Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot
Zoë Brammer
SUMMARY
The 2021 Ransomware Task Force Report called for the disruption of the ransomware business model to decrease criminal profits from ransomware attacks as a critical avenue to mitigate the ransomware threat. In Fall 2022, IST published Mapping the Ransomware Payment Ecosystem, providing a comprehensive visualization of the process and participants involved in ransomware payments. The map was the first step in understanding the sources of available information to help disrupt the ransomware business model. The ultimate goal is for experts to use the map to take actions that disincentivize threat actors from carrying out attacks.
This mini-pilot, an exercise that tests the map against four cases of ransomware attacks, seeks to identify which kinds of disruption could be the most effective and where to apply them in the payment process. To conduct the mini-pilot, IST selected four case studies and overlaid ransomware threat actor behavior onto our original payment ecosystem map. Although this exercise does not capture every ransomware actor or attack, it aggregates many of the entities threat actors commonly leverage to carry out ransomware attacks, including but not limited to antivirus vendors, cloud service providers, hosting providers, cryptocurrency exchanges, and tooling providers.
Cases 1, 2, and 3 are drawn from raw data provided to us by a blockchain analysis firm. Each case describes a unique threat group or actor and identifies the entities consistently leveraged by the group/actor to successfully carry out an attack. Case 4 is drawn from a combination of publications outlining common ransomware actor tactics, techniques, and procedures (TTPs), specifically those required to make an attack possible. These results were cross-referenced with a case study focused on a single threat group provided by an incident response organization. The fifth, composite map aggregates the findings from all four cases to render overall conclusions about the map’s counter-ransomware applications.