On the Economic Significance of Ransomware Campaigns: A Bitcoin Transactions Perspective

Bitcoin cryptocurrency system enables users to transact securely and pseudo-anonymously by using an arbitrary number of aliases (Bitcoin addresses). Cybercriminals exploit these characteristics to commit immutable and presumably untraceable monetary fraud, especially via ransomware. In this paper, we present our comprehensive study on all recent ransomware and report the economic impact of such ransomware from the Bitcoin payment perspective. To this end, we present a lightweight framework to identify, collect, and analyze Bitcoin addresses managed by the same user or group of users (cybercriminals, in our case) and a novel approach for classifying a payment as ransom. To verify the correctness of our approach, we compared our findings on CryptoLocker ransomware with the results presented in the literature. And, we found that our results align with the results presented in the previous works except for the final valuation in USD. Our aim was to accurately measure the USD worth of these payments. Hence, we used the average Bitcoin price on the day of each ransom payment whereas the authors of the previous studies used the Bitcoin price on the day of their evaluation. Furthermore, for each investigated ransomware, we provide a holistic view of its genesis, development, the process of infection and execution, and characteristic of ransom demands. Finally, we also release our dataset for future investigations in this direction of research.