The FBI notes in its annual IC3 report that ransomware is uniquely underreported, and its statistics can’t really be trusted. Various blockchain analysis groups have the means to compile ransomware statistics, but only for a price.
That is unfortunate, as the information would be invaluable as researchers hope to get a handle on the scope of ransomware and what could be done to prevent further outbreaks. A new effort seeks to change that.
“We don’t have at least publicly comprehensive data sets for payments. And without that, it can be hard to gauge the impact of whether what we’re doing makes a difference,” said Jack Cable, a Krebs Stamos Group researcher.
In his spare time Cable’s working on Ransomwhere, an open visualization website analyzing Bitcoin wallet transactions. Cable formally launched the site last week, based on publicly available wallet information, user wallet submissions and bulk information donations from researchers.
If the project goes well, Cable sees it as a means to evaluate the success of different ransomware prevention policies. Right now, it is really just a guess.
“People have proposed different ways of combating ransomware via economic means, whether that’s outright banning payments or other methods, such as [pressuring] Putin to get some of this under control. But we need to actually know how well things are working and whether these actions are changing the game,” said Cable.
Based on limitations in the amount of data Cable has been able to aggregate, the site currently tracks $60 million in ransomware transactions over the course of history. The FBI, in the statistic it worried was wildly underreported, saw $29 million in transactions last year alone. The blockchain analytics group Chainalysis pegs the yearly number at close to $350 million.
The $60 million Cable can currently track is not a representational sample. It’s heavily biased towards a trove of data provided by McAfee concerning the group NetWalker, which currently comprises around $30 million of the total data.
But the site is young, and Cable is reaching out to find new partners to beef up his archive of data. He is currently reaching out to ransomware negotiators, security vendors, and anyone else who sees wallet information in bulk.
McAfee chief scientist Raj Samani says the company is optimistic about Ransomwhere’s potential.
“Any initiatives that provide transparency into the problem is to be applauded,” he said.
Cable said his interest in creating the ransomware site was sparked by a tweet from Red Canary researcher Katie Nickels in early June lamenting the lack of data about ransomware and its impact on potential policy decisions. “No one knows the real impact, so it’s hard to know if actions change that impact or not,” she wrote.
While that is the intended focus of the site, he believes Ransomwhere might provide enterprises with a greater awareness of the effects of paying ransom and contributing to that economy.
One issue Cable foresees as the site grows is that blockchain analysis of this type is really only possible for cryptocurrencies like bitcoin and not those which do a better job protecting privacy. Ransomwhere would need to change tactics if ransomware groups widely adopted Monero, for example.
Until then, McAfee will be eager to help the effort.
“We will share content as long as it does not impinge on open law enforcement investigations,” said Samani.