Ransomware Payment Tracker: Increasing Visibility into Cybercrime
The Rise of Ransomware and a New Tracking Initiative
Ransomware attacks have surged and become a major source of revenue for cybercriminals, particularly amid the disruption caused by the COVID-19 pandemic; the number of incidents rose markedly throughout 2020.
Recent High-Profile Attacks
This trend of file-encrypting attacks has persisted throughout the current year. Recent events include the compromise of Colonial Pipeline, which necessitated a shutdown of systems and impacted gasoline distribution across the eastern United States.
Similarly, a cyberattack against meat processing company JBS led to the suspension of operations at its facilities globally. Furthermore, a supply chain attack targeting IT vendor Kaseya resulted in numerous downstream victims being locked out of their systems just this month.
Challenges in Assessing the Full Impact
Despite the frequent headlines, a comprehensive understanding of the true impact of ransomware remains elusive. It is also unclear if decisions like paying ransom demands have any measurable effect on the overall situation.
Introducing Ransomwhere: A Crowdsourced Tracking Platform
Jack Cable, a security architect at Krebs Stamos Group and formerly with CISA, has launched Ransomwhere, a crowdsourced website designed to track ransom payments. This initiative aims to address the lack of publicly available data on the financial aspects of these attacks.
Cable explained to TechCrunch that he was motivated by a tweet from Katie Nickels highlighting the unknown extent of cybercrime, especially ransomware. Recognizing the absence of a central repository for this information and the relative ease of tracking bitcoin transactions, he began developing the platform.
How Ransomwhere Works
The website maintains a current record of ransoms paid to cybercriminals in bitcoin. Because bitcoin transactions are recorded on a public ledger, a payment to a known attacker address can be located and its amount confirmed by anyone, which is what makes this kind of tracking possible at all. Data is gathered through self-reported incidents submitted by users.
To ensure data integrity, each submission requires a screenshot of the ransomware payment request. Cable personally reviews every case before it is published. Reports whose authenticity is questioned will be removed from the database.
Data Availability and Intended Use
The growing database, which contains no personally identifiable information, is freely available for download by cybersecurity professionals and law enforcement agencies. Cable hopes this will foster greater transparency regarding the current state of the ransomware problem.
“Data is essential when evaluating the effectiveness of policy changes aimed at altering the economics of ransomware,” Cable stated. “For law enforcement, the ability to recover some payments, as demonstrated in the Colonial Pipeline case, could be further enhanced with this resource.”
Current Ransom Payment Statistics
As of this writing, Ransomwhere is tracking over $32 million in ransom payments for 2021. The majority of these payments have been directed to REvil, a Russia-linked ransomware group responsible for the attacks on JBS and Kaseya.
REvil has accumulated more than $11 million in ransom payments this year, a figure that could increase substantially if their $70 million demand related to the Kaseya attack is fulfilled.
Top Ransomware Groups
Netwalker, a popular ransomware-as-a-service offering, ranks second with over $6.3 million in payments for 2021. Across all years tracked, however, Ransomwhere’s data shows Netwalker has received the highest total, approximately $28 million.
RagnarLocker, DarkSide, and Egregor round out Ransomwhere’s current top five for 2021, having amassed $4.6 million, $4.4 million, and $3.2 million respectively.
Future Development Plans
Cable is exploring partnerships with security and blockchain analysis firms to integrate their existing data on ransomware activity. He is also investigating support for other traceable cryptocurrencies, such as Ethereum, and the ability to track downstream bitcoin addresses.
“Complete tracking is unattainable – criminals utilizing Monero will remain difficult to trace,” Cable acknowledged. “However, my goal is to achieve the most comprehensive picture possible.”
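The three mechanics the article touches on (checking that a submitted bitcoin address is well-formed, totalling what a known attacker address received, and following funds to downstream addresses) are shown below as an added example. This is not Ransomwhere’s own code and is not taken from the site; the ledger, the family name, the victim and hop addresses and all amounts are constructed for illustration, and the one well-formed bitcoin address used as the payout address is a public, well-known address chosen only because it passes the checksum. The address-level graph is a deliberate simplification of real UTXO tracing: it ignores change-address clustering, mixers and multi-input heuristics.

```python
"""Added example (not Ransomwhere's own code): validate reported bitcoin
addresses, total the payments each received, roll totals up per ransomware
family, and follow the funds a few hops downstream.  Everything here runs
against a small hand-constructed ledger; addresses, families and amounts are
illustrative, not real case data."""
import hashlib
from collections import deque

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def is_valid_legacy_address(addr: str) -> bool:
    """Base58Check validation for legacy ('1'/'3') addresses: decode, then
    check that the last 4 bytes equal the first 4 bytes of
    SHA256(SHA256(version || hash160)).  bech32 ('bc1...') addresses are out
    of scope here and are rejected."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # each leading '1' stands for a leading zero byte that the integer lost
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


# Constructed ledger: an address-level view of four transactions.  Amounts are
# in satoshis (1 BTC = 100_000_000) so totals stay exact integers.
# RANSOM_ADDR is a well-known public bitcoin address, used here only as a
# syntactically valid stand-in for an attacker's payout address.
RANSOM_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
TXS = [
    {"txid": "t1", "inputs": ["victim-A-wallet"], "outputs": [(RANSOM_ADDR, 200_000_000)]},
    {"txid": "t2", "inputs": ["victim-B-wallet"], "outputs": [(RANSOM_ADDR, 150_000_000)]},
    # attackers move the funds; the 50_000_000 back to RANSOM_ADDR is change, not a ransom
    {"txid": "t3", "inputs": [RANSOM_ADDR], "outputs": [("hop-1-addr", 300_000_000), (RANSOM_ADDR, 50_000_000)]},
    {"txid": "t4", "inputs": ["hop-1-addr"], "outputs": [("exchange-deposit", 290_000_000), ("hop-2-addr", 10_000_000)]},
]


def received_total(addr: str, txs) -> int:
    """Satoshis paid *into* addr by other parties.  Outputs of a transaction
    that addr itself funded are change and are not counted."""
    total = 0
    for tx in txs:
        if addr in tx["inputs"]:
            continue
        total += sum(v for a, v in tx["outputs"] if a == addr)
    return total


def totals_by_family(reports, txs):
    """Roll up received totals per family.  Reports whose address fails the
    checksum are rejected rather than silently summed to zero."""
    totals, rejected = {}, []
    for r in reports:
        if not is_valid_legacy_address(r["address"]):
            rejected.append(r["address"])
            continue
        totals[r["family"]] = totals.get(r["family"], 0) + received_total(r["address"], txs)
    return totals, rejected


def downstream(addr: str, txs, max_hops: int):
    """BFS over the address graph: every output address of a transaction that
    addr funded is one hop away, and so on.  Returns {address: hops}; change
    sent back to addr itself is not a hop."""
    seen, queue = {}, deque([(addr, 0)])
    while queue:
        cur, d = queue.popleft()
        if d == max_hops:
            continue
        for tx in txs:
            if cur not in tx["inputs"]:
                continue
            for out_addr, _ in tx["outputs"]:
                if out_addr != addr and out_addr not in seen:
                    seen[out_addr] = d + 1
                    queue.append((out_addr, d + 1))
    return seen


if __name__ == "__main__":
    reports = [
        {"family": "ExampleLocker", "address": RANSOM_ADDR},
        {"family": "ExampleLocker", "address": RANSOM_ADDR[:-1] + "b"},  # one typo -> bad checksum
    ]
    print(totals_by_family(reports, TXS))
    print(downstream(RANSOM_ADDR, TXS, max_hops=2))
```

In a real deployment the ledger would come from a full node or a block-explorer API rather than a hand-built list, and the "skip transactions the address funded" rule is only a first approximation of change detection; it is enough to stop the attackers' own consolidation transaction from being counted as a second ransom, which is the most common double-counting mistake when summing payments per address.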