Have you ever wondered how ransomware attackers manage to escape with their loot given that law enforcement has operations has people dedicated to digital sleuthing and the amounts involved can be so large, they can’t exactly be hidden.

Ransomware payments are demanded in cryptocurrency, typically Bitcoin. If you don’t know, cryptocurrencies are a digital form of money that is created through massive amounts of computing power. They are typically traded virtually through a series of private ‘wallets’ and public ‘exchanges.’

Exchanges are organized markets, managed by companies, where people bring their cryptocurrencies to switch them into dollars, pounds or other forms of money. Essentially they operate like currency exchanges at banks.

With most cryptocurrencies, every transaction is recorded on a ledger, known as the blockchain. This digital ledger is publicly available online and lists all cryptocurrency transactions. These transactions can’t be rescinded one a transaction has been made. In short, each transaction is cast in digital stone on the ledger.

Wallets and trading exchanges

Ransomware victims are typically told to make a payment into a designated digital wallet. The funds are scattered across hundreds of private wallets. This disperses the money immediately and makes it extremely difficult to track down where it went.

Private wallets are difficult to access by law enforcement because they require an encryption key, a long string of numbers and letters, that only the wallet holder possesses. Before being received in the wallets however, the cryptocurrency can be ‘washed’ in a digital mixer. Mixers use software to blend and swap one bitcoin for another, all with the purpose of breaking the chain so the history of a single coin is more difficult to trace.

From cryptocurrency to cash

Cyber villains tend to get caught when they want to exchange their digital currency for traditional cash. Investigators try to identify and label funds on the blockchain to keep track of them. If the money is ever moved from a private wallet to a public exchange, law enforcement can directly contact the exchange operators and ask them to lock the account in question while they investigate.

Many exchanges will cooperate with these requests. They comply with common financial regulations, such as knowing their customers, so they have physical identification account holders. But there are exchanges that ignore or try to resist requests, or are based in different countries that have lax regulations or look the other way. This is how ransomware attackers get away with their crimes.