By David Uberti and James Rundle
The Biden administration is examining cryptocurrency's role in recent hacks that have disrupted important U.S. industries including healthcare, fuel and food, exploring new ways to track victims' payouts to foreign ransomware gangs.
White House officials this week said they are pushing to better trace ransomware payments, which hackers demand to unlock companies' data.
The move came after a cyberattack this weekend caused meat processor JBS SA to pause production at U.S. and Australian plants. That incident followed last month's hacks of Colonial Pipeline Co. and Scripps Health in San Diego, showing how such extortion schemes can snarl the U.S. economy and disrupt daily life.
The White House didn't respond to requests for details on its approach to tracking the transactions or whether additional regulation is in the works.
In a letter to business leaders Wednesday, Deputy National Security Adviser Anne Neuberger said U.S. officials are working with international partners on consistent policies for when to pay ransoms and how to trace them.
Hackers ask for ransoms in cryptocurrency because it is difficult to pursue across digital wallets and national borders. U.S. officials discourage companies from paying ransoms, but many do so when losing data would cripple their businesses. Paying hackers who are affiliated with sanctioned entities, however, risks penalties from the Treasury Department.
Some cybersecurity experts say the spate of attacks underscores the need for a more aggressive approach to monitoring crypto payments. In April, a task force of major tech companies and U.S. officials called for governments to enforce know-your-customer rules, similar to Treasury regulations, to improve transparency and accountability of bitcoin and other digital money.
"There are some responsibilities that come with being a responsible, mature currency in the world," said Michael Daniel, a former Obama administration official who is now chief executive of the Cyber Threat Alliance, a nonprofit intelligence-sharing group.
But hackers and the exchanges that process their payouts often operate overseas, limiting Washington's regulatory power. Improved oversight of cryptocurrency exchanges abroad, which some cyber experts say face lower regulatory standards, could require international cooperation or pressure.
Ransomware specialists, however, are skeptical that restrictions on bitcoin payments or tighter regulations will slow the growth in ransomware. Restrictions on individual digital currencies such as bitcoin mean criminals will just switch to another, less-regulated, currency, and any regulation strong enough to deter payments to criminals will take a long time to develop, said Lior Div, chief executive of cybersecurity firm Cybereason Inc., which develops software designed to combat ransomware.
Prominent U.S.-based cryptocurrency exchanges say they use strong controls to prevent money laundering and identify clients. Marco Santori, chief legal officer for Payward Inc.'s Kraken cryptocurrency exchange, said Kraken's controls are equal to those at major banks, and that large exchanges are in frequent communication with regulators.
"There's this meme out there that crypto is unregulated and crypto participants don't engage with the government. It just couldn't be further from the truth," he said.
Businesses including Colonial -- which paid $4.4 million in bitcoin to a gang known as DarkSide, believed to be in Eastern Europe -- often make such payments to avoid costly outages of their computer networks or the hard work of restoring systems from backup data.
A representative for JBS didn't respond to requests for comment. A spokeswoman for Scripps Health declined to comment.
Victims that pay ransoms typically engage third-party brokers such as Chicago-based DigitalMint to convert their cash to cryptocurrency. DigitalMint officials said they collect standard know-your-customer data on clients and check hackers' digital wallets for potential overlap with sanctioned entities in countries such as Russia, where many ransomware groups operate.
Payments made by DigitalMint tend to go directly to overseas markets. "A lot of what we see ends up at these big foreign exchanges," said Seth Sattler, DigitalMint's director of compliance.
Ransomware groups often spread cryptocurrency among many digital wallets to disguise themselves and to hide potential connections with sanctioned entities, Mr. Sattler said.
The Financial Crimes Enforcement Network, a part of the Treasury Department known as FinCEN, has proposed additional rules in December for many cryptocurrency transactions, requiring U.S.-based banks and money-service businesses to vet some customers and report transactions over $10,000.
Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, a think tank, said the FinCEN regulators should also require companies to report the exchanges they use. That information could help Treasury pinpoint which exchanges or affiliated entities to target with sanctions, he said.
"Virtually every exchange around the world is dealing in some form or fashion with U.S. currency," Mr. Alperovitch said. "The U.S. could absolutely pressure all of them through sanctions and the like to adopt the same policies."
A spokeswoman for the Treasury Department said it received over 7,000 comments on the proposed rule, and is working with the concerned parties to ensure the final regulation balances costs and benefits to the public and private sectors. The department is monitoring emerging risks in this area daily, the spokeswoman added.
Some ransomware victims and their cybersecurity consultants voluntarily report to law enforcement data about ransom payments, such as dates, wallet addresses and amounts, said Bill Siegel, chief executive of Coveware Inc., a firm that helps clients respond to incidents and negotiate with attackers.
"It's just a question of what they [law-enforcement officials] do with it," he said. "There's nothing from a regulatory perspective that I think would be effective in this, outside of creating a broad mandatory reporting requirement for victims of ransomware.
Write to David Uberti at firstname.lastname@example.org and James Rundle at email@example.com
(END) Dow Jones Newswires