Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Business Impact

True scale of Bitcoin ransomware extortion revealed

By tracking the Bitcoin accounts associated with ransomware, researchers have calculated how much cybercriminals extracted from their victims.

Ransomware is one of the more worrying types of malware to emerge in recent years. It works by restricting access to computer files until a ransom is paid. Victims have included the British National Health Service, the Spanish telecom company Telefonica, the Russian oil giant Rosneft, and many others.

Victims are usually required to pay a Bitcoin ransom equivalent to a few hundred dollars to release their files. Typically, the ransom increases over time until a deadline when the files are supposedly destroyed. Many companies and individuals have had little choice but to pay up.

And that raises an interesting question. How much money have Bitcoin ransomware programs generated for their malicious masters?

US dollar value of ransoms paid to CryptoWall Bitcoin accounts

Today we get an answer thanks to the work of Mauro Conti at the University of Padua in Italy and a couple of colleagues. These guys have created a database of Bitcoin accounts used by ransomware criminals and added up the ransoms paid into them. The result is a comprehensive analysis of the gains made by cybercriminals in this emerging area of crime.

While ransomware can ask for payment in kind of currency, Conti and co focus only on those that ask for Bitcoin payments. That’s because Bitcoin transactions are openly recorded and free to view. So in principle, it should be possible to work out exactly how much each account receives. “Our aim was to accurately measure the USD worth of these payments,” says Conti and co.

The team began by creating a database of Bitcoin accounts associated with this kind of activity since 2013, when the ransomware Cryptolocker became the first to ask for payment in Bitcoin. “We found twenty ransomware that fulfilled our selection criteria, i.e., those ransomware: (i) that used Bitcoin as at least one mode of ransom payment, and (ii) for which at least one Bitcoin address is publicly known,” they explain.

For each species of malware, they provide a useful overview of the way it works and spreads and how it has evolved over time.

Not all payments to these accounts are necessarily ransoms. So Conti and co developed a way to distinguish ransom payments from other types. They do this by looking for payments that correspond to the specific amounts that the malware demands in ransom.

Finally, Conti and co add up all the ransom payments received by each type of malware. Their work reveals the most profitable ransomware but also raises questions about the way these accounts are used and how they can be tracked.

By far the most profitable form of ransomware turns out to be CryptoWall, which began infecting Windows computers in November 2013. It encrypted the files using the RSA-2048 encryption algorithm and then demanded a payment of up to $1,400 to release them.

The malware spread through various vectors, such as download links sent by the Cutwail spam botnet. Some versions of the malware created a unique Bitcoin payment address for each infected user and used the Tor darknet system to provide anonymous links to each victim.

Between its release and December 2015, Bitcoin addresses associated with this malware received $2.2 million in Bitcoin payments and a further $2.3 million in higher-value transactions, which Conti and co suspect may also be ransom payments.

Curiously, the total value of payments received by these Bitcoin addresses was over $45 million. Most of these transactions were not directly linked by Conti and co to ransom amounts. That’s a significant amount of money and raises the obvious question of what it was payment for.

The full ranking of Bitcoin ransomware projects by the US dollar amount they generated is as follows:

Ransomware                     Bitcoin ransom received               USD value

CryptoWall                         5,351.2329                                       2,220,909.12

CryptoLocker                     1403.7548                                         449,274.97

DMA Locker                      339.4591                                           178,162.77

WannaCry                          47.1743                                             86,076.76

CryptoDefense                  126.6960                                           63,859.49

NotPetya                            4.0576                                               9,835.86

KeRanger                            9.9990                                               4,173.12

 

Interestingly, the WannaCry outbreak received huge media coverage as the malware spread widely. But the attack was foiled by the cybersecurity researcher Marcus Hutchins, who discovered and activated a built-in kill switch that prevented the malware from being more destructive.

“The overall impact (including financial losses) due to WannaCry infection could have been worse … thanks to the early detection of the kill switch, which prevented the infected computers from spreading WannaCry further,” say Conti and co.

The team also discuss other forms of malware that asked for but do not seem to have received any substantial ransoms. These include TeslaCrypt, Hi Buddy!, and KillDisk.

Various other groups have carried out similar analyses and come to similar conclusions. However, Conte and co make their data set publicly available so others can build on it. “The dataset contains a detailed transaction history of all the addresses we identified for every ransomware,” they say.

Cybercriminals use Bitcoin because it provides a seemingly anonymous way of gathering and making payments. However, Bitcoin is pseudonymous rather than anonymous. That means users can protect their identify provided that none of their transactions can be linked to their real identity. But as soon as a single transaction is linked to their personal identification data, then all of their transactions become linked in the same way.

A useful analogy is to authors who publish under a pseudonym. As long as the author’s identity is never linked to any of the pseudonymous articles, he or she remains anonymous. But if it is linked to just one pseudonymous article, it is linked to all of them, and then anonymity is lost.

So pseudonymous protection is a fragile thing. A single transaction that links a Bitcoin account to a personal account can reveal the identity of a cybercriminal. And personal data leaks all the time in web-based transactions.

Last year, we wrote about the imperfections in the anonymity of Bitcoin  transactions. That should provide some hope of tracking these criminals.

Conti and co have set this type of investigation as a future goal. “We will attempt to trace how the received ransoms were used and by whom,” they say.

That’s brave and ambitious. But it also raises a question—what are law enforcement agencies doing in the meantime?

Ref: arxiv.org/abs/1804.01341 : On the Economic Significance of Ransomware Campaigns: A Bitcoin Transactions Perspective

Couldn't make it to EmTech Next to meet experts in AI, Robotics and the Economy?

Go behind the scenes and check out our video
US dollar value of ransoms paid to CryptoWall Bitcoin accounts
More from Business Impact

How technology advances are changing the economy and providing new opportunities in many industries.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Print Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.