In a recent study, FinCEN found that ransomware actors are increasingly demanding payment in Monero instead of Bitcoin. The currency has several features that make it difficult to trace, which makes it an attractive option for criminals. In fact, in some cases, attackers provided their wallet addresses in Monero and accepted Bitcoin after negotiation. According to the report, the average ransomware payment amount is about US$45 million per month.
Several major dark web markets now accept cryptocurrency. In late 2019, the White House Market transitioned to a Monero-only market. As the price of Bitcoin falls, threat actors are moving away from it, causing many victims to pay higher amounts than expected. In the meantime, ransomware actors are switching to more obscure currencies, such as Monero. The coin’s anonymity isn’t as good as it once was. In 2017, the REvil gang became famous for a supply-chain attack against Kaseya, a company that uses Bitcoin.
These attacks tend to use the smash-and-grab technique, which enables the attacker to quickly capture the target’s money. They also tend to be quick, lasting less than an hour. However, there are outlier campaigns that try to use reconnaissance and lateral movement to land on a machine that is easy to move. The latter is the most dangerous method, but a broader analysis is necessary to understand its risks and how it can be mitigated.
The latest ransomware campaign, named Nemty, does not encrypt files. Instead, it makes the entire hard disk inaccessible. In other words, the attackers encrypt data on machines that are not infected by ransomware. While this is not a new tactic, the use of a blog adds credibility to the threat, since it allows potential victims to navigate to the blog and see what a previous victim has posted.
In June 2015, the FBI released a CryptoWall alert. The ransomware was responsible for over $18 million in losses. Cybercriminals have been using an array of techniques, including the “blue screen of death” and placing ransom notes at system startup, to infect infected computers. In order to keep this malware in the black, they use the name TorrentLocker.
The number of ransomware attacks is on the rise, and the amount of money demanded is rising. Those based in the United States and Europe are at particular risk. The average ransom is around $78,300. Small businesses are more likely to pay than large companies. In some cases, attackers may even include a surcharge of up to 10 percent if the payment is in a privacy-focused cryptocurrency.