How to buy Bitcoin for ransomware payment (if you must)

Law enforcement agencies across the world advise companies that are victims of ransomware attacks not to pay the ransom. Aside from the risk of criminals taking the money and running, paying encouraging further attacks and potentially could be illegal depending on where the money is being sent.

The US Treasury Department’s Office of Foreign Assets Control (OFAC) recently warned against making ransomware payments at the risk of violating economic sanctions imposed by the government against cybercriminal groups or state-sponsored hackers.

Still, when pushed into a difficult situation, some companies may feel like they have no other option than to pay the criminals the fee they demand. The fact is, ransomware attacks are disruptive and costly — whether or not you pay the criminals to return access to locked systems.

Paying cybercriminals will often be done through cryptocurrencies such as Bitcoin, which will need to be mined or bought through an exchange and then stored in a wallet before being transferred to the intended party. In the spirit of helping you prepare for the worst, following is a brief guide to buying Bitcoin.

Where and how to buy Bitcoin (and other cryptocurrencies)

Unless you plan to mine your own, you’ll want to buy cryptocurrency through an exchange. Fiat-to-crypto exchanges like Coinbase, where you trade real money for cryptocurrencies, are the best place to buy Bitcoins. If you already own cryptocurrency but need to exchange it for another type, for example swapping Bitcoin to Ethereum, a crypto-to-crypto exchange such as Binance may be more suitable.

Buying cryptocurrencies from exchanges is a simple process and can be done using normal banking methods such as a credit card or bank transfer. Simply decide the type of currency you wish to buy, the amount, and buy. It will then be transferred into your exchange account. There will likely be fees for buying, trading, and moving cryptocurrencies on exchanges and cryptocurrency value will vary among exchanges as no single source dictates the exchange rates.

Regulated exchanges will require you to register to help avoid issues around money laundering regulations. Depending on the exchange, transfers may take a while to process. In time-critical situations, be aware of how long it will take to source cryptocurrencies from exchanges.

Nick Percoco, CSO of cryptocurrency exchange Kraken, says CISOs should be looking to exchanges that visibly allocate significant resources to security. 

“If they aren’t shouting about these things, you can’t just take it on faith that they are secure,” he says. “Cybersecurity is too quickly developing a field to take anything at face value.”

“For instance, the company should regularly “penetration test” their own systems, provide encryption at the system and data level with strictly controlled access, and create a physically secure environment for their servers.”

Words of warning: It is not advisable to hold cryptocurrencies on an exchange. “Tokyo’s Mt. Gox, a hack that siphoned off more than 600,000 Bitcoins, is a cautionary tale for anyone speculating in Bitcoin and exchanges,” says Matthew Rogers, CISO at Syntax. “Currency speculation is a risky move, so many companies have rules forbidding high risk investments like this.  I would not recommend companies buy and hold cryptocurrencies just in case they fall victim to extortion incidents.”

A better option is to move your newly bought assets from the exchange to a personal wallet (more on that below).

Where to store Bitcoin (and other cryptocurrencies)

Cryptocurrencies are held in wallets, programs that hold your public and private keys. Wallets allow you to send and receive payments, show balances, and interact with different blockchains.

The public key is the designated location where transactions are deposited to and withdrawn from, almost like a bank account number. These are usually in the form of 26 to 35 random alphanumeric characters.

Private keys are more like passwords that enable currency to be moved away from the wallet. Private keys on wallets are important. Lose them and your wallet will be inaccessible and its contents will be lost. Have your private key stolen and you run the risk of having your cryptocurrency stolen. Some wallets will create a secure “seed phrase” containing a set of words that will allow you to unlock your wallet if you lose your keys.

There are different kinds of wallets for different purposes: Cold wallets are offline hardware wallets, often in the form of USB sticks, that can only be accessed via physical means. These are more secure that online wallets but have less redundancy in that the loss of that hardware token renders the wallet inaccessible.

Hot wallets are online wallets, often through cloud services or mobile apps, that are connected to the internet and more easily accessible. PayPal recently partnered with Paxos to enable users in the US to buy, hold and sell cryptocurrencies — initially featuring Bitcoin, Ethereum, Bitcoin Cash and Litecoin — directly within the PayPal digital wallet. The company says it plans to expand the features to Venmo and international markets in 2021.

Words of warning: While being more connected and potentially user friendly, online wallets also run the risk of being more easily compromised by attackers.

Rogers says lowering the barrier to entry around cryptocurrencies could further encourage threat actors. “Making it easier to pay ransom will allow for lower ransom requests from hackers. It will also allow for individual people to become targets for ransomware attacks versus just businesses like we’re often seeing. This is likely bad news for the industry and could lead to even more ransomware attacks on a wider range of people and businesses.”

As with other important systems, regular backups, multi-factor authentication (MFA), encrypting hardware and using VPNs when making transfers are all advisable to reduce the chance of compromise. It may even be worth having multiple wallets to spread the risk.

“The best solution for wallet security is to keep your keys stored in a safe location unable to be reached without physical access. This is a case where cybersecurity and physical security can work well together,” says Rogers. Even with offline wallets, your public key and the contents and payment history of your wallet will be saved to the relevant blockchain and publicly accessible on that chain.

Making payments with cryptocurrencies

We’d be remiss if we didn’t take the opportunity here to say again that you should avoid paying ransomware actors if possible. It’s better to have patched systems and security-conscious staff to avoid infection and reliable and well-tested backups that you can use if calamity strikes.

But if the worst does happen, backups aren’t a viable option, and payments need to be made, the process is relatively simple.

To make a payment, select how much to send and enter the receiver’s wallet address (usually in the form of a character string or QR code as defined in the ransom note) into your wallet under the send payment option. Exchanges often have similar capabilities if your crypto-assets are stored there, but there will likely be fees. As with buying or trading cryptocurrencies from an exchange, this process can take time to clear depending on the type of currency and blockchain involved.

The information you need around payments will often be included in the ransomware note, and many criminals now have online helpdesks to help with payments and negotiations.

Transactions made using cryptocurrencies are stored as public records on the relevant blockchain and some security firms offer tracking services that might be able to follow the money to where your payments end up. While it can be difficult to recoup lost assets, knowing where your payments go is useful information for security firms or law enforcement trying to prevent threat actors cashing out.

Things to consider when holding cryptocurrencies

The laws around cryptocurrencies vary country to country and some require you to declare cryptocurrency assets in the same way as other assets. Organizations looking to buy Bitcoin or other cryptocurrencies should ensure their legal and financial departments are aware of the risks and compliance requirements around these types of assets and a clear line of responsibility is made to establish ownership of the crypto-assets.

“Transactions in Bitcoin can be viewed as money laundering under various policies and laws,” warns Rogers. “This is a great way for an internal party to transfer large funds into an unstoppable transaction to flow out of the company. The US federal government has already shown interest in making it difficult to pay the ransom for this reason.”

Having a clear and tested incident response plan is also advisable, including identifying key stakeholders, establishing processes for making payments, deciding whether you’ll negotiate or haggle with attackers, and verifying that attackers have decryption keys. Whether you plan to engage with third parties such as a broker or cyber insurance firm should also be included in your planning.

“Having an identified broker could be useful in a cybersecurity event to pay a ransom,” says Rogers. “Your cyber insurance should include access to such a broker as part of the claim. Having some form of plan in place early can allow you to execute a ransom payment to a threat actor on a weekend even if you’re out of the office. Whatever you have for a plan has to be weekend/holiday capable as we’re seeing these as common attack times due to out of office IT and security teams.”

Rogers warns that anyone stockpiling cryptocurrencies in the event of a ransomware attack is “crazy” and investing time in prevention is imperative. “A better way to prepare for a ransomware attack is to have a comprehensive cloud backup strategy in place so if your systems go offline, you’ll be able to get back online in a timely manner and potentially avoid paying the ransom at all.”