How Bitcoin helped fuel an explosion in ransomware attacks

Share this…

Secure payment system Bitcoin has many legitimate uses, but like other technologies, it’s also been beneficial to cybercriminals seeking new ways to extort money.

Ransomware is booming. Be it Locky, CryptXXX or one of the countless other variants of the data-encrypting malware, cybercriminals are making hundreds of thousands of dollars every month off the back of swathes of infected victims each paying a few hundred dollars each to get access to their files back.


Cybersecurity researchers have warned that ransomware represents the most problematic cyber-threat. The most infamous ransomware attack this year took place at the Hollywood Presbyterian Medical Center, with the Los Angeles hospital forced to declare an “internal emergency” after its IT systems were locked down and held to ransom by hackers.

Ransom demands are typically made in Bitcoin, the cryptographic digital currency based on Blockchain distributed ledger technology, which offers a secure, often untraceable, method of making and receiving payments — a perfect currency for those who want their financial activities to remain hidden.

The popularity of Bitcoin has grown significantly in recent years and ransomware has spiked in 2016: could the growth of the two therefore be tied together?

“It’s helping. I think that’s definitely true. The existence of effectively anonymised payment mechanisms definitely plays into the hands of cybercriminals,” says David Emm, principal security researcher at Kaspersky Lab.

However, online extortion still took place regularly before the rise of Bitcoin. Emm recalls how some extortionists even attempted to use traditional postal services to receive payments for scams based on viruses.

Some of these viruses did the same sort of thing as ransomware, but were nowhere near as successful because authorities could watch the location where the payment was delivered to see who picked it up.

“It wasn’t successful because police could monitor the PO boxes, so as soon as someone went to pick up the goods, you could arrest them,” says Emm.

This lack of success led cybercriminals to switch to online payment systems, using Western Union or PayPal to receive payments from victims of malicious software. However, all of these systems are still tied to a bank account, giving the authorities an opportunity to trace the perpetrators.

That’s why the secretive nature of Bitcoin has proven so appealing for cybercriminals and why so many ransomware campaigns now want payment in that form — because it’s completely anonymous.

The Cerber ransomware campaign is one of many which not only demand payment in Bitcoin, but also passes the currency through multiple Bitcoin wallets, effectively a form of money laundering, in order to further cover the tracks of the cybercriminals.

“We saw tens of thousands of victims’ Bitcoin wallets transferred into one huge wallet. From there it’s transferred to tens of thousands of other wallets. It’s called a mixing service and it’s pretty standard for Bitcoin,” says Maya Horowitz, group manager of intelligence operations at Check Point.

“If you want your money in one wallet but you don’t want anyone to be able to trace it back and know how you got it, then you take it though a mixing service — like money laundering — and then it all eventually gets back to you after being mixed with other money,” she adds.

That ability to remain undetected is very much the reason cybercriminals trade in Bitcoin. “It makes it much easier to avoid law enforcement,” Horowitz said, noting how in the rare instances that cybercriminals convert Bitcoin into another currency law enforcement is able to link criminal wallets to real bank accounts and occasionally determine who the perpetrators are.

“From time to time it happens, especially if they don’t use mixing services, the authorities are able to trace a specific account back to a person and make an arrest,” she said.

Bitcoin not only makes it easier to remain anonymous, but also enables the extorted funds to be immediately transferred into criminal hands. Even other forms of financial cybercrime, such as data-stealing banking Trojans, don’t offer this sort of advantage. In the case of a Trojan, there will be a transaction using the stolen details, which may provide enough details to trace the perpetrator.

“That’s part of why threat actors move to ransomware, because it’s easier to operate in using just Bitcoin,” says Horowitz.

Operating in Bitcoin also brings other advantages to those dealing in ransomware. It’s much more flexible than traditional payment methods, which require specific financial or login details to use. If the criminal feels they’ve extorted enough using one campaign — or that the authorities are closing in — they can easily take their business and move on.

“In the modern age of online transactions, particularly when payments are easy to setup, then anyone can potentially become the online equivalent of Del Boy; you go along with a suitcase, you set up, when you see the police on the horizon, you pick it up and go somewhere else,” says Kaspersky Lab’s Emm.

“You have a mechanism for a particular attack, once you get enough money you’re off and using a different email address or account. That fluidity and the speed of business operation allows them to hide between the cracks a lot easier,” he adds.

But while Bitcoin has aided the rise of ransomware, it can’t be singled out as the specific cause for the boom. However, the nature of Bitcoin means cybercriminals have jumped at the opportunity to use it, as they have with other identity-hiding technologies, such as Tor or the wider dark web in general.

“The reality is cybercriminals will always use what is available to them. In many ways they’re inherently lazy, so if Bitcoin wasn’t there they’d find a different process to channel funds through. But because it exists, it’s certainly something which has provided them with an existing process to perform that money flow,” says Greg Day, VP and CSO, EMEA at Palo Alto Networks.

Ultimately, it could be said that the internet itself has been a huge gift for criminals, who are now using it not only for ransomware, but also malware, Trojans, hacking, and all manner of illegal activities on the dark web. In that case, Bitcoin is just the latest in a long line of technologies that have brought benefits to the wider world while unfortunately boosting the criminal underground.