Ransomware offers up few absolute certainties, but one that has become a given is that extortion payments are demanded in Bitcoin.
It hasn’t always been so. In the very early days of ransomware, from around 2006, extortionists had to rely on traditional channels to receive payments, such as credit cards (believe it or not) and the now-defunct private currency e-gold.
This had a lot of disadvantages: credit card accounts were easier to trace to real people, while even e-gold accounts required a degree of identity verification and so left a trail.
It also limited the size of ransoms to a few hundred dollars at most because larger demands would stand out. Bitcoin and blockchain changed everything by making traceability much harder. We can now say with certainty that ransomware would have taken off years before it did had Bitcoin existed during this early period.
Today, the association between ransomware and Bitcoin is so strong it has arguably affected the currency’s public image, irredeemably associated as it now is in some quarters with criminality.
Indeed, the association is so strong that at one point at least one security company wondered aloud whether demand generated by ransomware payments has at times driven up the price of Bitcoin.
Despite all this, criminals will very occasionally deviate from the Bitcoin script.
Take the recent curious example of the WannaFriendMe ransomware which claims to be the notorious Ryuk ransomware to scare victims but is in fact a version of something less impressive called Chaos.
Chaos is significant for reasons we’ll return to in due course, but the biggest oddity of WannaFriendMe is that the group behind it asks victims to purchase a decryption tool from Roblox’s Game Pass store in the game’s currency, Robux. As the ransom demand states:
“Don’t panic, your files are decryptable, But your files can only be decrypted with our own decrypter tool! To get this decrypter, you must buy this gamepass: https://www.roblox.com/game-pass/49955147/Ryuk-Decrypter.
YOU MUST HAVE A ROBLOX ACCOUNT TO BUY THE GAMEPASS, BUY 1700 ROBUX AND THEN BUY THE GAMEPASS ABOVE.”
That’s a ransom demand for the equivalent of $20—yes, $20—a price which seems to have dropped further in June. Even in the early days of ransomware 15 years ago, demands were never this low.
What’s going on? The answer is that in 2021 the Chaos ransomware started selling a toolkit allowing opportunist extortionists to create their own campaigns. This appears to be a crude example of that business model.
There’s a sting in the tail, however—WannaFriendMe/Chaos overwrites files larger than 2MB in size, making them unrecoverable. Given that most images will be greater than 2MB in size, this perhaps explains why the decryptor is so cheap.
This behavior might ring a bell. The same behavior was noticed in the Onyx ransomware this site covered last year and to which WannaFriendMe/Chaos is believed to be related.
This is all small beer by ransomware standards. This is not malware that is likely to turn up on business computers. But it underlines how ransomware has now spread to bargain basement extortion attacks on young gamers. Ransomware is everywhere. There is a ransomware out there waiting for everyone.