The May 7 ransomware shutdown of Colonial Pipeline, resulting in the payment of nearly $5 million to the group responsible for hacking the corporation, illustrates how the ransomware epidemic is now out of hand. Beyond just the Colonial Pipeline hack, this single ransomware gang, DarkSide, has extorted $90 million in revenue in half a year, and the number of similar gangs is proliferating so fast that one needs a scorecard to keep track of them all. Conservative estimates suggest the costs of direct extortion will be in the billions this year alone, and collateral damage to the economy is undoubtedly one or two orders of magnitude more.
But in the end, this cyber pandemic is not a result of a ransomware problem. Instead, it’s because society has a Bitcoin problem.
Back in the late 2000s, the world faced a different enterprise of Russian criminal actors: spammers hawking Viagra and other pharmaceuticals. Like today’s ransomware, multiple gangs operated with an affiliate model, where the gangs provided the infrastructure and the affiliates compromised the targeted machines through spamming efforts. Then, as now, Russian authorities generally didn’t intervene as long as the spammers didn’t disrupt Russian computers or bring law enforcement into their internal squabbles. These late-2000s gangs grossed roughly $100 million a year, while causing consequential damages easily an order of magnitude higher.
At the time, it looked almost impossible for foreign law enforcement to combat these operations. These criminals were clearly outside the reach of U.S. law and were sheltered by a Russian government that viewed cybercrime as a profit center as long as the impacts weren’t localized. But the research group I was then a member of showed Pfizer how to eliminate the Viagra spam problem.
Our study started with obtaining nearly a billion spam messages. We then built infrastructure to read these messages and automatically visit the advertised websites. Along the way we traced all this infrastructure. Then we completed the process by purchasing items such as fake watches and over-the-counter pharmaceuticals to discover the complete chain needed for a spammer to turn pharmaceutical spam into profit.
To sell these spamvertized pharmaceuticals, the attackers could create arbitrary websites and arbitrary domain names, making it impossible to say, “These are the bad spam sites. Remove them.” Although they drop-shipped products from international locations, they still needed to process credit card payments, and at the time almost all the gangs used just three banks. This revelation, which was highlighted in a New York Times story, resulted in the closure of the gangs’ bank accounts within days of the story. This was the beginning of the end for the spam Viagra industry. One of the major gang operators posted portions of our paper on a Russian cybercrime forum the next day, ending his rant with a…