The murky ecosystem of ransomware payments comes into focus in new research led by Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering.
Ransomware attacks encrypt and hold a computer user’s files hostage in exchange for payment. The attacks extort millions of dollars from individuals each month. As a category, ransomware comprises one of the fastest-growing forms of cyber attack.
In a paper destined for presentation at the IEEE Symposium on Security and Privacy in May, McCoy and a team including researchers from the University of California, San Diego, Princeton University Google, and blockchain analytics firm Chainalysis provide the first detailed account of the ransomware payment ecosystem, from initial attack to cash-out.
According to McCoy: “Ransomware operators ultimately direct bitcoin to a central account that they cash out periodically, and by injecting a little bit of our own money into the larger flow we could identify those central accounts, see the other payments flowing in, and begin to understand the number of victims and the amount of money being collected.”
Selected key findings
Amongst the most striking findings are:
- the discovery that South Koreans are disproportionately impacted by ransomware campaigns ($2.5M of the $16M in ransomware payments tracked by the researchers was paid in South Korea
- most ransomware operators used a Russian bitcoin exchange, BTC-E (now seized by the FBI), to convert bitcoin to fiat currencies; the research estimates at least 20,000 individuals made ransomware payments over the past two years, at a confirmed cost of $16 million (the true payment total is likely higher).
McCoy and his collaborators took advantage of the public nature of the bitcoin blockchain technology. Bitcoins are the most common currency of ransomware payments. Because most victims do not own them, the initial bitcoin purchases provide a starting point for tracking payments. In addition, each ransomware victim often receives a unique payment address. This directs payments direct to a bitcoin wallet from where the ransomers collect their ill-gotten gains.
Tracing ransomware payments
The researchers traced ransom payments over a two-year period. The research team tapped public reports of ransomware attacks to identify these addresses and correlate them with blockchain transactions.
To boost the number of transactions available for analysis, the team executed real ransomware binaries in a controlled experimental environment. In effect they made:
- victims of themselves
- micropayments to real ransom wallets in order to follow the bitcoin trail.
The research team acknowledges that ethical issues prevent exploration of certain aspects of the ransomware ecosystem. This includes not being ‘able’ to investigate the percentage of victims who actually pay to recover files. Despite having the ability to check for activity connected to a specific payment address. Doing so would ‘start the clock’ and potentially cause victims:
- either to pay a double ransom
- or lose the opportunity to recover their files.
What does this mean
Ransomware payments research matters. Understanding the criminal use of cryptocurrencies, one of McCoy’s research foci (he and fellow researchers previously tracked human traffickers through their use of Bitcoin advertising), assists those who are trying to build legal and dependable systems.
The paper’s authors call for additional research to determine the reason that so many South Koreans suffer and how to protect them. While it is unfortunate that South Koreans become victims, it is as important to draw lessons applicable to all.
For blockchain advocates the concern has to be that cryptocurrencies and cryptoexchanges are poisoning the well of potential distributed ledger applications. If one adds other complications (for example the GDPR v blockchain contradictions), there ‘may’ come a time when the risks and difficulties of blockchain outweigh its usefulness.
