Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin

Title: Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Liao, K., Zhao, Z., Doupe, A., Ahn, G. J.
Conference Name: 2016 APWG Symposium on Electronic Crime Research (eCrime)
Date Published: June
ISBN Number: 978-1-5090-2922-8
Keywords: auxiliary information, bitcoin, Bitcoin ecosystem, Bitcoin Fog, Bitcoin services, BitcoinTalk, BTC-e, composability, Computer crime, cryptography, CryptoLocker, CryptoLocker economy, CryptoLocker operation, Cryptolocker ransoms, Cybercrime, cybercrimes, decentralized cryptographic currency, Electronic mail, erratic cybercrime landscape, financial data processing, financial infrastructure, Human Behavior, Metrics, Online banking, online fora, privacy, Protocols, pubcrawl, Public key, ransom payments, ransomware, reddit, Resiliency, security, sheep marketplace scam, threat intelligence
Abstract

Bitcoin, a decentralized cryptographic currency that has experienced proliferating popularity over the past few years, is the common denominator in a wide variety of cybercrime. We perform a measurement analysis of CryptoLocker, a family of ransomware that encrypts a victim's files until a ransom is paid, within the Bitcoin ecosystem from September 5, 2013 through January 31, 2014. Using information collected from online fora, such as reddit and BitcoinTalk, as an initial starting point, we generate a cluster of 968 Bitcoin addresses belonging to CryptoLocker. We provide a lower bound for CryptoLocker's economy in Bitcoin and identify 795 ransom payments totalling 1,128.40 BTC ($310,472.38), but show that the proceeds could have been worth upwards of $1.1 million at peak valuation. By analyzing ransom payment timestamps both longitudinally across CryptoLocker's operating period and transversely across times of day, we detect changes in distributions and form conjectures on CryptoLocker that corroborate information from previous efforts. Additionally, we construct a network topology to detail CryptoLocker's financial infrastructure and obtain auxiliary information on the CryptoLocker operation. Most notably, we find evidence that suggests connections to popular Bitcoin services, such as Bitcoin Fog and BTC-e, and subtle links to other cybercrimes surrounding Bitcoin, such as the Sheep Marketplace scam of 2013. We use our study to underscore the value of measurement analyses and threat intelligence in understanding the erratic cybercrime landscape.
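The abstract describes three measurement steps: growing an address cluster from seed addresses gathered on public fora, computing a lower bound on ransom revenue paid into that cluster, and looking at payment timestamps by time of day. The following Python block is an added illustration of that pipeline on constructed data; it is not the authors' code or dataset, and the record above does not state which clustering heuristic the paper used. The example assumes the standard multi-input heuristic (all inputs of one transaction are treated as controlled by the same entity), and every txid, address, timestamp and exchange rate in it is made up.

```python
"""Added illustration (not from the paper): seed-based Bitcoin address
clustering, a lower bound on ransom revenue, and a payments-per-hour view,
run on constructed transactions."""
from collections import Counter
from datetime import datetime, timezone

# Constructed, hypothetical transactions: txids and addresses are placeholders.
# Each record carries a unix timestamp, its input addresses, and (address, BTC)
# outputs. R* are ransom addresses, V* victims, X* operator sweep targets.
TXS = [
    {"txid": "t1", "time": 1381845600, "inputs": ["V1"],
     "outputs": [("R1", 2.0), ("V1chg", 0.5)]},   # victim pays seed address R1
    {"txid": "t2", "time": 1384916400, "inputs": ["V2"],
     "outputs": [("R2", 2.0)]},                     # victim pays not-yet-known R2
    {"txid": "t3", "time": 1385000000, "inputs": ["R1", "R2"],
     "outputs": [("X1", 3.99)]},                    # operator sweeps R1+R2 together
    {"txid": "t4", "time": 1385908200, "inputs": ["V3"],
     "outputs": [("R3", 0.3)]},                     # victim pays R3
    {"txid": "t5", "time": 1386000000, "inputs": ["R3", "R1"],
     "outputs": [("X2", 2.29)]},                    # sweep that links R3 to R1
    {"txid": "t6", "time": 1386100000, "inputs": ["U1"],
     "outputs": [("U2", 1.0)]},                     # unrelated traffic
]


class UnionFind:
    """Minimal disjoint-set structure over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_from_seeds(txs, seeds):
    """Multi-input heuristic (an assumption of this example): every address that
    co-spends in one transaction is merged; return the component(s) containing
    any seed address, i.e. the addresses attributed to the same operator."""
    uf = UnionFind()
    for tx in txs:
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    roots = {uf.find(s) for s in seeds}
    return {a for a in uf.parent if uf.find(a) in roots}


def ransom_payments(txs, cluster):
    """Outputs paid into the cluster from addresses outside it. Transactions
    with any cluster-owned input are internal sweeps and are skipped so that
    moved funds are not counted as fresh revenue."""
    pays = []
    for tx in txs:
        if any(i in cluster for i in tx["inputs"]):
            continue
        for addr, btc in tx["outputs"]:
            if addr in cluster:
                pays.append({"txid": tx["txid"], "time": tx["time"],
                             "addr": addr, "btc": btc})
    return pays


def lower_bound_btc(payments):
    """Sum of inbound payments; a lower bound because unseen addresses are missed."""
    return round(sum(p["btc"] for p in payments), 8)


def payments_by_hour(payments):
    """Transverse view: number of payments per UTC hour of day."""
    return Counter(datetime.fromtimestamp(p["time"], timezone.utc).hour
                   for p in payments)


def value_usd(payments, rate_at, peak_rate):
    """USD value at time of payment versus at a peak rate. rate_at is a
    caller-supplied lookup (hypothetical here; real work needs historical data)."""
    at_time = sum(p["btc"] * rate_at(p["time"]) for p in payments)
    at_peak = sum(p["btc"] for p in payments) * peak_rate
    return round(at_time, 2), round(at_peak, 2)


if __name__ == "__main__":
    cl = cluster_from_seeds(TXS, {"R1"})
    pays = ransom_payments(TXS, cl)
    print(sorted(cl), lower_bound_btc(pays), dict(payments_by_hour(pays)))
    print(value_usd(pays, lambda t: 200.0, 1000.0))
```

Starting from the single seed R1, the sweep transactions t3 and t5 pull R2 and R3 into the cluster, and the three victim payments give a lower bound of 4.3 BTC; the sweeps themselves are excluded so the operator's own movements are not mistaken for ransoms.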

URL: http://ieeexplore.ieee.org/document/7487938/
DOI: 10.1109/ECRIME.2016.7487938
Citation Key: liao_behind_2016