Discerning payment patterns in Bitcoin from ransomware attacks
Journal of Money Laundering Control, Pub Date: 2020-07-05, DOI: 10.1108/jmlc-02-2020-0012
Adam B. Turner , Stephen McCombie , Allon J. Uhlmann

The purpose of this paper is to investigate available forensic data on the Bitcoin blockchain to identify typical transaction patterns of ransomware attacks. Specifically, the authors explore how distinct these patterns are and their potential value for intelligence exploitation in support of countering ransomware attacks.

The authors created an analytic framework, the Ransomware–Bitcoin Intelligence–Forensic Continuum framework, to search for transaction patterns in the blockchain records from actual ransomware attacks. Data for a number of different ransomware Bitcoin addresses was extracted to populate the framework via the WalletExplorer.com programming interface. This data was then assembled into a representation of the target network for pattern analysis on the input (cash-in) and output (cash-out) side of the ransomware seed addresses. Different graph algorithms were applied to these networks. The results were compared to a “control” network derived from a Bitcoin charity.

The findings show discernible patterns in the network relating to the input and output side of the ransomware graphs. However, on the input side these patterns are not easily distinguishable from those associated with the charity Bitcoin address. Nonetheless, the collection profile over time is more volatile than that of the charity Bitcoin address. On the other hand, ransomware output patterns differ from those associated with charity addresses, as the attacker cash-out tactics are quite different from the way charities mobilise their donations. We further argue that an application of graph machine learning provides a basis for future analysis and data refinement possibilities.

Limitations are evident in the sample size of data taken on ransomware campaigns and the “control” subject. Further analysis of additional ransomware campaigns and “control” subjects over time would help refine and validate the preliminary observations in this paper. Future research will also benefit from the application of more powerful computing resources and analytics platforms that scale with the amount of data being collected.

This research contributes to the maturity of the field by analysing ransomware-Bitcoin behaviour using the Ransomware–Bitcoin Intelligence–Forensic Continuum. By combining several different techniques to discern patterns of ransomware activity on the Bitcoin network, it provides insight into whether a ransomware attack is occurring and could be used to trigger alerts to seek additional evidence of attack, or could corroborate other information in the system.
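The abstract describes building cash-in and cash-out networks around a seed address and comparing the volatility of the collection profile over time and the cash-out behaviour against a charity control. The following is an added illustration, not code from the paper or from WalletExplorer.com: it uses constructed transfers in a simplified one-sender, one-receiver form (real Bitcoin transactions have many inputs and outputs and would need to be decomposed first), computes per-day inflow volatility as a coefficient of variation, and measures how concentrated the cash-out side is. The address names, the day numbering and the "bursty" threshold of 1.0 are assumptions for the example.

```python
"""Cash-in / cash-out profile of a Bitcoin seed address (added example).

Constructed data: a ransomware-like seed receives several equal payments in
bursts and sweeps everything to one destination; a charity-like seed receives
a steady trickle and pays out to several recipients.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed transfers (not real blockchain data). Each record is one
# sender -> receiver edge with the day it was observed and the BTC amount.
TRANSFERS = [
    # ransomware-like seed: burst of victim payments, then a sweep-out
    {"day": 1, "from": "victim_a", "to": "seed_ransom", "amount": 0.5},
    {"day": 1, "from": "victim_b", "to": "seed_ransom", "amount": 0.5},
    {"day": 1, "from": "victim_c", "to": "seed_ransom", "amount": 0.5},
    {"day": 2, "from": "victim_d", "to": "seed_ransom", "amount": 0.5},
    {"day": 2, "from": "seed_ransom", "to": "cashout_x", "amount": 1.5},
    {"day": 5, "from": "victim_e", "to": "seed_ransom", "amount": 0.5},
    {"day": 5, "from": "victim_f", "to": "seed_ransom", "amount": 0.5},
    {"day": 6, "from": "seed_ransom", "to": "cashout_x", "amount": 1.5},
    # charity-like seed: one small donation per day, split payouts later
    {"day": 1, "from": "donor_1", "to": "seed_charity", "amount": 0.1},
    {"day": 2, "from": "donor_2", "to": "seed_charity", "amount": 0.1},
    {"day": 3, "from": "donor_3", "to": "seed_charity", "amount": 0.1},
    {"day": 4, "from": "donor_4", "to": "seed_charity", "amount": 0.1},
    {"day": 5, "from": "donor_5", "to": "seed_charity", "amount": 0.1},
    {"day": 6, "from": "donor_6", "to": "seed_charity", "amount": 0.1},
    {"day": 7, "from": "seed_charity", "to": "project_m", "amount": 0.3},
    {"day": 7, "from": "seed_charity", "to": "project_n", "amount": 0.3},
]

# Assumed threshold: a coefficient of variation above this is called "bursty".
BURSTY_THRESHOLD = 1.0


def build_graph(transfers):
    """Build inbound and outbound adjacency maps keyed by address.

    inbound[addr]  -> list of (day, sender, amount)   (cash-in side)
    outbound[addr] -> list of (day, receiver, amount) (cash-out side)
    """
    inbound, outbound = defaultdict(list), defaultdict(list)
    for t in transfers:
        inbound[t["to"]].append((t["day"], t["from"], t["amount"]))
        outbound[t["from"]].append((t["day"], t["to"], t["amount"]))
    return inbound, outbound


def daily_inflow(inbound, seed, first_day, last_day):
    """Total BTC received by `seed` on each day of the observation window."""
    totals = defaultdict(float)
    for day, _, amount in inbound.get(seed, []):
        totals[day] += amount
    return [round(totals[d], 8) for d in range(first_day, last_day + 1)]


def volatility(series):
    """Coefficient of variation (population std / mean); 0.0 for a flat or empty series."""
    if not series:
        return 0.0
    m = mean(series)
    return pstdev(series) / m if m else 0.0


def cash_out_concentration(outbound, seed):
    """Share of total outflow that went to the single largest payee (0.0 if no outflow)."""
    by_payee = defaultdict(float)
    for _, receiver, amount in outbound.get(seed, []):
        by_payee[receiver] += amount
    total = sum(by_payee.values())
    return max(by_payee.values()) / total if total else 0.0


def profile(transfers, seed, first_day, last_day):
    """Summarise the cash-in and cash-out side of one seed address."""
    inbound, outbound = build_graph(transfers)
    inflow = daily_inflow(inbound, seed, first_day, last_day)
    vol = round(volatility(inflow), 4)
    return {
        "distinct_payers": len({s for _, s, _ in inbound.get(seed, [])}),
        "distinct_payees": len({r for _, r, _ in outbound.get(seed, [])}),
        "daily_inflow": inflow,
        "cash_in_volatility": vol,
        "bursty_cash_in": vol > BURSTY_THRESHOLD,
        "cash_out_concentration": round(cash_out_concentration(outbound, seed), 4),
    }


if __name__ == "__main__":
    for seed in ("seed_ransom", "seed_charity"):
        print(seed, profile(TRANSFERS, seed, 1, 6))
```

On the constructed data both seeds have six distinct payers, which mirrors the paper's point that the input side alone does not separate the two; the ransomware-like seed differs in its bursty daily collection profile and in sweeping all funds to a single payee, whereas the charity-like seed shows a flat profile and split payouts.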

Updated: 2020-07-05