Cryptocurrency was once positioned as a future alternative to traditional fiat money — a decentralized, digital currency that marked the next big step in the digitalization of the world.
But today, the single biggest practical use for cryptocurrency is as a money laundering vehicle for cybercriminals. This fact has helped fuel a ransomware boom that has struck two-thirds of organizations around the world — and made it all the more important for organizations to know how to best protect themselves in the face of what has become a global crisis.
Crypto changed the game for ransoms and cyber-fraud
Not that long ago, criminals negotiated ransoms through entirely physical, even face-to-face encounters: from dropping off duffel bags of cash in a public place to in-person exchanges of ransom for victims. It’s almost hard to imagine today’s criminals being willing to undergo such elaborate and exposed ransom exchanges — activity that was so pernicious in parts of the world that it even sparked legislation banning ransom payments outright to disincentivize criminals.
The reason it’s hard to imagine today’s cybercriminals going to those lengths is that they simply don’t have to. Your average ransomware group doesn’t need to plan a drop-off point for a ransom or navigate the logistics of picking up and transporting a large amount of cash.
Cryptocurrency offers a much faster and easier avenue. Victims are told to pay the ransom in, say, Bitcoin. The payment happens anonymously, obscuring who exactly it’s going to. At this point, the criminals will typically move the currency through Bitcoin tumblers to “launder” or “wash” the stolen funds.
They may transfer the money to more privacy-enhancing currencies like Monero and eventually back to something more liquid. In the end, we often don’t know where it ends up, as the laundering of cryptocurrency is frequently impossible to unravel.
More lucrative, less chance for detection
The way crypto has upended cybercrime payments has changed the nature of cybercriminals’ fraudulent schemes, too. Credit card fraud, e-gold Ponzi schemes, GreenDot Moneypak schemes and gift card fraud from some of the biggest retailers cumulatively earn cybercriminals hundreds of millions of dollars.
But individually, these schemes often fail to net more than a few hundred dollars each. They’re also incredibly complex to pull off and are fraught with risk of detection or outright cancellation by the bank — or by the retailer being ripped off.
All of these schemes have been phased out in favor of ransomware because of cryptocurrency. The proliferation of Bitcoin and Bitcoin ATMs made it easier to acquire, mine and trade digital coins, all but giving the green light for the modern ransomware attack.
Suddenly it became incredibly simple to extort victims for thousands or millions of dollars per attack. The addition of anonymous online payments also removed the threat of attackers being exposed in physical exchanges, and helped eliminate the ability to identify attackers and hold them accountable.
Cryptocurrency and the state of ransomware in 2022
What we have today is a global ransomware boom fueled by cryptocurrency. Our new research shows just how stark the ransomware landscape has become:
- From 2020 to 2021, the share of organizations worldwide attacked by ransomware nearly doubled from 37% to 66%.
- In that same period, the average ransom per attack grew almost five-fold, now extorting more than $800,000 from the victim. Additionally, the number of attacked organizations paying over $1 million in ransoms has nearly tripled, from 4% to 11%.
- At the same time, the share of ransoms worth $10,000 or less dropped from 34% to 21%. Ransoms are becoming more financially painful, as smaller schemes fade and big payouts for attackers skyrocket.
- The average cost to recover from a ransomware attack is $1.4 million, with time-to-recovery taking as long as one month.
- An overwhelming majority of victims (90%) say that ransomware impacts their ability to operate, and 86% say it causes them to lose business or revenue.
- Almost half (46%) of attacked organizations paid the ransom, even when they had other means of data recovery at their disposal.
A culmination of factors
Ultimately, ransomware attacks are hurting more organizations and the ransoms are getting bigger. And bad actors can get away with it because cryptocurrencies have made anonymous ransom payments to attackers easier and faster than ever. When nearly half of victims are willing to pay and collecting the payment is so easy, what incentive does a ransomware attacker have to stop?
Anti-money laundering regulations and “know your customer” rules can theoretically help make cryptocurrencies less viable as a dumping ground for ransomware gains. But despite both U.S. government action and international cooperation, cryptocurrency will continue to reward and accelerate ransomware activity.
This is largely thanks to a combination of factors: foreign governments turning a blind eye to cybercriminals within their borders, cryptocurrency exchanges with lax identity enforcement and verification schemes that continue to operate in countries ostensibly allied with ours, and the sheer ease with which ransomware groups can launder stolen digital coins into fiat currencies.
The best offense against ransomware is a multi-layered defense
As always, the best tools we have against a growing global ransomware crisis are the ones that help organizations prepare for an attack — and position them for a quick and relatively painless recovery.
- Back up your data and regularly practice restoring your data from those backups: A ransomware attack should not be your first time figuring out data restoration. The more experience you have, the less disruptive the data recovery process will be to your organization — and the less tempted you’ll feel to pay the ransom.
- Deploy proactive threat hunting: Proactive threat detection helps you identify and stop ransomware groups before they can execute attacks. If you don’t have the resources for this, enlist outside expert managed detection and response (MDR) specialists who can do it for you.
- Develop incident response and business continuity plans: Having a clear and actionable roadmap to follow in the event of a ransomware attack reduces your chances of making rash decisions in the heat of the moment. Planning ahead can help prevent later regrets.
- Install and regularly update high-quality security controls: Protecting all endpoints within your environment reduces the probability of ransomware infection.
- Patch and carefully monitor critical server assets: Your mission-critical assets are what ransomware criminals need control over. Ensure that all server and application infrastructure is up to date with security fixes and protected by your most advanced security tools. Any gaps will give criminals a foothold they can widen into a full-blown attack.
Don’t be tempted by the path of least resistance
Finally, just don’t pay the ransom. For organizations like hospitals or utility providers, the threat of machines being encrypted and forcing an operational shutdown may be a matter of literal life and death. It’s tempting to bite the bullet and pay the ransom as the path of least resistance. But paying ransoms only puts more money into the crypto-ransomware economy and incentivizes ransomware groups to keep attacking.
Additionally, you have no guarantee that the attackers will actually decrypt your data. While most victims who pay get some of their data back, it’s rarely enough to prevent the need for a full restore from backup. Worse, it marks you as a target to future ransomware groups.
Ransomware attacks will only grow more intense in the near future, in part because cryptocurrencies have made it easy for attackers. Any organization can get caught in the crosshairs. No matter the industry, the best organizational offense is a proactive defense.
Chester Wisniewski is field CTO of applied research at Sophos.