The wild world of crypto ransomware payments

Hamilton Thomas
| 10/4/2021
The wild world of crypto ransomware payments

Protecting your organization from ransomware and the threat of crypto ransomware payments is challenging, but not impossible.

October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency. The theme for 2021 is “Do Your Part. #BeCyberSmart.” One of the cybersecurity areas that everyone can get smarter about is ransomware. In this first of two posts on ransomware this month, a Crowe professional discusses ransomware and crypto ransomware payments.

Ransomware is an increasingly common form of cybercrime, and every organization is vulnerable to attack. Add in crypto ransomware payments, and the situation becomes even more complex. However, organizations that take proactive measures and make the appropriate security investments can fare much better when a ransomware event occurs.

What is ransomware?

Ransomware is malware that encrypts computers, files, and even entire networks, rendering them temporarily unusable until victims pay ransoms for the return of data and files and access to their machines and networks. The malware is delivered through various methods, including websites, social media, instant messages, email attachments, and other forms of communication. Email phishing campaigns and websites are among the most common attack vectors for ransomware. In 2021, malicious emails have increased by 600% (partially due to COVID-19), and downtime after a ransomware attack has averaged 21 days.

Ransomware is sophisticated, and it can involve third parties. Some malware developers provide ransomware as a service (RaaS) for threat actors. In recent years, RaaS has emerged to provide almost anyone – even those without technical expertise – the ability to execute ransomware attack campaigns by simply signing up for the service.

Specific threat actors deploy ransomware, and it has been linked to cybercriminals, nation-states, hacktivists, and highly motivated individuals. The most common motivation for threat actors is financial gain. In 2021, the payout demand averaged $200,000.

The Federal Bureau of Investigation does not support paying ransom in the event of a ransomware attack. In June 2021, FBI Director Christopher Wray stated, “In general, we would discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back.” However, many affected businesses still pay, even knowing that payment does not guarantee that the threat actor will return stolen data or release locked systems.

Wray’s message rings true. In 2021, 80% of those who chose to pay out experienced a subsequent attack. Among victims who paid ransoms, 46% received only corrupt data back. Only 8% of victims who paid ransoms recovered all of their encrypted files.

Sign up to receive the latest cybersecurity insights on identifying threats, managing risk, and strengthening your organization’s security posture.

Crypto ransomware payments

Most often, threat actors demand ransomware payments in cryptocurrency because this form of payment provides anonymity for the destination address associated with the ransom demand. Unlike bank accounts, no personally identifiable information is required to obtain a crypto wallet. The identity of the crypto wallet address holder remains hidden unless deduced through other means.

Bitcoin is the cryptocurrency of choice for many threat actors, as it’s the most popular and accessible digital currency to date. It provides a degree of anonymity, and it’s reasonably easy to obtain, so requesting ransom in bitcoin makes it easier for victims to comply with crypto ransomware payment demands. Threat actors want to remain unidentified, and obtaining a bitcoin wallet address requires no personally identifiable information. They use bitcoin wallets to receive and send crypto ransomware payments quickly while keeping their identities hidden.

Monero is arguably the most well-known cryptocurrency that threat actors generally use because it provides privacy and it’s untraceable. However, because Monero isn’t as widely available or as easy as bitcoin for victims to buy, threat actors continue to use bitcoin as their crypto ransomware payment of choice.

Ransomware demands typically give victims a very short amount of time to come up with the crypto ransomware payments, so ransomware victims have to purchase bitcoin from an exchange. However, if victims don’t already have an account with an exchange such as Coinbase, it might be impossible to obtain the required funds (via legitimate or convenient means) in time because of the lengthy identity verification process those exchanges require.

Bitcoin is highly transparent by design. Every transaction and wallet address fund amount is openly viewable. This transparency allows investigating organizations such as law enforcement to follow the money by tracing the final destinations of funds once victims have made crypto ransomware payments.

Because it is possible to trace transactions, it might seem counterintuitive, then, that threat actors are attracted to bitcoin. Enter cryptocurrency tumbling services. Although bitcoin has a publicly viewable ledger where all transaction records are stored, tumbling services promise anonymity by mixing – or, in essence, cleaning – bitcoin for their users. These services mix potentially identifiable or tainted funds in a pool of other funds. This process makes it difficult to trace the funds back to the original source, as the funds are mixed in random amounts for random amounts of time.

Threat actors use cryptocurrency tumbling services because they help create a much more convoluted path for law enforcement and fraud investigators to follow. Here’s how tumbling works: First, the user sends bitcoin or another cryptocurrency to the tumbler’s address. Then, the user's bitcoin is mixed with other transactions and distributed among many wallets that belong to the tumbling service. Finally, after the process is complete, the clean bitcoin is sent back to the original user or another new user. 

Colonial Pipeline: A crypto ransomware payment in real time

In May 2021, Colonial Pipeline, a U.S. company responsible for an oil pipeline system that carries fuel to the southeast region of the United States, was hit by a ransomware attack by the DarkSide RaaS operation. Management at Colonial Pipeline struggled to ascertain the extent of the potential systems compromised and opted to pay the crypto ransomware payment demand of $4.4 million in bitcoins instead of further delaying critical operations.

Keep in mind, all bitcoin transactions that occur between wallets are stored on a blockchain. These records are publicly available to everyone for the purpose of transaction validation, and all transactions can be tracked and traced back to their origination. Therefore, the FBI was able to track each transaction as the threat actors moved the $4.4 million, about 75 bitcoins, from wallet to wallet.

The FBI tracked 63.7 bitcoins, worth about $2.3 million, that the threat actors had moved to a specific wallet to which the FBI had surreptitiously gained access. The FBI subsequently possessed the private key to the wallet and seized and recovered this portion of the crypto ransomware payment. The remaining 11.2 bitcoins were traced to the DarkSide developer’s address and identified as the payment for ransomware services provided to the threat actors. Ultimately, the amount paid by the threat actors for this RaaS could not be recovered.

Anti-money laundering and crypto ransomware payments

A ransomware attack quickly reveals the myriad risks to which organizations are vulnerable, and because ransomware is intimately connected with crypto ransomware payments, organizations should tailor controls to mitigate specific risks. Specifically, financial crime teams can use transaction monitoring systems and the concept of know your customer (KYC) to reveal points of concern.

First, transaction monitoring. When converting to or from cryptocurrency to fiat currency, one major difference in the various types of financial crimes is the use of numerous separate crypto wallet accounts to perform criminal acts. Threat actors that want to perpetrate financial crime on crypto blockchains will coordinate use of an extensive number of independent hot (internet-connected) and cold (offline) wallets to perform transactions. These layered transactions occur between threat actors’ wallets and normal users’ wallets in what appears to be legitimate activity. However, when investigators examine this transactional information more holistically, they can identify red flags. Given how such transactions function, it’s important to collect accurate and verifiable data from the blockchain to adequately document and conduct crypto wallet investigations on an ongoing basis.

KYC is also important for the multiple crypto wallets used in these cases because the wallets are extremely challenging to trace. If threat actors use noncustodial wallets, the inherent identity of the customer becomes difficult to track because no customer information such as name, address, or birthdate is required to open these wallets. To help identify red flags, customer and crypto wallet profiles need to be developed based on available information from the blockchain, which might include normal transactional volumes, value amounts, types of tokens purchased, blockchains used, and counterparties engaged with.

The typical KYC laws for opening a U.S. bank account do not apply to opening a wallet in some exchanges that operate outside of U.S. jurisdiction or to noncustodial wallets. Although each transaction in most blockchains is public and can be individually traced, issues arise when bitcoins or other cryptocurrencies are tumbled into several thousands of smaller transactions to many wallets, most of which have been opened without any associated human identity. Therefore, companies must rely on KYC, large-scale data analysis via transaction monitoring systems, and anomaly detection to identify cryptocurrency transactions associated with criminal acts.

Mitigating the risk of ransomware attacks

Every organization, no matter its size or stature, is vulnerable to ransomware attacks. Understanding the ransomware and crypto ransomware payment landscapes and acknowledging vulnerabilities up front is critical. Organizations can take several proactive measures to reduce their risk of being affected by ransomware and crypto ransomware payment demands, including:

  • Phishing training. IT teams should conduct ongoing phishing training to reduce the risk of individuals inadvertently providing network credentials or clicking on malicious links or attachments. Phishing training is a critical component of any holistic security awareness training program.
  • Patching programs. All devices in the environment should be kept up to date. An annual review of the patching policies and procedures of systems in the environment is critical. Key performance indicators are helpful when tracking the success of patching programs and provide an overall idea of the risk involved.
  • Annual account reviews. Performing an annual review of the account creation process – including a review of privileged accounts – can help determine that normal employees do not have local administrative privileges on their workstations and that principle of least privilege is being followed. IT teams should also create a process to make sure that only unique passwords are created. Ransomware commonly spreads due to the re-use of local administrator passwords or an overprivileged account becoming compromised.
  • Alert creation. Creating alerts around changes in the environment can point to a potential spread of ransomware, including alerting when employees open potentially malicious attachments, monitoring for known ransomware file extensions, and configuring alerts for an excessive number of files being renamed or encrypted.
  • Endpoint protection. User endpoints should have technical security controls in place to prevent and detect a ransomware attack on a local machine. The endpoint security solution should be able to detect multiple files being encrypted in a short amount of time.
  • Network segmentation and isolation. In order to prevent the potential spread of ransomware throughout the internal network, organizations should segment their networks and also isolate them based on use, role, or location. For example, endpoints should be isolated on specific virtual local area networks, and internal firewalls should be in place to prevent network traversal.
  • Protecting backups from ransomware. Because the ransomware attack process is evolving, protecting backups from ransomware is also a critical concern. Organizations should take steps to protect backups so that they can better respond should a ransomware event take place.
  • Penetration testing. Penetration testing – also referred to as ethical hacking – is specifically required by regulatory agencies in various industries. It is also a valuable cybersecurity tool because it can improve an organization’s security posture by proactively identifying and addressing vulnerabilities.
  • Incident response plans. Incident response (IR) planning encompasses several areas and programs within an organization. The goal of IR planning is to better prepare an organization to respond quickly, efficiently, and effectively to a potentially adverse event and to reduce the impact and overall risk of the event.

Meeting the challenges of a crypto ransomware payment world

Organizations that meet the challenges of the increasingly complex cybercrime world head-on can better protect their business, their assets, and their reputations. Taking proactive steps ahead of a ransomware event can help strengthen the organization’s security posture and make it more difficult for threat actors to take advantage.

 

Is there a topic you’d like to read about?

Let us know.