Cryptocurrencies have become the enterprising cybercriminal’s best friend, offering easy conduits for moving money and getting paid for jobs that don’t necessarily offer W-2s and retirement plans. The infrastructure that underpins these currencies also has attracted quite a bit of attention from the criminal underground, but for much different reasons.
Criminals value privacy, anonymity, and money, not necessarily in that order, and cryptocurrencies can offer all of those to varying degrees. That’s one of the reasons that cybercriminals were among the earliest adopters of Bitcoin, Ethereum, and other cryptocurrencies. Ransomware gangs since have latched onto these currencies as their preferred method of payment from victims, even going so far as to offer tutorials for people who don’t know what Bitcoin is or how to obtain it. And an entire ecosystem of services has sprung up to help cybercriminals move their ill-gotten gains from one cryptocurrency to another, launder it, and exchange it for hard currency. There's a complete support system lying beneath the surface.
Think of it as The Continental for cybercrime.
Underground markets rely on payments in cryptocurrencies and will often accept payments in less-well-known ones. Part of the reason for this is that the people behind the markets sometimes put some of their own money into the cryptocurrencies and then hope to benefit from value increases as transactions increase.
“The administrators of those sites will buy up those cryptocurrencies at the beginning and then charge fees for each transaction. So they’re making money on every transaction and benefitting later, too,” said Rick Holland, CISO and vice president of strategy at Digital Shadows, a security firm that monitors underground activity and attackers.
In addition to running ransomware and other payments through cryptocurrencies, cybercriminal groups often target other holders of various cryptocoins for attacks. Stealing a victim’s cryptocurrency holdings in most cases is the equivalent of stealing cash. The stolen loot can be run through one or more tumblers (services that mix various cryptocoin deposits to hide their origins) if need be and come out the other side clean and ready to use. Cybercrime groups and individual criminals will attack each other to steal cryptocurrency stashes, but there’s another class of victims for whom this is a problem too: enterprises.
As ransomware has become more and more of a concern for enterprises, government agencies, and other organizations, some of these potential victims have begun acquiring Bitcoin and other cryptocurrencies in anticipation of an infection. There also are law firms that will hold Bitcoin in escrow for their corporate clients for the same purpose.
“Some organizations have their own Bitcoin wallets. The volatility in the cryptocurrency markets is an issue, but the criminals still need to get paid,” Holland said. “You can’t just sit here and tell people not to pay. It’s not your business, it’s theirs.”
Those organizations that are accumulating Bitcoin or other cryptocurrency for use in the event of a ransomware attack, or for any other purpose, may find themselves targeted for those assets, as well.
Attackers are using the blockchain technology that cryptocurrencies rely on for other purposes, too. Researchers have found that malware groups are using domains generated through the Namecoin system as an alternative to the traditional model of hosting malware command-and-control servers. Normally, groups will register domains with bulletproof hosting providers or use other methods such as domain-generation algorithms to prevent their C2 servers from being taken down. But the use of Namecoin domains eliminates the need for those efforts altogether.
“Namecoin is a cryptocurrency based on the Bitcoin code that is used to register and manage domain names with the top-level domain (TLD) .bit. Everyone who registers a Namecoin domain is essentially their own domain registrar; however, domain registration is not associated with an individual's name or address. Rather, domain ownership is based on the unique encrypted hash of each user. This essentially creates the same anonymous system as Bitcoin for internet infrastructure, in which users are only known through their cryptographic identity,” researchers at FireEye wrote in a recent report on this phenomenon.
“As Namecoin is decentralized, with no central authority managing the network, domains registered with Namecoin are resistant to being hijacked or shut down. These factors, coupled with the comparative anonymity, make Namecoin an increasingly attractive option for cyber criminals in need of supporting infrastructure for their malicious operations.”
To make life easier for their peers, cybercriminals are offering services that will help make existing malware families compatible with .bit domains. And several prominent malware variants already have been seen using Namecoin domains for communications, including Necurs, Neutrino, and SmokeLoader. The infrastructure around these cybercrime operations continues to grow, making life more and more difficult for those on the other side of the ball.
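Defenders can hunt for this in resolver logs: .bit is not delegated in the public DNS root, so a workstation asking the corporate resolver for a .bit name is worth triaging. The following is an added example, not code from the article or from the FireEye report; it parses constructed BIND-style query-log lines (the log format, client addresses and domain names are all assumptions) and reports which clients looked up .bit names.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND query-log format (not real traffic).
SAMPLE_LOG = """\
02-Mar-2021 10:14:02.113 queries: info: client 10.0.0.12#51234: query: www.example.com IN A + (10.0.0.1)
02-Mar-2021 10:14:05.417 queries: info: client 10.0.0.44#40021: query: update-srv.bit IN A + (10.0.0.1)
02-Mar-2021 10:14:06.002 queries: info: client 10.0.0.44#40022: query: Update-Srv.bit. IN AAAA + (10.0.0.1)
02-Mar-2021 10:15:11.230 queries: info: client 10.0.0.12#51240: query: cdn.example.net IN A + (10.0.0.1)
02-Mar-2021 10:16:40.880 queries: info: client 10.0.0.77#33019: query: payload.bit IN A + (10.0.0.1)
"""

# Pulls the client IP, queried name and record type out of one log line.
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (client_ip, qname, qtype) or None if the line is not a query."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    # Normalise: strip the trailing root dot and lower-case the name so that
    # "Update-Srv.bit." and "update-srv.bit" count as the same lookup.
    qname = m.group("qname").rstrip(".").lower()
    return m.group("ip"), qname, m.group("qtype")


def is_bit_domain(qname):
    """True only when the last label is exactly 'bit' (so 'orbit.com' is not a hit)."""
    labels = qname.split(".")
    return len(labels) >= 2 and labels[-1] == "bit"


def find_bit_lookups(log_text):
    """Map each client IP to the sorted, de-duplicated .bit names it queried.

    Standard resolvers answer NXDOMAIN for these names, so the query itself,
    not a successful resolution, is the signal worth escalating.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed and is_bit_domain(parsed[1]):
            hits[parsed[0]].add(parsed[1])
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in find_bit_lookups(SAMPLE_LOG).items():
        print(f"{ip} queried .bit names: {', '.join(names)}")
```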
“There’s such a high barrier to entry for defenders and for attackers it’s so low,” Digital Shadows’ Holland said.