Ransomware: This new ransom tracker reveals how much bitcoin gangs have been paid

The new Ransomwhere site crowdsources bitcoin payments to wallets associated with ransomware gangs.
Written by Liam Tung, Contributing Writer

A security expert has launched a site to keep a publicly trackable record of bitcoin payments to key ransomware gangs, such as REvil. 

The ransomwhe.re site has been created by Jack Cable, a security researcher who works with the Krebs Stamos Group cyber consultancy and the US Defense Digital Service. 

The Ransomwhere site is an open, crowdsourced ransomware payment tracker, offering a breakdown of victim payments in bitcoin to wallets linked to a dozen major ransomware variants. The payment figures can be broken down by 'all time', this year, this month, and this week. 

SEE: Network security policy (TechRepublic Premium)

Ransomware attacks are on the rise and now the subject of debate between world leaders after attacks on Colonial Pipeline, meat processor JBS, and last week's attack against enterprise software management firm Kaseya, which saw REvil ransomware spread to dozens of managed service providers and over 1,000 of their customers.  

Across all time, the Mailto/Netwalker ransomware leads the ransomware pack, but – isolating payments to this year – the REvil/Sadinokibi – which was behind the JBS and Kaseya attacks – is the leader with $11.3 million payments received. 

REvil's total for 2021 could rise significantly if it receives the $70 million it demanded last week in the Kaseya attack. 

Cable joined the US Cybersecurity and Infrastructure Security Agency under then CISA director Chris Krebs to help secure election systems ahead of the US 2020 presidential elections.

Cable explained his motives for building the site in a thread on Twitter, noting the data about victim payments can change the response to ransomware. 

"Today, there's no comprehensive public data on the total number of ransomware payments. Without such data, we can't know the full impact of ransomware, and whether taking certain actions changes the picture," he wrote.  

"Ransomwhere aims to fill that gap by tracking bitcoin transactions associated with ransomware groups. It's public, so anyone can view and download the data. And it's crowdsourced, so anyone can submit reports of ransomware they've been infected with or otherwise observed."

SEE: Ransomware: Paying up won't stop you from getting hit again, says cybersecurity chief

According to an FAQ on Ransomwhe.re, the Bitcoin's transparency in payments makes it easy to track payments and receipt addresses. 

The site calculates the US dollar value of bitcoin payments based on the exchange rate of the day a payment was made, so it's an estimate of how much victims paid, but not how much ransomware gangs sold it for. 

Editorial standards