Showing the Receipts: Understanding the Modern Ransomware Ecosystem

TL;DR

This paper introduces new methods to identify and analyze ransomware payments, resulting in the largest public dataset of over $900 million, which enhances understanding of ransomware group activities over time.

Contribution

The paper presents novel techniques for detecting ransomware payments with low false positives and releases the largest public dataset of ransomware transactions to date.

Findings

Classified nearly $700 million in previously unreported ransomware payments.

Published the largest public dataset of over $900 million in ransomware payments.

Provided insights into ransomware group behaviors over time.

Abstract

Ransomware attacks continue to wreak havoc across the globe, with public reports of total ransomware payments topping billions of dollars annually. While the use of cryptocurrency presents an avenue to understand the tactics of ransomware actors, to date published research has been constrained by relatively limited public datasets of ransomware payments. We present novel techniques to identify ransomware payments with low false positives, classifying nearly \$700 million in previously-unreported ransomware payments. We publish the largest public dataset of over \$900 million in ransomware payments -- several times larger than any existing public dataset. We then leverage this expanded dataset to present an analysis focused on understanding the activities of ransomware groups over time. This provides unique insights into ransomware behavior and a corpus for future study of ransomware cybercriminal activity.