Virtual Library

Our virtual library is an online repository of all of the reports, papers, and briefings that IST has produced, as well as works that have influenced our thinking.

Fact Sheet

DOD and SBA Launch the Small Business Investment Company Critical Technology (SBICCT) Initiative

Strategic Balancing Initiative

Fact Sheet

White House Releases Outbound Investment Executive Order

Strategic Balancing Initiative

Reports

Strengthening Resilience in 21st Century Crisis Communications

Alexa Wehsener, Sylvia Mishra

Fact Sheet

DoD Releases the National Defense Science and Technology Strategy

Strategic Balancing Initiative

Reports

Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot

Zoë Brammer

Reports

May 2023 Progress Report: Ransomware Task Force: Gaining Ground

Ransomware Task Force

Reports

Castles Built on Sand: Towards Securing the Open-Source Software Ecosystem

Zoë Brammer, Silas Cutler, Marc Rogers, Megan Stifel

Contribute to our Library!

We also welcome additional suggestions from readers and will consider adding further resources, as so much of our work has already come through crowd-sourced collaboration. If by any chance you are an author whose work is listed here and you do not wish it to be listed in our repository, please let us know.

Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot

Zoë Brammer

SUMMARY

The 2021 Ransomware Task Force Report called for the disruption of the ransomware business model to decrease criminal profits from ransomware attacks as a critical avenue to mitigate the ransomware threat. In Fall 2022, IST published Mapping the Ransomware Payment Ecosystem, providing a comprehensive visualization of the process and participants involved in ransomware payments. The map was the first step in understanding the sources of available information to help disrupt the ransomware business model. The ultimate goal is for experts to use the map to take actions that disincentivize threat actors from carrying out attacks.

This mini-pilot, an exercise that tests the map against four cases of ransomware attacks, seeks to identify which kinds of disruption could be the most effective and where to apply them in the payment process. To conduct the mini-pilot, IST selected four case studies and overlaid ransomware threat actor behavior onto our original payment ecosystem map. Although this exercise does not capture every ransomware actor or attack, it aggregates many of the entities threat actors commonly leverage to carry out ransomware attacks, including but not limited to antivirus vendors, cloud service providers, hosting providers, cryptocurrency exchanges, and tooling providers.

Cases 1, 2, and 3 are drawn from raw data provided to us by a blockchain analysis firm. Each case describes a unique threat group or actor and identifies the entities consistently leveraged by the group/actor to successfully carry out an attack. Case 4 is drawn from a combination of publications outlining common ransomware actor tactics, techniques, and procedures (TTPs), specifically those required to make an attack possible. These results were cross-referenced with a case study focused on a single threat group provided by an incident response organization. The fifth, composite map aggregates the findings from all four cases to render overall conclusions about the map’s counter-ransomware applications. 
