Virtual Library

Our virtual library is an online repository of all of the reports, papers, and briefings that IST has produced, as well as works that have influenced our thinking.

Reports

Ransomware Task Force: Doubling Down

Ransomware Task Force

Reports

Information Sharing in the Ransomware Payment Ecosystem: Exploring the Delta Between Best Practices and Existing Mechanisms

Zoë Brammer

Memo

Testimony: Held for Ransom: How Ransomware Endangers Our Financial System

Megan Stifel

Memo

Roadmap to Potential Prohibition of Ransomware Payments

Ransomware Task Force Co-Chairs

Reports

Unlocking U.S. Technological Competitiveness: Evaluating Initial Solutions to Public-Private Misalignments

Ben Purser, Pavneet Singh

Reports

Public Private Partnerships to Combat Ransomware: An inquiry into three case studies and best practices

Elizabeth Vish, Georgeanela Flores Bustamante

Reports

Unlocking U.S. Technological Competitiveness: Public-Private Misalignments in Biotechnology, Energy, and Quantum Sectors

Ben Purser, Pavneet Singh

Contribute to our Library!

We also welcome additional suggestions from readers and will consider adding further resources, as so much of our work has already come through crowd-sourced collaboration. If by any chance you are an author whose work is listed here and you do not wish it to be listed in our repository, please let us know.

Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot

Zoë Brammer

SUMMARY

The 2021 Ransomware Task Force Report called for the disruption of the ransomware business model to decrease criminal profits from ransomware attacks as a critical avenue to mitigate the ransomware threat. In Fall 2022, IST published Mapping the Ransomware Payment Ecosystem, providing a comprehensive visualization of the process and participants involved in ransomware payments. The map was the first step in understanding the sources of available information to help disrupt the ransomware business model. The ultimate goal is for experts to use the map to take actions that disincentivize threat actors from carrying out attacks.

This mini-pilot, an exercise that tests the map against four cases of ransomware attacks, seeks to identify which kinds of disruption could be the most effective and where to apply them in the payment process. To conduct the mini-pilot, IST selected four case studies and overlaid ransomware threat actor behavior onto our original payment ecosystem map. Although this exercise does not capture every ransomware actor or attack, it aggregates many of the entities threat actors commonly leverage to carry out ransomware attacks, including but not limited to antivirus vendors, cloud service providers, hosting providers, cryptocurrency exchanges, and tooling providers.

Cases 1, 2, and 3 are drawn from raw data provided to us by a blockchain analysis firm. Each case describes a unique threat group or actor and identifies the entities consistently leveraged by the group/actor to successfully carry out an attack. Case 4 is drawn from a combination of publications outlining common ransomware actor tactics, techniques, and procedures (TTPs), specifically those required to make an attack possible. These results were cross-referenced with a case study focused on a single threat group provided by an incident response organization. The fifth, composite map aggregates the findings from all four cases to render overall conclusions about the map’s counter-ransomware applications. 
