Repurposed Ransomware Nets $60,000 Replacing Users’ Copied Bitcoin Addresses

Omar Faridi
  • Over $60,000 in cryptocurrency has reportedly been stolen by modified ransomware.
  • The malware replaces BTC addresses copied by users to redirect payments to the attackers’ wallets.

An old ransomware program has reportedly been modified to steal an estimated 8.4 Bitcoins, currently worth over $60,000, from unsuspecting users. The malicious program works by replacing the BTC address a user has copied to the clipboard with one of the attackers’ own, so that the payment is redirected to them.

The attackers trick users into believing the transaction is going to the intended address by using attacker addresses whose first and last few characters match those of the address the user copied.
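A defender-side check for the trick just described, added here as an example that is not part of the original article or of Fortinet’s analysis: a clipboard guard that remembers the address the user copied, validates whatever is in the clipboard at paste time as a legacy Base58Check Bitcoin address, and flags a substitution that preserves the leading and trailing characters. The function names are assumptions; the scenario values in the test are constructed around two well-known public example addresses.

```python
import hashlib
from typing import Optional

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_decode(addr: str) -> Optional[bytes]:
    """Return version+payload bytes if addr is valid Base58Check, else None."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None  # character outside the alphabet
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        return None
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        return None  # typo or corrupted address
    return body


def is_legacy_btc_address(addr: str) -> bool:
    """True for a well-formed mainnet P2PKH (version 0x00) or P2SH (0x05) address."""
    body = b58check_decode(addr)
    return body is not None and len(body) == 21 and body[0] in (0x00, 0x05)


def shares_edges(a: str, b: str, edge: int = 4) -> bool:
    """True if two different strings agree on their first and last `edge` chars."""
    return a != b and a[:edge] == b[:edge] and a[-edge:] == b[-edge:]


def classify_clipboard_change(copied: str, clipboard: str, edge: int = 4) -> str:
    """Compare the address the user copied with the clipboard contents at paste time."""
    if clipboard == copied:
        return "unchanged"
    if not is_legacy_btc_address(clipboard):
        return "not_an_address"  # user copied unrelated text in the meantime
    if shares_edges(copied, clipboard, edge):
        return "lookalike_swap"  # same first/last characters, different address
    return "different_address"
```

Only a full-string comparison defeats the swap; a user glancing at the first and last characters, as the article notes, sees nothing wrong.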

Several security software products detect the modified program simply as “file-locking malware,” because only minimal changes were made to its original code, even though the script actually steals users’ digital currency. Reportedly, other cryptocurrency-stealing programs are being developed and posted in secret online forums.

Repurposed Ransomware

Researchers at Fortinet, a California-based cybersecurity company, have traced the cryptocurrency-stealing malware’s origins back to a program called Jigsaw. Jigsaw was a ransomware program, discovered in April 2016, that hijacked users’ systems and threatened to delete their files if they did not pay a ransom in crypto.

Notably, the original Jigsaw ransomware program was first labeled BitcoinBlackmailer.exe, and it locked the user’s desktop after encrypting their files. The lock screen also showed a picture of Billy the Puppet, a character from the horror film Saw.

Jigsaw is written in the C# programming language and its code has been widely shared online. Any bad actor with basic coding knowledge could potentially modify the malicious program to fit their agenda.

In this recent instance, the source code of the modified program actually calls it a “BitcoinStealer,” but this is only visible to people who are able to reverse-engineer the cryptocurrency-stealing script.

Notably, crypto malware that replaces copied addresses is nothing new. As previously covered, malware dubbed “ClipboardWalletHijacker” reportedly infected over 300,000 computers worldwide, stealing funds from users who copied bitcoin and ethereum addresses.