Discerning payment patterns in Bitcoin from ransomware attacks

DOI: https://doi.org/10.1108/JMLC-02-2020-0012
Published date: 05 July 2020
Pages: 545-589
Authors: Adam B. Turner, Stephen McCombie, Allon J. Uhlmann
Subject matter: Accounting & Finance; Financial risk/company failure; Financial compliance/regulation; Financial crime
Discerning payment patterns in Bitcoin from ransomware attacks
Adam B. Turner, Stephen McCombie and Allon J. Uhlmann
Department of Security Studies and Criminology, Macquarie University, Sydney, Australia
Abstract
Purpose: The purpose of this paper is to investigate available forensic data on the Bitcoin blockchain to identify typical transaction patterns of ransomware attacks. Specifically, the authors explore how distinct these patterns are and their potential value for intelligence exploitation in support of countering ransomware attacks.
Design/methodology/approach: The authors created an analytic framework, the Ransomware-Bitcoin Intelligence-Forensic Continuum framework, to search for transaction patterns in the blockchain records from actual ransomware attacks. Data for a number of different ransomware Bitcoin addresses were extracted to populate the framework, via the WalletExplorer.com programming interface. These data were then assembled into a representation of the target network for pattern analysis on the input (cash-in) and output (cash-out) sides of the ransomware seed addresses. Different graph algorithms were applied to these networks. The results were compared to a control network derived from a Bitcoin charity.
Findings: The findings show discernible patterns in the network relating to the input and output sides of the ransomware graphs. However, these patterns are not easily distinguishable from those associated with the charity Bitcoin address on the input side. Nonetheless, the collection profile over time is more volatile than with the charity Bitcoin address. On the other hand, ransomware output patterns differ from those associated with charity addresses, as the attacker cash-out tactics are quite different from the way charities mobilise their donations. We further argue that an application of graph machine learning provides a basis for future analysis and data refinement possibilities.
Research limitations/implications: Limitations are evident in the sample size of data taken on ransomware campaigns and the control subject. Further analysis of additional ransomware campaigns and control subjects over time would help refine and validate the preliminary observations in this paper. Future research will also benefit from the application of more powerful computing resources and analytics platforms that scale with the amount of data being collected.
Originality/value: This research contributes to the maturity of the field by analysing ransomware-Bitcoin behaviour using the Ransomware-Bitcoin Intelligence-Forensic Continuum. By combining several different techniques to discern patterns of ransomware activity on the Bitcoin network, it provides insight into whether a ransomware attack is occurring and could be used to trigger alerts to seek additional evidence of attack, or could corroborate other information in the system.
Keywords: Bitcoin, Cryptocurrency, Ransomware, Graph analysis, Illicit money flows
Paper type: Research paper
Aleš Janda for the use of the www.walletexplorer.com API to access blockchain data.
Journal of Money Laundering Control
Vol. 23 No. 3, 2020
pp. 545-589
© Emerald Publishing Limited
1368-5201
DOI 10.1108/JMLC-02-2020-0012
Introduction
Ransomware attacks continue to evolve as a significant threat to global cyber security. Although consumer ransomware detection rates declined in 2018, there has been an alarming 365 per cent increase in enterprise detections from quarter two (Q2) 2018 to Q2 2019, and on average since Q4 2017 enterprise detections increased by 112 per cent, according to the August 2019 Malwarebytes ransomware report (Kujawa et al., 2019). Furthermore, the ransomware security expert group, Coverware (2019), shows the average ransom payment inflicted on enterprises in Q2 2019 increased by 184 per cent to US$36,295, in comparison to Q1 2019 when the average payment was US$12,762 (Osborne, 2019). This suggests cybercriminals are increasingly targeting industry, rather than individuals, and enjoying greater return on infections (ROI) (Turner et al., 2019), with the top three industries targeted in the first half of 2019 being governments (27 per cent), manufacturing (20 per cent) and health care (14 per cent) (TrendMicro, 2019; Clay, 2019).
With the threat of ransomware rapidly evolving and new families of malware emerging, it is ever more pertinent to understand the patterns and the footprint these attacks leave in the cryptocurrency ecosystem, in order to understand and possibly circumvent ransomware attacks. In what follows, we rely on various analytic techniques to identify these patterns. We compare the emergent patterns to a control case of a charitable organisation receiving Bitcoin. Specifically, we will examine the time series and network patterns formed during the course of a ransomware campaign. These techniques are performed within the bounds of the Ransomware-Bitcoin Intelligence-Forensic Continuum framework and build on the findings of each other.
The day-of-the-week analysis shows how, over time, ransom is collected into and moved out of a ransom seed address. Specifically, the number of transactions that are used to move funds emerges as important in differentiating ransomware campaigns from the charity control subject. This is due to the unique ways the attackers control the movement of ransomware yields and to the uniformity of demanded ransom amounts compared with the highly variable donation amounts that are collected by the charity.
We then turn to a visual graph representation that reveals both similarities between the collection or cash-in graphs, and the differences in the cash-out graphs between the ransomware campaigns and the charitable organisation.
Building on the graphs created from the data on the Bitcoin blockchain, community detection patterns reveal the dominance of the collection address in the network, with a high in-degree common across the different ransomware and control subjects. However, in the cash-out communities, the patterns show no signs of commonality between them.
By performing graph embedding analysis and visualisation through reduced dimensionality we are able to cluster common nodes and separate out anomalies for further investigation of suspicious activity. We suggest ways to enhance the methodology in future research through an increase in sample size and data labelling. We further suggest that curating blockchain data and meta-data sets and making them openly available for researchers could enhance future practical research.
Ransomware-Bitcoin Intelligence-Forensic Continuum
Figure 1 shows the intelligence-forensic continuum with respect to a ransomware campaign. If we denote the ransomware campaign as commencing at time $t = t_0$, we can then divide our analysis scope into three parts. First, at time $t \le t_0$, Intelligence, Surveillance and Reconnaissance (ISR) is the mode in operation, referring to the reconnaissance and mobilization phase, where behaviours leading to a ransomware campaign could be evident across different campaigns and provide an indicator for future campaigns using intelligence gathered from the Bitcoin blockchain. The time window between $t_0$ and $t_1$ (C2 phase) is seen as the period where ransom collection has hit a maximum and, after a short period of time, new payments to the ransomware seed address(es) taper off. Furthermore, at some time $t \ge t_1$ (actions on objects phase), the perpetrators of the ransomware attack will start to transfer funds collected from the ransom by placing, layering or integrating the collected bitcoin into other wallets in the Bitcoin ecosystem, other cryptocurrency systems or services and possibly even into the traditional economy. Each of these three phases yields a typology of funds movement worth investigating for the purposes of discovering discernible patterns of ransomware activity.
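As an added illustration (not code from the paper), the following Python sketches how the three-phase partition above, together with the day-of-the-week and amount-uniformity comparison described in the Introduction, can be computed over a seed address's transaction history; the ledger, the values of $t_0$ and $t_1$, and the boundary rule (inclusive at $t_0$ and $t_1$) are constructed assumptions.

```python
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample ledger for one seed address (not real blockchain data):
# (UTC timestamp, direction relative to the seed address, amount in BTC).
SAMPLE_TXS = [
    ("2017-05-10T09:00:00", "in", 0.02),   # stray deposit before the campaign
    ("2017-05-12T10:15:00", "in", 0.17),   # ransom payments: near-uniform amounts
    ("2017-05-12T11:40:00", "in", 0.17),
    ("2017-05-13T08:05:00", "in", 0.17),
    ("2017-05-13T19:30:00", "in", 0.18),
    ("2017-05-15T14:00:00", "in", 0.17),
    ("2017-05-20T03:00:00", "out", 0.40),  # cash-out after collection tapers off
    ("2017-05-20T03:10:00", "out", 0.48),
]

def parse(ts):
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

T0 = parse("2017-05-12T00:00:00")  # assumed campaign start t0 (constructed)
T1 = parse("2017-05-16T00:00:00")  # assumed end of collection peak t1 (constructed)

def phase_of(ts, t0, t1):
    """ISR while t <= t0, C2 while t0 < t <= t1, actions on objects after t1."""
    return "ISR" if ts <= t0 else "C2" if ts <= t1 else "actions"

def phase_profile(txs, t0, t1):
    """Transaction count and BTC total per (phase, direction) pair."""
    profile = {}
    for ts, direction, amount in txs:
        key = (phase_of(parse(ts), t0, t1), direction)
        count, total = profile.get(key, (0, 0.0))
        profile[key] = (count + 1, round(total + amount, 8))
    return profile

def day_of_week_profile(txs, direction):
    """Transactions per weekday (Mon=0 .. Sun=6) for one direction."""
    counts = [0] * 7
    for ts, d, _ in txs:
        if d == direction:
            counts[parse(ts).weekday()] += 1
    return counts

def amount_uniformity(amounts):
    """Coefficient of variation: near 0 for uniform ransom-like amounts, large for donation-like spread."""
    if not amounts or mean(amounts) == 0:
        return float("inf")
    return pstdev(amounts) / mean(amounts)
```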
Pattern analysis and findings
Finding patterns in large graph networks and looking at sub-graphs can reveal interesting patterns in the context of Ransomware-Bitcoin behaviour. Comparing the occurrence of such patterns across different ransomware graphs is a powerful way of identifying illicit activity on the Bitcoin network (Fokker and Beek, 2019). The campaigns analysed in this paper are WannaCry, CryptoDefense and NotPetya. These campaigns were chosen due to the limited number of ransom seed addresses used, keeping a manageable limit on the amount of data to analyse. Nonetheless, these attacks still yielded a significant number of transactions collected from victims and also provided evidence of cash-out activity.
The dedicated Bitcoin charity collection address for The Water Project [1] was chosen as a control subject to test the analysis methodology against a Bitcoin address that is not used for ransomware purposes. This charity was chosen over others that accept Bitcoin because it is formally registered as a charity with the Internal Revenue Service in the USA and provides fully auditable financials as a result. The charity has been ongoing for more than ten years and therefore provides a rich source of transactional data. Furthermore, this is in line with an established practice of using charities and similar fund-raising activities as a comparative backdrop in research into money laundering (Evans and Schneider, 2019). The Bitcoin addresses and respective ransomware campaigns analysed are presented in Table 1 and Table 2 below.
Significantly, the time period for the data collected against each of the addresses began prior to and stretched well beyond the identified time period for the ransomware campaign. This way it might be possible to discover what activity on the address may precede or follow the campaign.
Bitcoin research has profitably leveraged sub-graphs on the Bitcoin network. These sub-graphs include peeling activity, where a single Bitcoin address starts with a large amount of Bitcoin and then, bit by bit, small amounts are transferred to another address, and this pattern continues for multiple similar transactions through the constant use of change addresses
Figure 1. Ransomware-Bitcoin Intelligence-Forensic Continuum
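To make the peeling sub-graph concrete, here is an added example (not from the paper) that walks a toy transaction graph and flags a peeling chain, where each hop spends a single change output and emits one small "peel" plus one large change output; the graph, the peel-ratio threshold, the minimum chain length and the single-use change-address assumption are all constructed for illustration.

```python
# Constructed toy transaction graph (not real blockchain data). Each transaction
# lists its input and output (address, BTC) pairs; change addresses are single-use.
TXS = {
    "tx1": {"in": [("seed", 10.0)], "out": [("peel1", 0.5), ("chg1", 9.5)]},
    "tx2": {"in": [("chg1", 9.5)],  "out": [("peel2", 0.4), ("chg2", 9.1)]},
    "tx3": {"in": [("chg2", 9.1)],  "out": [("peel3", 0.6), ("chg3", 8.5)]},
    "tx4": {"in": [("chg3", 8.5)],  "out": [("exit_a", 4.0), ("exit_b", 4.5)]},  # even split ends the chain
    "tx5": {"in": [("donor", 1.0)], "out": [("charity", 1.0)]},                  # ordinary one-output spend
}

def spender_index(txs):
    """Map each address to the txid that spends it (assumes each address is spent at most once)."""
    idx = {}
    for txid, tx in txs.items():
        for addr, _ in tx["in"]:
            idx[addr] = txid
    return idx

def peel_step(tx, peel_ratio):
    """Return (peel_output, change_output) if tx peels a small share off a single input, else None."""
    if len(tx["in"]) != 1 or len(tx["out"]) != 2:
        return None
    small, large = sorted(tx["out"], key=lambda o: o[1])
    if small[1] / (small[1] + large[1]) > peel_ratio:
        return None  # outputs too even to be a peel; treat as end of chain
    return small, large

def peeling_chain(txs, start_addr, peel_ratio=0.2, min_len=3):
    """Follow change outputs from start_addr and return [(txid, peel_addr, peel_btc), ...]
    when at least min_len consecutive peel steps are found, otherwise an empty list."""
    spenders = spender_index(txs)
    chain, addr = [], start_addr
    while addr in spenders:
        step = peel_step(txs[spenders[addr]], peel_ratio)
        if step is None:
            break
        (peel_addr, peel_btc), (change_addr, _) = step
        chain.append((spenders[addr], peel_addr, peel_btc))
        addr = change_addr
    return chain if len(chain) >= min_len else []
```

Each peel address in the returned chain is a candidate cash-out endpoint worth pulling into the output-side graph for the community and embedding analyses the paper describes.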
