A Tale of Two Markets: Investigating the Ransomware Payments Economy

AI-generated keywords: Ransomwhere Commodity Ransomware RaaS Bitcoin Cybersecurity

AI-generated Key Points

Ransomware attacks pose severe threats to governments, critical infrastructure, and corporations
Collecting and analyzing ransomware data is crucial for designing effective defense mechanisms against these attacks
Ransomwhere is an open crowdsourced ransomware payment tracker that has been instrumental in gathering information from victims of ransomware attacks
Ransomwhere has provided valuable insights into the evolving structure of the ransomware payments economy, with over 13.5k ransom payments to more than 87 criminal actors and total payments exceeding $101 million
Researchers have characterized two parallel markets within the ransomware ecosystem: commodity ransomware and Ransomware as a Service (RaaS)
There are striking differences between these two markets in terms of how cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency
It is relatively easy to identify choke points in commodity ransomware payment activity, but more difficult to do so for RaaS
The study highlights the importance of understanding the evolving nature of the ransomware payments economy and designing effective defense mechanisms against these attacks.

Also access our AI generated: Comprehensive summary, Lay summary, Blog-like article; or ask questions about this paper to our AI assistant.

Authors: Kris Oosthoek, Jack Cable, Georgios Smaragdakis

arXiv: 2205.05028v1 - DOI (cs.CR)

License: CC BY 4.0

Abstract: Ransomware attacks are among the most severe cyber threats. They have made headlines in recent years by threatening the operation of governments, critical infrastructure, and corporations. Collecting and analyzing ransomware data is an important step towards understanding the spread of ransomware and designing effective defense and mitigation mechanisms. We report on our experience operating Ransomwhere, an open crowdsourced ransomware payment tracker to collect information from victims of ransomware attacks. With Ransomwhere, we have gathered 13.5k ransom payments to more than 87 ransomware criminal actors with total payments of more than $101 million. Leveraging the transparent nature of Bitcoin, the cryptocurrency used for most ransomware payments, we characterize the evolving ransomware criminal structure and ransom laundering strategies. Our analysis shows that there are two parallel ransomware criminal markets: commodity ransomware and Ransomware as a Service (RaaS). We notice that there are striking differences between the two markets in the way that cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency. Although it is relatively easy to identify choke points in commodity ransomware payment activity, it is more difficult to do the same for RaaS.

Submitted to arXiv on 10 May. 2022

Ask questions about this paper to our AI assistant

You can also chat with multiple papers at once here.

AI assistant instructions?

Results of the summarizing process for the arXiv paper: 2205.05028v1

Comprehensive Summary
Key points
Layman's Summary
Blog article

Ransomware attacks have become a major concern in recent years, posing severe threats to governments, critical infrastructure, and corporations. To better understand the spread of ransomware and design effective defense mechanisms, collecting and analyzing ransomware data is crucial. In this regard, Ransomwhere - an open crowdsourced ransomware payment tracker - has been instrumental in gathering information from victims of ransomware attacks. With over 13.5k ransom payments to more than 87 criminal actors and total payments exceeding $101 million, Ransomwhere has provided valuable insights into the evolving structure of the ransomware payments economy. Leveraging the transparency of Bitcoin - the cryptocurrency used for most ransomware payments - researchers have characterized two parallel markets within the ransomware ecosystem: commodity ransomware and Ransomware as a Service (RaaS). While commodity ransomware is typically sold on underground forums or deployed by individual attackers with limited resources, RaaS has effectively weaponized unpatched internet-facing technology of many unwitting organizations. Such organizations have significant financial interests in restoring their systems after a successful attack. The study shows that there are striking differences between these two markets in terms of how cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency. Although it is relatively easy to identify choke points in commodity ransomware payment activity, it is more difficult to do so for RaaS. To seed their dataset, researchers collected data from several public sources such as Paquet-Clouston et al., who collected 7,222 addresses representing approximately $12.7 million in payments belonging to various families including Locky. They also gathered 37 addresses and associated families from AT&T Alien Labs Open Threat Exchange platform. Members of the public can submit reports at Ransomwhere where they received 99 reports containing 198 addresses over a six-month period from June 2021 to December 2021. Overall, this study highlights the importance of understanding the evolving nature of the ransomware payments economy and designing effective defense mechanisms against these attacks. With the insights gained from Ransomwhere, researchers have shed light on the different markets within the ransomware ecosystem and provided valuable information for policymakers, law enforcement agencies, and cybersecurity professionals to combat this growing threat.

- Ransomware attacks pose severe threats to governments, critical infrastructure, and corporations
- Collecting and analyzing ransomware data is crucial for designing effective defense mechanisms against these attacks
- Ransomwhere is an open crowdsourced ransomware payment tracker that has been instrumental in gathering information from victims of ransomware attacks
- Ransomwhere has provided valuable insights into the evolving structure of the ransomware payments economy, with over 13.5k ransom payments to more than 87 criminal actors and total payments exceeding $101 million
- Researchers have characterized two parallel markets within the ransomware ecosystem: commodity ransomware and Ransomware as a Service (RaaS)
- There are striking differences between these two markets in terms of how cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency
- It is relatively easy to identify choke points in commodity ransomware payment activity, but more difficult to do so for RaaS
- The study highlights the importance of understanding the evolving nature of the ransomware payments economy and designing effective defense mechanisms against these attacks.

Ransomware attacks are very bad for important things like governments and companies. To stop these attacks, we need to collect and study information about them. Ransomwhere is a tool that helps us do this by tracking payments made to ransomware attackers. We have learned a lot from Ransomwhere, like how much money has been paid and who the attackers are. There are two types of ransomware markets: one where people buy the software to attack others, and another where people pay someone else to do it for them. It's important to understand both of these markets so we can protect against ransomware attacks in the future. Definitions- Ransomware: a type of computer virus that locks up files until a payment is made - Crowdsourced: when many people work together on something - Infrastructure: the basic physical or organizational structures needed for something to function properly - Insights: new understanding or knowledge gained from studying something - Ecosystem: all the living and nonliving things in an environment working together - Cryptocurrency: digital money that uses encryption techniques for security

Ransomware Attacks: An Overview of the Growing Threat

In recent years, ransomware attacks have become a major concern for governments, critical infrastructure, and corporations. Ransomware is malicious software that encrypts data on a computer or network and demands payment in exchange for unlocking it. These attacks can cause significant financial losses to organizations and individuals alike, making it essential to understand the spread of ransomware and design effective defense mechanisms against them.

The Role of Ransomwhere in Gathering Data from Victims

To this end, researchers have been leveraging an open crowdsourced ransomware payment tracker called Ransomwhere to collect information from victims of ransomware attacks. This platform has provided valuable insights into the evolving structure of the ransomware payments economy with over 13.5k ransom payments to more than 87 criminal actors and total payments exceeding $101 million.

Characterizing Two Parallel Markets within the Ecosystem

By leveraging the transparency of Bitcoin - the cryptocurrency used for most ransomware payments - researchers have characterized two parallel markets within the ecosystem: commodity ransomware and Ransomware as a Service (RaaS). Commodity ransomware is typically sold on underground forums or deployed by individual attackers with limited resources while RaaS has effectively weaponized unpatched internet-facing technology of many unwitting organizations who have significant financial interests in restoring their systems after a successful attack. This study shows that there are striking differences between these two markets in terms of how cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency. Although it is relatively easy to identify choke points in commodity ransomware payment activity, it is more difficult to do so for RaaS due to its decentralized nature.

Data Collection Sources Used by Researchers

To seed their dataset, researchers collected data from several public sources such as Paquet-Clouston et al., who collected 7222 addresses representing approximately $12.7 million in payments belonging to various families including Locky; AT&T Alien Labs Open Threat Exchange platform which provided 37 addresses associated with various families; as well as 99 reports containing 198 addresses submitted by members of the public at Ransomwhere over a six-month period from June 2021 to December 2021.

Conclusion

Overall, this study highlights the importance of understanding the evolving nature of the ransomware payments economy and designing effective defense mechanisms against these attacks. With insights gained from platforms like Ransomwhere, researchers have shed light on different markets within this ecosystem providing valuable information for policymakers, law enforcement agencies, and cybersecurity professionals alike so they can better combat this growing threat

Created on 08 May. 2023

Assess the quality of the AI-generated content by voting

Score: 0

Similar papers summarized with our AI tools

50.8%

Of Degens and Defrauders: Using Open-Source Investigative Tools to Investigat…

cs.CR

40.9%

Bitcoin, Currencies, and Bubbles

econ.GN

39.8%

Smart Contract and DeFi Security: Insights from Tool Evaluations and Practiti…

cs.CR

Navigate through even more similar papers through a

tree representation

Look for similar papers (in beta version)

By clicking on the button above, our algorithm will scan all papers in our database to find the closest based on the contents of the full papers and not just on metadata. Please note that it only works for papers that we have generated summaries for and you can rerun it from time to time to get a more accurate result while our database grows.

Disclaimer: The AI-based summarization tool and virtual assistant provided on this website may not always provide accurate and complete summaries or responses. We encourage you to carefully review and evaluate the generated content to ensure its quality and relevance to your needs.