Cryptocurrencies: Funding Crime One Ransomware Attack at a Time

March 4, 2018

Ransomware is aptly named, albeit possibly lacking in creativity. It is a method for cybercriminals to hold their victims’ data for ransom using software. The victim’s data is not stolen, it is simply encrypted so the victim can no longer access it until they have provided payment and received the decryption key.
Ransomware is typically spread purposefully, but unknowingly, by a user on the victim’s network. This often comes in the form of an email or website that requires an action by the user. The user clicks on a link or opens an attachment that launches an executable file, which unleashes the ransomware program onto the network and encrypts every file it can access. The human element of a ransomware attack presents a challenge for cyber-defenders, as a network can only be as safe as its least discriminating clicker.
The effect of a ransomware attack depends on who the victim is. While small companies and large companies are both targeted by ransomware attacks, they are impacted differently. Small companies can lack the resources, both financial and staff, to pay the ransom or to recover from the downtime that an attack can require. A $40,000 ransom can leave a mom-and-pop shop no option but to shut its doors rather than attempt to fight. On the other end of the spectrum, large companies can face penalties for falling victim to such a data breach, in addition to the ransom that is demanded.
One of the reasons ransomware is so hard to combat is that the payment of the ransom is all but untraceable. Most attackers request payment via a cryptocurrency, which allows for easy payment that is encrypted, providing a digital shield behind which the attackers can access the money. The SEC does not currently regulate cryptocurrencies, which contributes to the wild-west nature of the sector and the lack of protection for its users.
Cryptocurrencies utilize blockchain technology to conduct secure transactions over the internet. The tokens, or coins, that are transferred to the party demanding a ransom have their own intrinsic value in the marketplace, as well as a value when exchanged for U.S. dollars.

“Forensic investigators can track the cryptocurrency transaction to the specific electronic wallet of the cybercriminal. However, access to the electronic wallet itself is encrypted, and the identification of the party withdrawing from that wallet is unknown.”

As ransomware and cryptocurrencies evolve, so, too, does the preferred method of payment for cybercriminals. Initially, Bitcoin was the cryptocurrency of choice, as it was the most well-known among the technologically inclined and received relatively little attention from the public. However, as Bitcoin has become more mainstream, several challenges have presented themselves for cybercriminals. Chief among them is the rise of cybercriminals stealing from cybercriminals. In these cases, cybercriminals change the addresses of the Bitcoin accounts used for ransomware payments, rerouting the payments made by ransomware victims. Unfortunately, the ultimate losers are the victims, who pay the ransom but do not receive the decryption key because the original cybercriminals never receive the intercepted ransom payment.
Cybercriminals seem to be moving away from Bitcoin as the cost of trading the cryptocurrency increases, as do the complexity and time required to establish a Bitcoin account to pay the ransom. The fact that Bitcoin is now legally traded in high volumes means that the value of the currency is also subject to rapid fluctuation, affecting the amount of money that cybercriminals collect. Other cryptocurrencies are becoming more widely used, including Ethereum and Monero, and most recently even Bitcoin Cash (although that particular cryptocurrency has other drawbacks).
Since payments to ransomware cybercriminals remain encrypted through cryptocurrencies, the best way to combat attacks is through prevention. Once an attack has taken place, law enforcement at both the local and federal level will likely be reluctant to get involved due to the anonymity of the transactions. It is often advised not to pay the ransom, as there is no guarantee that the criminal will keep their word and send the decryption key. However, as small and large companies alike face dire consequences, and the law is limited in the help it can provide, that is a tough decision to make.