How to Pay Ransom During Ransomeware attack on your company ?

How to Pay Ransom during a Ransomeware cyber attack in India ?

The demand for ransom is illegal under the IPC, but not the payment. If business exigencies require, ransom may have to be paid under duress. even Section 37 of the income tax Act in India will not come in the way of the claim for deduction of ransom money. Commissioner of Income Tax Vs M/s Khemchand Motilal Jain (Madhya Pradesh High Court (2011))

There are also companies that swoop in at the last minute to handle the logistics. companies like CyberSecOp, DigitalMint, are a full-service, final-mile crypto broker.They are at the end of the process

They hired specialists, after the forensic consultants, the company, and stakeholders have all made the determination victims have exhausted all their options and that paying the ransom from an economics perspective is the best way to move forward. That’s when they come to companies like CyberSecOp, digitalmint in order to help them acquire crypto at any time of day or night,

In the space of 30 to 60 minutes from initial contact, these companies are able to make the ransom payment for the victim. This includes vetting the hacker to make sure they aren’t tied to a U.S.-sanctioned country and going on the open market, order books and exchanges to acquire the cryptocurrency needed to pay the ransom.

They say that 90% to 95% of ransoms are paid in bitcoin, but monero is an increasingly popular option. Monero is considered more of a privacy token and allows cybercriminals greater freedom from some of the tracking tools and mechanisms that the bitcoin blockchain brings.

Since January 2020, DigitalMint alone has facilitated more than $100 million in ransomware settlements with a median payment of $800,000.

Last year, crypto ransomware payments overall more than quadrupled from 2019 levels to $350 million, according to Chainalysis,  that figure is likely understated. But the true number may be closer to $1 billion.

In April, a task force including Amazon Web Services, Microsoft, the FBI and the Secret Service, among others, delivered recommendations to the White House on how to fight the ransomware threat. On the question of whether to ban payments to attackers, the group of more than 60 members was split.

Part of the problem is that the threat actors are getting greedy at pricing their ransom demands. 

If they ask for too much, forensics goes through their feasibility studies and says, ‘Well, that’s too much. Let’s just rebuild our systems, take a risk, and not pay for it,’ 

At a certain point, it is more economically viable to just pay the ransom rather than hemorrhaging cash due to paralyzed operations.

Bitcoin is the most popular currency demanded by ransomware attackers, but other cryptocurrencies they have dictated include Ethereum, Zcash, and Monero.

Other methods

The first step is to contact your organization's bank to determine if they transfer funds to a cryptocurrency exchange, and if there are any limits.

Then set up an account with a cryptocurrency exchange such as CoinDCX or WazirX,  or on coinbased which is FDIC-insured for up to $250,000 held in US currency in a custodial account. Once the US dollars are exchanged for digital currency, Coinbase insures the digital currency should its system be breached, but does not insure the breach of an individual account, according to its website.

Once you create a cryptocurrency exchange account, have your bank transfer/wire its government-issued currency into the wallet or custodial account. From there, you can purchase some cryptocurrency to hold in a digital wallet or custodial Coinbase account.

But you may want to think twice before buying and holding cryptocurrency in custodial accounts because the value of this currency can be highly volatile. 

To seed a cryptocurrency exchange account or Coinbase account in advance of any ransomware attack, you must open an account with one of the cryptocurrency companies such as Bitcoin, Zcash, Ethereum, or Monero.

For Small Ransom Payments, Go to a Bitcoin ATM

Using a Bitcoin ATM is faster than purchasing Bitcoins online, says Neal Conner, a customer service manager for Bitcoin ATM manufacturer Lamassu, which has 300 machines across the globe through independent operators.

These ATM machines are cash-based, no [credit or debit] cards or bank accounts are required. If you're buying online, they certainly are from the brokerage or exchange you are purchasing them from. With online methods of purchasing Bitcoins, most users have to go through registration, verification, and linking of credit cards or bank accounts, a cumbersome process, especially if you have cash and just want Bitcoin immediately.

First, download a Bitcoin mobile wallet app on the Bitcoin site for Android or iOS Phone.

The wallet allows you to access one of the growing network of Bitcoin ATM machines, such as Coinucopia. The Bitcoin wallet app for Android or Breadwallet for the iPhone, for example, work with this particular ATM, for example. Next, download an app for reading QR codes. The ATM reads the wallet information via its QR code displayed on the phone.

The Coinucopia ATM can accept a minimum of $5 to a maximum of $3,000 per transaction, which will then be converted into Bitcoin and loaded onto the phone's Bitcoin wallet. The maximum daily amount that can be purchased for a Bitcoin wallet account is $10,000.

Once the money is loaded onto the digital wallet, the ransomware address can be entered onto your smartphone and the payment sent.

Pay via an Online Cryptocurrency Account

If just a limited number of machines or devices are hit with ransomware, online payment may be a good option.

The decision to use an online cryptocurrency service verses a Bitcoin ATM machine largely depends on the comfort level of the person handling the transaction.

Depending on the cryptocurrency exchange service, a cap generally exists on the amount of Bitcoin, Monero, or other type of cryptocurrency that can be purchased per transaction.

For example, a cap of $5,000 per transaction to purchase Bitcoin or to convert Bitcoin to Monero would require you to execute the purchase process 14 times if you have 50 computers and devices infected with ransomware and a ransom demand of $1,400 per machine. That would total a $70,000 purchase in digital currency, and potentially exceed the daily allotment per account that is available.

Depending on the type of cryptocurrency the attacker demands - Bitcoin, Monero, Zcash, or Ethereum - the type of account you would need to get and number of services differs.

If a ransom demand is in Monero, for example, you need a Monero digital wallet. Additionally, you need to sign up for a digital currency converter service such as ShapeShift, because a number of cryptocurrency exchanges do not accept Monero directly, Spagni explains. You would also need to sign up for a cryptocurrency exchange to purchase the Bitcoin, which would then be converted to Monero using ShapeShift.

Signing up for a digital wallet, cryptocurrency exchange, and digital currency converter service, can take longer to execute a transaction than using a Bitcoin ATM.

Final Advice

Try to Convince decision makers Not to Pay the Ransom

Don't give up hope that your CEO or board of directors will have a change of heart and give up on paying ransom.

Tell them the main reason not to pay: it doesn't necessarily not guarantee access to the locked files, sometimes even cybercriminals don't know the decryption key coz ransomeware seller never sold the decryption key to the cyber criminal.

Sane advice: Don't pay the ransom. Once you do, they may keep coming back for more. That's like Kidnapping. The other thing is that if other cyber criminals in this space know you pay, then they, too, will hit you up next.

Bitcoin Tax by Indian Government: How

TAXATION  OF  BITCOIN  AND  OTHER  CRYPTO CURRENCIES IN  INDIA 😊

To understand the tax implications of Cryptocurrencies in India, the following points need to be understood under the context of the Income Tax Act:

1) Business Income - These are the profits and gains received from any business or profession carried on by the tax payer at any time during the Financial Year. It includes 'any' compensation received or other payment due to be received. Further, the compensation may be received in Cash or Kind.

2) Capital Gains - It means any income which has been derived from a 'Capital Asset' (whether movable or immovable)

3) Capital Asset - It means property of any kind held by the taxpayer, whether or not connected with his business or profession.

However, this does not include any Stock in Trade

Note: Since the cryptocurrencies have not been declared as legal tender by the Reserve Bank of India, these cannot be considered as legal tender (cash) and shall be considered as an asset. With a general understanding of the above terms, we move on to understand how cryptocurrencies would be taxed under different scenarios:

Scenario 1: When a person receives Cryptocurrency as payment for rendering goods or services

If a provider of goods or services receives any payment by cryptocurrency, then, the fair market value of the cryptocurrency received as consideration for rendering the goods or services will be considered as the consideration (that is the sale amount). Hence, the difference between the Fair Market Value of the cryptocurrency and the cost of provision of goods or services will be treated as Business Income in the hands of the taxpayer and the resultant Business Income will be charged to tax at the applicable slab rate.

Let us take the following example to understand the above more clearly:

Mr. A provides services for which he agrees to receive 2 Bitcoins. For simplicity purpose, assume the cost of provision of service as Rs. 5,00,000/- and the Fair Market Value of 1 Bitcoin = Rs. 5,50,000/-. Hence, by applying simple mathematics we can conclude that the total consideration for the services rendered is Rs. 11,00,000/- (5,50,000*2) and therefore the Business Income is Rs. 6,00,000/-

Continuation of Scenario 1: The person receiving cryptocurrency as consideration sells the cryptocurrency

Now as soon as the person receives the cryptocurrency as consideration, it becomes his capital asset under the assumption that it is not Stock in Trade (which is discussed later). Therefore, as and when the person sells the cryptocurrency, the resultant difference between the Fair Market Value on the date of receipt of cryptocurrency (from the provision of goods or services) and the date of sale of cryptocurrency will be treated as Capital Gain.

Further, if the cryptocurrency is held for 36 months or less, it will be treated as Short Term Capital Gain. If it is held for more than 36 months it will be treated as Long Term Capital Gain.

While computing Long Term Capital Gain, the taxpayer will get the benefit of indexation.

The bifurcation of Short Term Capital Gain and Long-Term Capital Gain is important since the Short Term Capital Gains are taxed at Slab Rates and Long-Term Capital Gains are taxed @ 20%.

Let us continue the example taken in Scenario 1:

Suppose the bitcoins received by Mr. A is sold by him @ Rs. 5,75,000/- per Bitcoin then the value of the consideration that will be received by Mr. A is Rs. 11,50,000/-. Hence, the Capital Gains would be Rs. 50,000/- (11,50,000 - 11,00,000) and depending on the period of holding of the cryptocurrency, it will be taxed as Short Term Capital Gain or Long Term Capital Gain

Scenario 2: A person paying consideration by cryptocurrency for receiving any goods or services

If a person availing any goods or currency pays consideration in the form of cryptocurrency, then in such a case there will be aspects which will need to be considered:

i) Capital Gains
ii) Amount (Quantification) of the expense

Capital Gains: The Capital Gains will be determined in the same manner as discussed in 'continuation of scenario 1' and will be taxed accordingly. However, in this case the relevant dates for determination of period of holding shall be the date of acquisition of the currency and the date of payment

Amount of expense: The amount of expense shall be the Fair Market Value of the cryptocurrency on the date of payment

Let us take the following example to understand the above clearly:

Mr. A avails goods worth Rs. 11,50,000/- the payment for which is discharged by paying 2 Bitcoins (5,75,000 * 2). Assuming the cost of acquisition of 2 Bitcoins to be Rs. 10,00,000/- (5,00,000 * 2), the resultant Capital Gain will be Rs. 1,50,000/- and will be taxed as Short Term Capital Gain or Long-Term Capital Gain depending on the period of holding.

The amount of expenditure will be the Fair Market Value of the Bitcoins that is Rs. 11,50,000/-

Scenario 3: A person Investing / Trading in cryptocurrency

This is the simplest to understand. However, the important aspect to be to be considered is whether the activity is to be considered as Investment or Trading.

If the activity is considered as Investment the difference between the sale price and purchase price will be treated as Capital Gains (the treatment will be as discussed earlier) and on the contrary if the activity is considered as Trading, the difference will be treated as Business Income irrespective of the period of holding.

Determining whether the difference will be considered as Capital Gains or Business Income will depend solely upon the intention of the person at the time of acquisition of the cryptocurrency.

Conclusion: The Indian Tax laws do not have a specific mention on how cryptocurrencies are to be taxed in India and remains a grey area, particularly as the exposure of people increases until a specific mention in the law is made. Even thou Chairman of direct tax has announced that the profit earned from bitcoin trading would be taxed.

The cryptocurrencies are not declared as legal tender by the RBI and spelled by Finance Minister himself in the budget speech, it hence may be treated as an asset.

Further, it shall be kept in mind that the cryptocurrency market is an unregulated market and risk of investment remains high without support of Indian Law.