Previous articles in this four-part series (see part one, two and three) have discussed the epidemic of ransomware, how it works, and the thorny question of whether to pay. What often catches organizations by surprise is not only the ease with which ransomware can bring operations to a halt, but the difficulty of paying the ransom if you determine that it is your best option. The currency of choice for cyber extortionists is Bitcoin, a digital, completely virtual form of money that can fluctuate wildly in value, offers no protections, and can open you up to other kinds of cyber theft. Most businesses are completely unfamiliar with this “crypto-currency,” but if you’re considering paying a ransom, the dangers of Bitcoin should figure into your choice. So let’s look at some Bitcoin basics. (First basic: “Bitcoin” is used to refer to the whole system of currency, whereas “bitcoins” are individual units.)
Why Bitcoin is not your PayPal
Many of us are familiar with PayPal, which allows people to transfer regular money conveniently on the web. A PayPal account can be pre-loaded with money to make a payment, or it can be tied to a credit card or bank account. The payment is either deducted from your PayPal balance or it will show up on your bank or credit card statement at the end of the month.
While PayPal transfers money, Bitcoin IS money—virtual money that exists as a series of transaction records kept by individuals or organizations in a Bitcoin “wallet” (an application) and recognized by other Bitcoin wallets. The value of a bitcoin also fluctuates versus other currencies. So if your organization is hit by ransomware and you have to pay in bitcoins, you have to go to a Bitcoin exchange such as Coinbase, pay dollars for bitcoins at the going rate, and then deliver those bitcoins to the extortionists. Which all sounds straightforward, until you dig into the details.
What could go wrong?
Unlike most other forms of payment, Bitcoin is completely unregulated. There is no central issuer of bitcoins, and there’s no Federal Reserve of bitcoins that keeps track of all the transactions or controls their value. Bitcoin transactions are untraceable. That’s why it’s the preferred currency of the dark web, and why there are so many risks in using it.
The first risk is in buying bitcoins. While there are a few Bitcoin ATMs where you can buy the coins in cash, if there isn’t one near you, or if your organization isn’t prepared to come up with thousands of dollars in cash on short notice, you will need to buy bitcoins from an online exchange. The exchange will require you to supply a bank account or debit card number to fund the transaction, which creates an immediate risk because Bitcoin exchanges are notorious for being hacked. (One of the earliest, Mt. Gox, went bankrupt after it was hacked in 2014, losing an estimated $450 million worth of its customers’ bitcoins.) The last thing you want is hackers getting away with your organization’s bank account numbers, so if you have to buy bitcoins for a ransom, set up a new bank account to hold the payment funds and close the account as soon as possible afterwards.
The second risk is that bitcoins fluctuate in value, whereas ransomware demands are usually specified in fixed dollar amounts. You can check the value of the coins when you buy, but there is no guarantee that if you buy, say, $10,000 worth of Bitcoin, it will still be worth that amount by the time you turn it over to the attackers. And if you don’t meet the extortionists’ demands with the full amount by the deadline, they may not release your systems or data. Cyber extortionists want you to be able to pay the ransom successfully (because if it doesn’t work, people will stop paying), and some provide customer service which victims can contact to negotiate, but it may be wise to buy some extra Bitcoin in case you have to come up with more at the last minute. Theoretically, you can cash it in later for whatever it’s worth at that time (assuming the exchange doesn’t get hacked).
The third risk is that you have no leverage with the attackers once a ransom is paid. When you pay with credit cards or PayPal, you can challenge a payment and get it credited back by the seller. With Bitcoin, once the money is paid, it’s gone, the attacker is gone, and if they don’t release your computers or data, or if they left hidden malware so they can turn around and ransom them again, you’re out of luck. Again, smart attackers won’t take your funds and vanish without delivering, because if word gets around, people will quit paying. But since any petty hacker can now get into the ransomware game, you can’t assume that they’re all smart. You have to decide whether losing those funds for nothing is an acceptable risk.
Now how much would you pay?
If a ransomware attack brings your operations to a halt, you have to weigh the costs of paying versus trying to resurrect your systems and data yourself. Realistically, you want to restore everything from clean backups anyway, to minimize the possibility that there is still hidden malware stealing data in the background or waiting to take your systems down again. But if you’re providing time-critical services such as healthcare or controlling a nuclear power plant, you may choose to pay a ransom so that you can continue operations now and restore systems as business demands allow.
Either way, the risks and vagaries of bitcoin payments should figure into your decision. And if you do decide to pay, pay carefully.