Ransomware has become one of the most lucrative criminal business models in the history of malware. The ransoms demanded by cybercriminals continue to rise, with the average ransom payment in 2021 reaching over $570,000 according to Coveware. Understanding how ransomware actors collect these payments can help organizations defend against attacks.
What is ransomware?
Ransomware is a form of malicious software (malware) designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Attackers demand ransom payments in cryptocurrency from victims in exchange for the decryption key to restore access. If victims refuse or fail to pay, they risk permanent data loss.
Ransomware attacks have increased significantly in recent years. They pose a serious threat to businesses, hospitals, schools and government entities. High-profile incidents have resulted in widespread disruption of critical services.
Why do victims pay the ransom?
There are several reasons why victims end up paying ransomware demands:
- Prevent business disruption – Organizations rely on access to their data and systems to operate. Restoring from backups can take days or weeks, during which time they may be unable to provide services, resulting in significant financial losses.
- Avoid data loss – If current backups are unavailable, paying may be the only way to recover encrypted data. This data may be irreplaceable or difficult and costly to reproduce.
- Compliance requirements – Regulations like HIPAA mandate data preservation. Failure to recover health data after an incident may result in legal liability.
- Cyber insurance – Insurance policies may cover ransom payments, making paying the simplest option for insured victims.
However, experts caution that paying the ransom should be a last resort. Doing so fuels the ransomware business model and does not guarantee the criminals will provide working decryption keys. There are also concerns about potential liability for facilitating criminal activity.
How do victims make ransomware payments?
Ransomware groups instruct victims how to pay through ransom notes left on infected systems. Most demand payment in cryptocurrencies like Bitcoin or Monero. Cryptocurrency enables fast, international payments while protecting the anonymity of recipients.
Specific payment methods ransomware groups may require include:
- Bitcoin wallets – Victims are given a ransomware group’s Bitcoin address to send payment to.
- Tor websites – Payment portal sites accessible through the Tor browser to anonymize transactions.
- Cryptocurrency exchanges – Victims told to open accounts on exchanges like Binance to purchase and pay cryptocurrency.
Some Things to note about ransomware payments:
- Attackers often impose time limits for paying, adding pressure with threats of non-recovery or increased ransom demands.
- Most ransomware groups provide proof of decryption capability before victims pay, by decrypting sample files.
- Payments are usually substantial, with demands ranging from thousands to millions of dollars.
Challenges with ransom payments
Trying to pay a ransomware demand can present victims with the following challenges:
- Navigating complex cryptocurrency systems – Victims unfamiliar with cryptocurrency may struggle purchasing, transferring or managing it securely.
- Cryptocurrency volatility – Fluctuations during the time a ransom is paid may result in overpayment.
- Regulatory requirements – Laws like Know Your Customer (KYC) may complicate or prevent hasty exchange account openings required to pay ransoms.
- Anti-money laundering controls – Banks may block transfers to exchanges or transactions with suspected criminal ties.
- Technical issues – Errors in Bitcoin addresses or problems with exchange interfaces can obstruct payment.
- Limited windows to pay – Short payment deadlines may not provide enough time to resolve payment problems.
These issues result in some ransomware victims failing to pay ransoms within demanded timeframes. This can prompt threats from attackers or make decryption impossible if ransomware infrastructure is abandoned.
How do threat actors manage ransom payments?
Ransomware groups utilize various technical and operational security practices for managing payments, including:
- Automated payment tracking – Bitcoin payment API services like Blockchain.info used to monitor transactions to ransom addresses.
- Cryptocurrency tumbling/mixing – Funds from ransoms laundered through intermediary wallets to obscure transaction tracing.
- Anonymizing infrastructure – Use of Tor, VPNs, anonymous email and other technologies to maintain anonymity while negotiating and processing payments.
- Decentralized infrastructure – Distributing infrastructure across many compromised hosts protects against takedowns.
- Manual payment verification – Some groups manually confirm payments before releasing decryption keys.
These measures help maximize criminal profits from ransomware while minimizing risk. As a result, identifying and arresting the individuals behind ransomware groups is extremely difficult for law enforcement.
Third-party ransomware payment services
A cottage industry of third party services has emerged to facilitate ransomware payments for victims:
- Incident response firms – Security vendors like Coveware that offer to negotiate with attackers and handle payments on victims’ behalf.
- Cryptocurrency exchanges – Some exchanges openly cater to ransomware victims with easy fiat currency swaps.
- Cryptocurrency tumblers – Services like ChipMixer that accept funds from victims and obfuscate transaction trails for a fee.
- Insurance partners – Cyber insurers may have contracted assistance from forensic firms to manage incidents end-to-end.
The availability of external payment services reduces barrier for victims to pay ransoms. But it also undermines efforts to cut off ransomware extortion models.
Recent trends around ransomware payments
Some developments around ransomware payments in the past few years include:
- Shift from Bitcoin to privacy coins like Monero to better anonymize payments.
- Price negotiation between victims and threat actors becoming more common.
- Creation of ransomware Payment portals to streamline payment processing.
- Ransomware groups stealing data and threatening release if ransom goes unpaid, adding additional pressure.
- Growth of ransomware actors offering victims payment plans if unable to pay lump sum.
These trends point to ransomware becoming more “professionalized”, with specialized tools and segments mirroring traditional businesses. This could make dismantling ransomware groups’ financial operations more challenging.
Law enforcement actions around ransom payments
Law enforcement discourage ransomware payments as they incentivize cybercriminals. Actions authorities are taking around payments include:
- Seizing cryptocurrency paid to sanctioned ransomware groups when possible.
- Prosecuting third party ransom negotiators for enabling cybercrime.
- Obtaining legal injunctions to block payments in extreme cases.
- Pressuring cryptocurrency exchanges to block or report suspicious transactions.
- Tracing and seizing cryptocurrency ransoms to identify threat groups.
- Issuing advisories warning organizations of payment risks and liabilities.
However, the pseudonymous nature of cryptocurrency makes systematically identifying and interdicting ransom payments challenging for law enforcement.
Options besides paying the ransom
Paying ransoms should only be a last option after exhausting other recovery methods, including:
- Isolating and containing infections to prevent spread.
- Checking backups to see if encrypted data can be restored.
- Rebuilding compromised systems from scratch.
- Hiring incident response firms to diagnose and remediate.
- Seeking assistance from law enforcement and cybersecurity agencies.
- Negotiating with insurers to cover costs related to the incident.
Some victims successfully negotiate ransom payment amounts down or even get initial decryption keys by pressuring groups via their negotiation channels. But there are no guarantees.
Should ransomware payments be banned?
Some policymakers have proposed completely outlawing ransomware payments to eliminate the profit motive driving attacks. But a ban raises concerns that victims would resort to circumventing controls, for example:
- Trying to pay ransoms using non-cryptocurrency methods like gift cards or cash.
- Obtaining cryptocurrency through unregulated channels to bypass official exchange bans.
- Paying through third party intermediaries in regions without bans as proxies.
- Classifying ransom payments as a legitimate expense or disguise their purpose.
This “dark channel” activity might sustain ransomware while making payments more difficult to track and ransomware groups harder to identify. A better approach may be creating a transparent environment where ransom payments can be analyzed and used to pursue attackers.
Reporting and disclosing ransomware payments
If victims determine paying a ransom is their only recourse, experts recommend taking measures such as:
- Notifying law enforcement to obtain advice and reporting the attack.
- Disclosing payments to regulators as required under breach notification laws.
- Informing insurers to verify policy coverage and document the incident.
- Recording details like wallet addresses that could aid future tracking of the threat actors.
- Seeking legal counsel to ensure compliance with all relevant regulations.
Proper documentation and reporting of ransom payments may support future efforts to identify attackers, recover funds and enforce bans if they are enacted.
Should victims negotiate ransom amounts?
If the decision is made to pay, trying to negotiate down ransom demands could result in substantial cost savings. But it does carry risks such as:
- Angry threat actors retaliating with data leaks or heightened ransom demands.
- Negotiations delaying payment past ransom deadlines, resulting in decryption keys being withheld.
- Attackers realizing they underpriced initial demands and asking for more money.
Careful negotiation may be worth attempting. But organizations should set firm limits based on a calculated maximum reasonable payment before starting conversations with threat actors.
Can law enforcement help recover from an attack?
It depends. Recovering encrypted files without paying is challenging, but reporting ransomware incidents to law enforcement can enable actions like:
- Identifying other victims to pool information on the attackers.
- Disrupting ransomware group infrastructure to prevent future attacks.
- Seizing ransom payments from custodial accounts before criminals withdraw them.
- Decrypting files if encryption flaws are uncovered or master keys obtained.
- Prosecuting perpetrators to provide some restitution to victims.
Law enforcement recoveries are difficult and not guaranteed. But they can occasionally get some data back without enriching adversaries.
Should cyber insurance cover ransom payments?
Views are mixed on whether cyber insurance should cover ransom payments. Potential benefits include:
- Empowering negotiated solutions between insurers and threat actors.
- Preventing business failures resulting from uninsured ransomware events.
- Incentivizing organizations to have quality security controls to get coverage.
But concerns around insurers funding criminal activity have prompted proposals to restrict ransomware coverage. Banning insurance support for payments could leave many victims without options though.
How can cryptocurrency exchanges combat ransomware?
Cryptocurrency exchanges play a key role as they facilitate transactions between victims and ransomware groups. Actions they can take include:
- Monitoring accounts and transactions for suspicious indicators like ties to ransomware infrastructure.
- Proactively blocking transactions associated with known ransomware attackers.
- Developing smart contracts that restrict how account funds can be withdrawn or spent.
- Seeking legally viable ways to seize cryptocurrency tied to ransomware groups.
- Banning accounts engaged in ransomware even at a cost to profits.
Exchanges self-regulating to prevent illicit activity could significantly disrupt ransomware extortion without the need for outright payment bans.
Ransomware presents challenging dilemmas around whether victims should meet extortion demands. There are reasonable arguments on both sides of paying ransoms. Each organization must weigh the risks, costs and likelihood of successful file recovery based on their unique circumstance. But understanding modern ransomware monetization methods can inform smarter responses to attacks.