tracking ransomware end to end
play

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios - PowerPoint PPT Presentation

Nov 05, 2023 •256 likes •798 views

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

  1. Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy

  2. Ransomware causes financial damages

  3. Ransomware causes financial damages

  4. Ransomware causes financial damages

  5. Ransomware causes financial damages How much ransomware revenue? How to shut down ransomware?

  6. How typical ransomware works 1. Distribution 2. Infection Spam, compromised websites, etc 3. Victim pays bitcoins 4. Decryption 5. Criminal liquidates bitcoins

  7. How typical ransomware works 1. Distribution 2. Infection 3. Victim pays bitcoins 4. Decryption 5. Criminal liquidates bitcoins

  8. How typical ransomware works 1. Distribution All your files are encrypted! 2. Infection 3. Victim pays bitcoins Send 0.5 bitcoins to the following address. 4. Decryption 175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b 5. Criminal liquidates bitcoins

  9. How typical ransomware works 1. Distribution All your files are encrypted! 2. Infection 3. Victim pays bitcoins Send 0.5 bitcoins to the following address. 4. Decryption Cerber: median ~$1,000 175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b 5. Locky: median ~$1,800 Criminal liquidates bitcoins

  10. How typical ransomware works 1. Distribution All your files are encrypted! 2. Infection 3. Victim pays bitcoins Send 0.5 bitcoins to the following address. 4. Decryption 175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b 5. Criminal liquidates unique ransom bitcoins wallet address

  11. How typical ransomware works Victim’s money 1. Distribution 2. Infection 3. Victim pays bitcoins 4. Decryption 5. Criminal liquidates bitcoins

  12. How typical ransomware works Victim’s money 1. Distribution Exchange 2. Infection Victim’s bitcoins 3. Victim pays bitcoins 4. Decryption 5. Criminal liquidates bitcoins

  13. How typical ransomware works Victim’s money 1. Distribution Exchange 2. Infection Victim’s bitcoins 3. Victim pays bitcoins Ransom wallet address 4. Decryption Ransomware’s 5. Criminal liquidates bitcoins bitcoins

  14. How typical ransomware works Victim’s money 1. Distribution Exchange 2. Infection Victim’s bitcoins 3. Victim pays bitcoins Ransom wallet address 4. Decryption Ransomware’s 5. Criminal liquidates bitcoins bitcoins

  15. How typical ransomware works Victim’s money 1. Distribution Exchange 2. Infection Victim’s bitcoins 3. Victim pays bitcoins Ransom wallet address 4. Decryption Ransomware’s 5. Criminal liquidates bitcoins bitcoins Exchange Ransomware’s money

  16. Research questions How to estimate the total ransom paid (or revenue)? - $16 million over two years, 20k unique payments How to identify chokepoints? - 40% of revenue of one ransomware sent to BTC-e - 3% of affiliates of one ransomware caused 50% infections

  17. Research questions How to estimate the total ransom paid (or revenue)? - $16 million over two years, 20k unique payments How to identify chokepoints? - 40% of revenue of one ransomware sent to BTC-e - 3% of affiliates of one ransomware caused 50% infections

  18. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families How to identify chokepoints? - 40% of revenue of one ransomware sent to BTC-e - 3% of affiliates of one ransomware caused 50% infections

  19. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families How to identify chokepoints? - 40% revenue of one ransomware sent to BTC-e - 3% of affiliates of one ransomware caused 50% infections

  20. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families How to identify chokepoints? - 40% revenue of one ransomware sent to BTC-e - 3% affiliates of one ransomware caused 50% infections

  21. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families 1 How to identify chokepoints? - 40% revenue of one ransomware sent to BTC-e - 3% affiliates of one ransomware caused 50% infections

  22. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families 1 How to identify chokepoints? - 40% revenue of one ransomware sent to BTC-e 2 - 3% affiliates of one ransomware caused 50% infections

  23. 1 Blockchain Analysis

  24. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  25. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  26. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  27. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  28. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  29. Methodology: Follow the money 1. Identify known known 0.5 victims victim 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  30. Methodology: Follow the money 1. Identify known known 0.5 victims victim 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  31. Methodology: Follow the money Co-spending 1. Identify known known 0.5 victims victim 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  32. Methodology: Follow the money Co-spending 1. Identify known known 0.5 victims victim 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  33. Methodology: Follow the money Co-spending 1. Identify known known 0.5 victims victim 2. Infer unknown victims 1.0 3. Estimate total ransom 1.3 4. Identify exchanges

  34. Methodology: Follow the money Co-spending 1. Identify known known 0.5 victims victim 2. Infer unknown victims 1.0 potential 3. Estimate total victim ransom 1.3 4. Identify exchanges

  35. Methodology: Follow the money 1. Identify known artificial victims “victim” 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  36. Methodology: Follow the money 1. Identify known artificial 0.001 victims “victim” 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  37. Methodology: Follow the money Co-spending 1. Identify known artificial 0.001 victims “victim” 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  38. Methodology: Follow the money Co-spending 1. Identify known artificial 0.001 victims “victim” 2. Infer unknown victims 1.0 potential 3. Estimate total victim ransom 1.3 4. Identify exchanges

  39. Total ransom received USD per month

  40. Total ransom received $7.7m $1.8m $69k $6.6m $100k USD per month

  41. Potential liquidation at exchanges $2.6 m $24 k Fraction of revenue sent to exchanges

  42. 2 Reverse Engineering Cerber’s C&C

  43. Cerber’s outbound UDP traffic IP: x.y.z.1 IP: x.y.z.2 IP: x.y.z.3 Infected host IP: x.y.z.254

  44. Cerber’s outbound UDP traffic IP: x.y.z.1 two-week data IP: x.y.z.2 victim IP victim ID IP: x.y.z.3 affiliate ID Infected ... host me IP: x.y.z.254

  45. Number of infected IP addr per affiliate Affiliate ID

  46. 3% of affiliates caused 50% of infected IPs Affiliate ID

  47. 3 Summary

  48. Summary Key Methods Tracked ransom payments for 10 ransomware families using co-spending wallet addr Reverse engineered C&C protocol for Cerber ransomware

  49. Summary Key Methods Tracked ransom payments for 10 ransomware families using co-spending wallet addr Reverse engineered C&C protocol for Cerber ransomware

  50. Summary Key Methods Key Results Tracked ransom payments for Estimated revenue: 10 ransomware families using 10 families, > $16 million co-spending wallet addr over two years Reverse engineered C&C Possible chokepoints: protocol for Cerber exchanges and affiliates ransomware

  51. Summary Key Methods Key Results Tracked ransom payments for Estimated revenue: 10 ransomware families using 10 families, > $16 million co-spending wallet addr over two years Reverse engineered C&C Possible chokepoints: protocol for Cerber exchanges and affiliates ransomware Danny Y. Huang — Postdoc at Princeton — http://hdanny.org

  52. 4 Appendix

  53. Ransom payments over time Median ransom amount per day (USD) Number of payments per day

  54. Potentially missing Locky’s ransom payments Google results binaries found bitcoin payment

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi with the help of many people from UCSD, NYU, and Chainalysis Only 37% of users backup their data g.co/research/protect Since 2016 ransomware

746 views • 62 slides
1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

X by Invincea Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more sophisticated, and shifting to an enterprise threat Ransomware Nightmares X by Invincea To Pay Or Not To Pay? X by Invincea Your money or

780 views • 23 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new attacker entrants, lower cost through kit automation, etc.) Take consumer and enterprise digital assets hostage using high- strength encryption

365 views • 18 slides
Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of Ransomware Technology Perspective and Attacked Devices Ransomware Economy Security Conditions Biomorphic Perimeterisation How to generate a

860 views • 61 slides
Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users files unless a ransom is paid.

517 views • 30 slides
Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy Bennett 2019 Cybersecurity Awareness Month Event October 22, 2019 2019 Texas Headlines Ransomware Ransomware Cyber criminals holding your data and

450 views • 23 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How Healthcare IT Differs From General IT Agenda The Growing Threat of Ransomware What You Can Do Today To Protect Your Business How Healthcare IT

440 views • 32 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi Encryption Ransomware Is Becoming More Aggressive May 12,

772 views • 75 slides
What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary 1 Confidential & Proprietary Ransomware Overview Malware that blocks access to a system, device, or file until a ransom is paid

248 views • 11 slides
Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top Leaders-2019 www.vembu.com How to protect your business from a Ransomware attack? What is Ransomware? Types of Ransomware How it attacks? Stats for year

454 views • 16 slides
Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern

Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern

Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern Ransomware-as-a-Service: An Evolving Business Model Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording

998 views • 23 slides
Distribution Ring-fencing Guideline Update Stakeholder workshop 28 & 29 August 2019

Distribution Ring-fencing Guideline Update Stakeholder workshop 28 & 29 August 2019

Distribution Ring-fencing Guideline Update Stakeholder workshop 28 & 29 August 2019 aer.gov.au 1 Introduction Ring-fencing guideline p rogress so far guideline observations. Purpose of this consultation: review of

562 views • 31 slides
Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*,

Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*,

Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*, Damon McCoy, Stefan Savage, Geoffrey M. Voelker 2 3 4 5 6 Spam was 70% of total email traffic in 2013 7 buydrugs.com canadianpharmacy.com

686 views • 49 slides
THE DIFFERENCE BETWEEN A KILLER DEAL AND A DEAL KILLER MARKUS JAKOBSSON PAYPAL THAT DIFFERENCE

THE DIFFERENCE BETWEEN A KILLER DEAL AND A DEAL KILLER MARKUS JAKOBSSON PAYPAL THAT DIFFERENCE

THE DIFFERENCE BETWEEN A KILLER DEAL AND A DEAL KILLER MARKUS JAKOBSSON PAYPAL THAT DIFFERENCE IS OFTEN SMALL 2 Confidential and Proprietary PART 1/3: DEALING WITH WEB SPOOFING JOINT WORK WITH HOSSEIN SIADATI 3 Confidential and

567 views • 32 slides
Rural Mentoring: Leveraging Community Assets and Creating a Culture of Mentoring March 21, 2019

Rural Mentoring: Leveraging Community Assets and Creating a Culture of Mentoring March 21, 2019

Collaborative Mentoring Webinar Series Rural Mentoring: Leveraging Community Assets and Creating a Culture of Mentoring March 21, 2019 2019 Collaborative Mentoring Webinar Series Planning T eam The Collaborative Mentoring Webinar Series is

654 views • 41 slides
Clinical Trials Network Awards and Texas Clinical Trials Participation Program Awards RFA -

Clinical Trials Network Awards and Texas Clinical Trials Participation Program Awards RFA -

Clinical Trials Network Awards and Texas Clinical Trials Participation Program Awards RFA - Webinar October 19, 2020 AGENDA 12:00 12:05 Welcome James Willson, M.D., CPRIT Chief Scientific Officer Patty Moore, Ph.D., Senior Program

450 views • 12 slides
ASCO STATE ADVOCACY RESOURCES Tracey Weisberg MD New England Cancer Specialists 20162017

ASCO STATE ADVOCACY RESOURCES Tracey Weisberg MD New England Cancer Specialists 20162017

ASCO STATE ADVOCACY RESOURCES Tracey Weisberg MD New England Cancer Specialists 20162017 State Affiliates Chairperson NNECOS is Important!!! State societies are first to usually learn about key mandates that are ongoing in their state

310 views • 15 slides
EB-5 Myth Busters: Separating Fact from Fiction about Raising EB-5 Capital Aaron Goforth, W right

EB-5 Myth Busters: Separating Fact from Fiction about Raising EB-5 Capital Aaron Goforth, W right

Panel 1B EB-5 Myth Busters: Separating Fact from Fiction about Raising EB-5 Capital Aaron Goforth, W right Johnson LLC Brian Su, Artisan Business Group Lili W ang, New City Group Mike Schoenfeld, EB5 Affiliate Network Moderator: Nima

633 views • 21 slides
AACVPR Headquarters Update & Overview Adam deJong, MA, FAACVPR, FACSM AACVPR President

AACVPR Headquarters Update & Overview Adam deJong, MA, FAACVPR, FACSM AACVPR President

AACVPR Headquarters Update & Overview Adam deJong, MA, FAACVPR, FACSM AACVPR President About AACVPR Vision and Mission Mission To reduce morbidity, mortality, and disability from cardiovascular and pulmonary disease through

582 views • 27 slides

More recommend