Cryptocurrency Crackdown Won’t Stop Ransomware, CISA Official Says

The scourge of ransomware will proceed with or without closer regulation of the ecosystem that facilitates victims paying anonymous criminals to unlock or return data they steal and hold hostage, a senior Cybersecurity and Infrastructure Security Agency official said.

“Criminals have always found an innovative way to continue the attack [through] some mechanism so, you know, if we were to magically flip a switch and make Bitcoin for instance completely transparent, they're going to find another way to do it,” said CISA Deputy Director Nitin Natarajan. 

Natarajan was part of a panel discussion the U.S. Chamber of Commerce hosted on ransomware as a service Tuesday. Other participants included the United Kingdom’s National Cyber Security Centre Technical Director Harry W, McAfee Chief Scientist Raj Samani and Global Cyber Alliance Executive Director Megan Stifel. 

Stifel recently co-chaired a public-private ransomware task force which produced a report that made a big splash, garnering interest with a congressional hearing and support from Homeland Security Secretary Alejandro Mayorkas. 

The report recommended that governments should crack down on the way perpetrators of ransomware collect their payments: cryptocurrencies like Bitcoin.

“Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading ‘desks’ to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) laws,” the report reads. 

But that is much easier said than done. Mainstream U.S.-based cryptocurrency exchanges where the digital currencies are traded are already subject to the kinds of regulations that would require crypto holders to register their identity so law enforcement can track them or cut off payments if victims alert them to an attack.

But other exchanges exist in regimes where such regulations are not in place. And there are lots of ways around the system even in regulated regions.

“Criminals recruit money mules to help launder proceeds derived from online scams and frauds or crimes,” for example, according to the report.

McAfee's Samani argued that cryptocurrencies are no more to blame for ransomware than email is for phishing.

“This is not a cryptocurrency problem,” he said. “Criminals will always find a way to adapt … we have to stop blaming technology.”

Natarajan generally agreed with that sentiment, suggesting an approach that doesn’t include robust defensive measures would turn into a frustrating game of whack-a-mole.

“We really push focusing on the prevention side, you know, how can we strengthen the ability for businesses, or large, small, and governments of all levels, and globally, to really protect themselves,” he said.

Stifel maintained that tighter enforcement of money laundering and other transparency laws will help slow down and tire the criminals, but she was on the same page regarding the importance of defensive measures. 

“I think the biggest point that people can do is to be prepared,” she said. “There are hygiene measures that you can take that are largely the personnel investment, if you're running a large enterprise that's more than just personnel time, but things like multifactor authentication, having good email hygiene, segmenting networks … thinking about encryption at rest and in transit. There are steps that you can take that don't require you to wait for something to arrive later on.”