Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi with the help of many people from UCSD, NYU, and Chainalysis
Only 37% of users backup their data g.co/research/protect
Since 2016 “ransomware” search queries increased by 877% g.co/research/protect
How profitable is ransomware? g.co/research/protect
Agenda 1. How we trace ransom payments at scale 2. Revenue & ecosystem insights 3. The kingpins and the fads
The website ahead contains malware Keeping users safe
The team Google Chainalysis University of New York California, University San Diego g.co/research/protect
Life of a ransomware infection
Victim gets infected
Payment URL Victim is shown ransom note
Victim ID Unique Bitcoin wallet Victim visits payment site via Tor
Victim buys bitcoin at exchange
Why Bitcoin? Pseudonymous No need to show ID card to create wallets Fully Automatable Allows scalable payment processing Irrefutable Transactions can’t be reverted Fungible Bitcoins are easily converted into cash g.co/research/protect
Bitcoin transactions are public Transaction 152Lf[...] on 2016-08-09 4 BTC Sender wallet: 1N1Nn[...] Receiver wallet: 152Lf[...] g.co/research/protect
Life of a ransom payment 1. Victim buys bitcoins at exchange g.co/research/protect
Life of a ransom payment 2. Ransom moves across multiple wallets ... 1. Victim buys bitcoins at exchange g.co/research/protect
Life of a ransom payment 2. Ransom moves across multiple wallets ... 1. Victim buys 3. Criminal accumulates bitcoins bitcoins then sells them at exchange for currency at exchange g.co/research/protect
Measuring revenue
Identifying victims To identify other victims, we look at transactions with the criminal’s accumulation wallet ... g.co/research/protect
Discovering payment network g.co/research/protect
Discovering payment network g.co/research/protect
Discovering payment network ... ... ... g.co/research/protect
Gathering seed bitcoin transactions Victim reports Synthetic “victims” g.co/research/protect
Automating payment tracing Compute near-collision blocks Initial seed Dataset Payment site Payment ransomware expansion & and wallet tracing clustering extraction g.co/research/protect
Initial dataset: 34 families, 154k binaries g.co/research/protect Static/Dynamic signatures
Using clustering for dataset expansion NotPetya - v1 Cerber - v1 Cerber -v2 Shared infrastructure Code similarity g.co/research/protect
Expanded dataset 301,588 binaries 154,227 147,361 Seed dataset Additional binaries g.co/research/protect
Automatically identifying payment sites at scale Tor proxy URL hjhqmbxyinislkkt.1a58vj.top/XXXX Found in 4 files and 1 screenshot + = Bitcoin wallet 1AZvk[...] Found in 16 files and 1 screenshot g.co/research/protect
Tracing payments through the bitcoin chain NotPetya Coinbase Poloniex Huobi BTC-E LocalBitcoin Locky BiThumb BtcBank WannaCry g.co/research/protect
Market insights
$25,253,505 g.co/research/protect
In 2016 ransomware became a multi-million $ business g.co/research/protect
The ecosystem is dominated by a few kingpins g.co/research/protect
A fast changing market g.co/research/protect
In 2017 ransomware increased binary diversity to evade AVs g.co/research/protect
Many victims buy Bitcoins through the “Craigslist of Bitcoin” g.co/research/protect
Split payment Victim payments in multiple transactions 90% 9% Paid the ransom in a single Did not account transaction for transaction fees g.co/research/protect
95% traced ransoms cashed out via BTC-E Cashout list available on request g.co/research/protect
Ransomware notable actors
Locky Bringing ransoms to the masses g.co/research/protect
The first ransomware to make >$1M per month g.co/research/protect
Renting-out cybercriminal infrastructure Dridex Locky Dridex, Locky, Cerber are distributed via the Necurs botnet g.co/research/protect
Cerber Rise of ransomware as service g.co/research/protect
Enrolling low tech criminals made Cerber the new king of the hill in 2017 g.co/research/protect
Consistent income - $200k per month for over a year g.co/research/protect
8 affiliates are responsible for 50% of the infections g.co/research/protect
Embedding ransom site in the blockchain 1AzkuxChzMB4[...] Hardcoded wallet transacts with new wallets periodically. 1Azkux.top Cerber derives ransom site from these wallets. g.co/research/protect
From infection to full encryption in under a minute g.co/research/protect
Spora Ransomware business model refined g.co/research/protect
Wannacry notPetya Rise of the impostors
The (low) bottom line 56 BTC 5 $0 revenue bitcoin wallets cashed-out g.co/research/protect
Testing out the malware, then unleashing it at once g.co/research/protect
No early warning - Activity start on the day of the outbreak g.co/research/protect
Takeaways Multi-million dollar black market Ransomware generates tens of millions of revenue for criminals RaaS is the new black Cerber’s affiliate model is taking the world by storm Rise of the impostors Wipeware pretending to be ransomware is on the rise g.co/research/protect
Questions? Join us tomorrow 12pm | South Seas CD Attacking encrypted USB keys the hard(ware) way
Thank you g.co/research/protect
Recommend
More recommend
