Ransomware attacks, which encrypt and hold a computer user’s files hostage in exchange for payment, comprise one of the fastest growing forms of cyber-attacks today.
Researchers from the NYU Tandon School of Engineering have studied ransomware payments learning that $16 million in ransomware payments have been tracked in the past two years by researchers with South Korea paying about $2.5 million as the country has been hard hit by the impact of ransomware.
Researchers found that most ransomware operators used the Russian bitcoin exchange, BTC-E, to convert bitcoin to fiat currencies. Subsequently, BTC-E has since been seized by the FBI. Researchers estimate that at least 20,000 individuals made ransomware payments over the past two years and more than likely the $16 million number is actually much higher than those reported.
The NYU Tandon researchers were able to track the payments over a two-year period due to the public nature of bitcoin blockchain technology. Bitcoin is the most common currency of ransomware payments because most victims do not own them and the initial bitcoin purchase provides a starting point for tracking payments. Each ransomware victim is often given a unique payment address that directs to a bitcoin wallet where the ransom is collected. Researchers used public reports of ransomware attacks and correlated them with the blockchain transactions.
Furthermore, researchers executed real ransomware binaries in a controlled environment — essentially becoming victims themselves and making micropayments to real ransom wallets in order to follow the bitcoin trail.
"Ransomware operators ultimately direct bitcoin to a central account that they cash out periodically, and by injecting a little bit of our own money into the larger flow we could identify those central accounts, see the other payments flowing in, and begin to understand the number of victims and the amount of money being collected," says Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering and who led the research.
Researchers will detail their findings at the upcoming IEEE Symposium on Security and Privacy taking place May 21-23.