Ransomware Bitcoin Demands and How Coinfirm’s Investigations Help


In 2021, the damage from cybercrime is predicted to hit $6 trillion (that’s India’s nominal GDP, twice). 

Late last month it was revealed SolarWinds, a company supplying tech infrastructure to 400 out of the Fortune 500, suffered a prolonged malware attack that affected at least 250 US government agencies – including the Nuclear Weapons Agency – and corporations.

But this revelation of a massive supply-chain backdoor malware cyber-attack follows a record year of digital crime, specifically cyber-blackmail or ‘ransomware’. Year-on-year, ransomware attacks have more than doubled. With cybercrime currently the fastest growing form of crime in the U.S., and ransomware the fastest growing subsector, this is a threat to pay attention to.

Ransomware is a class of malware, installed through deceptive links in an email or instant message or by visiting the wrong website, that infects your computer and displays messages demanding a fee (often requested in cryptocurrency) before your system will work again.

REvil, Sodinokibi, Nemty, Nephilim, NetWalker, DoppelPaymer, Ryuk, Maze, CLOP, Tycoon and Sekhmet – brand names to a malicious few, fear-inciting to everybody else – were some of the top ransomware strains last year. According to Kroll – Coinfirm’s strategic partner in forensic crypto-crime investigations – ransomware was the most frequently observed threat year-to-date across its cyber incident response cases, accounting for over one-third of all of them.

Your Money or Your Life

The pandemic has brought two forces into a head-on collision: the soft targets of hospitals desperately needing to get back to life-or-death operations, and criminals ‘working from home’ – taking the up-skilling concept to heart and shifting into cybercrime.

With more than 80 publicly reported ransomware attacks on health care providers in 2020, malicious actors have been holding hospitals to ransom more than any other sector. And recently, this threat has accelerated. In the last two months, the jump in worldwide cyber-attacks on the healthcare sector, 44%, is double the increase in cyber-attacks on all other industry sectors, at 22%. 

Hospitals are soft targets for attackers; organizations with valuable data (medical and personal records), heavily bureaucratic (unable to function without their well-oiled system), often reliant on legacy technology (vulnerable) and pressed for time (surgery, administration of medication, etc). The pandemic has greatly accentuated these challenges.

In a German hospital a woman lost her life as a direct result of a ransomware attack; in the US, attacks on hospitals have coincided with spikes in Covid-19 cases; and in November the Australian Cyber Security Centre (ACSC) warned health-care providers that it had observed an increase in cyber incidents targeting the sector.

Targeting hospitals is not new, and Coinfirm has investigated ransomware attacks on hospitals before, such as SamSam – ransomware that specifically targeted medical facilities (the sector accounted for one-quarter of that strain’s attacks).

WannaCry – a notorious ransomware attack that rapidly spread across 150 countries in 2017 – hit the UK’s NHS especially hard and demanded Bitcoin in exchange for private keys for the decryption of files. The spate of attacks cost the National Health Service £92m, disrupted 1% of all care and infected 200,000 computers.

Crypto Payments and Countering the Threat

State institutions, which are typically heavily centralized, are vulnerable to systemic threats, as the examples of SolarWinds and the NHS show.

Data on the blockchain is encrypted, decentralized and redundantly stored, meaning that if some servers are compromised, the system can be rebooted and the data remains intact. Prevention is the best protection.

However, not every organization is foresighted enough to deploy blockchain data risk management solutions and much work happens after the fact, i.e. after a ransom note is received.

Bitcoin is the primary method of payment for ransomware demands: it first rose to widespread use by gangs with CryptoLocker in 2013, and around 98% of ransom payments are made in Bitcoin (‘privacy coins’ appear in ransomware demands in only around 2% of attacks). Cryptocurrency is also the method of payment for ransomware software ‘licences’ on the darknet. Because of this, Coinfirm can counter ransomware in two distinct ways.

Tracking the Sale of Ransomware

Ransomware is sold off-the-shelf through darknet marketplaces (DNMs), where users go to purchase or sell malware en masse. Often malware is not only purchased outright but also comes with an ‘affiliate program’. Israeli cyber threat intelligence monitoring firm Kela notes that “the share paid to affiliates is 10% to 25%, depending on the size of the ransom.”

Additionally, plenty of hackers are offering ransomware as a service (RaaS), essentially letting anyone hire a hacker from DNMs. Both purchasing/leasing ransomware and hiring black hat hackers are services that can be paid for in cryptocurrency. 

A notable ransomware market change identified this year by Kroll has been the increased use of data exfiltration, now appearing in almost half of attacks: attackers threaten not just to hold the data hostage but to begin periodically releasing it onto the dark web, where it will inevitably be bundled and sold on DNMs. In May 2020, the Sodinokibi ransomware gang (the second most-linked ransomware gang to healthcare attacks last year) added an auction site to their shaming site, where they offer data to the highest bidder.


Coinfirm maintains a dedicated department to monitor darknet flows across more than 1,500 cryptocurrencies and protocols. Monitoring of blockchain addresses enables our network to shut off malicious actors’ revenue streams and operating webs. A public blockchain allows tracing all transactions involving a given bitcoin address, all the way back to the first transaction, giving law enforcement the records needed to ‘follow the money’ in a way that would never be possible with cash.

Investigating Attacks

We are alerted to attacks by various in-house developed avenues. 

Coinfirm’s industry-leading AML Platform encompasses 330+ risk indicators, including indicators that associate transactions and wallets with darknet illicit services, points of exchange, and cybercrime such as ransomware and hacking.

The system is able to alert financial institutions, cryptocurrency exchanges and other obliged entities in real time to the counterparty risk of doing business with individuals or addresses associated with DNMs and cybercriminals, so that the accounts can be reported and frozen. This allows an investigation to be kickstarted that takes advantage of on-chain clustering algorithms, fingerprinting and ownership analysis.
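As an added illustration of the two investigative steps described above (following a ransom address’s funds back through the public ledger, and grouping addresses by ownership via on-chain clustering), here is a small Python model. It is not Coinfirm’s code and does not reflect how the AML Platform works internally: the transactions, addresses and amounts are constructed, and the clustering step uses the common-input-ownership heuristic (outputs spent together in one transaction are assumed to belong to one owner), which is one widely used clustering technique rather than the platform’s own algorithm.

```python
"""Constructed example: tracing and clustering Bitcoin-style transactions.

Added example, not Coinfirm's code. All transactions, addresses and amounts
are constructed for illustration. It models: (1) following funds paid to a
ransom address back to their origin, (2) finding which addresses later
receive those funds (counterparty risk), and (3) clustering addresses by
the common-input-ownership heuristic.
"""
from collections import defaultdict, deque

# Constructed transaction graph. Each tx spends prior outputs ("txid", vout)
# and creates new outputs (address, amount). Coinbase txs have no inputs.
TXS = {
    "tx1": {"inputs": [], "outputs": [("exch_hot_1", 5.00)]},  # coinbase
    "tx2": {"inputs": [("tx1", 0)], "outputs": [("victim_1", 1.20), ("exch_hot_2", 3.80)]},
    "tx3": {"inputs": [("tx2", 0)], "outputs": [("ransom_A", 1.00), ("victim_1_chg", 0.19)]},
    "tx4": {"inputs": [], "outputs": [("exch_hot_3", 2.00)]},  # coinbase
    "tx5": {"inputs": [("tx4", 0)], "outputs": [("victim_2", 0.70), ("exch_hot_4", 1.30)]},
    "tx6": {"inputs": [("tx5", 0)], "outputs": [("ransom_B", 0.60), ("victim_2_chg", 0.09)]},
    # the attacker consolidates both ransom payments into one exchange deposit
    "tx7": {"inputs": [("tx3", 0), ("tx6", 0)], "outputs": [("cashout_deposit", 1.55)]},
}


def output_address(txs, txid, vout):
    """Address that received output `vout` of transaction `txid`."""
    return txs[txid]["outputs"][vout][0]


def funding_txs(txs, address):
    """Txids that pay the address."""
    return [t for t, tx in txs.items() if any(a == address for a, _ in tx["outputs"])]


def spending_txs(txs, address):
    """Txids that spend an output belonging to the address."""
    return [t for t, tx in txs.items()
            if any(output_address(txs, pt, pv) == address for pt, pv in tx["inputs"])]


def trace_back(txs, address):
    """Follow inputs from the tx(s) funding `address` back to coinbase origin.
    Returns txids in breadth-first order: the 'follow the money' path."""
    seen, order = set(), []
    queue = deque(funding_txs(txs, address))
    while queue:
        t = queue.popleft()
        if t in seen:
            continue
        seen.add(t)
        order.append(t)
        queue.extend(pt for pt, _ in txs[t]["inputs"])
    return order


def downstream_addresses(txs, address, max_hops):
    """Addresses receiving funds from `address` within `max_hops` transactions.
    A deposit address within reach of a known ransom address is a
    counterparty-risk signal for the exchange that controls it."""
    frontier, reached = {address}, set()
    for _ in range(max_hops):
        nxt = set()
        for a in frontier:
            for t in spending_txs(txs, a):
                nxt.update(out_addr for out_addr, _ in txs[t]["outputs"])
        nxt -= reached | {address}
        reached |= nxt
        frontier = nxt
    return reached


def cluster_addresses(txs):
    """Common-input-ownership heuristic: addresses whose outputs are spent
    together as inputs of one tx are assumed to share an owner (union-find).
    Returns a mapping address -> frozenset of addresses in its cluster."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs.values():
        addrs = [output_address(txs, pt, pv) for pt, pv in tx["inputs"]]
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    clusters = defaultdict(set)
    for tx in txs.values():
        for a, _ in tx["outputs"]:
            clusters[find(a)].add(a)
    return {a: frozenset(m) for m in clusters.values() for a in m}


if __name__ == "__main__":
    print("origin of ransom_A funds:", trace_back(TXS, "ransom_A"))
    print("cluster of ransom_A:", sorted(cluster_addresses(TXS)["ransom_A"]))
    print("flagged within 2 hops:", sorted(downstream_addresses(TXS, "ransom_A", 2)))
```

On this constructed graph the ransom payment to `ransom_A` traces back through the victim’s exchange withdrawal to a coinbase, the consolidation in `tx7` ties `ransom_A` and `ransom_B` into one cluster, and `cashout_deposit` surfaces as the address an exchange would want to flag. The common-input heuristic is a heuristic, not proof: CoinJoin-style transactions deliberately mix unrelated owners’ inputs and must be excluded before clustering is treated as ownership evidence.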

6AMLD Forces Honesty Around Breaches 

The 6th Anti-Money Laundering Directive (6AMLD), the EU’s latest AMLD that member states began to implement in December of 2020, includes cybercrime for the first time as a predicate offence. 

Taken together with 5AMLD’s requirement that suspicious activity must be reported to Financial Investigative Units, countering ransomware will get easier as businesses become more honest about vulnerabilities, and the true scale of the problem caused by ransomware can be tallied. Currently many cases go unreported, because there is no requirement to report cybercrime-related issues and 95% of demand payments result in the restoration of the encrypted data (in other words, why go through the train wreck of adverse media if you could pay up fast?).

To further strengthen cross-jurisdiction collaboration we will soon be announcing an intelligence alliance. The initiative will add strength to the ecosystem of more than 200 financial institutions, cryptocurrency exchanges and protocols leveraging Coinfirm’s RegTech solutions and will aid practical financial crime work to combat a $6 trillion problem.

Authored by Pawel Kuskowski, CEO

To find out more about the Intelligence Alliance and how Coinfirm combats ransomware, Contact Us today.