How are ransomware payments made to cybercriminals?

Ransomware is a form of malicious software that encrypts a victim’s files, making them inaccessible. The cybercriminals then demand a ransom payment in cryptocurrency to decrypt the files. Ransomware attacks have seen a dramatic rise in recent years. According to Statista, there were over 154 million ransomware attacks globally in Q4 2022, up from just 51 million in Q1 2020. This increasing prevalence of ransomware represents a serious threat for businesses, governments, healthcare organizations and everyday internet users.

This article provides an in-depth look at how ransomware payments are made, tracing the flow of funds from victims to cybercriminals. It aims to demystify the payment process and shed light on this key aspect of ransomware attacks.

How Ransomware Works

Ransomware is a type of malware that encrypts files on a victim’s computer and demands a ransom payment in order to decrypt the files. The typical ransomware attack unfolds in the following stages:

First, the attacker gains access to a victim’s network, often through phishing emails or by exploiting vulnerabilities. The attacker then installs the ransomware software, which begins encrypting files on the infected system using encryption algorithms that only the attackers have the decryption keys for.

Once the encryption is complete, the ransomware displays a ransom note threatening to delete or publicly release the encrypted files if the demanded ransom is not paid, usually in cryptocurrency. The note includes instructions for paying the ransom, typically within a short timeframe, after which the price increases or the encrypted files are deleted.

By encrypting files and holding the decryption keys hostage, ransomware prevents victims from accessing their own data. Paying the ransom is often the only way victims can restore access, which is why many choose to pay, further fueling the ransomware business model.

Payment Methods

Cybercriminals demand payment in hard-to-trace methods to avoid getting caught. The most common payment methods for ransomware include:

Cryptocurrencies

Bitcoin is the most popular cryptocurrency for ransomware payments due to its pseudonymous nature (Veeam). Bitcoin allows cybercriminals to receive payments without revealing their identity. Other cryptocurrencies like Monero and Dash are also sometimes demanded. Cryptocurrencies enable international payments that are difficult to trace or reverse.

Prepaid Cards

Prepaid gift cards have emerged as a payment option, according to NetDiligence. Attackers may demand the card numbers and PINs to drain the funds. The cards provide convenience for international payments while being hard to track.

Money Mules

In some cases, ransomware gangs coerce victims into recruiting money mules to physically transport cash payments, per Investopedia. This avoids electronic payments entirely but puts the mules at legal risk for enabling cybercrime payments.

Cryptocurrencies

Cryptocurrencies, especially Bitcoin, are the most common method of payment for ransomware attacks. According to Marsh, Bitcoin accounts for approximately 98% of ransomware payments. Cryptocurrencies like Bitcoin and Monero are preferred by cybercriminals because transactions are difficult to trace and provide more anonymity compared to traditional payment methods.

Bitcoin is the most popular for ransom payments because it is the largest and most liquid cryptocurrency market. However, Bitcoin transactions are pseudonymous rather than anonymous and can potentially be traced back to individuals. Monero provides more privacy through ring signatures and stealth addresses, making payments nearly untraceable. This anonymizing feature makes Monero the second most common cryptocurrency used in ransomware schemes.

According to the Senate Report on Cryptocurrency and Ransomware, the broad availability and ease of transferring cryptocurrencies globally enables cybercriminals to efficiently collect ransom payments while maintaining anonymity. The report also notes concerns that the rise in untraceable cryptocurrencies like Monero poses risks to national security.

Prepaid Cards

Cybercriminals are increasingly using prepaid cards purchased from retailers to collect ransomware payments. According to research from Cyble, the Obsidian ransomware operation specifically demands payment in the form of gift cards from Amazon, Target, and other major retailers. Prepaid cards allow cybercriminals to remain anonymous when redeeming funds. Cards can be purchased with cash at brick-and-mortar locations, making transactions difficult to trace.

Once cards are funded, victims are instructed to provide the prepaid card number and PIN so that cybercriminals can drain the funds. Prepaid debit cards linked to major card networks like Visa and MasterCard provide broad usability for cashing out payments. According to a 2021 advisory from the Financial Crimes Enforcement Network (FinCEN), some ransomware groups are suspected of using an extensive network of money mules to help liquidate prepaid cards (FinCEN).

Money Mules

Cybercriminals often recruit unsuspecting money mules to help launder ransom payments. Money mules are people who allow their bank accounts to be used to transfer illegal funds. The mule may be an unwitting accomplice promised a cut of the profits, or a victim of identity theft.

After a ransom is paid in cryptocurrency, criminals need to convert it to traditional currency and deposit it in bank accounts without raising suspicions. So they recruit mules, often using romance or job scams, to open accounts or hand over login credentials. Large sums of money are briefly routed through mule accounts and withdrawn as cash or laundered in other ways.

In December 2022, a global crackdown led to the arrest of over 1,000 suspected money mules involved in laundering ransomware funds (https://www.infosecurity-magazine.com/news/police-arrest-1000-suspected-money/). But cybercriminals constantly recruit new accomplices to provide access to the banking system. Law enforcement efforts to track and shut down money mule networks continue.

Tracking Payments

While ransom payments are often made using cryptocurrencies like Bitcoin for anonymity, the public ledger of blockchain transactions means payments can sometimes still be tracked and traced. There are firms specializing in ransomware payments analysis that work to “follow the money” and identify the flow of funds on the blockchain [1].

For example, cryptocurrency tracking firm Chainalysis has found that between May 2021 and June 2022, there were an estimated 3,640 successful ransomware payments worth over $602 million [2]. By analyzing the blockchain ledger and clustering related wallet addresses, payments associated with specific ransomware variants can be identified. This can help authorities with investigations and developing strategies to counter illicit financial flows.
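The address-clustering and "follow the money" analysis described above, as an added example that is not from the article or from Chainalysis: the ledger is constructed inline, every address and amount is invented, and the only heuristic applied is common-input-ownership.

```python
# Added example (not from the article): cluster addresses that spend together,
# then walk a ransom-note address's funds forward over a constructed ledger.
# Real blockchain analysis uses many more heuristics and full-chain data.
# Constructed transactions: inputs are spent, outputs are (address, amount).
TRANSACTIONS = [
    # victims pay the addresses printed in their ransom notes
    {"txid": "t1", "inputs": ["victimA"], "outputs": [("ransom1", 5.0)]},
    {"txid": "t2", "inputs": ["victimB"], "outputs": [("ransom2", 3.0)]},
    # the gang sweeps both ransom addresses in one transaction; the
    # common-input-ownership heuristic links ransom1 and ransom2 to one owner
    {"txid": "t3", "inputs": ["ransom1", "ransom2"], "outputs": [("hop1", 7.9)]},
    {"txid": "t4", "inputs": ["hop1"], "outputs": [("exchangeDeposit", 7.8)]},
    # unrelated activity that must not be pulled into the ransom cluster
    {"txid": "t5", "inputs": ["shopper"], "outputs": [("merchant", 0.2)]},
]

def cluster_addresses(txs):
    """Common-input-ownership: inputs spent together are assumed to share an
    owner. Mixers and CoinJoin-style transactions deliberately defeat this."""
    clusters = []
    for tx in txs:
        merged = set(tx["inputs"])
        kept = []
        for c in clusters:
            if c & merged:
                merged |= c          # transitively join overlapping clusters
            else:
                kept.append(c)
        kept.append(merged)
        clusters = kept
    return [frozenset(c) for c in clusters]

def follow_the_money(txs, start_addrs):
    """Walk outputs forward from a set of addresses until funds stop moving."""
    reached, frontier = set(start_addrs), set(start_addrs)
    while frontier:
        nxt = set()
        for tx in txs:
            if any(i in frontier for i in tx["inputs"]):
                nxt.update(addr for addr, _ in tx["outputs"])
        frontier = nxt - reached
        reached |= nxt
    return reached

def trace_ransom_payment(txs, ransom_note_addr):
    """Return the cluster holding a ransom-note address and where its funds went."""
    for group in cluster_addresses(txs):
        if ransom_note_addr in group:
            return group, follow_the_money(txs, group) - group
    return frozenset(), set()
```

Running `trace_ransom_payment(TRANSACTIONS, "ransom1")` links the second ransom address to the first and shows the funds ending at the exchange deposit address, which is the kind of cash-out point investigators can subpoena.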

However, the degree of success in tracking payments varies. Ransomware groups often use money laundering techniques and intermediaries to obscure the money trail. Law enforcement has warned that paying ransoms should be avoided, as it incentivizes and funds criminal activity while recovery is not guaranteed.

Refusing to Pay

Many experts advise against paying ransomware demands. There are several alternatives organizations can pursue instead of paying the ransom:

Backups: Having regular backups of critical data and systems provides a way to restore systems without paying the ransom. Organizations should ensure they have isolated, offline backups that can’t be accessed by attackers. Restoring from backups can minimize downtime and prevent feeding criminal enterprises.

Decryption tools: In some cases, decryption tools are available that can unlock files without paying the ransom. For common ransomware strains like Ryuk, Phobos and Dharma, decryptors have been developed by cybersecurity firms. However, decryption tools are not available for every type of ransomware.

Law enforcement: Working with law enforcement provides additional options, as they may be able to trace ransom payments or apprehend attackers. The FBI advises ransomware victims to report attacks to law enforcement. However, the chances of recovering stolen data without paying the ransom are low.

Refusing to pay limits the financial resources available to ransomware groups. However, organizations will likely face data loss, costs for remediation, and business disruption from outages. Each organization must weigh the pros and cons of paying ransoms given their unique circumstances.

[1] https://www.techtarget.com/searchsecurity/tip/Should-companies-pay-ransomware-and-is-it-illegal-to

[2] https://www.reuters.com/technology/alliance-40-countries-vow-not-pay-ransom-cybercriminals-us-says-2023-10-31/

Paying Ransom

Paying the ransom demand is often seen as the easiest way for victims to get their files back, but it comes with risks. According to research, the percentage of ransomware victims who pay the ransom has increased in recent years, from around 50% in 2021 to 70% in 2020 and 76% in 2019 [1]. Paying the ransom provides a quick solution to retrieve encrypted files, but it also perpetuates attacks by making them profitable for cybercriminals. There is no guarantee that files will be recovered after payment, as attackers may simply take the money without restoring systems. Victims are essentially funding future crimes when they pay ransoms.

However, refusing to pay the ransom often means accepting permanent data loss. Companies may determine the potential damage from losing files outweighs the risks of paying. Cyber insurance policies may cover ransom payments, further incentivizing victims to pay up rather than lose critical data. While the FBI recommends not paying ransoms, the decision ultimately comes down to each organization’s unique situation.

Conclusions

In summary, ransomware continues to pose a serious cyber threat in 2023, with attacks and payments reaching record highs. Though cryptocurrencies remain the preferred payment method for cybercriminals due to their anonymity, prepaid cards and money mules are emerging payment channels. Tracking ransomware payments is possible but challenging given the use of cryptocurrency mixers and privacy coins. While refusing to pay ransom demands may seem like the ethical choice, most victims feel compelled to pay, often repeatedly, to recover their data and resume operations.

Looking ahead, ransomware is expected to continue evolving, with new variants and business models like ransomware-as-a-service empowering less sophisticated actors. Companies of all sizes are at risk and must prioritize cybersecurity, offline data backups, and incident response planning. Though progress has been made on regulations and law enforcement efforts, ransomware will likely remain a highly profitable enterprise for cybercriminals until major cryptocurrency reforms allow better tracking of illicit funds. For now, vigilance and preparation are an organization’s best defense against the ransomware epidemic.

To protect against ransomware, organizations should implement best practices like keeping software updated, training employees on phishing risks, requiring strong passwords, restricting administrator privileges, and maintaining immutable offline backups. Seeking expertise from cybersecurity firms at the first sign of compromise can also mitigate damage and help navigate the response. While ransomware presents evolving challenges, prioritizing cybersecurity can significantly limit risks and impacts.