Why Is South Korea Such A Target For Ransomware?

Ransomware attacks demanding cryptocurrency payments have been on the rise, striking police stations, hospitals, and (most recently) the city of Atlanta, Georgia. But no locale is suffering as much, say researchers, as South Korea.

Now a research team led by NYU Tandon School of Engineering cybersecurity expert Damon McCoy believes it has a possible new avenue for law enforcement professionals to follow when attempting to determine what happens to cryptocurrencies that are used to pay the demands made by ransomware creators.

Although the public nature of the Bitcoin blockchain has been called a design flaw by individuals like Edward Snowden, the researchers were able to track ransom payments made using Bitcoin by accessing transaction information on the public blockchain over a two-year period.

According to the research team, South Korea is a favorite target for ransomware attackers. $2.5 million of the $16 million in confirmed ransom payments were made by South Koreans who suffered an attack. The researchers have called for additional research to determine what makes South Korea especially vulnerable to ransomware attacks and how South Koreans can better protect themselves.

Could It Be North Korea?

The exceptional targeting of South Korea in ransomware attacks has led to speculation that North Korea is involved. Hacking groups in North Korea have already been implicated in major hacks of exchanges and theft of millions of dollars’ worth of cryptocurrency, which has been allegedly diverted to the country’s nuclear program (despite scant hard evidence).

North Korea is known to have engaged in cyberattacks against its enemies, including the major WannaCry attack last year, so it may not be surprising if ransomware attacks against businesses and civilians in South Korea are sponsored by hackers or agencies within North Korea.

In addition, ransomware attackers typically unloaded the tracked cryptocurrencies on a Russian exchange called BTC-E. (BTC-E has since been seized by FBI authorities.) Russia’s ties to North Korea are closer than many in the western world are comfortable with, and the choice of a Russian exchange may also point to cyberattacks emanating from the peninsula.

Researchers Become Victims of Their Own Research Topic

The researchers also ran ransomware binaries in a controlled environment to study their nature, but eventually became victims of a ransomware attack themselves. They took advantage of the situation to send micropayments to the attackers’ wallets to study what happened.

“Ransomware operators ultimately direct bitcoin to a central account that they cash out periodically, and by injecting a little bit of our own money into the larger flow we could identify those central accounts, see the other payments flowing in, and begin to understand the number of victims and the amount of money being collected,” McCoy said.
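The tracing idea McCoy describes can be sketched as a graph walk over public transaction data. The following is an added example, not the research team's code: it assumes a simplified ledger with one sender and one receiver per transaction, and every address name and amount in it is constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample ledger, simplified to one sender and one receiver per
# transaction: (sender, receiver, amount in satoshis). All names are made up.
LEDGER = [
    ("researcher", "ransom_A", 100_000),      # traced micropayment
    ("victim_1",   "ransom_A", 50_000_000),
    ("ransom_A",   "central",  50_100_000),
    ("researcher", "ransom_B", 100_000),      # traced micropayment
    ("victim_2",   "ransom_B", 70_000_000),
    ("ransom_B",   "hop_1",    70_100_000),
    ("hop_1",      "central",  70_100_000),
    ("victim_3",   "ransom_C", 30_000_000),   # ransom address not known in advance
    ("ransom_C",   "central",  30_000_000),
    ("central",    "exchange", 150_200_000),
    ("bystander",  "shop",     20_000_000),   # unrelated traffic
]

def hops_from(start, ledger):
    """Breadth-first search: hop count from start to every address downstream."""
    out = defaultdict(set)
    for sender, receiver, _ in ledger:
        out[sender].add(receiver)
    dist, queue = {start: 0}, deque([start])
    while queue:
        addr = queue.popleft()
        for nxt in out[addr]:
            if nxt not in dist:
                dist[nxt] = dist[addr] + 1
                queue.append(nxt)
    return dist

def find_central(seeds, ledger):
    """First address where the flows from every seeded ransom address converge."""
    dists = [hops_from(s, ledger) for s in seeds]
    common = set.intersection(*(set(d) for d in dists))
    if not common:
        return None
    return min(common, key=lambda a: (sum(d[a] for d in dists), a))

def inflows(addr, ledger):
    """Total received by addr, in satoshis, broken down by sender."""
    totals = defaultdict(int)
    for sender, receiver, amount in ledger:
        if receiver == addr:
            totals[sender] += amount
    return dict(totals)

if __name__ == "__main__":
    central = find_central(["ransom_A", "ransom_B"], LEDGER)
    print(central, inflows(central, LEDGER))
```

In this constructed ledger, the inflow breakdown for the convergence address surfaces `ransom_C`, a feeder address that received no micropayment.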

The researchers did draw the line at exploring certain aspects of the ransomware ecosystem such as the percentage of victims who paid the ransom to recover their files, citing ethical concerns. McCoy said that doing so could actually cause victims to have to pay a double ransom to recover their files.

An assistant professor of computer science and engineering at the NYU Tandon School of Engineering, Damon McCoy has made criminal use of cryptocurrencies one of his research focuses and has previously used Bitcoin advertising to track human trafficking. The current research on cryptocurrency-related ransomware was supported in part by grants from the National Science Foundation, Google, and Comcast.
