Well, this happens to be a very good question. However, the answer to this is not all that cut and dried. There have been arrests connected to the Cerber and CTB-Locker ransomware viruses. These viruses were spread through fake invoices contained in emails; a user would have to open the invoice to activate the infection, which would then lock up their computer.
So, part of the answer to the above question is that arrests do happen. But, in order for the investigations to begin, the authorities have to be really interested in the criminals involved. The ransomware targets are not normally ones that can afford to fight back and hire private investigators or others to try to track down the criminals involved.
This means that law enforcement has to have some interest in the criminals involved – they may be linked to other serious crimes, as an example – as small-time crooks are not worth their time. That is not meant as a slight against the authorities, either. It makes sense that if a ransomware criminal targeted a giant operation that crippled a massive network, this would spark an investigation. A ransomware attack on your home computer is not going to pull as much attention.
But here’s why you don’t see a lot of arrests. Once a computer or server is infected, the developers of the ransomware virus used can identify the kind of computer setup you have, right down to the specific computers and all accessories. Because of this, they can afford to be picky about their targets. The smart criminal will actually stay away from giant corporations, knowing they may attempt to fight back, hire PIs or use some other means to track the bad guys down.
Ransomware is actually a tricky and gimmicky business. This is particularly true when international policies and law become part of the equation. As an example, let’s say a ransomware criminal is based in Bulgaria and the victim happens to be in Canada. This automatically becomes an international crime. The time, paperwork and legal work involved – court subpoenas that may require several submissions, from initial discovery to actually receiving the logs from Bulgarian federal agents – is immense.
This means that unless the ransomware infection is against a significant agency, company or corporate entity, chances are that law enforcement is not going to even begin to poke around and launch an investigation – period.
Add to this that digital crime is complicated. It is far more complicated than someone being recorded on a video camera and located later. Plus, criminals are not normally that sloppy. They like to stay safe and use encrypted mail servers like cock.li – the server of choice for Dharma and many other ransomware developers.
Another troublesome part of the equation is tracking the ransom payments. Usually, the request is for a cryptocurrency payment, and Bitcoin tends to be the preferred choice. Tracking online payments made with credit cards is far easier than tracking those made with cryptocurrencies. In fact, these ‘digital coins’ are actually encrypted currencies, and since criminals don’t use the same wallets for each ransomware payment, the payments are difficult for law enforcement to follow. That is particularly true when ransomware criminals continue to update their wallets, keeping at least two steps ahead of the authorities.
What it boils down to is manpower and expense.
The requirements of an investigation related to ransomware are not just costly, they are also time-consuming. With the world of new technology spinning so fast, even if law enforcement agencies could keep up, newer and tougher ransomware viruses are always being developed, with more and more targets being hit. Such investigations would pull valuable resources away from other criminal investigations, which could provide many new opportunities for criminals not well versed in digital crime.
But there may be a ray of sunshine in all of this darkness.
Should digital criminal activity become a bigger problem than it already is, don’t be too surprised if law enforcement at the federal level looks at combating the situation through the creation of special task forces designed just for this purpose. In fact, this may already be happening and we have not seen evidence of it, as ransomware crimes are still relatively new in the overall scheme of things.
So, as you can see, there are times when ransomware criminals are arrested. However, unless the virus target is huge – and most digital criminals at this point are avoiding these – there is not much point in authorities getting involved and pulling resources from other criminal investigations to chase after what are essentially small-time internet thieves.