Virtual Library

Our virtual library is an online repository of all of the reports, papers, and briefings that IST has produced, as well as works that have influenced our thinking.


Reports

Why Venture Capital Is Indispensable for U.S. Industrial Strategy: Activating Investors to Realize Disruptive National Capabilities

Michael Brown and Pavneet Singh


Reports

The Implications of Artificial Intelligence in Cybersecurity: Shifting the Offense-Defense Balance

Jennifer Tang, Tiffany Saade, Steve Kelly


Fact Sheet

IST’s Efforts in the Age of AI: An Overview


Reports

Unlocking U.S. Technological Competitiveness: Proposing Solutions to Public-Private Misalignments

Ben Purser, Pavneet Singh


Articles

The Phone-a-Friend Option: Use Cases for a U.S.-U.K.-French Crisis Communication Channel

Daniil Zhukov


Articles

China: Nuclear Crisis Communications and Risk Reduction

Dr. Tong Zhao


Articles

Use-Cases of Resilient Nuclear Crisis Communications: A View from Russia

Dmitry Stefanovich


Contribute to our Library!

We also welcome additional suggestions from readers and will consider adding further resources, as so much of our work has already come through crowd-sourced collaboration. If by any chance you are an author whose work is listed here and you do not wish it to be listed in our repository, please let us know.


Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot

Zoë Brammer

SUMMARY

The 2021 Ransomware Task Force Report called for the disruption of the ransomware business model to decrease criminal profits from ransomware attacks as a critical avenue to mitigate the ransomware threat. In Fall 2022, IST published Mapping the Ransomware Payment Ecosystem, providing a comprehensive visualization of the process and participants involved in ransomware payments. The map was the first step in understanding the sources of available information to help disrupt the ransomware business model. The ultimate goal is for experts to use the map to take actions that disincentivize threat actors from carrying out attacks.

This mini-pilot, an exercise that tests the map against four cases of ransomware attacks, seeks to identify which kinds of disruption could be the most effective and where to apply them in the payment process. To conduct the mini-pilot, IST selected four case studies and overlaid ransomware threat actor behavior onto our original payment ecosystem map. Although this exercise does not capture every ransomware actor or attack, it aggregates many of the entities threat actors commonly leverage to carry out ransomware attacks, including but not limited to antivirus vendors, cloud service providers, hosting providers, cryptocurrency exchanges, and tooling providers.

Cases 1, 2, and 3 are drawn from raw data provided to us by a blockchain analysis firm. Each case describes a unique threat group or actor and identifies the entities consistently leveraged by the group/actor to successfully carry out an attack. Case 4 is drawn from a combination of publications outlining common ransomware actor tactics, techniques, and procedures (TTPs), specifically those required to make an attack possible. These results were cross-referenced with a case study focused on a single threat group provided by an incident response organization. The fifth, composite map aggregates the findings from all four cases to render overall conclusions about the map’s counter-ransomware applications. 
