The Ransomware Decade: The Creation of a Fine-Grained Dataset and a Longitudinal Study

Ransomware attacks have grown and evolved considerably in the past decade and are now one of the most common and most profitable attack vectors. Successful ransomware attacks have the ability to shut hospitals down, cause massive data and financial losses, tarnish the reputations of organizations, and even cause direct physical harm to people and property. Consequently, considerable attention has been paid to various individual aspects of the ransomware ecosystem in both the research community and the popular press. However, there continues to be a lack of comprehensive long-range census of these events. This presents a significant barrier to any comprehensive analysis of the ecosystem as a whole. In this paper, we present a longitudinal study of a decade of the ransomware attack landscape. This study is built upon a sophisticated process we developed to source and curate a unique large-scale dataset of ransomware incidents with fine-grained annotations on the basis of public reports of such incidents. We detail this process in the paper and showcase a variety of analysis enabled by such a dataset. Of particular interest are findings around the downstream impact of a large ransom payment vs. a high-profile refusal to pay, the impact of double extortion, the difference in susceptibility to different attack vectors and in payment attitudes across industry sectors.