It’s estimated that total global ransomware payments approached $350 million last year, up more than 300% from 2019. To stem the rising tide of ransomware attacks, a new site wants to shed some much-needed light on where payments from victims are going.
Cleverly called Ransomwhere, the site is the creation of security researcher Jack Cable. Cable worked with the Cybersecurity and Infrastructure Security Agency (CISA) as security advisor for the 2020 elections. He’s also spent years hunting bug bounties and working as a red team hacker — acting as an adversary to help organizations discover and mitigate weaknesses in their cyber defenses.
In an interview with TechCrunch, Cable states that he was inspired to create Ransomwhere after reading a tweet from Red Canary Director of Intel Katie Nickels. Responding to a question about whether the infosec community could estimate total losses tied to the notorious TrickBot malware, Nickels noted that “No one knows the real impact.” She added that it’s therefore difficult to know whether specific victim actions — like paying or refusing to pay ransoms — make a difference.
Cable chimed in, adding that it “would be awesome to have raw data or a dashboard tracking payments by strain.” Since no such thing existed, he set about creating one… and Ransomwhere was born.
To date, Ransomwhere has tracked over $56 million in ransomware payments. So far, Netwalker dominates the leaderboard with more than 520 payments made. That includes several payments of hundreds of Bitcoin — the two biggest converting to $7.4 and $8.6 million at today’s exchange rate.
The largest single payment: 413 Bitcoin — or just shy of $14 million — sent to the operators of the RagnarLocker ransomware in July of 2020.
The data that powers Ransomwhere is crowdsourced, and all reports must include a screenshot of the ransom demand for verification purposes. Currently, Cable is verifying submissions personally.
All of the information that is entered into the Ransomwhere database is made freely available for other security professionals to download and analyze. No data about the victims is ever shared.