Encrypting your files is a good security practice, except when someone else is doing it for you, with no good intentions at all.
Such is the case with ransomware, a type of fraudulent malware that locks users out of their precious computer files and demands a ransom to decrypt them again. The use of this scam is on the rise, as digital hostage-takers rake in fortunes.
Estimating the profits of this kind of market is not an easy task, because most ransoms are paid in Bitcoin, the peer-to-peer decentralized electronic currency system. One of the main characteristics of Bitcoin is the ability to obscure users’ identities. Anyone can send and receive bitcoins without giving any personally identifying information. Instead of names or email addresses, a so-called wallet address, a string of arbitrary numbers, is used to move funds.
Bitcoin is not, however, a completely anonymous system. In a way, it is quite the opposite: every transaction ever performed appears on a public ledger called the blockchain. It is from this blockchain that researchers have extracted data, using a specialized tool that scrapes and analyzes relevant information from the blockchain and from Bitcoin addresses posted on the Web. In this way, they managed to track some ransomware’s financial transactions.
Developed by three researchers from Italy’s Politecnico di Milano, a piece of software called BitIodine tracks money trails on the Bitcoin network by parsing the blockchain, clustering addresses that seem to belong to the same user or group of users, classifying users into categories, and labeling them with identifying information that is automatically scraped from openly available online sources, such as forums. Finally, it visualizes the data in a readable form.
As Italian computer security researcher Stefano Zanero explains it to the DailyDot:
As a Bitcoin user, you can create different addresses, and this helps obscure the users’ identity. BitIodine deploys some techniques to cluster different addresses belonging to the same user. And once you have that, you can scrape information from Bitcoin forums and exchanges, where users talk and publish their addresses. So, at that point, BitIodine relates a specific “address cloud” to a specific user.
By using this tool, the researchers were able to investigate some activities involving Dread Pirate Roberts, founder of Silk Road. They were also able to estimate the profits made through the use of various ransomware viruses.
Criminals who use one such ransomware, called CryptoLocker, retain the only copy of the decryption key on their server and ask for ransoms to be paid with MoneyPak or Bitcoin within 72 hours. Once they receive payment, they promise to decrypt the files. (Not that you can necessarily trust them to do so.) Researchers used BitIodine to detect the clusters of addresses belonging to the CryptoLocker authors, and compiled some statistics about ransoms paid by the victims.
Over a four-month period last year, the researchers managed to identify 771 ransoms paid, for a total of 1,226 BTC (approximately $1,100,000 on Dec. 15, 2013). Some addresses received a single payment; others were reused several times. While BitIodine was not able to identify the creators of CryptoLocker, we still know that the malware generated hefty profits.
French security researcher Cedric Pernet investigated a new ransomware called BitCrypt, using BitIodine to do the same. BitCrypt is malware that encrypts all pictures on the computer it infects, asking the user to pay a ransom to get the files back and offering different payment methods: Bitcoin, MoneyGram or Western Union money transfer. The problem in this case was that BitCrypt’s ransom changed over time: sometimes 0.4 BTC (around $200, at the time of this writing), sometimes 0.2 BTC ($101), or 0.5 BTC ($250), etc. Doing this made tracking the hostage-holders incredibly difficult.
“The cybercriminals were changing the ransom’s amount in order to adjust to the changing Bitcoin trading value, as well as to make it more difficult to identify addresses belonging to them, since if you always ask the exact same amount it is easier to track your transactions,” says Zanero, who worked together with Pernet and the other two BitIodine creators, Federico Maggi and Michele Spagnuolo.
Nonetheless, by using BitIodine, they managed to analyze the payments sent to the known Bitcoin addresses used by the cybercriminals over the period from Feb. 5, 2014, when BitCrypt first appeared, to March 21. During this time, victims paid 164 ransoms totalling 46.877971 BTC (about $21,270 at the time of their analysis).
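To make the clustering and labeling steps described above concrete, here is an added toy example in Python; it is not BitIodine's code and the article does not say which heuristics BitIodine uses, so the one applied here is an assumption: the classic multi-input heuristic, which treats every address that funds the same transaction as controlled by one entity. The transactions, addresses and the "scraped" ransom-note label are all constructed for the example. Merging linked addresses first is what lets an analyst total the payments into a criminal's address cloud even when, as with BitCrypt, the requested amount keeps changing.

```python
"""Toy Bitcoin address clustering in the style described for BitIodine (added example,
not the project's own code). Addresses, transactions and labels are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Tx:
    """Simplified transaction: the addresses it spends from and its (address, amount) outputs."""
    txid: str
    inputs: Tuple[str, ...]
    outputs: Tuple[Tuple[str, Decimal], ...]


class UnionFind:
    """Disjoint-set structure used to merge addresses into clusters."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, addr: str) -> str:
        self.parent.setdefault(addr, addr)
        root = addr
        while self.parent[root] != root:
            root = self.parent[root]
        while addr != root:  # path compression keeps later lookups cheap
            nxt = self.parent[addr]
            self.parent[addr] = root
            addr = nxt
        return root

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs: List[Tx]) -> Dict[str, str]:
    """Multi-input heuristic (assumed, not taken from the article): all inputs of one
    transaction are controlled by the same entity, so they are merged into one cluster.
    Returns address -> cluster id, where the id is the smallest member address."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx.inputs:
            uf.union(tx.inputs[0], addr)
        for addr, _ in tx.outputs:
            uf.find(addr)  # register output-only addresses as singleton clusters
    members: Dict[str, Set[str]] = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: min(group) for group in members.values() for addr in group}


def label_clusters(clusters: Dict[str, str],
                   scraped: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Attach labels scraped from public sources (forum posts, ransom notes) to whole
    clusters: a label seen on one address applies to every address merged with it."""
    labels: Dict[str, Set[str]] = defaultdict(set)
    for label, addr in scraped:
        if addr in clusters:
            labels[clusters[addr]].add(label)
    return dict(labels)


def payments_to_cluster(txs: List[Tx], clusters: Dict[str, str],
                        cluster_id: str) -> Tuple[int, Decimal, Set[Decimal]]:
    """Count and total incoming payments to a cluster, regardless of amount.
    Transactions spent from the cluster itself (the operators moving their own coins)
    are skipped so that consolidation does not inflate the ransom count."""
    count, total, amounts = 0, Decimal("0"), set()
    for tx in txs:
        if any(clusters.get(a) == cluster_id for a in tx.inputs):
            continue
        for addr, amount in tx.outputs:
            if clusters.get(addr) == cluster_id:
                count += 1
                total += amount
                amounts.add(amount)
    return count, total, amounts


# Constructed sample ledger: four victims pay three different ransom amounts to three
# different addresses; t4 is the operators sweeping all three into one transaction.
SAMPLE_TXS = [
    Tx("t1", ("victim1",), (("ransom_a", Decimal("0.4")),)),
    Tx("t2", ("victim2",), (("ransom_b", Decimal("0.2")),)),
    Tx("t3", ("victim3",), (("ransom_c", Decimal("0.5")), ("victim3_change", Decimal("0.05")))),
    Tx("t4", ("ransom_a", "ransom_b", "ransom_c"), (("cashout", Decimal("1.1")),)),
    Tx("t5", ("victim4",), (("ransom_a", Decimal("0.4")),)),
]
# Constructed "scraped" label: one address was seen in a posted ransom note.
SCRAPED_LABELS = [("BitCrypt ransom note (constructed)", "ransom_b")]


def summarize(txs: List[Tx] = SAMPLE_TXS, scraped=SCRAPED_LABELS) -> dict:
    """Run the pipeline: cluster, label, then total payments into the labeled cluster."""
    clusters = cluster_addresses(txs)
    labels = label_clusters(clusters, scraped)
    cluster_id = next(iter(labels))
    count, total, amounts = payments_to_cluster(txs, clusters, cluster_id)
    return {
        "cluster": sorted(a for a, c in clusters.items() if c == cluster_id),
        "labels": sorted(labels[cluster_id]),
        "payments": count,
        "total_btc": str(total),
        "distinct_amounts": sorted(str(a) for a in amounts),
    }


if __name__ == "__main__":
    print(summarize())
```

Running the block prints one labeled cluster of three ransom addresses with four payments totalling 1.5 BTC across three distinct amounts; the single label seen on `ransom_b` propagates to `ransom_a` and `ransom_c` only because the sweep transaction `t4` linked them. Real analysis adds further heuristics (change-address detection, for one) and has to cope with false merges from services that mix coins of many users, which this toy ignores.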
“One might think this is a very lucrative activity for someone,” writes Pernet in a blog post. “Yet the cybercriminals rarely work alone, and have to share the profits. $21,000 a month (roughly) sounds like a good salary, yet if there are 10 people working on it, the profit is greatly reduced.”
That’s probably the reason why BitCrypt’s creators decided to add a new “feature”: in addition to asking for a ransom, they also use the malware to steal bitcoins from infected machines.
Photo via William Hook/Flickr | Remix by Jason Reed (CC BY SA 2.0)