Bitcoin ransom viruses

11 February 2018 21:00, UTC
Andrey Semyonov, Denis Goncharenko
Virus. The word used to hold no fear for an advanced computer user. Winlockers, worms, Trojans: none of them were a big danger, and most antiviruses could detect and destroy them. As the whole world dove into the cryptocurrency mania in 2017-2018, new players arrived on the scene: fraudsters armed with Bitcoin ransomware. Even intelligence agencies are hampered. Individual and corporate computers are being hit by waves of ransom virus attacks that extort bitcoins, litecoins and other coins.

“What are you?”

A crypto virus is an encrypted file that can arrive on a computer by e-mail, through the laziness of a user who doesn’t check a downloaded file for viruses, or in some other way. After some time, it opens remote access to your computer for a malefactor. The criminal then manually launches encryption with a random key. Very secure encryption algorithms are used, the kind the military prefers: Blowfish or AES. The encryption key is generated randomly and only the malefactor knows it. There are no ways to cope with the virus at the moment. Only two solutions remain: pay the fraudsters a ransom in exchange for unlocking, or re-install the whole system, leaving the lost files behind.

Viruses are often disguised as files with the following extensions: *.jpg, *.xls, *.doc and even 1С databases. That is, hackers mask ransomware as anything that may hold valuable information.
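A defensive check for the disguise described above, given as an added example that is not part of the original article: it compares what a file name claims with the file's leading "magic" bytes and flags double extensions. The function name, the extension lists and the sample attachments are assumptions made for illustration.

```python
from pathlib import PurePath

# Leading "magic" bytes for the formats the article names.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office container
MAGIC = {".jpg": b"\xff\xd8\xff", ".xls": OLE2, ".doc": OLE2}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")       # Windows PE / Linux ELF
# Illustrative, not exhaustive, list of directly runnable extensions.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}


def inspect_attachment(filename: str, head: bytes) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    final = suffixes[-1] if suffixes else ""

    # 1. "contract.doc.exe": a document extension placed before the real one.
    if final in EXECUTABLE_EXTS and any(s in MAGIC for s in suffixes[:-1]):
        findings.append("double extension ending in executable type")

    # 2. The content is a program, whatever the name claims.
    if head.startswith(EXECUTABLE_MAGIC) and final not in EXECUTABLE_EXTS:
        findings.append("executable content behind non-executable name")
    # 3. The name claims a known format but the header disagrees.
    elif final in MAGIC and not head.startswith(MAGIC[final]):
        findings.append(f"content does not match {final} header")
    return findings


# Constructed sample attachments: (file name, first bytes of the file).
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("invoice.xls", b"MZ\x90\x00\x03\x00"),
    ("contract.doc.exe", b"MZ\x90\x00\x03\x00"),
    ("scan.doc", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name}: {inspect_attachment(name, head) or 'ok'}")
```

A mismatch in case 3 is a reason to look closer, not proof of malware: a renamed archive or a newer Office file saved under an old extension triggers it too.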

Anamnesis research: virus history

One of the first virus attack attempts ever made was the dissemination of the Trojan called AIDS on the Web in 1989. After getting onto the computer, this virus blocked data and demanded a ransom payment to unblock it. This Trojan is still called the first Bitcoin ransomware, although it was released long before the emergence of Bitcoin. Interestingly, the members of the medical conference had been chosen to test the program. The participants simply acquired floppy disks with the AIDS Trojan and, after launching them, effectively made their computers a new home for a virus.


Throughout the following 15 years, extortionists were not very active. But in 2006, they came back. While Bitcoin was still in its development phase, the antivirus labs were researching the Archievus product. That Trojan worked by encrypting data asymmetrically, and it affected the My Documents folder. Users, who in most cases lost access to their files, were offered to pay for “access services” by filling in information on special websites. Naturally, the victim’s actions were followed by a transfer of money to the benefit of a third party.


The next decade, in terms of virus activity, was marked by the arrival of the virus called Reveton. Once it reached the computer’s storage, the malicious application started to block executable files and disrupt the work of the system. Even experienced users could not do anything about it. And again, one had to pay a ransom in exchange for unlocking. Experts noted that the first actions of advanced Trojans did not worry users very much. When the computing power of devices was used to mine bitcoins in the background, most complained only about the performance drops. After issuing cryptocurrency became more difficult, miscreants decided to compare the overall trading volume on exchanges with non-tradable assets. They found out there was still some room to grow. Most users simply stored bitcoins, the price of which was growing, in their personal wallets.


A new wave of digital attacks swept through the entire world in May 2017. One of the first malicious programs was called WannaCry or WannaCrypt. Users in India, Ukraine, Taiwan and Russia made up the majority of those the ransom virus managed to harm. In just one day, the Bitcoin ransom virus infected approximately 200,000 computers.

Because of the actions it performs, WannaCry belongs to the Trojan type. Once this application infiltrates the file system, it blocks access to the PC user’s data. For example, a user wants to open a document he is working on and has to finish today. Nothing happens, and the virus demands bitcoins as a ransom for access. The average amount of money demanded for the deletion of this Trojan varies from 300 to 600 dollars in Bitcoin. There is no guarantee that the deletion will actually take place, and not many people know how to delete this Bitcoin virus.


Although Bitcoin is, at press time, the most expensive cryptocurrency, malefactors do not mind receiving ransom in other forms. For example, the Kirk Trojan, which blocks user files, is aimed at getting Monero, an altcoin.

The end justifies the means

Aside from efficiency, modern viruses have a precise goal. Now that advertising has become targeted, the “pests” search for victims on specialized resources. A fraudster finds people who might own cryptocurrency: mining pool members, exchange players. The opportunities to contact the victim are also considered. These contacts can be e-mail accounts, social media pages or frequently visited websites. Such opportunities can be provided by satoshi faucet sites, investment marketplaces, exchanges, overhyped projects and so on. Using all this, the virus arrives on the computer (files become encrypted and the system locked). And voila, the extortion of cryptocurrency or “the real money”.

Bitcoin virus – how to find it and protect yourself?

Firstly, do not agree to install software of questionable origin, or software you do not remember arriving on your computer. Secondly, keep an eye out for the HTTPS encrypted connection while dealing with any cryptocurrency marketplace. This gives more confidence in the site you have opened and also helps prevent phishing, or data theft after entry. The search engines Yandex and Google recently started to give more output for sites with HTTPS. Thirdly, it’s better to use anti-viruses you actually pay for, as free versions are mostly made for stats collection and tests of anti-attack defense. As one might say, you are a test subject of a lab that tests software.

The Web hygiene

To ensure full confidence, one must remember to take several preventive measures. Create a backup of all the important files from your computer on an external hard drive, cloud storage or flash drive. Do not open email messages coming from suspicious addresses; it’s better to delete them immediately. It’s not recommended to answer messages sent by unknown social media accounts, follow their links to external resources or download files from them.

Industrial solutions

Because the demand to transfer ransom is based on the malefactor’s anonymity, security services could not stand aside. This is why Elliptic, first a special algorithm and later a software package, was developed. Using it, one can monitor the circulation of the Bitcoin supply. The corporation that owns the product currently cooperates actively with law enforcement and financial organizations. Cryptocurrency exchanges actively use this software as well.

What to do if you got baited? How to delete a Bitcoin virus?

If you see ransom demands, you should not obey the fraudsters. A computer can always be fixed, while getting the money back would be much, much harder and will almost certainly not happen. Even with all the special software in the world, the search for those who committed a crime only starts after the fact. Sometimes the money transfer is disguised as payment for unblocking services. And who says that those who demand payment were the ones who infected your computer?

Governmental bodies still have the final word, and as of today they have not decided to regulate the crypto market. If they do, they will have to destroy one of the basic features of Bitcoin: the anonymity of transactions on the blockchain. And this, in turn, might lead to a drop in user interest in the project.

And remember: the main security guarantee of your capital against any infringements will always be simple human attention.