Unveiling Dynamics and Patterns: A Comprehensive Analysis of Spreading Patterns and Similarities in Low-Labelled Ransomware Families
Francesco Zola, Mikel Gorricho, Jon Ander Medina, Lander Segurola, Raul Orduna-Urrutia
TL;DR
The paper investigates whether low-labelled ransomware families show shared dynamics in ransom collection and fund laundering within the Bitcoin network. It builds address-transaction graphs from seed addresses, defines seven local-topology behaviours, and analyzes 2-step spreading patterns to compare across families using PCA and Euclidean distance. Key contributions include a taxonomy of spreading patterns (slow, moderate, fast, exFast) and a behavioural distribution framework that clusters related families and reveals cross-strain similarities, including patterns associated with money laundering. The study provides a scalable, graph-based approach that can aid law enforcement in tracing ransomware operations and understanding common structural mechanisms across strains, while acknowledging limitations and outlining avenues for future enhancement.
Abstract
Ransomware has become one of the most widespread threats, primarily due to its easy deployment and the accessibility to services that enable attackers to raise and obfuscate funds. This latter aspect has been significantly enhanced with the advent of cryptocurrencies, which, by fostering decentralisation and anonymity, have transformed this threat into a large-scale outbreak. However, recent reports indicate that a small group of individuals dominate the ransomware ecosystem and try to obfuscate their activity using multiple strains characterised by a short time to live. This scenario suggests that different strains could share mechanisms in ransom collection, fund movement, and money laundering operations. For this reason, this study aims to analyse the address-transaction graphs generated in the Bitcoin network by low-labelled ransomware families. Our goals are to identify payment spreading patterns for evaluating the evolution of ransomware families and to detect similarities among different strains that potentially can be controlled by the same attacker. Specifically, this latter task assigns an address behaviour to each node in the address-transaction graphs according to its dynamics. The distribution of the behaviours in each strain is finally used to evaluate the closeness among different ransomware families. Our findings show that although ransomware families can quickly establish connections with millions of addresses, numerous families require multiple-step analysis. Furthermore, the study demonstrates that the introduced behaviours can effectively be used to highlight similarities among different ransomware strains. The outcome shows that families are similar primarily due to behaviours usually associated with ransom collection and money laundering operations.+