Republican Rep. Andrew Clyde represents a rural district of Georgia, speckled with only a few urban areas. A manufacturing company in his district had a "very detrimental" ransomware attack that "shut them down for almost six weeks," Clyde said during a Homeland Security Committee hearing on May 5.
The ransomware actors asked for $100,000 in bitcoin, but recovery costs for the manufacturing company mounted to more than $1 million "in hard cash to replace their systems," Clyde said. "I think cryptocurrency is the common denominator in all ransomware."
Clyde was among other members of Congress with constituents directly affected by ransomware attacks. Through monetary losses and stalled operations, members of Congress and their constituents have felt the effects of ransomware — and the anonymity of cryptocurrency is causing the ransomware problem to grow, they said.
"Two more recent factors have thrown fuel on the already smoldering heat [of ransomware]: the spread of cryptocurrencies that enable the transfer of funds largely outside the eyes of financial regulators, and corrupt safe havens that don't mind if a little crime happens on their turf," said Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), during the hearing.
In Q1 2019, 98% of ransomware payments were in bitcoin, according to Emsisoft. "Bitcoin has become an inextricable part of the ransomware model," the firm said. In 2020, ransom payments reached $350 million in cryptocurrency, according to a report prepared by the Institute for Security and Technology (IST) for the Ransomware Task Force, which included representatives from the Global Cyber Alliance and Palo Alto Networks, among others. In Q4 2020, the average ransom was $154,108, the report said.
The cryptocurrency ecosystem may allow cybercriminals to hide in unregulated spaces. Despite gray, unregulated areas, major financial institutions, including Goldman Sachs, are refreshing their tolerance of Bitcoin and crypto investments.
With volatility refreshing mainstream enterprise interest, digital currency is hitting a "tipping point" this year, reported Cybersecurity Dive's sister publication Banking Dive. In July, the Office of the Comptroller of the Currency (OCC) published guidance for national banks engaging in crypto. Banks are permitted to work with legitimate businesses as long as risk and compliance are managed.
"It is important to reinforce that cryptocurrency in and of itself is not a criminal enterprise, nor do I currently believe eradicating or regulating it to the point of uselessness is the answer," said Krebs.
The rapid ascent of crypto, like other emerging technologies before it, has outpaced the federal government's ability to regulate it, Krebs said. Because of the popularity, Congress and financial institutions need to focus less on downplaying digital currencies and more on the policies that will police them, he said.
Crypto payments travel through a series of entities before reaching the cybercriminals seeking the ransom, the task force report said. The entities within this model often circumvent traditional standards.
Criminals obfuscate detection and tracking by "chainhopping," or exchange their cryptocurrency for other forms, the report said. Other gangs hide behind privacy coins, such as Monero, though those coins lack the liquidity of Bitcoin.
If governments and organizations can impose choke points within cryptocurrency, organizations might be better positioned to avoid a payment, or at the very least, trace payments. "Governments should require cryptocurrency exchanges, the crypto kiosk, the over-the-counter trading desk, to comply with existing laws," such as anti-money laundering or financing terrorism, said John Davis, vice president of public sector at Palo Alto Networks, during the hearing.
"Those are good laws, they're just not effectively or consistently implemented in all cases," said Davis, who is also a member of the ransomware task force. Sectors of the crypto market that host ransomware payments should be subject to these regulations.
Crypto kiosks or over-the-counter exchanges are where crypto and the conventional economy intersect, which makes financial regulation compliance easy to demand, said Krebs. Cryptocurrency "is here to stay … it is very likely going to be the future of financial transactions."