How ransomware extortionists hide their tracks

Cybercriminals extorted about one billion dollars from ransomware victims last year, according to the FBI. And nearly all of those perpetrators went unprosecuted because of the innovative methods they use to protect their identities and hide their funds. They go to great lengths to keep authorities from seizing or freezing their money. By and large, their efforts have paid off. Here’s how they do it:

Hidden identities, disposable email
Extortionists protect their identities whenever interacting with victims. This generally occurs when they distribute ransomware, and when they collect ransom payments from victims in exchange for decryption keys.

Extortionists use disposable email accounts when sending out the phishing emails that target victims. These accounts are registered under fake names and carry no useful contact information. In some cases, the account belongs to another individual—a person whose account was compromised, taken over and used to send the malicious emails.

Layered like an onion
Extortionists often protect themselves during the collection phase by using so-called “onion routing” tools like Tor, which wrap traffic in multiple layers of encryption to provide anonymous networking and communications. Tor is a network of computers that relay encrypted data among themselves to obscure where the data originated. This prevents researchers and law enforcement from identifying where the decryption keys are stored.

Cryptocurrency enables anonymity
The cybercriminals responsible for disseminating ransomware typically demand payment in some form of cryptocurrency. Bitcoin is the most popular cryptocurrency, with Litecoin and Dogecoin coming in second and third place, respectively. Bitcoins are stored in a digital wallet and are bought and sold over bitcoin exchanges, through peer-to-peer marketplaces, and via person-to-person trades using an intermediary. Bitcoin transactions are logged publicly, but each transaction references only the wallet IDs of the parties involved, not the names of the individuals themselves. Wallet IDs have no identifying information associated with them other than their number.

Cybercriminals typically keep a wallet ID for only a short period of time and may use it for just a few transactions before switching to a new one. This keeps any single wallet ID from standing out as a major bitcoin trader. They also use bitcoin laundering services or anonymizers like bitmixer.

Gift cards and money mules
Some forms of ransomware accept vouchers for payment. These include gift cards and CashU, MoneyPak, MoneXy, Paysafecard and UKash vouchers. These may be used to purchase goods that “money mules” then sell over the internet for cash. Money mules are also used to liquidate cards by selling them to individuals at less than face value. Cybercriminals prefer cryptocurrency, however, because it lets them keep a greater percentage of the profits.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Despite the name, money mules are not good

The life of a money mule begins simply enough. An email arrives, often unsolicited, asking whether you would like to change careers, receive copious amounts of money, and work unsupervised. Who wouldn’t want that? The job ads might call the position a payment processing manager, fund manager, transaction processing agent, or some other legitimate-sounding title. Those who accept the position are instructed to transfer funds from one account to another, keeping a percentage of the amount transferred. It seems like an easy job with more than adequate compensation, so what’s the catch?

If you read the fine print, you will see that this is just a basic money-laundering scheme. The transfers the mule carries out are illegal, since the funds being moved are stolen. Those who participate could be fined or jailed. In the best-case scenario, participating in such a scheme, even unknowingly, results in the mule’s own account being frozen while investigations go on.

There is another variation you should be aware of. Instead of transferring money over the wire, some scams ask you to deposit checks and then wire money elsewhere. A check arrives in the mail, you deposit it and keep your promised percentage, and you wire the rest on. The problem comes when the check bounces: the bank deducts the full amount from your account, along with a fee, after you have already wired the money elsewhere.