How One Company Rebuffed Its Ransomware Aggressors and Froze Their $1M Bitcoin Wallet

A Canadian insurance company that fell victim to ransomware last year has managed to obtain the decryptor from its aggressors, then went on to freeze their Bitcoin wallet using a clever trick.

An anonymous group of hackers infected the unnamed insurer with the Bitpaymer ransomware in October last year. The operators reportedly locked up 20 servers and over 1,000 of the firm’s computers and demanded $1.2 million in Bitcoin to free them from Bitpaymer’s stranglehold.

The firm’s own insurer stepped in to negotiate with the attackers and talked the ransom down to $950,000 (96 Bitcoin), a sum that eventually made its way into the attackers’ crypto-wallet.

Within 24 hours, the Bitpaymer operators handed over the decryption key. After 10 days and some hard recovery work, the insurer was back on its feet. But it wouldn’t leave things at that, as a new report revealed this week.

A ransomware victim’s options

Once infected, ransomware victims typically are left with two options, neither delightful:

  • they can refuse to pay the ransom and try to recover on their own, which does not guarantee that all the data comes back, while the cost of that recovery typically ends up matching or even exceeding the original ransom demand;
  • or they can pay the attackers and hope to receive the decryptor; even if they do receive it, they then have to keep their fingers crossed that the key actually works across every encrypted system.

And the hurdles don’t stop there. Ransomware victims often incur further damage due to downtime and lost business, loss of reputation and fleeing customers, and can even go bankrupt in severe cases.

But despite recovering relatively unscathed, this Canadian insurer refused to accept losing almost a million dollars to fend off an enemy it hadn’t even provoked. So, it did something clever. Well, its insurer did.

Fighting their aggressors

As the report describes, the Canadian firm’s insurer hired a blockchain analytics company to trace the ransom payment. The analysis soon revealed that a portion of the 96 BTC had been moved into, and laundered through, the cryptocurrency exchange Bitfinex. And it gets better.

The victim convinced the High Court in the United Kingdom to order Bitfinex to freeze the attackers’ Bitcoin wallet. It leveraged a “proprietary injunction” – essentially an order that freezes assets when their holder becomes the subject of a proprietary claim, i.e. a claim that the assets belong to someone else. The law permits such an order to be granted even when the perpetrators remain unidentified and at large, which is why the exchange, not the attackers, was the party compelled to act. The case is still ongoing and it remains to be seen whether the Canadian company can eventually recover its money from the exchange.

An all-new cat-and-mouse game

As 2020 kicks off, ransomware incidents are following a new pattern. Ransomware gangs now threaten to publish stolen data if their demands are not met, a response to victims increasingly refusing to pay even when refusal costs them more in the long run. In one notable example, a cable manufacturer in Carrollton, Georgia went on to sue its attackers, obtaining an injunction against their hosting provider.

It will be interesting to see how these new tactics play out. While it is certainly encouraging to see victims hitting back at their aggressors, the attackers typically hold the upper hand during an incident, and they are not shy about using that advantage, often dictating terms until they eventually get their way.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Filip Truta. Read the original post at: