Friday, June 11, 2021

Why do ransomware gangs like bitcoin? It's the censorship resistance

A new type of crime has recently emerged: big-ticket repeatable ransomware. Bitcoin is the payment method of choice for ransomware gangs. But these gangs don't use bitcoin because it is anonymous. They've chosen it because it is censorship-resistant.

Here's a quick illustration of how ransomware works. A university's servers are encrypted by a ransomware operator. Common victims also include corporations, hospitals, and police departments. Only a payment of, say, $1.14 million in bitcoins will get them decrypted (see below). The gang may up the ante by threatening to auction off the institution's data if the ransom isn't paid.

Ransomware isn't new. What is new and unique about the recent spate of ransom attacks is that they are big-ticket and repeatable.

That is, the average ransom payment now registers around $170,000, according to Sophos. Prior bouts of ransomware involved much smaller amounts. Secondly, these aren't isolated one-off attacks. They are manufactured at industrial scale, with gangs like Ryuk or REvil carrying out dozens of attacks each day.

What makes bitcoin such a great tool for carrying out big-ticket repeatable attacks?

It's not the anonymity. A lot of people think that bitcoin is anonymous, but it's actually pseudonymous. All bitcoin transfers are recorded on the blockchain, Bitcoin's public ledger, and anyone can read it. This is inconvenient for ransomware gangs because a ransom can be followed, hop by hop, from the victim's payment to its final destination. While it's possible to use a tool called a mixer to obfuscate the trail, most ransomware gangs don't bother. Nor do gangs use cryptocurrencies that provide native anonymity, like Monero.
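To make the traceability point concrete, here is an added example (not code from the original post) that does what a chain-analysis firm does in miniature: it follows ransom value forward through a toy UTXO ledger until it lands on addresses tagged as exchange deposits. The ledger, the addresses and the exchange labels are all constructed for the illustration; the two propagation rules, "haircut" (an output inherits its transaction's tainted fraction) and "poison" (anything touched by tainted coins is tainted in full), are standard taint-tracing conventions, not anything specific to the gangs named above.

```python
"""Forward taint tracing over a toy UTXO ledger (constructed example).

Shows why a pseudonymous public ledger lets an analyst follow a ransom
from the victim's payment to an exchange deposit. The ledger, addresses
and labels below are made up; nothing here talks to a real node or to a
real chain-analysis service.
"""

# Each transaction spends earlier outputs (referenced as "txid:index") and
# creates new outputs (address, value in BTC). Listed in confirmation
# order, as on a real chain, so every input refers to an earlier output.
LEDGER = [
    # An unrelated user and the victim acquire coins.
    {"txid": "tx0", "inputs": [], "outputs": [("other_user", 10.0)]},
    {"txid": "tx1", "inputs": [], "outputs": [("victim", 40.0)]},
    # Ransom payment: 30 BTC to the address in the ransom note, 10 BTC change.
    {"txid": "tx2", "inputs": ["tx1:0"],
     "outputs": [("ransom_note_addr", 30.0), ("victim_change", 10.0)]},
    # Gang commingles the ransom with 10 BTC of unrelated funds and splits it.
    {"txid": "tx3", "inputs": ["tx2:0", "tx0:0"],
     "outputs": [("hop_a", 25.0), ("hop_b", 15.0)]},
    # Cash-out: deposits to two exchange accounts, a little change kept back.
    {"txid": "tx4", "inputs": ["tx3:0"], "outputs": [("exch1_deposit", 25.0)]},
    {"txid": "tx5", "inputs": ["tx3:1"],
     "outputs": [("exch2_deposit", 12.0), ("gang_change", 3.0)]},
]

# Attribution an analyst would hold from deposit-address tagging (assumed).
EXCHANGE_ADDRESSES = {"exch1_deposit": "ExchangeOne", "exch2_deposit": "ExchangeTwo"}


def trace(ledger, ransom_outpoint, rule="haircut"):
    """Return (outputs, taint).

    outputs maps "txid:i" -> (address, value in BTC).
    taint   maps "txid:i" -> BTC of ransom value carried by that output.

    rule="haircut": an output inherits the proportion of its transaction's
    total input value that was tainted (conserves the ransom amount exactly).
    rule="poison":  any transaction spending a tainted input taints all of
    its outputs in full (simpler, but counts commingled clean funds too).
    """
    outputs, taint = {}, {}
    for tx in ledger:  # confirmation order, so inputs are already known
        total_in = sum(outputs[r][1] for r in tx["inputs"])
        tainted_in = sum(taint.get(r, 0.0) for r in tx["inputs"])
        if rule == "haircut":
            frac = tainted_in / total_in if total_in else 0.0
        elif rule == "poison":
            frac = 1.0 if tainted_in > 0 else 0.0
        else:
            raise ValueError(f"unknown rule {rule!r}")
        for i, (addr, val) in enumerate(tx["outputs"]):
            op = f"{tx['txid']}:{i}"
            outputs[op] = (addr, val)
            if op == ransom_outpoint:
                taint[op] = val        # the ransom output itself: fully tainted
            elif frac > 0:
                taint[op] = val * frac
    return outputs, taint


def ransom_reaching_exchanges(ledger, ransom_outpoint, labels, rule="haircut"):
    """Sum tainted BTC that lands on labelled exchange deposit addresses."""
    outputs, taint = trace(ledger, ransom_outpoint, rule)
    totals = {}
    for op, amt in taint.items():
        addr = outputs[op][0]
        if addr in labels:
            totals[labels[addr]] = round(totals.get(labels[addr], 0.0) + amt, 8)
    return totals


if __name__ == "__main__":
    for rule in ("haircut", "poison"):
        print(rule, ransom_reaching_exchanges(LEDGER, "tx2:0", EXCHANGE_ADDRESSES, rule))
```

Under the haircut rule 27.75 of the 30 BTC ransom is attributed to the two exchange deposits (18.75 and 9.0) and the remaining 2.25 sits in the gang's change output; the poison rule reports 25 and 12 because it also sweeps in the 10 BTC of unrelated funds commingled in tx3. Either way the destination is visible, which is exactly what a mixer is meant to break by making the inputs to a transaction unlinkable to its outputs.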

All of this points to the fact that anonymity is not really important to Ryuk, REvil, and other ransomware operators.

So what is it about Bitcoin that is attractive to these gangs? The feature they are after is something called censorship resistance. That is, Bitcoin allows value to be transferred electronically across vast distances without any intermediary being able to halt or freeze it. A ransomware gang can extort $1.14 million from a victim in a country like the U.S. with strong law enforcement, repatriate it to a country with weak law enforcement like Russia, and then sell it for hard cash, all without having to worry about a bank or the FBI freezing the funds somewhere in between.

Bitcoin isn't the only censorship resistant payment network.

You wouldn't think it, but gift cards like iTunes and Google Play cards are (semi) censorship-resistant payment networks, and it is for this reason that they've become popular with criminals. Scammers in call centres located in India frighten their U.S. victims with the fake threat of being apprehended by IRS agents, then tell the victim to send a $500 gift card number by text in order to be exonerated. The gang will either resell the card number for cash or spend the balance in an app that they control. Gift card issuers don't have effective measures for freezing balances, so the bad guys can more or less use gift card networks with impunity.

So why are today's ransomware gangs using bitcoin instead of gift cards to extort money from the likes of the University of California San Francisco?

At the outset of this post I specified that one of the unique features of modern ransomware is that it is big-ticket. A gang that wants to extort a victim for $1.14 million can't do so using gift cards. The maximum gift card size is $500. The University of California San Francisco would have to buy 2,280 cards and send the attacker all the card numbers. And then the gang would have to launder all those cards. It's just too inconvenient.

No, some other payment rail is necessary for big-ticket ransoms. Bitcoin is perfect for this: there is no limit on transfer size.

What about carrying out big ticket ransom attacks via wire transfers? A wire transfer is an electronic payment from one bank account to another, often overseas.

Wire transfers are ideal for big-ticket payments, but they aren't censorship-resistant. Banks require identification and can freeze suspicious transfers. Our ransomware gang might be able to work around this by setting up a network of money mules and accounts using fake ID in a foreign jurisdiction with weak law enforcement. They could then order a victim such as the University of California San Francisco to wire $1.14 million to the gang's foreign bank account. If the $1.14 million successfully arrives without being frozen, the gang quickly withdraws the funds as cash before an injunction arrives.

But remember, the second key feature of modern-day ransomware is that these gangs are carrying out multiple attacks each day. Setting up fake accounts at various foreign banks in order to receive wire transfers requires a lot of effort. Once an account has received a ransom, it is burned forever. By contrast, generating a fresh Bitcoin address for every victim costs nothing and can be repeated indefinitely.

In short, wire transfers don't scale. Bitcoin, by contrast, allows for the mass production of ransom payments.

So now we know why ransomware gangs like to use Bitcoin. It's not the anonymity. Rather, Bitcoin opens up the field to big-ticket repeatable censorship-resistant payments. 

The next question we may want to ask ourselves is this: should we try and modify the Bitcoin payment network to stop these attacks?

We have a long history of making changes to payments systems that have become popular with criminals. When electronic gold issuer E-Gold became a tool for carders, it had to introduce a customer identification program. Western Union became a haven for “wire money to get me out of jail!” scams. It was fined and introduced much stricter know-your-customer rules. In the early 2010s Green Dot's MoneyPak became a popular network for FBI scams. Green Dot shut MoneyPak down for a year and rebuilt it from scratch to make it much harder for scammers to penetrate.

Bitcoin can't be modified in the same way, though. There is no operator to fine or order to change the rules; that is what censorship resistance means. Which means we need other responses.

One possibility is to ban cryptocurrency. But as I wrote in a recent article for the Sound Money Project, I'm not a big fan of that solution. It seems like overkill. Rather, I suggested putting an embargo on the ransom payments themselves in order to cut off ransomware gangs' revenue. (I also fleshed out this idea in an article for Coindesk in 2020.)

Here's another option. The U.S. government could make it difficult for ransomware operators by dusting off Section 311 of the USA Patriot Act. Let me explain how this would work.

A big chunk of the ransom payments that gangs like REvil collect are routed to cryptocurrency exchanges in jurisdictions with minimal anti-money laundering controls. The bitcoins then get converted into cash. Without these liquid offshore exchanges, it would be difficult for ransomware operators to launder their funds into spendable cash.

According to cryptocurrency analysis firm Chainalysis, one large Russian cryptocurrency exchange took in nearly 44% of all ransomware funds sent to exchanges in 2019. (Chainalysis declined to name it.) More recently, I stumbled on the following anecdote. It shows how a certain Russian exchange (perhaps the same one that Chainalysis mentions?) converts incoming ransomware bitcoins directly into U.S. dollar banknotes.

Now, without rogue exchanges such as the one above it would be difficult for ransomware operators to stay in business. But these exchanges are usually located outside of U.S. jurisdiction, so there seems to be little that the U.S. can do about them.

This is where Section 311 comes in.

Section 311 allows the Financial Crimes Enforcement Network (FinCEN), an arm of the U.S. Treasury, to designate a foreign-based financial institution (like our Russian cryptocurrency exchange) as a primary money laundering concern. Once an entity is so designated, FinCEN can impose special measures on it, the harshest of which prohibits U.S. financial institutions from opening or maintaining correspondent accounts for the listed entity, effectively cutting it off from the U.S. financial system.

For those readers with long memories, Section 311 was used to shut down Liberty Reserve, a Costa Rica-based electronic money issuer that became popular with criminals involved in identity fraud and credit card theft. Below is a list of entities that have been designated under Section 311.

Entities designated by FinCEN under Section 311 of the Patriot Act

What really provides Section 311 with the extra oomph for reaching rogue exchanges is that it allows FinCEN to require U.S. financial institutions to stop doing business with any other entity that provides banking services to the designated entity. Think of this strategy as the friend of my enemy is my enemy. Any Russian bank that offers an account to the offending Russian cryptocurrency exchange could be cut off from the U.S. banking system, too. Because access to the U.S. financial system is so valuable, most Russian banks will drop the exchange as a customer just to stay on good terms with the U.S.

So Section 311 would cripple ransomware-friendly exchanges by severing them from the financial system. And without these rogue exchanges, it becomes much trickier to be a ransomware gang.

To sum up, Bitcoin is censorship-resistant. That's why ransomware gangs like it. This very same feature also prevents democratic societies from modifying the Bitcoin protocol to exclude ransomware gangs. Bitcoin may be censorship resistant, but the venues where it is traded are not. Section 311 and other tools that allow for leverage over these venues remain one of the best ways to attack bitcoin-based ransomware.


  1. Interestingly, under section 11.49(1) of the Canadian Proceeds of Crime (Money Laundering) and Terrorist Finance Act, the Governor in Council, upon recommendation of the Canadian Minister of Finance, may impose a similar restriction to that of Section 311 of the US Patriot Act with regards to foreign entities maintaining correspondent accounts and engaging in financial transactions to and from Canada.

    "Regulations — limitation and prohibition

    11.49 (1) The Governor in Council may, on the recommendation of the Minister, make regulations

    (a) imposing a limitation or a prohibition on any person or entity referred to in section 5, with respect to entering into, undertaking or facilitating, directly or indirectly, any financial transaction, or any financial transaction within a class of financial transactions, originating from or bound for any foreign state, foreign entity or entity referred to in paragraph 5(e.1);

    (b) prescribing terms and conditions with respect to a limitation or prohibition referred to in paragraph (a); and

    (c) excluding any transaction or any class of transactions from a limitation or prohibition imposed under paragraph (a)."

    Yet in the history of the PCMLTFA there has never been a ministerial finding under section 11.49, which in my opinion might actually cause the government of Canada to become liable to Canadians who have been victims of ransomware and rogue exchanges. By not restricting access to, or imposing reporting requirements on, let's say roguish Russian banks that do business with rogue exchanges that are used to extort Canadians, it would seem a case could be made that the Canadian government is acting negligently in not using the authority under the PCMLTFA that Parliament gave it.

  2. A quick update on this...

    One of the suggestions in this post was to use Section 311 on Russian cryptoexchanges that are providing outbound liquidity to ransomware operators.

    Lo and behold, a year and a half later (in early 2023) FinCEN designated a Russian exchange, Bitzlato, under Section 311.