Mapping the Ransomware Payment Ecosystem & Threat Actor Behavior
The Institute for Security and Technology stood up the Ransomware Task Force in April of 2021 to counter the scourge of ransomware. Two years later, we continue our work to mitigate this threat.
At its core, ransomware is an economic endeavor. Thus, one of the most direct ways to disincentivize the use of ransomware is to disrupt the financial processes that facilitate it. Identifying opportunities to weaken the economic incentive structure behind the ransomware threat, however, is only possible with adequate information and a clear picture of the ransomware payment ecosystem. More specifically, we must develop a clear, cooperative, and comprehensive understanding of the steps in the ransomware payment process, the information required and produced at each step, and the entities with visibility into this information.
Last year, IST and Ransomware Task Force members developed a comprehensive map of the ransomware payment ecosystem from attack to cash out. We then identified pieces of information produced at each point in the ransomware payment process, and the entities with visibility into these pieces of information. The result is a comprehensive map of the ransomware payment ecosystem, the first of its kind.
We are currently developing a mini-pilot to align our theoretical map with ransomware threat actor behavior to identify where different types of disruption might be most effective. The pilot also aims to specify key barriers to, and enablers of, ransomware attacks. At Sleuthcon, we hope to present the payment map and paint a clear picture of the people, processes, and information involved in ransomware payments. We will then present the findings from our mini-pilot and illuminate possible friction points, where attendees may be able to contribute by taking action to ultimately change the economic incentive structure around ransomware attacks. The implications of this effort will reach beyond the ransomware ecosystem and highlight the benefits of developing and mapping our understanding of available information for a range of cyberthreats, especially those involving illicit uses of cryptocurrency. Finally, Sleuthcon would give us the opportunity to seek input and feedback on our payment map and identify additional areas for collaboration.