As the value of Bitcoin plunged in the last eight months, some security firms have observed an impact on ransomware activity.
Since the beginning of the year, for example, ransomware attacks have dropped by about a quarter, according to cybersecurity firm Arctic Wolf. In another measure of the disruption, most of the fly-by-night cryptocurrency exchanges serving to launder ransoms have stopped advertising their services, suggesting that as cash-outs surged — essentially, creating a bank run — they could not satisfy demand, according to a new blog post from cyber-threat intelligence firm Cybersixgill.
Most major ransomware groups cash out cryptocurrency quickly, but smaller players are more likely to hold onto their assets, leading to a panicked response, says Dov Lerner, security research lead at Cybersixgill.
“I don’t know how much reserves Binance or Coinbase might have, but these Dark Web exchanges, they certainly don’t have millions of dollars in reserves,” he says. “If everyone is dumping cryptocurrency for dollars, they can’t keep up.”
Behind the financial culling is a 71% drop in the value of Bitcoin — and similar drops in other cryptocurrencies — since November 2021.
Dark Web Shaken by Crypto’s Decline
The underground market has fared no better. In an analysis of 34 Dark Web cryptocurrency exchanges, which typically charge high fees of 2% to 15% of transactions for anonymity, Cybersixgill found that every one of them no longer advertises any capability to exchange cryptocoins for cash.
Yet cybercriminals are typically agnostic to fluctuations in cryptocurrency. They typically sell services and tools in US dollars, and they research business victims’ revenues before making a ransom demand in dollars or euros.
“If the value of Bitcoin declines, ransomware attackers will simply ask for more Bitcoin,” says Jackie Koven, head of threat intelligence at cryptocurrency-monitoring firm Chainalysis. “They generally cash out ransom payments quickly and do not hold them in crypto as investments.”
The shake-up in Dark Web cryptocurrency exchanges could account for the drop in ransomware since the beginning of the year. However, cybercriminals may also be shifting tactics.
Business email compromise (BEC), for instance, has always outpaced ransomware in terms of profitability for the cybercriminals and damages to companies. In 2017, for example, ransomware accounted for only 0.2% of losses tracked by the Internet Crime Complaint Center (IC3), while BEC accounted for 27% of losses. In 2021, BEC accounted for 35% of dollar losses, while ransomware had climbed slightly to 0.7%, according to IC3 data.
As governments focus more on dissuading the criminal use of cryptocurrencies, schemes that do not rely on cryptocurrency — BEC steals actual funds from businesses — will take off, says Crane Hassold, director of threat intelligence for cybersecurity firm Abnormal Security. The company has observed a growing number of BEC-related emails over the past five years — a trend he expects to continue.
“Inserting more friction into cryptocurrency transactions and making them more difficult to use for illicit purposes … are things that cybercriminals can’t compensate for and would likely drive down the overall ROI for cryptocurrency-driving cybercrimes, like ransomware,” he says, adding: “We’ve … observed a growing number of more sophisticated actors from countries like Russia and Israel enter the BEC space in recent years, which indicates that an expanding population of actors are realizing how lucrative BEC attacks can be.”
Other explanations for a drop in ransomware attacks include the disruption of the Conti — associated with an 18% drop in ransomware activity — and Russia’s invasion of Ukraine, since both countries are home to some of the primary actors in the ransomware scene.
“Ebb and Flow”
However, other data suggests that ransomware groups are recovering quickly. Threat intelligence firm Digital Shadows found that the 88 data-leakage websites that it tracks had listed 705 victims in the second quarter of 2022, up 21% from the previous quarter.
The recovery suggests that ransomware groups are fairly immune to the price fluctuations in their primary way of monetizing infections. The groups have few other options for getting paid, and until cryptocurrency poses more risk, they will continue, says Mark Manglicmot, senior vice president of security services at Arctic Wolf.
“There is no good alternative to cryptocurrency at this point, so I don’t see cybercriminals asking for anything else,” he says. “I don’t think that cryptocurrency will totally collapse and go away, so what we see happening — the ebb and flow — will continue.”
However, the volatility may convince cybercriminals to make the handling of cryptocurrency more flexible in their tools kits. The cryptocurrency used in different campaigns could just be a swappable piece that cybercriminals will change regularly, like servers, IP addresses, and malware signatures, says Manglicmot.
“Changing the way they way you operate, changing the infrastructure, while maintaining the fundamental infrastructure behind the operations is something that they already do, so I could see them seeing them using one cryptocurrency for some time and then switching to another,” he says. “It would be almost like diversifying their portfolio.”