Wednesday, August 9, 2017

BHUSA17: Tracking Ransomware End to End

Only 37% of people back up their data, which leaves them open to ransomware.

Victims are shown a URL to pay to get their data back. It is hosted on Tor, so the source is hard to take down. They will only accept Bitcoin, so they can use the blockchain to see who paid and who didn't.

Bitcoin is anonymous and irrefutable - it cannot be reversed! If you find the ledger, you can go back and see who else was ransomed. Gathering seeds from victim reports and synthetic victims means you have to pay a small amount to find out more about the network.

The researchers' initial data covered 34 families with 154,000 ransomed files. By using clustering for dataset expansion to find other victims, they are now working with 300,000 files. This one ransomware has made approximately $25,253,505 (a low-ball estimate) - so there's money to be made, no doubt!

In 2017, ransomware increased binary diversity in order to evade AVs.

Many victims don't have any Bitcoin, so they buy it from the "LocalBitcoins" site (think Craigslist for Bitcoin).

The researchers found that 90% of the payments went through as a single transaction, 9% did not account for the transaction fees, and a small percentage were made as multiple transactions for unknown reasons.
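The tracking method described above (seed ransom addresses, expand the set by clustering, then tally and classify victim payments) can be illustrated with a small script. This is an added example, not the researchers' code or data: the ledger below is constructed, amounts are in satoshis, and it assumes the clustering step is the common-input-ownership heuristic (addresses spent together in one transaction belong to one owner), which the talk notes do not spell out.

```python
from collections import defaultdict

SAT = 100_000_000  # satoshis per BTC

# Constructed toy ledger (not real blockchain data). Each transaction lists
# the input addresses spent together and its (address, amount_in_sat) outputs.
TRANSACTIONS = [
    {"inputs": ["V1"], "outputs": [("R1", 50_000_000)]},   # victim pays 0.5 BTC
    {"inputs": ["V2"], "outputs": [("R1", 50_000_000)]},
    {"inputs": ["V3"], "outputs": [("R1", 49_950_000)]},   # forgot the miner fee
    {"inputs": ["R1", "R2"], "outputs": [("C1", 190_000_000)]},  # operator sweep
    {"inputs": ["V4"], "outputs": [("R2", 50_000_000)]},
    {"inputs": ["V5"], "outputs": [("R2", 25_000_000)]},   # paid in two parts
    {"inputs": ["V5"], "outputs": [("R2", 25_000_000)]},
    {"inputs": ["X1"], "outputs": [("X2", 300_000_000)]},  # unrelated traffic
    {"inputs": ["C1"], "outputs": [("EX1", 190_000_000)]}, # cash-out
]


class UnionFind:
    """Disjoint sets over addresses; used to merge co-spent inputs."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_addresses(transactions):
    """Common-input-ownership heuristic: inputs of one tx share an owner."""
    uf = UnionFind()
    for tx in transactions:
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    return uf


def expand_seeds(transactions, seeds):
    """Return every address in the same cluster as any seed address."""
    uf = cluster_addresses(transactions)
    roots = {uf.find(s) for s in seeds}
    cluster = set()
    for tx in transactions:
        for addr in tx["inputs"]:
            if uf.find(addr) in roots:
                cluster.add(addr)
        for addr, _ in tx["outputs"]:
            if uf.find(addr) in roots:
                cluster.add(addr)
    return cluster


def incoming_payments(transactions, cluster):
    """Transfers into the cluster from outside it; internal sweeps are skipped."""
    payments = []
    for tx in transactions:
        if any(a in cluster for a in tx["inputs"]):
            continue  # operator moving its own coins, not victim revenue
        for addr, amount in tx["outputs"]:
            if addr in cluster:
                payments.append((tx["inputs"][0], addr, amount))
    return payments


def classify_payments(payments, demanded, fee_tolerance=100_000):
    """Label each payer: single exact payment, short by about a fee, or split."""
    by_payer = defaultdict(list)
    for payer, _, amount in payments:
        by_payer[payer].append(amount)
    labels = {}
    for payer, amounts in by_payer.items():
        total = sum(amounts)
        if len(amounts) > 1:
            labels[payer] = "multiple"
        elif total == demanded:
            labels[payer] = "single"
        elif 0 < demanded - total <= fee_tolerance:
            labels[payer] = "underpaid_by_fee"
        else:
            labels[payer] = "other"
    return labels


def total_revenue_sat(payments):
    return sum(amount for _, _, amount in payments)


if __name__ == "__main__":
    cluster = expand_seeds(TRANSACTIONS, seeds={"R1"})
    pays = incoming_payments(TRANSACTIONS, cluster)
    print("cluster:", sorted(cluster))
    print("revenue BTC:", total_revenue_sat(pays) / SAT)
    print("labels:", classify_payments(pays, demanded=50_000_000))
```

Starting from the single seed R1, the sweep transaction links R2 to the same operator, so payments to R2 count toward the total even though R2 was never reported by a victim. Payments are keyed on the first input address only, which is a simplification of real payer attribution.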

Locky - a ransomware family - increased its spread; they started seeing it in infrastructure like hospitals. It was making about $1 million/month!

Dridex, Locky and Cerber are all distributed via botnets. Cerber recruits low-tech criminals to help them make a consistent income of $200K/month.

Cerber includes real time chats to talk to customer "service" to help you simply recover certain files.

WannaCry seems more like wipeware than ransomware. Even if victims paid, the way it was done made it hard to track that you did indeed pay and harder to get your files back.

The researchers have also seen a rise in NotPetya lately - another wipeware.

This is not going away; this is a multi-million dollar industry. Cerber has even introduced the concept of an affiliate model - so more people can "play". Yikes!