New 'Ransomwhere' Site Tracks Ransom Payments

Website Uses Crowdsourced Data to Track Payments to Ransomware Gangs
The new Ransomwhere site attempts to compare ransoms gained by various ransomware gangs.

A white-hat hacker has created a crowdsourced website, Ransomwhere, dedicated to tracking payments made to ransomware gangs to help create a better understanding of the cybercriminal ecosystem.

Jack Cable, a security architect at the Krebs Stamos Group, announced the site Thursday. As of Monday, it listed more than $60 million in ransoms paid in 2,500 incidents dating back to 2015. The numbers loaded so far represent a preliminary sampling of ransoms paid, based on information gathered from victims and cybersecurity pros and tracked in publicly viewable bitcoin transactions, Cable says.

Independent Effort

Cable says he created Ransomwhere on his own; it's not connected with his employer, Krebs Stamos Group.

"Ransomwhere aims to fill that gap by tracking bitcoin transactions associated with ransomware groups. It's public, so anyone can view and download the data," Cable wrote on Twitter. "And it's crowdsourced, so anyone can submit reports of ransomware they've been infected with or otherwise observed."

The researcher added: "Today, there's no comprehensive public data on the total number of ransomware payments. Without such data, we can't know the full impact of ransomware and whether taking certain actions changes the picture."

Cable hopes the website will call attention to the size of the ransomware problem.

"As we consider policy proposals to change the state of ransomware economics, we will need data to assess whether these actions are successful. Ransomwhere can help fill that gap," Cable says. "Furthermore, this data may be of use on the law enforcement side: As we saw with the Colonial Pipeline hack, law enforcement does have the ability to recover some payments, so it would be great if Ransomwhere can further aid their efforts."

Cable says he was inspired to create Ransomwhere by a tweet posted by Katie Nickels, director of intel at Red Canary, who on June 8 said the overall impact of cybercrime is essentially unknown.

Tallying Up Payments

The new Ransomwhere site includes data on total payments, latest transactions and latest reports of attacks.

Latest ransomware payment transactions as tracked by Ransomwhere

The site also lists payments by week, month and year.

Overall, Netwalker, Ryuk, RagnarLocker, SynAck and REvil/Sodinokibi have received the most payments, according to the statistics posted to the site so far.

Ransomware victims are not listed on the site, but Cable says he might eventually include this information. In the meantime, some payments can be traced to a specific attack.

"While I am not currently connecting payments to specific attacks, I may in the future add links to publicly reported attacks," Cable says.

The site lists information on 2,508 incidents, including the ransomware family, date of attack, bitcoin ransom paid, wallet address and hash. It also offers links to relevant news reports.

The site depends primarily on ransomware victims and cybersecurity pros to submit data. Each report is then collated with the ransomware gang associated with the demand and the bitcoin wallet the attacker supplied for payment, so that payments can be tracked once they have been made, Cable says.

About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.
