Whitepaper Wednesday - Tracking Ransomware End-to-end

Misha Yalavarthy
Blog

This is a review/summary of the white paper posted by Google's research team in Security & Privacy. Link to the original paper is at the bottom of the post. The reason why I found this paper particularly interesting at this time is because of its focus on ransomware payments in form of bitcoin. This study is also applicable to other cybercriminal operations that also attempt to use bitcoin as the form of payment. 

Cryptolocker came out in 2013 is typically attributed as the first ransomware that appeared to be asking for payment in Bitcoin. 

On a somwhat related note, cases where machines were infected cryptomining malware has gone up significantly from this time last year. In 2017, 2.7 million users had experienced cryptomining attacks. Attackers are quickly shifting their modus operandi from the more "traditional" methods of attack, payloads, ddos, ransomware, to cryptomining. With the greater interest in bitcoin and as the price went up at the end of last year,  the changes that the technology of cryptocurrency is bringing to the security world means that more security vulnerabilities will be taken advantage of. Numerous articles are stating that cryptomining or cryptojacking is the new ransomware. It is not just a buzzword or the next security trend. Anyway....I digress. I will go into more detail on what I have learned so far on cryptomining in an other post, seen here. [link to post on cryptomining]. 

Back to this research paper on ransomware. 

To begin with, ransomware is when an endpoint is infected with a malware that encrypts their machine (or specifically, files, documents, media, etc) and demands a form of payment in exchange for decryption. Needless to say, granting the payment does not guarantee that the attacker will decrypt the machine and at that point, the information on the machine could be completely compromised. 

This paper is based on 2 years worth of research on ransomware cases. The paper leveraged multiple data sources: labeled ransomware binaries, victims’ ransom payments, victim telemetry (collected through an IP sinkhole we deploy), and a large database of Bitcoin addresses annotated with their owners. They looked at various data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of Bitcoin addresses annotated with their owners to build an outline of this rapidly expanding ecosystem and associated third-party infrastructure. Many operators were found to cash out using BTC-e. Bitcoin is not centralized, is largely unregulated, and all parties in a transaction are hidden behind pseudo-anonymous identities. While transactions are irreversible, all transactions are public. This gives the ones looking at the transactions the opportunity to do research and potentially map out operations by tracing. 

Slack WebHook Integration using Python and JSON

Related Posts