Discerning payment patterns in Bitcoin from ransomware attacks

Adam B. Turner (Department of Security Studies and Criminology, Macquarie University, Sydney, Australia)
Stephen McCombie (Department of Security Studies and Criminology, Macquarie University, Sydney, Australia)
Allon J. Uhlmann (Department of Security Studies and Criminology, Macquarie University, Sydney, Australia)

Journal of Money Laundering Control

ISSN: 1368-5201

Article publication date: 7 July 2020

Issue publication date: 25 October 2020

Abstract

Purpose

The purpose of this paper is to investigate available forensic data on the Bitcoin blockchain to identify typical transaction patterns of ransomware attacks. Specifically, the authors explore how distinct these patterns are and their potential value for intelligence exploitation in support of countering ransomware attacks.

Design/methodology/approach

The authors created an analytic framework – the Ransomware–Bitcoin Intelligence–Forensic Continuum framework – to search for transaction patterns in the blockchain records of actual ransomware attacks. Data on a number of different ransomware Bitcoin addresses was extracted via the WalletExplorer.com programming interface to populate the framework. This data was then assembled into a representation of the target network for pattern analysis on the input (cash-in) and output (cash-out) side of the ransomware seed addresses. Different graph algorithms were applied to these networks, and the results were compared to a "control" network derived from a Bitcoin charity.

Findings

The findings show discernible patterns in the network relating to the input and output side of the ransomware graphs. However, on the input side these patterns are not easily distinguishable from those associated with the charity Bitcoin address, although the ransomware collection profile over time is more volatile than that of the charity address. On the output side, ransomware patterns differ from those associated with charity addresses, as the attackers' cash-out tactics are quite different from the way charities mobilise their donations. The authors further argue that applying graph machine learning provides a basis for future analysis and data refinement.
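To make the methodology and findings concrete, the following is an added illustration (not the authors' code or data) of the cash-in/cash-out analysis around a seed address: it builds a directed transaction graph from constructed records, measures how bursty the collection profile is, and walks the cash-out side hop by hop. Address names, day numbers and amounts are all invented for the example.

```python
"""Toy cash-in / cash-out analysis around a seed address (constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample transactions, NOT real blockchain data:
# (day, from_address, to_address, amount_btc)
SAMPLE_TXS = [
    # cash-in to a hypothetical ransomware seed: bursts of same-sized payments
    (1, "victim_a", "SEED_RW", 0.5), (1, "victim_b", "SEED_RW", 0.5),
    (1, "victim_c", "SEED_RW", 0.5), (2, "victim_d", "SEED_RW", 0.5),
    (5, "victim_e", "SEED_RW", 0.5), (5, "victim_f", "SEED_RW", 0.5),
    (5, "victim_g", "SEED_RW", 0.5), (5, "victim_h", "SEED_RW", 0.5),
    # cash-out from that seed: consolidate, then split towards exchange-like outputs
    (6, "SEED_RW", "hop1", 3.9),
    (7, "hop1", "exch_x", 2.0), (7, "hop1", "exch_y", 1.8),
    # cash-in to a hypothetical charity seed: a steady trickle of small donations
    (1, "donor_a", "SEED_CH", 0.1), (2, "donor_b", "SEED_CH", 0.1),
    (3, "donor_c", "SEED_CH", 0.1), (4, "donor_d", "SEED_CH", 0.1),
    (5, "donor_e", "SEED_CH", 0.1), (6, "donor_f", "SEED_CH", 0.1),
    (7, "donor_g", "SEED_CH", 0.1),
    # charity cash-out: spent directly from the seed to a supplier
    (8, "SEED_CH", "supplier", 0.6),
]

def build_graph(txs):
    """Adjacency lists: ins[addr] / outs[addr] hold (day, peer, amount) edges."""
    ins, outs = defaultdict(list), defaultdict(list)
    for day, src, dst, amt in txs:
        outs[src].append((day, dst, amt))
        ins[dst].append((day, src, amt))
    return ins, outs

def cash_in_profile(ins, seed, days):
    """Daily incoming BTC to the seed over days 1..days (zero on quiet days)."""
    per_day = defaultdict(float)
    for day, _, amt in ins[seed]:
        per_day[day] += amt
    return [round(per_day[d], 8) for d in range(1, days + 1)]

def volatility(profile):
    """Coefficient of variation of the daily series; higher means burstier collection."""
    m = mean(profile)
    return pstdev(profile) / m if m else 0.0

def cash_out_hops(outs, seed, depth=2):
    """Breadth-first walk downstream of the seed; returns addresses reached at each hop."""
    frontier, reached = {seed}, []
    for _ in range(depth):
        frontier = {dst for a in frontier for _, dst, _ in outs[a]}
        reached.append(sorted(frontier))
    return reached
```

On this constructed data the ransomware seed shows a far more volatile cash-in profile and a multi-hop cash-out path, while the charity seed collects steadily and spends directly, mirroring the contrast the findings describe.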

Research limitations/implications

Limitations are evident in the sample size of data taken on ransomware campaigns and the “control” subject. Further analysis of additional ransomware campaigns and “control” subjects over time would help refine and validate the preliminary observations in this paper. Future research will also benefit from the application of more powerful computing resources and analytics platforms that scale with the amount of data being collected.

Originality/value

This research contributes to the maturity of the field by analysing ransomware–Bitcoin behaviour using the Ransomware–Bitcoin Intelligence–Forensic Continuum. By combining several different techniques to discern patterns of ransomware activity on the Bitcoin network, it provides insight into whether a ransomware attack is occurring; this could be used to trigger alerts prompting the collection of additional evidence of an attack, or to corroborate other information in the system.

Acknowledgements

Aleš Janda for the use of the www.walletexplorer.com API to access blockchain data.

Citation

Turner, A.B., McCombie, S. and Uhlmann, A.J. (2020), "Discerning payment patterns in Bitcoin from ransomware attacks", Journal of Money Laundering Control, Vol. 23 No. 3, pp. 545-589. https://doi.org/10.1108/JMLC-02-2020-0012

Publisher

Emerald Publishing Limited

Copyright © 2020, Emerald Publishing Limited
