Understanding money flow in ransomware

Ransomware is and has been a growing problem for years now and as Ransomware-as-a-Service (RaaS) is becoming increasingly popular, the barrier to entry into deploying ransomware attacks is lowered for anyone, and it has become feasible for users without technical knowledge to deploy a ransomware attack. This study attempts to contribute to knderstanding how ransom profits are split between stakeholders and focuses on crypto locker ransomware, henceforth ’ransomware’. Understanding profit split might contribute to improving the detection of Bitcoin addresses linked to ransomware attackers or to derive information on the amount of work contributed by different parties in relation to the share they receive for it. This study will focus specifically on differences in money flow between RaaS and non-RaaS attacks. The questions posed will be assessed by combining publicly available data sources, the Bitcoin blockchain, and insights from related research.