
Analysis Reveals Ransomware Payment, Support Networks

[Image: Hacker (bykst, Pixabay)]

23 March 2018. In a two-year study, engineers and computer scientists trace the networks used by perpetrators to break in, encrypt, and hold for ransom the contents of personal or business computer systems, a growing form of cyber attack. The team from New York University and other institutions and companies plan to describe their analysis at this year’s IEEE Symposium on Security and Privacy, in May 2018 in San Francisco.

The practice known as ransomware is a form of high-tech extortion in which malware, an unwanted malicious file placed on a computer system, locks up the system and encrypts its files. The perpetrator then holds the affected system hostage in exchange for a ransom. While ransomware goes back to 2005, according to Wired magazine, the emergence of cryptocurrencies like Bitcoin is making the practice more common, and thus more of a threat to individuals, businesses, and institutions.

Researchers led by computer scientist Damon McCoy at New York University — joined by colleagues from Princeton University, University of California in San Diego, Google, and the blockchain cybersecurity company Chainalysis in New York — uncovered the payment networks and support ecosystem used by ransomware attackers. The team says it’s the first end-to-end investigation of ransomware networks, tracking not only the revenues paid by ransomware victims, but also the affiliates and infrastructure making the practice happen.

McCoy and colleagues gained access to a variety of data sources, including ransomware victims and databases tracking Bitcoin payments. Their sources cover ransomware binary code, victims’ locations and payments, and a large database of Bitcoin addresses and owners maintained by Chainalysis. While Bitcoins are used by perpetrators to disguise the identities of payments’ recipients, their transactions can be clustered and traced, offering a money trail that the researchers followed. That money trail, from the acquisition of Bitcoins by victims to cashing out Bitcoins by perpetrators, says the team, provides details including geographic locations of victims and intermediaries.

“Ransomware operators ultimately direct Bitcoin to a central account that they cash out periodically,” says McCoy in a university statement, “and by injecting a little bit of our own money into the larger flow we could identify those central accounts, see the other payments flowing in, and begin to understand the number of victims and the amount of money being collected.”

The researchers found during this two-year period an extensive pattern of ransomware, which shows little sign of abating. Their results show nearly 20,000 systems were attacked, with ransom payments totaling some $16 million. Systems in South Korea were particularly common targets of ransomware. The team estimates South Koreans paid some $2.5 million for a type of ransomware known as Cerber, accounting for about one-third (34%) of the funds paid as ransom from these attacks.

The team’s analysis also revealed that a Russian exchange known as BTC-e was a favorite among ransomware perpetrators for exchanging Bitcoin into cash. In July 2017, federal authorities fined BTC-e $110 million and indicted its operator Alexander Vinnik for violating money laundering laws. Vinnik was arrested in Greece, where he was on vacation, and BTC-e has since shut down.

The team identified potential intervention points to disrupt the payment flows on which perpetrators rely. However, the authors point out ethical issues that authorities need to consider before taking down ransomware networks. For example, interrupting payment networks could increase ransom demands and financial burdens on victims, and prevent them from acquiring the encryption keys to unlock their files.
