
The ransomware pandemic: what’s fueling the wave of hacker attacks and how it could affect Bitcoin
Since last year, many companies and government agencies have faced ransomware attacks.
Breaches cost them not only the money demanded by ransomware operators for the decryption key but also lost operations — after the attack on Colonial Pipeline there were temporary fuel-supply disruptions, and several U.S. states declared a state of emergency.
After a series of high-profile attacks, authorities in various countries, especially the United States, have effectively equated the ransomware threat with terrorism.
The search for a solution to ransomware could lead to tighter regulation of cryptocurrencies, the criminals’ preferred means of collecting the ransom. In the United States, calls have grown for closer tracing of crypto transactions and tougher KYC/AML procedures.
ForkLog has examined what lies behind the heightened ransomware threat and what consequences this will have for the cryptocurrency industry.
- Ransomware has existed for a long time, but recently it has drawn close attention due to the rising damage from attacks and the focus on businesses rather than individual users.
- Experts tie the heightened activity of encryptors to the spread of the ‘ransomware-as-a-service’ model and the growing popularity of cryptocurrencies.
- The Biden administration has named tracking cryptocurrency transactions as one of the possible options to combat ransomware. Some have even proposed banning cryptocurrencies.
- Experts note that the industry has all the tools to counter criminals’ use of cryptocurrencies — for example, tracking suspicious transactions, something impossible with cash.
What are ransomware programs?
The principle behind ransomware is simple: attackers infect devices, encrypt data or disrupt computer systems, and demand a ransom for the decryption key.
Ransomware has existed for a long time, but recently it has drawn heightened attention due to the rising damage from attacks and the focus on businesses rather than individual users.
The standard infection method is phishing: hackers send emails containing malware or malicious links.
These emails often impersonate well-known brands, such as delivery services, banks, or business partners close to the victim — information that fraudsters gather in advance while preparing a targeted attack, ESET experts told ForkLog.
The history of ransomware began in the late 1980s. One of the first such viruses was the AIDS Trojan. Its author is believed to be Dr. Joseph Popp, who taught at Harvard. The virus was distributed on floppy disks packaged as educational programs about AIDS by a certain PC Cyborg Corporation.
After 90 reboots, the virus on the disks encrypted files and hid folders, demanding $189 for a ‘license extension’.
Over time, ransomware evolved, but truly large-scale attacks began after 2010. Alongside improved malware and new intrusion methods, the internet spread worldwide at unprecedented speed, and the number of potential victims grew hundreds, even thousands, of times over.
New ways to obtain a ransom and evade law enforcement emerged — at least initially.
In 2013 hackers began distributing CryptoLocker, targeting Windows users, via emails with malicious attachments, botnets and compromised sites. As ZDNet, citing Dell SecureWorks, reports, CryptoLocker harmed at least 250,000 victims in its early days.
The malware encrypted certain files and the victim received a ransom note with a countdown. Operators accepted payments via MoneyPak cards or in bitcoins. The note also warned that if the ransom was not paid in time, ‘no one will ever be able to recover the files’.
Later, hackers added the option to buy a decryptor key after the deadline through a dedicated service, but the price rose from 2 to 10 BTC.
According to ZDNet, which tracked several Bitcoin addresses to which CryptoLocker victims paid the ransom, between 15 October and 18 December 2013 around 41,928 BTC passed through the hackers’ wallets.
In June 2014, the US Department of Justice announced the dismantling of the Gameover Zeus botnet, used to distribute CryptoLocker and other malware, and Russian national Evgeniy Bogachev was charged with involvement in operating the botnet and the ransomware. Authorities also said the operation had taken down CryptoLocker.
Subsequently the world faced several more large-scale ransomware campaigns. The WannaCry damage, by some estimates, exceeded $1 billion, and the Petya worm not only encrypted data but also erased files, affecting many systems across companies and government agencies.
While law enforcement and cybersecurity firms fought one set of ransomware groups, others rose to take this crime to a whole new level.
«Despite the authorities’ successes in curbing several ransomware groups, this form of malware has proved to be a hydra — you cut off one head, and several more appear», analysts emphasize.
New Horizons
According to analysts at Kaspersky Lab, 2016 was pivotal, ‘when in a few months the number of ransomware attacks on business tripled’. Data from Statista show that that year saw the highest number of attacks.
Nevertheless, according to Check Point Research, ransomware operators intensified in 2021. In the first four months of the year, the number of companies hit by ransomware attacks rose by 102% compared with the start of 2020.
Since the start of the year there have been several high-profile ransomware incidents — Colonial Pipeline, JBS, Acer and many other firms and agencies have fallen victim. According to Reuters, the United States has elevated the priority of investigations into such breaches to the level of terrorism cases.
Analysts disagree on the total number of ransomware attacks. Reliable data are hard to obtain as many companies do not disclose details or even the fact of a breach.
However, almost all experts agree on the increased level of damage.
According to Chainalysis, the average ransom demanded by ransomware operators rose more than fourfold—from $12,000 in Q4 2019 to $54,000 in Q1 2021.
According to Cybersecurity Ventures, the damage from ransomware in 2021 will reach $20 billion, rising to about $265 billion by 2031.
One reason for the rising threat, experts say, is the transformation of extortion into an ecosystem, where malware developers are only part of the system.
Causes of the ransomware pandemic
Ransomware-as-a-Service (RaaS) is a model in which a cyberattack can be ordered as a service. Typically, hackers develop the malware and provide it to a client; depending on their level of involvement, the developers take a cut of the ransom.
Independent expert Alexander Isavin told ForkLog that the established ‘market for hired malware-as-a-service’ has significantly boosted the number of attacks:
«Someone develops, someone seeks paying victims, and the infrastructure for laundering illicit proceeds already existed. It’s clear criminals use the most advanced tools first — and they were among the first to adopt cryptocurrencies».
A prime example of a RaaS-style attack is the Colonial Pipeline breach, Dmitry Galov, cybersecurity expert at Kaspersky Lab, told ForkLog.
The group involved in the Colonial Pipeline attack not only developed the tools but built an entire infrastructure for carrying out attacks. It helped its clients during negotiations with victims and in obtaining the ransom, and offered partner programmes to other criminals, who were pre-selected through a competitive process according to formal requirements and after interviews.
«The world of ransomware must be understood as an ecosystem and regarded as such», analysts emphasize.
Attackers often do not know each other. They interact through various forums and platforms, paying for services with cryptocurrency.
As a result, arresting any single participant has little effect on ransomware operations, since the other actors cannot be identified through them.
One example supporting this view is the recent announcement by Ukrainian law enforcement that it had identified members of the hacking group behind the Clop ransomware.
A week after this news, Clop published a new batch of data, allegedly obtained from two new victims.
As it turned out, the searches targeted not group members but operators of a cryptocurrency exchange through which the Bitcoins flowed; Binance helped identify them. The hackers, it would seem, remain at large.
According to researchers at Intel471, groups operating under the RaaS model include Doppel Paymer, Egregor/Maze, Netwalker, REvil, Ryuk and others.
The threat from ransomware activity grows also due to changing victim focus — hackers increasingly target companies and organisations rather than individuals.
«Ransomware attacks in recent years have become a real threat to any organisation, including social facilities and industrial enterprises. Often the groups attacking business seek access to the maximum number of corporate networks and then study what company it is», said Dmitry Galov, cybersecurity expert at Kaspersky Lab.
Hackers increasingly adopt the tactic of double extortion. They not only encrypt data or devices but also exfiltrate personal or commercial information they threaten to publish if the ransom isn’t paid.
Many affected organisations choose to pay. According to media reports citing Proofpoint research, 52% of ransomware victims paid the ransom.
Experts do not recommend paying, as ‘there is no guarantee criminals will fulfil their promises to decrypt after payment’, ESET told ForkLog:
«Moreover, statistics show that more than half of those who paid end up re-victimised within a year».
This is confirmed by Cybereason. A survey of 1,263 cybersecurity professionals found that 80% of those who paid the ransom were hit again.
The U.S. authorities are urging not to pay; some even advocate banning such payouts.
If you were the victim of a #ransomware attack, paying the ransom doesn’t guarantee you’ll get a decryption key or your data back from cybercriminals. Eliminate the need to pay – back up your data and patch your computer often! https://t.co/BuYmxnWdyK #Cybersecurity pic.twitter.com/VdwqP8cymn
— US-CERT (@USCERT_gov) July 1, 2021
In recent times American organisations and companies have increasingly found themselves in the crosshairs, prompting the government and security services to focus closely on this form of cybercrime. And with it—cryptocurrencies.
The Biden administration has already stated that tracking cryptocurrency transactions is one possible approach to counter ransomware.
Bitcoin and ransomware
Some see cryptocurrencies as a major driver of ransomware.
Programmer Stephen Diehl notes that previously attackers had few ways to collect a ransom without attracting law enforcement, especially for large sums.
Cryptocurrency provided the perfect answer to allowing hackers to prey on their victims and extort unlimited and anonymous cash payments while completely minimising their exposure of being caught by law enforcement. (8/)
— Stephen Diehl (@smdiehl) May 21, 2021
According to Chainalysis, in 2020 ransomware victims paid more than $406 million in cryptocurrencies. Analysts note that this figure is likely to rise as investigations continue.
Most often the ransom is demanded in Bitcoin, but payments can be made in other cryptocurrencies as well. According to Samantha Levin of CAC Specialty, payments have been observed in Ethereum and even Dogecoin.
Attackers focus on privacy-oriented assets. One such coin is Monero. Last year, the REvil (Sodinokibi) gang said it planned to abandon Bitcoin in favour of XMR.
However, although attackers have already demanded a ransom in this cryptocurrency, they have not managed to move completely away from Bitcoin. In one of the latest attacks they demanded $70 million in BTC.
According to experts, the main reason hackers have not fully shifted to privacy-focused digital assets is that victims find it harder to access them. Consequently, they simply cannot pay the ransom.
«Many of these [privacy-focused] cryptocurrencies remain unusable on a global scale, unlike Bitcoin», ESET told ForkLog.
Bitcoin extortionists could tarnish the reputation of the lead cryptocurrency as Congress weighs its status, says Illinois Congressman Bill Foster.
With the rise in ransomware activity, U.S. authorities, who had long warned about criminals using crypto, have begun urging strict regulation of the industry, and government experts call for tighter compliance with KYC/AML rules at the international level.
Some even propose banning Bitcoin altogether. Yet it remains unclear how, since the essence of the protocol lies in decentralisation. Reddit users mocked the idea, suggesting banning phones to curb spam calls or officials to curb corruption.
Moreover, as The Verge notes, a theoretical ban on cryptocurrencies would disrupt legitimate market participants, while “dodgy exchanges based outside the United States” would persist.
At the same time, Bitcoin’s reputation as a totally anonymous coin is somewhat exaggerated, since the public blockchain enables most transactions to be traced.
In June, the FBI recovered 63.7 BTC from the Colonial Pipeline ransom paid to the ransomware operators. The agency traced the blockchain transactions soon after the funds moved from the Colonial Pipeline address to the DarkSide hackers. Some were redirected to a wallet for which the authorities had the private key.
How they obtained access remains undisclosed. However, as Adam Back, a pioneer of the crypto industry and the CEO of Blockstream, noted, it is unlikely the FBI hacked the wallet. It is more plausible that the agency simply gained access via a service provider or hosting company.
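The kind of tracing described above can be sketched in code. The following Python script is an added example, not part of the original article and not code from the FBI, Blockstream or any analysis firm named on the page: it follows ransom funds forward through a constructed toy ledger (every address, transaction id, amount and entity label is made up) until each branch reaches an address attributed to a known service, which is the point at which investigators can ask the provider for account records rather than needing a private key.

```python
from collections import deque

# Constructed toy ledger, not real chain data: every address, txid and
# amount below is made up for the example.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_addr"],
     "outputs": [("ransom_addr", 75.0)]},
    {"txid": "tx2", "inputs": ["ransom_addr"],
     "outputs": [("affiliate_addr", 63.7), ("operator_addr", 11.3)]},
    {"txid": "tx3", "inputs": ["affiliate_addr"],
     "outputs": [("hosted_wallet_addr", 63.7)]},
    {"txid": "tx4", "inputs": ["operator_addr"],
     "outputs": [("mixer_in_addr", 11.0), ("operator_change", 0.3)]},
]

# Hypothetical attribution list: addresses an analyst has linked to
# identifiable services (the kind of labelling blockchain-analysis firms sell).
KNOWN_ENTITIES = {
    "hosted_wallet_addr": "custodial-service-X (hypothetical)",
    "mixer_in_addr": "mixing-service-Y (hypothetical)",
}


def build_spend_index(ledger):
    """Map each address to the transactions that spend from it."""
    index = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            index.setdefault(addr, []).append(tx)
    return index


def received_amount(ledger, addr):
    """Total value paid to `addr` across the ledger."""
    return sum(amt for tx in ledger for out, amt in tx["outputs"] if out == addr)


def trace_forward(ledger, start, known, max_hops=6):
    """Breadth-first walk from `start`, following each spend to its outputs.

    A branch stops when its funds land on an address attributed to a known
    entity, on an address that is never spent, or after `max_hops` hops.
    Each endpoint records the path (addresses and txids), the value that
    arrived there and the attributed entity (None if unattributed).
    """
    spend_index = build_spend_index(ledger)
    endpoints = []
    visited_txs = set()  # never walk the same transaction twice
    queue = deque([(start, [start], received_amount(ledger, start), 0)])
    while queue:
        addr, path, amount, hops = queue.popleft()
        if addr in known:
            endpoints.append({"path": path, "amount": amount, "entity": known[addr]})
            continue
        if hops >= max_hops or addr not in spend_index:
            endpoints.append({"path": path, "amount": amount, "entity": None})
            continue
        for tx in spend_index[addr]:
            if tx["txid"] in visited_txs:
                continue
            visited_txs.add(tx["txid"])
            for out_addr, out_amt in tx["outputs"]:
                queue.append((out_addr, path + [tx["txid"], out_addr], out_amt, hops + 1))
    return endpoints


def summarise(endpoints):
    """Aggregate traced value per attributed entity ('unattributed' otherwise)."""
    totals = {}
    for ep in endpoints:
        key = ep["entity"] or "unattributed"
        totals[key] = round(totals.get(key, 0.0) + ep["amount"], 8)
    return totals


if __name__ == "__main__":
    ends = trace_forward(LEDGER, "ransom_addr", KNOWN_ENTITIES)
    for ep in ends:
        print(" -> ".join(ep["path"]), f"{ep['amount']} BTC", ep["entity"] or "unattributed")
    print(summarise(ends))
```

The toy follows every output of every spend, so it over-approximates: on a real chain an analyst also has to separate change outputs from payments, handle transactions with many inputs, and treat mixing services as a boundary rather than a destination. What the example does show is why attribution data matters more than cryptanalysis in these cases: the walk ends at addresses that belong to an identifiable provider, and that provider, not the protocol, is where the funds become reachable.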
«Blockchain analysis allowed linking the payment to a specific Bitcoin address and identifying the true owner of the final account. This example demonstrated that Bitcoin transfers are traceable and that this will deter cyber criminals from using the payment method in the future», say ESET researchers.
Before this story, Elliptic researchers identified 47 Bitcoin wallets believed to belong to DarkSide.
Even privacy-focused Monero is not fully anonymous, and tools to track transactions with it are already being developed.
«The biggest myth, the greatest misconception is the traceability of Monero transactions. It’s not hard to ‘hack’ Monero privacy based on wallet analysis», Riccardo Spagni, one of the cryptocurrency’s developers, said in an interview with ForkLog.
Thus, the industry already has tools to track transactions, and exchanges are widely adopting KYC/AML procedures, akin to those used by traditional financial firms. If the industry does not participate in finding countermeasures, regulators are likely to propose a solution themselves.
«Cryptocurrencies are in fact more transparent than most other forms of value transfer. Certainly more transparent than cash», says Chainalysis.
Author: Alina Saganskaya.
Read ForkLog’s Bitcoin news on our Telegram — cryptocurrency news, prices and analysis.
ForkLog newsletters: keep your finger on the pulse of the Bitcoin industry!