New research brings the murky ecosystem of ransomware payments into focus.
Ransomware attacks, which encrypt a computer user’s files and hold them hostage until a ransom is paid, extort millions of dollars from individuals each month and are one of the fastest-growing forms of cyber attack.
In a paper they’ll present at the IEEE Symposium on Security and Privacy in May, researchers provide the first detailed account of the ransomware payment ecosystem, from initial attack to cash-out.
Among the researchers’ key findings is that ransomware campaigns disproportionately affect South Koreans: of the $16 million in ransomware payments the researchers tracked, $2.5 million was paid in South Korea. The paper’s authors call for additional research into why these attacks victimize so many South Koreans and how to protect them.
The team also found that most ransomware operators used a Russian bitcoin exchange, BTC-E, to convert bitcoin to fiat currencies. (BTC-E has since been seized by the FBI.) The researchers estimate that at least 20,000 individuals made ransomware payments over the past two years, at a confirmed cost of $16 million, although the actual payment total is likely far higher.
Damon McCoy, assistant professor of computer science and engineering at the Tandon School of Engineering at New York University, and his collaborators took advantage of the public nature of the bitcoin blockchain technology to trace ransom payments over a two-year period. Bitcoins are the most common currency of ransomware payments, and because most victims do not own them, the initial bitcoin purchase provides a starting point for tracking payments.
Each ransomware victim is typically given a unique bitcoin payment address, controlled by the attackers, at which the ransom is collected. The research team tapped public reports of ransomware attacks to identify these addresses and correlate them with blockchain transactions.
To boost the number of transactions available for analysis, the team also executed real ransomware binaries in a controlled experimental environment, essentially becoming victims themselves and making micropayments to real ransom wallets in order to follow the bitcoin trail.
“Ransomware operators ultimately direct bitcoin to a central account that they cash out periodically, and by injecting a little bit of our own money into the larger flow we could identify those central accounts, see the other payments flowing in, and begin to understand the number of victims and the amount of money being collected,” says McCoy.
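The tracing step described above, reconstructed as an added example that is not the paper's code: a handful of constructed transactions model victims paying unique ransom addresses, the operator sweeping those addresses into one aggregation address, and a cash-out to an exchange deposit address. The seed micropayment (address `R3`), the address names, the `KNOWN_EXCHANGE_DEPOSITS` attribution and the multi-input clustering heuristic are all assumptions made for the illustration; the heuristic is a standard blockchain-analysis technique, not necessarily the authors' exact method.

```python
"""Toy reconstruction of seeded ransom-payment tracing (added example).

Not the paper's code. Amounts are in satoshis; every transaction, address
and the exchange attribution below is constructed for illustration.
"""
from collections import defaultdict

BTC = 100_000_000  # satoshis per bitcoin

# Constructed transactions: inputs/outputs are (address, satoshis) pairs.
TXS = [
    # Victims pay their per-victim ransom addresses R1..R5; R3 receives the
    # researchers' seed micropayment.
    {"txid": "pay1", "inputs": [("victim1", 1 * BTC)], "outputs": [("R1", 1 * BTC)]},
    {"txid": "pay2", "inputs": [("victim2", BTC // 2)], "outputs": [("R2", BTC // 2)]},
    {"txid": "seed", "inputs": [("researcher", BTC // 1000)], "outputs": [("R3", BTC // 1000)]},
    {"txid": "pay4", "inputs": [("victim4", 2 * BTC)], "outputs": [("R4", 2 * BTC)]},
    {"txid": "pay5", "inputs": [("victim5", 3 * BTC // 2)], "outputs": [("R5", 3 * BTC // 2)]},
    # The operator sweeps ransom addresses into a central aggregation address.
    {"txid": "sweep1", "inputs": [("R1", 1 * BTC), ("R2", BTC // 2), ("R3", BTC // 1000)],
     "outputs": [("AGG", 1 * BTC + BTC // 2 + BTC // 1000)]},
    {"txid": "sweep2", "inputs": [("R4", 2 * BTC), ("R5", 3 * BTC // 2)],
     "outputs": [("AGG", 2 * BTC + 3 * BTC // 2)]},
    # Cash-out: the central account pays an exchange deposit address.
    {"txid": "cashout", "inputs": [("AGG", 5 * BTC + BTC // 1000)],
     "outputs": [("EXCH_DEPOSIT", 5 * BTC), ("AGG_change", BTC // 1000)]},
]

KNOWN_EXCHANGE_DEPOSITS = {"EXCH_DEPOSIT"}  # hypothetical attribution list


def cluster_by_common_input(txs):
    """Union-find over input addresses: addresses spent together in one
    transaction are assumed to share an owner (multi-input heuristic).
    Returns address -> cluster root."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    for tx in txs:
        addrs = [a for a, _ in tx["inputs"]]
        for other in addrs[1:]:
            ra, rb = find(addrs[0]), find(other)
            if ra != rb:
                parent[ra] = rb
    return {a: find(a) for a in list(parent)}


def trace_from_seed(txs, seed_addr, known_exchange=frozenset()):
    """Follow a seeded ransom payment to the operator's central account and
    report what else flows into it. Returns None if the seed is unspent."""
    received_by = defaultdict(int)
    for tx in txs:
        for addr, amt in tx["outputs"]:
            received_by[addr] += amt

    # 1. The sweep: whatever transaction spends our ransom address.
    sweeps = [tx for tx in txs if any(a == seed_addr for a, _ in tx["inputs"])]
    if not sweeps:
        return None

    # 2. Central account candidate: the sweep output that receives the most.
    sweep_out = defaultdict(int)
    for tx in sweeps:
        for addr, amt in tx["outputs"]:
            sweep_out[addr] += amt
    central = max(sweep_out, key=sweep_out.get)

    # 3. Every transaction paying into the central account; their inputs are
    #    the other victims' per-victim ransom addresses.
    inflows = [tx for tx in txs if any(a == central for a, _ in tx["outputs"])]
    ransom_addrs = {a for tx in inflows for a, _ in tx["inputs"]}
    total_in = sum(amt for tx in inflows for a, amt in tx["outputs"] if a == central)

    # 4. Cash-out: spends of the central account that land on known exchange
    #    deposit addresses.
    cashouts = [tx for tx in txs if any(a == central for a, _ in tx["inputs"])]
    exchange_hits = sorted({a for tx in cashouts for a, _ in tx["outputs"] if a in known_exchange})

    # 5. Size the operator's address cluster with the common-input heuristic.
    owner = cluster_by_common_input(txs)
    roots = {owner.get(a, a) for a in ransom_addrs | {central}}
    operator_addrs = {a for a, r in owner.items() if r in roots} | ransom_addrs | {central}

    return {
        "central": central,
        "victims_excluding_seed": len(ransom_addrs - {seed_addr}),
        "satoshis_excluding_seed": total_in - received_by[seed_addr],
        "exchange_deposits": exchange_hits,
        "operator_cluster_size": len(operator_addrs),
    }


if __name__ == "__main__":
    print(trace_from_seed(TXS, "R3", KNOWN_EXCHANGE_DEPOSITS))
```

Two caveats a practitioner would keep in mind: the common-input heuristic links only addresses that are co-spent, so a single-input cash-out (as in `cashout` above) does not tie the change address to the operator, and CoinJoin-style transactions deliberately break the heuristic; and the seed approach only works once the operator has actually swept the seeded address, which is why the function returns None for an unspent address.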
The research team acknowledges that ethical issues prevent exploration of certain aspects of the ransomware ecosystem, including determining the percentage of victims who actually pay to recover their files. McCoy explains that despite having the ability to check for activity connected to a specific payment address, doing so would effectively “start the clock” and potentially cause victims to either pay a double ransom or lose the opportunity to recover their files altogether.
Funding for the research came from the National Science Foundation, Google, and Comcast. Additional contributors to the research are from the University of California, San Diego; Princeton University; Google; and the blockchain analytics firm Chainalysis.
Source: Hallie Kapner for New York University