As our reliance on digital infrastructure grows, the impact of ransomware attacks becomes increasingly severe, disrupting daily operations and causing financial losses. Apprehending cybercriminals is more difficult as they resort to sophisticated methods to hide their tracks. One such tool they have adopted is cryptocurrency for receiving ransom payments: they take advantage of its decentralized and pseudonymous nature as a preferred form of payment. In 2023 alone, ransomware attacks resulted in over $1 billion in ransom payments, as reported by the blockchain analysis firm Chainalysis.
Ransomware is malicious software designed to encrypt a system’s data, rendering it inaccessible until a ransom is paid. This cyberattack targets individuals, businesses, and government organizations, exploiting vulnerabilities in their systems to gain unauthorized access. Once the malware is deployed, it encrypts files and demands payment, usually in cryptocurrency, to decrypt the data.
While the main objective of ransomware attacks is primarily monetary, in some cases, it is also used to cause operational disruptions, gain unauthorized access to sensitive information, or pressure organizations to comply with other demands. It has also been used as a cyber warfare tool between countries with political tension.
The first known ransomware attack was the AIDS Trojan in 1988, also called the PC Cyborg Virus. It was distributed via floppy disks to World Health Organization conference attendees. After a certain number of computer reboots, the trojan encrypted files and demanded a ransom of $189 paid to a P.O. Box in Panama. This attack used primitive encryption compared to today’s standards, but it laid the foundation for modern ransomware. By 2006, ransomware using RSA encryption was being distributed through compromised websites and spam email, with ransom payments collected via vouchers, paysafecards, and other electronic methods that were difficult to trace.
Source: Chainalysis
By 2010, as Bitcoin gained popularity, attackers began to demand ransom in a pseudonymous currency that was much harder to trace. Since then, newer and more sophisticated models of ransomware have been developed, building a criminal industry that has amassed over $3 billion from 2019 to 2024.
One of the key features of cryptocurrencies, especially Bitcoin, is their pseudonymous nature. While transactions are recorded on the blockchain, the identities of the parties involved are masked by wallet addresses, making it difficult to trace back to the attacker. Traditional payment systems, like credit cards and bank transfers, leave clear identity trails that law enforcement can use to investigate cybercriminals.
With Bitcoin transactions publicly traceable on the blockchain, some cybercriminals have shifted to privacy-focused cryptocurrencies like Monero, which offer anonymity features and use stealth addresses and ring signatures to further obscure transaction details.
Crypto ransomware infiltrates a target system, usually through phishing emails, malicious downloads, or exploiting system vulnerabilities. Once inside, the malware encrypts files on the victim’s computer or network using complex encryption algorithms, making the data inaccessible.
Source: ComodoSSL
The operation is carried out in stages.
Crypto-ransomware gets into a victim’s device through channels such as:
Phishing Emails: Cybercriminals send emails that appear to come from legitimate sources, tricking recipients into clicking malicious links or downloading infected attachments. These files often masquerade as important documents or updates, disguising their true nature.
Outdated Software: Ransomware can exploit unpatched vulnerabilities in outdated versions of operating systems or applications. This was evident in the WannaCry attack, which used an exploit against Microsoft Windows.
Malvertising: Users can unknowingly interact with deceptive ads to download fake software updates that lead to the installation of ransomware.
Remote Desktop Protocol Hacks: Remote Desktop Protocol (RDP) is used to maintain a remote connection to a server in situations where employees of an organization work from different locations. The RDP client on the employee’s computer communicates over an encrypted channel with the RDP service on the server. Although the channel is encrypted, exposed RDP services are a frequent point of compromise that bad actors abuse to upload ransomware onto a company’s servers.
Once in the system, the ransomware begins encrypting the victim’s files. Crypto-ransomware uses encryption methods such as:
The malware targets file types, including documents, images, videos, and databases, anything that might be of value to the victim. During this process, users might not even notice that their data is being locked away until the encryption is complete, leaving them with no immediate options for recovery.
One of the notable patterns in major ransomware attacks is that, to avoid detection, they are launched during holidays or at times when the majority of the staff are not online.
Source: Proofpoint
After encrypting the data, the ransomware displays a ransom note to the victim, often through a pop-up window, text file, or HTML page.
A ransom demand screen requesting Bitcoin in exchange for the private key
Source: Varonis
The ransom amount is usually requested in Bitcoin or Monero with a link to a payment site or a method to contact the attackers (sometimes hosted on the dark web).
Source: Proofpoint
If the victim complies with the demand and transfers the requested amount, the attackers may provide the decryption key to unlock the files. However, paying the ransom does not guarantee the attackers will follow through. In some cases, victims never receive the decryption key even after payment, or they may face additional ransom demands.
Cybersecurity experts and law enforcement agencies discourage paying ransoms. Cybercriminals can also resort to double extortion, where attackers not only encrypt the victim’s files but also steal sensitive data, then threaten to release or sell the data if a further ransom is not paid.
WannaCry is one of the most notorious and widespread ransomware attacks in history. It exploited a vulnerability in Microsoft Windows known as EternalBlue, which the Shadow Brokers hacker group had previously stolen from the NSA. WannaCry affected over 200,000 computers across 150 countries, including major institutions like the UK’s National Health Service (NHS), FedEx, and Renault. It caused widespread disruption, especially in healthcare systems, where patient services were severely impacted.
A WannaCry Ransom Note
Source: CyberSpades
The attackers demanded $300 in Bitcoin in exchange for a decryption key, though many victims could not recover their data even after paying. The attack was eventually halted by a security researcher who activated a “kill switch” embedded in the malware’s code, but not before it caused billions of dollars in damages.
NotPetya combined ransomware with wiper malware: it was designed to cause destruction rather than to extract a ransom.
A NotPetya Ransom Note
Source: SecurityOutlines
The malware appeared to demand a Bitcoin ransom, but even after payment, recovery of encrypted data was impossible, indicating that financial gain was not the true goal. Unlike traditional ransomware, NotPetya seemed to be politically motivated, targeting Ukraine during a period of geopolitical tension with Russia. It eventually spread globally, damaging large multinational corporations including Maersk, Merck, and FedEx and resulting in estimated global financial losses of over $10 billion.
DarkSide gained global attention after its attack on Colonial Pipeline, the largest fuel pipeline in the United States, which led to fuel shortages across the East Coast. The attack disrupted fuel supplies and caused widespread panic buying. Colonial Pipeline eventually paid a ransom of $4.4 million in Bitcoin, although the FBI later recovered a portion of this ransom.
A DarkSide Ransom Note
Source: KrebsonSecurity
Ransomware-as-a-Service (RaaS) is a business model in which ransomware creators lease out their malicious software to affiliates or other cybercriminals. Affiliates use this software to carry out attacks, splitting the ransom profits with the ransomware developers.
REvil (also known as Sodinokibi) is one of the most sophisticated ransomware groups, operating as a RaaS operation.
REvil has been linked to high-profile attacks on global organizations, including JBS (the world’s largest meat supplier) and Kaseya, a software company; the Kaseya attack affected over 1,000 businesses relying on its software products.
Source: BleepingComputer
Clop is another RaaS operation that carries out large-scale spear-phishing campaigns targeting corporations and demanding hefty ransoms. Clop’s operators use the double extortion technique: they steal data before encrypting it and threaten to leak sensitive information if the ransom isn’t paid.
In 2020, Clop was responsible for a massive data breach linked to the Accellion file transfer software, impacting multiple universities, financial institutions, and government agencies.
The most effective defense starts with preventing malware from entering your system. Here are some measures that can protect your computer from ransomware.
Users and employees should be trained to recognize and respond to threats like phishing emails or suspicious attachments. Regular cybersecurity awareness training can significantly reduce the risk of accidental infections.
Regular updates and patches for operating systems, applications, and security software reduce the risk of attack by closing the known vulnerabilities in outdated software that ransomware exploits.
If a ransomware attack occurs, having a recent backup allows the victim to restore their data without paying a ransom. Backups should be stored offline or in cloud environments that are not directly connected to the network, to protect them from being infected by the ransomware.
Email filtering systems scan incoming messages for suspicious links, attachments, or characteristics. These filters can block emails containing known malicious elements before they reach users’ inboxes.
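The paragraph above describes what a mail filter does without showing the checks themselves. The following is an added example written for this article, not a vendor's filter or the author's code: a small triage routine over two constructed messages (a lure and an ordinary note) that flags a display name impersonating another domain, a divergent Reply-To, a link whose visible text names a different host than its target, a bare-IP link target, and executable or double-extension attachments. The extension lists, the severity levels and the two-label "registered domain" approximation are assumptions for illustration.

```python
"""Heuristic triage of one inbound email for ransomware-delivery indicators (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed gateway policy: these attachment types are blocked outright.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                    ".ps1", ".jar", ".lnk", ".iso", ".docm", ".xlsm"}
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}  # as in "invoice.pdf.exe"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registered_domain(host: str) -> str:
    return ".".join(host.split(".")[-2:])  # last two labels; real filters use the public suffix list


def _domain_of(address: str) -> str:
    return _registered_domain(address.rsplit("@", 1)[-1].lower())


def analyze_message(raw: bytes) -> list:
    """Return (severity, reason) findings for one raw message; severity is "block" or "warn"."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Header checks: display name impersonating another domain, Reply-To pointing elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(addr)
    if "@" in display and _domain_of(display) != sender_domain:
        findings.append(("warn", f"display name '{display}' impersonates a domain other than {sender_domain}"))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain_of(reply_to) != sender_domain:
        findings.append(("warn", f"Reply-To domain {_domain_of(reply_to)} differs from sender domain {sender_domain}"))
    # Link checks: bare-IP targets and visible text that names a different host than the href.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            target = _host(href)
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
                findings.append(("warn", f"link target is a bare IP address: {target}"))
            if re.match(r"(https?://)?[\w-]+(\.[\w-]+)+", text):
                shown = _host(text)
                if _registered_domain(shown) != _registered_domain(target):
                    findings.append(("block", f"link text shows {shown} but points to {target}"))
    # Attachment checks: executable types and decoy double extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        labels = name.split(".")
        if len(labels) > 1 and "." + labels[-1] in RISKY_EXTENSIONS:
            findings.append(("block", f"executable attachment type .{labels[-1]}: {name}"))
        if len(labels) > 2 and labels[-2] in DECOY_EXTENSIONS:
            findings.append(("warn", f"double extension disguises attachment: {name}"))
    return findings


def verdict(findings) -> str:
    levels = {level for level, _ in findings}
    return "block" if "block" in levels else "quarantine" if "warn" in levels else "deliver"


# Constructed messages (not real mail); 203.0.113.7 is a documentation address.
SAMPLE_PHISH = b"""\
From: "accounts@bigbank-example.com" <noreply@mailer-xyz.example>
Reply-To: collections@another-host.example
To: staff@victim.example
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body>Review at <a href="http://203.0.113.7/login">https://portal.bigbank-example.com</a>
and open the attached statement.</body></html>
--B1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--B1--
"""
SAMPLE_BENIGN = b"""\
From: Jane Doe <jane@partner.example>
To: staff@victim.example
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Notes are on https://wiki.partner.example/notes until the PDF is ready.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        found = analyze_message(raw)
        print(label, "->", verdict(found), *[f"\n  [{lvl}] {why}" for lvl, why in found])
```

Run on the lure, `verdict` returns "block" because of the mismatched link and the `.exe` attachment; the benign message yields no findings and is delivered. In a real gateway these heuristics sit beside SPF/DKIM/DMARC results and attachment detonation rather than replacing them.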
Network segmentation restricts the spread of ransomware once it infiltrates your system: even if one part of the network is compromised, the damage can be contained. Experts advise separating sensitive systems and data from regular operations, limiting access to critical areas.
Access controls such as multi-factor authentication (MFA) and the principle of least privilege (giving users only the access they need) limit what each user can reach. If an attacker gains access to one account or system, segmentation and access controls can prevent lateral movement across the network, limiting the ransomware’s reach.
EDR solutions provide continuous monitoring and analysis of endpoint activities, helping detect early signs of ransomware infection. These tools can automatically respond to suspicious behavior, isolating infected devices and preventing the spread of ransomware throughout the network.
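To make the "early signs of ransomware infection" concrete, here is an added example (written for this article, not any EDR product's logic) that runs three assumed behavioural heuristics over a constructed stream of endpoint file events: a burst of high-entropy overwrites from one process, a burst of renames to a single new extension, and the drop of a ransom-note-like file. It also applies the off-hours pattern noted earlier, raising severity for activity on weekends or outside business hours, and records which process the automated response would isolate. All thresholds, paths and process names are assumptions.

```python
"""Behavioural ransomware detection over endpoint file-event telemetry (added example)."""
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileEvent:
    ts: datetime
    pid: int
    process: str
    op: str                # "write" or "rename"
    path: str              # destination path for renames
    content: bytes = b""   # bytes written, for "write" events


# Assumed thresholds; a real deployment tunes these per environment.
WINDOW_SECONDS = 60
RENAME_BURST = 20          # renames to one new extension within the window
ENTROPY_BURST = 10         # high-entropy overwrites within the window
HIGH_ENTROPY_BITS = 7.0    # bits/byte; encrypted or compressed data sits near 8
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover", "how_to")
BUSINESS_HOURS = range(7, 19)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ordinary documents score well below 7."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_ransom_note(path: str) -> bool:
    name = os.path.basename(path).lower()
    return name.endswith((".txt", ".html", ".hta")) and any(k in name for k in NOTE_KEYWORDS)


class RansomwareDetector:
    def __init__(self):
        self._renames = defaultdict(deque)     # pid -> (ts, new extension)
        self._hot_writes = defaultdict(deque)  # pid -> (ts,)
        self._reported = defaultdict(set)      # pid -> finding kinds already alerted
        self.alerts = []
        self.isolated = set()                  # pids the response action would quarantine

    @staticmethod
    def _prune(dq, now):
        while dq and (now - dq[0][0]).total_seconds() > WINDOW_SECONDS:
            dq.popleft()

    def observe(self, ev: FileEvent):
        findings = []
        if ev.op == "rename":
            ext = os.path.splitext(ev.path)[1].lower()
            dq = self._renames[ev.pid]
            dq.append((ev.ts, ext))
            self._prune(dq, ev.ts)
            if len(dq) >= RENAME_BURST and sum(e == ext for _, e in dq) >= 0.9 * len(dq):
                findings.append(("rename_burst", f"{len(dq)} renames to '{ext}' in {WINDOW_SECONDS}s"))
        elif ev.op == "write":
            if shannon_entropy(ev.content) >= HIGH_ENTROPY_BITS:
                dq = self._hot_writes[ev.pid]
                dq.append((ev.ts,))
                self._prune(dq, ev.ts)
                if len(dq) >= ENTROPY_BURST:
                    findings.append(("entropy_burst", f"{len(dq)} high-entropy overwrites in {WINDOW_SECONDS}s"))
            if looks_like_ransom_note(ev.path):
                findings.append(("ransom_note", f"note-like file dropped: {ev.path}"))
        for kind, detail in findings:
            if kind in self._reported[ev.pid]:
                continue  # one alert per heuristic per process
            self._reported[ev.pid].add(kind)
            off_hours = ev.ts.hour not in BUSINESS_HOURS or ev.ts.weekday() >= 5
            self.alerts.append({"pid": ev.pid, "process": ev.process, "kind": kind, "detail": detail,
                                "off_hours": off_hours, "severity": "critical" if off_hours else "high"})
            if kind != "ransom_note":  # a note alone is alert-only; a burst triggers isolation
                self.isolated.add(ev.pid)


def constructed_events():
    """Constructed telemetry: a benign editor on Friday morning, then an encryptor at 02:13 on Saturday."""
    events = []
    t0 = datetime(2024, 12, 27, 10, 0)
    for i in range(3):
        events.append(FileEvent(t0 + timedelta(minutes=i), 1001, "WINWORD.EXE", "write",
                                f"C:/Users/alice/Documents/memo_{i}.docx", b"Quarterly memo text " * 100))
    t1 = datetime(2024, 12, 28, 2, 13)
    encrypted_like = bytes(range(256)) * 16  # uniform byte distribution: exactly 8 bits/byte
    for i in range(25):
        path = f"C:/Users/alice/Documents/report_{i}.xlsx"
        events.append(FileEvent(t1 + timedelta(seconds=i), 4242, "updater.exe", "write", path, encrypted_like))
        events.append(FileEvent(t1 + timedelta(seconds=i), 4242, "updater.exe", "rename", path + ".locked"))
    events.append(FileEvent(t1 + timedelta(seconds=30), 4242, "updater.exe", "write",
                            "C:/Users/alice/Documents/HOW_TO_RECOVER_FILES.txt", b"Your files were encrypted. " * 4))
    return events


def run(events) -> RansomwareDetector:
    det = RansomwareDetector()
    for ev in events:
        det.observe(ev)
    return det


if __name__ == "__main__":
    d = run(constructed_events())
    for a in d.alerts:
        print(a["severity"], a["process"], a["pid"], a["kind"], "-", a["detail"])
    print("isolate:", sorted(d.isolated))
```

On the constructed stream the editor never trips a rule, while the encrypting process is flagged on its tenth high-entropy overwrite, again on its twentieth `.locked` rename, and once more for the note; every alert is critical because the activity falls outside business hours on a weekend. The entropy rule is what catches in-place encryption that never changes a file name, and the rename rule catches families that encrypt to a new path instead.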
Crypto ransomware highlights one of the wrongful uses of cryptocurrency, where criminals take advantage of the pseudonymity of blockchain transactions. While there is not much to be done about cryptocurrency being used for ransom, the best available measures are to protect users and systems from infection by avoiding phishing links and carrying out regular software updates.
Also, maintaining regular data backups ensures that important files can be restored without paying a ransom if an attack occurs. Network segmentation serves as another important defensive measure, as it limits the spread of ransomware, confining it to specific parts of the system and protecting unaffected areas.