On the Economic Significance of Ransomware Campaigns: A Bitcoin Transactions Perspective

TL;DR

This paper analyzes Bitcoin transactions related to ransomware campaigns, presenting a framework to identify and classify ransom payments, and provides an economic impact assessment along with a dataset of relevant Bitcoin addresses.

Contribution

It introduces a novel lightweight framework for identifying and analyzing Bitcoin addresses involved in ransomware payments, validated against existing literature.

Findings

The framework accurately classifies ransom payments.

Economic impact estimates align with previous studies, with some valuation differences.

Dataset of Bitcoin addresses for multiple ransomware campaigns is released.

Abstract

Bitcoin cryptocurrency system enables users to transact securely and pseudo-anonymously by using an arbitrary number of aliases (Bitcoin addresses). Cybercriminals exploit these characteristics to commit immutable and presumably untraceable monetary fraud, especially via ransomware; a type of malware that encrypts files of the infected system and demands ransom for decryption. In this paper, we present our comprehensive study on all recent ransomware and report the economic impact of such ransomware from the Bitcoin payment perspective. We also present a lightweight framework to identify, collect, and analyze Bitcoin addresses managed by the same user or group of users (cybercriminals, in this case), which includes a novel approach for classifying a payment as ransom. To verify the correctness of our framework, we compared our findings on CryptoLocker ransomware with the results presented in the literature. Our results align with the results found in the previous works except for the final valuation in USD. The reason for this discrepancy is that we used the average Bitcoin price on the day of each ransom payment whereas the authors of the previous studies used the Bitcoin price on the day of their evaluation. Furthermore, for each investigated ransomware, we provide a holistic view of its genesis, development, the process of infection and execution, and characteristic of ransom demands. Finally, we also release our dataset that contains a detailed transaction history of all the Bitcoin addresses we identified for each ransomware.