
Showing the Receipts: Understanding the Modern Ransomware Ecosystem

Jack Cable, Ian W. Gray, Damon McCoy

TL;DR

The paper tackles the lack of transparent public data on modern ransomware payments and the need to quantify the ransomware economy. It introduces negotiator-centric heuristics that trace ransomware payments on the public Bitcoin blockchain, focusing on clusters likely tied to negotiators and OTC desks. Using these methods, it identifies over 700 million USD in payments and releases the largest public dataset to date (approximately 917 million USD across 1,013 addresses), enabling large-scale ecosystem analyses. Findings reveal rising ransom amounts, extensive overlap and rebranding among families, and varying splitting practices, with implications for research and policy.

Abstract

Ransomware attacks continue to wreak havoc across the globe, with public reports of total ransomware payments topping billions of dollars annually. While the use of cryptocurrency presents an avenue to understand the tactics of ransomware actors, to date published research has been constrained by relatively limited public datasets of ransomware payments. We present novel techniques to identify ransomware payments with low false positives, classifying nearly $700 million in previously unreported ransomware payments. We publish the largest public dataset of over $900 million in ransomware payments -- several times larger than any existing public dataset. We then leverage this expanded dataset to present an analysis focused on understanding the activities of ransomware groups over time. This provides unique insights into ransomware behavior and a corpus for future study of ransomware cybercriminal activity.

Paper Structure (20 sections, 9 figures, 4 tables)

This paper contains 20 sections, 9 figures, 4 tables.

Figures (9)

  • Figure 1: Ransomware payment process.
  • Figure 2: Methodology for identification of ransomware payments.
  • Figure 3: ECDF of the percent of outgoing payment values labeled by Analysis Firm B as ransomware, high-risk, and low-risk.
  • Figure 4: Ransom payments received over time.
  • Figure 5: Mean and median ransom payments over time.