How are ransomware payments made?

Ransomware attacks have become increasingly common in recent years. These malicious programs encrypt files on a victim’s computer and demand payment in order to decrypt them. Victims want their data back quickly and are often willing to pay. But how exactly are these ransom payments made?

What is ransomware?

Ransomware is a form of malicious software (malware) that encrypts files on a victim’s computer, preventing the victim from accessing their own data. The attackers demand a ransom payment in cryptocurrency, such as Bitcoin, in exchange for the decryption key needed to restore access. If the ransom is not paid and no clean backup or public decryptor exists, the data stays inaccessible.

Some of the most common ransomware variants include:

  • CryptoLocker
  • WannaCry
  • Ryuk
  • Sodinokibi
  • Phobos

Ransomware is commonly spread through phishing emails containing malicious attachments or links, and also by way of exposed remote-access services such as RDP, stolen credentials, and unpatched vulnerabilities in internet-facing systems. Once executed on the victim’s machine, the ransomware encrypts files and drops a ransom note demanding payment to decrypt them.

Why do victims pay the ransom?

There are several reasons why victims end up paying the ransom demand:

  • To quickly regain access to important or sensitive data that is essential for business operations
  • When backups are non-existent, insufficient, or also encrypted by the attack
  • To prevent customers or partners from discovering the attack and losing trust
  • Because the cost of rebuilding systems and restoring data from scratch would far exceed the ransom amount

Cybersecurity experts and law enforcement advise against paying ransoms, because payment funds the criminals and incentivizes further attacks, and because paying guarantees neither a working decryptor nor the deletion of stolen data. However, when access to critical data and systems is at stake, victims often feel compelled to pay up.

How do victims pay the ransom?

Ransomware operators generally provide victims with instructions on how to pay the ransom demand. Most groups receive payment at cryptocurrency addresses that are hard to link to a real identity, typically a fresh address for each victim.

Common payment currencies and channels include:

  • Bitcoin – The most widely used currency for ransom payments. It is pseudonymous rather than anonymous: every transaction is recorded on a public ledger, but addresses are not tied to names.
  • Monero – A privacy-focused alternative to Bitcoin that hides sender, receiver, and amount, and is gaining favor among ransomware groups.
  • Ransomware site – Many operators host a site on the dark web (a Tor hidden service) where victims view the demand and manage payment.
  • Negotiation platform – Some large ransomware cartels run chat-style negotiation portals where victims communicate with affiliates, haggle over the price, and arrange payment.

Victims are given a Bitcoin address or Monero wallet address to submit payment to. Ransomware sites and negotiation platforms generally provide step-by-step instructions for buying cryptocurrency through exchanges and transferring it to the criminals’ wallet.

Obtaining cryptocurrency

For victims unfamiliar with cryptocurrency, obtaining Bitcoin or Monero to pay a ransom can be complicated. Options include:

  • Purchasing through a cryptocurrency exchange
  • Buying with cash at a Bitcoin ATM
  • Using a crypto wallet provider’s ‘buy’ feature
  • Purchasing prepaid cryptocurrency vouchers (available offline)

Exchanges allow bank transfers or card purchases of cryptocurrency, but they require identity verification through KYC checks, and a large first-time purchase can trigger delays or account reviews. ATMs allow quick cash purchases but charge high fees and have low limits.

Making the payment

Once victims acquire the demanded cryptocurrency, they paste the attacker’s wallet address into their crypto wallet app and authorize the transfer. Smaller ransomware operations may require the full payment upfront, while sophisticated groups sometimes allow partial advance payment and staggered payment over time.

Victims are expected to submit the transaction ID of the payment to the ransomware operators as proof that it was sent. The operators confirm on the ledger that the funds arrived (and, for Bitcoin, that the transaction has enough confirmations) before releasing the decryption software and keys.
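Before a victim (or the incident-response firm acting for them) commits funds to an address copied out of a ransom note or portal, the one check worth running is that the address is at least well-formed: a legacy Bitcoin address is Base58Check encoded, so a single-character typo fails the embedded 4-byte checksum instead of sending coins to an unspendable address. The following is a worked example added to this page, not code from any wallet, exchange, or ransomware portal. It decodes and validates Base58Check (P2PKH “1…” and P2SH “3…” addresses); native-segwit “bc1…” addresses use Bech32, a different encoding that this example deliberately does not validate. The genesis-block address used in the demo is a public, well-known address and is not connected to any ransomware campaign.

```python
"""Base58Check decoding for legacy Bitcoin addresses (example added to this page;
not code from any wallet, exchange, or ransomware payment portal)."""
import hashlib
from typing import Optional

# Base58 alphabet: no '0', 'O', 'I' or 'l', the characters most often confused by eye
_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(payload)), as Base58Check specifies."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    """Encode version byte + hash into an address string (used here to build test vectors)."""
    raw = payload + _checksum(payload)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = _ALPHABET[rem] + digits
    # Every leading 0x00 byte becomes a leading '1'; the integer conversion dropped them.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def base58check_decode(text: str) -> Optional[bytes]:
    """Return the payload (version byte + 20-byte hash), or None if the string contains
    a non-alphabet character, is too short, or fails the checksum."""
    n = 0
    for ch in text:
        idx = _ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))  # leading '1's are leading 0x00 bytes
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    return payload if checksum == _checksum(payload) else None


def classify_btc_address(text: str) -> str:
    """'p2pkh' for 1... addresses, 'p2sh' for 3... addresses, 'invalid' otherwise.
    Native segwit (bc1...) addresses use Bech32 and are reported as not checked."""
    if text.lower().startswith("bc1"):
        return "bech32-not-checked"
    payload = base58check_decode(text)
    if payload is None or len(payload) != 21:
        return "invalid"
    return {0x00: "p2pkh", 0x05: "p2sh"}.get(payload[0], "invalid")


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # public Bitcoin genesis-block address
    print(genesis, "->", classify_btc_address(genesis))
    typo = genesis[:-1] + "b"  # one wrong character: checksum no longer matches
    print(typo, "->", classify_btc_address(typo))
```

A passing check only proves the string is a syntactically valid address; it says nothing about who controls it, so the address should still be compared character by character against what the payment portal shows, since a note edited in transit or a clipboard-hijacking trojan would substitute an equally valid address.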

Payment via ransomware decryptors and customer support sites

Some ransomware cartels operate almost like legitimate businesses, offering sophisticated ransom payment and data recovery solutions. Examples include:

REvil/Sodinokibi “Happy Blog”

The REvil ransomware syndicate ran hidden services on Tor, including the “Happy Blog” data-leak site and a victim portal. Victims could log in to negotiate with affiliates, make payments, and receive decryption keys.

DarkSide customer support site

The DarkSide gang, behind the Colonial Pipeline attack, ran a “customer support” site on the dark web for victims to communicate with operators and make ransom payments.

Maze decryption site

The Maze ransomware operation had a dedicated site where victims could upload a few encrypted files for test decryption and purchase decryption keys to restore their data.

These centralized platforms allow ransomware groups to streamline extortion of multiple victims and mimic legitimate transaction systems.

Are ransom payments traceable?

The pseudonymous nature of cryptocurrency helps shield the identity of ransomware attackers receiving payments. But law enforcement uses advanced blockchain analytics tools to track and trace cryptocurrency transactions.

With Bitcoin, they can follow the money trail on the public blockchain ledger from the victim’s payment through each subsequent spend, often to a deposit address at a regulated exchange that can be served with a legal request. Monero offers stronger anonymity protections, but still risks exposure at the points where it is exchanged for other currencies and through network-level monitoring.

If ransomware operators fail to launder cryptocurrency through mixers and tumblers, payments can be traced back to them. Law enforcement also looks for operational slip-ups that link addresses to one another and eventually to a person, such as re-using a Bitcoin address across victims or consolidating several victims’ payments in a single transaction, which reveals that one party controlled all of the spent addresses.
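The two slip-ups above are exactly what commercial blockchain-analytics tools key on. The following is a worked example added to this page (not code from any analytics vendor or law-enforcement tool) that runs the basic heuristics over a constructed toy ledger: the common-input-ownership heuristic (all inputs of one transaction are assumed to be controlled by the same entity, because one signer had to authorize all of them), address-reuse detection, and a hop-by-hop forward trace of where the funds went. The transaction IDs and address labels (victimA, ransom1, exchange_deposit, and so on) are hypothetical placeholders, not real chain data, and the change-address heuristic that real tools also apply is left out to keep the example short.

```python
"""Basic blockchain-analytics heuristics over a constructed toy ledger (example code added
to this page, not from any analytics vendor). Address labels and txids are hypothetical."""
from collections import defaultdict, deque

# Constructed sample transactions (not real chain data). Each lists the addresses whose
# coins it spends ("inputs") and the (address, amount) pairs it pays ("outputs").
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["victimA"], "outputs": [("ransom1", 5.0)]},
    {"txid": "tx2", "inputs": ["victimB"], "outputs": [("ransom2", 3.0)]},
    # tx3 spends ransom1 and ransom2 together: one party holds both keys
    {"txid": "tx3", "inputs": ["ransom1", "ransom2"], "outputs": [("consolidate", 7.9)]},
    {"txid": "tx4", "inputs": ["consolidate"], "outputs": [("exchange_deposit", 7.8)]},
    # tx5 pays ransom1 a second time: address reuse ties a third victim to the wallet
    {"txid": "tx5", "inputs": ["victimC"], "outputs": [("ransom1", 2.0)]},
]


class _UnionFind:
    """Disjoint-set structure used to merge addresses into ownership clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            if rb < ra:  # keep the lexically smaller address as representative (stable output)
                ra, rb = rb, ra
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: map every address to its cluster representative.
    Addresses that are only ever paid, never co-spent, stay in singleton clusters."""
    uf = _UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + [o for o, _ in tx["outputs"]]:
            uf.find(addr)  # register every address, including output-only ones
        ins = tx["inputs"]
        for addr in ins[1:]:
            uf.union(ins[0], addr)
    return {addr: uf.find(addr) for addr in list(uf.parent)}


def reused_addresses(txs):
    """Addresses credited by more than one transaction: the re-use slip-up."""
    seen = defaultdict(set)
    for tx in txs:
        for addr, _ in tx["outputs"]:
            seen[addr].add(tx["txid"])
    return {addr for addr, txids in seen.items() if len(txids) > 1}


def payers_into_cluster(txs, clusters, address):
    """Every outside address that paid into the cluster containing `address`.
    For a ransomware wallet this is the set of victims linked by the chain alone."""
    target = clusters[address]
    payers = set()
    for tx in txs:
        if any(clusters[o] == target for o, _ in tx["outputs"]):
            payers.update(a for a in tx["inputs"] if clusters[a] != target)
    return payers


def trace_forward(txs, start, max_hops=10):
    """Follow funds from `start` through each spend, breadth first. Returns
    (hop, txid, address) tuples in the order reached; the last entries show where
    the money ended up, e.g. an exchange deposit address."""
    spends = defaultdict(list)  # input address -> transactions that spend from it
    for tx in txs:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    path, visited, queue = [], {start}, deque([(start, 0)])
    while queue:
        addr, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for tx in spends[addr]:
            for out_addr, _ in tx["outputs"]:
                if out_addr not in visited:
                    visited.add(out_addr)
                    path.append((hop + 1, tx["txid"], out_addr))
                    queue.append((out_addr, hop + 1))
    return path


if __name__ == "__main__":
    clusters = cluster_by_common_input(SAMPLE_TXS)
    print("cluster of ransom2:", clusters["ransom2"])
    print("reused addresses:", reused_addresses(SAMPLE_TXS))
    print("victims linked to ransom1's wallet:", payers_into_cluster(SAMPLE_TXS, clusters, "ransom1"))
    print("forward trace from ransom1:", trace_forward(SAMPLE_TXS, "ransom1"))
```

On the toy ledger, the consolidation in tx3 is what links the two per-victim addresses into one cluster, and the reuse in tx5 adds a third victim; the forward trace then lands on the exchange deposit address, which is the point where a real investigation would turn to the exchange’s KYC records. Mixing services exist precisely to break the first step, the clean input-to-output path.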

Should ransom payments be illegal?

Some argue ransom payments should be banned because they encourage more criminal ransomware activity. But others counter that organizations should be free to make pragmatic decisions when under duress. The debate involves weighing pros and cons around issues like:

  • Incentivizing attacks – Paying ransoms fuels ransomware-as-a-service models and funds criminal organizations.
  • Escalation – Taking payment off the table could push attackers toward more destructive tactics to restore leverage.
  • Loss of data – Forbidding payments risks permanent data loss in absence of backups.
  • Weakening security incentives – The option of simply paying reduces the incentive to invest in security measures.

In the U.S., paying a cyber ransom is not in itself illegal. But a payment to an attacker on a sanctions list, or to a group operating from a sanctioned jurisdiction, can violate OFAC sanctions regulations, which apply regardless of whether the payer knew who was on the other end. Companies also risk being investigated for knowingly financing criminal activity.

Should ransomware payments be insurable?

Another debated point is whether cyber insurance should cover ransomware payments. The arguments around insurability include:

  • Fuels attacks – Insurance coverage for ransoms contributes to the ransomware business model.
  • Necessary evil – Covering ransoms helps victims recover from unavoidable attacks.
  • Promotes security – Insurers require security standards, discouraging lax practices.
  • Moral hazard – Insurance reduces incentive to implement best security protections.

Insurance regulator guidance discourages policies from covering ransoms. But the market reality is that insurers often will cover ransom payments to help restore businesses. Cyber policies may also cover costs of incident response, negotiation, and data restoration.

How are ransom payments evolving?

Ransomware groups continuously adapt their payment methods and infrastructure for greater scalability, efficiency, and anonymity. Some emerging trends include:

  • Ransomware-as-a-service – Developers lease malware to affiliates who split ransoms with them, enabling mass attacks.
  • Targeted extortion – Lucrative “big game hunting” sees gangs thoroughly investigate targets before making huge demands.
  • Anonymity enhanced cryptocurrency – Growing use of privacy-focused coins like Monero to better obfuscate payments.
  • Hard-to-trace infrastructure – Attackers leverage dark web sites, mixers, and covert payment channels.

Ransomware attacks are also becoming “double extortion” campaigns, combining data encryption with theft and threats to publish sensitive stolen files.

And the cryptocurrency ecosystem keeps opening up hard-to-trace payment options, such as privacy coins, self-custodied (unhosted) wallets that sit outside any exchange’s KYC controls, and decentralized exchanges that swap between coins without an intermediary.

As a result, ransomware payments are getting tougher to track, while providing organized criminal groups with bigger payouts through scaled business models.

Conclusion

Paying cyber ransoms is fraught with ethical concerns, but remains a calculated risk decision for victimized organizations lacking data backups or alternatives. Ransomware operators have developed advanced cryptocurrency payment methods enabling anonymous extortion at scale.

Navigating the world of ransomware payments means victims must deal with the complexities of cryptocurrencies, dark web sites, tough negotiations, and evasive criminals. And the ransomware business continues to evolve in sophistication and profitability, despite the best efforts of cyber defenders.