Ransomware was invented 30 years ago when an AIDS researcher mailed between 10 and 20 thousand 5.25-inch floppy disks emblazoned with the name “AIDS Information Version 2.0” to people and businesses around the world. Over the past 30 years, much has changed, including our use of computers, which now, instead of being attached to cathode ray television sets, fit into our pockets. The trajectory, from floppy disks in the ’80s to e-commerce by the early 2000s, has culminated in the minting of digital money. Since then, as the use of cryptocurrency has grown, other industries have grown with it. One industry, often overlooked, is ransomware. Ransomware is a plague on businesses world-wide, and the U.S. government recommends not paying these ransoms. New guidance, however, issued by the Financial Crimes Enforcement Network (“FinCEN”) to the industry in late 2020, takes this too far; it threatens to impose sanctions on the insurance industry that has bloomed around cyber crime and will likely hurt the victims, not the criminals.
Ransomware is Everywhere
“Today, ransomware is a booming business for cyber criminals, making cyber insurance a business imperative,” says Bridget Choi, the General Counsel of Kivu Consulting, a digital forensics and incident response (“DFIR”) firm, who leads its regulatory program. “Since the dot.com boom, cyber insurance has become a billion-dollar industry.” Originally designed as a risk transfer should a network go down and a business lose revenue, cyber insurance is now frequently used to protect against and respond to ransomware attacks. And cyber insurance claims happen to be an excellent metric for tracking these cyber-attacks. “As recently as 2013, the large cyber-claims were typically well-known data or payment card data security breaches,” explains Choi. “With the growth of digital payments and cryptocurrency, the cyber threat landscape has changed.” Indeed, the FBI estimates that “$144.35 million in Bitcoin have been paid” for ransomware attacks between 2013 and 2019. Estimates for ransomware payments for 2020—based in part on the surge in remote work spurred by COVID-19—reached $350,000,000.
Enter the U.S. Government, which is trying to address cybercrime by applying Office of Foreign Assets Control (“OFAC”) compliance to the ransomware recovery industry—the businesses that help victims navigate the world of ransomware. That help often includes making ransomware payments.
You Might Not Want to Help …
In late 2020, overshadowed by the pandemic, election-mania, and riots that swept our nation, the U.S. Treasury issued dual guidance reminding the various cyber-incident response companies—a big part of the billion-dollar cyber insurance industry—that they can be at risk for sanctions if they assist malware victims in making payments to actors who are on OFAC’s blacklist (known as the SDN list).
When US regulators hint that certain actions can subject entities to regulatory risks, it should be understood as a warning that taking such actions will subject the actor to regulatory action. And FinCEN was plain that this will happen:
“Processing ransomware payments is typically a multi-step process that involves at least one depository institution and one or more money services business (MSB). Many ransomware schemes involve convertible virtual currency (CVC), the preferred payment method of ransomware perpetrators. Following the delivery of the ransom demand, a ransomware victim will typically transmit funds via wire transfer, automated clearinghouse, or credit card payment to a CVC exchange to purchase the type and amount of CVC specified by the ransomware perpetrator. Next, the victim will send the CVC, often from a wallet hosted at the exchange, to the perpetrator’s designated account or CVC address. The perpetrator then launders the funds through various means, including … moving the CVC to foreign-located exchanges and peer-to-peer (P2P) exchangers in jurisdictions with weak anti-money laundering and countering financing of terrorism (AML/CFT) controls.”
The question is, can such regulatory enforcement help bring down these ransomware networks, or will it just make life harder on victims? After all, how can you comply with a blacklist if you don’t know the identities of those whom you are paying?
Crypto May Boost Ransomware, but it May Help Catch the Thieves
As suggested by FinCEN and others, cryptocurrency has arguably boosted the business of ransomware. But nearly all cryptocurrencies run on publicly available blockchains. These distributed ledgers provide the complete transaction histories from one pseudonymous address to another. Once an address has been linked to an individual, investigators can start connecting the dots. Just ask Hugh Haney, an unobtrusive 60-year-old living in Columbus, Ohio. Haney ran the “Pharmville” narcotics operation on the now infamous Silk Road online criminal marketplace. He was arrested by the United States government in July of 2019 after trying to liquidate $19 million worth of Bitcoin that was traced to Haney’s Silk Road wallet. (According to Haney’s lawyers, the Bitcoin he was paid for the narcotics sales was worth approximately $7,600 at the time he received the transfers.) In the press release issued by the United States Attorney’s Office, the government went into detail about its ability to use wallet addresses to track the bitcoin that was moved, and to catch Haney.
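The “connecting the dots” described above can be shown on a toy ledger. This is an added example, not part of the original article: it walks outgoing transfers from a known ransom address with a breadth-first search and flags any downstream address that appears on a constructed denylist standing in for OFAC’s SDN list. Every address, transaction id and amount below is invented.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (tx_id, sender, receiver, amount).
# Addresses are placeholders, not real wallet addresses.
LEDGER = [
    ("tx1", "victim_exchange_wallet", "ransom_addr_A", 5.0),
    ("tx2", "ransom_addr_A", "mixer_in_B", 3.0),
    ("tx3", "ransom_addr_A", "hop_C", 2.0),
    ("tx4", "hop_C", "foreign_exchange_D", 2.0),
    ("tx5", "mixer_in_B", "p2p_exchanger_E", 2.9),
    ("tx6", "unrelated_F", "foreign_exchange_D", 1.0),
]

# Constructed denylist standing in for SDN-linked addresses (assumption).
DENYLIST = {"p2p_exchanger_E"}


def build_graph(ledger):
    """Index the public ledger as sender -> [(receiver, tx_id, amount)]."""
    graph = defaultdict(list)
    for tx_id, src, dst, amount in ledger:
        graph[src].append((dst, tx_id, amount))
    return graph


def trace_forward(ledger, start):
    """Follow funds downstream from `start`.

    Returns {address: [tx ids on the first path found from start]}.
    """
    graph = build_graph(ledger)
    paths = {start: []}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for dst, tx_id, _ in graph[current]:
            if dst not in paths:          # first visit wins (shortest hop count)
                paths[dst] = paths[current] + [tx_id]
                queue.append(dst)
    return paths


def screen_payment(ledger, ransom_addr, denylist):
    """Compliance check: which denylisted addresses are reachable from the
    ransom address, and via which transactions."""
    paths = trace_forward(ledger, ransom_addr)
    return {addr: path for addr, path in paths.items() if addr in denylist}


if __name__ == "__main__":
    for addr, path in screen_payment(LEDGER, "ransom_addr_A", DENYLIST).items():
        print(f"{addr} reachable via {' -> '.join(path)}")
```

On a real chain the same traversal is run over exchange-attributed address clusters rather than single addresses, which is what makes the “linked to an individual” step decisive.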
More recently, an international sting operation netted the corporate heads of an infamous and prodigious ransomware “company” known as Egregor, who were living and working in Ukraine. Now that they are caught, the pseudonymous nature of the blockchain may be Egregor’s forensic undoing.
Good Intentions Be Damned.
While FinCEN’s guidance has been on the books for almost 5 months, that is too short a time to determine its effect. FinCEN’s admonishment could result in more reporting, or it could shut down the part of the insurance companies and DFIR firms that assists victim-customers with making payments. After all, nothing prevents ransomware victims from opening an account on a cryptocurrency trading platform, buying cryptocurrency, and paying the ransom themselves. Less draconian treatment, such as requiring these companies to file Suspicious Activity Reports (“SARs”) with basic information such as the amounts paid and the wallet addresses, would provide the government with information without punishing the industry actors who are looking to assist ransomware victims. Will FinCEN’s guidance and attempts to enforce its regulatory scheme be an exercise in futility? The answer may very well be yes. Unfortunately for us all, no amount of regulation can stop crime—it certainly has not stopped ransomware, which has grown from a one-man, floppy-disk-by-snail-mail operation to complex, distributed international criminal syndicates replete with third-party service providers that specialize in everything from testing a target’s security to web hosting. FinCEN’s new guidance may only end up hurting the victims of cybercrime; an irony that should not be lost on our regulators.