Eu FLag
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No101022004

Cyber-extortion and ransomware: Is it new?

Ransomware incidents continue to cause disruption throughout the world with several high-profile incidents occurring in 2021. An attack on Colonial Pipeline brought the U.S. fuel supply chain to a standstill. Managed service provider Kaseya was targeted, affecting 1,500 businesses worldwide and making the $70 million ransom demand the largest on record. Cyber criminals have put a great effort into capitalising on cybersecurity vulnerabilities for extorsion. Cyber-extorsion is not much different from conventional extorsion: a criminal takes possession of an asset and threatens to cause damage or release it unless money is paid. In context of cybercrime, the target asset is digital, such as information systems, databases, multimedia material, or confidential communications. 

From cyberstalking individuals to ransomware attacks on businesses, cyber-extorsion is a form of global organised crime, so effective that it is commercially available on athe crime-as-a-service basis. But is it new?  


While other forms of cyber-extortion exist, the popularity of ransomware has scaled up significantly while the ransom demand increased by over 80%. Last year at least $18 billion was paid in ransom demands worldwide; the cost-of-service disruption in the private and public sectors added billions more in damages. As a crime, ransomware is cost effective and attractive for a criminal aiming to gain a foothold on the victim’s infrastructure. Once a vulnerability is detected, malware is installed, files copied and encrypted with a secret key, then originals deleted, and a ransom note is displayed. If the victim wants to regain access to files, they must pay a sum of money. According to recent data over 25% of companies affected pay the ransom demand.

Despite only becoming a serious problem in the last 5 years or so, ransomware is not a new concept. In 1989, when a laptop could cost £5000 and weighed 10kg, PC Cyborg, the first ever ransomware virus documented, demonstrated the same concept, only at that time distributed on floppy disks. It was easily reversed as cryptography at the time was still nascent and yet to become mainstream. Despite the tactical simplicity of modern ransomware (lock files, get ransom) we see it capitalising on several technical advancements. Another concern is the ease of ransom payment. This was problematic in 1989, as it had to be done in cash. Nowadays, cryptocurrencies are used in criminal activity providing a certain level of anonymity, effectively providing a more concealed way of moving funds.


Since the mid 2010s, cyber-extorsion quickly evolved into a complex scenario for both those launching and those investigating attacks. Unsurprisingly, a well-established modus operandi has evolved, as most (large-scale) attacks in cybersecurity showed when financial gain is in sight. Ransomware is underpinned by an organised crime ecosystem of different parties working together, such as buyers and sellers, using the dark web. The figure below shows the wider process and the business model interactions. 

Three key actors can be identified:

  • The creators of ransomware malware, who license it for use to anyone and take a cut on criminal proceedings;  
  • The (black hat) security researchers who find vulnerabilities in the digital infrastructure of an organisation and sell the information to other criminals; 
  • And those that effectively launch the attack and collect the ransoms. 

Law Enforcement Agencies 

Despite the sophistication of the attack, Law Enforcement Agencies (LEAs) leverage several tools to investigate the crime proceeds leading to locating the criminals. Two are of special importance: moving funds and leaving trails. 

Moving and accessing funds is still difficult for criminals. The figure below shows the typical channels over which cryptocurrencies flow to avoid detection. Contrary to what is commonly heard, most cryptocurrencies are not anonymous at all; and if they are to be converted in fiat (US Dollars, Pound Sterling, Euros, etc.), they will have to use cryptocurrency exchanges which are no longer shadow businesses and follow AML/KYC regulations. Some channels that are difficult to trace still exist (such as the centuries-old, informal Hawala system), but they are equally difficult to use at scale while avoiding associating with a state-issued identity at which point LEAs can act. 

The second tool LEAs have is that criminals (nearly) always make mistakes. In many cases, if not most, criminals make basic mistakes such as revealing a bitcoin address online that is known to be linked to a crime as transactions in cryptocurrencies are public and trivially traceable from a web browser. Often, criminals simply boast about the crime under a pseudonym that is easily linked to other public online activity – again, often using a simple web browser. Once LEAs have a credible suspect, it is only a matter of time to issue official requests to email providers, crypto exchanges, etc., and confirm the involvement.

As the TRACE project was able to confirm first hand by interviewing LEAs, it seems that exploiting the “good old” mistakes of criminals is still the most expediente way of solving a crime. This reminds us of the old saying that “the criminal always returns to the scene”. This is another reason why the perception of anonymity of cryptocurrencies enables investigations and successful prosecution. 

Challenges faced by LEAs

Investigating a complex – and so technical – crime is difficult, time-consuming, and requires specific expertise that LEAs have only but recently acquired and to a small scale. Two major challenges exist. One is that cyber-extorsion is inherently a global crime which require cooperation between countries and organisations. A request to a crypto exchange may take weeks to be answered, sometimes only to return information of limited use. 

The second hurdle is scraping the public (and dark) web for publicly disclosed information that can be linked to a crime. This is generally known as Open Source Intelligence (OSINT) and has been used effectively by LEAs worldwide. Gathering fragments of information together from public sources is both a problem for our online privacy and a blessing for LEAs. 

TRACE’s contribution 

EU funded project TRACE is working with LEAs to develop technologies and procedures that will expedite the tracing of criminal proceedings. Ransomware and Cyber-extorsion is thus a paradigmatic case.

By comprehensively reviewing past incidents and cases, particularly cross-border, and taking first hand perspectives of LEAs and relevant stakeholders, TRACE is directly tackling these challenges.  A key direction is to use novel OSINT tools combined with AI, which can take advantage of the increasingly broader footprint our digital lives leave. Developing such methods requires a combination of technical and socio-legal skills, which is why the project is rich in a variety of expertise. Furthermore, LEAs need better tools and automation of investigative and evidence capture processes to achieve better automation levels: what is normally a manual procedures taking days could be made into “button clicks” that can take minutes. 

Please contact us for more information regarding our research in this area.

Author: Aston University (AU)