The problem with pretend money.
Hello, and welcome to the first post of 2025! I hope you had the chance to wind down and mentally prepare for what's next. Let's kick things off in style, and talk about cryptocurrencies.
Right off the bat: ransomware only exists because cryptocurrencies are available and (mostly) freely traded. You get rid of cryptocurrencies, you get rid of ransomware. It's really that simple.
The cryptocurrency ecosystem is extremely convoluted, mainly because the participants have to deal with problems that pretty much every financial system based on "fiat currency" has solved by now. And they do it from first principles, which makes it extra funny.
And we're not even talking about the regular losses from rug pulls, scams, and fraud. Nor are we talking about the indirect costs of maintaining the cryptocurrency infrastructure. In other words, even when we remove ransomware from the equation, it's still a bad deal overall. And, if you take the US financial regulators' word for it, cryptocurrencies are bad news for the "legacy" financial system, too.
It's really hard to measure the impact of ransomware. The overwhelming majority of cases worldwide go unreported, and the ones that are reported might be downplaying the actual cost. But the little information we do have about it indicates that at least some 60% of the financially motivated cybersecurity attacks are indeed ransomware. And that makes total sense.
If your cybercriminal outfit is engaged in industrial espionage, sabotage, extortion, selling data, or selling time on a botnet, you're limiting your targets. You have way more targets if you don't care about what they do. With ransomware, your target doesn't have to be critical infrastructure. Your target doesn't need to have interesting data you can sell. Your target doesn't have to be anything other than capable of sending you some bitcoins. The world is your oyster.
Ransomware is only a thing because it is profitable. And it is profitable because it is easy to get paid for doing it. And it is easy to get paid because of cryptocurrencies. You simply cannot do the same thing through a bank. You can't just wire some money to a ransomware gang in North Korea or Russia. Unless you convince (i.e. pay) a whole lot of people to look the other way, and that would be costly, thus defeating the purpose. The "legacy" financial systems have had the exact same issues with fraud, money laundering, and other financial crimes, and those are mostly solved. Or, at the very least, these issues are managed. In the cryptocurrency world, these traditional safeguards are easily bypassed.
So, we have a parallel financial system that is rife with fraud, scams, speculation, and one that also makes it really easy for ransomware gangs to get paid. This parallel financial system also doesn't really deliver on its own promises.
What can one do to avoid the fate of so many companies? Well, this type of cybercrime only works if you're not really thinking about it. It's been said (by me) that being a victim of ransomware is a business choice at this point. There are known remedies that work, but, sometimes, the cost of deploying these remedies, as well as a sane cybersecurity program, is more than the cost of being hit by ransomware in the first place. If it takes 5 million US dollars a year to maintain a good cybersecurity program, and the cost of dealing with ransomware is $4,999,999.99, the choice is obvious. From the victim's point of view, that is.
However, it is important to note that this math only works when you don't factor in the negative externalities—which, ideology aside, are the cornerstone of a capitalist system—of such attacks. When a hospital is hit by ransomware, and someone dies as a direct consequence of the operational disruptions, there's a cost that usually doesn't go into this calculation for obvious reasons. In other words, there's some OPEX for dealing with ransomware, but there are societal costs, too. And businesses prefer to ignore those unless told otherwise by governments.
The smart cybersecurity professional would rather avoid the hassle, and just not deal with the immediate and future consequences of ransomware. Luckily, the proverbial ounce of prevention goes by the name of governance. You can probably name a whole lot of cybersecurity issues that are adequately prevented or at least minimized by good, old-fashioned governance. No AI required.
Knowing what's critical, where the weak spots are, and maintaining some basic cybersecurity hygiene go a long way. Protect your data with—you guessed it!—cryptography. Pay attention to who has access to it. Use multi-factor authentication. Have reliable backups. Look for abnormal behavior in your systems. Do not blindly trust endpoints. Patch your stuff. Do this, and you'll avoid many headaches.
Where does that leave us, though? Well, until paralyzing businesses and other organizations and extorting them for bitcoins is rendered unprofitable, we'll have to live with ransomware. The simple fix is not easy, and the more complex fix is not cheap, so you might as well do your homework and avoid the problem altogether.