The virtual asset market is typically described with buzzwords. Hot. Disruptive. High-risk. All true, but not the least bit explanatory. With the glut of information hitting the news every day, who and what do you believe? Cryptocurrency is puzzling. You can’t hold it in your hands or put it in your wallet. It’s traded “pseudonymously,” meaning the digital wallet in which the currency is held is associated with a randomly generated ID number rather than an individual’s real-world identity. And its reputation is further clouded by its reported association with illicit businesses. But virtual assets—and the underlying blockchain technology—have the potential to transform global payments and enable financial inclusion. In this new series, K2 Integrity crypto experts Gail Fuller and Gabe Hidalgo break down the names, concepts, and headlines you’re trying to make sense of every day.
In this inaugural piece, we are tackling ransomware.
You Can Run, But You Can’t Hide
According to Merriam-Webster, ransomware is “a type of malicious software designed to block access to a computer system until a sum of money is paid.” Straightforward enough, but in practice a complicated, delicate, and potentially dangerous situation—with far-reaching consequences. Speaking at the recent Homeland Security Enterprise Forum about the Colonial Pipeline attack in May, National Cyber Director Chris Inglis explained: “Look at the confidence that fell right through the floor. There wasn’t an actual shortage of fuel, but there was this overwhelming fear that there would be. The by-product of the avariciousness [of ransomware] is this deterioration of confidence in our systems. The criminals get a ‘two for the price of one.’”
Ok, but does ransomware directly affect me?
Yes. Next question?
Seriously, ransomware attacks are increasing in frequency, and are also increasingly terrifying. Hospitals, transit systems, ATM networks, and the country’s largest oil pipeline have all been hacked and shut down in the past year. No sector, company, or individual is immune. A ransomware attack could strike your firm’s network; or, for financial institutions, you could unwittingly become ensnared in processing ransom payments.
Gabe Hidalgo explains: “Ransomware is no longer just a splashy headline. It has arrived and is disrupting more and more systems and financial institutions. All companies need a broad-based approach to reviewing their computer platforms for possible weaknesses, or avenues for a ransomware attack.”
How is this issue being addressed on the international stage?
Ransomware has become a matter of global security. Since the paralyzing attacks on Colonial Pipeline and meat distributor JBS USA Holdings Inc. this past spring, President Biden has been pushing to disrupt this booming “business.” U.S. Department of Justice (DOJ) guidelines now treat ransomware on par with terrorism, from a national security perspective, and just this week, the U.S. Department of the Treasury announced its first sanctions against virtual asset service providers (VASPs) for facilitating ransom payments. Even those that unwittingly facilitate ransom payments can be exposed to sanctions risk, based on guidance issued by the Office of Foreign Assets Control (OFAC).
But there are international roadblocks. For one, Russia. Widely believed to be a safe haven for cyber criminals, Russia’s stance is preventing an aggressive campaign against perpetrators. At the Geneva summit last July, Prime Minister Vladimir Putin denied involvement, refused to condemn the attacks, and turned down any opportunity to cooperate with the United States and its allies.
Networks of hundreds or thousands of hackers such as DarkSide or FiveHands find cover through connections to organized crime or, unbelievably, by working in concert with other hostile foreign governments. To finance its nuclear weapons program, North Korean state-sponsored cyber criminals were responsible for a 2017 attack that hit over 150 countries. Just days after their massive attack on the software company Kaseya, the cyber gang REvil completely disappeared off the dark web.
How can the private sector help?
With ransomware on the rise and without more proactive help from authorities, businesses need to understand and mitigate ransomware threats on their own. This is particularly crucial as more businesses move online and remote work creates new opportunities for hackers. The basics of good cybersecurity practices include:
- Backing up critical files on separate systems
- Implementing multifactor authentication for users
- Keeping software up to date
- Training employees to recognize phishing attempts and to avoid clicking on suspicious links
But it doesn’t end there. Financial institutions are not just expected to flag potential illicit activity, file suspicious activity reports, and identify any breach of security potentially connected to ransom payments—they are required to do so. Investing in cybersecurity infrastructure and leadership will allow you to approach the situation with confidence. A strong partner can help develop internal programs and policies to better identify risks.
What if my firm is the target of a ransomware attack?
This is a challenge. You want to minimize the damage just as much as you don’t want to line the pockets of dangerous criminals. You also have to worry about sanctions risk in the context of paying a ransom. The government is increasingly using its authority to target networks that perpetrate ransomware attacks. It has sanctioned a number of malicious cyber actors and explicitly warned that those facilitating ransom payments are themselves exposed to sanctions risk. Make sure to seek advice from knowledgeable professionals, stay engaged with law enforcement, and, for a specific transaction, understand where the payment would be going and what additional risks it could involve. Crypto, the often-preferred method of payment, appears to add another risky layer, but that’s not the whole story.
Gabe Hidalgo says, “While cryptocurrency usage in ransomware payments is often seen as a negative, the underlying blockchain platform allows investigators to forensically track the ransom payment movements. With this information, we can potentially block conversions to fiat currency and ultimately recover most of the money paid out.”
Others reject the idea of paying ransom at all. Cybersecurity experts overseas launched No More Ransom to provide free access to decryptors that recover files. Yes, for FREE. They explain, “By sending your money to cyber criminals, you’ll only confirm that ransomware works. And there’s no guarantee you’ll get the decryption key you need in return.”
What advice do you have for VASPs to help protect their systems from ransomware transactions?
Just don’t facilitate ransomware payments. Well, that was easy.
Gail Fuller says, “The role of crypto in criminal activity has been a long-standing concern. Companies that want to rise above that reputation and become legitimate actors in the space need to draw clear lines to differentiate themselves. It can be done.”
VASPs looking to stay above the fray should develop policies around ransomware payments and incorporate ransomware-related risks into their risk appetite statements. They need a comprehensive approach to identifying potential ransomware payments, understanding the related sanctions and other risks, and engaging with law enforcement prior to making payments.
Relatedly, VASPs that allow other crypto businesses to use their platforms, and traditional financial institutions that are doing business with VASPs, need to conduct thorough due diligence on their potential customers, which must include asking the hard questions about ransomware—finding out how they protect their own systems from attack as well as how they detect potential ransomware payments and mitigate associated risks.
Bottom line: Don’t just sit there.
Stay informed of current threats and take the steps necessary to prevent serious harm. It’s overwhelming, but the right guidance can set you up for success. DOJ has launched a Ransomware Task Force and released StopRansomware.gov to help individuals, businesses, and other organizations, and the Institute for Security and Technology (IST) recently shared its recommended strategies. And of course, our team at K2 Integrity is ready to answer your questions and to help in any way we can.
Time is truly of the essence. REvil is already back online.