Sanctions restricting the use of cryptocurrency to make ransomware payments are set to be implemented by the US government in a bid to make it harder to pay ransoms. The new rules, which could be announced this week, may penalise crypto-wallets and exchanges as well as individuals who help ransomware gangs to convert cryptocurrency. While the move has been hailed as an “interesting experiment” in the fight against ransomware, experts fear it may not have much impact.
The US government is taking action following a string of high-profile ransomware attacks targeting public and private sector organisations. Cryptocurrencies, which have made it possible for ransomware gangs to easily and anonymously accrue massive profits from large-scale ransomware attacks, are an obvious target for law enforcement agencies.
As well as a set of sanctions, fresh guidance on how to react to a ransomware attack will also be provided by the US Treasury, reports the Wall Street Journal.
Will anti-ransomware payment sanctions work?
While other bodies have introduced some resistance against online criminals – the EU, for example, has extended its framework for restrictive measures against cyberattacks until May 2022 – measures to sanction payments would be the first of their kind.
“This will be a very interesting experiment to see if ransomware can be crushed by cutting off its blood supply,” says Roger Grimes, author of the Ransomware Protection Playbook and part of security awareness group KnowBe4.
Sanctioning the payment of ransoms will prove the US takes the threat of online ransomware gangs seriously, believes Sam Curry, chief security officer at Cyber Reason. “After the incidents with Colonial Pipeline and JBS in the last quarter, the US needed to present a strong retaliatory response against the threat posed by ransomware,” Curry says. “That’s why US president Joe Biden set up a ransomware taskforce back in July 2021.”
These new sanctions will increase the options available to those trying to put a stop to ransomware attacks. However, making cryptocurrency harder to use for criminal payments is unlikely to be a silver bullet. Grimes says outlawing crypto payments could be a good first step, Grimes says. But, he warns, “the payments might re-migrate to the other forms of payment that were used before cryptocurrency became the go-to payment method, like wiring money, gift cards, or third-party brokers.”
The nature of cryptocurrency makes it difficult to sanction, he adds. “How to regulate money and value which is mostly based on the idea that it is unregulated and difficult to regulate from the start can be tough,” says Grimes.
Another risk of issuing fines to those who elect to pay the criminals is, if ransomware gangs continue to pose a risk to organisations, they may simply find a way to pay that avoids getting fined, says Curry. “Instead of preventing them from paying the ransoms, it might push these transactions further underground. Suppose the ransomware threat persists and causes a greater issue to organisations than fines and reputation damage. In that case, organisations will likely still choose to pay and do so in a way to avoid fines.”
Grimes agrees. “Turning otherwise legal people into possible criminals is never a good look for any regulation,” he says.
How would a US ban on ransomware payments affect the world?
Other than providing inspiration for other countries, these actions on the part of the US government will not do much to abate the global threat of ransomware. However, as the US has suffered the brunt of attacks these sanctions may significantly curb the spread of attacks, argues Curry. “It’s hard to imagine that these measures will resolve the huge ransomware issue outside of the US,” he says. “[But] given that the US is the largest target of ransomware, these measures could significantly cut into the ransomware groups’ profits if effective. It may also send a message to governments in the world to follow suit and declare similar actions.”
Whether the sanctions work or not, they help the US show it is making a stand against ransomware and the broader issue of cybercrime, Curry concludes. “By being the first country to install sanctions against the use of cryptocurrency by ransomware actors, the US likely aspires to act as a leader at the forefront of this battle, hoping that other allied countries will join soon”.