New 'Ransomwhere' Site Tracks Ransom Payments
Website Uses Crowdsourced Data to Track Payments to Ransomware Gangs
A white-hat hacker has created a crowdsourced website, Ransomwhere, dedicated to tracking payments made to ransomware gangs to help create a better understanding of the cybercriminal ecosystem.
Jack Cable, a security architect at the Krebs Stamos Group, announced the site Thursday. As of Monday, it listed more than $60 million in ransoms paid in 2,500 incidents dating back to 2015. The numbers loaded so far represent a preliminary sampling of ransoms paid, based on information gathered from victims and cybersecurity pros and tracked in publicly viewable bitcoin transactions, Cable says.
Cable says he created Ransomwhere on his own; it's not connected with his employer, Krebs Stamos Group.
"Ransomwhere aims to fill that gap by tracking bitcoin transactions associated with ransomware groups. It's public, so anyone can view and download the data," Cable wrote on Twitter. "And it's crowdsourced, so anyone can submit reports of ransomware they've been infected with or otherwise observed."
The researcher added: "Today, there's no comprehensive public data on the total number of ransomware payments. Without such data, we can't know the full impact of ransomware and whether taking certain actions changes the picture."
Cable hopes the website will call attention to the size of the ransomware problem.
"As we consider policy proposals to change the state of ransomware economics, we will need data to assess whether these actions are successful. Ransomwhere can help fill that gap," Cable says. "Furthermore, this data may be of use on the law enforcement side: As we saw with the Colonial Pipeline hack, law enforcement does have the ability to recover some payments, so it would be great if Ransomwhere can further aid their efforts."
Cable says he was inspired to create Ransomwhere by a tweet posted by Katie Nickels, director of intel at Red Canary, who on June 8 said the overall impact of cybercrime is essentially unknown.
Seriously, though, I think this is a huge part of the problem, especially around the ransomware ecosystem, but for cybercrime in general. No one knows the real impact, so it's hard to know if actions change that impact or not.
— Katie Nickels (@likethecoins) June 8, 2021
Tallying Up Payments
The new Ransomwhere site includes data on total payments, latest transactions and latest reports of attacks.
The site also lists payments by week, month and year.
Overall, Netwalker, Ryuk, RagnarLocker, SynAck and REvil/Sodinokibi have received the most payments, according to the statistics posted to the site so far.
Ransomware victims are not listed on the site, but Cable says he might eventually include this information. In the meantime, some payments can be traced to a specific attack.
"While I am not currently connecting payments to specific attacks, I may in the future add links to publicly reported attacks," Cable says.
The site lists information on 2,508 incidents, including the ransomware family, date of attack, bitcoin ransom paid, wallet address and hash. It also offers links to relevant news reports.
The site depends primarily on ransomware victims and cybersecurity pros to submit data. Each submission is then collated with the ransomware gang associated with the demand and the bitcoin wallet the attacker supplied for payment, so payments can be tracked once they have been made, Cable says.