facilitation of ransomware attacks, where users are prevented from using their systems until
a ransom is paid.
This paper looks at the challenges in following the money trail when investigating
ransomware attacks and how consistent, global regulation can go some way in helping law
enforcement agencies to identify those who use these currencies to facilitate ransomware
attacks and for other illicit purposes. The paper is structured as follows: Section 2 provides a
background on ransomware and looks at recent prominent ransomware attacks. Section 3
provides a literature review and current discourse on the topic of cryptocurrency regulation.
Section 4 explores the responses to Bitcoin regulation around the world, focussing on
regulatory approaches in Australia, Europe and the Americas. Section 5 looks at the
challenges posed by Bitcoin, and other cryptocurrencies, which make it extremely difficult
to ascertain the identity of offenders and to reduce the frequency of these types of attack.
Section 6 looks at how regulation may help with attribution and assist law enforcement
agencies to deal more effectively with crimes facilitated by Bitcoin. Finally, Section 7 concludes
Ransomware is a type of malware that prevents users from accessing their system by
locking the system’s screen, locking the users’ files or using cryptographic techniques to
encrypt affected systems. Victims are forced to pay a ransom to obtain the decryption key
and regain access to the files on their device or system. Ransomware can unwittingly be
downloaded onto a system by a user visiting a malicious or compromised website; it can be
delivered as an attachment on spam or in a phishing email; or it can arrive as a payload,
either dropped onto the system or downloaded by another malware.
Often reported to be the first ransomware attack, a ransomware variant called
TROJ_CRYZIP.A was detected in Russia between 2005 and 2006. TROJ_CRYZIP.A zipped
certain file types before overwriting the original files, leaving only the password-protected
zip files in the user’s system (Trend Micro, 2006). A text file was also created that acted as
the ransomware note informing the user that their files could be retrieved in exchange for
US$300. The first known case of ransomware attack, in fact, occurred nearly 30 years ago,
when, in 1989, the AIDS Trojan was initiated by AIDS researcher, Joseph Popp. Popp
distributed twenty thousand floppy disks to AIDS researchers in 90 countries (Mungo and
Glough, 1992) claiming that, by completing a questionnaire contained on the disk, a program
on the disk could analyse an individual’s risk of contracting AIDS. However, the disk
contained a malware program that sat dormant on the recipient’s computer until the
computer had been powered on 90 times. After this threshold was reached, a message was
displayed demanding payment of $189 and $378 for a software lease (Mungo and Glough,
1992). Forensic investigation of targeted computers showed that sections of the hard disk
were deliberately “scrambled” or encrypted (Wilding, 1990). This attack could be considered
an early form of digital social engineering or scareware, where social engineering is used
to cause anxiety or perception of threat to manipulate users into buying unwanted software.
Early ransomware developers wrote their own rudimentary, unsophisticated encryption
code, and typically encrypted .doc, .xls, .jpg, .zip and .pdf files, but today’s attackers
increasingly rely on off-the-shelf cryptography libraries that are much more sophisticated
and much more difficult to crack. These libraries, tools and applications can be easily
accessed and purchased from numerous dark marketplaces.
Since these early cases of ransomware attack, ransomware has become a prominent
threat to organisations and individuals. Ransomware was becoming such a prominent cyber
threat in 2015 that Trend Micro predicted that 2016 would be the “year of online extortion”