Purpose: The purpose of this paper is to investigate available forensic data on the Bitcoin blockchain to identify typical transaction patterns of ransomware attacks. Specifically, the authors explore how distinct these patterns are and their potential value for intelligence exploitation in support of countering ransomware attacks.
Design/methodology/approach: The authors created an analytic framework – the Ransomware–Bitcoin Intelligence–Forensic Continuum framework – to search for transaction patterns in the blockchain records from actual ransomware attacks. Data of a number of different ransomware Bitcoin addresses was extracted to populate the framework, via the WalletExplorer.com programming interface. This data was then assembled in a representation of the target network for pattern analysis on the input (cash-in) and output (cash-out) side of the ransomware seed addresses. Different graph algorithms were applied to these networks. The results were compared to a “control” network derived from a Bitcoin charity.
Findings: The findings show discernible patterns in the network relating to the input and output side of the ransomware graphs. However, these patterns are not easily distinguishable from those associated with the charity Bitcoin address on the input side. Nonetheless, the collection profile over time is more volatile than with the charity Bitcoin address. On the other hand, ransomware output patterns differ from those associated charity addresses, as the attacker cash-out tactics are quite different from the way charities mobilise their donations. We further argue that an application of graph machine learning provides a basis for future analysis and data refinement possibilities.
Research limitations/implications: Limitations are evident in the sample size of data taken on ransomware campaigns and the “control” subject. Further analysis of additional ransomware campaigns and “control” subjects over time would help refine and validate the preliminary observations in this paper. Future research will also benefit from the application of more powerful computing resources and analytics platforms that scale with the amount of data being collected.
Originality/value: This research contributes to the maturity of the field by analysing ransomware-Bitcoin behaviour using the Ransomware–Bitcoin Intelligence–Forensic Continuum. By combining several different techniques to discerning patterns of ransomware activity on the Bitcoin network, it provides insight into whether a ransomware attack is occurring and could be used to trigger alerts to seek additional evidence of attack, or could corroborate other information in the system.
- Graph analysis
- Illicit money flows