Inside the $1 million Bitcoin ransomware scams

Encrypting your files is a good security practice—except when someone else is doing it for you, with no good intentions at all.

Such is the case with ransomware, a type of malware that locks users out of their computer files and demands a ransom to decrypt them again. Use of this scam is on the rise, as digital hostage-takers rake in fortunes.

Estimating the profits of this market is not easy, because most ransoms are paid in Bitcoin, the peer-to-peer decentralized electronic currency system. One of Bitcoin's main characteristics is the ability to obscure users’ identities. Anyone can send and receive bitcoins without giving any personally identifying information. Instead of names or email addresses, a so-called wallet address, a seemingly arbitrary string, is used to move funds.

Bitcoin is not, however, a completely anonymous system. In a way, it is quite the opposite: every transaction ever performed appears on a public ledger called the blockchain. It is from this blockchain that researchers have extracted data, using a specialized tool that parses the blockchain and combines it with Bitcoin addresses posted on the Web. In this way, they managed to track the financial transactions of several ransomware operations.

Developed by three researchers from Italy’s Politecnico di Milano, a piece of software called BitIodine tracks money trails on the Bitcoin network by parsing the blockchain, clustering addresses that appear to belong to the same user or group of users, classifying users into categories, and labeling them with identifying information that is automatically scraped from openly available online sources, such as forums. Finally, it visualizes the data in a readable form.

As Italian computer security researcher Stefano Zanero explained to the Daily Dot:

As a Bitcoin user, you can create different addresses, and this helps obscure the users’ identity. BitIodine deploys some techniques to cluster different addresses belonging to the same user. And once you have that, you can scrape information from Bitcoin forums and exchanges, where users talk and publish their addresses. So, at that point, BitIodine relates a specific ‘address cloud’ to a specific user.

By using this tool, the researchers were able to investigate some activities involving Dread Pirate Roberts, founder of Silk Road. They were also able to estimate the profits made through the use of various ransomware viruses.

Criminals who use one such ransomware, called CryptoLocker, retain the only copy of the decryption key on their server and ask for the ransom to be paid with MoneyPak or Bitcoin within 72 hours. Once they receive payment, they promise to decrypt the files. (Not that you can necessarily trust them to do so.) The researchers used BitIodine to detect the clusters of addresses belonging to the CryptoLocker authors, and compiled statistics about the ransoms paid by victims.

Over a four-month period last year, the researchers identified 771 ransoms paid, for a total of 1,226 BTC (approximately $1,100,000 on Dec. 15, 2013). Some addresses received a single payment; others were reused several times. While BitIodine was not able to identify the creators of CryptoLocker, we still know that the malware generated hefty profits.

Cedric Pernet, a French security researcher, used BitIodine in the same way to investigate a new ransomware called BitCrypt. BitCrypt encrypts all pictures on the computer it infects, asks the user to pay a ransom to get the files back, and offers different payment methods: Bitcoin, MoneyGram or Western Union money transfer. The problem in this case was that BitCrypt’s ransom changed over time: sometimes 0.4 BTC (around $200, at the time of this writing), sometimes 0.2 BTC ($101), or 0.5 BTC ($250), etc. This made tracking the hostage-holders considerably more difficult.

“The cybercriminals were changing the ransom’s amount in order to adjust to the changing Bitcoin trading value, as well as to make it more difficult to identify addresses belonging to them, since if you always ask for the exact same amount it is easier to track your transactions,” says Zanero, who worked together with Pernet and the other two BitIodine creators, Federico Maggi and Michele Spagnuolo.

Nonetheless, by using BitIodine, they managed to analyze the payments sent to the known Bitcoin addresses used by the cybercriminals during the period from Feb. 5, 2014, when BitCrypt first appeared, to March 21. During this time, victims paid 164 ransoms totalling 46.877971 BTC (about $21,270 at the time of their analysis).
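The two analyses above (clustering the CryptoLocker addresses and counting ransom-sized payments to them, then doing the same for BitCrypt with its varying 0.2/0.4/0.5 BTC amounts) rest on two steps that the article describes only in outline. The following is an added example, not BitIodine's code or the researchers' data: it uses the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner; the article does not say which clustering heuristics BitIodine uses) over a small set of constructed transactions, then tallies incoming payments to the resulting cluster that match a set of known ransom amounts. All address names, transaction ids and amounts are made up.

```python
"""Added example (not BitIodine): common-input address clustering plus a
ransom tally over constructed transactions. Inputs are modelled as plain
addresses rather than UTXO outpoints, a simplification for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list[str]                   # addresses that spend in this tx
    outputs: list[tuple[str, float]]    # (receiving address, amount in BTC)


# Constructed sample data. V* are victims, R* are ransom addresses, X* are
# addresses the operator sweeps funds to, M1 is an unrelated merchant.
SAMPLE_TXS = [
    Tx("t1", ["V1"], [("R1", 0.4)]),
    Tx("t2", ["V2"], [("R2", 0.2)]),
    Tx("t3", ["V3"], [("R1", 0.5)]),          # R1 reused by a second victim
    Tx("t4", ["V4"], [("R3", 0.4)]),          # R3 not linked until t7
    Tx("t5", ["V5"], [("R1", 1.0)]),          # not a known ransom amount
    Tx("t6", ["R1", "R2"], [("X1", 1.09)]),   # R1 and R2 spent together
    Tx("t7", ["R2", "R3"], [("X2", 0.59)]),   # R2 and R3 spent together
    Tx("t8", ["V6"], [("M1", 0.4)]),          # same amount, unrelated address
]


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self) -> None:
        self.parent: dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs: list[Tx]) -> list[frozenset[str]]:
    """Common-input-ownership heuristic: every address that co-signs the
    inputs of one transaction is merged into one cluster."""
    ds = DisjointSet()
    for tx in txs:
        for addr in tx.inputs[1:]:
            ds.union(tx.inputs[0], addr)
    groups: dict[str, set[str]] = defaultdict(set)
    for tx in txs:
        for addr in tx.inputs:
            groups[ds.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def cluster_of(txs: list[Tx], seed: str) -> frozenset[str]:
    """Return the cluster containing a known ransom address (the seed)."""
    for c in cluster_by_common_input(txs):
        if seed in c:
            return c
    return frozenset({seed})


def tally_ransoms(txs: list[Tx], cluster: frozenset[str],
                  ransom_amounts: set[float], tol: float = 0.001):
    """Count payments into the cluster whose amount matches a known ransom
    (within tol BTC). Transactions spent by the cluster itself are skipped,
    since sweeps between the operator's own addresses are not victim payments.
    Returns (count, total_btc, payments per address)."""
    count, total = 0, 0.0
    per_addr: dict[str, int] = defaultdict(int)
    for tx in txs:
        if any(a in cluster for a in tx.inputs):
            continue
        for addr, amt in tx.outputs:
            if addr in cluster and any(abs(amt - r) <= tol for r in ransom_amounts):
                count += 1
                total += amt
                per_addr[addr] += 1
    return count, round(total, 8), dict(per_addr)


if __name__ == "__main__":
    ops = cluster_of(SAMPLE_TXS, "R1")
    print("operator cluster:", sorted(ops))
    # Several ransom amounts, as with BitCrypt; a single-amount filter would
    # miss the 0.2 and 0.5 BTC payments.
    print("variable amounts:", tally_ransoms(SAMPLE_TXS, ops, {0.2, 0.4, 0.5}))
    print("fixed amount only:", tally_ransoms(SAMPLE_TXS, ops, {0.4}))
```

On the constructed data the seed address R1 expands to the cluster {R1, R2, R3} through the two sweep transactions, four of the five incoming payments match a ransom amount (R1 shows the address reuse the article mentions), and restricting the filter to a single amount drops the count to two, which is the tracking problem Zanero describes. Real analyses have to work at the UTXO level and allow for mixing services and exchange hot wallets, which break the common-input assumption; that is why BitIodine combines the heuristic with scraped labels.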

“One might think this is a very lucrative activity for someone,” writes Pernet in a blog post. “Yet the cybercriminals rarely work alone, and have to share the profits. $21,000 a month (roughly) sounds like a good salary, yet if there are 10 people working on it, the profit is greatly reduced.”

That’s probably the reason why BitCrypt’s creators decided to add a new “feature”: In addition to asking for a ransom, they also use the malware to steal Bitcoins from infected machines.

Photo via William Hook/Flickr | Remix by Jason Reed (CC BY SA 2.0)