Lucian Milasan - stock.adobe.com

Charities warned over ‘Robin Hood’ cyber criminals

Accepting donations from cyber criminal groups could be deemed as profiting from crime, money laundering or handling stolen goods – so don’t do it

Charities, non-profits and related organisations should be on their guard against a new development in the world of cyber crime that has security experts puzzled and legal experts alarmed – the donation of money extorted from ransomware victims to charity.

First reported by the BBC, the tactic has been adopted by a relatively new ransomware group known as DarkSide, one of a growing number of increasingly sophisticated and professionalised cyber crime groups that take a businesslike approach to the ransomware game.

DarkSide, on its emergence earlier in 2020, went so far as to produce an actual press release revealing how it carefully analyses its targets’ financials before an attack, and makes a point of never attacking medical organisations, non-profits or government bodies.

Now the group has taken the decision to “give something back” and in a blog post made on 13 October, said it was “only fair” that some of the money it has extorted should go to charity. It made two payments of 0.88 bitcoin, or $10,000, to two US-based charities, Children International in Missouri and The Water Project in New Hampshire, through The Giving Block, an entity set up specifically to manage cryptocurrency donations to charity. The DarkSide group also posted tax receipts for the donations.

According to initial reports, Children International has said it has no intention of keeping the money, while The Giving Block has already begun an investigation into where the funds came from and how to return them.

But what are the ramifications for organisations that might find themselves on the receiving end of such a donation? For Judy Krieg, a partner at law firm Fieldfisher, it’s not a tricky question. “In short, the answer is: don’t do it,” she told Computer Weekly.

Under the law, technically speaking, the acceptance of ransomware payments in any form would constitute money laundering.

Money extorted through ransomware attacks becomes proceeds of crime, which is also known as criminal property. Therefore, said Krieg, under section 329 of the UK Proceeds of Crime Act 2002, the primary UK money laundering law, an organisation or individual that acquires, uses or possesses criminal property is committing an offence.

Moral dilemma

Even though the law is crystal clear on profiting from cyber crime, Javvad Malik, security awareness advocate at KnowBe4, says such acts of supposed philanthropy would still have presented the recipients with a moral dilemma, albeit one that should be easy to overcome.

“One should not look past the fact that the money was obtained illegally through criminal actions and no amount of charitable contributions can erase that,” said Malik.

“Whenever an organisation is extorted via ransomware or other means, that money impacts actual individuals. Many people have lost their jobs over the years, there have been organisations that have ceased to exist, and there has even been some talk recently of the role that ransomware had to play in the unfortunate death of a patient transported to a different hospital.

“Criminals need to understand that there is a very real impact of their actions, and simply giving an amount to charity cannot make up for that.”

Public relations

Kelvin Murray, a senior threat researcher at Carbonite’s Webroot, said the donations seemed to be line with a growing trend among ransomware operators to try to whitewash their image.

“We have seen this with the Maze gang, among others, where throughout the Covid-19 pandemic they have continuously reminded us that they have not been targeting hospitals out of moral concern,” he said.

“This also coincides with their relatively new tactic of stealing data from their victims and threatening to publicly post it on websites. These large gangs also do a lot of public posting on the dark web as they court customers and form business alliances.

“I would imagine that public relations is more of a concern for them now, because they are relying more on publicity and good faith from their stakeholders and victims in order to make their extortion tactics successful.”

Read more about ransomware

  • The volume of ransomware attacks has jumped 50% in the past three months, according to data produced at Check Point.
  • Raccine, an open source ‘vaccine’, prevents ransomware threat actors from using a Windows utility to delete shadow copies of a system’s data, but there are a few drawbacks.
  • Ransomware threatens to put your data beyond reach, so the best way to prepare is to have good-quality data you can restore from backup. We look at the key things to consider.

Comparitech.com security specialist Brian Higgins takes a similar line. “I doubt this is anything more than attention-seeking on the part of the DarkSide group,” he said.

“Firstly, $10,000 is a paltry sum in comparison to the vast amounts of money they have extorted from their victims, so it’s hardly a grand philanthropic gesture, and secondly, no credible charity is ever going to accept donations that are demonstrably the proceeds of crime.”

According to Higgins, there remains a tiny possibility that in making these donations, DarkSide was testing the waters to try to launder the proceeds of its ventures, but he said it is more likely that the criminals just have too much time on their hands, not to mention “too much” stolen money knocking about. There is, after all, a limit to the number of Lamborghinis one can prominently display on Instagram without attracting attention.

“If they were really serious about ‘making the world a better place’, they would all sell their laptops and stay off the internet,” said Higgins.

Read more on Hackers and cybercrime prevention