The Role of Cryptocurrency in Ransomware Attacks


Ransomware attacks are on the rise and have recently been front page news with attacks on the Colonial Pipeline, JBS Food and Kaseya. This ever-evolving malware can encrypt your files and block access to them. Previous ransomware attacks stole or accessed data and held that hostage while demanding a ransom and threatening to leak or sell the data.

However, more recent attacks have a change of strategy and target specific companies and encrypt the data, often causing severe disruption to service and often society in general. In exchange for decryption, and service returning to normal, malicious actors demand a ransom. The adjustment in strategy by cybercriminals is largely due to the booming world of cryptocurrency.

Why cryptocurrency? According to the Wall Street Journal, hackers that request payment in the form of cryptocurrency can be “difficult to pursue across digital wallets and national borders.” In addition, these exchanges often take place overseas, severely limiting governmental regulatory power and law enforcement.

What is Cryptocurrency?

Unlike paper money, cryptocurrency, also known as “crypto,” is a form of digital payment used to purchase goods and services online and is not issued by a central authority. Companies like Bitcoin, Ethereum, and Cardano have issued their own forms of currency, or tokens, that users can buy and trade. You can purchase cryptocurrency using real money.

“Cryptocurrency is a form of digital payment you can use to purchase goods and services online.”

These companies use blockchain technology, a ledger spread across many different computers that manage and record transactions. It is a highly secure technology; however, it is also anonymous and hard to trace, which makes it extremely attractive to cybercriminals today.

Why is Cryptocurrency Used for Ransomware?

Using cryptocurrency, cybercriminals can transport vast amounts of money across international boundaries within seconds. The ease and speed of transactions, coupled with the lack of traceability, have made it the go-to solution for ransomware hackers.

With the rise of cryptocurrency in recent years, cybercriminals have shifted from conducting small-scale theft – stealing money from individual bank accounts or credit cards – to extorting huge ransoms from leading corporations and governments (NPR). Many of these cyber thieves live outside of the U.S., in countries like Russia, making it even more difficult to trace them or catch them in the act.

“In recent years, cybercriminals have shifted from conducting small-scale theft to extorting huge ransoms from leading corporations and governments.”

How Does a Ransomware Attack Work?

There are several variants of ransomware (WannaCry, CryptoLocker, Bad Rabbit, GoldenEye, Jigsaw, etc.) with the same goal: gain access to a network, encrypt the data and demand a ransom. Bad actors use different methods for gaining access; some of the more common are phishing, stealing employee login information and exploiting vulnerabilities such as the zero-day vulnerability in Pulse Secure’s VPN appliances.

Using phishing as an example, the main steps to a ransomware attack are:

  1. Hackers deliver ransomware to victims via email attachments masquerading as trustworthy files. By downloading and opening the file, access is given to your system.
  2. The malware then begins encrypting files that cannot be decrypted until the attacker sends you a decryption key.
  3. Once the files are encrypted and the attack is complete, the victim receives a ransom notification with instructions. This is embedded in the malware and often it will replace the computer screen background with a ransom note. Another common method is the malware will place text files with the ransom note in each encrypted directory.
  4. The attacker requires payment via Bitcoin or another form of cryptocurrency in exchange for a decryption key to unlock and release your data.
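As an added example (not from the article), here is a small detector for the two signs described in steps 2 and 3: file contents that have become high-entropy, and a ransom-note text file dropped in the same directory. The in-memory filesystem, keyword list and entropy threshold are constructed for this example.

```python
"""Flag directories with encrypted-looking files plus a dropped ransom note.
Added example, not from the article; the filesystem is a constructed dict."""
import math
import random
from collections import defaultdict
from posixpath import basename, dirname

NOTE_WORDS = ("encrypted", "decrypt", "bitcoin", "ransom")
ENTROPY_THRESHOLD = 7.0   # bits per byte; ordinary text sits well below 6

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means fully random-looking."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """Small .txt file that uses at least two ransom-note keywords."""
    if not name.lower().endswith(".txt") or len(data) > 4096:
        return False
    text = data.decode("utf-8", errors="ignore").lower()
    return sum(w in text for w in NOTE_WORDS) >= 2

def flag_encrypted_dirs(files: dict, min_encrypted: int = 2) -> list:
    """Directories holding a ransom note and >= min_encrypted high-entropy files."""
    encrypted = defaultdict(int)
    noted = set()
    for path, data in files.items():
        d = dirname(path)
        if looks_like_ransom_note(basename(path), data):
            noted.add(d)
        elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
            encrypted[d] += 1
    return sorted(d for d in noted if encrypted[d] >= min_encrypted)

# Constructed sample: "docs" was hit, "clean" was not.
_rng = random.Random(7)   # seeded stand-in for ciphertext, so the sample is reproducible
def _random_blob(n): return bytes(_rng.getrandbits(8) for _ in range(n))
SAMPLE_FILES = {
    "docs/q1_report.docx": _random_blob(2048),
    "docs/budget.xlsx": _random_blob(2048),
    "docs/RESTORE_FILES.txt": b"All your files are encrypted. Pay 2 bitcoin for the decrypt key.",
    "clean/notes.txt": b"Meeting notes: review backups and the patching schedule.\n" * 40,
    "clean/todo.txt": b"1. renew certificates\n2. review firewall rules\n" * 30,
}
```

On a real host the same two functions would be run over a directory walk; the entropy check alone also fires on legitimate compressed or already-encrypted files, which is why the note signal is required as well.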

If paid, the cryptocurrency transactions occur on exchanges, which are organized markets where people exchange cryptocurrencies amongst each other or into dollars (or other currencies). The cryptocurrency is deposited into an anonymous private account or “wallet.” These transactions are recorded on “public ledgers” where anyone can watch transactions take place online. However, because the wallets are anonymous, the parties behind a transaction can be challenging to identify and trace even though anyone can view the transaction itself. In addition, most cybercriminals have several wallets, enabling them to move currency from one account to another while staying under the radar and out of reach of law enforcement.

This visibility into payments on public ledgers, even without knowing the recipient, together with the visible success rate of cybercriminals’ attacks, may lead some companies to conclude that paying is the only way to deal with an attack.


Who Are the Victims?

Ransomware attacks demanding cryptocurrency can happen to businesses of all sizes and can cost companies hundreds of thousands, or even millions of dollars in ransom payments. In fact, data breaches cost companies an estimated $4.24 million per incident on average — a 17-year high (Fox Business).

No industry is immune to the attacks with the following paying ransom via cryptocurrency in 2020 and 2021:

  • The Colonial Pipeline, providing approximately half of the fuel supply for the East Coast, paid hackers $4.4 million in cryptocurrency. The company shut down the pipeline and paid the ransom the day they received the threatening note. It took six days to get up and running again.
  • The world’s largest meat processing company, JBS, paid an $11 million ransom to cyber thieves. They were forced to stop operations at 13 of their plants by a Russian ransomware gang. Only after they paid the gang’s Bitcoin demand could they resume operations.
  • The University of Utah experienced a ransomware attack on its computer servers and paid more than $450,000 to an unknown hacker.
  • The city of Florence in Alabama paid a ransom of $300,000 in Bitcoin after malicious actors infiltrated its computer system.
  • Hackers attacked the computer servers at the University of California, San Francisco (UCSF) School of Medicine. To regain access to their data, the school paid $1.14 million in Bitcoin.

What Can Be Done Regarding Cryptocurrency and Ransomware Attacks?

While ransomware attacks continue and the amounts demanded increase, there are several defensive moves companies and governments can make to help prevent ransomware attacks in the future.

  1. Create Consistent Policies for International Cooperation

    It’s time to recognize that this is an international issue and that the most effective way to stop ransomware is by developing a global solution. Leaders must work together to readily share information, develop prosecution agreements for cybercriminals and impose sanctions against rogue nations that harbor cyber pirates.

  2. Don’t Pay the Ransom

    Law enforcement agencies encourage individuals and organizations not to pay fees to cybercriminals. However, many organizations choose to pay anyway to restore their data ASAP and protect their data, people, and reputation. Before paying criminals any money, keep in mind that:

    • What appears to be ransomware may actually be scareware, a fake attack.
    • Criminals may take your money and run without restoring your data. Or they may partially restore your data and request more ransom for the rest.
    • Your business may appear weak and become a target for a repeat attack or other cybercriminals down the road if you pay the ransom.
    • The more “wins” cybercriminals get, the more emboldened they become to commit more attacks.

  3. Integrate Advanced Tracing Skills

    On June 7, 2021, the U.S. Department of Justice and FBI announced their recovery of $2.3 million of the Colonial Pipeline’s ransom. Law enforcement tracked multiple Bitcoin transfers to a specific address. Moving forward, investigative techniques such as these, along with advanced knowledge of cryptocurrency and blockchains, may prove valuable for FBI and law enforcement teams to track payments and activities that can help investigators find and stop cybercriminals.
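The public-ledger tracing described here, and the multi-wallet hopping noted earlier in the article, can be followed mechanically once the ledger is in hand. The example below is added here and is not from the article or any investigation; its ledger is a constructed UTXO-style transaction set, and every txid, address and the ExampleExchange attribution are placeholders.

```python
"""Follow a ransom payment across wallet hops on a public ledger.
Added example, not from the article: LEDGER is a constructed UTXO-style
transaction set and every txid/address is a placeholder, not a real one."""

# txid -> inputs (previous txid, output index) and outputs (address, whole coins)
LEDGER = {
    "tx_victim_pay": {"inputs": [("tx_coinbase", 0)],
                      "outputs": [("addr_ransom_A", 75)]},
    "tx_hop1": {"inputs": [("tx_victim_pay", 0)],
                "outputs": [("addr_B", 64), ("addr_A_change", 11)]},
    "tx_hop2": {"inputs": [("tx_hop1", 0)],
                "outputs": [("addr_exchange_deposit", 64)]},
    "tx_unrelated": {"inputs": [("tx_coinbase", 1)],
                     "outputs": [("addr_Z", 5)]},
}
# Constructed attribution list, like one an investigator obtains from an exchange.
KNOWN_ADDRESSES = {"addr_exchange_deposit": "ExampleExchange deposit"}

def spend_index(ledger):
    """Map each output (txid, index) to the txid that later spends it."""
    return {prev: txid for txid, tx in ledger.items() for prev in tx["inputs"]}

def trace_forward(ledger, txid, index):
    """Follow one output through every later hop until the coins sit unspent.
    Returns {address: (amount, hops)} for each unspent endpoint reached."""
    spent_by = spend_index(ledger)
    endpoints, seen = {}, set()
    frontier = [(txid, index, 0)]
    while frontier:
        t, i, hop = frontier.pop()
        if (t, i) in seen:            # same output reached twice: skip it
            continue
        seen.add((t, i))
        address, amount = ledger[t]["outputs"][i]
        nxt = spent_by.get((t, i))
        if nxt is None:               # unspent, so this is where the money sits now
            amt, _ = endpoints.get(address, (0, hop))
            endpoints[address] = (amt + amount, hop)
            continue
        # Spent: follow every output of the spending transaction (payment and change)
        frontier.extend((nxt, j, hop + 1) for j in range(len(ledger[nxt]["outputs"])))
    return endpoints

def attributed_endpoints(endpoints, known=KNOWN_ADDRESSES):
    """Keep only endpoints that match a known address, e.g. an exchange deposit."""
    return {a: (known[a], amt, hops) for a, (amt, hops) in endpoints.items() if a in known}
```

Starting from the victim's payment output, the trace reaches the change left behind after one hop and the exchange deposit after two, which is the point at which an investigator can serve legal process on a real counterparty.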

“Having the skills to track payments and activities can help investigators find and stop cybercriminals in their tracks.”

How to Protect Your Business from Ransomware

As an individual business, you also have steps you can take to defend your company against cybercrimes.

  • Develop a detailed incident response plan so you’re prepared if you face an attack and can act immediately to minimize damage.
  • Back up all systems and consider where the backups are stored. Ensure the backups themselves are not accessible to hackers. When an attack happens, being able to roll back six hours or one day, to a point before the attack, will help restore systems to working order quickly.
  • Segregate network access and ensure that employees are only given access to the systems that they need. Putting different systems on different networks, accessible only by the groups of employees that need them, ensures that if a breach does happen, fewer systems can be compromised.
  • Update software and install patches immediately to protect your network. Attacks often take advantage of vulnerabilities that may have been reported and have fixes, yet companies procrastinate on updating.
  • Provide continuous employee training. Employee behavior is a top cause of breaches, so training is a critical step in protecting your network. Teach employees how to recognize suspicious emails, not to open attachments from unknown senders, and to report anything out of the ordinary to the IT team.
  • Use a Next Generation Firewall to scan all network traffic for ransomware and block it before it can get a hold on devices.
  • Secure your corporate network at the edge. Ensure that edge devices, such as the SD-WAN routers in branch offices, are secured with a robust security gateway or with their own edge security, such as Threat Prevention, to block traffic that could harm your network, even if that traffic is encrypted.
  • Extend security policies to remote workers. With today’s hybrid working environments, ensure that employees are accessing your corporate network securely as they go between the corporate office and their home office using technologies such as WireGuard VPN.