Advice has changed on storing bitcoins ‘just in case’ to pay a ransom
Mathew J. Schwartz (euroinfosec) •
April 29, 2022
Do not store cryptocurrency in case your organization falls victim to ransomware attackers and may need to pay a ransom quickly.
This might seem obvious to anyone who has watched Bitcoin’s value swing wildly in recent years. But not too long ago, at least some organizations would keep bitcoins on hand in case they were hit by ransomware (see: Ransomware Extortion: A Matter of Time).
“A question we used to get more of – and I don’t hear it as much now – is, ‘Should we have a wallet with bitcoins ready to pay a ransom?’” says attorney Guillermo Christensen, a partner at the Indianapolis law firm Ice Miller who works out of its Washington office.
“My answer to that, for almost every organization I’ve dealt with, is absolutely no,” he says. “The value fluctuates a lot. If you’re doing it for investment reasons, that’s fine. But the first place people go to steal money is from digital wallets. … It’s a headache you don’t need, and there are plenty of reliable companies that will help you source Bitcoin or Monero.”
Risky cryptocurrency wallets
On the wallet front, criminals continue to use malware to not only infect systems, but also to ransack them in search of cryptocurrency wallets. One of the terms and conditions of a malware-as-a-service offering, for example, is that the user must share all stolen wallet information with the operator.
Trojanized versions of popular wallet apps – for Android and iOS – also continue to be deployed by criminals, and Chinese cryptocurrency users are prime targets, says Lukas Stefanko, malware researcher at security firm ESET.
“These malicious apps were able to steal victims’ passphrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey,” he wrote in a research report.
Hitting a hot wallet allows attackers to capture the seed or recovery phrase that is generated when first creating a cryptocurrency wallet. “This phrase is generated as a list of words that allow the wallet owner to access funds in the wallet,” Stefanko writes. “If attackers have a seed phrase, they can manipulate the contents of the wallet as if it were their own.”
Hence Christensen’s advice not to try to keep your own “rainy day ransom payment” cryptocurrency cache.
But what if your organization is hit by ransomware and decides to pay a ransom? This is not illegal, at least in North America and Europe, provided the funds are not sent to a sanctioned entity such as the North Korean group Lazarus or the Russian company Evil Corp, which runs ransomware such as WastedLocker (see: Russia’s war further complicates ransom payments for cybercrime).
Many ransomware groups prefer ransoms to be paid in Monero, aka XMR, because the privacy coin is by design harder to trace. “Bitcoin payments — like the one in the Colonial Pipeline attack — are made on an open, immutable public ledger that allows law enforcement to use tools like TRM to track the flow of funds,” says Ari Redbord, head of legal and government affairs at San Francisco-based blockchain analytics firm TRM Labs and an Information Security Media Group contributor.
Given the cost of attempting to launder Bitcoin – often via tumbler or mixer services, which are not free – ransomware groups often charge a premium to victims who choose to pay in Bitcoin, aka BTC. “Instead of it being ‘only accept bitcoin,’ we got requests for Monero with a 10% to 15% markup if payment is made via bitcoin,” says attorney Catherine Lyle, claims manager at Coalition, a San Francisco-based cybersecurity insurance company.
Other experts I’ve spoken with say they’ve seen premiums for paying in Bitcoin ranging from 5% to 20%.
Even so, Bitcoin remains “the top crypto in demand by threat actors,” says Lyle. Beyond Monero, while other cryptocurrencies are available, ransomware incident response experts tell me attackers rarely, if ever, offer them as a payment option. Likewise, it is the rare group that only seeks Monero (see: Ransom payments: Monero promises privacy; Bitcoin Dominates).
How to Source Bitcoin or Monero
For any ransomware victim who wants to pay in Monero, however, the coin is relatively difficult to obtain. “It’s highly illiquid relative to BTC and isn’t traded on most national venues,” says Bill Siegel, CEO of Westport, Connecticut-based ransomware incident response firm Coveware.
Monero supply is more restricted because many exchanges have reduced their risk by dropping support for the privacy coin, both over concerns about its use for money laundering and under pressure from governments and industry partners, says Redbord of TRM Labs.
The vast majority of cryptocurrency transactions are not for illicit purposes, he says. But by not handling Monero, it’s easier for exchanges to better comply with “know your customer” and anti-money laundering regulations.
Therefore, finding enough Monero on your own to pay a ransom can be difficult. “While not recommended, organizations attempting to handle ransomware trading and payments themselves may find it slightly more difficult to acquire Monero rather than Bitcoin due to some popular exchanges that do not offer purchases of Monero,” says Jason Rebholz, CISO at Boston-based commercial insurance provider Corvus Insurance.
But companies that help ransomware victims will be able to get hold of Bitcoin or Monero at short notice. “For third-party vendors specializing in ransomware trading and payments, there is no increased difficulty in obtaining Monero – apart from the ethical factor, which will knowingly make it harder for law enforcement to track payment channels,” says Rebholz.
Working with experts can pay
This is one more reason why experts recommend that ransomware victims always work with experienced responders. Last year, for example, it emerged that security firm Emsisoft had worked quietly with partners and victims to help exploit cryptographic weaknesses in DarkSide and later its spin-off BlackMatter. These weaknesses allowed some victims to decrypt their files without having to pay for a decryptor (see: Memo to ransomware victims: Asking for help can save you money).
Ransomware incident response companies, law firms and others who help victims amass intelligence on specific attackers, including their propensity to provide a decryption tool if a victim pays, how often these tools work and how the group negotiates when it comes to discounting its initial ransom demand.
This information can help a victim make informed decisions about what to do more quickly. “That’s one of the reasons why I worked very hard to try to build a combination of the legal, the threat intelligence, the negotiations, to try to integrate them in a way that allows us to be able to put all of this information together and make the most of every little piece of data we get in this negotiation,” says Christensen of Ice Miller.
The goal of these types of playbooks, each tailored to a particular threat group, he says, is “to be able to give our client the best advice: this is what you should do, this is what it’s worth, this is what they’re going to want, this is how they’re going to negotiate with us, and yes, we can make that payment. Or, if we find out early on that no, we can’t, then we’re spending a lot more money getting it back, because that’s your only way out.”