Ransomware’s cryptofootprint

Cybercriminals made off with more than $16 million from ransomware from 2016 to 2017.

The better we understand the modus operandi and operational scale of cybercriminals, the more effectively we can combat them. In the case of ransomware, assessing the success and profitability of any particular criminal group is usually no easy task. Security vendors usually learn about such attacks by observing and communicating with their clients, which essentially means we tend to see the attempts that fail. Meanwhile, ransomware victims tend to keep quiet (especially if they paid up).

As a consequence, reliable data on successful attacks is scarce. However, at the 2020 Remote Chaos Communication Congress (RC3), a team of researchers presented a rather curious method for analyzing cybercriminal campaigns from start to finish based on cryptocurrency footprints.

Analysts at Princeton University, New York University, and University of California, San Diego, as well as employees of Google and Chainalysis, conducted the study in 2016 and 2017. It’s now been a few years, but their method remains applicable.

Research method

Criminals fear leaving money trails, which is why modern cybercrime favors cryptocurrency (Bitcoin in particular), which is practically unregulated and ensures anonymity. Moreover, cryptocurrency is available to anyone, and transactions made with it cannot be canceled.

However, another relevant characteristic of Bitcoin applies here: All Bitcoin transactions are public. That means it is possible to trace the financial flows and glimpse the scale of the inner workings of the cybercriminal economy. And that is precisely what the researchers did.

Some, but not all, attackers generate a unique BTC wallet address for each victim, so the researchers first collected wallets intended for ransom payments. They found some of the addresses in public messages about the infection (many victims posted screenshots of the ransom message online), and they obtained others by running ransomware on test machines.

Next, the researchers traced the cryptocurrency’s path after it was transferred to the wallet, which in some cases required making Bitcoin micropayments of their own. Bitcoin supports co-spending, whereby funds from several wallets are spent together in a single transaction; cybercriminals used this to consolidate ransom payments from several victims. But such a transaction requires the mastermind to hold the keys to every wallet it spends from. Consequently, tracking such transactions makes it possible to expand the list of victims and, at the same time, find the address of the central wallet where the funds end up.

Having studied the financial flows through the wallets over a two-year period, the researchers gained an idea of cybercriminals’ revenues and the methods used to launder funds.

Main takeaways

The researchers’ key finding was that in the space of two years, 19,750 victims transferred approximately $16 million to the operators of the five most common types of ransomware. Admittedly, the figure is not entirely accurate (it’s unlikely they traced all transactions), but it provides a rough estimate of the scale of cybercriminal activity a few years ago.

Interestingly, about 90% of the revenue came from the Locky and Cerber families (the two most active ransomware threats at the time). What’s more, the infamous WannaCry earned no more than a hundred thousand dollars (although many experts classify the malware as a wiper, not ransomware).

Estimating the revenue of the creators of the most widespread ransomware of 2016–2017. Source

Of far greater interest was investigating how much of that revenue the cybercriminals took, and how they did it. For that, the researchers used the same method of analyzing transactions to see which of the cybercriminals’ wallets popped up in joint transactions involving the known wallets of online digital currency exchange services. Not all funds can be traced that way, of course, but the method enabled them to establish that cybercriminals most commonly withdrew money through BTC-e.com and BitMixer.io (authorities closed both exchanges later for, you guessed it, laundering illegal funds).
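The two analytical steps described above (clustering addresses that are co-spent in one transaction, then looking for outputs from that cluster to the known deposit addresses of exchanges) can be written down as a small blockchain-analysis routine. The following is an added example and not code from the study or this article; all transactions, addresses and the exchange label are constructed for illustration, and the transaction shape is simplified to input addresses and (output address, amount) pairs.

```python
"""Added example: the multi-input (co-spending) clustering heuristic applied to
ransom-payment addresses, followed by a trace of cluster outputs to labelled
exchange deposit addresses. All data below is constructed, not real chain data."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Simplified transaction: (tx_id, input addresses, [(output address, BTC), ...]).
Tx = Tuple[str, List[str], List[Tuple[str, float]]]

SAMPLE_TXS: List[Tx] = [
    # Victims pay into per-victim ransom addresses (constructed).
    ("t1", ["victim1"], [("ransom1", 0.5)]),
    ("t2", ["victim2"], [("ransom2", 0.5)]),
    ("t3", ["victim3"], [("ransom3", 1.0)]),
    ("t4", ["victim4"], [("ransom4", 0.25)]),
    # Operator consolidates: spending several addresses in one transaction
    # requires the keys to all of them, so they belong to one key holder.
    ("t5", ["ransom1", "ransom2"], [("central", 1.0)]),
    ("t6", ["ransom3", "ransom4", "central"], [("central", 2.25)]),
    # Cash-out: the central wallet pays a labelled exchange deposit address.
    ("t7", ["central"], [("exch_dep_1", 2.0), ("change1", 0.25)]),
    # Unrelated traffic that must not be attributed to the operator.
    ("t8", ["alice"], [("bob", 3.0)]),
]

# Exchange deposit addresses with labels (placeholder label, not a real exchange).
KNOWN_EXCHANGE_ADDRS: Dict[str, str] = {"exch_dep_1": "EXCHANGE_PLACEHOLDER"}

# Seed addresses, e.g. recovered from posted ransom notes or sandbox runs.
SEED_ADDRS: Set[str] = {"ransom1", "ransom3"}


class UnionFind:
    """Disjoint-set structure over address strings."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_cospending(txs: List[Tx]) -> UnionFind:
    """Multi-input heuristic: all inputs of one transaction share a controller."""
    uf = UnionFind()
    for _tx_id, inputs, _outputs in txs:
        for addr in inputs:
            uf.find(addr)  # register every spending address
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    return uf


def expand_seeds(txs: List[Tx], seeds: Set[str]) -> Set[str]:
    """Every address in the same co-spending cluster as any seed address."""
    uf = cluster_by_cospending(txs)
    roots = {uf.find(s) for s in seeds}
    return {a for a in list(uf.parent) if uf.find(a) in roots}


def ransom_inflows(txs: List[Tx], cluster: Set[str]) -> Tuple[float, Set[str]]:
    """Sum payments into the cluster from outside it; internal moves are skipped."""
    total, payers = 0.0, set()
    for _tx_id, inputs, outputs in txs:
        if any(i in cluster for i in inputs):
            continue  # consolidation by the operator, not a victim payment
        for addr, amount in outputs:
            if addr in cluster:
                total += amount
                payers.update(inputs)
    return total, payers


def trace_to_exchanges(txs: List[Tx], cluster: Set[str],
                       exchanges: Dict[str, str]) -> Dict[str, float]:
    """BTC sent directly from cluster addresses to labelled exchange deposits."""
    cashouts: Dict[str, float] = defaultdict(float)
    for _tx_id, inputs, outputs in txs:
        if not any(i in cluster for i in inputs):
            continue
        for addr, amount in outputs:
            if addr in exchanges:
                cashouts[exchanges[addr]] += amount
    return dict(cashouts)


def summarize(txs: List[Tx], seeds: Set[str], exchanges: Dict[str, str]) -> dict:
    """Run the full pipeline: expand seeds, measure revenue, locate cash-outs."""
    cluster = expand_seeds(txs, seeds)
    revenue, payers = ransom_inflows(txs, cluster)
    return {
        "cluster": cluster,
        "newly_linked": cluster - seeds,
        "revenue_btc": revenue,
        "payers": payers,
        "cashouts": trace_to_exchanges(txs, cluster, exchanges),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TXS, SEED_ADDRS, KNOWN_EXCHANGE_ADDRS).items():
        print(f"{key}: {value}")
```

Starting from only two seed addresses, the consolidation transactions link two further ransom addresses and the central wallet to the same controller, the inflow sum counts only money arriving from outside the cluster (so the operator’s own consolidations are not double-counted as revenue), and the cash-out step reports how much reached a labelled exchange deposit. Real analyses also need change-address and timing heuristics and a curated exchange-address list, which the article notes the researchers obtained in part from Chainalysis.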

Unfortunately, the RC3 website does not provide the full video presentation, but the full text of the report is available.

How to guard against ransomware

Bumper profits from ransomware have led cybercriminals to behave ever more brashly. One day they position themselves as modern-day Robin Hoods by investing in charity, the next they fund an ad campaign to further harass victims. In this study, the researchers tried to locate the pressure points that would stop the financial flows and sow doubt in cybercriminals’ minds about the profitability of new ransomware.

The only truly effective method to combat cybercrime is to prevent infection. Therefore, we recommend sticking closely to the following rules:

  • Train employees to recognize social engineering techniques. Outside of a few rare cases, attackers usually try to infect computers by sending users a malicious document or link.
  • Update all software, especially operating systems, regularly. Very often, ransomware and its delivery tools exploit known, but not yet patched, vulnerabilities.
  • Use security solutions with built-in antiransomware technologies — ideally, ones capable of dealing with both known and yet-undetected threats.
  • Back up data regularly, preferably storing backups on separate media that are not permanently connected to the local network.