But what should you or your organisation do in the case of a similar attack?
Here Elliptic, a Bitcoin intelligence firm that guides corporations through ransomware processes, offers a four-step plan.
1. Assess the risk
Not all ransomware is worth paying. Elliptic’s team of experts may be able to decrypt the ransomware; or there may be indications that the attacker will not decrypt your machine even after payment. In the case of last week’s WannaCry attack, there is no evidence at the time of writing that the attacker will ever decrypt the compromised machines.
Based on its deep experience and extensive network in ransomware investigations, Elliptic provides clients with an expert recommendation on whether to proceed with the ransomware payment.
2. Obtain the Bitcoins
Ransomware operations usually demand payment quickly, sometimes in as little as 24 hours. It can be difficult for a company to secure large quantities of bitcoins at short notice. “Most Bitcoin exchanges have Know Your Customer (KYC) policies that prohibit them from selling new clients a significant amount of bitcoins,” explains Dr. Robinson. “Often a company will have the cash ready to purchase bitcoins, but the exchange cannot legally open an account and complete the transaction before the ransom is due.”
Elliptic helps its clients draw up a plan to rapidly access large volumes of bitcoins and other cryptocurrencies in case of a ransomware attack. Elliptic can help clients obtain bitcoins through its network of exchanges and liquidity providers.
3. Make the payment
Large Bitcoin payments can be confusing for companies that are not used to dealing in cryptocurrencies. “Constructing a large Bitcoin transaction is a technical process. You need to define the right transaction fee, verify the destination, and sign the transaction appropriately,” explains Dr. Robinson. “Too low a fee and your transaction might never clear; send it to the wrong address and your bitcoins are gone forever. It’s also important that the ransomer knows which of their victims is making the payment.”
Elliptic will prepare and execute the transaction on your behalf, or dispatch one of its experts to your location to perform the transaction on the premises.
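The "verify the destination" step above is the one a mistyped character turns into an unrecoverable loss. As an added illustration (not Elliptic's code or tooling), the following Python decodes a legacy Base58Check Bitcoin address, checks its embedded double-SHA256 checksum and version byte, and so rejects a single-character corruption before any transaction is built; the sample addresses are the well-known genesis-block address and a constructed corrupted copy of it.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I, l to avoid visual confusion)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(addr: str) -> bytes:
    """Decode a Base58Check string and return its payload (version + hash160).

    Raises ValueError if the string contains a bad character or the 4-byte
    double-SHA256 checksum does not match, i.e. the address was corrupted."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' in the text encodes one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        raise ValueError("too short to contain a checksum")
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return payload


def classify_address(addr: str) -> str:
    """Report the address type, or why it is unusable as a destination."""
    try:
        payload = base58check_decode(addr)
    except ValueError as exc:
        return f"invalid ({exc})"
    version, body = payload[0], payload[1:]
    if len(body) != 20:
        return "invalid (hash160 length)"
    if version == 0x00:
        return "mainnet P2PKH"
    if version == 0x05:
        return "mainnet P2SH"
    if version in (0x6F, 0xC4):
        return "testnet address (not a mainnet destination)"
    return f"unknown version byte 0x{version:02x}"


if __name__ == "__main__":
    GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # well-known genesis address
    CORRUPT = GENESIS[:-1] + "b"                      # constructed: last char changed
    print(GENESIS, "->", classify_address(GENESIS))
    print(CORRUPT, "->", classify_address(CORRUPT))
```

Segwit (bech32, "bc1...") addresses use a different checksum and are not covered by this decoder.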
4. Identify the attacker
Bitcoin transactions are difficult but not impossible to trace. Elliptic has developed advanced Bitcoin investigation software and employs a team of investigators with advanced degrees in computer science and decades of experience in the world’s top law enforcement agencies. Elliptic’s software and investigators have delivered actionable intelligence to identify ransomware and cyber-extortion attackers in the US, UK, and EU. “We are able to connect the dots between Bitcoin activity and real world actors,” says Dr. Smith. “We only provide our forensic investigation services in collaboration with law enforcement, and we have a very high success rate in delivering actionable intelligence on complex Bitcoin investigations.”
Dr. Robinson adds: “We actively trace proceeds of ransomware and cyber extortion, and we alert our Bitcoin exchange customers if they receive illegal funds. Our goal is to defeat ransomware by making it extremely difficult to launder the proceeds of these crimes.”