Dealing with Cryptowall and Ransomware

by Michael Perklin

As a digital investigator who spent years tracking cyber criminals online, and as someone who has launched a Bitcoin security consulting company, I’ve been contacted a number of times by victims of digital ransom, looking for ways out. The story is always the same: they see a warning on their computer screen telling them that their files are encrypted, and unless they pay a hefty ransom (with Bitcoin) before the clock runs out, they will never gain access to their files again.

I’ve decided to write this blog post to answer some questions about this type of ransomware and help the thousands of Canadians who must be affected by it.

Jump to the bottom to read the four suggestions on how to deal with this ransomware, or continue reading for more details about it.

In late 2013, a new form of ransomware titled CryptoLocker hit the Internet, indiscriminately encrypting portions of every file it could get its hands on. Files stored in “My Documents” folders, external drives and even shared folders hosted on other computers in the local network had portions of the contents encrypted using an RSA encryption key. The decryption key was made available to victims of this attack for the price of $300, paid in Bitcoin.
Although the CryptoLocker’s command and control servers were taken down in May 2014 thanks to a joint US Department of Justice raid on servers hosted in Kiev and Donetsk, this hasn’t stopped ransomware from spreading.

A new piece of ransomware has made its rounds lately: CryptoWall. My research into CryptoWall shows it is essentially the same code as CryptoLocker, but is designed to use a different command-and-control methodology to hopefully outlive its CryptoLocker predecessor. It also asks for $500 in ransom instead of CryptoLocker’s $300. Thankfully, this newest variant seems to use much of the same code as the old one, including all of its flaws.

The older CryptoLocker software had a few flaws in how it a) chose encryption keys to encrypt the victim’s files, and b) how it used these keys to encrypt the files in the first place.
Performing cryptographic operations with software in a secure manner is not easy. Care must be taken when using the encryption key in software to ensure it is only used to encrypt, and is removed from the system immediately afterwards. If this care isn’t taken, the encryption key can linger in a few places including RAM, pagefiles on the hard drive, and even cached locations on disk. These can be written inadvertently by the application, the application’s framework (.NET, JavaVM, Rails and other frameworks) or by the Operating System itself (in this case, Windows).
This is one of the services that my company, Bitcoinsultants, provides our clients: advice on using cryptography properly to ensure their applications don’t succumb to any of the 7 classes of attacks on information systems (Information Leakage being one).

In a true case of irony, this difficulty of securely using encryption keys has left CryptoLocker insecure, leaving copies of the key on victims’ computers. Where this would normally be an example of an Information Leakage vulnerability, in this case it is a bastion of hope for all of CryptoLocker’s (and CryptoWall’s) victims.

Dealing with Ransomware

There are a few suggestions that I regularly give to people looking for help. I’ve listed them here:

  1. Keep a backup of your data before you get hit. This may seem like a cop-out suggestion, but the fact is if you have a safe copy of your encrypted data you don’t need to pay a ransom to recover the files; you already have them. External hard drives and large USB keys make this easy; simply drag and drop your files to your external drive, and unplug it when the copy is finished. This hard drive can be used to recover your files in the event your system becomes infected;
  2. Try to decrypt the files on your own. If you have experience with programming and are an advanced technical user of computers, you may want to visit these technical resources which can help you understand and decrypt the files on your machine. Keep in mind this will take a significant amount of time and experience with the more technical aspects of computers in order to execute.
  3. As much as I hate to suggest this, consider paying the ransom. Every case I’ve helped with has had their files decrypted after paying the ransom. As dishonourable as the attackers may be in writing this ransomware, they at least keep their word when it comes to decryption. I’ve had people offer to pay for my services to decrypt their files for them out of principle – they’d rather pay a whitehat hacker than a ransom – but the fact is the amount of time and effort required costs more than the ransom. I believe the authors of this ransomware priced the ransom purposely to ensure that it will always be cheaper to pay than to hire professionals to decrypt it on their own.
  4. Canadians can report the incident to the Canadian Anti-Fraud Centre. They keep tabs on scams affecting Canadians and coordinate resources where necessary to combat them. Residents of other countries can find the counterparts to the CAFC in their country, such as the Fraud.org website in the United States;

One of the victims that I’ve helped made a comment regarding this virus and its use of Bitcoin:

“This just proves that Bitcoin is illegal, and it’s only a matter of time until governments ban it for taking advantage of people like me.”

I sympathize with all of the victims of this ransom, but personally I feel that blame should be placed squarely on the attacker and not on the medium of payment demanded. After all, people have held others hostage in demand of $1000s of dollars in unmarked bills; should the Canadian or US dollars be banned for taking advantage of people? Making these counter-arguments helped this victim see that the payment processor was not at fault, however I imagine many others who are less familiar with Bitcoin have jumped to the same erroneous conclusions, making the job of the Bitcoin Alliance of Canada that much more difficult.

The fact is, the easiest way to deal with these types of attacks is to be prepared in advance. If you don’t have a backup of your data, now is the best time to make one.

Until next time,

Michael Perklin

What You Need to Know About the New Canadian “Bitcoin Law”

This post was written by Addison Cameron-Huff, a tech lawyer who works for Decentral. Addison is a lawyer but he is not your lawyer. You should seek legal advice before acting on any of the legal information presented in this article.

image

Photo by @spettacolopuro.

What’s Happened?

A Canadian federal law affecting Bitcoin passed last Thursday. Bill C-31, an omnibus budget act, contains provisions that will eventually bring certain Bitcoin businesses into Canada’s anti-money laundering regime. The new rules are not in effect yet.

Who Will Be Affected?

In short: anyone engaged in the business of buying or selling of virtual currencies and who has Canadian customers. 

Any person or business who “ha[s] a place of business in Canada and that [is] engaged in the business of providing … the following [service]: … dealing in virtual currencies”. 

Also affected: any person or business who “do[es] not have a place of business in Canada, that [is] engaged in the business of providing at least one of the following services that is directed at persons or entities in Canada, and that provide those services to their customers in Canada: … dealing in virtual currencies.”

Citations for above: Bill C-31, s. 256(2): http://www.parl.gc.ca/content/hoc/Bills/412/Government/C-31/C-31_3/C-31_3.PDF (pgs. 164-165).

What is “Dealing”?

Dealing isn’t defined in the act but generally means buying or selling. Coupled with the requirement that someone be “in the business of”, it’s likely that this law won’t affect people buying or selling for personal use or merchants using Bitcoin.

The law can be expected to be similar to how car dealing works: selling your own car doesn’t require a license but running a car dealership does. 

What is “Virtual Currency”?

The new law doesn’t define “virtual currency”. The definition will be in the regulations that will eventually be passed (see below). 

What Will the Rules Be?

Anyone covered by the new rules will have to register as a “Money Services Business” (MSB) and comply with the anti-money laundering regime (please see previous Decentral blog posts).

Probably the most significant MSB rule is that companies may only do business in amounts up to a certain threshold before requiring that customers provide identification. The threshold will likely be either $1000 (current MSB rules for the money transmission/remittance category) or $3000 (foreign exchange category).

The exact rules won’t be known until the corresponding regulations are published (here). The final rules will probably be preceded by a notice of proposed regulation posted in Part I of the Canada Gazette.

When Will the New Rules Take Effect?

The new rules won’t take effect until the government declares them in effect.

Section 298(3) of the law states that s. 256(2) (the key Bitcoin-regulating part of the law) will “come into force” (become a law people are required to follow) “on a date to be fixed by Order of the Governor in Council”. 

What is an Order in Council? An Order in Council is one of the pathways by which laws can come into force. They are published on the Orders in Council site (hard to navigate/monitor) and in the Canada Gazette Part II (easier to monitor, it’ll be published as a “Statutory Instrument” [e.g. “SI/2014-XXX”]). The only way to know that an order has been published is to check every day and see if something’s been published. 

What Should Bitcoin Businesses Do?

Find a lawyer and attempt to understand how money laundering rules apply to your business and what the registration/compliance steps are.

FINTRAC (the regulatory agency for anti-money laundering) offers some guidance for money services businesses on its website: http://www.fintrac-canafe.gc.ca/msb-esm/intro-eng.asp.

Registering as an MSB is free and quite straightforward. Compliance is complicated and will likely affect involve hiring a lawyer.

What’s Going to Happen?

1. Canadians may be banned from some online virtual currency services. Although Canada is a base for many Bitcoin businesses, Canadians are a small market. The money laundering rules have such severe penalties that probably services will just not allow registration by Canadians rather than attempt to comply. 

2. Some Bitcoin businesses may have business models that aren’t compatible with the new regulatory regime. They’ll have to adapt their model to the new environment. 

3. Small businesses may not be able to afford the compliance costs. This may lead to consolidation in the industry.

4. The new regulatory regime may provide a big boost to the Canadian Bitcoin industry. Canada will soon have the world’s first nationally regulated virtual currency industry. 

Decentralized Bitcoin Exchanges: A Solution with Three Big Challenges

The author, Addison Cameron-Huff, is a lawyer who serves as part-time in-house counsel for Decentral. Decentral is Canada’s main decentralized application business development centre.

 

Bitcoin Exchanges

Bitcoin exchanges are businesses that connect buyers and sellers of Bitcoin to each other and the banking system. Exchanges pose three problems:

  1. they sometimes go out of business and lose everyone’s money + bitcoins (“counterparty risk”); and,
  2. they are easy targets for regulation that can be easily and suddenly shut down by authorities (they are “centralized”); and,
  3. they have a limited number of options for accepting payment (e.g. a US exchange is unlikely to support M-Pesa transfers).

Decentralized Exchanges: Solution?

Many cryptocurrency enthusiasts think decentralized exchanges are the solution to the problems that Bitcoin exchanges currently pose.

 

A decentralized exchange is an exchange that uses peer-to-peer (P2P) networking technology to enable users to directly trade with each other. Although a regular Bitcoin exchange allows users to trade with each other they can only do so with the exchange as an intermediary.

 

When thinking about the difference between a decentralized exchange and today’s exchanges, it’s helpful to think about the difference between Napster and BitTorrent. Napster worked by having a central server that every user’s computer checked in order to see what files were available to download from other users. Napster was shut down in 2001 by a court order that forced them to turn off the central servers. BitTorrent can’t be shut down because users connect directly to each other and not through an intermediate central server.

 

A decentralized Bitcoin exchange would solve problem #2 (see above) because there wouldn’t be a central server. Problem #1 would be solved with respect to the exchange itself but a decentralized exchange would (depending on how it works) probably introduce a new form of counterparty risk: the risk of dealing with other users. Problem #3 would probably also be solved because users could find the payment methods that work for them in their jurisdiction.

 

At a high level it would appear that decentralized exchanges are the solution to the problems identified at the beginning of this post but the devil is in the details. The devil lies especially in the details of how a decentralized exchange would handle the interface between “fiat” currency (e.g. Canadian dollars) and Bitcoin.

 

Canadian Dollars to Bitcoin

A hypothetical decentralized Bitcoin exchange would probably operate along these lines for a $ to BTC transaction:

  1. Alice and Bob agree on price and quantity (e.g. $3000 for 2 bitcoins) through the decentralized order matching system
  2. Alice sends $3000 to Bob
  3. Alice sends a message indicating payment sent
  4. Bob receives $3000
  5. Bob sends a message indicating payment received
  6. Bob sends 2 bitcoins to Alice
  7. Bob sends a message indicating the bitcoins have been sent
  8. The system marks the transaction as complete

 

The steps above pose at least three big challenges:

  1. What does step #2 mean? How will Alice send the money to Bob? Will the decentralized exchange interface with the thousands of payment systems around the world?
  2. How can Bob be sure that the money he receives in step #4 won’t be taken back by Alice after step #8? If Alice uses a payment method like a credit card then Alice can later reverse the transaction and potentially get back her money and keep the bitcoins. There are very few methods of payment that can’t be reversed.
  3. How will disputes be handled? What if Alice didn’t actually send the money? What if Bob doesn’t send the bitcoins? How can Alice prove she sent the payment? What if Alice backs out of the transaction before sending payment? Who will be responsible for offline enforcement?

 

Flickr photo shown on laptop is by @jalavega

What is a Compliance Officer?

compliance officer

This blog post explains what a compliance officer is within Canada’s money laundering regime. It was written by Addison Cameron-Huff, a lawyer who specializes in Bitcoin. He highly recommends that you seek legal advice when faced with money laundering compliance issues.

 

image

 

Photo from http://www.flickr.com/photos/23912576@N05/2962194797/

 

Compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act may require the appointment of a “compliance officer”.

 

A compliance officer typically performs the following roles:

 

“Puts in place and maintains the compliance regime.

Ensures that all employees are trained as required.

Monitors and observes that all policies and procedures are respected and applied.

Reports on a regular basis to the board of directors or senior management, or to the owner or chief operator.”

 

http://www.fintrac-canafe.gc.ca/msb-esm/compliance-conformite/officer-agent-eng.asp

 

In a small business the compliance officer could be the owner/operator of the business. At a larger organization (e.g. a bank) a compliance officer is typically a full-time role.

 

FINTRAC also refers to their own inspectors as compliance officers: http://www.fintrac-canafe.gc.ca/publications/brochure/05-2005/4-eng.asp.

A Smart Property Real Estate System for Ontario

This blog post is about how the ideas of Bitcoin could be applied to Ontario’s land ownership records system (POLARIS). It was written by Addison Cameron-Huff, a lawyer retained by Decentral in Toronto.

 

“Smart property” is a concept of great interest in the cryptocurrency industry. Smart property is property for which:

 

the ownership can be verified through a decentralized trust system (like the Bitcoin protocol); and,
transfers can take place using the electronic system.
Could Ontario adopt a smart property system for land records?

 

Knowledge of how Bitcoin works is a prerequisite to thinking about how a property system based on it could function.

 

Explaining Bitcoin: Provable Transactions + Ownership

The Bitcoin protocol allows anyone to verify the transactions that have taken place within the system (the “blockchain”). This is possible because Bitcoin creates a snapshot every ten minutes of the last ten minutes of activity and adds that to the list of transactions that have happened since the start of Bitcoin (this is called “mining”). The records can’t be changed after the fact due to the use of hashing functions.

 

Bitcoin allows the holder of bitcoins to prove that they are the owner because they are the only person with the password (see this explanation of public key cryptography for details). The person with the password can “sign” a transaction with their password to prove that they are the owner.

 

If anyone can prove that they are the holder of a certain item and everyone else can see the history of transactions that led to them being the holder, then you have the basis of a system of provable ownership and secure transfer.

 

Real Estate Smart Property: POLARIS

How could smart property concepts be applied to real estate?

 

At the heart of smart property is the idea of electronic records that prove ownership. For most kinds of property there is no official record of ownership that can be consulted – it’s generally up to the buyer to ascertain who the owner of something is. One notable exception is POLARIS: the database of ownership of real property in Ontario.

 

POLARIS is a part of the Land Titles System, the legal regime for property ownership that covers most land in Ontario. It is is the central repository for all records of who owns what real estate. You can read more about it here: http://www.teranet.ca/node/131.

 

POLARIS and smart property are complicated concepts so the following discussion can only touch on a few points of comparison but will hopefully illustrate the contrast between the two systems. This blog post considers a block chain-based smart property system.

 

POLARIS: Disadvantages

POLARIS has a few disadvantages:

  1. it is centralized and access is provided only through a private company called Teranet (they bought the right to run the system until 2067 for $1 billion + royalties and are owned by Borealis, the investment arm of OMERS); and,
  2. it’s very difficult to prove that the person transferring land is the possessor of that land (the problem is currently handled by only lawyers doing transfers); and,
  3. it’s expensive to look up ownership of property (about $30 per search + $600 to register); and,
  4. it’s not possible to build new applications that use property records.

 

Smart Property System: Benefits

A smart property system for land ownership could improve upon POLARIS in a few ways:

  1. anyone could inspect any property record in real-time (because everyone has an up-to-date version of all of the records); and,
  2. access to records would cost almost nothing (<1 cent); and,
  3. authenticating the holders of property would be easy (because the holder is the one with the password) so owners could transfer land without using lawyers; and,
  4. transactions fees could be very low; and,
  5. anyone could build applications on top of the property system to provide new ways of accessing records (e.g. an automated mortgage fraud detection system).

 

Despite the upsides of a smart property system, changing the real estate database system would pose a number of significant challenges.

 

Smart Property Real Estate System: Challenges

POLARIS has been in place since the 1980s. It may not be ideal but a new system is likely to introduce “bugs” that would have enormous costs for some people (e.g. a bank might foreclose on the wrong person).

 

There would also be problems that are specific to switching to smart property:

  1. passwords would have to be distributed to the current owners of land; and,
  2. if a user loses their password they’d lose ownership of the land (and if they didn’t, the ownership database would be out-of-sync, defeating the purpose of having the system); and,
  3. theft of real estate passwords would become a massive fraud issue (although real estate fraud is currently a major problem for banks, consumers and insurers).

 

Any sane system that follows smart property principles would have to figure out a method of “recovering” ownership when the password is lost. (This problem could be mitigated by implementing “multisignature transactions”).

 

Although there would be advantages to a smart property system, many of them would be hard to quantify, such as the benefit from new applications that are impossible to create under the current system. In 1980 no one could have calculated the value of the Internet (and what is Wikipedia worth?). Furthermore, many people misplace their car keys – they’re not going to be able to keep track of the password for their home ownership record.

 

In addition to the practical issues of switching to smart property the province would be forced to pay billions to Teranet (the operator of POLARIS) if it cancelled its 57 year monopoly agreement.

 

Conclusion: Looking Forward

2014 isn’t going to be the year of smart property real estate records. That said, it will be a year where these ideas move closer to application, and the power of decentralized crypto trust systems gains wider recognition. By 2067 we’ll probably have something better than POLARIS.

 

Discussion

Smart property and real estate are big, challenging topics. Please do contact the author (addison@bitcoindecentral.ca) if you think a mistake has crept in or there’s an aspect you’d like to see explored in a follow-up blog post.

It’s legal to do business in bitcoin

This blog post discusses the legality of doing business using bitcoins. It was written by Addison Cameron-Huff, a lawyer who specializes in Bitcoin. He highly recommends that you seek legal advice when considering Bitcoin legal issues.
http://www.flickr.com/photos/10710442@N08/4034636727/

Businesses are adopting bitcoin (BTC) as a payment method at an ever faster rate (20,000 merchants use the BitPay network and coinmap.org has mapped >3000 businesses). Despite the growing adoption, some people wonder whether “it’s legal”. This blog post takes a look at the legality of doing business with Bitcoin.

The starting point for any discussion about what’s legal or illegal is this default principle in Canadian law: it’s legal unless it’s not. You are permitted to do anything so long as there isn’t a (valid) rule that prohibits/ regulates that conduct.

There have not been any laws passed in Canada that specifically address Bitcoin (although there will be). But there are laws of general application that apply to all transactions, and more specifically, barter transactions (trading good X for good Y). Canada has always taxed barter transactions and the Canadian Revenue Agency has provided guidance on bartering with digital currencies.

Beyond tax implications, the question of whether it’s legal to use Bitcoin can usually be rephrased as whether the transaction is legal. The use of bitcoins doesn’t affect a transaction any more than substituting soybeans for dollars would. Legal business remains legal and illegal business remains illegal.

The technology may be new but the legal principles are not.

Source: posts