For those of us who remember the advent of a plethora, a plague even, of malicious websites using the trademark name Viagra illegally to lure the unwary to their financial woes, and don’t know why we’re not still awash in such horrors, Nicholas Weaver of UC-Berkley has a short history:
At the time, it looked almost impossible for foreign law enforcement to combat these operations. These criminals were clearly outside the reach of U.S. law and were sheltered by a Russian government that viewed cybercrime as a profit center as long as the impacts weren’t localized. But the research group I was then a member of showed Pfizer how to eliminate the Viagra spam problem. …
… Although they drop-shipped products from international locations, they still needed to process credit card payments, and at the time almost all the gangs used just three banks. This revelation, which was highlighted in a New York Times story, resulted in the closure of the gangs’ bank accounts within days of the story. This was the beginning of the end for the spam Viagra industry. One of the major gang operators posted portions of our paper on a Russian cybercrime forum the next day, ending his rant with a gripe that translated to “F***ing scientists, always at it again” and a picture of a mushroom cloud.
Subsequently, any spammer who dared use the “Viagra” trademark would quickly find their ability to accept credit cards irrevocably compromised as someone would perform a test purchase to find the receiving bank and then Pfizer would send the receiving bank a nastygram. In less than a year, the Viagra spam business effectively died, with one Russian cybercriminal remarking, “F***ing Visa is burning us with napalm.” If the criminals’ ability to process payments can be disrupted, so can their ability to operate.
As a society, we also saw the effectiveness of payment interdiction in the first major ransomware epidemic back in 2012 and 2013. Various ransomwares proliferated, including one purporting to involve the FBI. Some of these previous-generation ransomwares would accept either Bitcoin or Green Dot MoneyPaks and targeted retail victims by trying to extort a couple hundred dollars. Fortunately this scheme never metastasized, because Bitcoin was grossly inconvenient (and now can’t even work for small transactions, with each costing nearly $59 as of April 2020). Meanwhile, Green Dot cleaned up its act considerably in response to the Financial Crimes Enforcement Network and congressional pressure to remedy its role in these criminal efforts. [Lawfare]
And this he connects to the recent use of ransomware and identifies Bitcoin as the financial vector:
Now, a new threat has emerged—“big-game ransomware.” These operations target companies instead of individuals, in an attempt to extort millions rather than hundreds of dollars at a time. The revenues are large enough that some gangs can even specialize and develop zero-day vulnerabilities for specialized software. Even the cryptocurrency community has noted that ransomware is a Bitcoin problem. Multimillion-dollar ransoms, paid in Bitcoin, now seem to be commonplace.
This strongly suggests that the best way to deal with this new era of big-game ransomware will involve not just securing computer systems (after all, you can’t patch against a zero-day vulnerability) or prosecuting (since Russia clearly doesn’t care to either extradite or prosecute these criminals). It will also require disrupting the one payment channel capable of moving millions at a time outside of money laundering laws: Bitcoin and other cryptocurrencies. Currently, there are various methods that can degrade, disrupt or destroy the cryptocurrency space.
“Bitcoin problem.” By the validity of the very nature of that phrase, there is a certain repudiation of one of the foundational piers of Bitcoin, isn’t there? That foundation would be the anti government control of currency. Right now, Bitcoin and its cousins are more or less algorithmically controlled, from generation to ownership, while being geographically insensitive. Only those without Internet access cannot use it, theoretically, although the Chinese will, or are, attempting to limit its use. Servers can exist anywhere and thus appear to be outside of government regulation.
So will this invalidate Bitcoin? As a currency, its popularity is a function of the number and legitimacy of the entities willing to use it for exchanging ownership and consumption of assets; if consumers refuse to use it, or corporations refuse to accept it, it loses value. Consumers can be encouraged or discouraged, as in China, and so can the companies. Without physical destruction of the servers, governments can still cripple it by refusing to permit its use by legit entities.
Although, if they take that tact, what is is to be done if a ransomware incident occurs and the maleficient still demand a Bitcoin ransom? I could see a cyberwar develop in which the goal is to revive the cryptocurrencies themselves. And I could see such a war being successful for those trying to revive the cryptocurrencies, at least so long as Russia remains an adversary with little interest in regulation. The difference between the Viagra incident and the ransomware problem is that the short hairs of the victims are in the grasp of the criminals in the latter scenario, rather than the former, if you’ll permit the my exceedingly crass word play. The Viagra sites were a passive opportunity, and if a consumer chose not to visit then they were safe.
Ransomware is inflicted on its victims and must either be deactivated by the actor or solved by the victim – the latter being very expensive and often a very doubtful exercise, while the former is more or less guaranteed to work – for a price. Weaver draws an analogy with a weakness that he doesn’t address.
Which all leads back to the conclusion that a dependence on computers, monoculture or not, may not be the wise investment that they appear to be. That may be a horrific and contentious conclusion, but it’s one to which I would pay some sober attention.
