Bitcoin ransomware attacks on the rise

Companies and governments around the world are being targeted by ransomware attackers. The hackers encrypt data and disable IT systems before demanding payment in exchange for the decryption key.

Over the last year, cybercriminals have grown in confidence, asking for larger ransoms and launching brazen attacks on enterprises and governments that can’t afford to lose sensitive data or suffer IT downtime.

Bigger ransoms

When an employee at Florida’s Riviera Beach City Council opened a malware-infected email in June, hackers were able to take control of the computer systems. The attackers demanded a payment of $600,000 in Bitcoin to release them. The payment was made by the council’s insurers.

Similar attacks have occurred across the U.S. Neighboring Lake City paid a ransom of $460,000 after malware took down most of its IT systems, and in Georgia, Jackson County Council reportedly paid $400,000 to recover their own systems after an attack. The payments were made in Bitcoin.

Enterprises have also been affected. An especially pernicious strain of ransomware named after Japanese manga demon Ryuk, who kills by writing names in a deadly notebook, has hit the headlines for attacking “logistics companies, technology companies and small municipalities” that hold highly valued data, in both the US and China.

The perpetrators of the Ryuk attacks often demand bounties exceeding $5 million to restore services, a number that is significantly higher than just a few years ago.

Data from cybersecurity company Coveware indicates that in the last year, ransom payment demands have increased, with the average ransom almost doubling in the first half of 2019.

Some attribute these higher payments to more dangerous varieties of ransomware, which now use encryption so complex that it is almost impossible to crack. Others, however, suggest that Bitcoin itself is giving attackers the confidence to demand large sums without fear of reprimand.

The role of Bitcoin

Since 2013, when Bitcoin first entered the mainstream, it has been used as a payment option for ransomware. While Bitcoin has proven popular for this purpose, the unique properties of the cryptocurrency cut both ways — creating a double-edged sword for attackers.

Irreversible transactions are useful for cybercriminals as they can avoid chargebacks after they have delivered the decryption key. Or they can simply keep demanding more funds without ever delivering.

For the attackers, it’s this quality that makes Bitcoin an attractive ransomware payment method. Bitcoin payments cannot be reversed or stopped, unlike wire transfers, prepaid cards, or SMS payments, which in some cases promise higher levels of anonymity.

But as Coin Center’s crypto lawyer Van Valkenburgh suggests, it is not necessarily irreversibility that makes Bitcoin the ransomware payment mechanism of choice, but rather the convenience of a digital asset that can easily be integrated with malicious software. "The efficiency of the network is what criminals are really using it for here," Van Valkenburgh told Marketplace radio. "It’s electronic cash, so it’s easy to write software that can automatically demand payment and automatically detect that payment has been made."

While the ease of integration might be convenient, the transparent nature of the Bitcoin blockchain can make it possible for authorities to track the payment. Bitcoin is pseudonymous: transactions are sent between addresses that appear as strings of characters rather than names, and each transaction can be followed to the receiving address. If that address can be connected to a real-world identity, such as an exchange account, authorities can pounce.

Academics at several leading universities tested the strength of Bitcoin pseudonymity last year with a study that analyzed the Bitcoin blockchain to get a clearer picture of the state of ransomware.

The study, which was supported by data from blockchain forensics firm Chainalysis, traced Bitcoin ransomware transactions "from the moment victims acquire Bitcoins, to when ransomware operators cash them out."

Both regular Bitcoin transactions and those obscured by the CoinJoin privacy protocol were traced with techniques known as "transaction clustering and tracing" that looked at the series of time-stamped transactions imprinted on the blockchain.

At the end of the trail of transactions, the study was able to locate something that might be impossible to find with other payment methods: a real-world cash-out point at BTC-e, the same Russian cryptocurrency exchange that was accused of laundering millions' worth of lost Bitcoin from Mt Gox.

The study estimates that “the overall ransomware ecosystem revenue for the past two years was over 16 million USD extorted from on the order of 20,000 victims. Our ensuing analysis of ransomware operators’ cash-out strategies indicated that BTCe was a key piece of support infrastructure that was used to exchange millions of USD worth of ill-gotten bitcoins into fiat currency.”
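The clustering-and-tracing idea described above, sketched as an added example that is not code from the article or from the study. The article does not say which heuristic the researchers used; this sketch assumes the widely used multi-input heuristic (addresses spent together in one transaction share an owner), and every address name, transaction and label in it is constructed.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real blockchain data): spend-from and pay-to addresses.
TXS = [
    {"id": "t1", "ins": ["victimA"], "outs": ["ransom1"]},
    {"id": "t2", "ins": ["victimB"], "outs": ["ransom2"]},
    {"id": "t3", "ins": ["ransom1", "ransom2"], "outs": ["hop1"]},  # co-spend
    {"id": "t4", "ins": ["hop1", "ransom3"], "outs": ["exch_dep"]},
    {"id": "t5", "ins": ["bystander"], "outs": ["shop"]},
]
LABELS = {"exch_dep": "exchange deposit"}  # hypothetical attribution label

def cluster(txs):
    """Union-find over addresses: inputs spent together share one owner."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        for addr in tx["ins"] + tx["outs"]:
            find(addr)  # register every address, even singletons
        for other in tx["ins"][1:]:
            parent[find(other)] = find(tx["ins"][0])
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return {a: frozenset(g) for g in groups.values() for a in g}

def trace(txs, seed, labels):
    """Follow payments forward from a seed address until a labelled address."""
    spends = defaultdict(list)
    for tx in txs:
        for a in tx["ins"]:
            spends[a].extend(tx["outs"])
    seen, queue, hits = {seed}, deque([seed]), []
    while queue:
        addr = queue.popleft()
        if addr in labels:
            hits.append((addr, labels[addr]))
            continue  # stop at the cash-out point
        for nxt in spends[addr]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return hits
```

Clustering groups `ransom1` with `ransom2` and `hop1` with `ransom3`, so one known ransom address exposes others held by the same wallet; tracing then walks the payment trail to the labelled deposit address.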

The best defense against a ransomware attack is proactive defense. However, today’s sprawling IT systems invariably have a weak point that can be attacked. The FBI has published an aggregate of existing federal government and private industry best practices and mitigation strategies focused on the prevention of and response to ransomware incidents.

