Ransomware attacks are among the most severe cyber threats. They have made headlines in recent years by threatening the operation of governments, critical infrastructure, and corporations. Collecting and analyzing ransomware data is an important step towards understanding the spread of ransomware and designing effective defense and mitigation mechanisms. We report on our experience operating Ransomwhere, an open crowdsourced ransomware payment tracker to collect information from victims of ransomware attacks. With Ransomwhere, we have gathered 13.5k ransom payments to more than 87 ransomware criminal actors with total payments of more than $101 million. Leveraging the transparent nature of Bitcoin, the cryptocurrency used for most ransomware payments, we characterize the evolving ransomware criminal structure and ransom laundering strategies. Our analysis shows that there are two parallel ransomware criminal markets: commodity ransomware and Ransomware as a Service (RaaS). We notice that there are striking differences between the two markets in the way that cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency. Although it is relatively easy to identify choke points in commodity ransomware payment activity, it is more difficult to do the same for RaaS.
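The abstract compares the two ransomware markets by revenue per transaction, by how many receiving addresses each actor uses, and by how concentrated the payment stream is (the "choke points" it mentions). The following added example, which is not code from the paper or from the Ransomwhere project, shows the kind of per-family aggregation an analyst would run over a crowdsourced payment list to produce those measures. All records, family labels (`CommodityFam`, `RaaSFam`) and address strings are constructed placeholders, not values from the Ransomwhere dataset.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    family: str   # ransomware family reported by the victim (constructed label)
    address: str  # receiving Bitcoin address (placeholder, not a real address)
    btc: float    # amount paid in BTC
    usd: float    # USD value of the payment at the time it was made


# Constructed sample records. Families and addresses are placeholders,
# not identifiers taken from the Ransomwhere dataset.
SAMPLE_PAYMENTS = [
    Payment("CommodityFam", "addr_c1", 0.05, 2_000.0),
    Payment("CommodityFam", "addr_c1", 0.04, 1_800.0),
    Payment("CommodityFam", "addr_c1", 0.06, 2_200.0),
    Payment("CommodityFam", "addr_c2", 0.05, 2_000.0),
    Payment("RaaSFam", "addr_r1", 10.0, 400_000.0),
    Payment("RaaSFam", "addr_r2", 25.0, 1_000_000.0),
    Payment("RaaSFam", "addr_r3", 15.0, 600_000.0),
]


def summarize_by_family(payments):
    """Per-family payment count, totals, mean revenue per transaction and
    address reuse (payments per distinct receiving address)."""
    acc = defaultdict(lambda: {"payments": 0, "usd": 0.0, "btc": 0.0, "addresses": set()})
    for p in payments:
        t = acc[p.family]
        t["payments"] += 1
        t["usd"] += p.usd
        t["btc"] += p.btc
        t["addresses"].add(p.address)
    summary = {}
    for fam, t in acc.items():
        n_addr = len(t["addresses"])
        summary[fam] = {
            "payments": t["payments"],
            "total_usd": round(t["usd"], 2),
            "total_btc": round(t["btc"], 8),
            "usd_per_payment": round(t["usd"] / t["payments"], 2),
            "distinct_addresses": n_addr,
            "payments_per_address": round(t["payments"] / n_addr, 2),
        }
    return summary


def revenue_concentration(payments, top_n=1):
    """Share of total USD received by the top_n addresses. A share near 1.0
    means a handful of addresses carry the whole stream and are natural
    points for defenders and exchanges to monitor or block."""
    by_addr = defaultdict(float)
    for p in payments:
        by_addr[p.address] += p.usd
    total = sum(by_addr.values())
    if total == 0:
        return 0.0  # no payments: nothing to concentrate
    top = sorted(by_addr.values(), reverse=True)[:top_n]
    return round(sum(top) / total, 4)


def concentration_by_family(payments, top_n=1):
    """Apply revenue_concentration separately to each family's payments."""
    by_family = defaultdict(list)
    for p in payments:
        by_family[p.family].append(p)
    return {fam: revenue_concentration(ps, top_n) for fam, ps in by_family.items()}


if __name__ == "__main__":
    for fam, stats in summarize_by_family(SAMPLE_PAYMENTS).items():
        print(fam, stats)
    print("top-1 address share:", concentration_by_family(SAMPLE_PAYMENTS))
```

On the constructed data the commodity family shows many small payments landing on a reused address (high payments-per-address, top address carrying 75% of revenue), while the RaaS family shows a few large payments to one-off addresses (one payment per address, top address carrying only 50%). That is the pattern the abstract describes: choke points are easy to spot in the first case and much harder in the second.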