What & Why — and introduction
In a ransomware attack, criminals install malicious software (malware) on a victim's device. The malware then denies access to data, systems or even entire networks the compromised device is connected to, typically by encrypting data, exfiltrating it and leaving systems inoperable, which disrupts operations. At the same time, the criminals demand a ransom in exchange for restoring access and decrypting the data. Ransom demands range from a few hundred dollars when individuals are targeted to millions of dollars in attacks on large corporations, critical infrastructure or organisations holding sensitive information. Beyond the financial damage, ransomware attacks therefore also pose a security threat by disrupting critical infrastructure and services. The Financial Action Task Force (FATF) classifies ransomware attacks as a form of extortion, and the FATF Recommendations consequently require jurisdictions to criminalise extortion as a predicate offence for money laundering.
Turning to crypto, the FATF report concludes that criminals demand ransomware payments almost exclusively in virtual assets (VAs) and that victims often use virtual asset service providers (VASPs) to pay the ransom. In turn, criminals also predominantly use VASPs to launder the received ransom payments and eventually exchange the illicit funds for fiat currency. Malicious actors prefer cryptocurrencies as ransom payment because they provide a degree of pseudonymity and allow transfers without a bank or other financial institution in the loop. Lastly, ransomware attacks are an international phenomenon, and the borderless nature of crypto makes it an ideal means of payment for them.
How — examples
Malicious actors have developed various ransomware techniques to maximise the efficacy and profitability of their attacks. One of them is double, triple or multiple extortion: in addition to the original ransom demand, further forms of extortion are used in the same attack, such as threatening to publish the compromised data, or extorting money not only from the original victim but also from third parties who would be harmed by the release of that data (for example the victim's customers or patients). Another is 'ransomware as a service' (RaaS), an illicit 'business model' in which criminals offer ransomware kits and/or other attack elements on the Dark Web, including distribution of the malware or initial compromise of a victim's network, in exchange for a fee or a percentage of the ransom.
Let's look at a concrete example: the Colonial Pipeline ransomware attack. On 7 May 2021, Colonial Pipeline, a US fuel pipeline operator, was compromised with malware that affected its pipeline management systems. The attack forced Colonial Pipeline to shut down more than 8,500 km of fuel pipelines, disrupting nearly half of the East Coast's fuel supply. The attack is attributed to the criminal group DarkSide, which operates a RaaS business. Colonial Pipeline paid approximately 75 bitcoin (worth around USD 5 million at the time) as ransom. Interestingly, on 7 June 2021 the FBI announced that it had recovered a large part of the ransom payment using investigative techniques and on-chain analysis tools (read more about the what, why and how of on-chain data analysis in our previous article). This success demonstrates the potential of on-chain analysis to trace and recover funds.
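To make the "trace the funds" step concrete, here is an added example that is not part of the original article and does not reproduce the real Colonial Pipeline transactions: it builds a small, constructed UTXO-style ledger in which a ransom address is split between an affiliate and an operator, hopped through intermediate addresses and finally deposited at two exchanges. The address labels, transaction ids and the `KNOWN_VASP` mapping are all hypothetical. Two standard on-chain analysis techniques are shown: a forward trace that follows every transaction spending a tainted address until a labelled VASP deposit address is reached (the point at which an investigator can serve legal process), and the common-input-ownership heuristic that clusters addresses spent together in one transaction.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tx:
    """One transaction: the addresses it spends and the (address, amount) outputs it creates."""
    txid: str
    inputs: Tuple[str, ...]
    outputs: Tuple[Tuple[str, float], ...]


# Constructed ledger for illustration only; amounts and ids are made up.
LEDGER: List[Tx] = [
    Tx("t1", ("victim",), (("ransom", 75.0),)),                     # ransom paid
    Tx("t2", ("ransom",), (("affiliate", 63.7), ("operator", 11.3))),  # RaaS split
    Tx("t3", ("affiliate",), (("hop1", 40.0), ("hop2", 23.7))),
    Tx("t4", ("hop1", "unrelated"), (("vasp_deposit_A", 45.0),)),     # co-spend with another address
    Tx("t5", ("hop2",), (("hop3", 23.7),)),                            # dead end (not yet spent)
    Tx("t6", ("operator",), (("vasp_deposit_B", 11.3),)),
]

# Hypothetical attribution data: deposit addresses already labelled as belonging to exchanges.
KNOWN_VASP: Dict[str, str] = {"vasp_deposit_A": "ExchangeA", "vasp_deposit_B": "ExchangeB"}


def trace_forward(ledger: List[Tx], start: str, known_vasp: Dict[str, str],
                  max_hops: int = 8) -> Dict[str, Tuple[str, List[str]]]:
    """Breadth-first forward trace from `start`.

    Returns {vasp_address: (vasp_name, path)} where path alternates addresses and txids,
    e.g. ['ransom', 't2', 'operator', 't6', 'vasp_deposit_B'].  Tracing stops at a known
    VASP deposit because funds past that point live in the exchange's internal ledger.
    """
    spends: Dict[str, List[Tx]] = {}
    for tx in ledger:
        for addr in tx.inputs:
            spends.setdefault(addr, []).append(tx)

    hits: Dict[str, Tuple[str, List[str]]] = {}
    paths: Dict[str, List[str]] = {start: [start]}
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if addr in known_vasp:
            hits[addr] = (known_vasp[addr], paths[addr])
            continue
        if hops >= max_hops:
            continue
        for tx in spends.get(addr, []):
            for out_addr, _amount in tx.outputs:
                if out_addr not in seen:
                    seen.add(out_addr)
                    paths[out_addr] = paths[addr] + [tx.txid, out_addr]
                    queue.append((out_addr, hops + 1))
    return hits


def cospend_clusters(ledger: List[Tx]) -> List[set]:
    """Common-input-ownership heuristic: addresses spent in the same tx are assumed to
    share a controller.  Union-find over inputs; returns clusters with more than one address."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for tx in ledger:
        root = find(tx.inputs[0])
        for addr in tx.inputs[1:]:
            parent[find(addr)] = root

    clusters: Dict[str, set] = {}
    for addr in list(parent):
        clusters.setdefault(find(addr), set()).add(addr)
    return [c for c in clusters.values() if len(c) > 1]


if __name__ == "__main__":
    for vasp_addr, (name, path) in trace_forward(LEDGER, "ransom", KNOWN_VASP).items():
        print(f"{name}: {' -> '.join(path)}")
    print("co-spend clusters:", cospend_clusters(LEDGER))
```

The trace deliberately stops at labelled deposit addresses rather than continuing into the exchange, because that is where a request to the VASP (or a seizure warrant, as in the FBI's recovery) replaces chain analysis. The co-spend heuristic is only a heuristic: CoinJoin-style transactions are built precisely to make unrelated parties co-spend, so in real investigations clusters are treated as leads to corroborate, not as proof of ownership.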
To support the timely detection of ransom payments and of the laundering of these illicit proceeds, the FATF released a compilation of Potential Risk Indicators drawn from data provided by the jurisdictions in its network. VASPs and other financial service providers can build these 'red flag' indicators into their transaction monitoring systems to flag transactions that may be related to ransomware.
Would you like to learn more about other financial crime schemes involving digital assets and cryptocurrencies? Then have a look at our previous article about crypto hacks & exploits.
Would you like to stay up-to-date?
Subscribe to our Medium page. Follow us on Twitter and connect on LinkedIn.