How ransomware extortionists hide their tracks

Cybercriminals extorted about one billion dollars from ransomware victims last year, according to the FBI. And nearly all of those perpetrators went unprosecuted because of the innovative methods they use to protect their identities and hide their funds. They go to great lengths to keep authorities from seizing or freezing their money. By and large, their efforts have paid off. Here’s how they do it:

Hidden identities, disposable email
Extortionists protect their identities whenever interacting with victims. This generally occurs when they distribute ransomware, and when they collect ransom payments from victims in exchange for decryption keys.

Extortionists use disposable email accounts and when sending out phishing emails that target victims. These accounts have fake names associated with them and no useful contact information. In some cases, the accounts are owned by another individual—a person whose account was compromised, taken over and used to send malicious emails.

Layered like an onion
Extortionists often protect themselves during the collection phase by using so-called “onion routing” tools like Tor, which use multiple layers of encryption to ensure anonymous networking and communications. Tor is a network of computers that exchange encrypted data among themselves to obscure the source of the data. This prevents researchers and law enforcement from identifying where the decryption keys are stored.

Cryptocurrency enables anonymity
The cybercriminals responsible for disseminating ransomware typically demand payment in some form of cryptocurrency. Bitcoin is the most popular cryptocurrency with Litecoin and Dogecoin coming in second and third place, respectively. Bitcoin currency is stored in a digital wallet and bought and sold over bitcoin exchanges, through peer-to-peer marketplaces, and via person-to-person trades using an intermediary. Bitcoin transactions are logged publically but transactions only reference the wallet IDs of each partner in the transaction, not the names of the individuals themselves. Wallet IDs have no identifying information associated with them other than their number.

Cybercriminals typically keep a wallet ID for a short period of time and may only use it for a few transactions before switching to a new wallet ID. This ensures that specific wallet IDs are not identified as major bitcoin traders. They also use bitcoin laundering services or anonymizers like bitmixer.

Gift cards and money mules
Some forms of ransomware accept vouchers for payment. These include gift cards and CashU, MoneyPak, MoneXy, Paysafecard and UKash vouchers. These may be used to purchase goods that “money mules” then sell over the internet for cash. Money mules are also used to liquidate cards by selling them to individuals at less than face value. Cybercriminals prefer cryptocurrency because it allows them to keep a greater percentage of the profits.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Regaining your anonymity online

Anonymity has been a longstanding hallmark of the Internet but you should no longer assume that your online activities are anonymous.

A vast amount of information is collected as you use the Internet. Search engines store the key words you search for and the pages you visit, browsers store web history, which may be integrated with the cloud, and websites store information your activities on their sites. Your IP address provides information on your general location and many applications can track your location data, obtained from your address or from GPS.

It takes a concerted effort to regain your anonymity. Anonymity must be protected from end-to-end starting with the operating system and then progressing to your network address, browser and search engine.

Operating System

Last month I wrote about the privacy features and flaws of Windows 10. What many don’t realize is that their operating system is collecting information on their activities which could be retrieved by malware or published to the cloud for data mining. This can be avoided by using an operating system that runs off a CD or DVD. Such systems, called “live” operating systems, run in memory, a storage component of your computer that retains data only while the computer is powered on. This data is not retained when you shut down the computer or restart it. CDs or DVDs are typically read-only, meaning that data cannot be written to them. Files that you are working on can be saved to a flash drive but operating system logs of activity are not stored with live operating systems. Similarly, spyware, malware and other junk cannot install on a live operating system. This further protects you against threats to your anonymity.

Network Address

Each device that connects to the Internet identifies itself with a unique IP address. This address can indicate your location and it can be used to correlate activity collected from multiple sources in order to build a profile on you. One method of obscuring this address is to use a proxy. A proxy requests Internet resources on your behalf and then presents them to you so that the requests appear to originate from the proxy rather than you.

However, one must be careful in using proxies because not all are intended for anonymity. Some send a forwarder that indicates where the data originated and others send data in the clear so that it can be potentially intercepted. Choose a proxy that uses SSL encryption and does not use http “forwarded for” headers. Another limitation of proxies is that attackers see them as a potential target because of the high volume of traffic traversing them. Compromised proxy servers could put your information in the hands of cyber criminals.

The Onion Router (TOR) extends the proxy model by bouncing connections between many computers within its network and then delivering the final request from one of many endpoints. Data within TOR is encrypted using SSL. It is still possible for a TOR server to be compromised but that server would only see a small portion of your traffic or possibly none at all depending on how your traffic was routed through the TOR network. The downside of using TOR is that connections are often slow due to the latency incurred by traversing so many computers.

Browser

The most common browsers are Internet Explorer, Mozilla Firefox and Google Chrome. Internet Explorer or its replacement, Edge, is the default browser on Windows machines. Linux variants often come equipped with either Firefox or Chrome, depending on the distribution. Each of these browsers has their share of privacy flaws but your choice of browser is much less important than the privacy settings you select within the browser. Restrict cookies and set your browser security settings to the highest level that still allows you to browse with ease. Many browsers also include a private browsing mode. This is very useful for restricting information from being collected by your browser on your activities while in this mode.

Search Engine

Most of the search engines collect data on your browsing habits so they can target ads to you and improve their search rankings. Some search engines share or sell this information with other parties. However, Duck Duck Go is a search engine that does none of these things and it is a valuable tool for searching the web anonymously.

These technologies and techniques can all be used to protect your anonymity. However, they provide the best protection when used together. It may not be feasible for you to use all of them. For example, you may need to use an application at the same time while you browse, making a live operating system impractical or you might want to test searches in a specific search engine. I encourage you to use as many as possible.  You may additionally use a virtual private network (VPN) to connect to your workplace or other common resources so that traffic between your computer and the VPN is encrypted and you can use wiping tools to more effectively erase data from your machine after deleting it. However, a discussion on these tools will have to wait for another article.

Continue reading