Hein Alberts, junior security researcher, SensePost SecureData Labs

In March, a new ransomware variant was reported that was unremarkable in every aspect except for how the ransom was to be paid. The Kirk program operates in much the same way as previous ransomware: it encrypts files with an AES key and then encrypts that key with a 4096-bit RSA public key, so that only the attacker can recover it later. However, in order to receive the Spock decryption program, the payment needs to be made in Monero, rather than in the cyber-criminal's “traditional” cryptocoin of choice, Bitcoin. So, why the change, and is this the start of a new trend?

Why the change from Bitcoin?

The emergence of Bitcoin at exactly the same time as ransomware created the perfect economic storm, enabling an attacker to anonymously monetise a target. However, Bitcoin is currently undergoing some challenges and there is some uncertainty about what the outcome will be. The issue is that Bitcoin's block sizes are too small to handle the large number (millions) of transactions that occur daily. Previously, it took just a few seconds to send funds from one wallet to another, yet now it can take from thirty minutes to eight hours for payment confirmation. This is not ideal for a criminal who wants to make it as easy as possible for the victim to pay the ransom, have the transaction confirmed and get their files released.

Bitcoin is also traceable with enough resources, and with enough time the transactions between wallets can be traced to see where the funds have been travelling. Again, this is not ideal for cyber-criminals who are focused on anonymity, as the chain means there is a risk (albeit a small one) that they could be caught. Here is where Monero and other altcoins like Zcash have a role.

A crypto-currency of choice for cyber-criminals

Monero isn't new and has been available on darknet forums and crypto exchanges for more than two years. It makes use of ring signatures to protect user anonymity and provides plausible deniability, meaning cyber-criminals are able to fly under the radar, with even less risk of being caught than if using Bitcoin. And, if the finger is pointed at them, there will be no hard evidence to secure a conviction. Another altcoin that is likely to make the headlines in the next few months in the darknet space is Zcash, which focuses on zero-knowledge proofs. It hides the metadata of a transaction (payment, recipient, sender etc), which, like Monero, protects user anonymity and makes it an appealing currency to use.

Monero has jumped significantly in value over the last few months. Last year, it was trading at under US$10 (£8) per coin, whereas now it is above US$20 (£16). This sharp increase in value, coupled with the vast number of coins available, has meant that cyber-criminals have identified an opportunity to use an alternative to Bitcoin that also protects their identity and makes it easier to spend the funds they stole. They can then send the coins to exchanges, swap the Monero for any other altcoin or for Bitcoin, and cash out at the equivalent USD value.

Follow the money to catch the criminals

The process of monetising cyber-breaches is evolving rapidly with attacks, such as those from ransomware, becoming more sophisticated, audacious and ultimately more profitable for the criminals than anything we've seen before.

The protection benefits that Monero and other altcoins afford cyber-criminals, along with the transaction speed problems facing Bitcoin, mean that these relatively unknown crypto-currencies will inevitably make their way into more and more ransomware and malware attacks. Kirk is just one of the first to be widely reported. This represents a big challenge for the good guys trying to thwart attacks.

“Follow the money. Always follow the money,” said the anonymous source quoted by Bob Woodward and Carl Bernstein in their book All the President's Men about the Watergate scandal. If we're going to stem the rising tide of ransomware, then that's what we need to do, too.
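Following the money starts with the payment details in the ransom note itself, and the first thing an analyst wants to know is which currency the attacker asked for and whether the address in the note is even well-formed. The script below is an added example written for this page (it is not code from the article, from SensePost, or from the Kirk malware): it pulls candidate Bitcoin and Monero addresses out of note text, validates the legacy Bitcoin ones against the Base58Check checksum, and applies a format-only check (prefix, length, alphabet) to Monero ones, since the Keccak checksum Monero uses is not in Python's standard library. Bech32 "bc1" Bitcoin addresses are deliberately out of scope. The note text, the Monero-shaped string and the all-zero hash160 address are constructed samples; the one real address is Bitcoin's well-known genesis block address, used only as a known-valid reference.

```python
"""Ransom-note triage: extract candidate cryptocurrency payment addresses
and check which are structurally valid.  Added example; not the article's
or SensePost's code.  Sample inputs below are constructed."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes, keeping each leading zero byte as a '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a non-alphabet character."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def make_p2pkh_address(hash160: bytes, version: int = 0x00) -> str:
    """Build a legacy Bitcoin address: version || hash160 || 4-byte checksum."""
    payload = bytes([version]) + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def is_valid_btc_legacy(addr: str) -> bool:
    """Base58Check validation for '1...' (P2PKH) and '3...' (P2SH) addresses."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


# Candidate patterns.  Monero: 95-char standard ('4') or subaddress ('8'),
# or 106-char integrated address ('4').  Format-only; no checksum verified.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
XMR_RE = re.compile(r"\b(?:4[1-9A-HJ-NP-Za-km-z]{105}|[48][1-9A-HJ-NP-Za-km-z]{94})\b")


def extract_payment_addresses(text: str) -> dict:
    """Return validated Bitcoin, format-plausible Monero, and rejected candidates."""
    found = {"bitcoin": [], "monero": [], "rejected": []}
    for m in BTC_RE.finditer(text):
        bucket = "bitcoin" if is_valid_btc_legacy(m.group()) else "rejected"
        found[bucket].append(m.group())
    for m in XMR_RE.finditer(text):
        found["monero"].append(m.group())
    return found


# Constructed sample inputs (the Monero string is shaped like an address,
# not a real wallet; the '1A1z...' address is Bitcoin's public genesis address).
SAMPLE_XMR = "4" + ("6AgH7Kq2" * 12)[:94]
SAMPLE_NOTE = (
    "Your files are encrypted. Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa.\n"
    "Backup wallet: 1111111111111111111114oLvT3 (do not use)\n"
    f"Or pay in Monero to {SAMPLE_XMR} for the decryptor.\n"
)

if __name__ == "__main__":
    for currency, addrs in extract_payment_addresses(SAMPLE_NOTE).items():
        print(f"{currency}: {addrs}")
```

The "rejected" bucket is worth keeping rather than discarding: a checksum failure on a Bitcoin address in a note is itself a useful triage signal (a typo by the attacker, a decoy, or a mangled copy of the note), and the surviving addresses are the indicators you hand to whoever is doing the blockchain tracing.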

Contributed by Hein Alberts, junior security researcher, SensePost SecureData Labs

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.