The Colonial Pipeline cyberattack fallout: why a crypto crackdown is not the answer

By Eray Arda Akartuna
AML, Blockchain & Cyber Analyst

For those connected to the cyber-world (pretty much everyone), trading in cryptocurrency or in dire need of petrol in North Carolina, last week was nothing short of a catastrophe. The 7 May 2021 ransomware attack on the 5,500-mile Texas-New York Colonial Pipeline suspended its operations for a week and left millions without fuel. Since then, normal operations have resumed, and the Bitcoin wallets used by the perpetrators to receive ransoms have been seized. However, the debate surrounding the cybersecurity of critical infrastructure and regulation of cryptocurrencies, which are commonly used for cyberattack ransom payments, will rage on for some time.

Ransomware refers to malware that encrypts files and potentially threatens to publicise them unless a certain ransom is paid to the attackers. The Pipeline attack was the latest of numerous attacks perpetrated by a ransomware variant named DarkSide, which first appeared on a Russian hacker group in August 2020[1]. DarkSide is an example of ransomware-as-a-service (RaaS), where ransomware developers sell their malware to affiliate criminals who then launch attacks with it. Commission from the ransom paid is received by the original developers.

The RaaS industry is increasingly becoming a big market on dark web marketplaces, with developers providing customer services and even adhering to some form of ‘corporate social responsibility’[2]. DarkSide, for example, refused to attack critical infrastructure such as healthcare ‘out of principle’ and claimed that it would donate a portion of ransom proceeds to charity[3]. In public statements, they claimed their intention was not to cause disruption and that their primary motive was cash, denying that they were politically motivated or backed by Russia[4]. The group, and allegedly many other cybercriminals, suspended operations due to the negative press received from the Colonial Pipeline attack[5], demonstrating a somewhat odd fixation on public relations within an inherently criminal industry.

Other hackers, however, are not as ‘ethical’. The 2017 WannaCry attack, which hit over 200,000 computers in over 150 countries, still resonates with victims due to the significant disruption it caused to critical infrastructure[6]. The British National Health Service (NHS) was one of its most significant targets. Healthcare remains a common target of ransomware (as do education and banks), with the Covid-19 pandemic only increasing the lucrative benefits of attacking hospitals. In September 2020, the world’s first known death linked directly to ransomware occurred in Germany, when a patient needing urgent medical care was re-routed to a hospital 30km away due to her local hospital being under attack by ransomware at the time[7].

Such attacks are only likely to get worse, bolstered by the low level of detection, extradition and prosecution of perpetrators. Statistics prove that ransomware is something we should be increasingly worried about. 304.6 million ransomware attacks were recorded in 2020[8]. The monetary cost of ransomware recovery the same year was estimated to be USD $20 billion, up from $11.5 billion in 2019[9]. In 2021, a ransomware attack is projected to hit once every 11 seconds, up from 14 seconds in 2019 and 40 seconds in 2016[10]. This has reflected in a projected 20-50% increase in the cost of cyber insurance throughout 2021[11]. Though figures on average ransom pay-outs vary across studies, there is agreement that the average demanded ransom has increased, almost twofold, from 2019 to 2020[12]. Increases in remote working and Covid-19 hysteria has led to a rise in pandemic-related ransomware, delivered via Covid-related malicious emails or through vulnerabilities in remote desktop access solutions[13].

With increased attacks on critical infrastructure, governments will be more pressured into devising short-term, hard-hitting policy responses. Such policies may involve streamlining national agencies responsible for countering cyberattacks and establishing more rigid controls on software supply chains[14]. IT firms outsourcing parts of their software development to Eastern Europe, for example, will likely see such practices coming under increased scrutiny. However, another long-lasting policy debate that has gained traction since the Colonial Pipeline attack is cryptocurrency regulation, aiming to tackle the ability of cybercriminals to enjoy the proceeds of their attacks – and thereby disincentivise attacks in the first place.

Cryptocurrencies are (semi)-anonymous, decentralised, fast, borderless and accessible to all. This creates an enticing alternative medium, as opposed to standard electronic funds transfers, for cybercriminals to collect ransoms. There also exist numerous ways of ‘mixing’ cryptocurrencies across different wallets to fool tracking software, reducing the chances of malicious criminal-owned cryptocurrency wallets being identified and seized. The ability to use cryptocurrency for laundering criminal proceeds has arguably contributed to the rise in ransomware attacks and demanded ransoms over the years.

Going after the ability of cyber-attackers to enjoy their criminal proceeds has numerous advantages. However, regulators should be level-headed in their approach, resisting the pressure of applying rash measures to appease cryptocurrency-weary stakeholders in a short period of time. Outright prohibition has so far yielded counter-productive results in jurisdictions that have gone down such a route. China, which heavily restricted cryptocurrency in late 2017, saw an increase of 231% in Chinese cryptocurrency usage in the year after[15], highlighting the ineffectiveness of such measures towards a borderless technology.

Even approaches aiming to regulate the sector have so far attracted criticism. Trump-era proposals by the U.S. Treasury Department were received negatively by virtual asset service providers (VASPs) due to high regulatory costs and possible effects on the value of cryptocurrencies they would have[16]. Proposals included reporting thresholds and increased ‘know-your-customer’ requirements, largely similar to standard ‘anti-money laundering’ regulations applied to the traditional financial sector[17]. Such measures do not account for the borderless nature of cryptocurrencies, which would cause criminals to relocate their operations to jurisdictions where regulations are more relaxed, with relative ease.

VASPs have also called on proposed regulatory requirements to be proportionate to the true scale of illicit cryptocurrency use, which former acting CIA Director Michael Morrell has claimed to be ‘significantly overstated’[18]. With heavy-handed measures, legitimate users and innovators in the cryptocurrency space are likely to be adversely affected, with regulated cryptocurrency service providers bearing most of the regulatory cost and passing it on to traders through higher commission fees.

Cryptocurrency is a good idea on many levels, with the underlying technology now hosting decentralised applications allowing the trading of goods and services peer-to-peer without the traditional costs of intermediaries that would be involved in the conventional economy. Heavy-handed regulations threaten to harm innovations that potentially have significant economic benefits, ranging from efficient resource allocation to providing financial access to unbanked or underbanked populations.

Regulators should therefore be committed to devising strategies and solutions that allow illicit transactions to be detected in an innovation-friendly and cost-effective manner, without adversely affecting legitimate users or the overall technology. As Joe Light from Bloomberg puts it, “Blaming Bitcoin for the activities of its holders is a bit like getting mad at a $100 bill for being used in a drug deal.”[19] As crypto-averse industries such as traditional financial services see an opportunity to lobby for harsh cryptocurrency crackdowns, however, the regulations that emerge may be less accommodating.


References

[1] Trend Micro Research, ‘What We Know About Darkside Ransomware and the US Pipeline Attack’, Trend Micro, 13 May 2021, https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html.

[2] John Naughton, ‘Welcome to DarkSide – and the Inexorable Rise of Ransomware | John Naughton’, the Guardian, 15 May 2021, http://www.theguardian.com/commentisfree/2021/may/15/welcome-to-darkside-and-the-inexorable-rise-of-ransomware.

[3] Joe Tidy, ‘Mysterious “Robin Hood” Hackers Donating Stolen Money’, BBC News, 19 October 2020, sec. Technology, https://www.bbc.com/news/technology-54591761.

[4] Brian Krebs, ‘A Closer Look at the DarkSide Ransomware Gang – Krebs on Security’, Krebs on Security, 11 May 2021, https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/.

[5] Intel471, ‘The Moral Underground? Ransomware Operators Retreat…’, Intel471.com, accessed 17 May 2021, https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime.

[6] Reuters Staff, ‘Cyber Attack Hits 200,000 in at Least 150 Countries: Europol’, Reuters, 14 May 2017, https://www.reuters.com/article/us-cyber-attack-europol-idUSKCN18A0FX.

[7] Catalin Cimpanu, ‘First Death Reported Following a Ransomware Attack on a German Hospital’, ZDNet, 17 September 2020, https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/.

[8] ‘2021 SonicWall Cyber Threat Report’ (SonicWall, 2021), https://www.sonicwall.com/2021-cyber-threat-report/.

[9] Jason Firch, ‘10 Cyber Security Trends You Can’t Ignore In 2021’, PurpleSec (blog), 29 April 2020, https://purplesec.us/cyber-security-trends-2021/.

[10] ‘22 Shocking Ransomware Statistics for Cybersecurity in 2021’, Safeatlast (blog), accessed 17 May 2021, https://safeatlast.co/blog/ransomware-statistics/.

[11] John Reed, Ian Smith, and Hannah Murphy, ‘Axa’s Asian Operations Hit in Ransomware Attack’, 16 May 2021, https://www.ft.com/content/4443da60-6d90-4d27-b300-b0896425f99f.

[12] Graham Cluley, ‘Average Ransomware Payouts Shoot up 171% to over $300,000’, The State of Security, 25 March 2021, https://www.tripwire.com/state-of-security/featured/average-ransomware-payouts-shoot-up/.

[13] Coveware, ‘Don’t Become A Ransomware Target – Secure Your RDP Access’, Coveware: Ransomware Recovery First Responders, 8 January 2019, https://www.coveware.com/blog/dont-become-a-ransomware-target-secure-rdp.

[14] Terry Thompson, ‘National Cyber Defense Is a “Wicked” Problem: Why the Colonial Pipeline Ransomware Attack and the SolarWinds Hack Were All but Inevitable’, SciTechDaily (blog), 15 May 2021, https://scitechdaily.com/national-cyber-defense-is-a-wicked-problem-why-the-colonial-pipeline-ransomware-attack-and-the-solarwinds-hack-were-all-but-inevitable/.

[15] Kenneth Rapoza, ‘What China Ban? Cryptocurrency Market Cap Rebounding’, Forbes, 28 September 2017, sec. Investing, https://www.forbes.com/sites/kenrapoza/2017/09/28/china-ico-ban-bitcoin-crypto-currency-market-cap-returns/.

[16] Joe Light, ‘Crypto’s Anonymity Has Regulators Circling After the Colonial Pipeline Hack’, Bloomberg.Com, 12 May 2021, https://www.bloomberg.com/news/articles/2021-05-12/crypto-s-anonymity-has-regulators-circling-after-colonial-ransomware-hack.

[17] Joseph Menn Shiffman John, ‘Government and Industry Push Bitcoin Regulation to Fight Ransomware Scourge’, CNBC, 28 April 2021, https://www.cnbc.com/2021/04/28/government-and-industry-push-bitcoin-regulation-to-fight-ransomware.html.

[18] Michael Morell, Josh Kirshner, and Thomas Schoenberger, ‘An Analysis of Bitcoin’s Use in Illicit Finance’ (Crypto Council for Innovation, 6 April 2021), https://cryptoforinnovation.org/resources/Analysis_of_Bitcoin_in_Illicit_Finance.pdf.

[19] Light, ‘Crypto’s Anonymity Has Regulators Circling After the Colonial Pipeline Hack’.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: