Jack Cable and Kris Oosthoek
April 15, 2022 at 11:00 AM on Zoom / Soda Hall
Ransomware: A Tale of Two Markets
Abstract: Ransomware attacks are among the most severe cyber threats. They have made headlines in recent years by threatening the operation of governments, critical infrastructure, and corporations. Collecting and analyzing ransomware data is an important step towards understanding the spread of ransomware and designing effective defense and mitigation mechanisms. We report on our experience operating Ransomwhere, an open crowdsourced ransomware payment tracker to collect information from victims of ransomware attacks. With Ransomwhere, we have gathered 13.5k ransom payments to more than 87 ransomware criminal actors with total payments of more than $101 million. Leveraging the transparent nature of Bitcoin, the cryptocurrency used for most ransomware payments, we characterize the evolving ransomware criminal structure and ransom laundering strategies. Our analysis shows that there are two parallel ransomware criminal markets: commodity ransomware and Ransomware as a Service (RaaS). We notice that there are striking differences between the two markets in the way that cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency. Although it is relatively easy to identify choke points in commodity ransomware payment activity, it is more difficult to do the same for RaaS.
Bio: Jack Cable is a hacker who works at the intersection of cybersecurity and public policy. He most recently was a security architect at the Krebs Stamos Group. Jack has worked on the Cybersecurity and Infrastructure Security Agency's election security team and at the Defense Digital Service. Jack holds a B.S. in computer science from Stanford University, and does research in election security, computer security, and mis/disinformation. Website: cablej.io
Bio: Kris Oosthoek is Cyber Threat Intelligence lead with the Dutch government. He is a part-time PhD candidate at Delft University of Technology. His research focuses on cyber-criminal use of Bitcoin. Kris has worked in various technical positions based from the US, UK and Afghanistan. He holds an MSc from Erasmus University and several commercial cyber security certifications such as CISSP, GICSP, GCTI, GXPN, GRID. Website: krisk.io