Discerning payment patterns in Bitcoin from ransomware attacks
Journal of Money Laundering Control
ISSN: 1368-5201
Article publication date: 7 July 2020
Issue publication date: 25 October 2020
Abstract
Purpose
The purpose of this paper is to investigate available forensic data on the Bitcoin blockchain to identify typical transaction patterns of ransomware attacks. Specifically, the authors explore how distinct these patterns are and their potential value for intelligence exploitation in support of countering ransomware attacks.
Design/methodology/approach
The authors created an analytic framework – the Ransomware–Bitcoin Intelligence–Forensic Continuum framework – to search for transaction patterns in the blockchain records from actual ransomware attacks. Data of a number of different ransomware Bitcoin addresses was extracted to populate the framework, via the WalletExplorer.com programming interface. This data was then assembled in a representation of the target network for pattern analysis on the input (cash-in) and output (cash-out) side of the ransomware seed addresses. Different graph algorithms were applied to these networks. The results were compared to a “control” network derived from a Bitcoin charity.
Findings
The findings show discernible patterns in the network relating to the input and output side of the ransomware graphs. However, these patterns are not easily distinguishable from those associated with the charity Bitcoin address on the input side. Nonetheless, the collection profile over time is more volatile than with the charity Bitcoin address. On the other hand, ransomware output patterns differ from those associated with charity addresses, as the attacker cash-out tactics are quite different from the way charities mobilise their donations. The authors further argue that an application of graph machine learning provides a basis for future analysis and data refinement possibilities.
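As an added illustration of the input-side and output-side profiling described in the methodology and findings above (this is example code, not the authors' Ransomware–Bitcoin Intelligence–Forensic Continuum framework, and it does not call the WalletExplorer.com API), the script below builds an address-to-address graph from a constructed set of UTXO-style transactions, then computes two of the quantities the abstract discusses: how volatile a seed address's daily receipts are on the cash-in side, and how widely funds fan out within a few hops on the cash-out side. All addresses, amounts and days are constructed sample values; the proportional attribution of outputs to inputs is a deliberate simplification of real change-address heuristics.

```python
"""Cash-in / cash-out profiling around a Bitcoin seed address (constructed data, stdlib only)."""
from collections import defaultdict
from math import sqrt

# Constructed sample transactions (not real blockchain data). Each entry lists
# (address, amount) pairs for inputs and outputs plus the day it was confirmed.
# "seed_ransom" collects six equal victim payments in bursts, then splits the
# proceeds across three fresh addresses that each forward to a deposit address.
# "seed_charity" collects steady daily donations and moves them to one ops wallet.
TXS = [
    {"day": 1, "inputs": [("v1", 0.5)], "outputs": [("seed_ransom", 0.5)]},
    {"day": 1, "inputs": [("v2", 0.5)], "outputs": [("seed_ransom", 0.5)]},
    {"day": 3, "inputs": [("v3", 0.5)], "outputs": [("seed_ransom", 0.5)]},
    {"day": 3, "inputs": [("v4", 0.5)], "outputs": [("seed_ransom", 0.5)]},
    {"day": 3, "inputs": [("v5", 0.5)], "outputs": [("seed_ransom", 0.5)]},
    {"day": 5, "inputs": [("v6", 0.5)], "outputs": [("seed_ransom", 0.5)]},
    {"day": 6, "inputs": [("seed_ransom", 3.0)],
     "outputs": [("split1", 1.0), ("split2", 1.0), ("split3", 1.0)]},
    {"day": 7, "inputs": [("split1", 1.0)], "outputs": [("deposit1", 1.0)]},
    {"day": 7, "inputs": [("split2", 1.0)], "outputs": [("deposit2", 1.0)]},
    {"day": 8, "inputs": [("split3", 1.0)], "outputs": [("deposit3", 1.0)]},
    {"day": 1, "inputs": [("d1", 0.5)], "outputs": [("seed_charity", 0.5)]},
    {"day": 2, "inputs": [("d2", 0.6)], "outputs": [("seed_charity", 0.6)]},
    {"day": 3, "inputs": [("d3", 0.7)], "outputs": [("seed_charity", 0.7)]},
    {"day": 4, "inputs": [("d4", 0.6)], "outputs": [("seed_charity", 0.6)]},
    {"day": 5, "inputs": [("d5", 0.6)], "outputs": [("seed_charity", 0.6)]},
    {"day": 6, "inputs": [("seed_charity", 3.0)], "outputs": [("charity_ops", 3.0)]},
]


def build_edges(txs):
    """Flatten transactions into weighted (src, dst, amount, day) edges.

    Each output's value is attributed to the inputs in proportion to what they
    contributed. This is a simplification: real analysis needs change-output
    and common-input-ownership heuristics to avoid over-counting.
    """
    edges = []
    for tx in txs:
        total_in = sum(amt for _, amt in tx["inputs"])
        for src, in_amt in tx["inputs"]:
            share = in_amt / total_in
            for dst, out_amt in tx["outputs"]:
                edges.append((src, dst, out_amt * share, tx["day"]))
    return edges


def cash_in_profile(edges, seed, days):
    """Input-side view: distinct payers, total received and day-to-day volatility.

    Volatility is the coefficient of variation (population std / mean) of daily
    receipts over a window of `days` days; bursty collection scores higher.
    """
    payers = set()
    daily = [0.0] * days
    for src, dst, amt, day in edges:
        if dst == seed and 1 <= day <= days:
            payers.add(src)
            daily[day - 1] += amt
    mean = sum(daily) / days
    std = sqrt(sum((x - mean) ** 2 for x in daily) / days)
    return {
        "payers": len(payers),
        "total": round(sum(daily), 8),
        "daily": daily,
        "volatility": std / mean if mean else 0.0,
    }


def cash_out_profile(edges, seed, hops):
    """Output-side view: first-hop fan-out and addresses reachable within `hops`.

    A seed that splits funds across many fresh addresses before they converge on
    deposit addresses shows a larger fan-out and reachable set than one that
    moves funds to a single operational wallet.
    """
    adj = defaultdict(set)
    for src, dst, _, _ in edges:
        adj[src].add(dst)
    first_hop = adj[seed] - {seed}          # ignore change paid back to the seed
    seen, frontier = set(first_hop), set(first_hop)
    for _ in range(hops - 1):
        nxt = set()
        for addr in frontier:
            nxt |= adj[addr]
        nxt -= seen | {seed}
        seen |= nxt
        frontier = nxt
    return {"fan_out": len(first_hop), "reachable": len(seen)}


if __name__ == "__main__":
    edges = build_edges(TXS)
    for seed in ("seed_ransom", "seed_charity"):
        print(seed, cash_in_profile(edges, seed, days=5), cash_out_profile(edges, seed, hops=2))
```

Run stand-alone, the script prints both profiles side by side: the two seeds receive the same total from a similar number of payers, which is the abstract's point that input-side patterns alone are hard to tell apart, while the volatility and the cash-out fan-out separate them. On real data the same two functions would be fed edges derived from an address's full transaction history rather than the constructed list above.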
Research limitations/implications
Limitations are evident in the sample size of data taken on ransomware campaigns and the “control” subject. Further analysis of additional ransomware campaigns and “control” subjects over time would help refine and validate the preliminary observations in this paper. Future research will also benefit from the application of more powerful computing resources and analytics platforms that scale with the amount of data being collected.
Originality/value
This research contributes to the maturity of the field by analysing ransomware-Bitcoin behaviour using the Ransomware–Bitcoin Intelligence–Forensic Continuum. By combining several different techniques to discern patterns of ransomware activity on the Bitcoin network, it provides insight into whether a ransomware attack is occurring and could be used to trigger alerts to seek additional evidence of attack, or could corroborate other information in the system.
Keywords
Acknowledgements
Aleš Janda for the use of the www.walletexplorer.com API to access blockchain data.
Citation
Turner, A.B., McCombie, S. and Uhlmann, A.J. (2020), "Discerning payment patterns in Bitcoin from ransomware attacks", Journal of Money Laundering Control, Vol. 23 No. 3, pp. 545-589. https://doi.org/10.1108/JMLC-02-2020-0012
Publisher
Emerald Publishing Limited
Copyright © 2020, Emerald Publishing Limited