Search results

1 – 10 of 537
Article
Publication date: 7 October 2019

Adam B. Turner, Stephen McCombie and Allon J. Uhlmann

Abstract

Purpose

This paper aims to demonstrate the utility of a target-centric approach to intelligence collection and analysis in the prevention and investigation of ransomware attacks that involve cryptocurrencies. The paper uses the May 2017 WannaCry ransomware usage of the Bitcoin ecosystem as a case study. The approach proves particularly beneficial in facilitating information sharing and an integrated analysis across intelligence domains.

Design/methodology/approach

This study conducted data collection and analysis of the component Bitcoin elements of the WannaCry ransomware attack. A note of both technicalities of Bitcoin operations and current models for sharing cyber intelligence was made. Our analysis builds on and further develops current definitions and strategies for sharing cyber threat intelligence. It uses the problem definition model (PDM) and generic target network model (TNM) to create an analytic framework for the WannaCry ransomware attack scenario, allowing analysts the ability to test their hypotheses and integrate and share data for collaborative investigation.

Findings

Using a target-centric intelligence approach to WannaCry 2.0 shows that it is possible to model the intelligence problem of collecting and analysing data related to inflows and outflows of Bitcoin-related ransomware transactions. Bitcoin transactions form graph networks and allow a target network model to be built for collecting, analysing and sharing intelligence with multiple stakeholders. Although attribution and anonymity prevail under cryptocurrency usage, there is a means for developing transaction walks using this method to target nefarious cryptocurrency exchanges where criminals are inclined to cash out their proceeds of crime.

Originality/value

The application of a target-centric intelligence approach to the cryptocurrency components of a ransomware attack provides a framework for intelligence units to break down the problem in the financial domain and model the network behaviour of illicit Bitcoin transactions relating to ransomware.

Details

Journal of Money Laundering Control, vol. 22 no. 4
Type: Research Article
ISSN: 1368-5201

Article
Publication date: 7 July 2020

Adam B. Turner, Stephen McCombie and Allon J. Uhlmann

Abstract

Purpose

The purpose of this paper is to investigate available forensic data on the Bitcoin blockchain to identify typical transaction patterns of ransomware attacks. Specifically, the authors explore how distinct these patterns are and their potential value for intelligence exploitation in support of countering ransomware attacks.

Design/methodology/approach

The authors created an analytic framework – the Ransomware–Bitcoin Intelligence–Forensic Continuum framework – to search for transaction patterns in the blockchain records from actual ransomware attacks. Data of a number of different ransomware Bitcoin addresses was extracted to populate the framework, via the WalletExplorer.com programming interface. This data was then assembled in a representation of the target network for pattern analysis on the input (cash-in) and output (cash-out) side of the ransomware seed addresses. Different graph algorithms were applied to these networks. The results were compared to a “control” network derived from a Bitcoin charity.

Findings

The findings show discernible patterns in the network relating to the input and output side of the ransomware graphs. However, these patterns are not easily distinguishable from those associated with the charity Bitcoin address on the input side. Nonetheless, the collection profile over time is more volatile than with the charity Bitcoin address. On the other hand, ransomware output patterns differ from those associated with charity addresses, as the attacker cash-out tactics are quite different from the way charities mobilise their donations. We further argue that an application of graph machine learning provides a basis for future analysis and data refinement possibilities.

Research limitations/implications

Limitations are evident in the sample size of data taken on ransomware campaigns and the “control” subject. Further analysis of additional ransomware campaigns and “control” subjects over time would help refine and validate the preliminary observations in this paper. Future research will also benefit from the application of more powerful computing resources and analytics platforms that scale with the amount of data being collected.

Originality/value

This research contributes to the maturity of the field by analysing ransomware-Bitcoin behaviour using the Ransomware–Bitcoin Intelligence–Forensic Continuum. By combining several different techniques for discerning patterns of ransomware activity on the Bitcoin network, it provides insight into whether a ransomware attack is occurring and could be used to trigger alerts to seek additional evidence of attack, or could corroborate other information in the system.

Details

Journal of Money Laundering Control, vol. 23 no. 3
Type: Research Article
ISSN: 1368-5201

Expert briefing
Publication date: 25 April 2016

Ransomware outlook.

Details

DOI: 10.1108/OXAN-DB210739

ISSN: 2633-304X

Article
Publication date: 19 April 2022

Anna Cartwright, Edward Cartwright, Lian Xue and Julio Hernandez-Castro

Abstract

Purpose

Ransomware is a relatively new form of financial extortion that is proving a major cyber-security threat to individuals and organisations. This study aims to investigate factors that may influence an individual's willingness to engage in a ransom payment.

Design/methodology/approach

This study ran a large survey (n = 1,798) on a representative sample of the UK population. This study elicited willingness to pay (WTP) ransomware and also reasons for not wanting to pay a ransom to criminals. This study then used non-parametric tests and regression analysis to identify factors that influence WTP.

Findings

This study finds that women and younger age groups are significantly more willing to pay a ransom, as are those who store photos. There is a strong positive relationship between concern for data breach and WTP a ransom.

Originality/value

To the best of the authors’ knowledge, this is the first large scale study to look at WTP ransomware. This study identifies a range of factors that can help inform law enforcement to target advice about ransomware attacks.

Details

Journal of Financial Crime, vol. 30 no. 3
Type: Research Article
ISSN: 1359-0790

Expert briefing
Publication date: 9 January 2023

Established in October 2021, the CRI’s 36 member countries and the EU have jointly begun to clarify the group’s priorities and processes for tackling ransomware. The initiative…

Expert briefing
Publication date: 17 August 2022

The ransomware landscape has been shifting this year as criminals adapt to law enforcement crackdowns, heightened security of critical infrastructure, extensive Western sanctions…

Details

DOI: 10.1108/OXAN-DB272162

ISSN: 2633-304X

Article
Publication date: 11 October 2021

Sebastian Knebel, Mario D. Schultz and Peter Seele

Abstract

Purpose

This paper aims to outline how destructive communication exemplified by ransomware cyberattacks destroys the process of organization, causes a “state of exception,” and thus constitutes organization. The authors build on Agamben's state of exception and translate it into communicative constitution of organization (CCO) theory.

Design/methodology/approach

A significant increase of cyberattacks has impacted organizations in recent times and laid organizations under siege. This conceptual research builds on illustrative cases chosen by positive deviance case selection (PDCS) of ransomware attacks.

Findings

CCO theory focuses mainly on ordering characteristics of communication. The authors aim to complement this view with a perspective on destructive communication that destroys the process of organization. Based on illustrative cases, the authors conceptualize a process model of destructive CCO.

Practical implications

The authors expand thoughts about a digital “corporate immune system” to question current offensive cybersecurity strategies of deterrence and promote resilience approaches instead.

Originality/value

Informed by destructive communication of cyberattacks, this theory advancement supports arguments to include notions of disorder into CCO theory. Furthermore, the paper explains where disruptions like cyberattacks may trigger sensemaking and change to preserve stability. Finally, a novel definition of ‘destructive CCO’ is provided: Destructive Communication Constitutes Organization by disrupting and destroying its site and surface while triggering sensemaking and becoming part of sensemaking itself.

Details

Journal of Information, Communication and Ethics in Society, vol. 20 no. 1
Type: Research Article
ISSN: 1477-996X

Article
Publication date: 7 January 2019

Angela S.M. Irwin and Caitlin Dawson

Abstract

Purpose

The purpose of this paper is to show how global regulation of cryptocurrencies and other cybercurrencies can assist in addressing the challenges of attribution when investigating ransomware attacks and other types of cybercrime using these payment methods.

Design/methodology/approach

A literature review, looking at current academic research and discourse on the topic of cryptocurrency regulation, is conducted to highlight current thinking and perceived difficulties in implanting a global regulatory framework. In addition, the research explores how governments have addressed the risks posed by cryptocurrencies and how regulation has been implemented. The research focuses on the regulatory approaches of Australia, Europe and the Americas to determine whether they could feasibly address the risks posed by cryptocurrencies and be implemented on a global scale.

Findings

To date, few sustained efforts have been made to regulate Bitcoin or other cybercurrencies. Where regulation has been introduced, it has often proven too costly to implement, thereby, stifling Bitcoin industry growth, or too ad hoc to function effectively. These regulatory pitfalls are substantiated by the continuing difficulty faced by law enforcement agencies, in identifying individual Bitcoin users and separating those that are using them for nefarious purposes from those that are using them for legitimate ones. These challenges appear to grow exponentially when it comes to prosecuting criminals for Bitcoin-related offences, due to the enormous lack of agreement within the justice system of most countries as to the appropriate legal definition for Bitcoin. This research highlights three characteristics that will be vital to the success of any global regulatory framework. These are consistency, clarity and cost-effective implementation. A regulatory framework for Bitcoin that lacks any one of these elements will fail to meet the requirements of every stakeholder in the regulatory process. A framework that is too costly to implement will stifle fintech innovation, subsequently depriving national economies of the multitude of potential benefits promised by fostering fintech entrepreneurship. Equally, a framework that is inconsistent will hamper the global cooperation necessary to combat Bitcoin-related crime.

Originality/value

This research evaluates research, discourse and regulatory responses from academic and governmental sources and discusses how a global response to cryptocurrency regulation will help address the growing problem of attribution when it comes to ransomware attacks, which has experienced a considerable spike in recent months.

Details

Journal of Money Laundering Control, vol. 22 no. 1
Type: Research Article
ISSN: 1368-5201

Expert briefing
Publication date: 15 May 2017

Cybercriminals used malware called WannaCry to lock users' files and then demand a ransom to allow them access. WannaCry is a high-profile incident in an exploding trend of the…

Details

DOI: 10.1108/OXAN-DB220851

ISSN: 2633-304X

Expert briefing
Publication date: 3 April 2020

Ransomware attacks.

Details

DOI: 10.1108/OXAN-DB251771

ISSN: 2633-304X
