Not Swayed by the Bitcoin Hype?

Oran Cohen

May 13, 2018

You May Not Have a Choice

Who do I know who has bitcoin for sale? This question might seem somewhat irrelevant to you right now, especially if you’ve stayed far away from the hype. It is however highly relevant to anyone who has been attacked by ransomware. And you never know where ransomware will hit next – just ask the thousands hit by it daily.

The problem is one of both urgency and timing: Anyone attacked by ransomware needs bitcoin in a real hurry – but the bitcoin rush has made it far more difficult to track bitcoin down. And when dealing with hackers, time is short.

The Bitcoin Rush

Bitcoin hit the headlines in late 2017 as it rocketed in value. It became a wild west of currency, often fluctuating thousands of US dollars a day, a place to win or lose fortunes fast.

Many with little or no idea about crypto-currency or blockchain took a flutter, taken in by the global “pump and dump.” Some crypto ‘noobs’ racked up loans or credit card debt, gambling on the possibility of a potentially effort-free windfall. Many have been left sitting on piles acquired during those heady days, banking on false predictions that bitcoin would hit a six-figure US dollar payday. Well, the predictions were wrong and bitcoin never came close to six figures. In fact it dropped in value, leaving many in the lurch.

Bitcoin and Ransomware – Partners in Crime

Put aside this aberration for a moment and remember that bitcoin has been the mainstay of ransomware demands and payments for years.

Those unfortunate enough to click the wrong web link or open the wrong attachment have been faced with the choice of permanently losing sole copies of their precious family photos, or paying the bitcoin demanded for a decryption key. How, for example, would they get their hands on the bitcoin required in the time allotted by the hackers before their data was destroyed?

Ransomware: A Case Study

We were recently called in by a business services organization based in Israel who had contracted the Samsam ransomware. By the time they reached out to us, the ransomware had spread across their entire network, effectively shutting them down.

The ransom demanded by the hackers was 4.5 bitcoins or approximately $50,000 at the time, once commissions were factored in.

The Clock is Ticking…

In order to handle this emergency, we split into a couple of teams: One group assessed recovery options and contacted the hackers to get proof of their decryption capabilities – the hackers’ ability to deliver quickly would factor heavily into any decision to pay the ransom. Their openness to negotiating the terms of the ransom could also be assessed.

The other group was tasked with tracking down bitcoins. Despite this being one of the largest ransom demands we had experienced, we didn’t think it would be too problematic to lay our hands on 4.5 bitcoins. After all, the bubble was perpetuated by the masses, some with little technical knowledge, purchasing bitcoin.

So Where Do I Sign?

The recent attention bitcoin has drawn has made things much harder for those who need to get their hands on a large amount of bitcoin in a short amount of time. In early February 2018, a number of financial institutions went as far as to introduce restrictions on cryptocurrency purchases (see: Buying Bitcoin on Your Credit Card? Not Any More).

We contacted Bits of Gold, a local Israeli bitcoin exchange and embarked upon the rigorous corporate client verification process. We scheduled a face-to-face meeting between the broker and the client’s authorized signatory to complete the transaction later that day. We’d be paying a hefty commission and wouldn’t receive the bitcoin until the following day. The cost of downtime was dwarfing the ransom but there was little option.

As we were assembling the paperwork we were informed that the exchange’s legal advisors were nixing our transaction since Israeli government regulations prevent their involvement in ransomware deals. The client’s bank concurred, refusing to transfer this sum of shekels to a crypto-exchange. By this point the recovery team had ascertained that the organization’s backups extended to 2 hours prior to infection of the first computer. Concern was raised however as to whether the backups could’ve been infected too. The decision was made to continue pursuing bitcoin while this was investigated.

Putting Up Barriers

We tried the US-based Coincafe exchange, which the hackers had recommended we use (in their ransom note). But Coincafe’s “create an account” page displays a notice to victims of ransomware:

This policy is commensurate with the FBI’s current party line on paying ransoms – “The FBI doesn’t support paying a ransom in response to a ransomware attack.” Instead they recommend preventative measures “both in terms of awareness training for employees and robust technical prevention controls; and the creation of a solid business continuity plan in the event of a ransomware attack.” (See the FBI’s page on Cyber Crime.) The FBI has flip-flopped back and forth a number of times, both recommending and not recommending paying ransoms.

The FBI’s Issues with Paying Hackers

The FBI’s current reasoning for not supporting payment is that “paying a ransom doesn’t guarantee an organization that it will get its data back—there have been cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

I totally agree that organizations have an absolute necessity to put preventative measures in place. I also believe that paying a ransom qualifies as a business decision to be examined on a case-by-case basis. Considerations to be factored into this decision include efficacy of backups, the cost of downtime and likelihood of receiving the decryption keys should the ransom be paid. When there is no option but to pay, the organization’s survival imperative may override the FBI’s moral concerns.

Continuing our search, we headed to Coinbase, one of the better known US exchanges. Their institutional customer verification procedures made it seem like it could take days before we were approved and in possession of bitcoin.

It’s All About Who You Know…

We concluded that the only route left to us was to find a private bitcoin holder and conduct a transaction with them. We began asking around.

It’s not so easy to find someone you know and trust who has 5 bitcoins and is willing to sell when the market is low. We asked friends. All expressed shock at the size of ransom being demanded. A Google search of the Samsam ransomware variant uncovered an abundance of recent attacks targeting governments, schools, and healthcare and industrial control systems – many paying sums similar to or in excess of those demanded of my client. In fact, a Blockchair search of the bitcoin address given in our ransom note showed this account had received 14 payments in the last 3 weeks totaling more than $300,000 – and most payments were well above $30,000. These hackers were running their operation like a business and people were paying.

We eventually tracked down a suitable vendor – a friend of a friend – and executed a cash transaction. Eight hours after we had begun our search for bitcoin, we were in possession of 5 bitcoins. Later that night a final discussion was held to consider all the options and their cost-benefit. The decision was made to go ahead and pay the ransom. The decryption keys arrived a few hours later and the process of recovery continued in earnest.

And We’re Back…

The true costs of this incident are expected to exceed $500,000 – ransom payment, cost of downtime, lost productivity and IT man-hours, a figure which could have destroyed many other companies. Shockingly, this figure has only stayed the bleeding and returned the organization to “business as usual.” It has brought the organization no closer to preventing this from happening again tomorrow.

Bottom line: The implementation of precautionary measures would’ve cost a mere fraction of this.

For more information on how our offensive services can help protect your organization from attacks, please contact Shay Pinsker at [email protected], or visit our website.
