In the wake of the world’s largest ransomware cyberattack, the attention of cybersecurity analysts and governments is focused on the ramifications of this fairly new but very threatening form of cybercrime.
During an emergency meeting to address the WannaCry ransomware attacks, Tom Bossert, Homeland Security Advisor to the President, made this statement on whether victims should pay ransom demands, and warned that victims could still lose access to files even after making a payment.
“Well, the U.S. government doesn’t make a recommendation on paying ransom, I would provide a strong caution. You’re dealing with people who are obviously not scrupulous, so making a payment does not mean you’re gonna get your data back.”
Despite this recommendation, many consumers are willing to take the risk of losing their ransom payment in order to have a chance at recovering often priceless data, information, photos, videos, and other personal or professional files. However, government and legal actions may make it difficult for consumers to access the digital currencies demanded by ransomware cybercriminals.
Ransomware refers to a practice where hackers “lock” the personal files or hard drives of victims, and only restore access once they receive a payment. Bitcoin and other digital currencies have become the chosen medium of exchange for this activity, due to their anonymity and ease of instantaneous online transfer. Read Coin Center’s article here for an in-depth look at the reasons why cybercriminals demand bitcoin for their method of payment.
If consumers ultimately do choose to comply with ransomware demands, they may face hurdles if they disclose why they need digital currency funds, as businesses selling digital currencies may face severe consequences for helping these consumers out.
Anthony Murgio, a Florida man who has pled guilty to other financial crimes such as operating as a money transmitter without a license, was also charged with violating Title 18 U.S.C., Section 1030(a)(7). Prosecutors alleged that Murgio and his co-conspirators benefitted from transactions providing victims with bitcoin to pay off ransomware demands.
The indictment states,
“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransom-ware schemes…By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”
The Radiolab podcast “Darkode” delves into this issue. The hosts interviewed bitcoin seller Will Wheeler, who runs a bitcoin exchange called ExpressCoin. FinCEN’s guidance, according to Wheeler, was that FinCEN may perceive selling bitcoin to someone to pay off a ransomware demand as an unlawful activity. He said, “I finally got a call back from FinCEN…they said that ‘we could perceive paying a ransom as unlawful activity,’ and so they might choose to use that against a company who helps out.” Wheeler stated that while he would like to help people whose files or personal information are being held hostage, he chose not to do so in order to avoid any criminal liability.
The Federal Bureau of Investigation (FBI) has offered differing advice to those affected by ransomware over the past several years. In 2015, the Bureau’s position was that victims should simply pay the ransom and that there was not a good chance they would get their data back otherwise.
Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program, expressed this sentiment at an October 2015 cybersecurity conference. According to The Security Ledger, Bonavolonta said, “The ransomware is that good. To be honest, we often advise people just to pay the ransom.” The Bureau later clarified their position, stating that people should try and restore their files from a backup rather than pay the ransom – however, if that is not possible or a backup has not been done, then the “remaining alternative” is to pay up.
In May 2016, the FBI began advising against paying ransoms, on the grounds that victims may not actually get their data back, and that paying ransoms emboldens cyber criminals. FBI Cyber Division Assistant Director James Trainor said:
“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Paying ransomware is not in itself illegal. Some police departments have paid ransom demands, and businesses routinely pay. There does not seem to be any formal agency guidance or legal precedent that providing bitcoin to pay ransomware is illegal – but exchanges or sellers may be caught up in legal trouble if they have avoided or neglected reporting requirements or have not registered as a money transmission business (like Murgio), or if they had any involvement with the ransomware hackers. If a bitcoin seller was actually and actively abetting a hacker then they would likely be at legal risk, but if they merely made bitcoin available to a business (or individual) and gave them technical advice as to how to pay in bitcoin, then that seller should not be held legally liable and likely this would not be a chargeable offense. However, the extent to which a bitcoin seller aided someone paying ransomware is separate from reporting requirements and licensing rules, and may vary from state to state, in addition to the federal requirements.
Paying ransomware demands is legal, so a seller giving a person or business assistance (especially technical assistance) should logically be and remain legal. Until authorities find an effective way to help ransomware victims or develop a coherent and effective strategy to stem the tide of these attacks, there is every policy reason to allow private individuals and organizations to assist these victims, especially with something like bitcoin payments which are unfamiliar to most people.
Clearer guidance from FinCEN and state agencies may be valuable, so what is legal will be laid out clearly in this area of doubt and confusion. As seen in the podcast cited above, otherwise law-abiding bitcoin sellers may be dissuaded or discouraged from helping consumers pay ransomware demands. Uncertainty is a risk and a major concern in this area. At the time of this case, ransomware attacks were more obscure and not as well-known among the general public; today, however, they are far more prolific. Victims don’t really have any choice but to pay the demands, if they have not backed up their data previously. If bitcoin exchanges and sellers are hesitant to provide bitcoin to the victims of ransomware, then it will mean that more consumers will find it more difficult to regain access to their personal files.