Criminals no longer risk exposing themselves at ransom collections; instead, they launch ransomware attacks remotely from a computer. This type of attack returned to prominence in the 2010s with the rise of cryptocurrencies, which presented an ideal method of collecting ransoms.
Bitcoin as a Tool for Criminals
Since the renaissance of ransomware, Bitcoin has been the currency of choice for ransom demands. The original cryptocurrency offered criminals obvious benefits: large sums could be sent over long distances quickly, using Bitcoin doesn’t require revealing any identifying information, and the peer-to-peer nature of the network means there is no oversight from governments or banks.
This started in 2013 with the CryptoLocker ransomware, which used infected email attachments to gain access to computers and encrypt files. Victims were then asked to pay Bitcoin ransoms to retrieve their files. In just three months, up to 250,000 systems were thought to have been infected and the criminals had netted an estimated $27.8 million.
Bitcoin ransoms hit the headlines again in 2017 with the WannaCry ransomware attack, which affected about 230,000 computers and caused an estimated $4 billion in losses globally. And ransom attacks have only increased since then. Research by Chainalysis showed that $406 million had been sent to ransomware addresses in 2020 – a more than fourfold increase from the year before.
While Bitcoin may be the first and most popular cryptocurrency used in ransomware attacks, it’s not the only one – and some coins even have a design that makes them more suited to cybercriminals.
The Rise of Privacy Coins
You could be forgiven for thinking that Bitcoin provides complete privacy, but over the years, that has proved not to be true. Bitcoin provides pseudonymity but not anonymity. This means that although you don’t have to provide personal information to use the Bitcoin network, your wallet address and all your transactions are stored on the public ledger, where they are visible to everyone. With the help of blockchain analytics firms like Chainalysis, authorities can sometimes even put together enough pieces of the puzzle to determine the owner of a particular Bitcoin wallet address.
This led to the creation of a new class of cryptocurrencies that provide true anonymity: privacy coins. Monero, which is the largest privacy coin by market cap, uses a technology called ring signatures to protect senders of XMR, as randomly selected public keys are used as decoys to make it impossible to tell who signed the transaction. It also employs ring confidential transactions to obfuscate the amount involved.
These types of technologies clearly make Monero and other privacy coins ideal for users who want to hide their transactions, such as those involved in illicit activities. Indeed, many cybercriminals have already started using privacy coins.
Why Use Bitcoin?
So, if Bitcoin is traceable and privacy coins aren’t, why would any competent cybercriminal choose to use Bitcoin?
Well, for one thing, there is the issue of accessibility. Bitcoin is the easiest cryptocurrency to buy and sell – with a range of available payment methods. Non-crypto-savvy ransomware victims are more likely to be able to pay a ransom in Bitcoin than a privacy coin they’ve never heard of – especially as many regulated exchanges don’t list privacy coins.
What’s more, companies are more likely to pay Bitcoin ransoms if they have cyber insurance, while insurers may refuse to pay out after a Monero ransom payment as it can’t be verified that the payment didn’t go to an entity on the sanctions list.
Also, while Bitcoin’s public ledger could potentially expose cybercriminals, it also makes it easy for them to verify that they’ve been paid. Finally, tools such as Bitcoin mixers or tumblers can obscure the money trail to keep criminals’ identities hidden.
A Shift in Crypto Criminality
Nonetheless, Bitcoin still has its issues as a ransom tool. Colonial Pipeline paid a Bitcoin ransom of $4.4 million in May, but the FBI tracked the funds on the Bitcoin ledger and successfully seized a large portion of them the following month. This wasn’t an isolated incident, as law enforcement has made a habit of tracing Bitcoin and sometimes recovering it.
Many cybercriminals, such as the Russian ransomware-as-a-service operation REvil, therefore prefer Monero for ransom attacks. The former director of Europol suggested back in 2018 that a shift towards cryptocurrencies other than Bitcoin was likely among criminals.
With the Colonial Pipeline recovery and the ever-improving blockchain analysis capabilities of law enforcement, he may have a point, and we may see that shift become more pronounced in the years to come.