Ransomware has never been more of a national security concern after a string of hacks against the fuel supplier Colonial Pipeline, meat giant JBS and perhaps thousands of others compromised after a breach at a large IT firm.
Few people, if any, seem to grasp the breadth and cost of the scourge, as there are no legal requirements for victims to disclose when they pay hackers to unlock their network. That, combined with the suspicion that most victims don’t report their digital extortion payments, makes it harder for law enforcement and security firms to combat attacks, or even understand how to fight them.
That’s the impetus behind a project that Stanford University student and security researcher Jack Cable launched on Thursday, dubbed “Ransomwhere,” a plan to track payments to bitcoin addresses associated with known ransomware gangs.
“Having public transparency around the impact of ransomware, especially as we’re proposing and considering different actions to try to combat ransomware — we’ll need a way of seeing whether those actions actually work,” Cable said in an interview with CyberScoop.
Cable, who besides his college studies works as a security architect at the Krebs-Stamos Group consultancy and a hacker at the Defense Department’s Defense Digital Service, said he will head the crowdsourcing project in his spare time. He’s also hoping to team up with other security and blockchain analysis companies that track ransomware data via other means.
A June tweet about the ransomware data gap from Katie Nickels, director of intelligence for cybersecurity company Red Canary, helped inspire Ransomwhere, Cable said. He’s been working to build a starting trove of information since, tracking nearly $57 million in payments so far. Anyone can download the resulting database.
By total payments received, the NetWalker gang leads the data Cable has collected so far, with more than 3,000 payments, compared with nearly 750 payments to Ryuk, the gang in second place.
Nickels told CyberScoop she thought that Cable’s idea “comes with some challenges,” namely in verifying the accuracy of data submitted to the site. She also said that while it might offer an avenue for organizations cautious about disclosing data to government agencies to share information, it won’t be a complete database.
“Ransomwhere is a great example of how members of the cybersecurity community are working together to try to combat ransomware,” she said via email. “While it’s an imperfect solution, when it comes to the ransomware problem, we’re at the point where trying new ideas and approaches is worthwhile to try to put a dent in this pervasive global threat.”
Cable said he’s aware of the risk of someone submitting false data.
“The remedy is that I make all the data public, and I also manually approve the reports, and people are required to share in a public way,” such as documentation or a screenshot, he said. It’s not “surefire,” but there are safeguards, Cable said.
He doesn’t worry about running afoul of law enforcement efforts — the Justice Department notably recovered $2 million worth of cryptocurrency that Colonial Pipeline paid to DarkSide ransomware operators, in part by tracking a bitcoin ledger — because he expects that savvy ransomware gangs are already wise to investigators’ techniques. Cable himself has helped victims avert potential losses.
Ransomwhere is “never going to be a complete picture of everything that’s happening,” Cable said. “But I think it’s still better than nothing, to know at least what we can see and have some public transparency here to assess it.”