Tracking Ransomware End-to-end

Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a crypto-currency like Bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of bitcoin addresses annotated with their owners, we sketch the outlines of this burgeoning ecosystem and associated third-party infrastructure. In particular, we are able to trace the financial transactions, from the acquisition of bitcoins by victims, through the payment of ransoms, to the cash out of bitcoins by the ransomware operators. We find that many ransomware operators cashed out using BTC-e, a now-defunct Bitcoin exchange. In total we are able to track over $16 million USD in likely ransom payments made by 19,750 potential victims during a two-year period. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal operations that have similarly adopted Bitcoin as their payment channel.
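The abstract describes a pipeline that starts from seed ransom payments, expands them to the operator's other addresses, and then follows the money backwards to where victims bought their coins and forwards to where the operator cashed out. The following is an added illustration of that style of analysis and is not code from the paper: it applies the standard multi-input (co-spend) clustering heuristic, which treats all inputs of one transaction as controlled by one entity, over a small constructed transaction graph. Whether this matches the paper's exact clustering rules is not stated on this page; the transactions, addresses and owner labels (including the `BTC-e` label on one constructed deposit address) are all made up for the example.

```python
"""Toy end-to-end tracing of ransom payments through a Bitcoin transaction graph.

Added illustration, not code from the paper. Applies the co-spend heuristic
(every input of one transaction is assumed to share an owner) to grow an
operator cluster from seed ransom addresses, then walks the graph backwards
to find where payers obtained their coins and forwards to find where the
operator cashed out. All transactions, addresses and labels are constructed.
"""
from collections import defaultdict, deque


class UnionFind:
    """Disjoint-set over address strings, with path halving on find."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_by_cospend(txs):
    """Co-spend heuristic: all inputs of one transaction share an owner."""
    uf = UnionFind()
    for _txid, ins, _outs in txs:
        first = ins[0][0]
        for addr, _amt in ins[1:]:
            uf.union(first, addr)
    return uf


def trace_ransom_flows(txs, labels, seeds, max_hops=4):
    """Return operator cluster, ransom payments, payer funding sources, cash-outs."""
    uf = cluster_by_cospend(txs)
    roots = {uf.find(s) for s in seeds}

    def in_cluster(addr):
        return uf.find(addr) in roots

    cluster = {a for a in list(uf.parent) if in_cluster(a)}

    funded_by = defaultdict(list)   # addr -> input lists of txs that paid it
    spent_in = defaultdict(list)    # addr -> output lists of txs that spent it
    for _txid, ins, outs in txs:
        for addr, _amt in outs:
            funded_by[addr].append(ins)
        for addr, _amt in ins:
            spent_in[addr].append(outs)

    # 1. Ransom payments: value entering the cluster from outside it.
    payments = []
    for txid, ins, outs in txs:
        if any(in_cluster(a) for a, _ in ins):
            continue                        # operator moving its own coins
        for addr, amt in outs:
            if in_cluster(addr):
                payments.append((txid, ins[0][0], amt))

    # 2. Acquisition: one hop back from each payer to a labelled funder.
    sources = defaultdict(int)
    for _txid, payer, _amt in payments:
        owners = {labels.get(a) for ins in funded_by[payer] for a, _ in ins}
        owners.discard(None)
        sources[owners.pop() if owners else "unknown"] += 1

    # 3. Cash-out: follow outputs leaving the cluster until a labelled address
    #    is reached (naive, whole-output attribution; bounded by max_hops).
    cashout = defaultdict(float)
    frontier = deque()
    for _txid, ins, outs in txs:
        if any(in_cluster(a) for a, _ in ins):
            for addr, amt in outs:
                if not in_cluster(addr):
                    frontier.append((addr, amt, 0))
    seen = set()
    while frontier:
        addr, amt, hops = frontier.popleft()
        if addr in seen or hops > max_hops:
            continue
        seen.add(addr)
        if addr in labels:
            cashout[labels[addr]] += amt
            continue
        for outs in spent_in[addr]:
            for nxt, nxt_amt in outs:
                frontier.append((nxt, nxt_amt, hops + 1))

    return {"cluster": cluster, "payments": payments,
            "total_btc": sum(p[2] for p in payments),
            "sources": dict(sources), "cashout": dict(cashout)}


# Constructed transactions: (txid, inputs, outputs); entries are (address, BTC).
SAMPLE_TXS = [
    ("tx1", [("exchA1", 5.00)], [("victimA", 1.00), ("exchA2", 3.99)]),
    ("tx2", [("exchA2", 3.99)], [("victimB", 1.20), ("exchA3", 2.78)]),
    ("tx3", [("victimA", 1.00)], [("ransom1", 1.00)]),
    ("tx4", [("victimB", 1.20)], [("ransom2", 1.00), ("victimB_chg", 0.19)]),
    ("tx5", [("victimC", 1.50)], [("ransom3", 1.00), ("victimC_chg", 0.49)]),
    ("tx6", [("ransom1", 1.00), ("ransom2", 1.00), ("ransom3", 1.00)],
            [("op_wallet", 2.99)]),                 # operator sweeps ransoms
    ("tx7", [("op_wallet", 2.99)], [("btce_dep", 2.98)]),   # deposit to exchange
    ("tx8", [("alice", 0.50)], [("bob", 0.49)]),            # unrelated traffic
]
# Constructed stand-in for the annotated address database.
SAMPLE_LABELS = {"exchA1": "exchange_A", "exchA2": "exchange_A",
                 "exchA3": "exchange_A", "btce_dep": "BTC-e"}
SEED_RANSOM_ADDRS = {"ransom1"}     # one known ransom address, e.g. a seed payment

if __name__ == "__main__":
    print(trace_ransom_flows(SAMPLE_TXS, SAMPLE_LABELS, SEED_RANSOM_ADDRS))
```

On the sample graph the single seed address expands to three ransom addresses because the operator sweeps them in one transaction, three payments totalling 3.0 BTC are attributed to it, two payers are traced back to the labelled exchange and one to an unknown source, and 2.98 BTC is followed forward to the constructed BTC-e deposit address. The co-spend heuristic is deliberately conservative: it links nothing across tx6 and tx7 on its own, which is why the forward walk is a separate step, and it is defeated by CoinJoin-style transactions, so real analyses filter those before clustering.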

    Original language: English (US)
    Title of host publication: Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
    Publisher: Institute of Electrical and Electronics Engineers Inc.
    Pages: 618-631
    Number of pages: 14
    Volume: 2018-May
    ISBN (Electronic): 9781538643525
    DOIs: 10.1109/SP.2018.00047
    State: Published - Jul 23 2018
    Event: 39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States
    Duration: May 21 2018 to May 23 2018

    Other

    Other: 39th IEEE Symposium on Security and Privacy, SP 2018
    Country: United States
    City: San Francisco
    Period: 5/21/18 to 5/23/18

    Fingerprint

    • Telemetering
    • Malware
    • Ecosystems
    • Seed

    Keywords

    • bitcoin
    • blockchain
    • malware
    • ransomware

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Software
    • Computer Networks and Communications

    Cite this

    Huang, D. Y., Aliapoulios, M. M., Li, V. G., Invernizzi, L., Bursztein, E., McRoberts, K., ... McCoy, D. (2018). Tracking Ransomware End-to-end. In Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 (Vol. 2018-May, pp. 618-631). [8418627] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SP.2018.00047

    Tracking Ransomware End-to-end. / Huang, Danny Yuxing; Aliapoulios, Maxwell Matthaios; Li, Vector Guo; Invernizzi, Luca; Bursztein, Elie; McRoberts, Kylie; Levin, Jonathan; Levchenko, Kirill; Snoeren, Alex C.; McCoy, Damon.

    Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Vol. 2018-May Institute of Electrical and Electronics Engineers Inc., 2018. p. 618-631 8418627.

    Huang, DY, Aliapoulios, MM, Li, VG, Invernizzi, L, Bursztein, E, McRoberts, K, Levin, J, Levchenko, K, Snoeren, AC & McCoy, D 2018, Tracking Ransomware End-to-end. in Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. vol. 2018-May, 8418627, Institute of Electrical and Electronics Engineers Inc., pp. 618-631, 39th IEEE Symposium on Security and Privacy, SP 2018, San Francisco, United States, 5/21/18. https://doi.org/10.1109/SP.2018.00047
    Huang DY, Aliapoulios MM, Li VG, Invernizzi L, Bursztein E, McRoberts K et al. Tracking Ransomware End-to-end. In Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Vol. 2018-May. Institute of Electrical and Electronics Engineers Inc. 2018. p. 618-631. 8418627 https://doi.org/10.1109/SP.2018.00047
    Huang, Danny Yuxing ; Aliapoulios, Maxwell Matthaios ; Li, Vector Guo ; Invernizzi, Luca ; Bursztein, Elie ; McRoberts, Kylie ; Levin, Jonathan ; Levchenko, Kirill ; Snoeren, Alex C. ; McCoy, Damon. / Tracking Ransomware End-to-end. Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Vol. 2018-May Institute of Electrical and Electronics Engineers Inc., 2018. pp. 618-631
    @inproceedings{5e0a46fb377e4f48b3012980f665bac7,
    title = "Tracking Ransomware End-to-end",
    abstract = "Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a crypto-currency like Bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of bitcoin addresses annotated with their owners, we sketch the outlines of this burgeoning ecosystem and associated third-party infrastructure. In particular, we are able to trace the financial transactions, from the acquisition of bitcoins by victims, through the payment of ransoms, to the cash out of bitcoins by the ransomware operators. We find that many ransomware operators cashed out using BTC-e, a now-defunct Bitcoin exchange. In total we are able to track over $16 million USD in likely ransom payments made by 19,750 potential victims during a two-year period. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal operations that have similarly adopted Bitcoin as their payment channel.",
    keywords = "bitcoin, blockchain, malware, ransomware",
    author = "Huang, {Danny Yuxing} and Aliapoulios, {Maxwell Matthaios} and Li, {Vector Guo} and Luca Invernizzi and Elie Bursztein and Kylie McRoberts and Jonathan Levin and Kirill Levchenko and Snoeren, {Alex C.} and Damon McCoy",
    year = "2018",
    month = "7",
    day = "23",
    doi = "10.1109/SP.2018.00047",
    language = "English (US)",
    volume = "2018-May",
    pages = "618--631",
    booktitle = "Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018",
    publisher = "Institute of Electrical and Electronics Engineers Inc.",

    }

    TY - GEN

    T1 - Tracking Ransomware End-to-end

    AU - Huang, Danny Yuxing

    AU - Aliapoulios, Maxwell Matthaios

    AU - Li, Vector Guo

    AU - Invernizzi, Luca

    AU - Bursztein, Elie

    AU - McRoberts, Kylie

    AU - Levin, Jonathan

    AU - Levchenko, Kirill

    AU - Snoeren, Alex C.

    AU - McCoy, Damon

    PY - 2018/7/23

    Y1 - 2018/7/23

    N2 - Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a crypto-currency like Bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of bitcoin addresses annotated with their owners, we sketch the outlines of this burgeoning ecosystem and associated third-party infrastructure. In particular, we are able to trace the financial transactions, from the acquisition of bitcoins by victims, through the payment of ransoms, to the cash out of bitcoins by the ransomware operators. We find that many ransomware operators cashed out using BTC-e, a now-defunct Bitcoin exchange. In total we are able to track over $16 million USD in likely ransom payments made by 19,750 potential victims during a two-year period. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal operations that have similarly adopted Bitcoin as their payment channel.

    AB - Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a crypto-currency like Bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of bitcoin addresses annotated with their owners, we sketch the outlines of this burgeoning ecosystem and associated third-party infrastructure. In particular, we are able to trace the financial transactions, from the acquisition of bitcoins by victims, through the payment of ransoms, to the cash out of bitcoins by the ransomware operators. We find that many ransomware operators cashed out using BTC-e, a now-defunct Bitcoin exchange. In total we are able to track over $16 million USD in likely ransom payments made by 19,750 potential victims during a two-year period. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal operations that have similarly adopted Bitcoin as their payment channel.

    KW - bitcoin

    KW - blockchain

    KW - malware

    KW - ransomware

    UR - http://www.scopus.com/inward/record.url?scp=85051044249&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=85051044249&partnerID=8YFLogxK

    U2 - 10.1109/SP.2018.00047

    DO - 10.1109/SP.2018.00047

    M3 - Conference contribution

    VL - 2018-May

    SP - 618

    EP - 631

    BT - Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018

    PB - Institute of Electrical and Electronics Engineers Inc.

    ER -