The Impact of Cryptocurrency on Cybersecurity

References

• Adam S (2024) Unpatched vulnerabilities: The most brutal ransomware attack vector. Sophos News (April 3), https://news.sophos.com/en-us/2024/04/03/unpatched-vulnerabilities-the-most-brutal-ransomware-attack-vector/.Google Scholar
• Ahnert T, Brolley M, Cimon D, Riordan R (2022) Cyber security and ransomware in financial markets. Accessed July 2022, https://doi.org/10.34989/swp-2022-32.Google Scholar
• Arctic Wolf Labs (2022) A Log4Shell (Log4j) retrospective. Accessed December 19, 2024, https://arcticwolf.com/resources/blog/log4j-retrospective/.Google Scholar
• August T, Tunca TI (2006) Network software security and user incentives. Management Sci. 52(11):1703–1720.Link, Google Scholar
• August T, Tunca TI (2011) Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Sci. 57(5):934–959.Link, Google Scholar
• August T, Dao D, Kim K (2019) Market segmentation and software security: Pricing patching rights. Management Sci. 65(10):4451–4949.Google Scholar
• August T, Dao D, Niculescu MF (2022) Economics of ransomware: Risk interdependence and large-scale attacks. Management Sci. 68(12):8979–9002.Link, Google Scholar
• Badea L, Mungiu-Pupazan MC (2021) The economic and environmental impact of Bitcoin. IEEE Access 9:48091–48104.Crossref, Google Scholar
• Balasubramanian A (2021) Insurance against ransomware. Preprint, submitted May 18, https://dx.doi.org/10.2139/ssrn.3846111.Google Scholar
• Bariviera AF, Merediz-Solà I (2021) Where do we stand in cryptocurrencies economic research? A survey based on hybrid analysis. J. Econom. Surveys 35(2):377–407.Crossref, Google Scholar
• Black DB (2022) Cryptocurrency fuels growth of crime. Accessed December 19, 2024, https://www.forbes.com/sites/davidblack/2022/03/11/cryptocurrency-fuels-explosive-growth-of-crime/.Google Scholar
• Black Duck (2024) Open source security and risk analysis report. Accessed December 19, 2024, https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html.Google Scholar
• Blosil J (2022) Measuring the true cost of a ransomware attack. NetApp (October 22), https://www.netapp.com/blog/ransomware-cost/.Google Scholar
• Böhme R, Schwartz G (2010) Modeling cyber-insurance: Towards a unifying framework. Proc. Workshop Econom. Inform. Security (Harvard University, Cambridge, MA).Google Scholar
• Brumfield C (2021) Four states propose laws to ban ransomware payments. CSO (June 28), https://www.csoonline.com/article/570895/four-states-propose-laws-to-ban-ransomware-payments.html.Google Scholar
• Cartwright A, Cartwright E (2019) Ransomware and reputation. Games 10(2):26.Crossref, Google Scholar
• Cartwright A, Cartwright E (2023) The economics of ransomware attacks on integrated supply chain networks. Digital Threats 4(4):1–14.Crossref, Google Scholar
• Cartwright E, Hernandez Castro J, Cartwright A (2019) To pay or not: Game theoretic models of ransomware. J. Cybersecurity 5(1):1–12.Crossref, Google Scholar
• Cavusoglu H, Cavusoglu H, Raghunathan S (2007) Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans. Software Engrg. 33(3):171–185.Crossref, Google Scholar
• Chainalysis (2024) Ransomware payments exceed $1 billion in 2023, hitting record high after 2022 decline. Accessed December 19, 2024, https://www.chainalysis.com/blog/ransomware-2024/.Google Scholar
• Choi JP, Fershtman C, Gandal N (2010) Network security: Vulnerabilities and disclosure policy. J. Industrial Econom. 58(4):868–894.Crossref, Google Scholar
• Cisa (2022) Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Accessed December 19, 2024, https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia.Google Scholar
• CNN (2021) FBI tells Congress ransomware payments shouldn’t be banned. Accessed December 19, 2024, https://www.cnn.com/2021/07/27/politics/senate-judiciary-ransomware-hearing/index.html.Google Scholar
• Crowdstrike (2022) History of ransomware. Accessed December 19, 2024, https://www.crowdstrike.com/cybersecurity-101/ransomware/history-of-ransomware/.Google Scholar
• Dey D, Lahiri A (2021) Should we outlaw ransomware payments? Proc. 54th Hawaii Internat. Conf. System Sci. 6609–6617.Google Scholar
• Dey D, Lahiri A, Zhang G (2015) Optimal policies for security patch management. J. Comput. 27(3):462–477.Abstract, Google Scholar
• DuBois EB, Peper A, Albert LA (2023) Interdicting attack plans with boundedly-rational players and multiple attackers: An adversarial risk analysis approach. Preprint, submitted February 3, https://arxiv.org/abs/2302.01975.Google Scholar
• Fang R, Xu M, Zhao P (2022) Determination of ransomware payment based on Bayesian game models. Computers Security 116(May):102685.Crossref, Google Scholar
• FinCEN (2022) Financial trend analysis: Ransomware trends in Bank Secrecy Act data between July 2021 and December 2021. US Treasury. Accessed December 19, 2024, https://www.fincen.gov/sites/default/files/2022-11/Financial\%20Trend\%20Analysis_Ransomware\%20FTA\%202_508\%20FINAL.pdf.Google Scholar
• Foley S, Karlsen JR, Putnins TJ (2019) Sex, drugs, and bitcoin: How much illegal activity is financed through cryptocurrencies? Rev. Financial Stud. 32 (5):1798–1853.Crossref, Google Scholar
• Gal-Or E, Ghose A (2005) The economic incentives for sharing security information. Inform. Systems Res. 16(2):186–208.Link, Google Scholar
• Galinkin E (2021) Winning the ransomware lottery: A game-theoretic approach to preventing ransomware attacks. Bošanský B, Gonzalez C, Rass S, Sinha A, eds. Proc. 12th Internat. Conf. Decision Game Theory Security (Springer, Cham, Switzerland), 195–207.Google Scholar
• Garcia E, Moll AV, Casbeer DW, Pachter M (2019) Strategies for defending a coastline against multiple attackers. Proc. IEEE 58th Conf. Decision Control (IEEE, Piscataway, NJ), 7319–7324.Crossref, Google Scholar
• Gates D (2018) Boeing hit by WannaCry virus, but says attack caused little damage. Seattle Times (March 28), https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/.Google Scholar
• Gatlan S (2023) IceFire ransomware now encrypts both Linux and Windows systems. BleepingComputer (March 9), https://www.bleepingcomputer.com/news/security/icefire-ransomware-now-encrypts-both-linux-and-windows-systems/.Google Scholar
• Geller E (2021) Global ‘whack-a-mole’: Why it’s so hard for the U.S. to go after hackers’ digital wallets. Politico (August 14), https://www.politico.com/news/2021/08/14/crypto-hackers-ransomware-fight-504460.Google Scholar
• GitHub (2024) Octoverse: The state of open source and rise of AI in 2023. Accessed December 19, 2024, https://github.blog/news-insights/research/the-state-of-open-source-and-ai/.Google Scholar
• Gkritsi E (2021) Biden administration sanctions crypto exchange chatex over ransomware allegations. Coindesk (November 9), https://www.coindesk.com/policy/2021/11/09/biden-administration-sanctions-crypto-exchange-chatex-over-ransomware-allegations/.Google Scholar
• Halaburda H, Haeringer G, Gans JS, Gandal N (2020) The microeconomics of cryptocurrencies. NBER Working Paper No. 27477, National Bureau of Economic Research, Cambridge, MA.Google Scholar
• Hausken K, Bier VM (2011) Defending against multiple different attackers. Eur. J. Oper. Res. 211(2):370–384.Crossref, Google Scholar
• Hernandez-Castro J, Cartwright A, Cartwright E (2020) An economic analysis of ransomware and its welfare consequences. R Soc. Open Sci. 7(3):190023.Crossref, Google Scholar
• House B (2021) U.S. plans to counter ransomware attacks through crypto tracing. Bloomberg (July 14), https://www.bloomberg.com/news/articles/2021-07-15/u-s-plans-to-counter-ransomware-attacks-through-crypto-tracing.Google Scholar
• IBM (2023) IBM report: Ransomware persisted despite improved detection in 2022. Accessed December 19, 2024, https://newsroom.ibm.com/2023-02-22-IBM-Report-Ransomware-Persisted-Despite-Improved-Detection-in-2022.Google Scholar
• IBM Security (2022) Cost of a data breach report 2022. Accessed December 19, 2024, https://www.ibm.com/downloads/cas/3R8N1DZJ.Google Scholar
• Ikeda S (2022) Patchwork of US state regulations becomes more complex as Florida, North Carolina ban ransomware payments. CPO Magazine (August 19), https://www.cpomagazine.com/cyber-security/patchwork-of-us-state-regulations-becomes-more-complex-as-florida-north-carolina-ban-ransomware-payments/.Google Scholar
• INTERPOL (2022) INTERPOL cybercrime capacity building project in the Americas, phase II. Accessed December 19, 2024, https://www.interpol.int/News-and-Events/News/2022/INTERPOL-Working-Group-highlights-cyber-threats-across-the-Americas.Google Scholar
• Intersoft Consulting (2023) Art. 33 GDPR: Notification of a personal data breach to the supervisory authority. Accessed December 19, 2024, https://gdpr-info.eu/art-33-gdpr/.Google Scholar
• Ioannidis C, Pym D, Williams J (2012) Information security trade-offs and optimal patching policies. Eur. J. Oper. Res. 216(2):434–444.Crossref, Google Scholar
• Jeffery L, Ramachandran V (2021) Why ransomware attacks are on the rise—And what can be done to stop them. PBS News Hour, Nation (July 8), https://www.pbs.org/newshour/nation/why-ransomware-attacks-are-on-the-rise-and-what-can-be-done-to-stop-them.Google Scholar
• Kapko M (2022) US government rejects ransom payment ban to spur disclosure. Cybersecurity Dive (September 19), https://www.cybersecuritydive.com/news/government-ransomware-guidance/632136/.Google Scholar
• Kaseya (2020) The 2019 Kaseya state of IT operations report for small and midsized businesses. Accessed December 18, 2024, https://www.kaseya.com/wp-content/uploads/dlm_uploads/2020/05/Kaseya-Whitepaper-2019-IT-Operations-Survey-Report.pdf.Google Scholar
• Lakshmanan R (2021) Wormable DarkRadiation ransomware targets Linux and Docker instances. The Hacker News (June 22), https://thehackernews.com/2021/06/wormable-darkradiation-ransomware.html.Google Scholar
• Laszka A, Farhang S, Grossklags J (2017) On the economics of ransomware. Proc. 8th Internat. Conf. Decision Game Theory Security (Springer, New York), 397–417.Crossref, Google Scholar
• Lemire KA (2022) Cryptocurrency and anti-money laundering enforcement. Reuters (September 26), https://www.reuters.com/legal/transactional/cryptocurrency-anti-money-laundering-enforcement-2022-09-26/.Google Scholar
• Levy A (2024) 8 benefits of cryptocurrency & Why you should use it. The Motley Fool (September 11), https://www.fool.com/investing/stock-market/market-sectors/financials/cryptocurrency-stocks/benefits-of-cryptocurrency/.Google Scholar
• Lewin JL, Trumbull WN (1990) The social value of crime? Internat. Rev. Law Econom. 10(3):271–284.Crossref, Google Scholar
• Li Z, Liao Q (2020) Ransomware 2.0: To sell, or not to sell: A game-theoretical model of data-selling ransomware. Proc. 15th Internat. Conf. Availability Reliability Security, 1–9.Google Scholar
• Li X, Whinston A (2020) The economics of cyber crime. Preprint, submitted June 11, https://dx.doi.org/10.2139/ssrn.3603694.Google Scholar
• Lowe MS, Ostroff EG, Rogers SF (2023) Bank Secrecy Act’s crypto expansion is on the horizon. Law360 (February 7), https://www.law360.com/articles/1573438.Google Scholar
• Maudrill B (2024) Sonatype reports 156% increase in OSS malicious packages. Infosecurity Magazine (October 11), https://www.infosecurity-magazine.com/news/156-increase-in-oss-malicious/.Google Scholar
• Mitra S, Ransbotham S (2015) Information disclosure and the diffusion of information security attacks. Inform. Systems Res. 26(3):565–584.Link, Google Scholar
• Moody’s (2022) What does the proposed EU markets in Crypto-Assets Act (MiCA) mean for the industry? Accessed December 19, 2024, https://kyc.moodys.io/content-highlights-section/what-does-proposed-eu-markets-crypto-assets-act-mica-mean-industry.Google Scholar
• Morgan Lewis (2024) Preparing for DORA: ESAs publish incident reporting requirements. Accessed December 19, 2024, https://www.morganlewis.com/blogs/sourcingatmorganlewis/2024/08/preparing-for-dora-esas-publish-incident-reporting-requirements.Google Scholar
• Murphy-Kelly S (2021) The bizarre story of the inventor of ransomware. CNN (May 16), https://www.cnn.com/2021/05/16/tech/ransomware-joseph-popp/index.html.Google Scholar
• National Conference of State Legislatures (2022) Summary: 2022 security breach legislation. Accessed December 19, 2024, https://www.ncsl.org/technologyand-communication/2022-security-breach-legislation.Google Scholar
• National Cybersecurity Alliance (2022) Cybersecurity collaboration as a national imperative. Accessed December 19, 2024, https://www.staysafeonline.org/articles/cybersecurity-collaboration-as-a-national-imperative.Google Scholar
• NSA (2024) NSA Cybersecurity Collaboration Center. Accessed December 19, 2024, https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/.Google Scholar
• Polaris Market Research (2024) Patch management market. Accessed December 18, 2024, https://www.polarismarketresearch.com/industry-analysis/patch-management-market.Google Scholar
• Red Hat (2021) The State of Enterprise Open Source (Red Hat, Raleigh, NC).Google Scholar
• Ryan P, Fokker J, Healy S, Amann A (2022) Dynamics of targeted ransomware negotiation. IEEE Access 10:32836–32844.Crossref, Google Scholar
• Schryen G, Rich E (2010) Increasing software security through open source or closed source development? Empirics suggest that we have asked the wrong question. Proc. 43rd Hawaii Internat. Conf. System Sci. (IEEE, Piscataway, NJ), 1–10.Crossref, Google Scholar
• Segal E (2021) Banning ransomware payments could create new crisis situations. Forbes (June 8), https://www.forbes.com/sites/edwardsegal/2021/06/08/banning-ransomware-payments-could-create-new-crisis-situations/.Google Scholar
• Selten R (1988) Models of strategic rationality. A Simple Game Model of Kidnapping (Theory and Decision Library C. Springer, Dordrecht, Netherlands), 77–93.Crossref, Google Scholar
• Spring T (2021) Linux variant of REvil ransomware targets VMware’s ESXi, NAS devices. ThreatPost (July 1), https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/.Google Scholar
• Statista (2024) Number of supply chain attacks on open source software (OSS) from 2019 to 2023. Accessed December 19, 2024, https://www.statista.com/statistics/1268934/worldwide-open-source-supply-chain-attacks/.Google Scholar
• Swire PP (2005) A theory of disclosure for security and competitive reasons: Open source, proprietary software, and government systems. House Law Rev. 42:1333.Google Scholar
• Thompson Reuters (2022) Cryptocurrency regulations by country. Accessed December 19, 2024, https://www.thomsonreuters.com/en-us/posts/wp-content/uploads/sites/20/2022/04/Cryptos-Report-Compendium-2022.pdf.Google Scholar
• Tung L (2022) Ransomware: Hackers are using Log4j flaw as part of their attacks, warns Microsoft. ZDNET (January 11), https://www.zdnet.com/article/ransomware-warning-hackers-are-using-log4j-flaw-as-part-of-their-attacks-warns-microsoft/.Google Scholar
• Uberti D (2021) White House ransomware summit eyes tighter global scrutiny for crypto. Wall Street Journal (October 14), https://www.wsj.com/articles/white-house-ransomware-summit-eyes-tighter-global-scrutiny-for-crypto-11634227377.Google Scholar
• United Kingdom (2016) National cyber security strategy 2016–2021. Accessed December 19, 2024, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf.Google Scholar
• U.S. Congress (2024) H.R.7965 - Ransomware and Financial Stability Act of 2024. Accessed December 19, 2024, https://www.congress.gov/bill/118th-congress/house-bill/7965/all-info.Google Scholar
• U.S. Department of State (2025) Rewards for justice. Accessed February 13, 2025, https://www.state.gov/rewards-for-justice/.Google Scholar
• U.S. Department of Treasury (2022) Treasury sanctions Russia-based Hydra, world’s largest darknet market, and ransomware-enabling virtual currency exchange Garantex. Accessed December 19, 2024, https://home.treasury.gov/news/press-releases/jy0701.Google Scholar
• U.S. Department of Treasury (2023) U.S. treasury announces largest settlements in history with world’s largest virtual currency exchange Binance for violations of U.S. anti-money laundering and sanctions laws. Accessed December 19, 2024, https://home.treasury.gov/news/press-releases/jy1925.Google Scholar
• U.S. DOJ (2021a) Department of Justice Seizes $2.3 million in cryptocurrency paid to the ransomware extortionists darkside. Accessed December 19, 2024, https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside.Google Scholar
• U.S. DOJ (2021b) Deputy attorney general Lisa O. Monaco announces National Cryptocurrency Enforcement Team. Accessed December 19, 2024, https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-national-cryptocurrency-enforcement-team.Google Scholar
• Vakilinia I, Khalili MM, Li M (2021) A mechanism design approach to solve ransomware dilemmas. Proc. 12th Internat. Conf. Decision Game Theory Security (Springer, New York), 181–194.Crossref, Google Scholar
• Vanian J (2021) Everything to know about REvil, the group behind a big ransomware spree. Fortune (July 7), https://fortune.com/2021/07/07/what-is-revil-ransomware-attack-kaseya/.Google Scholar
• Vijayan J (2023) Majority of ransomware attacks last year exploited old bugs. Dark Reading (February 20), https://www.darkreading.com/cyberattacks-data-breaches/dozens-of-vulns-in-ransomware-attacks-offer-adversaries-full-kill-chain/.Google Scholar
• Wheeler T, Martin C (2021) Should ransomware payments be banned? Brookings (July 26), https://www.brookings.edu/techstream/should-ransomware-payments-be-banned/.Google Scholar
• White House (2021) Executive order on improving the nation’s cybersecurity. Accessed February 13, 2025, https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.Google Scholar
• White House (2023) National cybersecurity strategy. Accessed February 13, 2025, https://bidenwhitehouse.archives.gov/oncd/national-cybersecurity-strategy/.Google Scholar
• Winder D (2021) New ransomware threat jumps from Windows to Linux: What you need to know. Forbes (November 8), https://www.forbes.com/sites/daveywinder/2020/11/08/new-ransomware-threat-jumps-from-windows-to-linux-what-you-need-to-know/?sh=39d9d4893265.Google Scholar
• Witten B, Landwehr C, Caloyannides M (2001) Does open source improve system security? IEEE Software 18(1):57–61.Crossref, Google Scholar
• Xu Z, Zhuang J (2019) A study on a sequential one-defender-n-attacker game. Risk Anal. 39(6):1414–1432.Crossref, Google Scholar
• Yin T, Sarabi A, Liu M (2023) Deterrence, backup, or insurance: Game-theoretic modeling of ransomware. Games 14(2):20.Crossref, Google Scholar
• Yue Y, Li X, Zhang D, Wang S (2021) How cryptocurrency affects economy? A network analysis using bibliometric methods. Internat. Rev. Financial Anal. (Oxford) 77:101819.Google Scholar
• Zahravi A (2021) Bash ransomware DarkRadiation targets Red Hat- and Debian-based Linux distributions. Trend Micro (June 17), https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html.Google Scholar
• Zhao Y, Ge Y, Zhu Q (2021) Combating ransomware in internet of things: A games-in-games approach for cross-layer cyber defense and security investment. Proc. 12th Internat. Conf. Decision Game Theory Security (Springer, New York), 208–228.Crossref, Google Scholar
• Zhao X, Xue L, Whinston AB (2013) Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. J. Management Inform. Systems 30(1):123–152.Crossref, Google Scholar