Even though ransomware is a trendy threat nowadays, it isn’t new or disruptive. The idea dates back to the '80s, but attackers and defenders have now built a great business model around it, mainly for two reasons. The first is the realization that no one values data more than its original owner, so extortion is feasible, and the need for antimalware products arises along with the typical marketing arguments for why you should deploy antimalware company X or Y in your organization to be “protected”. The second reason is the core of everything: the safest way of collecting ransoms, bitcoin.
And basically, this is the truth: ransomware does not excel in its malware capabilities; it stands out for its business model. Without bitcoin, the major ransomware epidemic would likely vanish, since the only payment alternatives are cash or the banking system, both of which have severe limitations for criminal organizations. Without bitcoin, ransomware would be reduced to regular kidnapping, where the riskiest part, collecting the ransom, is not very feasible for the criminals. The rise of a global, anonymous, distributed money-transfer system outside of any regulation or control is what actually keeps ransomware alive and flourishing.
The title of this post is meant as an ironic nod to the old days, when Viagra spamming operations were disrupted mainly because cybercriminals' ability to process payments could be disrupted, and all the malware effort could easily be sent to the trashcan.
All of this strongly suggests that dealing with ransomware should not focus only on "securifying" (after all, patching is useless against ransomware that uses a zero-day) or prosecuting (which is even more useless). It will also require disrupting the one payment channel capable of moving millions at a time outside of money laundering laws: Bitcoin and other cryptocurrencies. That is very unlikely to happen, although there are people coming up with ideas and methods that can degrade and control the crypto space.
As mentioned above, one proposed solution is to ban bitcoin entirely. But members of the ransomware task force, which included representatives from crypto companies as well as firms and organizations with no crypto affiliation, don’t see this as an effective solution. Yet it is conceptually simple, and according to Nicholas Weaver: “The entire cryptocurrency and blockchain space is effectively one big fraud. Cryptocurrencies are not fit for purpose unless you need censorship resistance, are fundamentally incompatible with modern finance, and are unfixable. They are, however, destroyable as they have technical, legal, and social weaknesses that can be exploited”.
Another alternative is disrupting the cryptocurrency markets and making them harder to use. Bitcoin in itself, even with its great proliferation, is useless to the criminal and to almost everybody else. You can’t actually buy much with bitcoin. It’s like any casino currency, only usable in a single establishment for a single purpose. People need to convert bitcoin into some national currency they can actually save or spend. To the extent that most people don’t use bitcoin, it’s because they still don’t trust or know bitcoin. That has nothing to do with cryptography or protocols. In fact, a system where you can potentially lose your life savings if you forget your key or download a piece of malware is not particularly easy to accept. No amount of explaining how SHA-256 works to prevent double-spending will fix that.
This is where it gets interesting: the chain-swapping and currency conversion processes can be regulated to identify possible malicious activity. If speculators stopped buying and selling cryptocurrencies and the market dropped drastically, these criminal activities would no longer be feasible (see note 1).
In conclusion, cryptocurrencies are the main tool for these criminal activities. In the end, we don’t have a ransomware problem, we have a cryptocurrency problem.
1. More information on this can be found at “Can Cryptocurrency Laws Defeat Ransomware?” and “Court Authorizes Service of John Doe Summons Seeking Identities of U.S. Taxpayers Who Have Used Cryptocurrency”.