Ransomware attacks have become a major concern in recent years, posing severe threats to governments, critical infrastructure, and corporations. To better understand the spread of ransomware and design effective defense mechanisms, collecting and analyzing ransomware data is crucial. In this regard, Ransomwhere, an open crowdsourced ransomware payment tracker, has been instrumental in gathering information from victims of ransomware attacks. With over 13.5k ransom payments to more than 87 criminal actors and total payments exceeding $101 million, Ransomwhere has provided valuable insights into the evolving structure of the ransomware payments economy.
Leveraging the transparency of Bitcoin, the cryptocurrency used for most ransomware payments, researchers have characterized two parallel markets within the ransomware ecosystem: commodity ransomware and Ransomware as a Service (RaaS). While commodity ransomware is typically sold on underground forums or deployed by individual attackers with limited resources, RaaS has effectively weaponized unpatched internet-facing technology of many unwitting organizations. Such organizations have significant financial interests in restoring their systems after a successful attack. The study shows that there are striking differences between these two markets in terms of how cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency. Although it is relatively easy to identify choke points in commodity ransomware payment activity, it is more difficult to do so for RaaS.
To seed their dataset, researchers collected data from several public sources such as Paquet-Clouston et al., who collected 7,222 addresses representing approximately $12.7 million in payments belonging to various families including Locky. They also gathered 37 addresses and associated families from the AT&T Alien Labs Open Threat Exchange platform. Members of the public can also submit reports at Ransomwhere, where 99 reports containing 198 addresses were received over a six-month period from June 2021 to December 2021.
Overall, this study highlights the importance of understanding the evolving nature of the ransomware payments economy and designing effective defense mechanisms against these attacks. With the insights gained from Ransomwhere, researchers have shed light on the different markets within the ransomware ecosystem and provided valuable information for policymakers, law enforcement agencies, and cybersecurity professionals to combat this growing threat.
- Ransomware attacks pose severe threats to governments, critical infrastructure, and corporations
- Collecting and analyzing ransomware data is crucial for designing effective defense mechanisms against these attacks
- Ransomwhere is an open crowdsourced ransomware payment tracker that has been instrumental in gathering information from victims of ransomware attacks
- Ransomwhere has provided valuable insights into the evolving structure of the ransomware payments economy, with over 13.5k ransom payments to more than 87 criminal actors and total payments exceeding $101 million
- Researchers have characterized two parallel markets within the ransomware ecosystem: commodity ransomware and Ransomware as a Service (RaaS)
- There are striking differences between these two markets in terms of how cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency
- It is relatively easy to identify choke points in commodity ransomware payment activity, but more difficult to do so for RaaS
- The study highlights the importance of understanding the evolving nature of the ransomware payments economy and designing effective defense mechanisms against these attacks
Ransomware attacks are very bad for important things like governments and companies. To stop these attacks, we need to collect and study information about them. Ransomwhere is a tool that helps us do this by tracking payments made to ransomware attackers. We have learned a lot from Ransomwhere, like how much money has been paid and who the attackers are. There are two types of ransomware markets: one where people buy the software to attack others, and another where people pay someone else to do it for them. It's important to understand both of these markets so we can protect against ransomware attacks in the future.
Definitions
- Ransomware: a type of computer virus that locks up files until a payment is made
- Crowdsourced: when many people work together on something
- Infrastructure: the basic physical or organizational structures needed for something to function properly
- Insights: new understanding or knowledge gained from studying something
- Ecosystem: all the living and nonliving things in an environment working together
- Cryptocurrency: digital money that uses encryption techniques for security
Ransomware Attacks: An Overview of the Growing Threat
In recent years, ransomware attacks have become a major concern for governments, critical infrastructure, and corporations. Ransomware is malicious software that encrypts data on a computer or network and demands payment in exchange for unlocking it. These attacks can cause significant financial losses to organizations and individuals alike, making it essential to understand the spread of ransomware and design effective defense mechanisms against them.
The Role of Ransomwhere in Gathering Data from Victims
To this end, researchers have been leveraging an open crowdsourced ransomware payment tracker called Ransomwhere to collect information from victims of ransomware attacks. This platform has provided valuable insights into the evolving structure of the ransomware payments economy, with over 13.5k ransom payments to more than 87 criminal actors and total payments exceeding $101 million.
Characterizing Two Parallel Markets within the Ecosystem
By leveraging the transparency of Bitcoin, the cryptocurrency used for most ransomware payments, researchers have characterized two parallel markets within the ecosystem: commodity ransomware and Ransomware as a Service (RaaS). Commodity ransomware is typically sold on underground forums or deployed by individual attackers with limited resources, while RaaS has effectively weaponized unpatched internet-facing technology of many unwitting organizations that have significant financial interests in restoring their systems after a successful attack.
This study shows that there are striking differences between these two markets in terms of how cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency. Although it is relatively easy to identify choke points in commodity ransomware payment activity, it is more difficult to do so for RaaS due to its decentralized nature.
Data Collection Sources Used by Researchers
To seed their dataset, researchers collected data from several public sources. These include Paquet-Clouston et al., who collected 7,222 addresses representing approximately $12.7 million in payments belonging to various families including Locky, and the AT&T Alien Labs Open Threat Exchange platform, which provided 37 addresses associated with various families. In addition, members of the public submitted 99 reports containing 198 addresses at Ransomwhere over a six-month period from June 2021 to December 2021.
Conclusion
Overall, this study highlights the importance of understanding the evolving nature of the ransomware payments economy and designing effective defense mechanisms against these attacks. With insights gained from platforms like Ransomwhere, researchers have shed light on different markets within this ecosystem, providing valuable information for policymakers, law enforcement agencies, and cybersecurity professionals alike so they can better combat this growing threat.