Abstract
Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a crypto-currency like Bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments, victim telemetry from infections, and a large database of bitcoin addresses annotated with their owners, we sketch the outlines of this burgeoning ecosystem and associated third-party infrastructure. In particular, we are able to trace the financial transactions, from the acquisition of bitcoins by victims, through the payment of ransoms, to the cash out of bitcoins by the ransomware operators. We find that many ransomware operators cashed out using BTC-e, a now-defunct Bitcoin exchange. In total we are able to track over $16 million USD in likely ransom payments made by 19,750 potential victims during a two-year period. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal operations that have similarly adopted Bitcoin as their payment channel.
Field | Value |
---|---|
Original language | English (US) |
Title of host publication | Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 618-631 |
Number of pages | 14 |
ISBN (Electronic) | 9781538643525 |
DOIs | |
State | Published - Jul 23 2018 |
Externally published | Yes |
Event | 39th IEEE Symposium on Security and Privacy, SP 2018, San Francisco, United States (May 21 2018 → May 23 2018) |
Publication series
Field | Value |
---|---|
Name | Proceedings - IEEE Symposium on Security and Privacy |
Volume | 2018-May |
ISSN (Print) | 1081-6011 |
Other
Field | Value |
---|---|
Other | 39th IEEE Symposium on Security and Privacy, SP 2018 |
Country | United States |
City | San Francisco |
Period | 5/21/18 → 5/23/18 |
Keywords
- bitcoin
- blockchain
- malware
- ransomware
ASJC Scopus subject areas
- Safety, Risk, Reliability and Quality
- Software
- Computer Networks and Communications
Cite this
Huang, Danny Yuxing; Aliapoulios, Maxwell Matthaios; Li, Vector Guo; Invernizzi, Luca; Bursztein, Elie; McRoberts, Kylie; Levin, Jonathan; Levchenko, Kirill Igorevich; Snoeren, Alex C.; McCoy, Damon. Tracking Ransomware End-to-end. In: Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Institute of Electrical and Electronics Engineers Inc., 2018, pp. 618-631, article 8418627 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2018-May).
Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
TY - GEN
T1 - Tracking Ransomware End-to-end
AU - Huang, Danny Yuxing
AU - Aliapoulios, Maxwell Matthaios
AU - Li, Vector Guo
AU - Invernizzi, Luca
AU - Bursztein, Elie
AU - McRoberts, Kylie
AU - Levin, Jonathan
AU - Levchenko, Kirill Igorevich
AU - Snoeren, Alex C.
AU - McCoy, Damon
PY - 2018/7/23
Y1 - 2018/7/23
KW - bitcoin
KW - blockchain
KW - malware
KW - ransomware
UR - http://www.scopus.com/inward/record.url?scp=85051044249&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85051044249&partnerID=8YFLogxK
U2 - 10.1109/SP.2018.00047
DO - 10.1109/SP.2018.00047
M3 - Conference contribution
AN - SCOPUS:85051044249
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 618
EP - 631
BT - Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
PB - Institute of Electrical and Electronics Engineers Inc.
ER -