Tracking Ransomware End to End

Presented at Black Hat USA 2017, July 26, 2017, 5:05 p.m. (25 minutes)

A niche term just two years ago, ransomware has rapidly risen to fame in the last year, infecting hundreds of thousands of users, locking their documents, and demanding hefty ransoms to get them back. In doing so, it has become one of the largest cybercrime revenue sources, with heavy reliance on Bitcoins and Tor to confound the money trail.

In this talk, we demonstrate a method to track the ransomware ecosystem at scale, from distribution sites to the cash-out points. By processing 100k+ samples, we shed light on the economics and infrastructure of the largest families, and we provide insight on their revenue and conversion rates. With a deep dive in the two largest groups, we show the details of their operation. Finally, we uncover the cash-out points, tracking how the money exits the bitcoin network, enabling the authorities to pick up the money trail using conventional financial tracing means.

Presenters:

• Luca Invernizzi - Research Scientist, Google
  Luca Invernizzi is a Research Scientist in Google's anti-abuse team. His current research focuses in understanding and modeling the underground economy of abuse, and detecting malware at scale on desktop and mobile. Luca holds a Ph.D. in Computer Science from the University of California, Santa Barbara.
• Elie Bursztein - anti-fraud research lead, Google
  Elie Bursztein leads Google's anti-abuse research, which helps protect users against Internet threats. Elie has contributed to applied-cryptography, machine learning for security, malware understanding, and web security; authoring over fifty research papers in the field. Most recently, he was involved in finding the first SHA-1 collision. Elie is a beret aficionado, tweets at @elie, and performs magic tricks in his spare time. Born in Paris, he received a PhD from ENS-cachan in 2008 before working at Stanford University and ultimately joining Google in 2011. He now lives with his wife in Mountain View, California.
• Kylie McRoberts - Sr. Strategist, Google
  Kylie McRoberts is a senior strategist with Google's Safe Browsing where she is currently focused on binary analysis in support of enforcement of Safe Browsing policies. Before joining Google, she conducted political and military analysis for the Australian Department of Defence.

Links:

• https://www.blackhat.com/us-17/briefings/schedule/#tracking-ransomware-end-to-end-7676
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/Tracking Ransomware End to End.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/Tracking Ransomware End to End.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=RV2tcc6e168
• https://www.blackhat.com/docs/us-17/wednesday/us-17-Invernizzi-Tracking-Ransomware-End-To-End.pdf

Similar Presentations:

• Black Hat USA 2015 / Most Ransomware Isn't as Complex as You Might Think
• Black Hat Europe 2016 / Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game
• BSides Austin 2017 / Defending against ransomware: You already have the capability, why are we not using it? This method stopped our attacks cold. Now let me show you how to do it. And it’s FREE, you don’t have to purchase anything.