New research brings the shady ecosystem of ransomware payments into focus.
Ransomware attacks, which encrypt a computer user’s files and hold them hostage in exchange for a payment, extort millions of dollars from individuals every month and now rank among the fastest-growing forms of cyber attack.
In a research paper to be presented at the IEEE Symposium on Security and Privacy in May, researchers provide the first detailed account of the ransomware payment ecosystem, from the initial attack to the cash-out stage.
The researchers’ key findings include the discovery that ransomware campaigns disproportionately affect South Koreans: $2.4 million of the $17 million in ransomware payments the researchers tracked was paid in South Korea.
The research paper’s authors call for additional research to determine the reason that these attacks victimize so many South Koreans, and how to protect them.
The researchers further estimate that at least twenty thousand individuals made ransomware payments over the past two years, at a confirmed cost of $17 million, although the actual payment total is likely far higher.
Damon McCoy, assistant professor of computer science and engineering at the Tandon School of Engineering at New York University, and his collaborators took advantage of the public nature of the bitcoin blockchain to trace ransom payments over a two-year period. Bitcoin is currently the most common currency for ransomware payments, and because most victims don’t already own any, the initial bitcoin purchase provides a starting point for tracking payments.
Each ransomware victim is typically given a unique payment address that points to a bitcoin wallet where the attackers collect the ransom. The research team mined public reports of ransomware attacks to identify these addresses and correlate them with blockchain transactions.
To increase the number of transactions available for analysis, the team also executed real ransomware binaries in a controlled experimental environment, essentially becoming victims themselves and making micropayments to real ransom wallets in order to follow the bitcoin trail.
“Ransomware operators inevitably direct bitcoin to a central bank account that they cash out periodically, and by injecting a little bit of our own funds into the larger flow we could identify those central accounts, see the other payments flowing in, and begin to understand the number of victims and the amount of funds being collected,” stated Damon McCoy, an assistant professor of computer science at the NYU Tandon School of Engineering.
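The tracing approach described above, reduced to a toy blockchain ledger as an added example (this is not the paper’s code, and every address, amount and transaction below is constructed for illustration): seed addresses known from public reports and from our own micropayment are expanded with the common-input-ownership heuristic, the sweep into a central account is detected, and the victim count and total are estimated with our own seeded payment excluded.

```python
# Constructed toy ledger: each transaction spends its inputs and pays its outputs (BTC).
# Address names and amounts are placeholders, not real blockchain data.
TXS = [
    {"in": {"victim_exchange_1": 0.50}, "out": {"ransom_addr_1": 0.50}},
    {"in": {"victim_exchange_2": 0.50}, "out": {"ransom_addr_2": 0.50}},
    {"in": {"victim_exchange_3": 0.50}, "out": {"ransom_addr_3": 0.50}},  # victim not in any report
    {"in": {"researcher_wallet": 0.01}, "out": {"ransom_addr_4": 0.01}},  # our own micropayment
    {"in": {"ransom_addr_1": 0.50, "ransom_addr_2": 0.50,
            "ransom_addr_3": 0.50, "ransom_addr_4": 0.01},
     "out": {"collector": 1.51}},                                         # operator sweeps funds
    {"in": {"collector": 1.51}, "out": {"cashout_exchange": 1.51}},       # periodic cash-out
    {"in": {"other_a": 2.00}, "out": {"other_b": 2.00}},                  # unrelated traffic
]
SEEDS = {"ransom_addr_1", "ransom_addr_2", "ransom_addr_4"}  # public reports + our payment
OUR_ADDRESSES = {"researcher_wallet"}                          # exclude our seeded funds

def cospend_cluster(seeds, txs):
    """Common-input-ownership heuristic: all inputs of one transaction are assumed to be
    controlled by the same entity, so any address spent together with a known ransom
    address joins the operator's cluster. Iterates until no new address appears."""
    cluster = set(seeds)
    while True:
        grown = {a for tx in txs if set(tx["in"]) & cluster for a in tx["in"]}
        if grown <= cluster:
            return cluster
        cluster |= grown

def collectors(cluster, txs):
    """Central accounts: outputs of transactions funded entirely from cluster addresses."""
    return {a for tx in txs if set(tx["in"]) <= cluster for a in tx["out"]}

def victim_payments(cluster, txs, exclude):
    """Count payments into the cluster from outside it, skipping our own micropayments.
    Returns (number_of_paying_transactions, total_btc)."""
    count, total = 0, 0.0
    for tx in txs:
        payers = set(tx["in"])
        if payers & cluster or payers & exclude:
            continue
        paid = sum(v for a, v in tx["out"].items() if a in cluster)
        if paid > 0:
            count, total = count + 1, total + paid
    return count, round(total, 8)

def cashout_destinations(central, txs):
    """Where the central accounts send funds next (typically an exchange)."""
    return {a for tx in txs if set(tx["in"]) & central for a in tx["out"]} - central

if __name__ == "__main__":
    cluster = cospend_cluster(SEEDS, TXS)
    central = collectors(cluster, TXS)
    print("operator cluster:", sorted(cluster))
    print("central accounts:", central, "cash-out to:", cashout_destinations(central, TXS))
    print("victims, total BTC:", victim_payments(cluster, TXS, OUR_ADDRESSES))
```

The unreported victim is recovered only because the sweep transaction co-spent its ransom address with the seeded ones, which is exactly what injecting a traceable micropayment buys the analyst.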
The research team acknowledges that ethical issues prevent exploration of certain aspects of this ransomware ecosystem, including determining the percentage of victims who actually pay to recover their files.
McCoy further explains that although the team could check for activity connected to a specific payment address, doing so would effectively start the ransom countdown and could cause victims either to pay a double ransom or to lose the “opportunity” to recover their files altogether.