Hacked? Quickly hunt for a few million worth of bitcoins

How do you get a few million euros in bitcoins within 48 hours? That is the pressing problem of companies being held hostage by cybercriminals. Hackers break in, encrypt all computers and make ransom demands, otherwise they won’t release the files. Even if you want to pay, you have to collect the cryptocurrency first.

Those millions are no exaggeration. Colonial Pipeline, the pipeline operator from the US, paid a $4.4 million ransom – in bitcoin – last month to be able to transport oil again. The world’s largest meat processor JBS was also hacked, transferring $11 million to cybercriminals this week.

These are not amounts that scare Steven Dondorp. As the founder and president of security company Northwave, he often handles ransom payments for victims of ransomware. “We have seen ransoms rise from tens of thousands to hundreds of thousands of euros since 2017, and since September last year they often run into the millions.”

Northwave is one of the cybersecurity companies that is flown in as a digital fire brigade to repair networks and negotiate with the blackmailers. If there is no other way out, Dondorp also handles the ransom payment. At the end of December, for example, he still had to “realise” 20 million euros in ransom for a European company that had been hacked. Who the victim was remains a mystery. He does want to explain how such a payment works. “It is difficult to rake together such an enormous amount of bitcoins in one or two days, from all corners of the world. A race against the clock.”

The extortion industry

According to estimates, ransomware gangs demanded $18 billion in ransoms worldwide in 2020, an 80 percent increase from the previous year. This extortion industry is made up of several groups: the hackers who break in and sell access to corporate networks, the software that criminals rent to encrypt computers, and “help desks” that assist victims with ransom payments.


The perpetrators are often in Russia, where the police leave them alone as long as they do not hold Russian authorities hostage.

The ransom demanded is usually between 0.4 and 2 percent of company revenue. The criminals first find out what the victim’s cash flow is, says Dondorp. “They want to see money quickly – and not have to negotiate for months.”

The official advice from the police is: don’t pay, because that keeps the criminal system going. But if IT experts have no way of recovering the computers, you still have to pay to get your files back or, under threat number two, to recover the stolen files.

Can you just transfer money to criminals? No, says Dondorp. Northwave is licensed by the Department of Justice and Security to arrange ransom payments provided, in Dondorp’s words, “proportionate and reasonable considerations” have been made. Dondorp: “It is tolerated, but we have to record everything. We work closely with the police and are regularly visited by the fraud and counterterrorism departments of banks.”

In a negotiation game via chat, an amount is agreed with the blackmailers. The cybercriminals, in turn, have to prove that they hold the correct decryption key. Then the clock starts running: the bitcoins have to be purchased. Stocking up in advance is not an option: the exchange rate is far too volatile for that.

A buffer of bitcoins

Northwave does not make the payment itself, but works together with the Dutch bitcoin company Bitonic. Co-founder Niels van Groningen has seen ransoms rise into the millions in recent months – including those of other IT companies that turn to Bitonic for their ransomware cases. “Steven often calls me at impossible times: late at night, at the weekend, or on a holiday.”

Bitonic maintains a buffer for its regular customers’ trading, including on weekends. But that is not enough to transfer 10 or 20 million euros in bitcoins in one go. Bitonic buys such a large amount on three international exchanges at the same time. Van Groningen: “We only buy from exchanges that we know well. There are quite a few shady exchanges that can vanish without a trace or claim they have been hacked – then all the money is suddenly gone.”

By buying bitcoins in different places, Bitonic spreads the risk. You don’t immediately get into trouble if one site is down for a while, and you avoid driving up the price by buying a large amount in one place.

The impact of ransomware payments on the total trading volume is not great, says Van Groningen: “Less than 0.1 percent, I think. Liquidity has increased enormously as many people have moved into bitcoin.”

Once the amount has been collected, Bitonic transfers it to the bitcoin address provided by the cybercriminals. A meticulous job: the addresses consist of a long string of characters. Van Groningen: “Before I send such a large amount, I check a hundred times whether it is correct.”

Bitonic charges transaction costs for the ransomware transfers, but less than usual: the rate for ransomware payments is half the rate charged to regular customers. Van Groningen: “We have to ask something, because we also run a price risk.”

Steven Dondorp: “As Northwave, we do not earn anything from these transactions – it is not a service in itself but part of our digital emergency response. I see it as a necessary evil to help companies out – but then they need to better secure their systems in the future.”

Bitcoins are transferred within minutes; ordinary bank traffic is the bigger obstacle in paying the blackmailers. To buy bitcoins, the accountant of the affected company must first transfer money to Bitonic via the bank. Such a transaction sometimes takes days.

For larger amounts, the bitcoin company then buys bitcoins on the international exchanges with iDEAL payments – a maximum of 50,000 euros at a time. Dondorp: “A red light often goes on at the bank when you try to transfer 10 million euros in a few hundred iDEAL payments. The fraud detection system then blocks everything. Then someone has to look at it – and you have to wait another day.”

Discount on the ransom

As the clock ticks, the blackmailers increase the pressure to cash in as quickly as possible. They threaten and lure at the same time. On the ransomware group’s website, where every victim gets their own account with chat support, a counter ticks down in hours, minutes and seconds. Those who miss the deadline have to pay twice as much ransom. It looks like a limited-time holiday offer.

The blackmailers also promise a 10 or 20 percent discount if you pay in Monero. This cryptocurrency offers more privacy than bitcoin, which makes it easier to launder the loot.

Crypto transactions are recorded in a ledger, the famous blockchain. With bitcoin, an outsider does not know who is behind a crypto address, but can see in the ledger into which wallets the amounts disappear. Monero is a currency that better hides transaction history and balances from the outside world. Dondorp: “We do not make payments in Monero. If customers really want that, they have to arrange it themselves.” According to him, the few percent discount is nothing compared to the enormous losses that affected companies suffer every day while their business is at a standstill. For the time being, the digital extortion machine therefore runs on bitcoins.

Where do those tainted bitcoins go?

Although bitcoin transactions are stored and searchable, criminals still find ways to cash out anonymously or to convert tainted bitcoins into ‘clean’ cryptocurrencies. They can divert the amount to shady crypto exchanges that don’t verify the identities of their customers, or that go up in smoke after a few months. In doing so, the blackmailers themselves run the risk of losing part of their loot.

There are also services that anonymise amounts by breaking them into small fragments or converting them into other currencies. If you analyse the underlying transaction history, those fragments can still be recognised in wallets later on.

Niels van Groningen: “We sometimes see such a fragment of money that we once paid for a ransomware case. But that says little. With large amounts, we ask the customer what is going on.”

Measures have now been taken against money laundering in the crypto world. In the Netherlands, crypto exchanges must report transfers above 15,000 euros to the police’s Financial Intelligence Unit and verify the identities of their customers. Bitonic recently successfully objected to an even stricter registration requirement: regulator DNB (De Nederlandsche Bank) wanted crypto traders to check whether someone really owns the digital wallet, in order to prevent money from being transferred to persons on the international sanctions lists. However, it is still trivially easy to transfer bitcoins to an exchange or a country where the rules are less strict.

A symbolic victory

Bitcoin offers leads for following the money trail and mapping the criminal network. Blackmailers do not always create a separate bitcoin address for each victim. The transfers show, for example, how ransomware groups make multiple victims before they move the money on.


Dondorp: “There are only a few services where these criminals move their money to cash out. Our estimate is that more than half of all money laundering goes to just 300 deposit addresses. Investigative authorities can respond to that.”

Paid bitcoins are not always lost. Last week, the FBI confiscated most of Colonial Pipeline’s ransom from a crypto exchange. “There is no place to hide the loot from us,” FBI Deputy Director Paul Abbate wrote in a press release.

After the cyberattack on Colonial Pipeline, which led to a spike in fuel prices and local shortages, the US is giving the fight against ransomware the same priority as terrorism.

“Everything and everyone in the Colonial Pipeline case was focused on hunting down the perpetrators. The responsible DarkSide group does indeed seem to have been knocked off the map,” says Steven Dondorp. “But there is also luck involved. Out of haste, hubris or ignorance, some criminals send their cryptocurrencies too quickly to an exchange to be paid out.”

In any case, the seizure is an important symbolic victory for the FBI. There is, however, one small caveat: due to the sharp fall in the bitcoin price – partly caused by stricter crypto regulation announced by the US – the value of the seized loot has halved in a month. So Colonial only gets half of its dollars back.
