
Will ransomware gangs see flow of cash throttled by Russia cryptocurrency restrictions?

[Photo: A technician inspects the backside of a cryptocurrency mining farm in Saint Hyacinthe, Quebec. (LARS HAGBERG/AFP via Getty Images)]

Russia's central bank, the Bank of Russia, this week issued sweeping recommendations to restrict the country's domestic cryptocurrency ecosystem. With a substantial portion of the cybercriminal economy operating out of Russia and using cryptocurrency to move funds, an unintended side effect of such restrictions, if enacted, may be to remove some of the comfort ransomware gangs have found in the region.

Until last week, when Russian security services arrested members of the REvil group, cybercriminals had spent years viewing Russia as a place where they could victimize foreign targets without punishment. That comfort extended to many of the cryptocurrency exchanges preferred by the money launderers those groups employ, who wanted to keep funds close to home.

One key recommendation of the Bank of Russia's consultation paper is to ban domestic exchanges, which the Bank presents as one means of promoting financial stability, national security and consumer protection.

"The larger ransomware groups (and other cybercriminals operating in Russia) prefer to use local exchanges. Even if the exchanges are headquartered overseas, as long as they have an office in Russia, cybercriminal groups will use them," said Allan Liska, a ransomware expert at Recorded Future. "If they can't use local exchanges, and they have to use international exchanges, does that increase the risk of having their money taken?"

Being forced onto foreign exchanges creates several problems for criminals using them as a nexus for ill-gotten gains. Local exchanges have often been viewed as lax in applying anti-money laundering rules to cybercriminals, which led to U.S. sanctions against one Russian exchange last year. Exchanges under Russian jurisdiction were subject to Russian judicial oversight for evidence requests and seizures, a system Russian groups have historically put a lot of faith in. And, Liska notes, pliant local exchanges could hand cash directly to criminals rather than requiring a cash-out through the global financial system and its stricter oversight. It may be harder to obtain and traffic a box of euros from a foreign country.

The Bank of Russia's paper is not primarily directed at cybercrime. Instead, it takes a sober look at the potential dangers of cryptocurrency to an emerging nation's economy and energy security. The Bank makes three major recommendations: banning domestic mining, shutting down domestic cryptocurrency exchanges and adding penalties to existing laws that bar the use of cryptocurrency for direct purchases. It would not prevent Russians from buying or holding cryptocurrency through foreign exchanges.

By taking these steps, the Bank hopes to maintain control over a fragile emerging economy that is more susceptible to fluctuations than many Western economies. The Bank fears that widespread investment in cryptocurrency would substantially shrink the national money supply, reducing local investment, and that the market's volatility could wipe out local wealth entirely. It also notes that Bitcoin mining presents a risk to energy security, potentially demanding more electricity than the country is able to generate.

But the impact on cybercrime could also be very real. Tom Kellermann, head of cybersecurity strategy for VMware, who serves on the U.S. Secret Service's Cyber Investigations Advisory Board, noted that other ways of getting illicit payments into criminal hands could see a resurgence in popularity, including WebMoney, the Russian internet payments system. Still, he is optimistic about the potential effects.

"This will disrupt some money laundering associated with cybercrime in Russia," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor's short-lived Passcode website.
