Ransomware, Bitcoin, other payment options

As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only.

David Harley, 15th April 2020

[Because it was never intended to be a comprehensive general guide to Bitcoin and other cryptocurrencies, this page has not been regularly updated. However, in the light of the more recent upsurge in security concerns with cryptocurrency that go far beyond the use of Bitcoin (et al.) by ransomware gangs, there is now a page on this blog devoted to Cryptocurrency/Crypto-mining News and Resources which is regularly maintained for the present. DH, 31st March 2018.]

Ransomware gangs are fond of bitcoin, and some victims who decide to pay up are finding the bitcoin technology somewhat daunting, to the extent that PadCrypt may be intended to offer advice on paying with bitcoin by way of a live chat facility (offline at the time of writing). At any rate, Bleeping Computer’s Lawrence Abrams comments:

“A feature like this could potentially increase the amount of payments as the victim can receive “support” and be guided on the confusing process of making a payment.”

Here are some articles that relate to bitcoin:

  • If you want a comprehensive explanation of how it’s all supposed to work, I recommend Princeton University’s Bitcoin and Cryptocurrency Technologies by Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, and Steven Goldfeder, though it’s long and not particularly cheap. (And, ironically, you can’t buy it with bitcoin.) It assumes that ‘…you have a basic understanding of computer science — how computers work, data structures and algorithms, and some programming experience. If you’re an undergraduate or graduate student of computer science, a software developer, an entrepreneur, or a technology hobbyist, this textbook is for you.’ However, it is written in a fairly conversational tone, so it’s certainly worth a look if you’re reasonably IT-literate.
  • This primer from Princeton is about 296 pages shorter and more consumer-friendly. And here’s Bitcoin’s own FAQ.
  • Richard Chirgwin points out that Bitcoiners are just like everybody else: They use rubbish passwords, which may not reassure you.
  • Imperva has published an interesting paper on ‘The secret of Cryptowall’s success’, based on Bitcoin wallet analysis.
  • Bitcoin Wiki
  • Blockchain Blog

Lucian Constantin reports [15 April 2016]: The CTB-Locker ransomware uses a metadata field in bitcoin transactions to store decryption keys

[29th April 2016] While Bitcoin (and, potentially, its competitors/peers, I suppose) has obvious advantages for the extortionist, we’ve seen a curious shift towards other forms of ransom payment recently. In Music-Loving Android.Locker Ransomware I described malware that demands payment in iTunes gift cards, while Lawrence Abrams for Bleeping Computer reports on something called TrueCrypter that demands payment either as 0.2 bitcoins or as $115 in Amazon gift cards: TrueCrypter Ransomware accepts payment in Bitcoins or Amazon Gift Card.

He also mentions an unnamed Android screen locker that also demands Amazon gift cards. He observes:

This is an odd choice of a ransom payment as the Amazon Gift Card funds can easily be tracked by Amazon. This, and the fact that the payment confirmation system is broken, makes me believe that this program was made by an amateur rather than a seasoned malware developer.

He has a point, but I’m told there are forums where gift cards might be ‘laundered’ before they turn up in the virtual economy. Still, TrueCrypter looks very amateur for other reasons, too. Just clicking on the ‘Pay’ button decrypts your files. I suspect that won’t always be the case, though.

This BBC article about the creator (apparently) of Bitcoin isn’t about ransomware at all, but might be of interest for its summary of how it works. Craig Wright revealed as Bitcoin creator Satoshi Nakamoto.

Not that everyone is convinced that Craig Wright really is Satoshi Nakamoto, by the way.

[3rd May 2016] Another example of ransomware that likes iTunes gift cards.

[Added 25th May 2016]

For Malwarebytes, Chris Boyd reports on the Cyber.Police Android ransomware posing as an ‘Adult Player’, and its ludicrous claim that the victim can pay a ‘Treasury’ fine with iTunes gift cards. Who’d have thought that law enforcement were such dedicated music lovers?

[Added 5th June, 2016]

Not ransomware, but related in that it clearly involves extortion/blackmail: the FBI has issued an alert about Extortion E-Mail Schemes Tied To Recent High-Profile Data Breaches. The threatening messages arrive in the wake of a flood of revelations of high-profile data thefts. The ready availability of stolen credentials is used by crooks to convince victims that they have information that will be released to friends ‘and family members (and perhaps even your employers too)’ unless a payment of 2-5 bitcoins is received.

The generic nature of some of the messages quoted by the FBI doesn’t suggest that the scammer has any real knowledge of the targets or of information that relates to them.

‘If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then…’

This sounds more like mass mailouts in the hope that some will reach a target sufficiently guilt-ridden to pay up just in case. Other messages may well frighten some people, fearful of being ‘doxed’, into paying up in case their personally-identifiable information falls into the wrong hands.

[25th October 2016]

The Guardian and the International Business Times offer a sidebar to the ‘Do/should businesses/organizations pay up?’ discussion, by revealing that financial institutions are amassing bitcoin in case of extortion. However, both articles are focused on DDoS attacks and related extortion demands rather than ransomware. The IBT article doesn’t really go into the question of whether paying up is a Good Thing, except to quote Dr. Simon Moores: ‘The police will concede that they don’t have the resources available to deal with this because of the significant growth in the number of attacks.’ The article in the Guardian (from which the IBT seems to have drawn most of its content) does explore that issue in more depth, but doesn’t discuss ransomware at all.

However, IBT does quote Marcin Kleczynski of Malwarebytes as saying a couple of months ago that he knew of UK banks that have substantial quantities of bitcoin ready to deploy in the event of a ransomware attack. Well, that’s going to discourage the bad guys, isn’t it? 😦

International Business Times: UK banks allegedly stockpiling Bitcoin to pay off cybercrime extortion threats – Police ‘don’t have the resources’ to combat cyber extortion attempts, expert claims.

[Back to the Ransomware Resource Page]