Unveiling Dynamics and Patterns: A Comprehensive Analysis of Spreading Patterns and Similarities in Low-Labelled Ransomware Families
Francesco Zola, Mikel Gorricho, Jon Ander Medina, Lander Segurola, Raul Orduna-Urrutia

TL;DR
This paper analyzes Bitcoin transaction graphs of low-labelled ransomware families to identify payment patterns and similarities, revealing potential common control mechanisms and aiding in understanding ransomware evolution and operations.
Contribution
It introduces a novel method for analyzing address behaviors in transaction graphs to detect similarities among ransomware strains, enhancing understanding of their operational mechanisms.
Findings
Ransomware families can connect with millions of addresses rapidly.
Multiple-step analysis is often needed to understand connections.
Behaviors can effectively reveal similarities among different strains.
Abstract
Ransomware has become one of the most widespread threats, primarily due to its easy deployment and the accessibility to services that enable attackers to raise and obfuscate funds. This latter aspect has been significantly enhanced with the advent of cryptocurrencies, which, by fostering decentralisation and anonymity, have transformed this threat into a large-scale outbreak. However, recent reports indicate that a small group of individuals dominate the ransomware ecosystem and try to obfuscate their activity using multiple strains characterised by a short time to live. This scenario suggests that different strains could share mechanisms in ransom collection, fund movement, and money laundering operations. For this reason, this study aims to analyse the address-transaction graphs generated in the Bitcoin network by low-labelled ransomware families. Our goals are to identify payment…
Taxonomy
Topics: Advanced Malware Detection Techniques · Cybercrime and Law Enforcement Studies · Spam and Phishing Detection
