Bitcoin Ransomware Becomes Go-To Hack as Bitcoin Rallies, NSA Tools Leak
A recent outbreak of ransomware attacks, from the WannaCry worm in May to Tuesday’s infection of thousands of computer systems around the globe, shows that digital stickups are becoming the go-to hack for cybercriminals, fueled by powerful leaked U.S. government exploits and the rise of bitcoin and other anonymous digital currencies.
Tuesday’s attack showed no signs of slowing down, as cybersecurity researchers had not found a kill switch similar to the one that allowed them to stop WannaCry after it had infected hundreds of thousands of computer in more than 150 countries, preventing it from becoming one of the worst attacks on record.
The new infections, which appeared concentrated in Ukraine before spreading globally, are a sign that ransomware is becoming a routine risk of doing business, as other forms of attacks get less profitable. Banks and retailers have strengthened their defenses, driving the price for stolen credit card numbers down to as little as 50 cents apiece, according to research from Symantec Corp., the biggest cybersecurity software maker. But ransomware demands are on the rise, nearly tripling from an average of about $300 per computer infected in 2015 to more than $1,000 each last year, Symantec said. Earlier this month, a South Korean web hosting company agreed to pay more than $1 million to unlock its servers in what’s believed to be the biggest ransomware payout on record.
“The new versions of ransomware are the perfect crime,” said Jack Danahy, co-founder of Barkly Protects Inc., a Boston-based cybersecurity firm. “It’s super-easy to do — monkeys could do it — and the profits are remarkably high. And the third thing that makes it perfect is anonymity, because nobody wants to get caught. That’s why this thing is growing.”
It’s possible that Tuesday’s outbreak may not spread as quickly or be as damaging as WannaCry, whose early victims included hospitals in the U.K. that had to shut some services while dealing with cleanup. The new malware uses an exploit called EternalBlue to spread by taking advantage of vulnerabilities in Microsoft Corp.’s Windows operating system, similar to WannaCry. But many of those weaknesses have been patched for months — meaning that many computers already have protection against its key propagation mechanism.
The new malware does have additional capabilities that let it spread by other means through internal networks, so anyone who clicks on a malicious email attachment could put their entire organization at risk.
The rise of ransomware has coincided with two other major changes in the cyber black market. The first is the growing amount of leaked attack tools from the U.S. government available online. The second is the growing use of digital currencies, which give hackers an easy and potentially anonymous way to get paid. The malware unleashed Tuesday demands payment of $300 in bitcoin. The reason many ransomware operators ask for relatively small payments is that the amount needs to be low enough that enough people will pay, but high enough that it’s worth the effort to attack. Given the secretive nature of cryptocurrencies and the shadowy world in which cybercriminals operate, it’s virtually impossible to get an accurate read on exactly how much the hackers rake in.
Because there’s a glut of credit card and identity data for sale on the black market, it’s gotten harder for criminals to get paid, said Jeremiah Grossman, chief of security strategy for SentinelOne. But rather than try to sell data to a third party, attackers instead encrypt it — demanding that the victim pay to get it back.
“Who better to value the data than the owner of the data?” Grossman said. “It’s market forces at work.”
There are signs that hackers are shifting tactics in favor of ransomware. According to a study by IBM, the amount of spam containing ransomware surged to 40 percent by the end of 2016 from just 0.6 percent in 2015. While many ransomware attacks are blocked by security software, the number of infections getting through is growing. Symantec said it detected 463,000 ransomware infections in 2016, 36 percent higher than the year before.
But Tuesday’s attack contained some puzzling elements to security experts, raising concerns that it may not have been about payment at all.
Like WannaCry, which the U.S. government has reportedly linked to North Korea, the new attack does not have the usual characteristics associated with hackers who want to maintain control of the infected computers and facilitate payment and easy decryption of locked files. That the hardest hit country is Ukraine, whose power grid and other critical systems have been the target of repeated high-level hacking attacks blamed on the Russian government, raised suspicions among some researchers that another motive could be at play. Anton Gerashchenko, an aide to the Interior Ministry in Ukraine, wrote on Facebook that the goal appeared to be “the destabilization of the economic situation and in the civic consciousness of Ukraine” even though it was “disguised as an extortion attempt.”
“There’s something weird about this one,” added SentinelOne’s Grossman.