Crypto prices continue to plunge, but cybercriminals still need the currencies for ransomware attacks.
Some experts say the price drops might be pushing cybercriminals away from ransomware and toward other kinds of cybercrime that involve stealing traditional money.
The collapse of cryptocurrencies is rippling through the world of ransomware, security researchers say, even though bitcoin, ether and other digital tokens remain the payment of choice for cybercriminals locking up corporate computer systems.
Over the past few months, the value of cryptocurrencies has plummeted amid rising inflation, economic shocks caused by the war in Ukraine and falling global stock markets. Hundreds of billions of dollars in value has been wiped out over that period, which is starting to be known as crypto winter. On one day alone, more than $200 billion in value was wiped from the broad crypto market.
The widespread fall has forced cybercriminals to recalculate their ransoms, security professionals say, and has pushed out of business some of the services that handle their ill-gotten gains, such as dark web crypto-swapping marketplaces. It’s also accelerating a preexisting shift toward crimes such as malware attacks and corporate phishing scams that target actual dollars, rather than crypto.
Mark Lance, vice president of cyberdefense and a ransomware negotiator at GuidePoint Security, notes that ransomware demands are generally based on US dollar amounts, so cybercriminals are simply doing the math and asking for greater amounts of crypto. That makes the bitcoin demand look larger, even though ransoms haven’t changed much in dollar terms.
Lance says many ransomware attacks fly under the radar these days because the attacks aren’t as novel as they once were. Many ransoms get little attention unless they have the type of consumer fallout that last year’s headline-grabbing attack on Colonial Pipeline did.
“Ransomware is still as prevalent as it ever was,” Lance said, “and still making a ton of money.”
Business isn’t as good at the largely shady crypto exchanges that cater to small-time cybercriminals. Many of those organizations are feeling the chill of crypto winter.
Last year, a team of researchers at Cybersixgill, an Israel-based threat intelligence firm, watched the activities of roughly 30 small dark web exchanges for several months. The exchanges, which the company didn’t specifically name, have all been shut down since April.
The reason: Cybercriminals act a lot like many investors. When the values of assets start to tumble, they panic and cash out as fast as possible in hopes of cutting their losses.
“It’s just like what we see when there are bank runs,” said Dov Lerner, who runs Cybersixgill’s security research. He says the people behind the exchanges are still active in cybercrime even though the exchanges have “just vanished.”
Some observers say crypto winter has put a permanent chill on ransomware attacks.
Not that long ago, cybercriminals could demand $1 million to $3 million in payment after locking up a corporate computer system, notes Sherrod DeGrippo, vice president of threat research at Proofpoint, an email security company.
“But I think those heydays might be over,” she said, noting that criminals aren’t seeing the same success they once did. She notes that many organizations, along with the US government, have stepped up their ransomware defenses recently, pushing cybercriminals toward other activities.
Her company has seen upticks in attacks involving remote-banking trojans, malware designed to steal credentials or access to financial accounts, along with phishing attacks that scam company officials into paying fake invoices or otherwise sending criminals real money. There’s even been an uptick in the harvesting of credit card numbers.
With any of those crimes, the criminals make off with conventional currency, rather than crypto.
Criminals also like trojans because the malware can sit on systems quietly siphoning money over time. For example, an attacker might be able to scam a company into paying a fake invoice month after month, or a banking trojan could continue to harvest access to financial accounts over time without the company knowing.
“Getting an organization’s payroll, pensions and retirement makes for a massive payday,” DeGrippo said. “It’s a lot bigger, quieter and easier than ransomware.”