title: A Tale of Two Markets: Investigating the Ransomware Payments Economy
authors: Oosthoek, Kris; Cable, Jack; Smaragdakis, Georgios
date: 2022-05-10
key: cord-0592802-qepv1xv1; sha: bc874da8af8876fcb047be42c580cdc649e4e1ee; doc_id: 592802; cord_uid: qepv1xv1

Ransomware attacks are among the most severe cyber threats. They have made headlines in recent years by threatening the operation of governments, critical infrastructure, and corporations. Collecting and analyzing ransomware data is an important step towards understanding the spread of ransomware and designing effective defense and mitigation mechanisms. We report on our experience operating Ransomwhere, an open crowdsourced ransomware payment tracker to collect information from victims of ransomware attacks. With Ransomwhere, we have gathered 13.5k ransom payments to more than 87 ransomware criminal actors with total payments of more than $101 million. Leveraging the transparent nature of Bitcoin, the cryptocurrency used for most ransomware payments, we characterize the evolving ransomware criminal structure and ransom laundering strategies. Our analysis shows that there are two parallel ransomware criminal markets: commodity ransomware and Ransomware as a Service (RaaS). We notice that there are striking differences between the two markets in the way that cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency. Although it is relatively easy to identify choke points in commodity ransomware payment activity, it is more difficult to do the same for RaaS.

Ransomware, a form of malware designed to encrypt a victim's files and make them unusable without payment, has quickly become a threat to the functioning of many institutions and corporations around the globe.
In 2021 alone, ransomware caused major hospital disruptions in Ireland [3], empty supermarket shelves in the Netherlands [8], the closing of 800 supermarket stores in Sweden [4], and gasoline shortages in the United States [20]. In a recent report, the European Union Agency for Cybersecurity (ENISA) ranked ransomware as the "prime threat for 2020-2021" [13]. The U.S. government reacted to high-profile attacks against U.S. industries by declaring ransomware a national security threat and announcing a "coordinated campaign to counter ransomware" [21]. Other governments, including the United Kingdom [37], Australia [22] and Canada [12], and law enforcement agencies such as the FBI [38] and Europol [11], have launched similar programs to defend against ransomware and offer help to victims.

To the criminal actors behind these attacks, the resulting disruption is just 'collateral damage'. A handful of groups and individuals, with names such as NetWalker, Conti, REvil and DarkSide, have received tens of millions of USD in ransom. But this is just the top of the food chain in an ecosystem with many grey areas, especially when it comes to laundering illicit proceeds. In this article, we take a closer look at the ecosystem behind many of the attacks plaguing businesses and societies, known as Ransomware as a Service (RaaS).

Cryptocurrencies remain the payment method of choice for criminal ransomware actors. While many cryptocurrencies exist, Bitcoin is preferred due to its network effects, which result in wide exchange options. Bitcoin's sound monetary features as a medium of exchange, unit of account and store of value make it as attractive to criminals as it is to regular citizens. According to the U.S. Department of the Treasury, based on data from the first half of 2021, the "vast majority" of reported ransomware payments were made in Bitcoin [28].
Law enforcement agencies have started to disrupt ransomware actors by obtaining personal information about users from Bitcoin exchange platforms. This is made possible by anti-money laundering regulations such as Know Your Customer (KYC), which require legal identity verification when registering with the service. While cryptocurrencies such as Bitcoin are enablers of ransomware, blockchain technology also offers unprecedented opportunities for forensic analysis and intelligence gathering. Using our crowdsourced ransomware payment tracker, Ransomwhere, we compile a dataset of 7,321 Bitcoin addresses that received ransom payments, based on which we shed light on the structure and state of the ransomware ecosystem. Our contributions are as follows:

• We collect and analyze the largest public dataset of ransomware activity to date, which includes 13,497 ransom payments to 87 criminal actors over the last five years, worth more than 101 million USD.
• We characterize the evolving ransomware ecosystem. Our analysis shows that there are two parallel ransomware markets: commodity and RaaS. After 2019, we observe the rapid rise of RaaS, which achieves higher revenue per address and per transaction, and higher overall revenue.
• We characterize the ransom laundering strategies of commodity ransomware and RaaS actors. Our analysis of more than 13k transfers shows striking differences in laundering time, utilization of exchanges and other means to cash out ransom payments.
• We discuss the difficulties of defending against professionally operated RaaS and propose possible ways to trace RaaS activity in cryptocurrency systems.
• To enable future research in this area, we make our tracker, Ransomwhere, and the tracked ransomware payments of our analysis publicly available at [6].

The ransomware ecosystem and its payment traffic can largely be divided into two categories: commodity ransomware and Ransomware as a Service (RaaS).
In the early years of ransomware, the majority of ransomware in circulation can be characterized as 'commodity' ransomware. Commodity ransomware is characterized by widespread targeting, fixed ransom demands, and technically adept operators. It usually targets a single device [17]. Actors behind commodity ransomware are usually technically savvy, as most of the time it is developed and spread by the same person. Commodity ransomware operators take advantage of pre-existing work, often copying and modifying leaked or shared source code, which leads to the formation of ransomware families. Historically, most commodity ransomware campaigns used phishing emails as the primary delivery vector and exploited vulnerabilities in common word processing and spreadsheet software, if they did not deliver malicious executables directly. The modus operandi was mass exploitation rather than the targeting of specific victims. Exemplary cases are the WannaCry and NotPetya ransomware families, which over a course of only two months impacted tens of thousands of organizations in over 150 countries by exploiting a vulnerability with an exploit allegedly stolen from the NSA [15]. By today's standards, both families were poorly coded and their payment systems were not ready for business, although allegedly on purpose in the case of NotPetya [14].

With regard to mitigation, the conventional advice is to have a proper backup and contingency plan. The initial philosophy was that the ability to restore quickly would make it unnecessary to pay, removing the financial incentive of ransomware operators. But it turned out that what we now regard as commodity ransomware was just a proving ground for a higher-impact use of ransomware. While the first reports of Ransomware as a Service (RaaS) emerged in 2016, it was not until 2019 that RaaS became widespread, rapidly capturing a large share of the ransomware market. We define RaaS as ransomware created by a core team of developers who license their malware on an affiliate basis.
They often provide a payment portal (typically reachable over Tor, an anonymity network), allowing negotiation with victims and dynamic generation of payment addresses (typically Bitcoin). RaaS frequently employs a double extortion scheme, not only encrypting victims' data but also threatening to leak it publicly. The rise of RaaS has enabled existing criminal groups to shift to a new lucrative business model in which lower-skilled affiliates can access exploits and techniques previously reserved for highly skilled criminals. This was exemplified by a leaked playbook from the RaaS group Conti, which enables novice actors to compromise enterprise networks [34].

RaaS affiliates can differ markedly in their approaches. Some scan the entire internet and compromise any victims they can. Once they have identified a victim, they engage in price discrimination based on the victim company's size. Affiliates may even use financial documents obtained during the attack to justify higher prices [19]. Another strategy, known as big game hunting, targets large corporations that can afford to pay a high ransom. DarkSide is one of the most notable RaaS families whose affiliates practice big game hunting, including the notable Colonial Pipeline attack in 2021 [18]. RaaS families often rely on spear-phishing rather than the mass phishing mails used by commodity ransomware groups. They also exploit recently disclosed vulnerabilities, notably in exposed remote and virtual desktop services [9].

RaaS has lowered the barrier to entry into cybercrime, as it has removed the initial expenditure needed to develop effective ransomware. As a result, attacks can be performed at near-zero cost. Combined with high ransom demands, this has led to a low-risk, high-reward criminal scheme. RaaS has effectively weaponized the unpatched internet-facing technology of many unwitting organizations.
Such organizations have a significant financial interest in having their systems restored and getting back to business after a ransomware attack. Cryptocurrencies enable ransomware actors to directly monetize these vulnerabilities at a scale never seen before.

Figure 1: How ransom payments are executed and laundered (step 1: victim assets are infected and a ransom notice is displayed).

In this paper, we look at the functioning of ransomware actors through what is usually the last mile of the attack. Figure 1 shows the general course of events after a ransomware infection, when the victim decides to pay the attacker (step 1). In the case of commodity ransomware families, the ransom demand is fixed and negotiation with the attacker is not necessary. With RaaS, attackers usually run chat-based services to interact with victims and negotiate the final ransom amount (step 2). After this, a victim will usually exchange fiat legal tender for cryptocurrency such as Bitcoin at an exchange platform (step 3) and then send it to the attacker's wallet (step 4). The attacker will then usually route the obtained Bitcoin through various services (step 5) in order to obfuscate ownership and reduce the risk of deanonymization before cashing out (step 6).

In this section, we describe how we collected data on ransom payments and ransomware actors for our study. We obtain ransomware Bitcoin addresses from our crowdsourced payment tracker Ransomwhere. The Ransomwhere dataset contains Bitcoin addresses and associated families collected from open-source datasets and publicly submitted crowdsourced reports. In total, the Ransomwhere dataset contains 7,457 Bitcoin addresses and their corresponding ransomware families. To seed the dataset, we collected data from several public sources. We imported addresses from Paquet-Clouston et al. [30], who collected 7,222 addresses and labeled families representing approximately $12.7 million in payments.
This dataset provides us with, among other ransomware families, 7,014 addresses belonging to Locky. We further collected 37 addresses and associated families from the AT&T Alien Labs Open Threat Exchange, an open threat intelligence sharing platform [1]. Members of the public may submit reports to our crowdsourced payment tracker Ransomwhere [6]. We received 99 reports containing 198 addresses over a six-month period from June 2021 to December 2021. While this is a lower number of addresses, they represent the majority of ransomware payment value in our dataset. In order to verify reports, the reporter must include the relevant Bitcoin addresses and the associated ransomware family. In addition, they have to provide evidence of the ransom demand, such as a screenshot of the ransom payment portal or of a ransom message on an infected computer. Some addresses were involved in more than one report. All reports were manually reviewed before being added to the dataset. We did not accept reports that were inaccurate or not related to ransomware (e.g., addresses involved in extortion scam emails). All reported ransom addresses were Bitcoin addresses.

Due to the transparent nature of Bitcoin, it is possible to verify that the collected addresses indeed received payments. Using our own Bitcoin full node, we retrieved all transactions for the addresses in our dataset. Overall, 7,323 out of the 7,457 Bitcoin addresses were involved in at least one ransom payment; we discarded the 134 addresses that did not receive any payment. We also searched Tor hidden services, using a solution from a peer researcher [33], for all Bitcoin addresses in our dataset to rule out that an address was used for cybercrime purposes other than ransomware. Based on this, we excluded 2 addresses belonging to a cache of Bitcoin seized by the U.S. Department of Justice after the closing of the Silk Road darkweb market [23]. After these steps, the final number of addresses considered for our analysis is 7,321.
For a summary of our dataset we refer to Table 1. The transparency of Bitcoin also allows us to collect information about (ransom) payments, i.e., the amount of Bitcoin received. For each address we collected the number of incoming (payment) and outgoing (transfer) transactions, their value in Bitcoin, and their timestamp. We calculated the USD value of each transaction using the BTC-USD daily closing rate on the day of the transaction. This serves as an approximation of the ransom payment, not the exact amount in USD that the criminal actors requested or later profited. The total ransom paid to addresses in our dataset is $101,297,569. The lowest payment received is $1, and the highest is $11,042,163. The median payment value is $1,176.

In collaboration with Crystal Blockchain [5], we tracked the destination of outgoing transactions, i.e., transfers. In order to estimate an address's potential for illicit use, Crystal Blockchain utilizes clustering heuristics such as one-time change address and common-input-ownership [40], as well as human collection of off-chain data from various cryptocurrency services. In addition, Crystal Blockchain scrapes online forums and other Internet services for Bitcoin addresses and their associated real-world entity. Based on this, it is possible to track payments several hops from the original deposit address. To have the most reliable view, in our analysis we only regard the direct destination of ransom payments (first hop). Based on the characterization of the involved addresses across the path, we are able to study the laundering strategies of ransomware groups as well as the time needed to launder the money (see Section 5).

We obtained addresses and labeled families as described in Section 3.1. We categorized each ransomware family as used by either commodity ransomware or RaaS actors.
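The two clustering heuristics named above are the standard starting point for attributing several addresses to one controller. The following is an added example, not the paper's code and not Crystal Blockchain's tooling: it applies both heuristics to a constructed transaction list in chain order. Common-input-ownership merges all input addresses of a transaction (they were all signed by the same party); the one-time change heuristic, in a two-output transaction, treats the single output address that has never appeared on chain before as the sender's change and merges it with the inputs. Addresses, transaction ids and amounts are placeholders.

```python
"""Address clustering with common-input-ownership and one-time change.

Added example; not the paper's code nor Crystal Blockchain's tooling.
Transactions, address labels and amounts are constructed (no real Bitcoin
addresses): 'inputs' lists the addresses that funded a transaction,
'outputs' the (address, BTC) pairs it paid.
"""
from collections import defaultdict

SAMPLE_TXS = [
    # t1: a victim pays from two of its own addresses; the second output is
    # the victim's change.  Both output addresses are new, so the change
    # heuristic cannot tell which one is the change and declines.
    {"txid": "t1", "inputs": ["victim_a", "victim_b"],
     "outputs": [("ransom_1", 0.500), ("victim_c", 0.031)]},
    # t2: the actor sweeps two ransom addresses into one exchange deposit
    {"txid": "t2", "inputs": ["ransom_1", "ransom_2"],
     "outputs": [("exchange_in", 0.900)]},
    # t3: the actor pays the (now known) exchange address again; the other
    # output is a fresh address and is therefore taken to be change
    {"txid": "t3", "inputs": ["ransom_3"],
     "outputs": [("exchange_in", 0.200), ("change_x", 0.047)]},
    # t4: the change address is co-spent with another ransom address
    {"txid": "t4", "inputs": ["change_x", "ransom_2"],
     "outputs": [("mixer_in", 0.300)]},
]


class UnionFind:
    """Disjoint sets over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def one_time_change(tx, seen_before):
    """One-time change heuristic: in a two-output transaction, if exactly one
    output address has never appeared on chain before, treat it as the
    sender's change.  Returns that address or None."""
    if len(tx["outputs"]) != 2:
        return None
    fresh = [addr for addr, _ in tx["outputs"] if addr not in seen_before]
    return fresh[0] if len(fresh) == 1 else None


def cluster_addresses(txs):
    """Apply both heuristics to a transaction list (in chain order) and
    return the resulting address clusters as frozensets."""
    uf = UnionFind()
    seen = set()
    for tx in txs:
        ins = tx["inputs"]
        # common-input-ownership: every input of a transaction was signed by
        # the same entity, so all input addresses share one cluster
        for addr in ins:
            uf.union(ins[0], addr)
        for addr, _ in tx["outputs"]:
            uf.find(addr)  # register outputs so they appear as singletons
        change = one_time_change(tx, seen)
        if change is not None:
            uf.union(ins[0], change)
        seen.update(ins)
        seen.update(addr for addr, _ in tx["outputs"])
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def cluster_of(clusters, addr):
    """Return the cluster containing addr (a singleton if it was never seen)."""
    for c in clusters:
        if addr in c:
            return c
    return frozenset([addr])


if __name__ == "__main__":
    for c in cluster_addresses(SAMPLE_TXS):
        print(sorted(c))
```

Two things the run makes visible. Transaction t1 shows the limit of the change heuristic against per-victim payment addresses: when the ransom address is freshly generated, both outputs are new and nothing can be inferred, which is part of why one-address-per-victim (the RaaS pattern discussed in Section 4) frustrates clustering. And exchange_in is never merged with the ransom cluster, because receiving an output says nothing about who holds the key; attributing that destination to an entity needs the off-chain labels the paper obtains from Crystal Blockchain.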
Ransomware is generally categorized as RaaS due to the use of an affiliate structure, with the ransomware developer (operator) selling the ransomware to criminal actors either for a commission on each ransom paid or for a flat monthly fee (as a service, like many subscription-based offerings). As no comprehensive public list of RaaS groups exists, we labeled a family as RaaS if a reliable industry or law enforcement source claims that the ransomware is sold as a service. A list of the commodity and RaaS families in our dataset is presented in Table 2.

Our dataset of Bitcoin addresses is the largest public collection of ransomware payment addresses collected to date, based on total USD value. While this allows for a unique view of the ransomware financial ecosystem, it is not exhaustive. An inherent limitation of any research using adversary artifacts is its dependence on the availability of artifacts that bad actors have an interest in hiding. Furthermore, victims might have an interest in not reporting addresses, as they prefer to keep attacks undisclosed. We note that certain families, such as NetWalker, may be overrepresented in our dataset because we have more complete data on these families. Despite this limitation, we believe that our dataset provides a valuable, if incomplete, representation of ransomware payments over many years. This broad view gives a better reflection of the state of affairs than focusing on a few families. We hope that this can lay the groundwork for further public data collection in the future, and encourage anyone to submit data at Ransomwhere [6].

In this section, we analyze 13,497 payments to the Bitcoin addresses owned by ransomware actors in our dataset (see Table 1). A payment is a transaction received by an address in our dataset. The families listed in Table 2 account for 7,160 out of 7,321 addresses in our dataset. As mentioned previously, our dataset is publicly available for full review [6].
Figure 2: Revenue per ransomware actor.

Ransomware victims typically create an account with a reputable exchange platform to buy Bitcoin with fiat currency. Then, victims perform a transaction (payment) to the address provided by the ransomware actor. In our dataset, payment transactions to ransomware addresses tend to originate one to two hops away from reputable exchange platforms, such as Coinbase and Kraken.

In Figure 2 we list the 15 ransomware families with the highest revenue. The top-grossing families are dominated by RaaS: NetWalker has the highest revenue, $26.7 million, followed by Conti ($16.4 million), REvil/Sodinokibi ($12.1 million), DarkSide ($9.1 million) and Locky ($8.1 million). All commodity actors combined account for a total revenue of $5.5 million. Although the number of RaaS actors is lower, together they earned $95.7 million.

Figure 3 shows the accumulated revenue of both commodity ransomware and RaaS actors. It shows that, from 2015 until 2019, early RaaS actors, primarily Locky, were gaining significant but still relatively low revenues. Commodity actors were also active, but with even lower revenues. As seen in Figure 3, RaaS revenue reached $8.2 million in April 2020. This can primarily be attributed to NetWalker, which actively targeted hospitals and health care institutions during the first COVID-19 lockdown in that period [24]. Other revenue peaks caused by RaaS groups are in May and June of 2021, with peaks of $13.5 million and $12.8 million respectively. These spikes are caused by large ransom payments by individual victims. One example is a payment to REvil/Sodinokibi on June 1st, 2021, accounting for $11 million. This is a payment by the Brazilian meat processing company JBS, which dominated headlines at the time [16].

Locky has a notorious reputation as one of the biggest ransomware strains of 2016-2017. It is also one of the earliest, if not the first, RaaS family.
What stands out, apart from its high revenue, is its address usage. The actors behind Locky issued an address to each new victim, a novelty at the time. This is evident in our analysis, with many addresses having only 2 or 3 incoming transactions. According to French court documents, Locky's developer is the same individual who owned BTC-e, a fraudulent exchange [7]. Hence, the actor was able to set up a new address for each payment without raising compliance alarms. Locky is an early, less sophisticated example of a RaaS operation, which served as a model for many cybercriminal actors to follow.

RaaS actors are not only more effective in terms of profits, but also in handling payments. They typically have higher revenue per address, while also generating unique addresses for victims. In Figure 4 we show the cumulative distribution of received payments for commodity and RaaS actors. Commodity ransomware actors typically use single wallet addresses to receive hundreds of ransom payments. The highest number of payments to a single address is 697 to AES-NI, followed by 496 to SynAck and 441 to File-Locker. While these are outliers, Figure 4 shows that using a single address to receive upwards of 100 payments is not unusual. In contrast, RaaS actors almost exclusively use a new wallet address to receive each payment, as observed in Figure 4 (right). An outlier is an address associated with NetWalker which has received 138 payments. This address is likely an intermediate payment address, combining payments from many victims, discovered during McAfee Labs' investigation into NetWalker [35].

The distribution of unique addresses per commodity ransomware and RaaS actor is presented in Figure 5. In stark contrast to the revenue from ransom activities presented in Figure 3, the number of addresses used in recent years is low, on the order of tens per month.
We suspect that RaaS actors prefer to create a new address for each ransom payment in order to preserve their pseudonymity, and thus make legal investigations and takedowns more difficult. Moreover, our analysis shows that RaaS groups apply better operational security practices when using native Bitcoin functionality for wallets (payment addresses). Bitcoin uses Bitcoin Script to handle transactions between addresses; the script type used determines the address type. Pay-to-Public-Key-Hash (P2PKH) addresses have the prefix 1. This is Bitcoin's legacy address format and the most common address format in our dataset, with 7,339 addresses. 46 addresses in our dataset are Pay-to-Script-Hash (P2SH) formatted, recognizable by the prefix 3. To spend payments received at a P2SH address, the recipient must supply a redeem script matching the hash. The script can contain functionality to increase security, such as time-locks or co-signature (multi-signature) requirements. We only observe this for select actors in our dataset: Qlocker, NetWalker, REvil, Ryuk and Phobos. This could mean that these groups have a specific interest in operational security, as such scripts are usually not supported by exchange-hosted wallets. Another address format is Pay-to-Witness-Public-Key-Hash (P2WPKH), the Segregated Witness (SegWit) format, with prefix bc1q (the same prefix is also used by Pay-to-Witness-Script-Hash). 72 addresses in our dataset use this format, belonging to Conti, NetWalker, SunCrypt, DarkSide and HelloKitty. These are all RaaS actors, which could imply that they deliberately use SegWit for additional security instead of a legacy address format. Note that SegWit's main practical benefits are lower transaction fees and the fix for transaction malleability rather than stronger key security, so this choice may equally reflect the wallet software these groups use.

In the previous section, we investigated ransom payments by victims to ransomware actors. In the next section, we investigate the 13,097 laundering transactions in our dataset (see Table 1) to shed light on how these actors liquidate their illicit earnings. To avoid exposing their identity, ransomware actors will usually launder their revenue.
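Before turning to the transfers, the address-format distinction used in the previous section (prefix 1, prefix 3, prefix bc1q) made checkable. The following is an added example, not the paper's code: it classifies an address by decoding it and verifying its checksum, which is what a crowdsourced tracker such as Ransomwhere should do before accepting a submitted address, rather than trusting the first character. Base58Check (P2PKH, P2SH) and bech32 / bech32m (SegWit) are implemented from their specifications; the sample inputs are the Bitcoin genesis coinbase address and the BIP173 test vectors, and the P2SH address is built from a constructed script hash. It goes slightly beyond the text by also recognizing P2WSH (same bc1q prefix, 32-byte program) and taproot (bc1p).

```python
"""Classify Bitcoin addresses by script type and verify their checksums.
Added example, not the paper's code. Samples: the genesis coinbase P2PKH
address and BIP173 bech32 test vectors; the P2SH address is derived from a
constructed (not real) 20-byte script hash."""
import hashlib
from collections import Counter

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload):
    """Base58Check: payload || first 4 bytes of SHA256d(payload)."""
    raw = payload + sha256d(payload)[:4]
    n, digits = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits  # leading zeros


def b58check_decode(addr):
    """Return version byte + hash, or None if a character or the checksum is bad."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) < 5 or sha256d(raw[:-4])[:4] != raw[-4:]:
        return None
    return raw[:-4]


def bech32_polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def convert_bits(data, frombits, tobits):
    """Regroup 5-bit groups into bytes; reject non-zero or oversized padding."""
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for v in data:
        acc, bits = (acc << frombits) | v, bits + frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return bytes(out)


def bech32_decode(addr):
    """Return (hrp, witness_version, program) or None. Witness v0 uses the
    bech32 constant (BIP173); v1 and later use bech32m (BIP350)."""
    if addr.lower() != addr and addr.upper() != addr:
        return None  # mixed case is forbidden
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32 for c in data):
        return None
    values = [BECH32.index(c) for c in data]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    version = values[0]
    if bech32_polymod(hrp_exp + values) != (1 if version == 0 else 0x2BC830A3):
        return None
    program = convert_bits(values[1:-6], 5, 8)  # drop version and checksum
    return None if program is None else (hrp, version, program)


def classify(addr):
    """Map an address to 'p2pkh', 'p2sh', 'p2wpkh', 'p2wsh', 'p2tr' or 'invalid'."""
    seg = bech32_decode(addr)
    if seg is not None:
        hrp, version, program = seg
        if hrp == "bc" and version == 0 and len(program) == 20:
            return "p2wpkh"  # bc1q..., 42 characters
        if hrp == "bc" and version == 0 and len(program) == 32:
            return "p2wsh"   # bc1q..., 62 characters (same prefix as P2WPKH)
        if hrp == "bc" and version == 1 and len(program) == 32:
            return "p2tr"    # bc1p..., taproot
        return "invalid"
    payload = b58check_decode(addr)
    if payload is not None and len(payload) == 21:
        if payload[0] == 0x00:
            return "p2pkh"   # prefix 1
        if payload[0] == 0x05:
            return "p2sh"    # prefix 3
    return "invalid"


def count_formats(addresses):
    """Per-format tally, as used for the counts reported in the text."""
    return dict(Counter(classify(a) for a in addresses))


EXAMPLE_P2SH = b58check_encode(b"\x05" + bytes(range(1, 21)))  # constructed hash
SAMPLE_ADDRESSES = [
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",  # genesis coinbase output, P2PKH
    EXAMPLE_P2SH,
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",  # BIP173 vector, P2WPKH
    "bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3",  # P2WSH
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",  # last character altered
]
```

Rejecting checksum failures matters for a crowdsourced tracker: a mistyped address would otherwise be stored and later counted as one that never received a payment. The first character alone is also not a reliable classifier, since bc1q covers both P2WPKH and P2WSH and a plausible-looking address starting with 3 may still fail the checksum.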
After routing funds through one or more services to obfuscate the money trail, the proceeds are cashed out as legal tender or monetized through the purchase of voucher codes or physical goods. In Figure 6 we show the number of transfer transactions per address. The number of transfer (outgoing) transactions provides insight into how actors prefer to initiate their laundering. In short, we see that RaaS actors mostly prefer to empty the deposit address in one transaction, whereas commodity actors prefer multiple smaller transactions, up to hundreds and in some cases more. This suggests that commodity ransomware actors are less sophisticated. For example, the three commodity ransomware actors with the most payments per address (File-Locker, SynAck, AES-NI) also have the most outgoing transactions. While the motivation for this behavior remains unclear, given that law enforcement scrutiny was relatively low at the time, it is likely that the commodity actors took advantage of the ability to cash out more frequently with little risk. This is further supported by their choice of laundering entities.

Almost all ransomware actors in our dataset launder their proceeds entirely. The speed with which this happens can be inferred from the time between the first incoming payment to and the last outgoing transaction from the deposit address. We call this duration, within which ransomware actors start laundering after having received a payment, the collect-to-laundry time. Note that this is not the total duration for cashing out the ransom, but rather the time between the first receipt of a ransom payment at an address and the transfer of the received funds out of it. Figure 7 shows the empirical cumulative distribution function (ECDF) of the collect-to-laundry time (in days) for the commodity ransomware and RaaS actors in our dataset. RaaS actors have a significantly lower collect-to-laundry time than commodity actors. Typically, payments to RaaS actors are transferred away from the deposit address within minutes to hours after payment.
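The collect-to-laundry time just defined, together with the per-address payment count and the USD valuation at the daily close described in Section 3, as an added example (not the paper's analysis code): it computes these metrics from a per-address transaction list and also reports the fraction of received value still sitting on the address, which is the quantity relevant for addresses whose funds were never moved. The transactions, addresses and rate table are constructed; amounts are in satoshis and timestamps are UTC.

```python
"""Per-address payment metrics: payments received, USD value at the daily
BTC-USD close, collect-to-laundry time, and the share of received value
still unspent.  Added example, not the paper's code.  Transactions,
addresses and rates are constructed; amounts are integer satoshis."""
from datetime import datetime, timezone

# Constructed BTC-USD daily closing rates, not real market data
RATES = {"2021-05-01": 57000.0, "2021-05-02": 56000.0,
         "2021-05-03": 58000.0, "2021-05-10": 55000.0}

SAMPLE_TXS = [  # constructed
    # C1: commodity-style address, several victims, drained in pieces
    {"addr": "C1", "dir": "in",  "sat": 1_000_000, "time": "2021-05-01T10:00:00Z"},
    {"addr": "C1", "dir": "in",  "sat": 1_000_000, "time": "2021-05-02T11:30:00Z"},
    {"addr": "C1", "dir": "out", "sat": 1_500_000, "time": "2021-05-03T09:00:00Z"},
    {"addr": "C1", "dir": "in",  "sat": 1_200_000, "time": "2021-05-03T15:00:00Z"},
    {"addr": "C1", "dir": "out", "sat": 1_700_000, "time": "2021-05-10T12:00:00Z"},
    # R1: RaaS-style address, one victim, swept within the hour
    {"addr": "R1", "dir": "in",  "sat": 200_000_000, "time": "2021-05-02T08:00:00Z"},
    {"addr": "R1", "dir": "out", "sat": 200_000_000, "time": "2021-05-02T08:40:00Z"},
    # R2: received, never moved (e.g. seized, or the key was lost)
    {"addr": "R2", "dir": "in",  "sat": 50_000_000, "time": "2021-05-03T20:00:00Z"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def usd_value(sat, time_str, rates=RATES):
    """Value a transaction at the closing rate of its calendar day (UTC).
    Multiply before dividing so exact satoshi amounts stay exact."""
    day = time_str[:10]
    if day not in rates:
        raise ValueError(f"no closing rate for {day}")
    return sat * rates[day] / 1e8


def address_stats(txs, rates=RATES):
    """Return {address: {...}} with payment count, USD received,
    collect-to-laundry time in days (None if nothing was ever moved) and
    the fraction of received satoshis still on the address."""
    per = {}
    for tx in txs:
        s = per.setdefault(tx["addr"], {"payments": 0, "received_sat": 0,
                                        "sent_sat": 0, "received_usd": 0.0,
                                        "first_in": None, "last_out": None})
        t = parse_time(tx["time"])
        if tx["dir"] == "in":
            s["payments"] += 1
            s["received_sat"] += tx["sat"]
            s["received_usd"] += usd_value(tx["sat"], tx["time"], rates)
            s["first_in"] = t if s["first_in"] is None else min(s["first_in"], t)
        else:
            s["sent_sat"] += tx["sat"]
            s["last_out"] = t if s["last_out"] is None else max(s["last_out"], t)
    out = {}
    for addr, s in per.items():
        ctl = None  # first incoming payment -> last outgoing transfer
        if s["first_in"] is not None and s["last_out"] is not None:
            ctl = (s["last_out"] - s["first_in"]).total_seconds() / 86400
        unspent = ((s["received_sat"] - s["sent_sat"]) / s["received_sat"]
                   if s["received_sat"] else None)
        out[addr] = {"payments": s["payments"],
                     "received_usd": round(s["received_usd"], 2),
                     "collect_to_laundry_days": ctl,
                     "unspent_fraction": unspent}
    return out


def ecdf(values):
    """Empirical CDF as a sorted list of (value, fraction of values <= value)."""
    xs = sorted(values)
    return [(x, (i + 1) / len(xs)) for i, x in enumerate(xs)]


if __name__ == "__main__":
    stats = address_stats(SAMPLE_TXS)
    for addr, s in stats.items():
        print(addr, s)
    print(ecdf([s["collect_to_laundry_days"] for s in stats.values()
                if s["collect_to_laundry_days"] is not None]))
```

Valuing at the day's close, as the paper does, is an approximation in both directions: a victim typically bought the coins hours earlier at a different price, and the actor's later cash-out price is unknown; keeping the satoshi amounts alongside the USD figures preserves the exact quantity for any re-valuation.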
The few outliers among RaaS actors are caused by NetWalker and by individual addresses associated with actors for which we have multiple addresses in our dataset (Ryuk, Conti). As the illicit funds received by RaaS actors are washed out quickly and, typically, in full, tracking payments to RaaS is more difficult and the odds of recovery are lower. Only a small set of families still hold significant portions of their proceeds on the original address. This is the case for NetWalker, which has 20.36% still on an address, MedusaLocker (7.98%) and WannaCry (7.92%). In such cases, it is likely that the actor has lost the private key or is unable to launder the ransom safely, for example due to law enforcement scrutiny. It is known that NetWalker's proceeds have been seized by law enforcement [24], and that WannaCry was under heavy monitoring, with most of its laundering attempts failing [2].

Contrary to popular belief, Bitcoin is not anonymous but pseudonymous. Forensic analysis can link a Bitcoin address to a real-world identity, especially when an exchange platform is used to convert between fiat currency and Bitcoin. In most jurisdictions, the legal entities behind such platforms are held to Know Your Customer (KYC) legislation, which requires them to verify the identity of every user signing up for their service. During an investigation, when known illicit Bitcoin is routed through an exchange that requires KYC, authorities have a chance to identify the culprit. Several industry players support law enforcement in such AML investigations with technology based on clustering algorithms that can link addresses to a service such as an exchange platform. As seen in Figure 8, we have grouped the data we obtained through Crystal Blockchain into a select set of entities, which are explained in Table 3. Laundering can involve routing illicit funds through several hops before cashing out.
As it is difficult to know where actual ownership ends after several hops, in this analysis we only regard the first hop, i.e., the first transfer transaction. This is the service to which actors transfer funds directly after having received them at the deposit address shared with the victim. As this has the closest link to the payment address, it is the first point of investigation for law enforcement. An actor choosing to use a service implies that they trust the service, at least enough not to disclose their identity. Figure 8 shows the proportion of the estimated USD value of Bitcoin directly transferred (first hop) to the entities explained in Table 3, for commodity and RaaS actors. Due to limitations in reliably establishing the (legal) entities behind an address, the direct transactions in our dataset account for a subset of the total revenue generated by the actors in our dataset. Hence we report percentages, a best practice used with comparable datasets [39].

Our core observation is that commodity actors do not exhibit a specific laundering strategy, while RaaS actors primarily use fraudulent exchanges and mixers. Mixers are services that take in Bitcoin from cybercriminals or simply privacy-aware users and combine it in many transactions. This hinders the accurate tracking of Bitcoin, as every client gets their initial deposit (minus a service fee) back as a mix of other users' Bitcoin. Thus, it is more difficult to trace the laundering activity of RaaS criminal actors. When considering fraudulent exchanges together with low- and high-risk exchanges, commodity actors seem to prefer exchanges, and thus perhaps cash out to fiat currency or other cryptocurrencies. It is, however, also known that cybercriminals have wound down their use of fraudulent exchanges [29].
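The first-hop attribution described above, as an added example that is not the paper's code and not Crystal Blockchain's data: given the outgoing transactions from deposit addresses, an address-to-entity label table and daily closing rates, it reports, per actor class, the share of first-hop USD value per entity category computed over labelled destinations only, and alongside it the coverage (the labelled share of all first-hop value) that tells the reader how much of the money the percentages actually describe. The categories follow the entity grouping of Table 3; the transactions, labels and rates are constructed.

```python
"""First-hop attribution of transfers out of ransom deposit addresses:
share of USD value per destination entity category, per actor class,
computed over labelled destinations only, plus the label coverage.
Added example; not the paper's code nor Crystal Blockchain's data.
Sweep transactions, entity labels and rates are constructed."""
from collections import defaultdict

RATES = {"2021-06-01": 36000.0, "2021-06-02": 37000.0}  # constructed closes
DEPOSIT_CLASS = {"dep_r1": "raas", "dep_r2": "raas", "dep_c1": "commodity"}
# address -> (entity name, category); any address missing here is unlabelled
ENTITIES = {
    "mix1": ("MixerOne", "mixer"),
    "fx1": ("ShadyEx", "fraudulent_exchange"),
    "lx1": ("BigEx", "low_risk_exchange"),
    "hx1": ("LooseEx", "high_risk_exchange"),
}
# Outgoing (first-hop) transactions from deposit addresses; outputs in satoshis.
# Only these direct outputs are attributed; later hops are not followed.
SWEEPS = [
    {"from": "dep_r1", "date": "2021-06-01",
     "outputs": [("mix1", 250_000_000), ("fx1", 150_000_000)]},
    {"from": "dep_r2", "date": "2021-06-02", "outputs": [("unl1", 100_000_000)]},
    {"from": "dep_c1", "date": "2021-06-01", "outputs": [("lx1", 5_000_000)]},
    {"from": "dep_c1", "date": "2021-06-02",
     "outputs": [("hx1", 2_000_000), ("fx1", 2_000_000), ("unl2", 1_000_000)]},
]


def first_hop_shares(sweeps, deposit_class, entities, rates):
    """Return {actor_class: {"shares": {category: percent}, "coverage": percent}}.
    Shares are percentages of the labelled first-hop value; coverage is the
    labelled percentage of all first-hop value, which bounds what the shares say."""
    labelled = defaultdict(lambda: defaultdict(float))
    total = defaultdict(float)
    for tx in sweeps:
        cls = deposit_class[tx["from"]]
        for dest, sat in tx["outputs"]:
            usd = sat * rates[tx["date"]] / 1e8  # value at that day's close
            total[cls] += usd
            if dest in entities:
                labelled[cls][entities[dest][1]] += usd
    result = {}
    for cls in total:
        lab_total = sum(labelled[cls].values())
        shares = ({cat: round(100 * v / lab_total, 2)
                   for cat, v in labelled[cls].items()} if lab_total else {})
        result[cls] = {"shares": shares,
                       "coverage": round(100 * lab_total / total[cls], 2)}
    return result


if __name__ == "__main__":
    for cls, r in first_hop_shares(SWEEPS, DEPOSIT_CLASS, ENTITIES, RATES).items():
        print(cls, r)
```

Reporting the coverage next to the shares is the check a reader of a chart like Figure 8 needs: a high mixer share over a small labelled fraction says less than the same share over most of the value, and in the constructed data roughly a fifth of the RaaS first-hop value goes to destinations with no label at all.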
In a sense, commodity actors do not partake in any systematic laundering at all, whereas RaaS actors use fraudulent (non-KYC) exchanges and mixers, a clear laundering strategy. Based on this, we hypothesize that the chances of recovering payments through law enforcement intervention are higher with commodity ransomware than with RaaS. The services of their choice logically leave more user traces (IP address, login session) than mixer services and fraudulent exchanges designed to obfuscate ownership. When an actor's collect-to-laundry time is high, a law enforcement investigation may be able to recover the funds. However, in many such cases there is less incentive to intercept transactions due to the comparatively low ransom amounts. The speed with which RaaS groups transfer funds out suggests criminal sophistication, which is also reflected in their preferred means of laundering. Given this, it is difficult to intercept funds unless law enforcement is already involved at the very moment the payment is made [25].

Ransomware is a severe and growing threat. In this paper, we take a data-driven, "follow the money" approach to characterize the structure and evolution of the ransomware ecosystem. To this end, we report on our experience operating Ransomwhere, our open crowdsourced ransomware payment tracker that collects information from victims of ransomware attacks. By analyzing a corpus of more than 13.5k ransom payments with a total revenue of more than $101 million, we shed light on the practices of these criminal actors over the last years. Our analysis unveils two symbiotic, parallel markets: commodity ransomware actors and, dominant since 2019, Ransomware as a Service (RaaS) actors. The first is operated by individuals or a small group of programmers, the second by professional criminals who offer their ransomware on an affiliate basis to typically less technical criminal actors.
Due to differences in victimization, the first demands low ransom amounts, the latter higher amounts depending on the victim profile. Our analysis of ransom payments (all in Bitcoin) shows that RaaS actors have adopted more sophisticated address and script usage than commodity actors in their operations and typically generate one address per victim to hide their identity. This allows RaaS actors to generate more revenue with a higher level of protection, attracting more criminal groups to use RaaS for high-profile attacks in recent years. RaaS actors are also more efficient at laundering ransom payments, as they move funds to laundering services within hours or days. RaaS actors also transfer ransom revenue to mixers and other sophisticated laundering entities, which makes it difficult for law enforcement agencies to recover ransom payments.

[1] AT&T Alien Labs Open Threat Exchange
[2] Wannacry money laundering attempt thwarted
[3] HSE cyber-attack: Irish health service still recovering months after hack
[4] Swedish Coop supermarkets shut due to US ransomware cyber-attack
[6] Ransomwhere: A Crowdsourced Ransomware Payment Dataset
[7] BTC-e founder sentenced to five years in prison for laundering ransomware funds
[8] Dutch supermarkets run out of cheese after ransomware attack
[9] Top Routinely Exploited Vulnerabilities
[10] DarkMarket: world's largest illegal dark web marketplace taken down
[11] Ransomware: What you need to know
[14] The Untold Story of NotPetya, the Most Devastating Cyberattack in History
[15] The Guardian. 2017. WannaCry, Petya, NotPetya: how ransomware hit the big time in 2017
[16] JBS Paid $11 Million to Resolve Ransomware Attack
[17] Cutting the Gordian knot: A look under the hood of ransomware attacks
[18] CARBON SPIDER Embraces Big Game Hunting
[19] Microsoft. 2021. How cyberattacks are changing according to new Microsoft Digital Defense Report
[20] NPR. 2021. Panic Drives Gas Shortages After Colonial Pipeline Ransomware Attack
[21] 2022. 2021 Cybersecurity Year in Review
[22] Australian Government Department of Home Affairs. Australia's Ransomware Action Plan
[23] United States Files A Civil Action To Forfeit Cryptocurrency Valued At Over One Billion U
[24] Department of Justice. Department of Justice Launches Global Action Against NetWalker Ransomware
[25] Department of Justice. Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside
[26] Department of Justice. 2021. Individual arrested and charged with operating notorious darknet cryptocurrency mixer
[27] Department of Justice. 2021. Six charged with crimes related to virtual currency exchange business
[28] Department of the Treasury, Financial Crimes Enforcement Network. 2021. Ransomware Trends in Bank Secrecy Act Data Between
[29] Cyber Security Threats to Bitcoin Exchanges: Adversary Exploitation and Laundering Techniques
[30] Ransomware Payments in the Bitcoin Ecosystem
[31] Accuses Russian of Money Laundering for Ryuk Ransomware Gang
[32] Crypto Giant Binance Kept Weak Money-Laundering Checks Even As It Promised Tougher Compliance, Documents Show
[33] Dark Web Solutions
[34] Translated: Talos' insights from the recently leaked Conti ransomware playbook
[35] McAfee ATR Operational Intelligence Team. 2020. Take a "NetWalk" on the Wild Side
[36] Financial Times. 2022. The rise of crypto laundries: how criminals cash out of bitcoin
[37] UK National Cyber Security Centre. 2021. Mitigating malware and ransomware attacks
[38] Federal Bureau of Investigation (FBI). 2021. Common Scams and Crimes: Ransomware
[39] A Large-scale Empirical Analysis of Ransomware Activities in Bitcoin
[40] Blockchain attacks on privacy