tracking ransomware end to end
play

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios - PowerPoint PPT Presentation

Nov 05, 2023 •256 likes •799 views

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

  1. Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy

  2. Ransomware causes financial damages

  3. Ransomware causes financial damages

  4. Ransomware causes financial damages

  5. Ransomware causes financial damages How much ransomware revenue? How to shut down ransomware?

  6. How typical ransomware works 1. Distribution 2. Infection Spam, compromised websites, etc 3. Victim pays bitcoins 4. Decryption 5. Criminal liquidates bitcoins

  7. How typical ransomware works 1. Distribution 2. Infection 3. Victim pays bitcoins 4. Decryption 5. Criminal liquidates bitcoins

  8. How typical ransomware works 1. Distribution All your files are encrypted! 2. Infection 3. Victim pays bitcoins Send 0.5 bitcoins to the following address. 4. Decryption 175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b 5. Criminal liquidates bitcoins

  9. How typical ransomware works 1. Distribution All your files are encrypted! 2. Infection 3. Victim pays bitcoins Send 0.5 bitcoins to the following address. 4. Decryption Cerber: median ~$1,000 175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b 5. Locky: median ~$1,800 Criminal liquidates bitcoins

  10. How typical ransomware works 1. Distribution All your files are encrypted! 2. Infection 3. Victim pays bitcoins Send 0.5 bitcoins to the following address. 4. Decryption 175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b 5. Criminal liquidates unique ransom bitcoins wallet address

  11. How typical ransomware works Victim’s money 1. Distribution 2. Infection 3. Victim pays bitcoins 4. Decryption 5. Criminal liquidates bitcoins

  12. How typical ransomware works Victim’s money 1. Distribution Exchange 2. Infection Victim’s bitcoins 3. Victim pays bitcoins 4. Decryption 5. Criminal liquidates bitcoins

  13. How typical ransomware works Victim’s money 1. Distribution Exchange 2. Infection Victim’s bitcoins 3. Victim pays bitcoins Ransom wallet address 4. Decryption Ransomware’s 5. Criminal liquidates bitcoins bitcoins

  14. How typical ransomware works Victim’s money 1. Distribution Exchange 2. Infection Victim’s bitcoins 3. Victim pays bitcoins Ransom wallet address 4. Decryption Ransomware’s 5. Criminal liquidates bitcoins bitcoins

  15. How typical ransomware works Victim’s money 1. Distribution Exchange 2. Infection Victim’s bitcoins 3. Victim pays bitcoins Ransom wallet address 4. Decryption Ransomware’s 5. Criminal liquidates bitcoins bitcoins Exchange Ransomware’s money

  16. Research questions How to estimate the total ransom paid (or revenue)? - $16 million over two years, 20k unique payments How to identify chokepoints? - 40% of revenue of one ransomware sent to BTC-e - 3% of affiliates of one ransomware caused 50% infections

  17. Research questions How to estimate the total ransom paid (or revenue)? - $16 million over two years, 20k unique payments How to identify chokepoints? - 40% of revenue of one ransomware sent to BTC-e - 3% of affiliates of one ransomware caused 50% infections

  18. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families How to identify chokepoints? - 40% of revenue of one ransomware sent to BTC-e - 3% of affiliates of one ransomware caused 50% infections

  19. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families How to identify chokepoints? - 40% revenue of one ransomware sent to BTC-e - 3% of affiliates of one ransomware caused 50% infections

  20. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families How to identify chokepoints? - 40% revenue of one ransomware sent to BTC-e - 3% affiliates of one ransomware caused 50% infections

  21. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families 1 How to identify chokepoints? - 40% revenue of one ransomware sent to BTC-e - 3% affiliates of one ransomware caused 50% infections

  22. Overview of results How to estimate the total ransom paid (or revenue)? - 10 families, >$16 million over two years; 90% made by two families 1 How to identify chokepoints? - 40% revenue of one ransomware sent to BTC-e 2 - 3% affiliates of one ransomware caused 50% infections

  23. 1 Blockchain Analysis

  24. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  25. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  26. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  27. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  28. Methodology: Follow the money 1. Identify known victims 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  29. Methodology: Follow the money 1. Identify known known 0.5 victims victim 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  30. Methodology: Follow the money 1. Identify known known 0.5 victims victim 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  31. Methodology: Follow the money Co-spending 1. Identify known known 0.5 victims victim 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  32. Methodology: Follow the money Co-spending 1. Identify known known 0.5 victims victim 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  33. Methodology: Follow the money Co-spending 1. Identify known known 0.5 victims victim 2. Infer unknown victims 1.0 3. Estimate total ransom 1.3 4. Identify exchanges

  34. Methodology: Follow the money Co-spending 1. Identify known known 0.5 victims victim 2. Infer unknown victims 1.0 potential 3. Estimate total victim ransom 1.3 4. Identify exchanges

  35. Methodology: Follow the money 1. Identify known artificial victims “victim” 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  36. Methodology: Follow the money 1. Identify known artificial 0.001 victims “victim” 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  37. Methodology: Follow the money Co-spending 1. Identify known artificial 0.001 victims “victim” 2. Infer unknown victims 3. Estimate total ransom 4. Identify exchanges

  38. Methodology: Follow the money Co-spending 1. Identify known artificial 0.001 victims “victim” 2. Infer unknown victims 1.0 potential 3. Estimate total victim ransom 1.3 4. Identify exchanges

  39. Total ransom received USD per month

  40. Total ransom received $7.7m $1.8m $69k $6.6m $100k USD per month

  41. Potential liquidation at exchanges $2.6 m $24 k Fraction of revenue sent to exchanges

  42. 2 Reverse Engineering Cerber’s C&C

  43. Cerber’s outbound UDP traffic IP: x.y.z.1 IP: x.y.z.2 IP: x.y.z.3 Infected host IP: x.y.z.254

  44. Cerber’s outbound UDP traffic IP: x.y.z.1 two-week data IP: x.y.z.2 victim IP victim ID IP: x.y.z.3 affiliate ID Infected ... host me IP: x.y.z.254

  45. Number of infected IP addr per affiliate Affiliate ID

  46. 3% of affiliates caused 50% of infected IPs Affiliate ID

  47. 3 Summary

  48. Summary Key Methods Tracked ransom payments for 10 ransomware families using co-spending wallet addr Reverse engineered C&C protocol for Cerber ransomware

  49. Summary Key Methods Tracked ransom payments for 10 ransomware families using co-spending wallet addr Reverse engineered C&C protocol for Cerber ransomware

  50. Summary Key Methods Key Results Tracked ransom payments for Estimated revenue: 10 ransomware families using 10 families, > $16 million co-spending wallet addr over two years Reverse engineered C&C Possible chokepoints: protocol for Cerber exchanges and affiliates ransomware

  51. Summary Key Methods Key Results Tracked ransom payments for Estimated revenue: 10 ransomware families using 10 families, > $16 million co-spending wallet addr over two years Reverse engineered C&C Possible chokepoints: protocol for Cerber exchanges and affiliates ransomware Danny Y. Huang — Postdoc at Princeton — http://hdanny.org

  52. 4 Appendix

  53. Ransom payments over time Median ransom amount per day (USD) Number of payments per day

  54. Potentially missing Locky’s ransom payments Google results binaries found bitcoin payment

Recommend

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi with the help of many people from UCSD, NYU, and Chainalysis Only 37% of users backup their data g.co/research/protect Since 2016 ransomware

746 views • 62 slides
1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

X by Invincea Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more sophisticated, and shifting to an enterprise threat Ransomware Nightmares X by Invincea To Pay Or Not To Pay? X by Invincea Your money or

780 views • 23 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new attacker entrants, lower cost through kit automation, etc.) Take consumer and enterprise digital assets hostage using high- strength encryption

365 views • 18 slides
Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of Ransomware Technology Perspective and Attacked Devices Ransomware Economy Security Conditions Biomorphic Perimeterisation How to generate a

860 views • 61 slides
Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users files unless a ransom is paid.

517 views • 30 slides
Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy Bennett 2019 Cybersecurity Awareness Month Event October 22, 2019 2019 Texas Headlines Ransomware Ransomware Cyber criminals holding your data and

450 views • 23 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How Healthcare IT Differs From General IT Agenda The Growing Threat of Ransomware What You Can Do Today To Protect Your Business How Healthcare IT

440 views • 32 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi Encryption Ransomware Is Becoming More Aggressive May 12,

772 views • 75 slides
What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary 1 Confidential & Proprietary Ransomware Overview Malware that blocks access to a system, device, or file until a ransom is paid

248 views • 11 slides
Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top Leaders-2019 www.vembu.com How to protect your business from a Ransomware attack? What is Ransomware? Types of Ransomware How it attacks? Stats for year

454 views • 16 slides
Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern

Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern

Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern Ransomware-as-a-Service: An Evolving Business Model Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording

999 views • 23 slides
Preparing for a Ransomware Attack MCCA Global TEC Forum June 19, 2017 Monica Patel, IBM

Preparing for a Ransomware Attack MCCA Global TEC Forum June 19, 2017 Monica Patel, IBM

Preparing for a Ransomware Attack MCCA Global TEC Forum June 19, 2017 Monica Patel, IBM Aravind Swaminathan, Orrick, Herrington & Sutcliffe Darren Teshima, Orrick, Herrington & Sutcliffe What is ransomware? Malicious software

200 views • 17 slides
Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location

Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location

Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location of one target in video starting from a bounding box in the first frame. When conceived as an instant learning problem, the task is to discriminate

651 views • 39 slides
How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @

How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @

How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @ Kaspersky Hands-on work: coding, reverse engineering, vulnerability research Malware analysis trainings T ags: GTD (Getting Things

392 views • 24 slides
Prepping for Ransomware in 2017 Risks change, and so should you. THM Group & Infrascale

Prepping for Ransomware in 2017 Risks change, and so should you. THM Group & Infrascale

Prepping for Ransomware in 2017 Risks change, and so should you. THM Group & Infrascale ABOUT THM GROUP Providing custom end-to-end voice & data solu4ons At a Glance Key Focus Founded: 20 years ago HQ: Barrie, Ontario Businesses

691 views • 38 slides
What We Learned Key Takeaways from the 2018 Ransomware Attack on Colorado Department of

What We Learned Key Takeaways from the 2018 Ransomware Attack on Colorado Department of

What We Learned Key Takeaways from the 2018 Ransomware Attack on Colorado Department of Transportation February March 2018 Topics How It Happened What It Did Timeline How We Responded Business Response Cyber Incident

669 views • 20 slides
Ransomware & More Quick Note About Me Michael Zimmer, Director of Information Security

Ransomware & More Quick Note About Me Michael Zimmer, Director of Information Security

Ransomware & More Quick Note About Me Michael Zimmer, Director of Information Security Services at Northern Arizona University Working in IT at NAU 23 years, from Help Desk to Deskside Support to Sys Admin to InfoSec WHEN, not if

305 views • 8 slides
Ransomware Threats to Storage(NAS/SAN/Cloud) and possible mitigation Tuesday, May 23, 2017

Ransomware Threats to Storage(NAS/SAN/Cloud) and possible mitigation Tuesday, May 23, 2017

Ransomware Threats to Storage(NAS/SAN/Cloud) and possible mitigation Tuesday, May 23, 2017 Anupam Jagdish Chomal Tech Lead/Principal Software Engineer DellEMC Isilon 1 Who am I? The Eternal Question Who am I? Principal

636 views • 18 slides
Tracking Articulated Objects Alexander (Sasha) Lambert CS7495 Fall 2014 Tracking From Depth

Tracking Articulated Objects Alexander (Sasha) Lambert CS7495 Fall 2014 Tracking From Depth

Tracking Articulated Objects Alexander (Sasha) Lambert CS7495 Fall 2014 Tracking From Depth Infra-red point-clouds (structured light) Affordable sensors (Primesense) Large body of work on people-tracking Complex tracking

409 views • 23 slides

More recommend