Cyberattacks using ransomware are increasing in frequency, and ransom payments made to the hackers are swelling as well. Bitcoin and other cryptocurrencies, along with the exchanges where they can be traded anonymously, have emerged as key tools for the cyber extortionists. The vast sums being paid by corporations to regain control of their computers would have been near-impossible to move in any other legitimate currency market, experts say.
1. How is crypto used in cybercrime?
A typical ransomware attack on a company or organization might proceed like this: Executives realize their business website is down or systems inaccessible, and administrator overrides don’t work. A ransom demand arrives via email, providing a Bitcoin address where the payment must go if the company wants its systems operational again, along with a deadline. The victim calls up the Bitcoin address, which is 26 to 34 characters in length, when signing onto a cryptocurrency exchange to make the deposit. (Bitcoin is the most common, but not the only, digital currency used in ransomware attacks.)
2. What makes crypto attractive to criminals?
The anonymity built into the digital ledger system known as blockchain, which forms the foundation of Bitcoin and other cybercurrencies, can be leveraged through a variety of maneuvers. A ransom paid in Bitcoin can be swiftly run through a so-called cryptocurrency mixer, which obscures the trail of ownership by pooling it with other people’s holdings. (While the practice itself is not considered illegal, mixer operators can get into trouble if found to have laundered illegally gotten money.) Another option is to convert the ransom payment to a different cryptocurrency via a crypto exchange. So-called money mules can be recruited on dark web forums and directed to withdraw Bitcoins out of certain accounts.
3. How much has been stolen this way?
Ransomware attacks took off in 2020, when victims paid more than $406 million in cryptocurrency to attackers, according to blockchain analysis firm Chainanalysis. This year, groups had taken at least $81 million from victims as of May, the firm said. Cybersecurity firms say companies have paid many millions of dollars more in ransoms that have been kept quiet. Being insured against cybercrime may make victims more willing to pay ransoms if they are covered under the insurance policy. Hackers who specialize in ransomware are said to be actively seeking out targets that have insurance.
4. What did cyber thieves do before Bitcoin?
There have always been myriad ways to launder money — that is, to obscure its roots in illegal activity. In the past, ransomware payments were delivered by money transfers through services like Western Union, prepaid gift cards, wiring of funds into above-board bank accounts that are quickly transfered out by the criminals, even cash in duffle bags left at designated areas for pickup.
5. Can payments made in cryptocurrency be traced?
Yes, at least at first. All Bitcoin transactions, while anonymous, are available for anyone to see, so someone tracking a particular Bitcoin wallet can observe when cash arrives. But accessing the money inside the wallet requires a private key, essentially a password, and that’s something ransomware groups do not normally share with anyone outside their operation.
6. Have any ransomware payments been foiled?
Yes. The U.S. Federal Bureau of Investigation managed to recoup 63.7 of the 75 Bitcoins paid by Colonial Pipeline, operator of the biggest U.S. gasoline pipeline, to a Russian-linked ransomware operation because it was able to track the money as it went through over a dozen transactions, and importantly, came into possession of the private key the hackers had used. (The 63.7 Bitcoins were worth about $2.3 million at the time of the FBI action.) In the warrant it issued to seize funds, the FBI did not say how its agents acquired the private key.
7. Can anything else be done?
Regulation may be coming. In April, the Ransomware Task Force, a private-public partnership created by the Institute for Security and Technology, published an 81-page report with recommendations for how governments can protect against and deal with ransomware attacks. The group urged governments to extend Know Your Customer (KYC), Anti-Money Laundering (AML) and Combating Financing of Terrorism (CFT) requirements — which national and international authorities enforce against banks around the world — to crypto exchanges, kiosks (crypto’s version of automated teller machines) and over-the-counter trading desks. Calls to ban Bitcoin altogether have been quieted by the currency’s gradual acceptance by the financial industry.