Tracking Ransomware End-to-end, Danny Y. Huang et al. (PowerPoint PPT Presentation)



slide-1
SLIDE 1

Tracking Ransomware End-to-end

Danny Y. Huang

Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy

slide-5
SLIDE 5

Ransomware causes financial damages

How much ransomware revenue? How to shut down ransomware?

slide-6
SLIDE 6

How typical ransomware works

1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins

Distribution: spam, compromised websites, etc.

slide-9
SLIDE 9

How typical ransomware works

1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins

Ransom note: “All your files are encrypted! Send 0.5 bitcoins to the following address.”

175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b

Cerber: median ~$1,000; Locky: median ~$1,800

slide-10
SLIDE 10

How typical ransomware works

1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins

Ransom note: “All your files are encrypted! Send 0.5 bitcoins to the following address.”

175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b

Each victim is given a unique ransom wallet address.


slide-15
SLIDE 15

How typical ransomware works

1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins

Money flow: Victim’s money → Exchange → Victim’s bitcoins → Ransom wallet address → Ransomware’s bitcoins → Exchange → Ransomware’s money

slide-16
SLIDE 16

Research questions

How to estimate the total ransom paid (or revenue)?

  • $16 million over two years, 20k unique payments

How to identify chokepoints?

  • 40% of revenue of one ransomware sent to BTC-e
  • 3% of affiliates of one ransomware caused 50% infections
slide-18
SLIDE 18

Overview of results

How to estimate the total ransom paid (or revenue)?

  • 10 families, >$16 million over two years; 90% made by two families

How to identify chokepoints?

  • 40% of revenue of one ransomware sent to BTC-e
  • 3% of affiliates of one ransomware caused 50% infections
slide-23
SLIDE 23

1

Blockchain Analysis

slide-24
SLIDE 24

Methodology: Follow the money

1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

slide-29
SLIDE 29

Methodology: Follow the money

1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

Known victim: a 0.5 BTC payment into a ransom wallet address

slide-34
SLIDE 34

Methodology: Follow the money

1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

Co-spending: the known victim’s 0.5 BTC is spent in one transaction together with inputs of 1.0 and 1.3 BTC from other ransom wallet addresses; the payers of those inputs are potential victims.

slide-38
SLIDE 38

Methodology: Follow the money

1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

Co-spending: the artificial “victim” payment of 0.001 BTC is spent in one transaction together with inputs of 1.0 and 1.3 BTC from other ransom wallet addresses; the payers of those inputs are potential victims.
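The four "follow the money" steps above (seed with known and artificial victims, expand by co-spending, sum the ransom, trace outflows to exchanges) as a worked example. This is added illustration code, not the authors' tooling: the ledger, addresses, amounts and the exchange label table are all constructed, and the co-spending rule used is the standard multi-input heuristic (every input of a transaction is assumed to be under one owner's control).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One transaction: inputs and outputs are tuples of (address, amount in BTC)."""
    txid: str
    inputs: tuple
    outputs: tuple


# Constructed sample ledger; every address and amount here is invented.
LEDGER = (
    Tx("t1", (("victimA", 0.5),), (("ransom1", 0.5),)),          # known victim pays 0.5
    Tx("t2", (("victimB", 1.0),), (("ransom2", 1.0),)),          # unknown victim
    Tx("t3", (("victimC", 1.3),), (("ransom3", 1.3),)),          # unknown victim
    Tx("t4", (("researcher", 0.001),), (("ransom4", 0.001),)),   # artificial "victim" seed
    Tx("t5", (("victimD", 0.8),), (("ransom5", 0.8),)),          # unknown victim
    # The operator sweeps ransom wallets; spending them together links them.
    Tx("t6", (("ransom1", 0.5), ("ransom2", 1.0), ("ransom3", 1.3)), (("collector1", 2.8),)),
    Tx("t7", (("ransom4", 0.001), ("ransom5", 0.8)), (("collector1", 0.801),)),
    # The collector deposits most of it at an exchange and keeps change.
    Tx("t8", (("collector1", 3.601),), (("exchX_deposit", 3.0), ("change1", 0.601))),
    # Unrelated payment that must not be counted.
    Tx("t9", (("someone", 2.0),), (("other", 2.0),)),
)

# Constructed label table: deposit addresses already attributed to an exchange.
EXCHANGE_LABELS = {"exchX_deposit": "ExchangeX"}


class UnionFind:
    """Minimal disjoint-set structure over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_cospending(ledger):
    """Multi-input heuristic: all inputs of one transaction share an owner."""
    uf = UnionFind()
    for tx in ledger:
        addrs = [a for a, _ in tx.inputs]
        for other in addrs[1:]:
            uf.union(addrs[0], other)
    return uf


def infer_ransom_addresses(ledger, seed_addresses):
    """Expand known/artificial victims' ransom addresses to their co-spending cluster."""
    uf = cluster_by_cospending(ledger)
    seed_roots = {uf.find(s) for s in seed_addresses}
    return {a for a in list(uf.parent) if uf.find(a) in seed_roots}


def total_ransom(ledger, ransom_addresses, ignore_payers=()):
    """Sum payments into the cluster, skipping internal sweeps and our own seed payments."""
    total = 0.0
    for tx in ledger:
        if any(a in ransom_addresses for a, _ in tx.inputs):
            continue  # operator moving its own coins, not a victim payment
        if any(p in ignore_payers for p, _ in tx.inputs):
            continue  # artificial "victim" micropayment made by the analyst
        total += sum(amt for addr, amt in tx.outputs if addr in ransom_addresses)
    return round(total, 8)


def exchange_inflow(ledger, ransom_addresses, exchange_labels, max_hops=3):
    """Follow outflows from the cluster for a few hops and total what lands at labelled exchanges."""
    spends = defaultdict(list)  # address -> transactions that spend it
    for tx in ledger:
        for a, _ in tx.inputs:
            spends[a].append(tx)
    inflow = defaultdict(float)
    seen_tx = set()
    frontier = set(ransom_addresses)
    for _ in range(max_hops):
        next_frontier = set()
        for addr in frontier:
            for tx in spends[addr]:
                if tx.txid in seen_tx:
                    continue
                seen_tx.add(tx.txid)
                for out_addr, amt in tx.outputs:
                    if out_addr in exchange_labels:
                        inflow[exchange_labels[out_addr]] += amt
                    else:
                        next_frontier.add(out_addr)
        frontier = next_frontier
    return {k: round(v, 8) for k, v in inflow.items()}


if __name__ == "__main__":
    addrs = infer_ransom_addresses(LEDGER, {"ransom1", "ransom4"})
    paid = total_ransom(LEDGER, addrs, ignore_payers={"researcher"})
    print("inferred ransom addresses:", sorted(addrs))
    print("total ransom (BTC):", paid)
    print("sent to exchanges (BTC):", exchange_inflow(LEDGER, addrs, EXCHANGE_LABELS))
```

Two caveats worth keeping in mind when reading the slides' numbers: a ransom address that has never been swept has no co-spending partner and is invisible to this expansion (so the estimate is a lower bound), and the multi-input heuristic is defeated by CoinJoin-style transactions, which would merge unrelated owners into one cluster.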

slide-40
SLIDE 40

Total ransom received

Chart: total ransom received per family, in USD per month (labelled values: $7.7m, $1.8m, $69k, $6.6m, $100k)

slide-41
SLIDE 41

Fraction of revenue sent to exchanges

Chart: potential liquidation at exchanges (labelled values: $2.6m, $24k)

slide-42
SLIDE 42

2

Reverse Engineering Cerber’s C&C

slide-44
SLIDE 44

Cerber’s outbound UDP traffic

Diagram: the infected host sends UDP packets to x.y.z.1, x.y.z.2, x.y.z.3 … x.y.z.254, one of which is the researchers’ own address (“me”).

Two-week data capture; fields recorded: victim IP, victim ID, affiliate ID, ...

slide-45
SLIDE 45

Chart: number of infected IP addresses per affiliate (x-axis: affiliate ID)

slide-46
SLIDE 46

3% of affiliates caused 50% of infected IPs

(Same chart, x-axis: affiliate ID)
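How the "3% of affiliates caused 50% of infected IPs" figure is computed from beacon data of the kind described on the previous slides, as an added example that is not the authors' code. The beacon records (victim IP, affiliate ID) are constructed here with one dominant affiliate; the two things the code gets right that a naive count would not are deduplicating repeated beacons from the same host and ranking affiliates before cumulating.

```python
from collections import defaultdict


def make_sample_beacons():
    """Constructed (victim_ip, affiliate_id) records standing in for captured UDP beacons."""
    beacons = []
    # One dominant affiliate with 50 infected hosts, ten small ones with 5 each.
    for i in range(50):
        beacons.append((f"10.0.1.{i + 1}", "aff-01"))
    for a in range(2, 12):
        for i in range(5):
            beacons.append((f"10.0.{a}.{i + 1}", f"aff-{a:02d}"))
    # Infected hosts beacon repeatedly; these duplicates must not inflate counts.
    beacons += beacons[:20]
    return beacons


def infected_ips_per_affiliate(beacons):
    """Count distinct infected IPs per affiliate (a set per affiliate deduplicates beacons)."""
    ips = defaultdict(set)
    for ip, affiliate in beacons:
        ips[affiliate].add(ip)
    return {affiliate: len(s) for affiliate, s in ips.items()}


def affiliate_share_for_infections(counts, target_share=0.5):
    """Smallest fraction of affiliates (largest first) whose hosts reach target_share of infections.

    Returns (fraction_of_affiliates, share_of_infections_actually_covered).
    """
    total = sum(counts.values())
    covered, used = 0, 0
    for c in sorted(counts.values(), reverse=True):
        covered += c
        used += 1
        if covered >= target_share * total:
            break
    return used / len(counts), covered / total


if __name__ == "__main__":
    counts = infected_ips_per_affiliate(make_sample_beacons())
    frac, share = affiliate_share_for_infections(counts)
    print(f"{frac:.1%} of affiliates account for {share:.0%} of infected IPs")
```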

slide-47
SLIDE 47

3

Summary

slide-48
SLIDE 48

Summary

Tracked ransom payments for 10 ransomware families using co-spending wallet addr Reverse engineered C&C protocol for Cerber ransomware

Key Methods

slide-51
SLIDE 51

Summary

Key Methods
  • Tracked ransom payments for 10 ransomware families using co-spending of wallet addresses
  • Reverse engineered the C&C protocol of the Cerber ransomware

Key Results
  • Estimated revenue: 10 families, >$16 million over two years
  • Possible chokepoints: exchanges and affiliates

Danny Y. Huang — Postdoc at Princeton — http://hdanny.org

slide-52
SLIDE 52

4

Appendix

slide-53
SLIDE 53

Ransom payments over time

Charts: number of payments per day; median ransom amount per day (USD)

slide-54
SLIDE 54

Potentially missing Locky’s ransom payments

Figure labels: Google results, binaries found, bitcoin payment