Blockchain & Cryptocurrency
Business Continuity Management / Disaster Recovery
Guidance Has Changed on Socking Away Bitcoins ‘Just in Case’ to Pay a Ransom
April 29, 2022
Don’t stockpile cryptocurrency in case your organization falls victim to ransomware-wielding attackers and might need to quickly pay a ransom.
This might seem obvious to anyone who’s watched the value of Bitcoin behave in wildly unpredictable ways in recent years. But not too many years ago, at least some organizations were reportedly stockpiling bitcoins in the event they got hit by a ransomware group (see: Ransomware Extortion: A Question of Time).
“The first place that people go to steal money is from digital wallets. … It’s a headache you don’t need.”
“One question we used to get more – and I don’t hear it as much now – is: ‘Should we have a wallet with bitcoins ready to pay a ransom?'” says attorney Guillermo Christensen, a partner at Indianapolis-based law firm Ice Miller who manages its Washington office.
“My answer to that, for almost every organization I’ve dealt with, is absolutely no,” he says. “The value fluctuates a lot. If you’re doing it for investment reasons, that’s fine. But the first place that people go to steal money is from digital wallets. … It’s a headache you don’t need, and there are plenty of reliable companies out there that will help you procure the Bitcoin or the Monero.”
Cryptocurrency Wallets at Risk
On the wallet front, criminals continue to use malware to not just infect systems, but to ransack them for cryptocurrency wallets. One of the typical terms and conditions of using a malware-as-a-service offering, for example, is that the user must share all stolen wallet information with the operator.
Trojanized versions of popular wallet apps – for both Android and iOS – also continue to be deployed by criminals, and Chinese cryptocurrency users are the top targets, says Lukas Stefanko, a malware researcher at security firm ESET.
“These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket or OneKey,” he writes in a research report.
Hitting a hot wallet allows attackers to capture the seed or recovery phrase that gets generated when a cryptocurrency wallet is first created. “This phrase is generated as a list of words that allow the wallet’s owner to access the wallet’s funds,” Stefanko writes. “If the attackers have a seed phrase, they can manipulate the content of the wallet as if it were their own.”
Hence the advice from Christensen to not try to keep your own “rainy day ransom payment” cache of cryptocurrency.
But what happens if your organization gets hit by ransomware and makes the decision to pay a ransom? Doing so is not illegal, at least in North America and Europe, provided the funds are not being sent to a sanctioned entity such as North Korea’s Lazarus Group or Russia-based Evil Corp, which runs ransomware such as WastedLocker (see: Russia’s War Further Complicates Cybercrime Ransom Payments).
Many ransomware groups prefer ransoms to be paid in Monero, aka XMR, since the privacy coin is by design tougher to trace. “Payments in Bitcoin – such as the one in the Colonial Pipeline attack – are made on an open, immutable public ledger that allows law enforcement to use tools like TRM to follow the flow of funds,” says Ari Redbord, head of legal and government affairs at blockchain analytics firm San Francisco-based TRM Labs and a contributor to Information Security Media Group.
Given the cost of attempting to launder Bitcoin – often via tumbler or mixer services, which are not free – ransomware groups often charge a premium for victims who choose to pay in Bitcoin, aka BTC. “Instead of it being a matter of ‘only accepting Bitcoin,’ we have received demands in Monero with an upcharge of 10% to 15% if payment is made via Bitcoin,” says attorney Catherine Lyle, the head of claims at Coalition, a San Francisco-based cybersecurity insurance company.
Other experts I spoke with say they’ve seen premiums for paying in Bitcoin that range from 5% to 20%.
Even so, Bitcoin remains “the prominent crypto requested by threat actors,” Lyle says. Beyond Monero, while other cryptocurrencies are available, ransomware incident response experts tell me attackers rarely, if ever, offer them as a payment option. Likewise, it’s the rare group that only seeks Monero (see: Ransom Payments: Monero Promises Privacy; Bitcoin Dominates).
How to Source Bitcoin or Monero
For any ransomware victim that wants to pay in Monero, however, it’s relatively difficult to obtain. “It is highly illiquid as compared to BTC and not traded on most domestic venues,” says Bill Siegel, CEO of ransomware incident response firm Coveware, based in Westport, Connecticut.
Supply of Monero is more restricted because numerous exchanges have de-risked by dropping support for Monero over concerns about how the privacy coin can be used for money laundering, and under pressure from governments as well as industry partners, Redbord at TRM Labs says.
The vast majority of cryptocurrency transactions are not for illicit purposes, he says. But by not handling Monero, it’s easier for exchanges to better comply with “know your customer” and anti-money laundering regulations.
Hence, coming up with enough Monero on your own to pay a ransom can be challenging. “While not recommended, organizations who attempt to manage ransomware negotiations and payments themselves may find it marginally harder to acquire Monero over Bitcoin due to some popular exchanges that do not offer purchases of Monero,” says Jason Rebholz, CISO at Boston-based commercial insurance provider Corvus Insurance.
But firms that assist ransomware victims will be able to source Bitcoin or Monero on short notice. “For third-party providers who specialize in ransomware negotiations and payments, there is no increased difficulty in obtaining Monero – aside from the ethical factor that it will knowingly be more difficult for law enforcement to track payment paths,” Rebholz says.
Working With Experts Can Pay
This is one more reason why experts recommend ransomware victims always work with experienced responders. Last year, for example, it emerged that security firm Emsisoft had been quietly working with partners and victims to help exploit cryptography weaknesses in DarkSide and later in its BlackMatter spinoff. These weaknesses allowed some victims to decrypt their files without having to pay for a decryptor (see: Memo to Ransomware Victims: Seeking Help May Save You Money).
Ransomware incident response firms, law firms, and others who help victims will amass intelligence on specific attackers, including their propensity to provide a decryption tool if a victim pays, how often such tools work and how the group negotiates when it comes to talking down their initial ransom demand.
Such information can help a victim more rapidly make informed decisions about how to proceed. “It’s one of the reasons why I’ve been working very hard to try to build a combination of the legal, the threat intelligence, the negotiations, to try to integrate them in a way that allows us to be able to put all that information together and get maximum value from every little bit of data we get in that negotiation,” Ice Miller’s Christensen says.
The goal with these types of playbooks, with each one tailored to a particular threat group, he says, is “to be able to give our client the best advice: This is what you should do, this is what this is worth, this is what they’re going to want, this is how they’re going to negotiate with us, and yes, we can make this payment. Or, if we figure it out very early on that no, we can’t, then we spend a lot more money recovering, because that’s your only way out.”