Monday, June 05, 2006

Ransomware - How do they cash out

The BBC reports that the Archiveus extortion virus code has been cracked. The scheme was somewhat naive in that every system that is attacked is encrypted under the same key so defeating the virus is not so challenging.

Various schemes to fix this particular issue have been proposed but none of these schemes appear to me to address the real weakness of the scheme which is how the perpetrators expect to get their hands on the money.

In the reported Archiveus attack the victims were directed to visit 'their' online pharmacy and buy something. Then they would get the key to decrypt their files. The perpetrators attempted to explain that they were not doing anything bad:

We do not want to do you any harm, we do not ask you for money, we only want to do business with you.

I doubt that a court would see it that way. Clearly this is extortion and clearly any party that knowingly facilitates the transfer of the proceeds of the extortion racket to the perpetrators should expect to be going to jail.

If I paid a ransom of that type I would immediately contact the credit card company and dispute the charge as extortion. At that point I would expect the card association would probably cancel the merchant account entirely. Either way the chance that the perpetrator would actually receive any of the extorted funds is very small.

One possibility here is that the online pharmacies are not accomplices in the fraud and the perpetrators are exploiting some sort of associate marketing scheme. Again this has the problem for the perpetrators that the length of time take to discover the fraud is much much less than the typical payment schedule for an associate marketing scheme. Most associate schemes pay quarterly and at best payment is monthly. It does not seem likely that any affiliate scheme would make cleared funds available within hours of a purchase being made. The organizer of any legitimate scheme is always going to wait for the funds to fully clear before making payments to affiliates.

Another mechanism that has been attempted for cashing out is to make use of the E-Gold anonymous Internet payment scheme or similar. The use of anonymous cash to facilitate extortion has been a very longstanding concern of regulators and people like myself.

In practice any commercial payment scheme has to ensure that it has the means to ensure accountability if it is to be viable in the long term. If E-Gold cannot work out where the extorted funds are being directed that is their problem and if they fail to deal with it there are plenty of US based regulators who are looking for an excuse to put them out of business permanently.

This is a rather easier thing to achieve than the supporters of anonymous cash believe. At root an anonymous cash scheme has the same weakness as an other unregulated bank: if the bank becomes illiquid the investors will loose all their money. Therefore it is prudent for investors to withdraw their funds at the least sign of a liquidity problem. Thus the 'run on the bank' which were so common in Victorian times before the principle was firmly established that the government be responsible for guaranteeing bank deposits and regulate a central bank that would always available as the lender of last resort.

There are plenty of ways in which an imaginative aggressive regulator could engineer such a situation. For example prohibiting transfers to or from the manager of the anonymous cash scheme. Pressure can certainly be applied on the Caribean states where such activities are typically located.

While Archiveus is certainly not going to be the last ramsomware virus it is unlikely that we will see a great number of these occurring unless and until the perpetrators find a way to solve the problem of cashing out. Until then the strategy of following the money will inevitably betray them.

No comments: