Author: Syedur Rahman
12 May 2021
In the US this week, the Colonial Pipeline has had to take itself offline after it was subjected to a ransomware cyber-attack. This has had far-reaching consequences, resulting in a presidential statement and the relaxation of transport rules to minimise disruption to supply. Indeed, these consequences went far beyond even what the cyber attacker had intended. In a public statement, Darkside (which has admitted to the attack) wrote on its website: “Our goal is to make money and not creating problems for society.”
The question then is what can be done to reduce ransomware attacks?
The Ransomware Task Force (RTF) recently released a comprehensive framework, entitled "Combating Ransomware: A Comprehensive Framework for Action", which aims to combat the ever-increasing number of ransomware attacks. In particular, it recommends greater regulatory oversight.
Ransomware attacks occur when an attacker uses a form of malware to encrypt a victim’s files, often on a particular device or through a network. This has the effect of blocking the files and preventing the victim from accessing or using them. The attacker then demands payment of a “ransom” in order to restore access to the files. The ransom is often demanded in cryptocurrency, such as Bitcoin (BTC), and a decryption key is given to the victim upon payment of the ransom. It is important to note, however, that the payment of a ransom in and of itself does not guarantee that access to the files will be returned.
A common way of delivering a ransomware attack is a phishing email. Phishing, as part of a social engineering scheme, lures victims into carrying out actions without realising that they are malicious. Typically, this involves the attacker sending a phishing email to a victim, where the email is created to look like it has come from a trusted sender. Links or attachments pose as trusted files, but once the attachment has been downloaded or the link opened, malicious content is executed, encrypting the victim’s files and asking for the payment of a ransom.
According to Chainalysis, the blockchain analysis company, the “big story for cryptocurrency-based crime in 2020 is ransomware”. Indeed, last year saw a 311% increase in the value of cryptocurrencies paid and/or received in ransomware attacks, totalling the equivalent of $30 million. The true figure is, however, likely to be much higher, as many ransomware attacks go unreported because victims fear being perceived as having weak security systems.
The RTF was formed in January 2019 by the Institute for Security and Technology, with support from various governmental and industry experts, including Microsoft.
The RTF report provides 48 recommendations to address the issue of ransomware. Among the top five recommendations is a call for there to be better implementation, and enforcement, of cryptocurrency regulations. Of particular note, the report recommends that the cryptocurrency sector, which is described as “a ransomware enabler”, should be more closely regulated; requiring it to comply with existing “know-your-customer” (KYC), Anti-Money Laundering (AML), and Combating Financing of Terrorism (CFT) laws. In accomplishing this aim, the report specifically recommends the extension of regulations to cryptocurrency exchanges, the imposition of tougher licensing requirements for cryptocurrency processors, and the extension of AML/CFT rules to over-the-counter (OTC) trading desks and kiosks that sell, buy and exchange cryptocurrency.
In order to be effective, the report goes even further and suggests that such regulatory oversight should be at an international level. Cryptocurrencies are a global phenomenon, with no apparent restrictions related to borders. It does, therefore, seem logical that regulatory oversight should take place at an international level, to allow for consistency and uniformity across jurisdictions when tackling the global threat.
However, little thought appears to have been given to how this might actually be achieved in practice. Countries all over the globe implement regulatory oversight differently, operating different AML/CFT laws, all of which are then enforced at a national level. Unless an international regulator is set up, with standalone regulations applicable to all cryptocurrency users, it is hard to see how consistency or uniformity can really be achieved. What’s more, many national regulators are still grappling with trying to understand cryptocurrencies and the blockchain. It seems unlikely then that these national regulators are going to be able to somehow come together to tackle this global problem, when they cannot yet deal with it at a domestic level.
Over the past year, we have seen cryptocurrencies becoming more widely used, and accepted, both in terms of payment and as an investment - at the time of writing this article, BTC’s value alone has increased from $10,000 to $50,000. Despite the recent buzz around regulatory oversight of the cryptocurrency space, this has in actual fact been hotly debated for many years, with no real movement to date. The latest report by the RTF sees a renewed focus among governments and the industry to push for cryptocurrency regulation, so perhaps now there will finally be some momentum.
It has been argued, however, that regulation of cryptocurrency - and its users - detracts from its very concept. Cryptocurrencies and the blockchain are designed, by their very nature, to be decentralised and anonymous. To impose regulations is said to be counterintuitive and invasive.
What is clear is that the anonymity associated with cryptocurrencies means that they remain the currency of choice for criminals, including ransomware attackers. As it stands, those criminals face little to no risk of facing the consequences of their actions. Although cryptocurrencies were created for the very purpose of being anonymous, there is a real danger that the opportunities they have afforded to criminals - by providing a veil of protection through privacy - are tipping the balance from no regulation to some regulation.
Syedur Rahman is known for his in-depth experience of serious fraud, white-collar crime and serious crime cases, as well as his expertise in worldwide asset tracing and recovery, international arbitration, civil recovery, cryptocurrency and high-stakes commercial disputes.