Tracking Ransomware End-to-end

Danny Y. Huang
Maxwell Matthaios Aliapoulios
Vector Guo Li
Kylie McRoberts
Jonathan Levin
Kirill Levchenko
Alex C. Snoeren
Damon McCoy
Security & Privacy 2018 (2018)

Abstract

Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a cryptocurrency such as bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of bitcoin addresses annotated with their owners, we sketch the outlines of this burgeoning ecosystem and associated third-party infrastructure. In particular, we trace the financial transactions, from the moment victims acquire bitcoins, to when ransomware operators cash them out. We find that many ransomware operators cashed out using BTC-e, a now-defunct bitcoin exchange. In total we are able to track over $16 million in likely ransom payments made by 19,750 potential victims during a two-year period. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal operations that have similarly adopted bitcoin as their payment channel.
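As an added illustration (not code from the paper), the following Python sketches the forward-tracing idea the abstract describes: starting from seed ransom addresses, follow spending transactions through an owner-annotated transaction graph until the coins reach an address labelled as an exchange. Every address, amount and owner label below is constructed, and the simple "all outputs of a spending transaction are tainted" rule is an assumption for the sketch, not the authors' method.

```python
from collections import defaultdict, deque

# Constructed sample transaction graph (not real chain data).
# Each transaction spends from input addresses and pays output addresses (BTC).
TXS = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": [("ransom1", 1.0)]},
    {"txid": "t2", "inputs": ["victimB"], "outputs": [("ransom1", 0.5)]},
    {"txid": "t3", "inputs": ["ransom1"], "outputs": [("hop1", 1.4), ("change1", 0.1)]},
    {"txid": "t4", "inputs": ["hop1"], "outputs": [("btce_dep", 1.0), ("hop2", 0.4)]},
    {"txid": "t5", "inputs": ["hop2"], "outputs": [("other_ex", 0.4)]},
    {"txid": "t6", "inputs": ["unrelated"], "outputs": [("btce_dep", 2.0)]},  # not ransom-derived
]

# Constructed owner annotations, standing in for an address-to-owner database.
OWNERS = {"btce_dep": "BTC-e", "other_ex": "ExchangeX"}
# Constructed seed ransom address (what a seed payment would reveal).
SEED_RANSOM = {"ransom1"}


def ransom_received(txs, seeds):
    """Total BTC paid into the seed ransom addresses (the 'victim side')."""
    return sum(amt for tx in txs for addr, amt in tx["outputs"] if addr in seeds)


def trace_cashouts(txs, owners, seeds):
    """Forward-trace coins from seed ransom addresses to annotated cash-out points.

    Returns ({owner_label: btc_reaching_it}, set_of_traced_addresses).
    Assumed simplification: every output of a transaction that spends a traced
    address is itself treated as traced; unrelated funds are never visited.
    """
    spends = defaultdict(list)          # address -> transactions spending it
    for tx in txs:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    cashout, seen, done_tx = defaultdict(float), set(seeds), set()
    queue = deque(seeds)
    while queue:
        for tx in spends[queue.popleft()]:
            if tx["txid"] in done_tx:   # avoid double-counting a multi-input tx
                continue
            done_tx.add(tx["txid"])
            for out_addr, amt in tx["outputs"]:
                if out_addr in owners:  # reached an annotated cash-out address
                    cashout[owners[out_addr]] += amt
                elif out_addr not in seen:
                    seen.add(out_addr)
                    queue.append(out_addr)
    return dict(cashout), seen
```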