TY - GEN
T1 - What to Do Against Ransomware? Evaluating Law Enforcement Interventions
AU - Meurs, Tom
AU - Hoheisel, Raphael
AU - Junger, Marianne
AU - Abhishta, Abhishta
AU - McCoy, Damon
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024
Y1 - 2024
N2 - Ransomware poses an increasing challenge to society, yet there is a notable gap in research on the effectiveness of law enforcement interventions. A key insight from our study is that the presence of victims' details on leak pages following double extortion ransomware attacks offers a unique opportunity to evaluate these interventions. Analyzing a dataset containing victims published by ransomware groups, we assess the impact of five specific types of interventions: arresting group members, taking down leak page server infrastructure, freezing crypto assets, releasing decryptors, and imposing sanctions. From a collected list of interventions, we categorize ransomware groups' responses into three actions: ceasing operations, continuing operations, or rebranding under a new name. Initial results show that nearly half of the interventions led to ransomware groups ceasing operations. Additionally, our findings suggest minimal crime displacement, with fewer victims attacked post-intervention if the groups continued their activities. Observed rebranding among these groups is also limited. We discuss the implications and limitations of our research and conclude with two recommendations for law enforcement: prioritize frequent small interventions over a single large intervention and diversify the set of interventions to better counter the adaptive nature of ransomware groups.
AB - Ransomware poses an increasing challenge to society, yet there is a notable gap in research on the effectiveness of law enforcement interventions. A key insight from our study is that the presence of victims' details on leak pages following double extortion ransomware attacks offers a unique opportunity to evaluate these interventions. Analyzing a dataset containing victims published by ransomware groups, we assess the impact of five specific types of interventions: arresting group members, taking down leak page server infrastructure, freezing crypto assets, releasing decryptors, and imposing sanctions. From a collected list of interventions, we categorize ransomware groups' responses into three actions: ceasing operations, continuing operations, or rebranding under a new name. Initial results show that nearly half of the interventions led to ransomware groups ceasing operations. Additionally, our findings suggest minimal crime displacement, with fewer victims attacked post-intervention if the groups continued their activities. Observed rebranding among these groups is also limited. We discuss the implications and limitations of our research and conclude with two recommendations for law enforcement: prioritize frequent small interventions over a single large intervention and diversify the set of interventions to better counter the adaptive nature of ransomware groups.
KW - Arrest
KW - Crypto
KW - Intervention
KW - Ransomware
KW - Sanctions
KW - Situational Crime Prevention
KW - Takedown
UR - http://www.scopus.com/inward/record.url?scp=105000166886&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=105000166886&partnerID=8YFLogxK
U2 - 10.1109/eCrime66200.2024.00012
DO - 10.1109/eCrime66200.2024.00012
M3 - Conference contribution
AN - SCOPUS:105000166886
T3 - eCrime Researchers Summit, eCrime
SP - 76
EP - 93
BT - Proceedings - 2024 APWG Symposium on Electronic Crime Research, eCrime 2024
PB - IEEE Computer Society
T2 - 19th Annual Conference on APWG Symposium on Electronic Crime Research, eCrime 2024
Y2 - 24 September 2024 through 26 September 2024
ER -