Are people paying ransomware with Bitcoin?

Add to my custom PDF

Behind Closed Doors: Measurement and Analysis of CryptoLocker Ransoms in Bitcoin

CryptoLocker is a family of ransomware using Bitcoin as a payment method. This type of malicious software encrypts all valuable fles on a victim’s system. Once all the fles are encrypted, the program lets the victim know about the infection by sending a message. In order to decrypt the fles, the victim is asked for money. The data will remain encrypted until the ransom is paid. Usually, these ransoms are paid using Bitcoin, which is a decentralized cryptographic currency. Known for its pseudo-anonymity, this digital currency gained popularity over the past few years and is used in different types of cybercrime, such as fnancial fraud. Money transfers in Bitcoin are virtually impossible to reverse and diffcult to trace. All confrmed transactions made in Bitcoin are visible to the public in something called a blockchain. The transactions are issued with a Bitcoin address instead of with a name. Initially, this intended to preserve the user’s anonymity, because nothing was supposed to relate a person to their Bitcoin address. But, with the existence of the blockchain, this technique has been proven ineffective in ensuring anonymity.

Liao, et al. wanted to understand who were the targets of the CryptoLocker malware. They used information collected from forums online to gain insight into this new digital threat and a better knowledge of ransomware criminal enterprise strategies.

During their study, they discovered a total of 968 Bitcoin addresses used by the CryptoLocker operators. Initially, they found two victims had posted addresses on Reddit, a social news networking service. These addresses were considered as seeds. The remaining addresses were found by analyzing Bitcoin transactions linked to these seeds. The researchers then collected data about the payments and identifed 795 ransom payments. CryptoLocker targeted professionals and so the researchers assumed that the payments were processed during business hours. This allowed them to assign a country of origin to the payers. For example, the period from 9:00 a.m. to 5:00 p.m. corresponds to 17:00 UTC to 1:00 UTC in the Pacifc Time Zone, which is UTC-08:00. Therefore, a payment made between 9:00 UTC and 17:00 UTC (UTC±00:00) is more likely to have come from Great Britain.

The results indicate that the top three countries from which ransoms were paid are the United States, Great Britain and Australia. In addition to this, the researchers were able to extract eight communities from the cluster of 968 Bitcoin addresses using an algorithm to detect communities in a network. It provided a better understanding of the CryptoLocker fnancial infrastructure. In some of the communities identifed, they discovered relationships between the Bitcoin addresses used with CryptoLocker and those involved in money laundering activities. They also found the use of Bitcoin fog mixer; a service that mixes and randomizes outgoing transactions for a percentage fee. This kind of service can assist cybercriminals to launder the stolen Bitcoin. In the center of one of the communities, they were able to identify an address belonging to BTC-e, one of the largest currency exchange services for Bitcoin. The losses related to CryptoLocker within four months were estimated at $310,472.38. Furthermore, they identifed possible connections between different forms of crime involving Bitcoin; such as phony black market scams and ransomware.

Ransomware is a signifcant problem, with Cryptolocker alone costing victims more than $300,000 in a single quarter. The current understanding of ransomware and the role of Bitcoin in online crime is insuffcient for the development of effective countermeasures.

The Bitcoin payed in ransomware is significant.