【Author】 Liao, Kevin; Zhao, Ziming; Doupe, Adam; Ahn, Gail-Joon
【Source】PROCEEDINGS OF THE 2016 APWG SYMPOSIUM ON ELECTRONIC CRIME RESEARCH (ECRIME)
【Abstract】Bitcoin, a decentralized cryptographic currency that has experienced proliferating popularity over the past few years, is the common denominator in a wide variety of cybercrime. We perform a measurement analysis of CryptoLocker, a family of ransomware that encrypts a victim's files until a ransom is paid, within the Bitcoin ecosystem from September 5, 2013 through January 31, 2014. Using information collected from online fora, such as reddit and BitcoinTalk, as an initial starting point, we generate a cluster of 968 Bitcoin addresses belonging to CryptoLocker. We provide a lower bound for CryptoLocker's economy in Bitcoin and identify 795 ransom payments totalling 1,128.40 BTC ($310,472.38), but show that the proceeds could have been worth upwards of $1.1 million at peak valuation. By analyzing ransom payment timestamps both longitudinally across CryptoLocker's operating period and transversely across times of day, we detect changes in distributions and form conjectures on CryptoLocker that corroborate information from previous efforts. Additionally, we construct a network topology to detail CryptoLocker's financial infrastructure and obtain auxiliary information on the CryptoLocker operation. Most notably, we find evidence that suggests connections to popular Bitcoin services, such as Bitcoin Fog and BTC-e, and subtle links to other cybercrimes surrounding Bitcoin, such as the Sheep Marketplace scam of 2013. We use our study to underscore the value of measurement analyses and threat intelligence in understanding the erratic cybercrime landscape.
【Keywords】Bitcoin; CryptoLocker; cybercrime; ransomware; security
【Title】CryptoLocker: Measurement and Analysis of CryptoLocker Ransoms in Bitcoin
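【Abstract】Bitcoin is a decentralized cryptocurrency that has grown increasingly popular over the past few years and is a common feature of many kinds of cybercrime. We perform a measurement analysis, within the Bitcoin ecosystem, of CryptoLocker, a family of ransomware that encrypts a victim's files until a ransom is paid, covering September 5, 2013 through January 31, 2014. Using information collected from online forums such as reddit and BitcoinTalk as an initial starting point, we generate a cluster of 968 Bitcoin addresses belonging to CryptoLocker. We provide a lower bound for CryptoLocker's Bitcoin economy and identify 795 ransom payments totalling 1,128.40 BTC ($310,472.38), but show that at peak valuation the proceeds could have exceeded $1.1 million. By analyzing ransom payment timestamps longitudinally across CryptoLocker's operating period and transversely across times of day, we detect changes in distributions and form conjectures about CryptoLocker that corroborate information from previous efforts. In addition, we construct a network topology to describe CryptoLocker's financial infrastructure in detail and obtain auxiliary information on the CryptoLocker operation. Most notably, we find evidence of connections to popular Bitcoin services, such as Bitcoin Fog and BTC-e, and subtle links to other cybercrimes surrounding Bitcoin, such as the Sheep Marketplace scam of 2013. We use our study to underscore the value of measurement analyses and threat intelligence in understanding the erratic cybercrime landscape.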
【Keywords】Bitcoin; CryptoLocker; cybercrime; ransomware; security
【Publication date】2016
【Date indexed】2022-04-23
【Document type】Proceedings Paper
【Main topic】On-chain data analysis
【Subtopic】Transaction tracing and tracking
【Translator】王佳鑫