The last several years have seen a surge in efforts among the cryptocurrency community to legitimize the technology. Once seen as a tool for the dark web and black markets, cryptocurrencies like bitcoin now want to be a part of the broader economy.
For many, however, the technology still conjures up images of cybercrime and illicit activity, and new data revealing the rising threat of ransomware is likely to fuel that negative reputation.
Ransomware threats are increasing, not only because the volume of attacks against businesses is on the rise, but because new, unique strains of ransomware are emerging that target larger organizations and demand higher payouts.
A new report from cybersecurity company Coveware put some numbers behind this trend. Between 2018's fourth quarter and 2019's first, the average cost of a ransomware attack spiked by a whopping 89 percent to $12,762. The average span of system downtime increased, too, to 7.3 days, while the average cost of the knock-on impact of ransomware-related downtime stood at $65,645.
The regulatory and cybersecurity community's general consensus on ransomware attacks is to advise victims not to pay their attacker. However with Coveware finding that payouts yield a 96 percent success rate in securing a decryption tool that can restore enterprise data, it can be difficult for a company to resist adhering to cyberattackers' demands.
Coveware Co-Founder and Chief Executive Officer Bill Siegel told PYMNTS it is imperative that businesses understand ransomware payouts should only be used as a last resort.
"It's only in cases where a client says, 'We are going to go out of business, we are going to miss payroll, this is going to ruin my company unless we explore this option,'" he said in a recent interview.
Bitcoin at the Center
If an organization is ultimately forced to pay the ransom, by far the most common vehicle to do so is bitcoin, Coveware's analysis found, with 98 percent of demands requiring payment in bitcoin.
Unfortunately, this means that for many organizations, their first experience using a cryptocurrency isn't to accelerate payments or boost the efficiency of global transactions, as many innovators want. Rather, it's to pay off a cyberattacker.
"It's a last resort, but the reality is, when a company has only two choices — fold their tents and tell customers they can't do business anymore, or go through the business of dealing with the attacker and paying the ransom — the choice actually becomes very clear," said Siegel. "And however unpalatable it is, they would rather do that than shut their company down."
The widespread reliance on bitcoin to facilitate ransomware payouts is a "genuine challenge" for the cryptocurrency industry, he added. But the industry players that have a long-term, vested interest in the success and legitimacy of the technology are also the ones that take the issue of cybersecurity and regulatory compliance seriously.
And while corporates targeted by ransomware attacks may equate bitcoin to cybercrime, it's actually the privacy coins, such as Dash or Monero, that are untraceable and therefore likely will face a harder time in the market providing legitimacy.
That may be true, but bitcoin's notorious reputation remains difficult to shake off. And for corporates that ultimately decide to pay a ransom using cryptocurrency, the regulatory and compliance implications of doing so are sure to stir up anxieties as well.
Siegel noted that though the cybersecurity and cryptocurrency regulatory landscape remains in relative infancy, authorities are taking notice of the use of crypto in ransomware payouts and beginning to act accordingly.
He pointed to the U.S. Department of Justice's indictment last year of two Iranian men using ransomware to steal $30 million from a range of targets in the U.S. As a result, the DOJ, for the first time, placed information about digital currency wallets on its Specially Designated Nationals (SDN) and Blocked Persons list.
"There was no regulatory safe harbor, or any guidance provided, but our interpretation of that step by the Department of Justice validated our existing compliance program," he said, adding that Coveware actively monitors the Office of Foreign Assets Control's SDN list, as well as wallets associated with ransomware payouts to see if they ever end up on any sanctions lists moving forward.
"It's a new area, and it's something companies should be very careful on, because if you're not careful and you pay into a wallet on a sanctions list, you can be subject to secondary sanctions," he said, "which can be as existentially damaging to a business as actually losing all of your data."
The use of cryptocurrency in ransomware and other cyberattacks may leave a bad taste in corporates' mouths, and certainly presents an uphill battle for the crypto community to combat a negative reputation and encourage corporate adoption of the technology. A shifting regulatory landscape may present new compliance challenges for targeted corporates, but might also help to legitimize cryptocurrency as well.
Regardless, the best way to mitigate against the risk of non-compliance, and to avoid the challenges associated with ransomware payouts, is to protect IT infrastructure in the first place.
"We've entered a word where it is the standard to see the vast majority of attacks take place that are bespoke, targeted, and have very devastating and existentially risky consequences for a company," said Siegel. "Whether you're a small business or large business, it takes a considerable amount of persistent investment in your overall IT security to protect yourself."