Ransomware attacks, fueled by COVID-19 pandemic turbulence, have become a major money earner for cybercriminals, with the number of attacks rising in 2020.
These file-encrypting attacks have continued largely unabated this year, too. In the last few months alone we’ve witnessed the attack on Colonial Pipeline that forced the company to shut down its systems — and the gasoline supply — to much of the eastern seaboard, the hack on meat supplier JBS that abruptly halted its slaughterhouse operations around the world, and just this month a supply chain attack on IT vendor Kaseya that saw hundreds of downstream victims locked out of their systems.
However, while ransomware attacks continue to make headlines, it’s near-impossible to understand their full impact, nor is it known whether taking certain decisions — such as paying the cybercriminals’ ransom demands — makes a difference.
Jack Cable, a security architect at Krebs Stamos Group who previously worked for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is looking to solve that problem with the launch of a crowdsourced ransom payments tracking website, Ransomwhere.
“I was inspired to start Ransomwhere by Katie Nickels’s tweet that no one really knows the full impact of cybercrime, and especially ransomware,” Cable told TechCrunch. “After seeing that there’s currently no single place for public data on ransomware payments, and given that it’s not hard to track bitcoin transactions, I started hacking it together.”
The website keeps a running tally of ransoms paid out to cybercriminals in bitcoin, made possible thanks to the public record-keeping of transactions on the blockchain. As the site is crowdsourced, it incorporates data from self-reported incidents of ransomware attacks, which anyone can submit. However, to make sure all reports are legitimate, each submission must include a screenshot of the ransomware payment demand, and every case is reviewed manually by Cable himself before being made publicly available. If an approved report’s authenticity is later called into question, it will be removed from the database.
The already-burgeoning database, which doesn’t include any personal or victim-identifying information, is available as a free download for the cybersecurity community and law enforcement officials, which Cable hopes will help give some much-needed public transparency about the current state of the problem.
“As we consider policy proposals to change the state of ransomware economics, we will need data to assess whether these actions are successful,” Cable said. “For law enforcement, as we saw with the Colonial Pipeline hack, law enforcement does have the ability to recover some payments, so it would be great if this can further aid their efforts.”
At the time of writing, the site is tracking a total of more than $32 million in ransom payments for 2021. The bulk of these payments have been made to REvil, the Russia-linked ransomware gang that took credit for the JBS and Kaseya hacks. The group has racked up more than $11 million in ransom payments this year, according to Ransomwhere, an amount that could increase dramatically if its recent demands for $70 million as part of the Kaseya attack are met.
Netwalker, one of the most popular ransomware-as-a-service offerings on the dark web, comes in second with more than $6.3 million in payments for 2021, though Ransomwhere’s tally shows that the group has racked up the most ransom payments in total, with roughly $28 million to its name based on the site’s data.
RagnarLocker, DarkSide, and Egregor round out Ransomwhere’s top five list — for now at least — having amassed sums of $4.6 million, $4.4 million, and $3.2 million, respectively.
Cable says that going forward, he’s exploring ways of partnering with companies in the security and blockchain analysis spaces in order to integrate data that they already have on ransomware actions. He’s also looking at ways to support other traceable cryptocurrencies, such as Ethereum, as well as at the potential to track downstream bitcoin addresses.
“It’ll never be possible to get the full picture — criminals who are using Monero will be near-impossible to track,” Cable says. “But I would like to get as complete of a picture as possible.”