
Studying Ransomware Attacks Using Web Search Logs

Abstract:

The paper explores new methods for analyzing the origins and scale of ransomware attacks. Because gathering information about these attacks from individuals is challenging, the main sources of data are companies and public databases, which do not always publish or hold detailed information about the attacks. The proposed solution is to analyze web searches, identifying “seeking help” queries to track users who have been victimized. The authors differentiate between “general information” queries, which likely come from individuals interested in the attacks rather than from victims, and “seeking help” queries, which are made by victims. By analyzing these queries, the researchers found that it is possible to identify attacks days before they are reported in the news. It is also feasible to trace the origin of an attack and monitor its spread across the network. Due to anonymity, the researchers could not confirm that the “seeking help” queries came from the attacked users. However, the data they obtained under these assumptions aligns with public data regarding the number and timing of attacks. Additionally, the authors studied the “Nemty” attack as a case example and gathered statistics on the time and location where people reported the incidents.

Author:
Chetan Bansal, Pantazis Deligiannis, Chandra Maddila, Nikitha Rao
Year:
2020
MIT Political Science
ECIR
GSS