Why Do Ransomware Viruses Require Payments in Bitcoins?

On May 12, the world was struck by the biggest epidemic so far of the ransomware virus called WannaCry, also known as WannaCrypt. Infosec experts recorded attacks in 150 countries, and the virus hit more than 200 thousand computers in a single day. The largest number of attacks was recorded in Russia and Ukraine.

WannaCry is a Trojan that encrypts files on infected computers and blocks access to the data. To regain access to their files, users must send 300-600 USD in Bitcoins to the wallet of the intruders behind WannaCry. Of course, there is no guarantee that your files will be decrypted and unblocked after the payment. But why do malware authors demand that their victims pay in Bitcoins?

It is worth taking a look at the history of extortion viruses and how their methods of collecting money from victims have evolved.

The WannaCry mentioned at the beginning of the article belongs to a type of ransomware that has existed for several decades, long before the appearance of Bitcoin, the first crypto currency.

This type of virus was first detected in 1989 – around 20 years before Bitcoin. The malicious program, called the AIDS Trojan, spread on floppy disks handed out during a medical conference. The virus encrypted all files on the computer’s C drive and demanded that 189 USD be sent to a mailbox in Panama.

In 2006, three years before the appearance of Bitcoin, a new extortion virus called Archievus spread widely. It was the first to use asymmetric encryption. The malicious program prevented users from accessing the My Documents folder; to unlock access, Archievus offered to sell a password through special websites.

In 2008 – 2009, fake software disguised as antivirus products demanded 100 USD for “eliminating” problems on users’ machines.

In 2012, the Reveton Trojan forced users to pay for unlocking their computer with vouchers from prepaid services like Ukash or Paysafecard.

The quickly growing crypto-currency market reached 55.5 billion USD in May 2017. This creates an ideal opportunity for cyber criminals to receive money into their accounts while remaining anonymous.

The popularity of BTC (Bitcoin) in illegal schemes is not accidental. At the heart of Bitcoin transactions lies a distributed database – the blockchain. It is maintained by the users themselves, and there is no central regulatory body at all. The transaction history is transparent to every user of the network, but it is extremely difficult to determine who exactly is behind any specific transaction.

In addition to Bitcoin, cybercriminals also use other crypto-currencies – altcoins. For example, Kirk ransomware, which encrypts about 625 different file types using RSA-4096, demands payment in the Monero crypto-currency.

Despite Bitcoin’s reputation as an anonymous means of payment, there are already solutions on the market that make it possible to track transactions and identify criminals. For example, Elliptic is designed to monitor illegal trafficking in Bitcoins. The company cooperates with financial organizations and law enforcement agencies. It is also known that Elliptic cooperates with crypto-currency exchanges, allowing them to follow the KYC (know your customer) principle and identify their counterparties. As a result, it has become possible to recognize intruders at the stage where they withdraw funds.

Using the Elliptic solution, you can determine which wallet an attacker is using. For example, it has already been possible to identify the balances of three Bitcoin wallets associated with WannaCry.

The wallet can be identified by address clustering, developed in close cooperation with service providers. The essence of the solution is that each cluster is assigned its own risk score, which makes it possible to estimate the probability that a wallet is connected to the darknet. Thanks to address clustering, Bitcoin services like Coinbase, Mycelium or Wirex can immediately identify such a transfer and block it.
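The two points above (the ledger is public but pseudonymous, and clustering lets a service score a deposit address by the company it keeps) can be shown with a small worked example. The code below is an added illustration written for this article; it is not Elliptic’s product or any service’s code. It assumes the common-input-ownership heuristic, a published clustering rule that treats all addresses spent together as inputs of one transaction as controlled by one entity (since spending them requires all of their keys), and it uses constructed transactions, addresses and risk labels rather than real blockchain data.

```python
"""
Toy address clustering with the common-input-ownership heuristic.

Assumption (not from the article): addresses that appear together as inputs
of one transaction belong to one owner. Such addresses are merged into a
cluster with a union-find structure. A cluster inherits the highest risk
score of any labelled address inside it, so a deposit from a never-seen
address that shares a cluster with a flagged one is still caught.
"""
from collections import defaultdict

# Constructed sample transactions: (txid, input addresses, output addresses).
# The ids and addresses are placeholders, not real Bitcoin identifiers.
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], ["B1"]),        # A1 and A2 spent together -> same owner
    ("tx2", ["A2", "A3"], ["B2", "A4"]),  # links A3 into the A1/A2 cluster
    ("tx3", ["C1"], ["C2"]),              # unrelated single-input spend
    ("tx4", ["A4", "A5"], ["X1"]),        # A4/A5 form their own cluster: receiving
                                          # coins in tx2 proves nothing about ownership
]

# Constructed labels: addresses a service has already scored (0 = clean, 1 = bad).
KNOWN_RISK = {"A1": 0.9, "C1": 0.1}


class AddressClusterer:
    """Union-find over addresses; each root identifies one cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        # Register unseen addresses as their own cluster, then walk to the root.
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def ingest(self, txs):
        for _txid, inputs, outputs in txs:
            for addr in inputs + outputs:
                self.find(addr)               # make every address known
            for addr in inputs[1:]:
                self.union(inputs[0], addr)   # co-spent inputs -> one owner
            # Outputs are deliberately not merged: this heuristic says nothing
            # about who receives the coins.

    def cluster_of(self, addr):
        if addr not in self.parent:
            return frozenset({addr})
        root = self.find(addr)
        return frozenset(a for a in list(self.parent) if self.find(a) == root)

    def clusters(self):
        groups = defaultdict(set)
        for addr in list(self.parent):
            groups[self.find(addr)].add(addr)
        return sorted(sorted(g) for g in groups.values())

    def risk_of(self, addr, known_risk):
        # The cluster is as risky as its worst labelled member.
        return max((known_risk.get(a, 0.0) for a in self.cluster_of(addr)), default=0.0)

    def screen_deposit(self, addr, known_risk, threshold=0.5):
        # Decision a custodial service could make when coins arrive from `addr`.
        return "block" if self.risk_of(addr, known_risk) >= threshold else "allow"


if __name__ == "__main__":
    clusterer = AddressClusterer()
    clusterer.ingest(SAMPLE_TXS)
    for group in clusterer.clusters():
        print(group, "risk =", clusterer.risk_of(group[0], KNOWN_RISK))
    print("deposit from A3:", clusterer.screen_deposit("A3", KNOWN_RISK))
    print("deposit from A5:", clusterer.screen_deposit("A5", KNOWN_RISK))
```

Address A3 never appears in the risk labels, yet it is blocked because tx2 spent it together with A2, which tx1 had already tied to the flagged A1. Address A5 is allowed: the heuristic only links inputs, so receiving change from that cluster in tx2 does not pull A4 and A5 into it. Real clustering services add further heuristics (change detection, exchange deposit patterns) and label data, which is exactly the part the article says is built in cooperation with service providers.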

Whatever the method of sending funds, security experts advise not to pay the ransom under any circumstances, as nothing can be guaranteed when you deal with hackers. In addition, by paying criminals, users fund the creation of new malware and encourage hackers to spread new viruses like Lukitus ransomware.

The crypto-currency market is diverse, and the degree of anonymity depends on how carefully the creators of a particular crypto-currency or blockchain platform designed its code. But the development of address clustering technology suggests that anonymity no longer serves as an unquestioned trump card in the hands of intruders. New technologies that can monitor Bitcoin transactions, together with cooperation with law enforcement bodies, will eventually make operations with altcoins more transparent as well. Perhaps, in the short term, while different countries take their first steps in regulating crypto-currencies, private projects will naturally form the environment for controlling this market. Counteracting money laundering within the various blockchain frameworks is still a new technology, but all players are interested in its development, because such a tool improves the reputation of Bitcoin and reduces the volume of illegal operations around the world.