The flaw in their plan is that the intersection of people capable of figuring out how to pay a ransom payment in Bitcoin, and people still using Windows XP, is pretty small.
But their price point was set too high for their market.
Turns out that for a lot of victims wiping their old computer was deemed less expensive than the cost, nuisance, and risk of paying criminals through some shady internet fake money thing to possibly avoid having to wipe their computer.
For anyone with a recent backup of their data, I can't think of why they'd pay.
A lot of the high-profile systems getting hit are embedded mission-critical systems. They'd be getting some amount of IT attention. And systems that aren't that important might not be important enough to ransom - just wipe and start over.
Have you seen the banner ad at the top of the page: "Kevin Mitnick Security Awareness Training 2016"? So who knows, maybe there's more in it for them longer term.
Would they make more money if they demanded $10 instead of $300? While $300 isn't crazy money, it's more than enough to be painful, and definitely feels like ransom.
I wonder how many people facing a locked computer would sigh, say a few choice swearwords, and dig out their cards had it been a relatively low amount.
Asking to get paid in Bitcoin is already a stiff barrier to entry for most users, so probably not. $300 feels close to the upper threshold where people who already care enough to not balk at the Bitcoin requirement also won't balk at the sticker price.
They passed up a good opportunity for price discovery: have the ransomware pick a random number between, say, 10 and 1000 and learn from that for future attacks.
Is this a point to the downside of bitcoin? I'm not against it at all still, but this does prove it to be a viable method of payment for shady business that can't reasonably be tracked... without bitcoin (or other cryptocurrency), what methods would be in place to collect this money that wouldn't be easily tracked?
Western Union? Scammers have had means of collecting payouts since the beginning of scams.
One interesting counter point here is that the money hasn't disappeared. Literally every cent that has been paid to one of these Bitcoin addresses can be traced through all future purchases by anyone on the internet. The money will, of course, be combined with other amounts as transactions occur but that doesn't kill the trail. If any of it does end up in a wallet which a government can tie to a real person, an investigator can start working backwards. This is no different from marked bills in a more traditional ransom payment. Not perfect, but proven effective.
Western Union at least requires ID to receive money, and you have to go into a location to do so (you can't claim it online) ... so you will be on camera...
Checks and money orders have to be cashed...
I'm not ranting against anything, just a curiosity...
"The warning informs the user that to unlock their system, they would have to pay a fine using a voucher from an anonymous prepaid cash service such as Ukash or Paysafecard.
[...]
By August 2012, a new variant of Reveton began to spread in the United States, claiming to require the payment of a $200 fine to the FBI using a MoneyPak card."
The only reason to care about centralized currency is the possibility that whoever owns the central bank will simply print more. This is equivalent to taxation.
If this were me, I'd be running away from it as fast as possible.
It's entered meatspace, with players like the FBI, FSB, China (not sure about their acronyms), and anyone else who feels they have a stake.
If you aren't state-sponsored and protected (by a competent state, however corrupt), you aren't going to win against them. Not when you have a physical body, family, and friends to protect.
(And even if you aren't state-sponsored, do you want to be on high-vigilance for 10+ years? No trips abroad? And how do you stay useful enough to maintain that protection? And how, regardless of internal political turmoil?)
P.S. Not to mention, the competent (as opposed to the other) and very resource rich aspects of their intelligence services. Which can add up to a lot of haystack sifting.
What a shame. They've surely done many orders of magnitude more than $26k worth of damage. They've done a really really bad job at monetising their impact.
True, the damages they have done far surpass the ransom income, but the inflation of the currency itself based on global attacks probably helps them over the long haul. Sort of crazy that bitcoin markets react to ransom hauls in a positive way and to me - that is the biggest danger to bitcoin and a large source of potential revenue.
What would be really interesting to me is the reverse-engineering of the outbound bitcoin to trace this back to real/named individuals.
Consider that every transaction is public information - so any bitcoin spent from that wallet has to go somewhere.
A friend threw out a stat for me while we were discussing this the other day that something like 80% of existing wallets are owned within places like coinbase where they are associated with named individuals. (I don't know if that is true, but for the purposes of this strategy it's the assumption I'll stick with)
Anyways - assuming 80% of wallets can be traced by law enforcement to named individuals. Imagine that you set an alert to watch all outbound transactions from any of those three wallets.
After each transaction, do a lookup on the owner of the receiving wallet. If it is a named individual, interview them to find out how they got this money. Who just sent them a bitcoin?
If the wallet is not owned by a named individual, add it to the watch-list. Repeat for all outbound transactions from that wallet until you can trace it back.
I'm interested to know how many steps it would take to arrive at the actual criminal.
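The watch-list procedure sketched in this comment (watch the seed wallets, look up the receiver of every outbound transaction, treat a named receiver as an interview lead, otherwise add the receiver to the watch-list and repeat) written out as an added Python example; this is not code from the thread or from any blockchain-analysis product. The ledger, the wallet ids and the "exchange account" labels are constructed placeholders, and the commenter's 80% assumption is represented simply by which wallets carry a label. Funds combining from two seeds into one wallet, a cycle between two unlabelled wallets, and a wallet with no outbound transactions are all included so the search handles them.

```python
"""Breadth-first trace of outbound transactions from watched wallets to
wallets tied to named account holders. All data below is constructed."""
from collections import deque

# Constructed, simplified ledger: (txid, sender wallet, receiver wallet, BTC).
# Real transactions have many inputs and outputs, which only means more
# edges per txid; the traversal itself is unchanged.
LEDGER = [
    ("tx1", "ransom_A", "hop1", 2.0),
    ("tx2", "ransom_B", "hop1", 1.5),       # funds from two seeds combine here
    ("tx3", "hop1", "hop2", 3.4),
    ("tx4", "hop1", "exch_user_77", 0.1),   # small cash-out to a labelled wallet
    ("tx5", "hop2", "hop3", 3.3),
    ("tx6", "hop3", "hop2", 0.5),           # cycle: must not loop forever
    ("tx7", "hop3", "exch_user_12", 2.8),
    ("tx8", "hop3", "dark_pool", 0.4),      # dead end: unlabelled, no outbound
]

# Constructed labels standing in for "wallet held at an exchange that knows
# the account holder" (the commenter's 80% assumption).
NAMED_WALLETS = {
    "exch_user_77": "exchange X, account 77",
    "exch_user_12": "exchange X, account 12",
}

# Constructed seed wallets standing in for the ransom addresses.
SEED_WALLETS = ["ransom_A", "ransom_B"]


def build_outbound_index(ledger):
    """Map each wallet to the list of (txid, receiver, amount) it has sent."""
    index = {}
    for txid, sender, receiver, amount in ledger:
        index.setdefault(sender, []).append((txid, receiver, amount))
    return index


def trace_to_named(seeds, ledger, named):
    """Follow outbound transactions from the seed wallets.

    A receiver that maps to a named account holder becomes a lead and is not
    expanded further; an unlabelled receiver joins the watch-list and is
    expanded in turn. Returns (leads, dead_ends) where each lead is
    (wallet, label, hops, list of txids from the seed) and each dead end is
    (wallet, hops) for an unlabelled wallet with no outbound transactions.
    """
    outbound = build_outbound_index(ledger)
    queue = deque((seed, 0, []) for seed in seeds)
    watched = set(seeds)          # wallets already on the watch-list
    leads, dead_ends = [], []
    while queue:
        wallet, hops, path = queue.popleft()
        txs = outbound.get(wallet, [])
        if not txs and hops > 0:
            dead_ends.append((wallet, hops))
        for txid, receiver, _amount in txs:
            if receiver in named:
                leads.append((receiver, named[receiver], hops + 1, path + [txid]))
                continue
            if receiver not in watched:   # the watch-list set also breaks cycles
                watched.add(receiver)
                queue.append((receiver, hops + 1, path + [txid]))
    return leads, dead_ends


def trace_constructed_case():
    """Run the trace over the constructed ledger above."""
    return trace_to_named(SEED_WALLETS, LEDGER, NAMED_WALLETS)


if __name__ == "__main__":
    leads, dead_ends = trace_constructed_case()
    for wallet, label, hops, path in leads:
        print(f"lead: {wallet} ({label}) after {hops} hop(s) via {' -> '.join(path)}")
    for wallet, hops in dead_ends:
        print(f"dead end: {wallet} after {hops} hop(s)")
```

The hop count answers the commenter's question for a given ledger, and each lead carries the chain of txids that justifies asking that account holder where the coins came from. The watch-list set records only the first path that reaches a wallet, so a second seed feeding the same intermediate wallet (tx2 above) is covered by the lead but does not get its own path; an investigation that needs every contributing route would record all predecessor edges instead of just the first.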
Once the BTC goes through an exchange, and withdrawn in another cryptocurrency, it would be almost impossible to trace without cooperation of the exchange. I'm sure there are plenty of exchanges out there that wouldn't cooperate with law enforcement.
If bitcoin were truly that ineffective for use by extortionists, why is it so commonly used? Note: I'm truly asking a question, I know very little about the subject.
Honestly, I've been repeating this question for years. I still haven't come up with a good answer.
The best that I got is that those criminals rely on living in countries with weak rule of law, and Bitcoin makes for just enough obfuscation that those countries won't investigate them, while countries willing to investigate don't want to disclose that they have the ability.
Besides, anonymity is not the only feature of Bitcoin useful for criminals. There's also the fact that transactions cannot be stopped or undone. Those may be even more important.
Interesting! So there are laundering services. Still, even if that were a 'terminal' point, you'd know at least where they were going. I'd love to read the story of 'follow the money'
Considering nobody has had their files decrypted yet, I'm almost surprised how high this figure is. You'd think some people would do at least a bit of research before throwing $300 down the drain.
Did they actually decrypt the files after getting money from victims?
It would be interesting if some white-hat security researcher paid the $300 and got the solution (reverse engineering), then made it available for free to everyone :)
As much as parts of the worm do look kind of amateur-ish, it's probably still a stretch to assume that they used the same encryption key for every infection.
Article is a couple of days old now. If you do the math right as I'm writing this, it'd be 33.8 bitcoins. At $1721 per coin the total is over $58,000.
All points Krebs mentions are still valid however.
Ah yes, the old: "This action harms no one but yourself, but we wish to protect you from yourself, so the solution is to turn you into a criminal when you perform said action. For your own good of course."
It's not to protect you from yourself, it's to protect you from others. It's like how some shops have "cashier cannot access safe" signs -- it's not necessarily that they don't trust the cashier, it's that it prevents the cashier from becoming a target.