Abstract
Ransomware poses an increasing challenge to society, yet there is a notable gap in research on the effectiveness of law enforcement interventions. A key insight from our study is that the presence of victims' details on leak pages following double extortion ransomware attacks offers a unique opportunity to evaluate these interventions. Analyzing a dataset containing victims published by ransomware groups, we assess the impact of five specific types of interventions: arresting group members, taking down leak page server infrastructure, freezing crypto assets, releasing decryptors, and imposing sanctions.
From a collected list of interventions, we categorize ransomware groups' responses into three actions: ceasing operations, continuing operations, or rebranding under a new name. Initial results show that nearly half of the interventions led to ransomware groups ceasing operations. Additionally, our findings suggest minimal crime displacement, with fewer victims attacked post-intervention if the groups continued their activities. Observed rebranding among these groups is also limited.
We discuss the implications and limitations of our research and conclude with two recommendations for law enforcement: prioritize frequent small interventions over a single large intervention and diversify the set of interventions to better counter the adaptive nature of ransomware groups.
Original language | English |
---|---|
Title of host publication | Symposium on Electronic Crime Research |
Publication status | Accepted/In press - 2025 |
Event | Symposium on Electronic Crime Research, eCrime 2024 - Boston, United States; Duration: 24 Sept 2024 → 26 Sept 2024 |
Publication series
Name | eCrime Researchers Summit, eCrime |
---|---|
Publisher | IEEE |
ISSN (Print) | 2159-1237 |
Conference
Conference | Symposium on Electronic Crime Research, eCrime 2024 |
---|---|
Abbreviated title | eCrime 2024 |
Country/Territory | United States |
City | Boston |
Period | 24/09/24 → 26/09/24 |