Ransomware's bitcoin problem: How price surge means a headache for crooks

Ransomware authors are profiting from the rise of the cryptocurrency -- but it's also bringing some unexpected problems for them and other dark web operators.
Written by Danny Palmer, Senior Writer

The value of bitcoin has soared in recent days: at one point the cryptocurrency was worth almost $19,000 before it dropped back to around $16,500, where it has roughly remained since.

It's almost impossible to predict what will happen next. The price of bitcoin could rise again or it could crash -- but, for now at least, a single unit of the cryptocurrency is worth a significant amount of money.

Bitcoin has become the popular payment method for ransomware over the last two years, as the digital currency provides cybercriminals with a means of collecting ransoms, while also making it difficult to identify those collecting the ransom, thanks to the level of anonymity it offers. WannaCry, the biggest ransomware event of the year, for example, hit hundreds of thousands of PCs around the globe, encrypting files and demanding a payment of $300 in bitcoin for the safe return of what was stored on the machine.

In this instance, the ransomware code itself was poorly written and the vast majority of victims were able to restore their systems without giving in to the demands of the cyber-attackers.

However, by the time those behind WannaCry had withdrawn funds from the associated Bitcoin wallets -- a full three months after the attack -- the 338 payments victims had made were worth around $140,000, an increase in value of just under $50,000 compared to when the majority of payments were made.

If those behind WannaCry have held onto their illicit investment, they could now be sitting on over $1m of bitcoin.

But the sudden spike in bitcoin could actually be problematic for some cybercriminals. Before the surge in value, 1 or 0.5 bitcoin was a common ransom demand, with the idea that if the fee was low enough -- back then the ransom value worked out at a few hundred dollars -- this would encourage the victim to pay up.

Even as the value of bitcoin steadily rose during the summer, some attackers were still using the standard amounts of cryptocurrency as their ransom demand. For example, Magniber ransomware demanded a payment of 0.2 bitcoin ($1,138 in mid-October), rising to 0.4 bitcoin ($2,275 in mid-October) if the payment wasn't received within five days. Two months later, 0.2 bitcoin is currently worth $3,312 while 0.4 bitcoin is up to $6,625. Princess ransomware is another recent example of malware that demanded a set amount of bitcoin.


Even if the victim is extremely attached to the encrypted content of their computer, it's likely that the rising cost of bitcoin means the price will be seen as too much to pay -- with the result that the attackers make nothing.

It means that those malware writers operating with this model need to be almost constantly changing the ransomware demand in order to take into account fluctuations in the currency.

"We are seeing new ransomware malware families and their variants every week with prices adjusted to bitcoin exchange rate," Param Singh, director of security company Carbon Black's threat analysis unit, told ZDNet.

"The rising cost of bitcoin means that ransomware operators have to constantly change their prices to make sure they remain within the range where they get maximum conversion-rate and profits."

Many forms of ransomware already ask for the payment of a specified amount of dollars to be made in bitcoin. While this approach pins hopes on victims being able to buy a specific amount of bitcoin and successfully transfer the payment -- which some criminal gangs get around by manning help desks providing advice on buying cryptocurrency -- it's more likely to result in the victim paying up, especially if the figure is just a few hundred dollars.

"I imagine the volatility of bitcoin pricing has been an unexpected problem for cybercriminals. The average ransom demand has remained somewhere between $300 to $1000, and normally the ransom note will specify a USD amount," Andy Norton, director of threat intelligence at Lastline, told ZDNet.

It isn't just ransomware distributors who might be faced with the problem of valuing items in pure bitcoin: a Dark Web vendor -- whether they are selling malware, weapons, drugs, or any other illegal item -- might find that setting their price in pure bitcoin will quickly result in them pricing themselves out of the market.

With bitcoin prices continuing to rise, sophisticated cybercriminal operators can likely react to it, altering prices on a day-to-day basis to ensure that they're able to sustain their business.

Criminals are trying out alternative pricing models for ransomware already. Some criminals already operate around the idea that they charge victims just enough so that they don't see the ransom as too much to pay -- and that often depends on the country the victims are in. The Fatboy ransomware payment scheme charges victims in poorer countries less than those in richer ones.

Meanwhile, those behind Scarab ransomware have started asking victims to suggest a payment amount for receiving the encryption key for their files.

Another factor: if a cybercriminal group has been active in ransomware for the last two years -- and hasn't immediately spent everything it made -- the major rise in bitcoin means it is now sitting on a nest egg of cryptocurrency which has a much higher value than it used to.

While ransomware is profitable for now, that might not always be the case and it's likely that ransomware kingpins will take some of what they've made from the rise of bitcoin and put it into other areas of cybercrime.

"The surge in bitcoin prices has also resulted in huge profits for early ransomware operators, therefore opening more choices for them such as purchasing zero-days, Botnets, malware, hosting, and so on to expand their attack operations," said Carbon Black's Singh.

So while the rise of bitcoin might create some problems for some cybercriminals in the short term when it comes to dealing with how to best price their products, others will be hoping the boom continues -- because they're getting rich off the stockpiles they've already acquired.
