A massive cyber-extortion attack known as “WannaCry” wrought havoc across the globe last week, taking out much of Britain’s National Health Service and, in a delicious bit of irony, the Russian Interior Ministry.
The attack was a long time coming, representing the inevitable merging of two plagues that have long ravaged the Internet: the invention of programs that can rapidly infect digital systems and the rise of Internet crime. Without action, WannaCry represents just the first of what will undoubtedly be a long nightmare of self-propagating criminal attacks.
The first Internet plague arose in 1988 when a small program, written by computer scientist Robert Morris Jr., escaped. This program, clearly written as an interesting experiment, ran on a single computer and, from there, attempted to contact other computers. Once it found another computer it attempted to exploit the victim using one of several vulnerabilities. When successful, it copied itself over and started running: First two computers ran the program — then four, then eight. Exponential growth caused it to quickly spread to all vulnerable systems on the Internet. Combined with a bug that caused it to effectively overload its victims, this acted to effectively shut down the Internet of 1988.
This was the inadvertent dawning of the worm, a program that spreads on its own from computer to computer. Since that time we’ve seen many other worms, including Code Red (the first widespread worm in the modern era, infecting 300,000 systems over 13 hours), Slammer (spreading worldwide in 15 minutes and even infecting a nuclear power plant), Blaster (silently infecting hundreds of thousands of Windows computers) and Witty (which took down network security monitors belonging to the US Army).
The second plague crept up on us more subtly in the form of criminals seeking to make money. From spammers hawking Viagra to online bank-robbers seeking to take control over corporate accounts, this plague is organized crime that doesn’t care much about the damage done as long as it makes money. One particularly vile criminal strain involves ransomware: Malicious programs that encrypt a victim’s files and demand money to access them.
The ransomware epidemic is fueled by multiple factors, most notably the presence of both online criminal communities enabling specialization and Bitcoin. Criminal communities enable specialization: Somebody good at coding can write a ransomware framework and sell it to someone who’s good at attacking computers. Many of these communities are Russian, as Russia has a long history of sheltering cyber-criminals who don’t attack Russian interests.
WannaCry is simply the merging of these two plagues. Dealing with such worms is a technical problem — one that researchers have and will continue to focus on. But dealing with online criminals is a policy and economic problem.
Even when we can identify criminals, far too many escape capture unless they are foolish enough to go on vacation from their Russian sanctuary. And since we can’t seem to dissuade Russia from directly attacking Western democracies with its hacking and information operations, it is highly doubtful we can get Russian cooperation on cybercrime.
There is a potential, however, to disrupt payments: Don’t play whack-a-mole on criminals, play whack-a-mole on criminal business models. In the past, cyber-criminals used Liberty Reserve until the U.S. government shut it down and arrested its founder for money laundering. This proved a substantial blow to the criminal underground.
Likewise, ransomware actually looked poised to take off earlier with payments through Green Dot MoneyPak and similar networks, but pressure from the Treasury Department has stifled the cash-out network used by criminals to convert MoneyPak into currency. That leaves Bitcoin as the only game in town for those wanting to conduct cyber-extortion at scale.
Perhaps it is time for the United States to actually take meaningful action against Bitcoin. For non-criminal transactions, Bitcoin is decidedly inferior to all the alternatives, as it is expensive, cumbersome and surprisingly slow. Bitcoin’s only “superiority” over other electronic payment systems is its censorship resistance: There is no central authority that can say “thou shalt not.” Thus, it is only superior for criminal uses such as drug deals or extortion.
US Bitcoin exchanges can be pressured to not enable ransom payments, and the Treasury Department can exert pressure on foreign Bitcoin exchanges to either comply with US money-laundering laws or be cut off from all international bank transactions (not just those transactions which originate in the United States). There is also a possibility for a technical solution: Clogging the Bitcoin network with spam transactions.
Unless something can be done about the presence of payments through criminal-friendly Bitcoin or other means, we can only expect these two merged plagues — the crimeware worms — to continue to create chaos.
(The Washington Post)
Nicholas Weaver is a computer security researcher at the International Computer Science Institute in Berkeley, Calif.