Tracking Ransomware End-to-end

Danny Yuxing Huang; Maxwell Matthaios Aliapoulios; Vector Guo Li; Luca Invernizzi; Elie Bursztein; Kylie McRoberts; Jonathan Levin; Kirill Levchenko; Alex C. Snoeren; Damon McCoy

doi:10.1109/SP.2018.00047

Tracking Ransomware End-to-end

Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a crypto-currency like Bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of bitcoin addresses annotated with their owners, we sketch the outlines of this burgeoning ecosystem and associated third-party infrastructure. In particular, we are able to trace the financial transactions, from the acquisition of bitcoins by victims, through the payment of ransoms, to the cash out of bitcoins by the ransomware operators. We find that many ransomware operators cashed out using BTC-e, a now-defunct Bitcoin exchange. In total we are able to track over $16 million USD in likely ransom payments made by 19,750 potential victims during a two-year period. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal operations that have similarly adopted Bitcoin as their payment channel.

Original language	English (US)
Title of host publication	Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	618-631
Number of pages	14
ISBN (Electronic)	9781538643525
DOIs	https://doi.org/10.1109/SP.2018.00047
State	Published - Jul 23 2018
Event	39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States Duration: May 21 2018 → May 23 2018

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	2018-May
ISSN (Print)	1081-6011

Other

Other	39th IEEE Symposium on Security and Privacy, SP 2018
Country	United States
City	San Francisco
Period	5/21/18 → 5/23/18

Fingerprint

Keywords

bitcoin
blockchain
malware
ransomware

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Software
Computer Networks and Communications

Cite this

Huang, D. Y., Aliapoulios, M. M., Li, V. G., Invernizzi, L., Bursztein, E., McRoberts, K., Levin, J., Levchenko, K., Snoeren, A. C., & McCoy, D. (2018). Tracking Ransomware End-to-end. In Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 (pp. 618-631). [8418627] (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2018-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2018.00047

Tracking Ransomware End-to-end. / Huang, Danny Yuxing; Aliapoulios, Maxwell Matthaios; Li, Vector Guo; Invernizzi, Luca; Bursztein, Elie; McRoberts, Kylie; Levin, Jonathan; Levchenko, Kirill; Snoeren, Alex C.; McCoy, Damon.

Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Institute of Electrical and Electronics Engineers Inc., 2018. p. 618-631 8418627 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2018-May).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Huang, DY, Aliapoulios, MM, Li, VG, Invernizzi, L, Bursztein, E, McRoberts, K, Levin, J, Levchenko, K, Snoeren, AC & McCoy, D 2018, Tracking Ransomware End-to-end. in Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018., 8418627, Proceedings - IEEE Symposium on Security and Privacy, vol. 2018-May, Institute of Electrical and Electronics Engineers Inc., pp. 618-631, 39th IEEE Symposium on Security and Privacy, SP 2018, San Francisco, United States, 5/21/18. https://doi.org/10.1109/SP.2018.00047

Huang, Danny Yuxing ; Aliapoulios, Maxwell Matthaios ; Li, Vector Guo ; Invernizzi, Luca ; Bursztein, Elie ; McRoberts, Kylie ; Levin, Jonathan ; Levchenko, Kirill ; Snoeren, Alex C. ; McCoy, Damon. / Tracking Ransomware End-to-end. Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 618-631 (Proceedings - IEEE Symposium on Security and Privacy).

TY - GEN

T1 - Tracking Ransomware End-to-end

AU - Huang, Danny Yuxing

AU - Aliapoulios, Maxwell Matthaios

AU - Li, Vector Guo

AU - Invernizzi, Luca

AU - Bursztein, Elie

AU - McRoberts, Kylie

AU - Levin, Jonathan

AU - Levchenko, Kirill

AU - Snoeren, Alex C.

AU - McCoy, Damon

PY - 2018/7/23

Y1 - 2018/7/23

N2 - Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a crypto-currency like Bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of bitcoin addresses annotated with their owners, we sketch the outlines of this burgeoning ecosystem and associated third-party infrastructure. In particular, we are able to trace the financial transactions, from the acquisition of bitcoins by victims, through the payment of ransoms, to the cash out of bitcoins by the ransomware operators. We find that many ransomware operators cashed out using BTC-e, a now-defunct Bitcoin exchange. In total we are able to track over $16 million USD in likely ransom payments made by 19,750 potential victims during a two-year period. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal operations that have similarly adopted Bitcoin as their payment channel.

AB - Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a crypto-currency like Bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of bitcoin addresses annotated with their owners, we sketch the outlines of this burgeoning ecosystem and associated third-party infrastructure. In particular, we are able to trace the financial transactions, from the acquisition of bitcoins by victims, through the payment of ransoms, to the cash out of bitcoins by the ransomware operators. We find that many ransomware operators cashed out using BTC-e, a now-defunct Bitcoin exchange. In total we are able to track over $16 million USD in likely ransom payments made by 19,750 potential victims during a two-year period. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal operations that have similarly adopted Bitcoin as their payment channel.

KW - bitcoin

KW - blockchain

KW - malware

KW - ransomware

UR - http://www.scopus.com/inward/record.url?scp=85051044249&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85051044249&partnerID=8YFLogxK

U2 - 10.1109/SP.2018.00047

DO - 10.1109/SP.2018.00047

M3 - Conference contribution

AN - SCOPUS:85051044249

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 618

EP - 631

BT - Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 39th IEEE Symposium on Security and Privacy, SP 2018

Y2 - 21 May 2018 through 23 May 2018

ER -