Introduction
The Institute for Security and Technology’s Ransomware Task Force (RTF) is working to illuminate the ransomware payment ecosystem as part of our efforts to improve the information environment and blunt the ability of criminal and other malign actors to profit from ransomware attacks.
Central to mitigating the threat of ransomware is the development of a common understanding of the actors, stakeholders, processes, and information, both required for and produced during the ransomware payment process. Yet, when we began this work, such a picture did not exist. IST undertook this effort to fill that gap.
With a clear picture of the ransomware payment ecosystem, a number of opportunities present themselves: first, the ability to identify where a particular incident is in the payment process, which can allow counter-ransomware efforts to disrupt that process; second, the identification of entities involved in the process who may have opportunities to gather information and/or take action; and third, the potential to bring together disparate entities to identify additional ways to add friction to and potentially disrupt the ransomware payment process, thereby complicating the ability of attackers to successfully profit from ransomware attacks.
This paper takes the first steps toward a more in-depth exploration of these opportunities. It presents a novel, comprehensive ransomware payment map and orients the reader to the actors and entities adapting to the ransomware threat. In future work, IST will analyze how each entity could leverage its position to observe the ransomware payment cycle. Future work will analyze the technical, regulatory and legal, and other requirements for these actors to access this information. IST will also outline ways each entity could add friction to the ongoing use of ransomware.
Our goal is to enable changes in the economic incentive structure of ransomware attacks, reducing the use of ransomware overall.