Ransomware payments get stuck on bitcoin's learning curve

Register now

An unprecedented cyberattack swept across the globe over the weekend, but the majority of victims — so far — have not paid up a ransom.

After users began being hit by the ransomware on Friday, they were given 72 hours to pay $300 in bitcoin — chosen by the hackers because the crypto currency is harder to track than conventional payments — otherwise the fee would double. If they refused to pay after seven days, their computer would be permanently locked — a serious problem for those who have not backed up their data.

Since the deadline passed for those hit on Friday, only $50,000 has been paid in ransom so far, as of early Monday, according to Elliptic Enterprises Ltd., a London-based company that tracks illicit use of bitcoin. The company calculated the total based on payments tracked to bitcoin addresses specified in the ransom demands, adding that he expects the total to rise.

"The amount is indeed low," said Michela Menting, digital security research director at ABI Research. "This is likely due to the fact that organizations have initiated their backup and recovery procedures."

Moreover, for those who didn’t save their data on a separate system, paying a ransom isn’t like buying something from Amazon by entering their credit or debit card information. Even though the hackers provided a helpful link for those new to paying in bitcoin, the crypto currency is a black box for most people.

"If you’re presented with something that says pay this amount in bitcoin, most people don’t know where to start with that," said James Smith, the CEO and co-founder of Elliptic.

There are several steps. First, a person or business has to obtain the bitcoins by registering with one of the various online exchanges and going through its verification process. After that, money can be deposited into the exchange. For those living in countries that don’t have an exchange, including the U.K., money must be converted into another currency.

Once the money is deposited on the exchange, the bitcoins can be sent to the address provided by the extortionist. "It looks like a long garbled string of text," Smith said. After the fee is paid, the hackers supposedly free the affected computer.

"A large amount of bitcoin is actually somewhat difficult to source quickly," said Alex Sunnarborg, an analyst at bitcoin research company CoinDesk, adding it might take a few days to create an account at a bitcoin brokerage or exchange, connect a bank account, and then receive the bitcoin.

Although harder than tracking a traditional bank payment, hunting down the bitcoin payments will be a key way law enforcement authorities attempt to track down those responsible. It’s nearly impossible to know who the perpetrators are based on the bitcoin addresses they give to victims, according to Elliptic, but once the bitcoins are moved from that address, it can be tracked, potentially helping lead to the culprits.

"There are things you can do to identify the actors behind suspicious addresses or transactions," says Kevin Beardsley, head of business development at Elliptic, which also works with law enforcement.

Bloomberg News