Ransomware attacks have become a major concern for law enforcement and security professionals around the world. Recent prominent attacks by ransomware including WannaCry, Locky and SamSam affected hundreds of thousands of people around the world. Ransomware infects a victim's device with malicious software that blocks access until the victim pays a ransom to the attacker, most often in cryptocurrency. Because of this payment method, ransomware attacks also offer a valuable opportunity to measure the financial impact of cybercrime by tracing movements of Bitcoin.
Paquet-Clouston, Haslhofer and Dupont analyzed the transaction data from many types of ransomware using an open-source cryptocurrency analytics platform. They analyzed Bitcoin transactions related to ransomware attacks that occurred between 2013 and the middle of 2017. They extracted 7,222 Bitcoin addresses, each identifying a Bitcoin wallet, linked to 67 ransomware families. From these addresses they were able to study 35 ransomware families. They did this by finding the addresses related to each ransomware family, identifying the payer and payee accounts and tracking the flow of money. They have made their data extraction and analysis procedures available for use by other researchers.
The collector addresses for each ransomware family were found by creating an outgoing-relationships graph for each ransomware family and grouping its outputs. Characteristics of the relationships and contextual information were used to group the addresses. The collector addresses were not necessarily part of the cluster containing the family's seed and expanded addresses. Some collector addresses are part of larger clusters belonging to Bitcoin exchange services, gambling sites, or 'mixer' services, all of which are used to obscure money flows.
The market for ransomware payments for the 35 ransomware families is at least USD 12,768,536, or 22,967.44 BTC. Interestingly, most of the ransomware appeared to be controlled by a few operators: three families of ransomware accounted for 86% of the market. Not all ransomware contributes equally to the direct financial costs borne by victims. More than 50% of the nearly thirteen million dollars came from the 'Locky' strain of ransomware. The methods developed for this research could be applied to other illicit activities using cryptocurrencies to provide evidence-based insights for policymakers.
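As an added illustration (not the authors' code or their analytics platform) of the tracing steps described above (seed addresses expanded into a cluster, an outgoing-relationships graph, grouped outputs identifying collector addresses) and of the "at least" revenue estimate, here is a toy Python version run on constructed transactions. It assumes the common-input-ownership heuristic for expanding seed addresses, which is a standard clustering rule but is an assumption here, not the paper's stated method.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data): (inputs, outputs), amounts
# in satoshi. 'victim*' pay ransom addresses 'r*'; 'r*' forward to collector 'c1'.
TXS = [
    (["victim1"], [("r1", 50_000_000)]),
    (["victim2"], [("r2", 50_000_000)]),
    (["victim3"], [("r3", 100_000_000)]),
    (["r1", "r2"], [("c1", 99_000_000)]),                    # r1, r2 co-spent
    (["r3"], [("c1", 60_000_000), ("r4", 39_000_000)]),      # change to r4
    (["r4"], [("x1", 38_000_000)]),                          # r4 -> exchange
]

def expand_addresses(seeds, txs):
    """Expand seeds with the common-input-ownership heuristic (assumption:
    addresses spent together in one transaction share an owner), iterating
    to a fixpoint so chains of co-spends are followed."""
    cluster = set(seeds)
    changed = True
    while changed:
        changed = False
        for inputs, _ in txs:
            if cluster.intersection(inputs) and not cluster.issuperset(inputs):
                cluster.update(inputs)
                changed = True
    return cluster

def outgoing_relationships(cluster, txs):
    """Outgoing-relationships graph: for each destination outside the cluster,
    total satoshi received and the number of cluster transactions feeding it."""
    total, sources = defaultdict(int), defaultdict(int)
    for inputs, outputs in txs:
        if cluster.intersection(inputs):
            for addr, sat in outputs:
                if addr not in cluster:
                    total[addr] += sat
                    sources[addr] += 1
    return {a: (total[a], sources[a]) for a in total}

def collector_addresses(graph, min_sources=2):
    """Group outputs: destinations fed by at least min_sources cluster
    transactions are candidate collector addresses."""
    return sorted(a for a, (_, n) in graph.items() if n >= min_sources)

def ransom_revenue(cluster, txs):
    """Lower bound on ransom income: satoshi paid into cluster addresses by
    transactions whose inputs lie entirely outside the cluster."""
    return sum(sat for inputs, outputs in txs if not cluster.intersection(inputs)
               for addr, sat in outputs if addr in cluster)
```

On the constructed data the change address r4 is not co-spent with any cluster member, so the heuristic leaves it outside the cluster and the exchange hop r4 to x1 is invisible to the graph, which is exactly the kind of gap contextual information was needed to close.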
Identifying the Bitcoin transactions used in ransomware attacks can help in understanding the size of the illicit market for ransomware payments and in directing responses more effectively.