Cryptocurrency-driven ransomware syndicates operating on the darknet: A focused examination of the Arab world
Kyounggon Kim, Seokhee Lee, Sundaresan Ramachandran, Ibrahim Alzahrani
Egyptian Informatics Journal, volume 30, Article 100665. Journal Article, published 2025-03-24. DOI: 10.1016/j.eij.2025.100665
Impact factor: 5.0; JCR: Q1 (Computer Science, Artificial Intelligence)
https://www.sciencedirect.com/science/article/pii/S1110866525000581
Citation count: 0
Abstract
Cybercriminals are employing sophisticated techniques to illegally obtain money from victims, with ransomware being the most notorious malware utilized for financial gain. This paper focuses on the Arab world, a prime target region for ransomware gangs. Due to rapid economic growth and digitalization in this region, cybercriminals are increasingly targeting it. However, there is a lack of research on ransomware crime syndication in the Arab region. Data on claimed ransomware victims from 2020 to 2023 was collected from the darknet. Analysis of ransomware gangs in this area revealed significant findings. Based on three years of data collection and analysis, 20 ransomware gangs primarily operating in the Arab region were identified in 2023. Three major ransomware gangs (LockBit, ALPHV/BlackCat, and CL0P) are predominantly targeting the Arab world, with the United Arab Emirates and Saudi Arabia being major targets, along with the manufacturing industry. In addition to identifying the ransomware gangs, the tactics, techniques, and procedures (TTPs) used by them were also identified. There were 17 TTPs used by ransomware gangs. This study has also developed a platform to track ransomware gangs and cryptocurrency transactions. Bitcoin's anonymity and popularity made it the cryptocurrency most preferred by ransomware gangs. This research lays the groundwork for further studies to understand the exact trends and data related to ransomware in the Arab world.
About the journal:
The Egyptian Informatics Journal is published by the Faculty of Computers and Artificial Intelligence, Cairo University. This Journal provides a forum for the state-of-the-art research and development in the fields of computing, including computer sciences, information technologies, information systems, operations research and decision support. Innovative and not-previously-published work in subjects covered by the Journal is encouraged to be submitted, whether from academic, research or commercial sources.