7

Why aren't people who use ransomware to extort money from people arrested?

Given this, it seems like they should be arrested. Is there a reason they aren't?

techraf
PyRulez
  • 5
    Why aren't people who steal cars arrested? Stealing cars is illegal, and you have to have a driving licence to drive one, so there must be a register of them somewhere. Same reasoning - there are a limited number of people fighting crimes, so the amount of effort becomes prohibitive. – Matthew Apr 26 '16 at 11:21
  • 5
    @Matthew: that's a bad analogy -- you don't need a driver's license to steal a car, and even if the thief had one, you can't make the link. (Unless he makes stupid mistakes, such as forgetting his wallet where the car was parked.) :) – Yuriko Apr 26 '16 at 11:31
  • 2
    @Yuriko True, but you don't need bitcoin to use ransomware. Could accept other means of payment which don't link back to the creators - consider a "moral" cryptoware which released your files upon a donation being made to a charity on JustGiving, with a specific key in the comment field. The conclusion still holds... – Matthew Apr 26 '16 at 12:19
  • 3
    @Matthew Or worse, made you donate to Scientology. – WorseDoughnut Apr 26 '16 at 13:11
  • 3
    Yuriko - Matthew's analogy is spot on. You don't need any identifying information to use ransomware. – Rory Alsop Apr 26 '16 at 13:24
  • 2
    _The idea that Bitcoin is anonymous is a myth_: this is only partially true... a more accurate statement would be _The idea that Bitcoin is anonymous **by default** is a myth_. There are ways to make Bitcoin much more difficult to trace, for example "bitcoin mixers" or ZeroCoin and by using TOR to interact with the bitcoin network. – SplashHit Apr 26 '16 at 14:50
  • Does major ransom-ware even ask for bitcoin? I've _tried_ to acquire bitcoin before and it couldn't be done without giving _all_ of my personal details including banking information. Seems like that would be too hard for most people and they'd never get paid. – JPhi1618 Apr 26 '16 at 14:57
  • 1
    Bitcoin is fully anonymous for those who take a few minutes to learn how to make it so. It's not hard to do and it's certainly no myth. – Carey Gregory Apr 27 '16 at 01:35
  • 1
    @SplashHit How would TOR improve BTC address anonymity? I thought the deanonymize danger of an address came when you try to cash in the coins for something which can be traced back to you. – Alexander O'Mara Apr 27 '16 at 01:43
  • 1
    Use of TOR thwarts tracking you through your network communication from your machine to the bitcoin network. Mixing the coins breaks the chain of transactions from the sender (aka ransomware victim) to the eventual recipient. – SplashHit Apr 27 '16 at 15:14

3 Answers

18

For the same reason for which other kinds of hackers aren't arrested. They may be trackable by the transactions. Unless they have a good system of money laundering. In addition there's usually the problem with international jurisdiction, etc, etc.

The bitcoin transactions may be run via hacked accounts and/or may be run over multiple accounts that are distributed over the world. There are thousands of ways to make money-streams (partially) untrackable. Bitcoin might only be a single station in the path of the money, till it finally reaches the distributor of the ransomware. This may be of interest, regarding the topic of money-laundering, as it (probably) describes a real-world case.

Next point:
It's just like with any other new field of illegal activity: arrest one person, two others pop up and take the place. The resources of police are restricted, the number of developers too high, etc... There actually are cases where ransomware devs are arrested (see Lukas's answer), but it's pretty tricky due to the points mentioned above, and the amount of ransomware in the wild isn't likely to decrease as long as there's no proper protection against it. As long as it's lucrative, there'll always be people who do it.

As @alexw already pointed out in his comment, the best way to protect yourself would be to regularly back up your data to an air-gapped system. The reason why ransomware still works is closely linked to the main problem with this solution: it requires a user with a minimum of education on this topic, which is not the case with the average user.

Paul
  • 1
    The best way to stop ransomers is this: don't pay ransoms. Keep a regular, offline and air-gapped backup of your data. – alexw Apr 26 '16 at 17:38
  • 1
    @alexw This would be the best solution to the problem. There's just the usual problem, just like with most other malware-issues: this requires an educated user. And that's where problems start. Just think of e.g. your mom. Do you think she even understands that sentence? The average user can use a few editors and a bit of other software he works with and that's it. – Paul Apr 26 '16 at 17:49
9

The biggest issue surrounding "cyber" related crimes is that of attribution. The second biggest issue lies in collaboration by law enforcement agencies around the world. Let's look at the first issue, attribution: "Where did it come from/who did it." Many attacks are often chained via multiple connections until the attacker ends up at a destination. E.g.:

Attacker (in Ukraine) --> spam --> System in Spain
System in Spain (compromised via spam) --> leverage/compromise system in China
China --> scan blocks in the USA --> send data to system in Romania
Romanian systems --> compromise system in the USA

Someone in the United States (SIEM analyst, forensics individual, etc) will see that someone in Romania is attacking them. The amount of time it would take to figure out what occurred would be too costly. Not only would it be too costly, but because of the second biggest issue (collaboration), there WILL BE a dead end. The ASCII above diagrams spam, phishing, and network/system based attacks.

Let's move over to the second biggest hurdle. Collaboration. So we have data that tells us that someone in Romania 'hacked' / phished / etc our systems. So what? Call any law enforcement agency, and unless the crime runs into the millions, they will not give you the time of day. But let's say they do listen, and they really want to help. This is what will occur: (with days extremely conservative)

Your Law Enforcement (LEA) --> submit subpoena for discovery --> Local court (1 day)
Local court grants subpoena --> LEA --> Submit subpoena foreign counterpart in Romania (1 day)
Romanian LEA --> determine legal validity / jurisdiction (1 day)
Romanian LEA --> good to go --> Subpoena ISP/NSP/etc (1 day)
Romanian ISP/NSP --> go to their lawyers to follow the rules (1 day)
Romanian ISP/NSP --> here are your logs --> Romanian LEA (1 day)
Romanian LEA --> here is your data --> US LEA

US LEA: "this attack actually started because this Romanian server was compromised. By someone in China." Do you think that China will deliver any data? See the issue with this? Whether it is bitcoin, phishing or spamming, it is very costly, complex, and time consuming. While many law enforcement organizations understand the complexities, and how bitcoins work, what do you think the outcome would be if, say, I was arrested, and I could prove that a "bitcoin" scraping trojan was on my system? That MY system was also compromised? They wasted a lot of time, effort, and money on what?

This is your answer as to why they don't 'trace' the money. Unlike a credit card scam, where say a camera might have recorded someone physically cashing out at a register, things like bitcoin and digital transactions are extremely difficult to investigate and track. Especially when many malware bots/platforms have modules to steal and/or mine bitcoin 'pseudo-anonymously.'

munkeyoto
  • isn't the point of the question that it's easier to follow the money trail than the cyber trail? – craq Apr 26 '16 at 13:28
  • Follow the money trail? Bitcoin is not traditional money. If I compromise your machine, rig it to mine, store bitcoin, you are the culprit not me. I can then use your machine to order goods via Amazon, ship them to a mule, then continue the laundering process. What are you following? – munkeyoto Apr 26 '16 at 13:39
  • 2
    @craq easier than "almost impossible" is not that refreshing, is it? – Mindwin Apr 26 '16 at 13:41
  • @munkeyoto ah, that comment clarifies your final paragraph, thanks. Would you agree that the money trail can probably be followed to the mule? Or more precisely the mule's address? – craq Apr 26 '16 at 13:47
  • @Mindwin guess not. – craq Apr 26 '16 at 13:47
3

There are some cases where ransomware authors are arrested (e.g. here and here) - but as long as this crime stays lucrative, people won't stop writing ransomware. And the police will always be at least one step behind.

Lukas
  • Ransomware is such a clever type of malware, but so very easy to prevent (especially for anyone of the class of small/home business or larger). You just use a NAS for all your file storage, and set the NAS up in a secure way so that A: Nothing can be executed off your NAS drives (mount with noexec, this means that no software on your shared storage drives can be run on the NAS even if it can be run on the end-machine accessing the NAS). B: You are not accessing the files on the NAS as a root (or privileged) account on the NAS. (And this all assumes that ransomware is compatible with Linux/BSD) – Cestarian Apr 26 '16 at 13:52
  • 4
    @Cestarian - The described setup doesn't seem a foolproof solution against ransomware. If you accidentally execute malware on any of your machines connected to the NAS and your machine has write privileges to the NAS, then you can be screwed. A good backup policy does (e.g., a privileged account does daily version controlled backups that no one else can write to). – dr jimbob Apr 26 '16 at 14:02
  • @drjimbob it is foolproof against full drive encryption based ransomware. So if you just have enough storage on that NAS then yeah you could have backups spread across all your drives that aren't writeable. Also I guess another foolproof method would be to have only one writable directory where all data gets written to on the NAS and on a day-by-day (or hour by hour) basis the data is (maybe reviewed first) moved to read-only storage, this would mean that ransomware could only affect data one day back in time, which might through other means still be recoverable, or a loss that can be taken. – Cestarian Apr 30 '16 at 00:14
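As an added example (not code from the thread or from any NAS vendor), the POSIX shell functions below implement the rotation dr jimbob and Cestarian describe above: clients can write only to one drop directory, a separate backup account copies it into a dated snapshot and strips every write bit, so ransomware run later on a client can only damage data newer than the last snapshot. The paths are hypothetical, and plain `cp` stands in for a NAS's own snapshot feature.

```shell
#!/bin/sh
# Added example, not code from the thread: "one writable drop directory,
# periodic read-only snapshots". Paths are hypothetical; run on scratch space.
# Intended to run as the backup account; client accounts should have write
# access to the drop directory only, never to the archive root.

# snapshot_dropbox DROP ARCHIVE LABEL
#   Copies DROP to ARCHIVE/LABEL and strips all write bits, so a client that
#   later runs ransomware cannot overwrite or delete what was archived.
#   Prints the snapshot path; refuses to clobber an existing label.
snapshot_dropbox() {
    drop="$1"; archive="$2"; label="$3"
    dest="$archive/$label"
    if [ -e "$dest" ]; then
        echo "snapshot $label already exists, refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "$archive" || return 1
    # -p keeps timestamps, which matter when you later ask "what changed
    # since the last clean snapshot?" after an infection
    cp -Rp "$drop" "$dest" || return 1
    chmod -R a-w "$dest" || return 1
    printf '%s\n' "$dest"
}

# snapshot_is_readonly PATH
#   Succeeds only if no file or directory under PATH carries a write bit.
#   Checks permission bits instead of attempting a write, so the answer is
#   the same whether or not the caller happens to be root.
snapshot_is_readonly() {
    [ -z "$(find "$1" \( -perm -200 -o -perm -020 -o -perm -002 \) -print)" ]
}

# latest_snapshot ARCHIVE
#   Prints the newest snapshot. Labels are expected to sort chronologically
#   (e.g. date +%Y%m%d-%H%M), so the newest one sorts last.
latest_snapshot() {
    last=$(ls -1 "$1" 2>/dev/null | sort | tail -n 1)
    [ -n "$last" ] || return 1
    printf '%s\n' "$1/$last"
}
```

Run `snapshot_dropbox` from the backup account's cron with a date label; anything a client can still write to (the drop directory) is exactly the window of loss Cestarian's comment accepts.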