The first ransomware attack took place in 1989—long before Bitcoin and cryptocurrencies. However, the rise of cryptocurrencies undoubtedly gifted criminals a new extortion method. Quick, entirely digital, and almost untraceable; a perfect trifecta of fraud.
Ransomware and cryptocurrencies are a perfect marriage, too. Although consumer ransomware infections are down, business ransomware infections continue to rise as criminals target those organizations with little choice other than to pay the ransom or face costly data destruction.
Does Bitcoin facilitate the laundering of ransomware extortion?
What Is Ransomware?
Ransomware is a type of malware that encrypts the files on an infected system. Once the target system’s files are completely encrypted, the system displays a ransom note. The ransom note demands payment in cryptocurrency, usually Bitcoin or Monero, to decrypt the files.
Some ransomware types carry additional threats. For instance, attempting to restart the system causes the permanent deletion of a file or the ransom demand to increase in small increments.
Ransomware is notoriously difficult to remove. The encryption of your important files, such as photos, music, and documents, means wiping your system clean to start again is an incredibly painful decision. Ransomware developers work in the knowledge that most people do not keep frequent backups of their most important data, pushing the onus firmly on the victim to pay up or lose out—for good.
Why Is Bitcoin Vital to Ransomware Extortion?
As mentioned, the first ransomware attack took place in 1989, decades before the advent of Bitcoin and other cryptocurrencies. The “AIDS Trojan” demanded a payment of $189 for the system repair tool, but the analysis found that the decryption key was easily extracted from the code of the Trojan. Ultimately, it was a failure, but a sign of things to come.
The real boon for ransomware came with the advent of Bitcoin and cryptocurrency. With Bitcoin, suddenly there was an easy-to-use global currency that exists solely in the digital world. Even if the Bitcoin blockchain is too slow to function as a proper currency, it is perfectly capable of processing transactions. Furthermore, because Bitcoin is entirely digitized, it is much easier to develop malware demanding payment.
You don’t need a bank account, PayPal, or otherwise. Just a Bitcoin wallet address for the victim to send the ransom to. And if you’re talking real efficiency, a ransomware developer could program the decryption code or tool to send on receipt of the ransom using a blockchain transaction checker.
Monero In Ransomware Attacks
Bitcoin isn’t anonymous. It is pseudo-anonymous, meaning that if someone looks hard enough, with the right tools, they can uncover links between wallets and transactions. If someone has carelessly linked a wallet used for ransomware or other criminal activity to any identifying information, a blockchain analysis firm can potentially uncover the link and out the criminal.
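One heuristic that blockchain analysis commonly relies on is common-input ownership: addresses spent together as inputs of one transaction are assumed to belong to the same wallet. The sketch below is an added example, not part of the original article; the transactions, address names, and label are all constructed.

```python
from collections import defaultdict

# Constructed sample data (hypothetical addresses): each transaction lists the
# addresses that funded it (inputs) and the addresses it paid (outputs).
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["victim_A"], "outputs": ["ransom_1"]},
    {"txid": "tx2", "inputs": ["victim_B"], "outputs": ["ransom_2"]},
    # Two ransom addresses spent together: one wallet holds both keys.
    {"txid": "tx3", "inputs": ["ransom_1", "ransom_2"], "outputs": ["hop_1"]},
    # The careless step: ransom funds co-spent with a personal address.
    {"txid": "tx4", "inputs": ["ransom_2", "old_wallet"], "outputs": ["exchange_deposit"]},
    {"txid": "tx5", "inputs": ["bystander"], "outputs": ["shop"]},
]
# Constructed attribution: an address already tied to identifying information.
KNOWN_LABELS = {"old_wallet": "donation address posted by 'example_user'"}


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(transactions):
    """Group addresses that were co-spent as inputs of the same transaction."""
    uf = UnionFind()
    for tx in transactions:
        first = tx["inputs"][0]
        uf.find(first)  # register single-input spenders too
        for other in tx["inputs"][1:]:
            uf.union(first, other)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return list(clusters.values())


def labels_linked_to(address, transactions, labels):
    """Return known labels that share a cluster with the given address."""
    for cluster in cluster_addresses(transactions):
        if address in cluster:
            return {a: labels[a] for a in cluster if a in labels}
    return {}
```

Only inputs are clustered; receiving a payment from a cluster does not imply ownership. The heuristic is an assumption, and collaborative transactions such as CoinJoin break it.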
Obviously, criminals dealing in ransomware don’t want that—it is bad for business. Several Bitcoin alternatives are vastly more secure and private than Bitcoin. Monero is one of the best known truly private cryptocurrencies, using a range of additional features to protect the identity of its users.
Some ransomware types demand payment in Monero to make blockchain analysis impossible. In early 2018, cybersecurity company Carbon Black reported that around 44-percent of ransomware attacks demanded payment in Monero due to its privacy and security features. However, Coveware’s Q1 2019 Global Ransomware Marketplace report found that Bitcoin made up nearly 98-percent of all ransomware payments, a strong switch back to the better known and easier to access cryptocurrency.
Monero has other criminal uses, too. For instance, as Monero is easier to mine than Bitcoin, it is the cryptocurrency of choice for cryptojacking malware.
Crypto Exchanges Help Ransomware Cash-Out Strategies
A major problem facing the distributors of ransomware and other malware types is cashing out fraudulent currency. Just as “real-world” criminals must launder their financial gains to remain under the radar of the authorities, Bitcoin and cryptocurrencies similarly need laundering.
Blockchain intelligence firm Chainalysis reports that 64-percent of ransomware cash-out strategies involve laundering funds through cryptocurrency exchanges. Chainalysis identified 38 exchanges that received funds from Bitcoin and other cryptocurrency addresses associated with ransomware attacks.
Cryptocurrency exchanges without Know-Your-Customer and Anti-Money Laundering (KYC/AML) procedures are a prime target for any criminal looking to wash their Bitcoins. A criminal can send ill-gotten Bitcoins to an unregulated exchange. Once on the exchange, the Bitcoin is sent through multiple transactions across different cryptocurrency types, completely severing the link between the ransomware proceeds and the criminal account. Once the criminal cashes out from the unregulated exchange, the Bitcoins or other cryptocurrencies are effectively clean, ready for the exchange to fiat.
Bitcoin Mixing Services Used for Crypto Laundering
Crypto exchanges were not the only method for cashing out ransomware funds. The Chainalysis report found that cryptocurrency mixing services account for 12-percent, while 6-percent is laundered through peer-to-peer networks. Interestingly, the research also found that some 9-percent of ransomware proceeds remain unspent.
A Bitcoin mixing service takes your Bitcoin and severs the link to its transaction history and wallets associated with you. In this case, a criminal could use a Bitcoin mixing service to sever the link between the ransomware, associated wallets, and wallets they use to cash out their gains.
It seems logical that criminals would use a cryptocurrency mixing service to tumble Bitcoins to create anonymity. Some do. But the actual figure is much lower than you might think. Another blockchain analysis firm, Elliptic, found that only 16-percent of funds entering Bitcoin mixers came from an illicit source. The remaining 84-percent is regular Bitcoin users attempting to improve their privacy using a Bitcoin mixing service.
Bitcoin Makes Ransomware Big Business
Would ransomware still exist without Bitcoin? Almost certainly. Does Bitcoin make it easier for criminals to use ransomware for extortion? That’s a big yes, too.
Ransomware shows no sign of slowing down, either. Since Q1 2018, ransomware attacks on businesses rocketed up by 508-percent, with a 189-percent increase in Q4 2018 alone. Businesses usually incur larger ransoms too, in comparison to consumers. The FBI’s Internet Crime Complaint Center (IC3) Internet Crime Report (2013, 2014, 2015, 2016, 2017, 2018) further illustrates the shift to businesses as the total number of ransomware complaints fell by nearly 500, yet losses increased to over $3.6 million.
A ProPublica report provides another indicator as to the growth in ransomware targeting businesses: cybersecurity firms. Some cybersecurity firms claim to have access to or be able to decrypt files locked with advanced encryption algorithms. The reality is that many firms offering advanced data recovery pay the criminals the ransom fee to receive the decryptor, unlock the files, then charge a premium for the ransom, their time, and “expertise.”
It is a boon for criminals using ransomware to extort money. Bitcoin ransoms remain lucrative due to their ease of use, the relative simplicity of laundering them, and an increasing understanding among businesses that paying up is often the best option to retrieve files. When data destruction is the other option, sending a Bitcoin to a criminal to return to regular operation is an almost safe option.