Tracking Ransomware End-to-end
Venue
Security & Privacy 2018 (2018)
Publication Year
2018
Authors
Danny Y. Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy
Abstract
Ransomware is a type of malware that encrypts the files of infected hosts and
demands payment, often in a cryptocurrency such as bitcoin. In this paper, we
create a measurement framework that we use to perform a large-scale, two-year,
end-to-end measurement of ransomware payments, victims, and operators. By combining
an array of data sources, including ransomware binaries, seed ransom payments,
victim telemetry from infections, and a large database of bitcoin addresses
annotated with their owners, we sketch the outlines of this burgeoning ecosystem
and associated third-party infrastructure. In particular, we trace the financial
transactions, from the moment victims acquire bitcoins, to when ransomware
operators cash them out. We find that many ransomware operators cashed out using
BTC-e, a now-defunct bitcoin exchange. In total we are able to track over $16
million in likely ransom payments made by 19,750 potential victims during a
two-year period. While our study focuses on ransomware, our methods are potentially
applicable to other cybercriminal operations that have similarly adopted bitcoin as
their payment channel.