Ransomware: Why the crooks are ditching bitcoin and where they are going next

The popularity of bitcoin is creating problems for criminals dealing in ransomware -- and some are already casting their gaze towards a less volatile cryptocurrency.
Written by Danny Palmer, Senior Writer

While bitcoin has recently found itself in the public eye thanks to its rocketing -- and, more recently, plummeting -- value, it hasn't appeared from nowhere.

The blockchain-based cryptocurrency -- the first decentralised payment method of its kind -- first appeared in 2009. However, for over half a decade, it didn't receive much attention outside of a community of enthusiasts and technologists claiming it to be the future of money.

But there was one group for whom the almost-anonymous nature of bitcoin was highly appealing: cybercriminals. Bitcoin was used to trade in illicit products and services on the dark web, as it was relatively simple to get hold of, reliable, and very hard for anyone to monitor transactions and where the money ended up.


Bitcoin has become the standard currency in which ransomware crooks demand their fee for returning encrypted files and systems to victims, and the hard-to-trace nature of the cryptocurrency has arguably played a role in the rise of ransomware.

However, before bitcoin came along, criminals used other means of accepting ransom funds, such as Ukash and Paysafecard, to secure their fees, and there are signs that those who deal in ransomware are already casting their gaze towards new forms of payment.

"We'll see a progressive shift in 2018 towards criminal use of cryptocurrencies other than bitcoin, making it generally more challenging for law enforcement to counter," Rob Wainwright, executive director of Europol, recently warned.

There are various reasons why cybercriminal operators may want to move their operations away from bitcoin. Those range from its current high profile and high value, which means even small fluctuations can dramatically alter the cost of a bitcoin, to worries that the anonymity it offers isn't all it's cracked up to be, as demonstrated by arrests and takedowns after authorities followed a bitcoin trail.

"There have been a number of high profile takedowns of services which relied on bitcoin lately, like AlphaBay, which caused huge disruption to the cybercriminal ecosystem," Jon Condra, director of East Asian research and analysis at Flashpoint, told ZDNet.

"Those services relied very heavily on bitcoin, so you get a psychological effect about bitcoin maybe not being as secure as they think it is, so people are trying to find alternatives to the loss of anonymity bitcoin affords," he said.


The popularity of bitcoin has also caused issues in trading it. For starters, the volatility of the currency has led to some legitimate companies refusing to accept it as a means of payment -- meaning that they're off-limits to those who only want to pay with cryptocurrency.



General interest in bitcoin spiked as it went up in value, leading to an increase in the number of consumers attempting to purchase the currency, whether due to the hype or in the hope that they could get rich from it.

That's led to an increase in transaction fees and delays in trading -- which, combined with fluctuations in bitcoin, has the potential to make some transactions virtually worthless for those involved.

"The fact that so many people are legally buying into bitcoin right now has dramatically increased the volume of trading. There's a limited amount of transactions per block, if the block is full those transactions are full and you have to wait," Gabriel Glusman, senior cyber intelligence analyst at Sixgill, told ZDNet.

"So, the time it takes for transactions to confirm, the high volume, and the transaction fees makes it that anything that's less than $200 isn't worth paying in bitcoin, because the transaction fees are crazy."

It all means that buying bitcoin and making purchases with it can now take weeks. But, given that the whole purpose of ransomware is to allow cybercriminals to make a quick buck with minimal effort, waiting around for days before receiving a payment isn't something a ransomware distributor will be prepared to do.

"If you're the guy behind the ransomware campaign, you want people to pay you -- you don't want people not to be able to pay you! You want to make it as easy as possible," said Glusman.

Meanwhile, ransomware victims don't really want to have to pay to get their files back at the best of times -- they give in grudgingly -- but the incentive to pay might go out the window if it's going to take them days to buy bitcoin and pay the hackers before getting their files back. And there's an even bigger headache: many forms of ransomware offer only a small window for victims to pay the ransom. If that expires, victims risk the ransom going up or even losing their data permanently. Delays in being able to buy bitcoin and then make the payment make it even harder for ransomware victims to be able to get their data back.

This is also a headache for the ransomware crooks: ultimately, there's no point in a ransomware distributor being in the business if they can't get paid for their illicit activity.


However, a number of alternatives to bitcoin have emerged in the cryptocurrency space -- and these 'altcoins' are gaining popularity amongst the cybercriminal fraternity, who want speed and security when conducting transactions.

"What we started to see in 2017 was a diversification of cryptocurrencies used on the dark web, like ethereum, which really gained a lot of prominence and is increasingly used for dark web transactions," said Sixgill's Condra.

One alternative which is gaining traction with ransomware distributors in particular is Monero.

Launched in 2014, this cryptocurrency comes equipped with additional privacy and security features which stop transactions from being traced back to users -- and transaction histories can't be viewed either. That improves security for all users, but will also make things harder for authorities tracking those who use Monero as their currency of choice for ransomware demands.

While Monero is not yet a widespread payment method for distributors of ransomware, there are a number of examples of ransomware demanding that the fee for unlocking be paid in it, such as Kirk ransomware.

It might not currently have anywhere near the value of bitcoin, but it comes with stability -- fluctuations in value mean changes of a few dozen dollars rather than a few thousand dollars -- and the knowledge for its illegal users that they're going to be harder to track down.

"The ransomware guys are decisively moving more towards Monero because of the privacy it offers: it's encrypted and all the coins look the same," said Glusman.

Instead of providing instructions on how to buy bitcoin -- which, thanks to its popularity, might now prove cumbersome -- it's likely cybercriminals will soon be providing their ransomware victims with instructions on how to buy and exchange Monero. Some companies have reportedly started buying amounts of bitcoin so that they can be ready to pay up if they are hit with ransomware; if crooks start demanding different currencies, this may mean corporate security teams will have to manage holdings in various exotic cryptocurrencies.

But there could still be a use for bitcoin in all of this, even if attackers move onto Monero as their preferred form of ransom payment.

While bitcoin's volatility means its value can rise or drop by thousands of dollars in just a matter of hours, its potential high value could make it something of a savings account or investment opportunity for professional cybercriminals who don't want to spend all their illicit earnings immediately, and prefer to play a long game instead.

"Bitcoin is turning more into a nest egg like grandma's jewels. It's something you want to keep for a long time while it retains value," said Glusman.

Those attackers who already have bitcoin aren't likely to want to cash out now -- even if the value is sliding -- they'll either wait until the hype dies down, or play the very long game in the hope their bundle of bitcoin can be withdrawn for a high value in future.

In the meantime, don't be surprised if, when you hear about attackers holding a system hostage with ransomware, they're demanding Monero, not bitcoin.
