[BreachExchange] Bitcoin is Not the Root Cause of Ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 10 19:20:51 EST 2016


http://www.coindesk.com/bitcoin-root-cause-ransomware/

Ransomware has been around for a while – it turns out to be about 20 years
older than bitcoin – but it's been in the news again recently because of a
particularly upsetting case involving a Los Angeles hospital.

Most types of ransomware software "lock" the files on a victim's computer
by encrypting them with a key that the hackers withhold until a ransom
payment is made. In the early days of these tools, payment was typically
made with wire transfer, prepaid cards or by SMS and mobile payments.

Now payment is almost always demanded in bitcoin.

You might think that this is because bitcoin is an "anonymous" payment
method, and that hackers love it because they don't have to worry about
being identified and ultimately caught. That's not really why bitcoin is
a good fit. Prepaid cards are actually more anonymous because they can be
mailed and then used or resold internationally with effectively no trace.

Bitcoin transactions, however, leave a trail of pseudonymous breadcrumbs on
the blockchain, and if the hacker tries to cash out into local currency,
she might accidentally put a name or an IP address to those pseudonyms and
give herself away. Blockchain transactions can reveal the structure of
organized ransomware crime rings, and individual hackers can be and have
been caught and prosecuted.

No, bitcoin is particularly useful here because it's fast, reliable, and
verifiable.

The hacker can simply watch the public blockchain to know if and when a
victim has paid up; she can even make a unique payment address for each
victim and automate the process of unlocking their files upon a confirmed
bitcoin transaction to that unique address.

The truth is that criminals have, as usual, very strict design parameters
for the tools they use because there's no tech-support, contract or legal
recourse for a criminal whose tools fail to perform as they should.

Jumping to solutions

Criminals are using bitcoin in this case because it's a reliable system
that just works. Ransomware hackers are rather like the proverbial
rumrunners of prohibition: they like fast custom cars because almost
everyone else is still driving a Model T.

As problematic and sad as these attacks are, it's important to carefully
understand what's happening so that we don't jump to "solutions" that
wouldn't solve the problem and could even make us less secure over time.

Three ingredients make ransomware the problem it is, and these things are
just as true whether the victim is your Aunt Alice or a hospital or police
station:

1. Hackers gain unauthorized access to a computer with read/write permission
   over sensitive or valuable data.
2. Hackers place malware on that computer to encrypt its files using strong
   cryptography and a key which only they control.
3. Hackers use bitcoin to receive payment in exchange for the key.

Cryptography and bitcoin are the "sexy" parts of that trifecta, and
accordingly, they get most of the media attention.

The root problem, though, is number one: unauthorized access.

Security and privacy

In the hospital context, for example, it's already a security and privacy
disaster that random hackers in Russia can access, read, modify and delete
all of your sensitive medical records.

Whether the hacker then encrypts the files, or demands a ransom is a
secondary issue; the damage is already done. Failing to keep those records
private and safe puts patients in danger of discrimination, personal
blackmail, and, of course, poor or compromised care.

So, to be very, very clear, the problem of ransomware begins with bad
security.

Everyone – and especially employees of vulnerable institutions – needs to
take the security of sensitive records more seriously; we all need to
better understand phishing emails and other social engineering tactics that
can be used by hackers to gain access to sensitive information.

This is a problem that's been around as long as the Internet, and yet the
solutions are actually fairly straightforward: use strong passwords, don’t
share your passwords with anyone (even people sending you official-looking
emails) and don’t open suspicious email attachments from senders you don’t
know.

Additionally, of this three-part problem, both cryptography and
cryptocurrencies have entirely legal and even essential applications that
make us more secure.

The first part, unauthorized access caused by poor security, has no upside.

Looking for a scapegoat

If we’re looking for a way to stop these attacks we need to target
weaknesses in our privacy infrastructure, not the tools that some may use
to exploit those weaknesses.

We need to use HTTPS encryption by default; we need to understand and
practice two-factor authentication; we need to talk about password managers
and what makes a strong password; and we need to think about payment
systems that don't consistently hemorrhage our personal identifying
information.

Ignoring this problem of unauthorized access and putting the blame on
cryptography and cryptocurrencies will not stop ransomware. In fact,
outlawing or compromising these tools will make ransomware significantly
worse.

Such policies would discourage honest individuals from learning about and
utilizing the very technology that could make them safe, while criminals in
darker corners of the world, the sophisticated rumrunners with strict
design standards, would continue to use these powerful tools for evil.