They are now even willing to negotiate: After initially demanding $70 million (€59 million), the hackers behind last weekend’s Kaseya cyberattack might settle for $50 million. It would nevertheless be the largest ransom demand in the history of cybercrime. In exchange, the hackers would disable encryption malware — so-called ransomware — that has rendered computer networks of around 1,500 companies worldwide unusable since then.
The hacker group REvil is behind the attack. It has demanded the ransom in Bitcoin. Joseph Edwards of cryptobroker Enigma Securities finds it unusual that the extortionists are demanding such a large amount in the cryptocurrency.
“This sounds more like a publicity stunt,” Edwards told DW.
Blackmailers prefer small sums
Typically, extortionists tend to keep the amounts small, between $100,000 and $2 million, Edwards said. “These tend to be amounts that are worthwhile, but also amounts that companies are willing to pay quickly to avoid bad publicity and extended downtime.”
The goal of the criminals, he said, was to prevent authorities from getting involved in the first place, because once investigators are on the trail of Bitcoin transactions, “it’s increasingly common for the criminals to get exposed, lose their money, and avoid arrest only because they’re outside US jurisdiction — in Russia or China, for example.”
Still, Bitcoin is what made ransomware extortion fashionable in the first place, says Mikko Hypponen, head of research at Finnish security services provider F-Secure. He said criminals took a liking to the cryptocurrency in 2013. “It was assumed that Bitcoin was anonymous and untraceable. But since then, criminals have learned that it’s not as untraceable as they once thought.”
The analytics firm Chainalysis analyzes cryptocurrency transactions, and one of its studies deals with ransom demands. According to that study, the volume of ransom demands in digital currencies is increasing.
Bitcoin has been a favorite by far, but the cryptocurrency Monero also plays a role, Duncan Hoffman, Chainalysis general manager of the European, Middle Eastern and African region, told DW. However, he added that we only know of attacks that have been made public. “There are probably many more cases where organizations are quietly paying ransoms that we don’t know about.”
Bitcoin is not completely anonymous
The advantages of Bitcoin are obvious. The cryptocurrency is the most popular and accessible digital currency. “It makes it easier for victims of extortion to comply with the demand,” said Thomas Faber of the Frankfurt School of Finance & Management.
Anyone who wants to trade needs a digital wallet. Every transaction involving that wallet’s address is recorded permanently on the public blockchain and can be viewed by anyone. “Anyone can see and track the account balance and all transactions of an address without any detours,” Faber said.
Exchanging cryptocoins an Achilles’ heel
Identities can be hidden behind the wallet address, “but at some point, the bitcoins have to be exchanged for real money, otherwise the value remains useless for many purposes.” At that point, one generally can’t do without a proof of identity, Faber said. “That’s why people often talk about Bitcoin as being pseudonymous rather than anonymous.”
The moment a cryptocurrency is exchanged for real money is where investigators have their best prospect of a breakthrough, says Joseph Edwards of Enigma Securities. “Almost all exchanges require significant identity verification for all transactions.”
According to an analysis by Chainalysis, more than 80% of the extorted Bitcoin amounts were transferred to only five exchanges. That suggests many exchanges were doing a good job, Hoffman said. “But it also suggests that a few tend to turn a blind eye or simply don’t monitor activity.”
Both sides are upgrading
Another way to exchange Bitcoin acquired as ransom is through so-called peer-to-peer exchanges, says blockchain expert Faber. This involves a sale between two people that takes place online. Savvy extortionists could also buy services or products in Bitcoin on the darknet.
In both cases, however, the person receiving the bitcoin holds a digital coin that may one day be traced back to a ransomware transaction. Here, too, there are ways to further disguise the origin of the bitcoins; so-called mixers make this possible.
Still, tracking tools have become more powerful, says Edwards. “If the ransom is large enough and the authorities focus their full attention on it, it’s easy to track the criminals.”
The hacker group DarkSide learned the pitfalls of demanding ransom in Bitcoin the hard way. Colonial Pipeline in the United States had paid them around $4 million in Bitcoin to restore the computer systems they had shut down. However, the FBI tracked the ransom through 23 wallets and was able to recover a large part of it in the end. A clear message to the growing number of international hacker groups: We’re on your heels.
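The two points the article makes, that anyone can follow an address on the public ledger and that investigators can trace a ransom hop by hop across wallets, can be shown on a small scale. The script below is an added educational example, not code from the article, from DW, Chainalysis or any investigator. It builds a constructed toy ledger (the transaction ids, address names and the "Exchange A"/"Exchange B" labels are all invented for illustration), follows every output of every spend from the ransom address until the coins come to rest, counts the hops, and reports what share ended at an address labelled as belonging to an identity-checking exchange. It uses the simplest "every output is tainted" rule; real blockchain analysis tools apply finer heuristics.

```python
"""Forward-tracing a ransom payment across a toy public ledger.

Added educational example (not code from the article, DW, Chainalysis or
any investigator). The ledger, address names and service labels are
constructed for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One on-chain transaction: the addresses it spends from and the
    (address, amount) outputs it creates."""
    txid: str
    inputs: tuple   # addresses whose coins are spent
    outputs: tuple  # ((address, amount), ...)


# Constructed toy ledger: a victim pays 100 coins to the extortionists'
# address, which is then split and hopped towards two exchanges.
LEDGER = (
    Tx("tx1", ("victim",), (("ransom_addr", 100.0),)),
    Tx("tx2", ("ransom_addr",), (("hop_a", 60.0), ("hop_b", 40.0))),
    Tx("tx3", ("hop_a",), (("hop_c", 59.0), ("hop_a_change", 1.0))),
    Tx("tx4", ("hop_c",), (("exchange_a_deposit", 59.0),)),
    Tx("tx5", ("hop_b",), (("exchange_b_deposit", 25.0), ("hop_d", 15.0))),
)

# Constructed attribution list: addresses assumed to belong to a service
# that performs identity checks (the KYC choke point the article describes).
KNOWN_SERVICES = {
    "exchange_a_deposit": "Exchange A",
    "exchange_b_deposit": "Exchange B",
}


def build_spend_index(ledger):
    """Map each address to the transactions that spend coins from it."""
    index = defaultdict(list)
    for tx in ledger:
        for addr in tx.inputs:
            index[addr].append(tx)
    return index


def total_received(ledger, address):
    """Sum of all outputs paid to an address across the whole ledger."""
    return sum(amt for tx in ledger for out, amt in tx.outputs if out == address)


def trace_forward(ledger, start_address):
    """Breadth-first walk from start_address over every later spend.

    Returns {terminal_address: (amount, hops)} where a terminal is an
    address whose coins have not been spent again. Every output of a
    tainted spend is treated as tainted (the coarsest possible rule).
    """
    spends = build_spend_index(ledger)
    terminals = {}
    seen_txids = set()  # guards against revisiting a transaction
    queue = deque([(start_address, total_received(ledger, start_address), 0)])
    while queue:
        addr, amount, hops = queue.popleft()
        if addr not in spends:
            prev_amount, prev_hops = terminals.get(addr, (0.0, hops))
            terminals[addr] = (prev_amount + amount, min(prev_hops, hops))
            continue
        for tx in spends[addr]:
            if tx.txid in seen_txids:
                continue
            seen_txids.add(tx.txid)
            for out_addr, out_amount in tx.outputs:
                queue.append((out_addr, out_amount, hops + 1))
    return terminals


def service_breakdown(terminals, known_services):
    """Sum traced coins per labelled service; unlabelled endpoints are
    grouped under 'unattributed'."""
    totals = defaultdict(float)
    for addr, (amount, _hops) in terminals.items():
        totals[known_services.get(addr, "unattributed")] += amount
    return dict(totals)


def share_reaching_services(terminals, known_services):
    """Fraction of traced coins that came to rest at a labelled service."""
    total = sum(amount for amount, _ in terminals.values())
    if total == 0:
        return 0.0
    labelled = sum(amount for addr, (amount, _) in terminals.items()
                   if addr in known_services)
    return labelled / total


if __name__ == "__main__":
    ends = trace_forward(LEDGER, "ransom_addr")
    for addr, (amount, hops) in sorted(ends.items()):
        label = KNOWN_SERVICES.get(addr, "unattributed")
        print(f"{addr:20s} {amount:7.2f} coins after {hops} hop(s)  [{label}]")
    print("by service:", service_breakdown(ends, KNOWN_SERVICES))
    print(f"share at labelled exchanges: "
          f"{share_reaching_services(ends, KNOWN_SERVICES):.0%}")
```

On the toy ledger the walk finds 84 of the 100 ransom coins sitting in the two labelled exchange deposit addresses after two and three hops, which is the kind of figure behind the "more than 80% went to five exchanges" observation above. The 16 coins left in unlabelled addresses are where an investigator's work would continue, and where a mixer, had one been used, would have multiplied the hops and split the amounts far more aggressively than this example does.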
Shortly after, however, another group extorted nearly $11 million in Bitcoin from the world’s largest meat producer, JBS. That crime is also believed to be the work of the REvil group.
This article was adapted from the original German.