciary to lock up everyone they dislike. That excludes the rich people who use coke and never seem to be apprehended.

ht tps://edition.cnn.com/2016/03/23/politics/john-ehrlichman-richard-nixon-drug-war-blacks-hippie/index.html

ht tps://www.cnbc.com/2021/06/17/the-us-has-spent-over-a-trillion-dollars-fighting-war-on-drugs.html

echo July 28, 2021 12:52 PM

@Nick Alcock

you don’t need a tipoff from the electricity company to spot a pot farm: all you need is a helicopter or a drone, and an IR camera (and obviously the police have both without needing to ask anyone). The heat output from all those growlights shows up like a flare. (When it snows, which is increasingly rare over here, these places are really obvious because their roofs are always clear of snow.)

This is one method but the case I cited identified a potential suspect because of the electricity usage.

With LED lighting including more agriculturally energy efficent colour spectrum LED lights, insulation, heat pumps and underground heatsinks for energy storage, dual use or covert locations roofs without snow are not the big giveaway they used to be. Plus it rarely snows in summer.

The police have been know to lie about their sources fro time to time. “Man walking dog” was cover for an intelligence services dource.

R-Squared July 28, 2021 1:25 PM

@ Winter • July 28, 2021 12:45 PM

@Clive
“Few people appear to realise that the “war on drugs” realy has little or norhing what so ever to do with either the supply or use of chemical substances… ”

This is true. The “war on drugs” is commonly used as a cloak or cover for arbitrary and unwarranted local police powers. There’s an alleged possession of some substance — with a statutorily inferred “intent to distribute” some alleged mass or quantity of it — but no independent lab analysis of the alleged substance available for the defense counsel.

The War on Drugs was Nixon’s war on
1) Anti (Vietnam) war protesters
2) Black people
What the WoD did was criminalize hippies and the black community

You can’t fight a war when you’re high on drugs, as many U.S. soldiers were in the Vietnam War. The enemies were dealing, and high ranking U.S. officers were complicit in doping the soldiers’ food and drink and the air they breathed in common areas and barracks.

Controlled substances at the retail or street level need to be dealt with on a nuisance basis, like violating “no smoking” rules in certain public areas or buildings, or being intoxicated in public.

Narcotics Anonymous etc.? Sure. Why not? As long as it isn’t on a court ordered basis and people who want treatment or services or support don’t lose their civil rights for asking.

The wholesale drug dealers and manufacturers are mostly white collar criminals, but it is more often than not the black retail dealers who end up taking the fall for the white wholesalers’ drug crimes. The real kingpins are white, above the law, have legitimate businesses to serve as a front for wholesale dealing.

Anonymous July 30, 2021 7:09 PM

Why don’t the criminals just ask for Monero as ransom? It doesn’t need laundering and can be immediately cashed out with an exchange.

c1ue August 1, 2021 7:34 PM

The problem I have with Mr. Weaver’s proposed solution is that it is far more work than actually forming 1800s era “anti pirate” task forces to go after the ransomware gangs.
The regulatory and enforcement needed to enact the above is enormous: passage of many laws which will be contested by exchanges, HNW crypto holders and the CUSIP institutions. This is even assuming all this only needs to be done in 1 country vs. throughout the world.
Then there’s the execution: in theory, you can identify “net zero” transactions…but that’s idiotic because real world cyber criminal gangs understand that money laundering costs…money. The same level of sophistication which the drug gangs gained – will be gained by the cyber gangs. Let’s not even get into the whole big bank involvement in drug laundering…
So overall, a Rube Goldberg workup to try and improve and even less workable idea: banning all cryptocurrencies.

Ron August 1, 2021 8:25 PM

How does this work on an international level? Say China makes the crypto-yuan an official digital currency and other countries follow suite and all these countries have crypto exchanges. Seems like the USA would have less control or influence over those and banning an official cryptocurrency might be difficult. Would those countries follow the USA to deal with ransomware in their own countries? What about “rogue” or corrupt countries? What happens when cryptocurrencies CAN be used directly to buy stuff, no exchange required? Seems like there may be a lot of moving parts not addressed here.

Lookupchainlink August 15, 2021 11:58 AM

This article could have been written in 2014. Crypto assets are here to stay. Environmental impact is non-sense you might as well go after server farms. 99% of the comment section along with Schneier do not understand the value proposition of public immutable ledgers and have not even tried to keep up with the times. I suggest actually informing yourself on the state of the industry before proposing heavy handed and best of all useless measures.

- August 15, 2021 2:30 PM

@Lookupchainlink:

“99% of the comment section along with Schneier do not understand the value proposition of public immutable ledgers”

One of those ‘made up on the moment statistics’ that are not just easy to spot, but compleatly usless, unfounded in truth, and totally worthless.

Much like “public immutable ledgers” and similar nonsesnse based on a fantasy, similar to ‘Thar’ be Unicorns with rainbow coloured tails’…

The only “value proposition” is that of the con artist telling the tale, to mug punters, on the theory ‘A fool and their, money…’.

Erik August 15, 2021 5:50 PM

Making it illegal to pay Ransoms will disrupt the unhealthy ecosystem of insurances for security breaches and the ransomware hackers.

Allan Dyer August 17, 2021 12:08 AM

Brain wasn’t ransomware, it was the first virus for the IBM PC, created in a mis-guided attempt at copy protection. The first ransomware was the AIDS Diskette, posted to victims in December 1989 on a 5.25″ floppy. After encrypting the root directory of the hard disc, the program demanded a payment sent to an address in Panama. The encryption was easily cracked, and the “mastermind” was arrested in Amsterdam.

PetroBras May 6, 2022 6:20 AM

@Bruce: wrong link in sentence “That by the time the seizure occurred the bitcoin lost more than 30% of its value is just
one more reminder of how unworkable bitcoin is as a “store of value.”

The link you used is not about the 30% decrease of bitcoin value.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.