Your Questions Answered About Ransomware Payments
Something unimaginable has happened to your business. Your system was hacked. You’ve been contacted by a threat actor telling you your files are being held for ransom and will only be released—or the key provided—when you pay the requested cryptocurrency ransom.
You are not alone. While mostly unheard of just a few years ago, ransomware attacks are now the fastest-growing cyber crime. It’s estimated that one will happen every 11 seconds by the end of 2021. And no industry is spared, with ransomware attacks on government institutions, municipalities, and public schools growing over the last six months.
Should you pay the requested sum (or any sum)? If you decide to, how do you pay a ransomware demand with bitcoin or another cryptocurrency? Are there regulations surrounding these transactions? Most companies don’t know. That’s why businesses in your situation often turn to a ransomware payment service such as DigitalMint as part of their Incident Response Plan.
Marc Grens, co-founder and president of DigitalMint, explains. “Once the person held for ransom and the technical experts have decided to pay the ransom rather than try to restore backup files, it opens up many legal, technical, and financial questions. What are ransomware payment methods? Where do they buy cryptocurrency? How do they transfer it? How do they know if they are adhering to financial regulations? Are they dealing with a sanctioned country? Is paying ransomware illegal? DigitalMint takes care of all of that for them. We can provide the significant amounts of cryptocurrency they need in a compliant fashion.”
DigitalMint Handles Ransomware’s Legal and Financial Requirements
Founded in 2014 to convert cash into cryptocurrency, DigitalMint has since grown into a full-service cryptocurrency ransomware settlement practice.
“As a Financial Crimes Enforcement Network (FinCEN) registered Money Services Business that adheres to all federal and state money regulations,” Grens says, “we take off the plate of the insurance company, consultants, and victim all of the financial service responsibilities as charged by the Bank Secrecy Act for these situations.”
Among those responsibilities, DigitalMint handles the research and requirements when it comes to the Office of Foreign Assets Control (OFAC) sanctions.
“We determine if we’re dealing with a threat actor in a sanctioned country. And, we take on the liability of the transaction,” Grens says. “We work very closely with OFAC and their guidelines and document our processes and research thoroughly. That way, if a threat actor becomes sanctioned three months later, OFAC doesn’t punish us because they know we did our due diligence.”
A company will connect with DigitalMint once they’ve decided to make the ransomware payment. They will find out the answers to financial questions such as:
- What it means to purchase cryptocurrency (i.e., what are they actually doing)
- Who is holding the currency
- How it is transferred
- How it is paid
- How much it will cost in U.S. dollars
However, this is not the only cost associated with ransomware. Expenses attributed to data recovery, downtime, strengthening security, lost revenue, and damage to reputation could easily double the cost of the ransomware payment.
With so much to worry about, companies need the bandwidth to deal with internal repercussions while DigitalMint handles the actual payment’s intricacies and financial requirements. After performing compliance due diligence, DigitalMint purchases the cryptocurrency at current going-market prices and starts the process of sending the necessary digital currency to the threat actor in the most secure manner.
Another benefit of working with DigitalMint is that threat actors are often based in remote time zones, and most settlements happen at night or on weekends. DigitalMint is a 24/7 organization that can settle transactions right away, regardless of the time or day of the week.
Why Do Threat Actors Demand Bitcoin or Other Cryptocurrencies for the Ransom?
Cryptocurrencies are entirely digital currencies unassociated with any banks or governments. While most of their use is for innocent transactions, cryptocurrencies, unfortunately, have become the threat actor’s payment of choice because of their anonymity. There are practically no ways to identify the recipient. And, after receiving the cryptocurrency, it’s easy to convert the coins to cash on the Dark Web, where all traces of ownership and transactions are erased.
In fact, 98% of ransoms are paid in Bitcoin: Between January 2013 and July 2019, approximately $144.35 million was paid. However, Monero is emerging as another alternative currency because it obscures the breadcrumb trail associated with transactions.
Bitcoin is the most well-known cryptocurrency blockchain protocol, and the general public can view its ledger transactions all the way back to the Genesis block first etched in 2009. This means forensic companies could eventually find transaction links to threat actors who attempt to convert those Bitcoins back into the financial system. Monero has limited transaction data associated with its public ledger, so it is harder to trace and protects the threat actor from discovery.
Monero, however, doesn’t have the market depth and liquidity Bitcoin has. Whereas large amounts of Bitcoin can be handled at one trading desk in one purchase, Monero’s limits mean that purchases may need to be made at several desks. Purchases may take more time because of the complexity of the orders. Sometimes a threat actor has to be told that if they want the ransom quickly, they may need to accept Bitcoin instead or wait longer for the completed payment.
Conversely, sometimes Bitcoin isn’t the fastest payment route, either. Confirmation of a transfer may be delayed depending on when it is included in a “block” for mining. If too many transactions hit simultaneously, it can cause a backlog, and miners can start to prioritize the transactions with higher fees. The others have to wait for a new block to open up. In these instances, it could take days to confirm a transaction. Some organizations may use a bitcoin accelerator to increase fees and speed up the “mining selection.”
Throughout the negotiation and settlement, DigitalMint stays in constant contact with the company’s incident response team, and they, in turn, keep the threat actor up to date with any changes or issues.
“If Monero is requested, the incident response team may need to tell them that it could take several days for the broker to acquire all of the cryptocurrency to put it together into one wallet and ship it,” Grens says. “But, if they want it now, the broker can do it in Bitcoin, often with a small 5% added as an incentive to change currencies. It’s good planning to have optional scenarios for the threat actor’s consideration because he may change his mind on the currency if it will take too long.”
The critical thing to remember, Grens stresses, is that the threat actor calls all the shots when it comes to ransomware. “Working with a settlement practice like DigitalMint to handle the financial questions and purchases can reassure a company that the ransomware can be resolved and that they can get back to business,” he says.
In closing, we’d like to thank Mr. Grens for his comments on this ever-important topic, as our cyber risk insurance carrier partners are increasingly paying out large demands on behalf of victimized policyholders. DigitalMint works with the victim’s external IR experts, such as a Breach Coach® lawyer or a Ransomware Coach, in order to get the best outcome. This type of service is an essential component of the cyber risk management game plan. Having timely access to cryptocurrency is key when an insured business’ backup system fails, leaving little recourse but to pay the ransom in the hope of restoring business operations.
To learn more about DigitalMint and ransomware, watch the video above and contact Marc Grens and his team through their website. You can also learn about DigitalMint inside the NetDiligence® eRiskHub® portal, and Grens will be a future speaker at our NetDiligence Cyber Risk Summit conferences. You can also find out more about Data Breach Planning and Incident Response with NetDiligence.