Fraud Management & Cybercrime , Ransomware

Ransomware Payments: Where Have All the Bitcoins Gone?

Researchers Track Cryptocurrency Ransoms Paid by Cerber, Locky and Other Victims
Ransomware Payments: Where Have All the Bitcoins Gone?

Ransomware isn't an easy area to study. Organizations and individuals that fall victims to file-encrypting malware rarely publicize their anguish, and cybercriminals running ransomware campaigns don't publish annual revenue reports.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

Some researchers estimate that ransomware is a billion-dollar industry, although no one knows for sure.

But a new study due to be presented at the IEEE Symposium on Security and Privacy in May in San Francisco contains new insights into the economy and infrastructure behind ransomware, which may help information security experts to design better defenses against it (see Ransomware Outlook: 542 Crypto-Lockers and Counting).

The study comes from researchers at Princeton University, New York University, the University of California San Diego, Google and Chainalysis, which specializes in blockchain-analysis tools. The researchers sought to study the entire cycle of ransomware from the point at which a computer is infected to final destination of ransom funds.

Over the two-year period covered by the study, the researchers conclude that at least $16 million in ransoms was paid by 19,750 likely victims. South Korea appeared to be a disproportionately affected locale, with $2.5 million in payments alone going to whoever was running the family of ransomware known as Cerber, according to the study.

Damon McCoy

Damon McCoy, an assistant professor in the computer science and engineering department at New York University and one of the study's 10 co-authors, says the study is a very conservative snapshot of the ransomware economy.

"It's definitely an underestimate, but it's nice in that it's a rigorous underestimate," McCoy says. "We can fairly confidently say they made no less than that $16 million, which is nice because a lot of these other studies throw out these huge numbers of billions of dollars but not supported by any rigorous measurement or methodology."

Follow the Blockchain Trail

Criminals have, at least historically, typically demanded ransoms payable in the virtual cryptocurrency called bitcoin (see Bitcoin's Reign on the Dark Web May Be Waning). Bitcoin transactions are pseudonymous: payments are made from one 32-character address to another, which are recorded in the blockchain, which is the digital ledger of all bitcoin transactions.

The researchers' study relied on taking bitcoin addresses supplied to ransomware victims and tracing the payments and transfers through bitcoin's blockchain. The researchers also purposely infected their own test machines and made micropayments in bitcoin to see where the money flowed.

Paper: "Tracking Ransomware End-to-End."

Finding real victims, and the bitcoin addresses supplied to them, proved difficult. But researchers collected payment addresses from public reports of ransomware where screenshots of ransom notices had been published, as well as via proprietary data sets of payment addresses.

After a victim pays a ransom to a unique bitcoin address, whoever is running the ransomware campaign typically moves all of the payments into a new, single address, researchers say.

One challenge for criminals who run ransomware campaigns, however, remains converting bitcoins into cash. Virtual currency exchanges are coming under increasing scrutiny from regulators, and many exchanges now follow anti-money laundering and know-your-customer requirements (see Criminals Hide 'Billions' in Cryptocurrency, Europol Warns).

Researchers studied transactions involving clusters of Locky and Cerber ransomware victims who paid a ransom to their attackers.

Unsurprisingly, the most popular destination for bitcoins paid as ransoms was BTC-e. The exchange, which was based in Russia, shut down in July 2017.

That month, the U.S. Department of Justice unsealed an indictment against one of its operators, Alexander Vinnik, on money laundering charges. Vinnik has been charged with laundering funds stolen from Mt. Gox, a Tokyo-based exchange that shut down in 2014 after more than $400 million in bitcoin was stolen (see Feds Indict Russian Over BTC-e Bitcoin Exchange).

BTC-e turned out to be the destination for at least $3.2 million in ransoms paid by victims hit by just Locky ransomware, as well as for the majority of other types of ransomware, the researchers found. Since BTC-e converted bitcoin to fiat currency, it may still hold the records that would be needed to connect anonymous ransomware operators to real people.

Despite the prevalence of ransomware, prosecutions of criminals who run these types of campaigns seems to remain all too rare.

"If law enforcement agencies were able to obtain BTC-e's internal transaction records (which presumably map bitcoin wallet addresses to banking information), they could potentially trace 41 percent of Locky's outflow values to real-world entities," according to the researchers' paper.

Conversion Rates

One interesting statistic the researchers were not able to calculate is an accurate percentage of how many ransomware victims actually pay their attacker, which in marketing parlance is known as attackers' "conversion rate."

The researchers did figure out a method to calculate the conversion rate for a type of ransomware called Cerber, but called off further investigation due to ethical concerns.

The ransom note that Cerber victims see is a unique URL that can be calculated with the right formula, which was reverse-engineered by the researchers. Visiting the URL would indicate whether a victim had paid. But to further pressure victims, a clock starts ticking whenever someone first visits their custom ransom note. Often, it warns that the payment will double if a ransom isn't paid within a set period. Hence if the researchers visited the page, the clock would start ticking for the victims, potentially making it more financially painful for victims considering paying.

"As such, the risks of the analysis outweigh the benefit of estimating the conversion rate," according to the study.

Profitable Industry

Ransomware may increasingly have been displaced in the headlines by malware that mines virtual currency, but McCoy says it doesn't appear the scheme will recede as long as some victims feel an urgency or necessity to pay (see Please Don't Pay Ransoms, FBI Urges).

"Until that day happens, unfortunately we're going to continue to be plagued by ransomware," McCoy says. "As long as there's people that don't backup their files, I think ransomware unfortunately is a going to be a fairly profitable industry."

Executive Editor Mathew Schwartz contributed to this article.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.