A Message For CISOs: Stop stockpiling cryptocurrencies for future ransomware payments
A recent Code 42 survey estimated that 73% of CISOs admitted that their company was stockpiling cryptocurrency in case a future ransomware payment was needed. A further 80% of those companies indicated they used the cryptocurrency to pay for ransomware or a data breach in the past 12 months. It may seem like those companies made a smart decision to stockpile cryptocurrency, but there are major downsides to this strategy.
Below are the top 4 reasons stockpiling cryptocurrency for ransomware is NOT smart strategy.
Reason #1: Newsflash - Bitcoin is volatile and ransomware payment amounts are USD pegged.
As we write this, Bitcoin is down 53% year to date, even more if you calculate off the highs of 2017. A company that decided to stockpile Bitcoin in January has had to mark that currency down by half. Those marks flow through the profit and loss statements of the company, and must be explained by your finance team (see reason #2). The translated dollar average of a given ransomware payment is pretty stable; it’s around one thousand dollars, regardless if bitcoin is $20,000 or $5,000.
Reason #2: Your CFO has a migraine with your CISO’s name on it.
Your organization's finance team will have to undertake the following in order to purchase, account, maintain, and dispose of cryptocurrency:
Create counterparty relationships with cryptocurrency exchanges and/or over the counter desks. This requires financial disclosure, paperwork, and weeks of application work. Legal, compliance, finance and possibly board level governance needs to weigh in.
Once some bitcoin is acquired, it will need to be marked to market at least monthly. This means a marking policy needs to be written, approved, and implemented so that the books can be closed regularly and account for the unrealized gains or losses of the cryptocurrency. This policy also needs to pass your auditors sniff test.
You’ll need to create proper personal controls for buying, selling and dispersing the cryptocurrency. Given the immutability of cryptocurrency transactions, strong dual authority procedures need to be implemented to ensure that any movement is well controlled. This means training personnel and creating redundancy (just in case the authorized people leave the company or are not available when ransomware hits).
Your CFO does not want / need to do all this extra work, especially since the amount of cryptocurrency needed for a given ransomware incident is relatively small.
Reason #3: Bitcoin is falling out of favor with cyber criminals. Ransomware is increasingly denominated in alternative cryptocurrencies.
While bitcoin remains a popular denomination, several groups have demonstrated an ability to track ransomware payments through the bitcoin blockchain. Cyber criminals have realized that bitcoin is relatively transparent compared to privacy enabled coins. Accordingly, we have seen a shift to cryptocurrencies like Monero and Dash.
A firm that stockpiled bitcoin for ransomware, would end up having to convert bitcoin to another cryptocurrency, most likely on a different exchange than they originally used. This alone could take weeks to execute. Let’s not forget about the accounting headache that will accompany it (realized gains, losses...etc).
Reason #4. Paying the bitcoin ransom is less than half the battle.
While having cryptocurrency readily on hand can save some time, the act of paying the bitcoin ransom is less than half the battle. The decryptor tools provided by ransomware authors are ‘flukey’ at best. Operating them in a manner that achieves full data recovery is not as simple as pressing a button. If encrypted files are moved or scanned by AV, it can impact that performance of the decryptor tool. If other non-compatible decryption tools have been run on the files, it can damage them and trip the proper decryptor tool. There is a world of nuance inside each decryptor tool, and performance SLA’s are not provided by the attacker.
While we admire the proactive mentality of companies that stockpile cryptocurrency, we also understand the downsides of the tactic. Every single day we see how the aggregated data we generate enables more informed, high velocity decisions during a live incident. Decisions like whether or not to negotiate, or the optimal hour of the day to communicate with an attacker dramatically impact recovery times. The ability to identify ransomware strains that successfully provide working decryptors vs ones that don’t dramatically impacts recovery costs.
Stockpiling cryptocurrency is a gamble, but more importantly it’s not an effective way to prepare proactively for a ransomware incident.