Decrypting Ransomware Operations

Exploring Ransomware Gangs’ Value Allocation for Effective Disruption Strategies

Master Thesis (2024)
Author(s)

Marieke van Lange (TU Delft - Technology, Policy and Management)

Contributor(s)

R.S. van Wegberg – Graduation committee member (TU Delft - Organisation & Governance)

J.E. van Rijs – Mentor (Fiscale inlichtingen- en opsporingsdienst (FIOD))

M.E. Warnier – Graduation committee member (TU Delft - Multi Actor Systems)

More Info
Publication Year
2024
Language
English
Graduation Date
26-08-2024
Awarding Institution
Programme
Complex Systems Engineering and Management (CoSEM)
Downloads counter
373
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Ransomware attacks, orchestrated by cybercriminal organizations, pose a global threat in the digital era: attackers exploit system vulnerabilities, seize and encrypt data, and demand a ransom for its return. Conti, a Russian ransomware group, ceased to exist after a 2022 data leak, which offers a unique opportunity to study its modus operandi. The leak includes chat transcripts containing indicators of value, such as compensation agreements and details of digital transactions. Viewed through the value chain lens, these indicators can be used to determine how ransomware groups create and allocate value within their operations. How that value is attributed across the chain is currently unknown, yet this understanding is essential for law enforcement aiming to disrupt ransomware activities more effectively, since targeting the most valuable components of an operation can cause significant disruption to the organization. The question this thesis attempts to answer is: How do ransomware groups allocate value to the activities of the ransomware value chain, and how can this inform law enforcement in developing effective intervention strategies? The methodology is an exploratory analysis of Conti's public chat transcript data, supported by blockchain analysis. The final deliverable is a value analysis through the value chain lens together with recommendations for the FIOD. These recommendations draw on insights gained from studying the value creation, compensation, and allocation of ransomware groups and highlight strategic points along the value chain where disruption would have the greatest impact. These insights support criminal investigations and guide authorities in disrupting valuable and critical activities within ransomware operations.
