kirill levchenko, alex c. snoeren, damon mccoy luca ...yuxingh/static/oakland-18-slides.pdf ·...
TRANSCRIPT
Tracking Ransomware End-to-endDanny Y. Huang
Maxwell Matthaios Aliapoulios, Vector Guo LiLuca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan LevinKirill Levchenko, Alex C. Snoeren, Damon McCoy
Ransomware causes financial damages
Ransomware causes financial damages
Ransomware causes financial damages
Ransomware causes financial damages
How much ransomware revenue?
How to shut down ransomware?
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
Spam, compromised websites, etc
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
All your files are encrypted!
Send 0.5 bitcoins to the following address.
175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
All your files are encrypted!
Send 0.5 bitcoins to the following address.
175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1bCerber: median ~$1,000
Locky: median ~$1,800
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
All your files are encrypted!
Send 0.5 bitcoins to the following address.
175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b
unique ransom wallet address
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
Victim’s money
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
Exchange
Victim’s bitcoins
Victim’s money
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
Exchange
Victim’s bitcoins
Ransom wallet address
Ransomware’s bitcoins
Victim’s money
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
Exchange
Victim’s bitcoins
Ransom wallet address
Ransomware’s bitcoins
Victim’s money
How typical ransomware works
1. Distribution
2. Infection
3. Victim pays bitcoins
4. Decryption
5. Criminal liquidates bitcoins
Exchange
Victim’s bitcoins
Ransom wallet address
Ransomware’s bitcoins
Victim’s money
Exchange
Ransomware’s money
Research questions
How to estimate the total ransom paid (or revenue)?
- $16 million over two years, 20k unique payments
How to identify chokepoints?
- 40% of revenue of one ransomware sent to BTC-e
- 3% of affiliates of one ransomware caused 50% infections
Research questions
How to estimate the total ransom paid (or revenue)?
- $16 million over two years, 20k unique payments
How to identify chokepoints?
- 40% of revenue of one ransomware sent to BTC-e
- 3% of affiliates of one ransomware caused 50% infections
Overview of results
How to estimate the total ransom paid (or revenue)?
- 10 families, >$16 million over two years; 90% made by two families
How to identify chokepoints?
- 40% of revenue of one ransomware sent to BTC-e
- 3% of affiliates of one ransomware caused 50% infections
Overview of results
How to estimate the total ransom paid (or revenue)?
- 10 families, >$16 million over two years; 90% made by two families
How to identify chokepoints?
- 40% revenue of one ransomware sent to BTC-e
- 3% of affiliates of one ransomware caused 50% infections
Overview of results
How to estimate the total ransom paid (or revenue)?
- 10 families, >$16 million over two years; 90% made by two families
How to identify chokepoints?
- 40% revenue of one ransomware sent to BTC-e
- 3% affiliates of one ransomware caused 50% infections
Overview of results
How to estimate the total ransom paid (or revenue)?
- 10 families, >$16 million over two years; 90% made by two families
How to identify chokepoints?
- 40% revenue of one ransomware sent to BTC-e
- 3% affiliates of one ransomware caused 50% infections
1
Overview of results
How to estimate the total ransom paid (or revenue)?
- 10 families, >$16 million over two years; 90% made by two families
How to identify chokepoints?
- 40% revenue of one ransomware sent to BTC-e
- 3% affiliates of one ransomware caused 50% infections
1
2
1 Blockchain Analysis
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
known victim
0.5
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
known victim
0.5
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Co-spending
known victim
0.5
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Co-spending
known victim
0.5
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Co-spending
known victim
0.5
1.0
1.3
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Co-spending
known victim
0.5
1.0
1.3
potential victim
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
artificial “victim”
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
artificial “victim”
0.001
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Co-spending
artificial “victim”
0.001
Methodology: Follow the money
1. Identify known victims
2. Infer unknown victims
3. Estimate total ransom
4. Identify exchanges
Co-spending
artificial “victim”
0.001
1.0
1.3
potential victim
Total ransom received
USDper
month
Total ransom received$7.7m$1.8m
$69k$6.6m$100k
USDper
month
Fraction of revenue sent to exchanges
Potential liquidation at exchanges
$2.6 m
$24 k
2 Reverse Engineering Cerber’s C&C
Cerber’s outbound UDP traffic
Infected host
IP: x.y.z.1
IP: x.y.z.2
IP: x.y.z.3
IP: x.y.z.254
Cerber’s outbound UDP traffic
Infected host
IP: x.y.z.1
IP: x.y.z.2
IP: x.y.z.3
IP: x.y.z.254me
two-week data
victim IPvictim ID
affiliate ID...
Number of infected IP addr per affiliate
Affiliate ID
3% of affiliates caused 50% of infected IPs
Affiliate ID
3 Summary
Summary
Tracked ransom payments for 10 ransomware families using co-spending wallet addr
Reverse engineered C&C protocol for Cerber ransomware
Key Methods
Summary
Tracked ransom payments for 10 ransomware families using co-spending wallet addr
Reverse engineered C&C protocol for Cerber ransomware
Key Methods
Summary
Tracked ransom payments for 10 ransomware families using co-spending wallet addr
Reverse engineered C&C protocol for Cerber ransomware
Estimated revenue: 10 families, >$16 million over two years
Possible chokepoints: exchanges and affiliates
Key Methods Key Results
Summary
Tracked ransom payments for 10 ransomware families using co-spending wallet addr
Reverse engineered C&C protocol for Cerber ransomware
Estimated revenue: 10 families, >$16 million over two years
Possible chokepoints: exchanges and affiliates
Key Methods Key Results
Danny Y. Huang — Postdoc at Princeton — http://hdanny.org
4 Appendix
Ransom payments over time
Number of payments per day
Median ransom amount per day
(USD)
Potentially missing Locky’s ransom payments
Google resultsbinaries found
bitcoin payment