tracking desktop ransomware payments end to end
play

Tracking desktop ransomware payments end to end Elie Bursztein, - PowerPoint PPT Presentation

Dec 26, 2023 •111 likes •746 views

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi with the help of many people from UCSD, NYU, and Chainalysis Only 37% of users backup their data g.co/research/protect Since 2016 ransomware

  1. Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi with the help of many people from UCSD, NYU, and Chainalysis

  2. Only 37% of users backup their data g.co/research/protect

  4. Since 2016 “ransomware” search queries increased by 877% g.co/research/protect

  5. How profitable is ransomware? g.co/research/protect

  6. Agenda 1. How we trace ransom payments at scale 2. Revenue & ecosystem insights 3. The kingpins and the fads

  7. The website ahead contains malware Keeping users safe

  8. The team Google Chainalysis University of New York California, University San Diego g.co/research/protect

  9. Life of a ransomware infection

  10. Victim gets infected

  11. Payment URL Victim is shown ransom note

  12. Victim ID Unique Bitcoin wallet Victim visits payment site via Tor

  13. Victim buys bitcoin at exchange

  14. Why Bitcoin? Pseudonymous No need to show ID card to create wallets Fully Automatable Allows scalable payment processing Irrefutable Transactions can’t be reverted Fungible Bitcoins are easily converted into cash g.co/research/protect

  15. Bitcoin transactions are public Transaction 152Lf[...] on 2016-08-09 4 BTC Sender wallet: 1N1Nn[...] Receiver wallet: 152Lf[...] g.co/research/protect

  16. Life of a ransom payment 1. Victim buys bitcoins at exchange g.co/research/protect

  17. Life of a ransom payment 2. Ransom moves across multiple wallets ... 1. Victim buys bitcoins at exchange g.co/research/protect

  18. Life of a ransom payment 2. Ransom moves across multiple wallets ... 1. Victim buys 3. Criminal accumulates bitcoins bitcoins then sells them at exchange for currency at exchange g.co/research/protect

  19. Measuring revenue

  20. Identifying victims To identify other victims, we look at transactions with the criminal’s accumulation wallet ... g.co/research/protect

  21. Discovering payment network g.co/research/protect

  22. Discovering payment network g.co/research/protect

  23. Discovering payment network ... ... ... g.co/research/protect

  24. Gathering seed bitcoin transactions Victim reports Synthetic “victims” g.co/research/protect

  25. Automating payment tracing Compute near-collision blocks Initial seed Dataset Payment site Payment ransomware expansion & and wallet tracing clustering extraction g.co/research/protect

  26. Initial dataset: 34 families, 154k binaries g.co/research/protect Static/Dynamic signatures

  27. Using clustering for dataset expansion NotPetya - v1 Cerber - v1 Cerber -v2 Shared infrastructure Code similarity g.co/research/protect

  28. Expanded dataset 301,588 binaries 154,227 147,361 Seed dataset Additional binaries g.co/research/protect

  29. Automatically identifying payment sites at scale Tor proxy URL hjhqmbxyinislkkt.1a58vj.top/XXXX Found in 4 files and 1 screenshot + = Bitcoin wallet 1AZvk[...] Found in 16 files and 1 screenshot g.co/research/protect

  30. Tracing payments through the bitcoin chain NotPetya Coinbase Poloniex Huobi BTC-E LocalBitcoin Locky BiThumb BtcBank WannaCry g.co/research/protect

  31. Market insights

  32. $25,253,505 g.co/research/protect

  33. In 2016 ransomware became a multi-million $ business g.co/research/protect

  34. The ecosystem is dominated by a few kingpins g.co/research/protect

  35. A fast changing market g.co/research/protect

  36. In 2017 ransomware increased binary diversity to evade AVs g.co/research/protect

  37. Many victims buy Bitcoins through the “Craigslist of Bitcoin” g.co/research/protect

  38. Split payment Victim payments in multiple transactions 90% 9% Paid the ransom in a single Did not account transaction for transaction fees g.co/research/protect

  39. 95% traced ransoms cashed out via BTC-E Cashout list available on request g.co/research/protect

  40. Ransomware notable actors

  41. Locky Bringing ransoms to the masses g.co/research/protect

  43. The first ransomware to make >$1M per month g.co/research/protect

  44. Renting-out cybercriminal infrastructure Dridex Locky Dridex, Locky, Cerber are distributed via the Necurs botnet g.co/research/protect

  45. Cerber Rise of ransomware as service g.co/research/protect

  46. Enrolling low tech criminals made Cerber the new king of the hill in 2017 g.co/research/protect

  47. Consistent income - $200k per month for over a year g.co/research/protect

  48. 8 affiliates are responsible for 50% of the infections g.co/research/protect

  49. Embedding ransom site in the blockchain 1AzkuxChzMB4[...] Hardcoded wallet transacts with new wallets periodically. 1Azkux.top Cerber derives ransom site from these wallets. g.co/research/protect

  50. From infection to full encryption in under a minute g.co/research/protect

  51. Spora Ransomware business model refined g.co/research/protect

  53. Wannacry notPetya Rise of the impostors

  56. The (low) bottom line 56 BTC 5 $0 revenue bitcoin wallets cashed-out g.co/research/protect

  57. Testing out the malware, then unleashing it at once g.co/research/protect

  59. No early warning - Activity start on the day of the outbreak g.co/research/protect

  60. Takeaways Multi-million dollar black market Ransomware generates tens of millions of revenue for criminals RaaS is the new black Cerber’s affiliate model is taking the world by storm Rise of the impostors Wipeware pretending to be ransomware is on the rise g.co/research/protect

  61. Questions? Join us tomorrow 12pm | South Seas CD Attacking encrypted USB keys the hard(ware) way

  62. Thank you g.co/research/protect

Recommend

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

799 views • 54 slides
1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

X by Invincea Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more sophisticated, and shifting to an enterprise threat Ransomware Nightmares X by Invincea To Pay Or Not To Pay? X by Invincea Your money or

780 views • 23 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new attacker entrants, lower cost through kit automation, etc.) Take consumer and enterprise digital assets hostage using high- strength encryption

365 views • 18 slides
Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of Ransomware Technology Perspective and Attacked Devices Ransomware Economy Security Conditions Biomorphic Perimeterisation How to generate a

860 views • 61 slides
Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users files unless a ransom is paid.

517 views • 30 slides
Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy Bennett 2019 Cybersecurity Awareness Month Event October 22, 2019 2019 Texas Headlines Ransomware Ransomware Cyber criminals holding your data and

450 views • 23 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
More than payments ePassi Payments ePassi mobile payments ePassi Fringe Benefits Sport

More than payments ePassi Payments ePassi mobile payments ePassi Fringe Benefits Sport

More than payments ePassi Payments ePassi mobile payments ePassi Fringe Benefits Sport & Culture 2008 Commuting 2013 Lunch 2014 Wellbeing 2015 General payments Alipay 2016 Siirto 2018

321 views • 17 slides
How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How Healthcare IT Differs From General IT Agenda The Growing Threat of Ransomware What You Can Do Today To Protect Your Business How Healthcare IT

440 views • 32 slides
The K Desktop Environment (KDE) Page 1 We Shall be Covering ... Desktop environment The

The K Desktop Environment (KDE) Page 1 We Shall be Covering ... Desktop environment The

The K Desktop Environment (KDE) Page 1 We Shall be Covering ... Desktop environment The KDE Desktop Control Center Konqueror Help Center Page 2 The Desktop Environment A common graphical user interface and platform

323 views • 17 slides
The State of the Linux Desktop An OSDL Perspective John Cherry OSDL Desktop Linux (DTL)

The State of the Linux Desktop An OSDL Perspective John Cherry OSDL Desktop Linux (DTL)

The State of the Linux Desktop An OSDL Perspective John Cherry OSDL Desktop Linux (DTL) September 23, 2006 1 2 The State of the Linux Desktop Riding the Open Software Wave The Linux Desktop Markets Linux Desktop Market Data The Linux

544 views • 40 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi Encryption Ransomware Is Becoming More Aggressive May 12,

772 views • 75 slides
What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary 1 Confidential & Proprietary Ransomware Overview Malware that blocks access to a system, device, or file until a ransom is paid

248 views • 11 slides
Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top Leaders-2019 www.vembu.com How to protect your business from a Ransomware attack? What is Ransomware? Types of Ransomware How it attacks? Stats for year

454 views • 16 slides
UNIFIED PAYMENTS AT A GLANCE DEAR MERCHANT, WELCOME TO UNIFIED PAYMENTS! At Unified Payments,

UNIFIED PAYMENTS AT A GLANCE DEAR MERCHANT, WELCOME TO UNIFIED PAYMENTS! At Unified Payments,

UNIFIED PAYMENTS AT A GLANCE DEAR MERCHANT, WELCOME TO UNIFIED PAYMENTS! At Unified Payments, we strive to make our customers our #1 priority. Running a busi - ness is already complicated enough, we're here to make it easier for you so that

105 views • 9 slides
The Dynamic Desktop Agenda 5 signs of a broken desktop Jonty Pearce, Editor, Call Centre

The Dynamic Desktop Agenda 5 signs of a broken desktop Jonty Pearce, Editor, Call Centre

The Dynamic Desktop Agenda 5 signs of a broken desktop Jonty Pearce, Editor, Call Centre Helper The Dynamic Desktop Paul White, CEO mplsystems Customer Case Study Richard Wilcox, Operations Manager, Express Medicals

145 views • 12 slides
S7797 Tobii Eye Tracked Foveated Rendering for VR and Desktop Peter Vincent VP SW R&D

S7797 Tobii Eye Tracked Foveated Rendering for VR and Desktop Peter Vincent VP SW R&D

S7797 Tobii Eye Tracked Foveated Rendering for VR and Desktop Peter Vincent VP SW R&D Ritchie Brannan Principal Engineer Foveated Rendering 2017-05-08 4.00 PM 1 Eye tracking is hitting a tipping point IDENTIFICATION About Tobii -

912 views • 33 slides
FEDERAL RESERVE BANK OF CHICAGO 2008 PAYMENTS CONFERENCE PAYMENTS FRAUD: PAYMENTS FRAUD:

FEDERAL RESERVE BANK OF CHICAGO 2008 PAYMENTS CONFERENCE PAYMENTS FRAUD: PAYMENTS FRAUD:

FEDERAL RESERVE BANK OF CHICAGO 2008 PAYMENTS CONFERENCE PAYMENTS FRAUD: PAYMENTS FRAUD: PERCEPTION VS. REALITY Duncan Douglass Partner Partner Alston & Bird LLP 1201 W. Peachtree Street Atlanta, GA 30309-3424 (404) 881-7768

367 views • 7 slides
Thorium desktop reader app made with the Readium SDK Desktop reader app

Thorium desktop reader app made with the Readium SDK Desktop reader app

Thorium desktop reader app made with the Readium SDK Desktop reader app Windows Mac Linux Free (of charge) Free (Open Source Software) Developed by EDRLab A Few Key Features Accessible User Interface

793 views • 50 slides
Using Digital Payments to Curb the Covid-19 Pandemic Camilo Tellez-Merchan Digital Payments

Using Digital Payments to Curb the Covid-19 Pandemic Camilo Tellez-Merchan Digital Payments

Using Digital Payments to Curb the Covid-19 Pandemic Camilo Tellez-Merchan Digital Payments Innovation Hub May 14 2020 WWW.BETTERTHANCASH.ORG AGENDA 2 Digital Payments as Frontline Response Building Trust and making Payments Responsibly

423 views • 13 slides

More recommend