온라인수색 이용 랜섬웨어 조직의 가상자산 압수방안

Ransomware extends the scope of attacks from individuals to government agencies and companies, encrypting key data and requiring virtual assets as recovery costs. The amount of damage caused by ransomware has been increasing, reaching 4.742 trillion won over the past five years, but the results of confiscating the paid criminal proceeds are insufficient. Crimes using virtual assets can be traded anonymously and have transnational characteristics, so there is a limit to response with traditional investigative techniques. Therefore, in this study, memory and disk analysis are conducted to determine whether information necessary for the seizure of virtual assets can be checked when searching for PCs online used for virtual asset laundering. An experiment was conducted on four types of virtual asset wallets (MetaMask, BitPay, Exodus, Phantom) to obtain a mnemonic code, wallet private key, virtual asset private key, and wallet password. As a result of the experiment, it was confirmed that wallet restoration information can be obtained from MetaMask, BitPay, Exodus, and Phantom, and virtual assets can be seized. This study can contribute to urging the start of discussions on the introduction and utilization of online search as a way to seize virtual assets used in ransomware crimes.