The latest ransomware attack has resulted in the attacker receiving $25,000 so far (15-05-2017).
You may wonder why people have given in to the demands of the attacker. After all, “We don’t negotiate with terrorists criminals”… Right?
Well, no. Actually, not only do many companies give in to these demands, so do many individuals. The reason is simple, and is best shown with a diagram:
Clearly, if you don’t have any way of paying, you can’t. However, most people who can afford a computer and have things on that computer worth more than the ransom amount (£230) can afford the ransom. That is why I have not included a ‘Can you pay’ section in the diagram. If you have something that is worth more than the ransom, YOU WILL find a way to raise the money to pay it. If you cannot, it suggests that the value of your encrypted data is actually below the ransom demand.
But why would I trust this Criminal!! What if they take my money (bitcoin) and run away?
This is the most common reaction to hearing that you have to trust your attacker by sending money before your hard drive is decrypted. But let’s look at the diagram again, this time with this option added in.
The worry is that you will end up in the red NO box. You will have paid the ransom & lost your data. However this worry is overestimated because the brain assumes that the 2 possible outcomes (Attacker Does or Doesn’t decrypt) are equally likely. This is not the case… Another Diagram is needed.
Now that we have probabilities, we can begin to see why almost everyone without a backup WILL pay. Say there is an X% chance that the attacker is ‘reliable’. Clearly, if X = 100% the diagram collapses back to the one shown previously, and if X = 0% there is no point paying the ransom at all. However, the point of ransomware is to make the attacker richer. If X = 0% they will be no richer, because everyone will know that X = 0% and no-one will pay the ransom. If this were the case, Official Advice would be ‘Don’t Pay’.
But the official advice is not ‘Don’t Pay’… It’s the opposite.
“To be honest, we often advise people just to pay the ransom.” – FBI’s CYBER and Counterintelligence Programs’ Joseph Bonavolonta
This is because, for the reason explained, once your data is encrypted your aims and objectives are relatively aligned with those of the attacker. You want your data, and will pay because you value the data. The attacker wants your money, and will decrypt your data because a ‘good reputation’ improves the chance that the next person targeted will pay… i.e. they have shown that X>0%.
In summary, it is clear that you will pay the ransom demand provided:
- You have no backups
- You value the content on the computer more highly than the ransom ($300 / £230)
- You can afford it, or can raise funds to afford it.
So now you wish to pay the attacker… which sounds strange.
But how? How can an attacker accept payment without getting caught? In this case, the attacker has decided to use Bitcoin. The reason is simple… it is currently the only viable option.
That is not to say that it is the optimal solution (for reasons which I will explain).
The attack is not targeted! This is VERY important. It means that the attacker needs to use a payment method that is suitable for even the most technically inept. It also means that the payment method must be usable Globally. Finally, to encourage people to pay, ransomware typically uses a countdown after which the data is wiped. This means that the payment method has to be fast.
Bitcoin is the only payment method that can achieve all of these things, now, to a reasonable level whilst ensuring the attacker has A CHANCE of not getting caught. Any other method is either too complex for most people to perform (Monero etc.) due to the extra steps and software required, or would GUARANTEE that the attacker gets caught (Bank Transfer).
Why is this interesting?
This is interesting because in Bitcoin all transactions are published in public. This is the fundamental nature of the current Bitcoin network and it applies to ALL transactions, regardless of the process used by either the sender or the receiver. From screenshots posted on Twitter we can see that there are a number of different payout addresses for this attack.
(12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn, 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94)
Because these transactions are public, we can see how many people have paid, and whether the attacker has moved their bitcoin.
So too can law enforcement agencies in all 100+ countries in which people have been affected.
As the attack has affected over 200,000 individual computers, these bitcoin addresses will be carefully monitored for a long time.
The attackers are therefore left with one real option… convert this cryptocurrency to another more private currency (such as Monero) and back to bitcoin for conversion out into their local currency. Even if they don’t wish to cash out (into Fiat) they will probably need to do this in order to eliminate the possibility that they get caught in possession of the private key that provides access to these funds.
The issue with this is that if they use a centralised exchange (such as Shapeshift), Shapeshift will be able to decline the transaction as it is coming from a known attacker who acquired the bitcoin through illegal means. This will be the case for all services which require some level of KYC (Know your customer) for large value exchanges.
Thus, the only option for the attacker is to use a decentralised exchange which operates using a peer to peer model. If the attacker sends these tainted funds to their wallet on such an exchange (such as bitsquare) and then sells their bitcoin on the market (in exchange for Monero), all those individual users who bought bitcoin (for Monero) will have accepted stolen goods.
Because the bitcoin blockchain is public, and this is a high profile case, it could be argued that those performing this action are knowingly accepting stolen goods. This would be illegal in most of the world.
But what if they argued that they did not know about the attack or the addresses involved?
Do those using decentralised P2P exchanges have a responsibility to check the addresses of those they are exchanging with?
What if they don’t know the source of the funds until the transaction has been completed, are they under a legal (or moral) obligation to turn the funds in?
These questions will only become relevant if this situation were to occur, but in my view, there is no way that this situation will NOT occur. Furthermore, it is very possible that this has already happened in the past.
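The monitoring and exchange-side screening described above, as an added example that is not part of the original post: it tallies payments to the three quoted addresses, reports whether funds have moved, and marks every downstream address as tainted. The transactions, the names such as `hop-1` and `p2p-buyer`, and the simplified (txid, inputs, outputs) format are constructed for illustration and are not real chain data.

```python
W1 = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
W2 = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
W3 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
WATCHED = {W1, W2, W3}  # the payout addresses quoted in the post

# Constructed sample data, NOT real chain history. Each transaction is
# (txid, inputs, outputs), where inputs/outputs are (address, satoshis) pairs.
SAMPLE_TXS = [
    ("t1", [("victim-a", 17_010_000)], [(W1, 17_000_000)]),
    ("t2", [("victim-b", 17_010_000)], [(W1, 17_000_000)]),
    ("t3", [("victim-c", 34_010_000)], [(W2, 34_000_000)]),
    ("t4", [(W1, 34_000_000)], [("hop-1", 33_990_000)]),
    ("t5", [("hop-1", 33_990_000)], [("p2p-buyer", 20_000_000), ("hop-2", 13_980_000)]),
    ("t6", [("bystander", 5_000_000)], [("shop", 4_990_000)]),
]

def summarise(txs, watched):
    """Per watched address: incoming payment count, satoshis received/spent."""
    stats = {a: {"payments": 0, "received": 0, "spent": 0} for a in watched}
    for _txid, inputs, outputs in txs:
        for addr, value in inputs:
            if addr in watched:
                stats[addr]["spent"] += value
        for addr, value in outputs:
            if addr in watched:
                stats[addr]["payments"] += 1
                stats[addr]["received"] += value
    for s in stats.values():
        s["balance"] = s["received"] - s["spent"]
        s["moved"] = s["spent"] > 0  # True once the attacker spends from it
    return stats

def tainted(txs, watched):
    """Addresses downstream of the watched set. 'Poison' taint: any tainted
    input taints every output. txs must be in chronological order."""
    dirty = set(watched)
    for _txid, inputs, outputs in txs:
        if any(addr in dirty for addr, _ in inputs):
            dirty.update(addr for addr, _ in outputs)
    return dirty - set(watched)

def screen_deposit(address, txs, watched):
    """Exchange-side check: refuse funds traceable to the watched addresses."""
    hit = address in watched or address in tainted(txs, watched)
    return "decline" if hit else "accept"
```

Poison taint is the strictest rule: it flags the peer-to-peer buyer as well as the intermediate hops, which is exactly the position the questions above are asking about.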
Please get in touch if you have any thoughts/ideas/questions at @uk_c_c or firstname.lastname@example.org