Ransomware crims drop Bitcoin faster than Google axes services

RSA 2015 The falling price of Bitcoin is forcing ransomware masterminds to convert the crypto-currency as soon as they can. Rather than holding on to their ill-gotten BTC, the crims are simply laundering the ransom money as soon as possible.

"I've seen this discussion in underground forums among Russian criminals," Etay Maor, senior fraud prevention strategist at IBM Security, told The Register today in San Francisco.

"They use Bitcoin for the money laundering part and take payment with it, but they'll move it out almost immediately. Most of them won’t keep bitcoins – they don't like the valuations Bitcoin has – so they just use it as a layer of obfuscation, and move it to a different form of money."

Today, one Bitcoin is worth US$238 (£158, AU$306, CAN$289, €216), rather less than the highs of US$1,147 in December 2013.

Up, up, and down, down, down ... Bitcoin prices from mid-2013 to now (Source: Coindesk BPI)

Bitcoin has played a huge part in the ransomware market, where the currency is almost exclusively used. When ransomware malware infects a PC, it encrypts all the documents it can find, and will only hand over the secret decryption key once the victim pays up in BTC.

Maor said the malware operators are adept at laundering their ransoms into other online currencies or farming the job out to money mules who launder the funds through their accounts in exchange for a commission.

Mules are typically recruited online, and Maor noted the type of soul who gets caught up in this criminal endeavor depends on where they are in the world. In Europe, mules are typically retirees looking to supplement their income by working from home, but in Asia and Australasia overseas students are recruited to do the job, typically for a 15 or 20 per cent commission on funds they process.

Such mules usually don't know exactly what they are doing – until the police come knocking. Then they find themselves in the big house while the malware operator goes free.

There's still no sign that the ransomware fad is going away any time soon. Far too many people are willing to pay up to have their data decrypted; for the crims, this is so much easier than the arduous process of stealing money from others through identity theft.

Maor said botnet owners are also getting in on the scam by offering to install ransomware on thousands of machines, and net a tidy cut.

Ransomware spreaders are also targeting websites with their malware. By gradually encrypting an entire web server's database, the attacker can extract loadsa cash from businesses – the gradual process often causes backups to be rendered useless.

So in short, don’t open any email attachment unless you're sure of the source, and always, always, back up data regularly and store the archives offline, disconnected from your computers. So far the security industry has little to offer in the way of blocking ransomware. ®