Ransomware is a scourge, but eliminating cryptocurrencies won’t make it go away

By Philip Martin, Chief Security Officer, Coinbase

The recent high profile ransomware attacks on Colonial Pipeline and food processing giant JBS have led to knee jerk calls to ban cryptocurrencies because the attackers demanded to be paid in Bitcoin. But if cryptocurrency went away tomorrow would ransomware end? In a word, no. Ransomware existed before cryptocurrency was popular and, if cryptocurrency was outlawed tomorrow, criminals would simply seek alternative payment methods, of which there are many.

The rise of ransomware has been horrible to behold. It is one of the rare online crimes where the impact is felt broadly by everyone. Hospitals unable to service patients. Local governments unable to support citizens. Workers losing jobs because their employers go bankrupt.

But blaming crypto for ransomware is like holding email accountable for ransomware because that’s a vector criminals use to infect victims. Neither are the cause of ransomware. What we need to eradicate this scourge is a more nuanced, multi-pronged strategy that gets to the root cause of the problem.

Why it’s getting worse

The growth of ransomware can be attributed to the rate at which companies are shifting critical systems online and the poor level of controls many companies have over their IT systems. When you couple those factors with ransomware gangs operating from foreign jurisdictions with relative impunity and little ability for law enforcement to drive an international response, you get a recipe for trouble.

This has led some pundits to throw up their hands and conclude the only way to fight back is to ban cryptocurrencies. But if cryptocurrencies are banned, attackers will simply fall back to traditional money laundering methods like prepaid gift cards, money-mules, bulk cash smuggling, funnel accounts or requiring air-dropped cash payments.

What’s more, there are many reasons cryptocurrency is good for law enforcement. Talk to law enforcement agents and those prosecuting crimes like this and they’ll tell you that cryptocurrencies are much easier to track than traditional, harder to trace forms of payment, such as cash.

In the world of Bitcoin, while you might not be able to immediately attach a name to a transfer, the whole history of transfers, for every address on the cryptocurrency network, is preserved forever and accessible to all. Law enforcement can use these “digital breadcrumbs” to track spending patterns. Where that cryptocurrency touches an exchange like Coinbase, which collects KYC (Know Your Customer) data for customers, a subpoena or a warrant will get them a real-world identity. That stands in stark contrast to traditional money laundering using cash or commodities.

What we should be doing

If banning use of cryptocurrency isn’t the answer, what is?

  1. Increase global law enforcement focus on ransomware and aggressively prosecute criminals — in the US or overseas — to create a real disincentive for criminals to use ransomware. The creation of a Ransomware and Digital Extortion Task Force by the DOJ was a positive step forward, but genuine investment in prosecutorial resources and continued engagement with our international partners will be key in the fight to ensure there are no safe haven countries for criminals.
  2. In the wake of the Enron scandal, Congress created incentives for public companies to clean up financial controls and reporting via the Sarbanes-Oxley Act. Earlier this year Congress passed the Anti-Money Laundering Act, setting a framework for financial institutions to modernize their technology and improve the sharing of information to combat money laundering and terrorist financing. Congress must play a similar role in creating minimum standards for corporate security reporting and transparency, creating accountability for malfeasance and creating safe harbors for cooperation and information sharing among companies.
  3. Ensure common sense, existing regulations are applied evenly so that certain exchanges aren’t allowed to use jurisdictional arbitrage to avoid implementing KYC/AML programs. Research shows that the majority of illicit Bitcoin flows through a small group of exchanges. Law enforcement and regulators could curb the flow of ransomware-proceeds by enforcing existing regulations on these venues.

That will take time, of course, so in the meantime companies in the trenches should actively review their own security posture and figure out if and how they could recover if attacked. Most companies have backup policies, but few organizations have restore policies or regularly test their ability to restore in a real-world scenario.

Ransomware isn’t going away even if cryptocurrencies are banned. So don’t be tempted by the “easy answer” given it isn’t really an answer at all. Let’s take the bull by the horns and focus on the hard work of putting ransomware in its place.

This piece originally appeared in Morning Consult.


Ransomware is a scourge, but eliminating cryptocurrencies won’t make it go away was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.