How to Make a Ransomware Payment - Fast
Paying ransom in a ransomware attack isn't recommended, but sometimes, it's necessary. Here's how to pay by cryptocurrency.
Against their better judgment, sometimes IT security professionals are pressured to help their CEOs, chief financial officers, or boards of directors make a ransomware payment.
Paying ransom in a ransomware attack is not as easy as wiring money from a bank or filling a suitcase with hundred-dollar bills. Ransomware attacks typically call for sending cryptocurrency to unlock the kidnapped data, with demands ranging from a few hundred dollars to millions.
And although traditional financial institutions reportedly are beginning to show interest in cryptocurrencies, that payment avenue will likely remain blocked for ransomware payments under the anti-money laundering and know-your-customer regulations that institutions must abide by. Last year, New York prosecutors charged a Bitcoin exchange operator with violating anti-money laundering laws when it facilitated a ransomware payment, according to a Fortune report. However, Coin Center, a nonprofit cryptocurrency research and advocacy group, contended it should not be a crime to help ransomware victims.
Meanwhile, cybercriminals are shortening the deadlines for victims to make ransom payments or face having their locked-up data, files, photos, and video destroyed. Some attacks delete files if a victim can't meet a tight deadline.
"People are being put on a countdown timer and data will be deleted if they don't pay. As a result, companies want to make the payment as fast as possible. Jigsaw, for example, will delete an individual file every hour that you don't pay," says Rick McElroy, security strategist for Carbon Black.
Nearly 60% of employees hit by a ransomware attack at work personally paid the extortion money, according to a new report released today by Intermedia.
While law enforcement as well as security experts in general don't recommend paying ransom, here are seven tips for how to make a ransomware payment in that dire case where there is no other choice.
Whether just one computer or device in your enterprise falls victim to a ransomware attack, or hundreds of computers or devices get locked up, advanced planning for ransom payment is strongly advised by security experts.
Without prior planning, it can take anywhere from four to five hours from the time a ransomware attack is launched to when a payment is made, says Riccardo Spagni, lead maintainer of the decentralized, community-built cryptocurrency Monero.
Adam Meyers, vice president of intelligence at CrowdStrike, says it could even take days or weeks.
Bitcoin is the most popular currency demanded by ransomware attackers, but other cryptocurrencies they have dictated include Ethereum, Zcash, and Monero.
The first step is to contact your organization's bank to determine whether it will transfer funds to a cryptocurrency exchange, and whether any limits apply.
Then set up an account with a cryptocurrency exchange such as Coinbase, which is the most popular and is FDIC-insured for up to $250,000 held in US currency in a custodial account, according to Meyers. Once the US dollars are exchanged for digital currency, Coinbase insures the digital currency should its system be breached, but does not insure the breach of an individual account, according to its website.
Once you create a Coinbase account, have your bank wire government-issued (fiat) currency into the custodial account. From there, you can purchase cryptocurrency to hold in the custodial Coinbase account.
But you may want to think twice before buying and holding cryptocurrency in custodial accounts, because its value can be highly volatile, warns McElroy. For example, at the start of September a single Bitcoin was going for $4,991, but the price plummeted to $2,989 by the middle of the month, a CNBC report states. And by the end of October, the price had rocketed to over $6,000 per Bitcoin, according to a CoinDesk chart.
To seed a Coinbase account in advance of any ransomware attack, you must open an account with one of the cryptocurrency companies such as Bitcoin, Zcash, Ethereum, or Monero.
Using a Bitcoin ATM is faster than purchasing Bitcoins online, says Neal Conner, a customer service manager for Bitcoin ATM manufacturer Lamassu, which has 300 machines across the globe through independent operators.
"Since our machines are cash-based, no [credit or debit] cards or bank accounts are required. If you're buying online, they certainly are from the brokerage or exchange you are purchasing them from," Conner explains. "With online methods of purchasing Bitcoins, most users have to go through registration, verification, and linking of credit cards or bank accounts, a cumbersome process, especially if you have cash and just want Bitcoin now."
First, download a Bitcoin mobile wallet app from the Bitcoin site for Android, iOS, BlackBerry, or Windows Phone.
The wallet lets you use one of the growing network of Bitcoin ATMs, such as Coinucopia. The Bitcoin Wallet app for Android or Breadwallet for the iPhone, for example, work with this particular ATM. Next, download an app for reading QR codes: the ATM reads the wallet information from the QR code displayed on the phone.
The Coinucopia ATM can accept a minimum of $5 to a maximum of $3,000 per transaction, which will then be converted into Bitcoin and loaded onto the phone's Bitcoin wallet. The maximum daily amount that can be purchased for a Bitcoin wallet account is $10,000.
Once the money is loaded onto the digital wallet, the ransomware address can be entered onto your smartphone and the payment sent.
"If you are facing a multi-million dollar ransom demand, you will not want to do this yourself and will want to use a [consultant]," Spagni says.
Cybersecurity consultants tend to be familiar with ransomware cases and know who to speak with to get a lot of cryptocurrency in a hurry, he adds.
Meyers, whose company CrowdStrike has served as a ransomware consultant, agrees companies usually find it's easier to contact someone who knows what they are doing and to walk them through the process.
In cases where companies are facing 100 infected machines and multi-million dollar ransoms, Spagni says their attackers are likely willing to give them more time to make a payment.
Crafting a consulting contract between the company hit with a ransomware attack and the party that will make the ransom payment is generally the area that can create the greatest time delay, Meyers says.
"When both parties are super-motivated, it could take just a couple hours to do a contract and if not it could take days or weeks," he notes.
Regardless of the size of the ransomware infection, a common mistake victim organizations make is neglecting to add the cryptocurrency transaction fee to the amount they send. That mistake can cost companies time in making the payment, says Spagni.
"If a ransom is 50 Monero, you have to pay more because there is a transaction fee. The fee is not based on the amount of the transaction, but on the size in bytes of the transaction," he says. "Typically, it would not be more than $20 over what the ransom is, at the upper end."
Without sufficient cryptocurrency funds in your account, transactions won't go through, Spagni explains.
Keep Key Documentation on Hand
If you need access to a sizable amount of cryptocurrency that exceeds the daily limit of the exchange service, you will need to supply certain corporate documents, Spagni says. And that can result in a delay in making the ransom payment.
Documentation needed typically includes business registration paperwork, tax identification or a tax clearance certificate, proof of the company's address, and a passport or driver's license of the company's owner, he adds.
"We have deep access with the people who work at these exchanges, who can help with the verification process to speed it up," Spagni says.
Don't give up hope that your CEO or board of directors will have a change of heart and give up on paying ransom.
Give them the main reason not to pay: paying doesn't guarantee access to the locked files, says McElroy.
Meyers offered this advice: "Don't pay the ransom. Once you do, they may keep coming back for more. That's like Kidnapping 101. The other thing is that if actors in this space know you pay, then they, too, will hit you up next."