1 of 82

Agenda

Review of project slides

DDoS attacks

Mirai

DDoS/Malware-as-a-Service

Ransomware and Bitcoin

2 of 82

Impact of DDoS

Search for “ddos attack” in Google News

3 of 82

DDoS: Amplification

DNS Amplification

NTP Amplification

Spoofed IP address

4 of 82

Mitigation

5 of 82

What makes DDoS possible?

6 of 82

Mirai Botnet

7 of 82

Mirai Population

8 of 82

DDoS-as-a-Service

9 of 82

Malware-as-a-Service

10 of 82

Booters: Malware-hosting-as-a-Service

11 of 82

Booters: Malware-hosting-as-a-Service

12 of 82

Payment

13 of 82

Tracking Ransomware End-to-end

Danny Y. Huang

Maxwell Matthaios Aliapoulios, Vector Guo Li�Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin�Kirill Levchenko, Alex C. Snoeren, Damon McCoy

14 of 82

Ransomware causes financial damages

15 of 82

Ransomware causes financial damages

16 of 82

Ransomware causes financial damages

17 of 82

Ransomware causes financial damages

How much ransomware revenue?

How to shut down ransomware?

18 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

Spam, compromised websites, etc

19 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

20 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

All your files are encrypted!

Send 0.5 bitcoins to the following address.

175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b

21 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

All your files are encrypted!

Send 0.5 bitcoins to the following address.

175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b

Cerber: median ~$1,000

Locky: median ~$1,800

22 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

All your files are encrypted!

Send 0.5 bitcoins to the following address.

175mBiaNSSHAhoCbpv25y1rJYK4A7d7d1b

unique ransom wallet address

23 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

Victim’s money

24 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

Exchange

Victim’s �bitcoins

Victim’s money

25 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

Exchange

Victim’s �bitcoins

Ransom wallet address

Ransomware’s bitcoins

Victim’s money

26 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

Exchange

Victim’s �bitcoins

Ransom wallet address

Ransomware’s bitcoins

Victim’s money

27 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

Exchange

Victim’s �bitcoins

Ransom wallet address

Ransomware’s bitcoins

Victim’s money

Exchange

Ransomware’s money

28 of 82

Bitcoin’s price rose from $500 to $4,000 in a year

29 of 82

Bitcoin can be used for commerce

30 of 82

Bitcoin can be used for commerce

31 of 82

Bitcoin wallets and wallet addresses

Danny

Merchant

Bitcoin Wallet

Wallet�Address

1JwN...

Wallet�Address

1CVk...

To illustrate how I would use Bitcoin to make purchases, let’s look at two parties. There is me, and there is a merchant that sells a product that I am interested in.

I have a Bitcoin wallet, which holds some bitcoins that I own. The merchant also has a Bitcoin wallet, which holds bitcoins that he owns.

My wallet has a wallet address. It is typically some random-looking text that is not tied to my name or any identifying information about myself. The merchant also has his wallet address.

Much as how email addresses are used to send and receive emails, wallet addresses are used to send and receive payments. Much as how you can create an unlimited number of email addresses with different names, you can create an unlimited number of wallet addresses that are essentially random text.

[Segue] Let’s say I want to buy something from the merchant. I would like to send 0.05 bitcoins to the merchant.

32 of 82

Paying bitcoins to merchant

1JwN→1CVk: 0.05

(pending)

transaction

merchant’s wallet address?

33 of 82

Paying bitcoins to merchant

1JwN→1CVk: 0.05

(pending)

transaction

merchant’s wallet address

34 of 82

Paying bitcoins to merchant

1JwN→1CVk: 0.05

(pending)

transaction

merchant’s wallet address

Danny’s� wallet address

35 of 82

Bitcoin’s decentralized transaction processing

1JwN→1CVk: 0.05

(pending)

Bitcoin’s

Peer-to-peer�Network

1JwN→1CVk: 0.05

(pending)

1JwN→1CVk: 0.05

(pending)

Transactions are public�and partially anonymous.

36 of 82

Decentralized transaction processing

1JwN→1CVk: 0.05

(unconfirmed)

~ 5 min

1JwN→1CVk: 0.05

(unconfirmed)

1JwN→1CVk: 0.05

(unconfirmed)

Bitcoin’s

Peer-to-peer�Network

37 of 82

Decentralized transaction processing

1JwN→1CVk: 0.05

(confirmed)

1JwN→1CVk: 0.05

(confirmed)

1JwN→1CVk: 0.05

(confirmed)

blockchain

Bitcoin’s

Peer-to-peer�Network

38 of 82

Two ways to get bitcoins into my wallet

Buy bitcoins via exchange

Mine bitcoins

1

2

39 of 82

Mining produces new bitcoins

Peer-to-peer�Network

Run mining software to find hash collision

Found collision first? �12.5 bitcoins to �my wallet address

miner

Electricity → Bitcoins → Cash

Here’s how mining works. You download a piece of Bitcoin mining software on your computer. The software attempts to find a special hash collision. This is like the Wheel of Fortune. You spin the wheel, and you win if the wheel stops at some location. The process is entirely random. You just have to keep spinning until you win in one of the attempts.

In fact, you’re not the only one looking for the hash collision. Recall that Bitcoin actually runs on a peer-to-peer network. Everyone else is doing the same thing. The first person to find the hash collision gets a reward. If your computer is faster, then you can have more attempts at spinning the wheel, and the chance of you being the first to find the hash collision first is higher.

Let’s say you find a hash collision before everyone else in this round. 12.5 bitcoins are created out of thin air and deposited to your wallet. If you sell these bitcoins at exchanges today, you’ll earn $50,000. The expected time for someone to find a hash collision is 10 minutes. When someone finds a hash collision, a new round starts, and again, everyone races to be the first to find the hash collision and claim the reward.

This process is called Bitcoin mining. The operators behind these computers are known as miners. This process is computationally intensive, because you’re basically trying again and again with brute force. In many ways, a miner is converting electricity for computation into bitcoins, and bitcoins into cash.

[Segue] Like how transactions are public, newly created bitcoins are also public. Everyone knows that some wallet address receives 12.5 bitcoins, but it is hard to determine exactly who is person behind the wallet address. This partial anonymity is associated with a number of use cases.

40 of 82

How typical ransomware works

Distribution
Infection
Victim pays bitcoins
Decryption
Criminal liquidates �bitcoins

Exchange

Victim’s �bitcoins

Ransom wallet address

Ransomware’s bitcoins

Victim’s money

Exchange

Ransomware’s money

41 of 82

Research questions

How to estimate the total ransom paid (or revenue)?

$16 million over two years, 20k unique payments

How to identify chokepoints?

40% of revenue of one ransomware sent to BTC-e
3% of affiliates of one ransomware caused 50% infections

42 of 82

Research questions

How to estimate the total ransom paid (or revenue)?

$16 million over two years, 20k unique payments

How to identify chokepoints?

40% of revenue of one ransomware sent to BTC-e
3% of affiliates of one ransomware caused 50% infections

43 of 82

Overview of results

How to estimate the total ransom paid (or revenue)?

10 families, >$16 million over two years; 90% made by two families

How to identify chokepoints?

40% of revenue of one ransomware sent to BTC-e
3% of affiliates of one ransomware caused 50% infections

44 of 82

Overview of results

How to estimate the total ransom paid (or revenue)?

10 families, >$16 million over two years; 90% made by two families

How to identify chokepoints?

40% revenue of one ransomware sent to BTC-e
3% of affiliates of one ransomware caused 50% infections

45 of 82

Overview of results

How to estimate the total ransom paid (or revenue)?

10 families, >$16 million over two years; 90% made by two families

How to identify chokepoints?

40% revenue of one ransomware sent to BTC-e
3% affiliates of one ransomware caused 50% infections

46 of 82

Overview of results

How to estimate the total ransom paid (or revenue)?

10 families, >$16 million over two years; 90% made by two families

How to identify chokepoints?

40% revenue of one ransomware sent to BTC-e
3% affiliates of one ransomware caused 50% infections

1

47 of 82

Overview of results

How to estimate the total ransom paid (or revenue)?

10 families, >$16 million over two years; 90% made by two families

How to identify chokepoints?

40% revenue of one ransomware sent to BTC-e
3% affiliates of one ransomware caused 50% infections

1

2

48 of 82

Blockchain Analysis

1

49 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

50 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

51 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

52 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

53 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

54 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

known victim

0.5

55 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

known victim

0.5

56 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

Co-spending

known victim

0.5

57 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

Co-spending

known victim

0.5

58 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

Co-spending

known victim

0.5

1.0

1.3

59 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

Co-spending

known victim

0.5

1.0

1.3

potential victim

60 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

artificial “victim”

61 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

artificial “victim”

0.001

62 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

Co-spending

artificial “victim”

0.001

63 of 82

Methodology: Follow the money

Identify known victims
Infer unknown victims
Estimate total ransom
Identify exchanges

Co-spending

artificial “victim”

0.001

1.0

1.3

potential victim

64 of 82

Ransom payments over time

Number of payments per day

Median ransom amount per day (USD)

65 of 82

Ransom payments over time

66 of 82

Total ransom received

USD

per

month

67 of 82

Total ransom received

$7.7m

$1.8m

$69k

$6.6m

$100k

USD

per

month

68 of 82

Potential liquidation at exchanges

Fraction of revenue sent to exchanges

$2.6 m

$24 k

We show the result in this graph. On the vertical axis are 5 of the ransomware families we study. On the horizontal axis is the fraction of its revenue that is moved into a particular exchange, based on our methodology.

For ransomware families like WannaCry, we are unable to identify the exchanges, but for Locky, we identify ~40% of its bitcoins, around $2.6m, were moved into BTC-e. Similarly, ~35% of CryptoDefense’s bitcoins, around $24k, also were moved into BTC-e.

In fact, BTC-e was seized last year due to money laundering charges. As exchanges are more highly regulated, ransomware operators are likely to find fewer exchanges who are willing to liquidate the bitcoins.

So far, we have used the blockchain to analyze bitcoins from victims who paid the ransom. But what about victims who did not pay the ransom?

—-

Note:

BTC-e: taken down; charged with money laundering, among which is ransomware

https://www.theverge.com/2017/7/29/16060344/btce-bitcoin-exchange-takedown-mt-gox-theft-law-enforcement

69 of 82

Reverse Engineering Cerber’s C&C

2

70 of 82

Cerber’s outbound UDP traffic

Infected host

IP: x.y.z.1

IP: x.y.z.2

IP: x.y.z.3

IP: x.y.z.254

71 of 82

Cerber’s outbound UDP traffic

Infected host

IP: x.y.z.1

IP: x.y.z.2

IP: x.y.z.3

IP: x.y.z.254

me

two-week data

victim IP�victim ID

affiliate ID

...

72 of 82

Country distribution for victims

73 of 82

Cerber’s outbound UDP traffic

Infected host

IP: x.y.z.1

IP: x.y.z.2

IP: x.y.z.3

IP: x.y.z.254

me

two-week data

victim IP�victim ID

affiliate ID

...

74 of 82

Number of infected IP addr per affiliate

Affiliate ID

75 of 82

3% of affiliates caused 50% of infected IPs

Affiliate ID

76 of 82

Summary

3

77 of 82

Summary

Tracked ransom payments for 10 ransomware families using co-spending wallet addr

Reverse engineered C&C protocol for Cerber ransomware

Key Methods

78 of 82

Summary

Tracked ransom payments for 10 ransomware families using co-spending wallet addr

Reverse engineered C&C protocol for Cerber ransomware

Key Methods

79 of 82

Summary

Tracked ransom payments for 10 ransomware families using co-spending wallet addr

Reverse engineered C&C protocol for Cerber ransomware

Estimated revenue:

10 families, >$16 million

over two years

Possible chokepoints: exchanges and affiliates

Key Methods

Key Results

80 of 82

Summary

Tracked ransom payments for 10 ransomware families using co-spending wallet addr

Reverse engineered C&C protocol for Cerber ransomware

Estimated revenue:

10 families, >$16 million

over two years

Possible chokepoints: exchanges and affiliates

Danny Y. Huang — Postdoc at Princeton — http://hdanny.org

Key Methods

Key Results

81 of 82

Appendix

4

82 of 82

Potentially missing Locky’s ransom payments

Google results

binaries found

bitcoin payment