How Crypto Has Revolutionized the Ransomware Game
Merkle Science
|
Why are we talking about ransomware attacks?
Ransomware brings the ransom into the digital age. As the “ware” suffix implies, it is a type of malware, one that extorts a ransom from the affected user. It is important for stakeholders in the cryptocurrency community to discuss ransomware for three key reasons.
- The use of cryptocurrency - Ransomware injects cryptocurrency into the value-exchange process to minimize the associated risks. Instead of asking for the ransom in fiat, criminals are almost exclusively demanding payment in digital assets like cryptocurrency.
According to the Countering Ransomware Financing report from the Financial Action Task Force (FATF), criminals prefer cryptocurrency because it is less traceable, easier to transfer cross-border, and not subject to anti-money laundering (AML) efforts like fiat is when passing through financial institutions. Bitcoin is commonly requested - one study found that 98% of all ransomware requests were for Bitcoin, owing to the coin’s efficiency and anonymity. Other digital currencies that attackers occasionally turned to were Monero and Zcash for similar reasons. Per the FATF, hackers have also been known to use mixers, peel chains, and privacy coins to facilitate the laundering of successful ransoms. - Ransomware is costly - Ransomware is big business. As of 2021, the average ransom payout for enterprises was US$812,000. Because ransomware disrupts normal business operations, the lost money is not only from any ransomware payouts but in the productivity, an organization forfeits. One estimate placed the global financial damage from WannaCry - a ransomware attack in 2017 spread through Microsoft’s Windows - at an astounding US$4 billion. Ransomware is devastating to enterprises across both direct and indirect costs.
According to the FATF, the financial impact of ransomware is exacerbated by a variety of factors, such as these crimes going unreported by enterprise victims, the lack of technical sophistication among authorities to investigate crimes, and the fact that critical industries are commonly targeted.
- Ransomware may result in data loss - A common variation of ransomware is leakware, wherein attackers claim they will release data if a ransom is not paid. Leakware is not usually empty threats. In March 2023, the hacker group Play followed through on threats to leak sensitive data, posting information about City of Oakland employees online. This included everything from employee names and addresses to their driver’s licenses and social security numbers. Affected employees have been advised to watch their profiles closely and look out for possible instances of identity theft.
As noted by the FATF, data loss may be accelerated by the growing sophistication of ransomware attacks, including the rise of ransomware-as-a-service as well as triple and quadruple extortion.
Because ransomware is cryptocurrency-driven, costly to businesses, and damaging to sensitive data, industry stakeholders must be familiar with its intricacies. Only through mastering this modus operandi can we begin to thwart these attackers.
Why ransomware in an analog world is difficult
Let’s examine why ransomware is so effective. We are usually introduced to the idea of ransom by the movies. When the bad guys kidnap or hold someone hostage, they naturally then demand a ransom. This is often accomplished via a letter, or in more daring cases, a phone call to the authorities. These good guys then prepare the ransom, often represented as cash in black suitcases, so they can take it to the stated exchange site.
This is where most plans involving ransom fail, in both fiction and in real life. Because the ransom will have to be physically retrieved, the authorities can simply nab the bad guys. If it’s a direct exchange, the authorities can accept the hostage, then renege on any promises of impunity by arresting the bad guys, thus getting the ransom immediately back. If it’s a dead drop, where the good guys are tasked with leaving the ransom in a random location, they can simply monitor that site until the bad guys show. Despite what bad guys may initially think, demanding ransom is a tough business model.
How cryptocurrency has revolutionized the ransom game
Ransomware utilizing cryptocurrency has made it easier for criminals to operate with impunity and optimize their profits. Hackers often price ransoms based on a cost-benefit analysis, targeting industries such as healthcare and finance where disruptions can be costly. In 2021, the average ransom payment rose to US$812,000 from US$170,000 the previous year. Blanket ransomware attacks typically demand between US$200 and US$400, with the aim of making compliance more attractive than fighting the threat.
As with any threat, there is a deadline. Some ransomware will give a ballpark deadline, such as within 24 to 48 hours. Others will count down to the exact deadline via a timer. With some ransomware, the ransom demand will increase as more time passes - victims who pay sooner can thus effectively avail of a “discount” on the full value of the ransom.
Functionally, ransomware can take several forms. For example, ransomware is frequently paired with another type of attack, spear phishing, wherein attackers will send out emails targeted to a particular organization or person. The aim of this type of spear phishing is to get the target to open a file, which delivers a payload, the ransomware. While email-based ransomware may be common, there are many other infection methods. These include installing an infected program, clicking a malicious link on social media, succumbing to malvertising, getting redirected from a legitimate to a malicious site, and self-propagating the ransomware through USBs or other devices.
Because some of these attacks overlap in nature, many people in the industry use terms interchangeably.
Lockers These will lock a person’s device, making all software and files inaccessible unless the ransom is paid. Often this ransomware will keep the device locked to a screen with an official-looking message. The message may present a government seal and advise the user that the laptop has been locked on account of a minor crime, such as unlicensed software or illegal content. This ransomware may present the necessary ransom as a legitimate fine. |
Encryption This attack will also make a person’s software and files accessible but do so through more sophisticated means than just preventing access to the workstation. In this attack, the attacker will encrypt the person’s files using asymmetric encryption. The only way to decrypt the files is to pay the ransom, at which point the attacker is supposed to provide the private key corresponding to the public key. Unfortunately, some attackers have been known to withhold the key even with a paid ransom. |
Leakware These also threaten a person or organization with the release of sensitive personal or company data to certain parties or the general public. |
Scareware This scares people with a threat, but the payload will not actually be sophisticated enough to carry it out. |
Cryptocurrency, in short, is the lynchpin of ransomware. With digital currencies like Bitcoin, hackers can skip the need to meet up with victims, automate much of the ransom process, and move money across accounts and borders far more easily. Because ransomware is so effective, it remains a serious threat to enterprises. A single ransomware attack can render files inaccessible, disrupt business operations, and harm data security.
Crypto businesses must do their part to prevent ransomware attacks as well as halt the flow of ransom funds. Doing so ensures that they remain compliant, avoid sanctions and legal penalties, and protect their brand equity. To learn more on how to mitigate ransomware risk and stay compliant with AML/CFT regulations, read our next article in this series, Inspiring industry action: How the FATF believes we can counter ransomware, or reach out to us for a demo.