Website monitors data from ransomware attacks

Sheila Zabeu -

July 16, 2021

Ransomwhere, a website designed to track ransom payments made after ransomware attacks, aims to build a centralized, open, and free database that helps measure the spread of ransomware, the size and profitability of operations, and the effectiveness of efforts to combat and mitigate this type of cybercrime.

This is a personal project of Jack Cable, a Stanford University student and security researcher at Krebs Stamos Group who previously worked for the US Cybersecurity and Infrastructure Security Agency (CISA). “After seeing that there is currently no single place with public data on ransomware payments, and seeing that it is not difficult to track bitcoin transactions, I decided to gather this information,” the researcher said.

The website lets ransomware victims and cybersecurity professionals submit a screenshot of the ransom demand together with the amount requested and the cryptocurrency address to which payment was to be made. The database compiled from all reports is available for free download, and the personal data of victims and reporters is kept private.

Because it is impossible to verify with complete certainty that a ransomware report is true and accurate, the site says it relies on collective knowledge to weed out false or mistaken reports: reports corroborated by different sources are given priority, and every element of a report is made public so that others can check it. Reports suspected of being untrue are removed from the Ransomwhere database.

For 2021 alone, with figures totaled in mid-July, the site showed the chart below and more than $46 million in tracked ransom payments. Much of that went to the REvil gang behind the attacks on JBS and Kaseya.

The researcher hopes to go beyond victim contributions and partner with cybersecurity and blockchain-analytics companies to integrate more data on ransomware actors. Bitcoin analytics firms such as Chainalysis, for example, have previously collected the payment addresses found in malware samples and ransom notes and then checked the blockchain to determine whether payment was actually made.

In this way, one can estimate the profit of ransomware groups, such as:

However, this type of research has been limited to the larger ransomware gangs. It is precisely to close this gap, among others, that the Ransomwhere website intends to act. “It might be interesting to follow the path of bitcoins – for example, after the criminals get paid, where do the bitcoins go? As the project progresses, I may do this on my own or through partnerships with specialist companies,” Cable said in an interview with The Record.
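The workflow the article describes (collect the payment address from a ransom note, screen out mistaken reports, then check whether the address was actually paid) is shown below in Python 3.8+ as an added example; it is not code from Ransomwhere, Chainalysis or the researcher. Candidate addresses are pulled from the note with a regular expression and then checked against the checksums built into Bitcoin address formats (Base58Check for legacy addresses starting with 1 or 3, bech32/bech32m for bc1 addresses per BIP173/BIP350), so that a mistranscribed address is rejected rather than counted; validated addresses are then tallied against a constructed in-memory list of transaction outputs that stands in for a blockchain query. The ransom note, the transaction list and all names are constructed for the example, and only mainnet (bc) SegWit addresses are accepted.

```python
import hashlib
import re
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # legacy 1.../3... alphabet
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 bc1... alphabet

def b58check_decode(addr):
    """Return (version_byte, hash160) or None if the Base58Check checksum fails."""
    n = 0
    for ch in addr:
        if (i := B58.find(ch)) < 0:
            return None
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each leading '1' is a zero byte
    if len(raw) != 25 or hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] != raw[21:]:
        return None
    return raw[0], raw[1:21]

def bech32_polymod(values):  # BCH checksum polynomial from BIP173
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def segwit_decode(addr):
    """Return (witness_version, program) for a valid mainnet bech32/bech32m address, else None."""
    if addr != addr.lower() and addr != addr.upper():
        return None  # mixed case is invalid (BIP173)
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, data = addr[:pos], addr[pos + 1:]
    if hrp != "bc" or any(c not in B32 for c in data):  # assumption: mainnet only, no tb1
        return None
    vals = [B32.index(c) for c in data]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    version = vals[0]
    # witness v0 uses bech32 (constant 1); v1-v16 use bech32m (BIP350)
    if bech32_polymod(hrp_exp + vals) != (1 if version == 0 else 0x2BC830A3):
        return None
    acc, bits, prog = 0, 0, bytearray()
    for v in vals[1:-6]:  # skip version and 6-char checksum; regroup 5-bit -> 8-bit
        acc, bits = (acc << 5) | v, bits + 5
        if bits >= 8:
            bits -= 8
            prog.append((acc >> bits) & 0xFF)
    if bits >= 5 or acc & ((1 << bits) - 1):  # padding must be < 5 bits and all zero
        return None
    if version > 16 or not 2 <= len(prog) <= 40 or (version == 0 and len(prog) not in (20, 32)):
        return None
    return version, bytes(prog)

def classify(addr):
    """Script type of a valid mainnet address, or None if the checksum or layout is wrong."""
    if legacy := b58check_decode(addr):
        return {0x00: "p2pkh", 0x05: "p2sh"}.get(legacy[0])
    if segwit := segwit_decode(addr):
        version, prog = segwit
        return {0: "p2wpkh" if len(prog) == 20 else "p2wsh", 1: "p2tr"}.get(version, f"witness_v{version}")
    return None

ADDR_RE = re.compile(r"(?<![0-9A-Za-z])(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}"  # candidate tokens only;
                     r"|bc1[02-9ac-hj-np-z]{6,87}|BC1[02-9AC-HJ-NP-Z]{6,87})(?![0-9A-Za-z])")  # classify() validates

def extract_addresses(text):
    """Split candidates in a ransom note into validated {addr: type} and rejected [addr]."""
    valid, rejected = {}, []
    for m in ADDR_RE.finditer(text):
        if kind := classify(m.group(0)):
            valid[m.group(0)] = kind
        else:
            rejected.append(m.group(0))
    return valid, rejected

def tally_payments(addresses, outputs):
    """Sum satoshis received by each reported address over (txid, address, sats) outputs."""
    totals = {a: 0 for a in addresses}
    for _txid, addr, sats in outputs:
        if addr in totals:
            totals[addr] += sats
    return totals

# Constructed ransom note as transcribed from a submitted screenshot; each "Backup" line has a one-character typo
REPORTED_NOTE = """Pay 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 72 hours.
SegWit wallet: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
Backup: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
Backup: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5
"""

OBSERVED_OUTPUTS = [  # constructed stand-in for a blockchain query: (txid, receiving address, satoshis)
    ("tx-0001", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", 50_000_000),
    ("tx-0002", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", 12_500_000),
    ("tx-0003", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", 7_000_000),  # not in the note: ignored
]
```

Calling `extract_addresses(REPORTED_NOTE)` returns the two checksum-valid addresses and the two mistranscribed ones; `tally_payments(valid, OBSERVED_OUTPUTS)` then reports 0.5 BTC and 0.125 BTC received and ignores the output to an address that does not appear in the note. A checksum only catches transcription errors; it says nothing about whether an address belongs to a ransomware actor, which is what the corroboration from multiple sources described above is for.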