Bitcoin and Ransomware Analysis

In the presentation titled "Bitcoin and Ransomware Analysis" we discuss ransomware and how Bitcoin is being utilized in cyber crime. We also look at Bitcoin mining, the Bitcoin trading market and the blockchain concept.

  1. Bitcoin and Ransomware Analysis: Emergence of the Cyber-Extortion Menace. Inderjeet Singh (CDCS, CDCP, CEH, CCSP, ISO 27K, ITIL, ITSM, ISO 31K, Cyber Law)
  2. Purview
     • Brief History
     • Bitcoin Overview
     • Bitcoin Usage in Ransomware
     • Bitcoin: Regulatory Considerations
     • Wrap-up and Q&A
  3. It’s a hot topic…
  4. Reality Check - Perspective (charts: Google search trends for “ransomware” searches, 2008 to 2015, and “ransomware” searches vs “malware” searches, 2008 to 2015)
     • In 2010, something changed…
     • In 2012, something changed, a lot!
  5. Ransomware: Escalating Extortion
  6. Ransomware
     • A type of malware that restricts access to the infected computer system in some way and demands that the user pay a ransom to the malware operators to remove the restriction.
     • Some of the malicious actions taken by the malware:
       – Encrypt personal files (images, movie files, documents, text files)
       – Encrypt files on shared network drives/resources
       – Lock system access at login
       – Crash the system through resource use, e.g. spawning processes
       – Disrupt and annoy: open browser windows, display pornographic images
  7. How do ransomware threats spread? Common methods used by cybercriminals to spread ransomware:
     • Spam e-mail campaigns that contain malicious links or attachments
     • Malicious websites
     • Legitimate websites that have had malicious code injected into their web pages
     • Drive-by downloads
     • Security exploits in vulnerable software
  8. CryptoWall 3.x
     • A server under their own control would upstream requests to the C2 server inside the Tor network.
     • Between the victim’s infected machine and the Tor proxy server they added another proxy: a PHP script running on a hacked website.
     • The PHP script upstreams requests towards the Tor server, making it somewhat harder to track down the actual Tor proxies.
  9. Ransom Evolves: Learning New Tricks
     • Using the TOR network to hide C&C
     • Bitcoin is the default payment method
     • Mobile and cloud-based ransomware
     • Increasingly difficult to detect and shut down ransomware
     • Harder for law enforcement to trace
     • Near impossible to decrypt without paying
  10. Payment Mechanisms
     • SMSs or phone calls to premium-rate numbers
     • Prepaid electronic payment: Ukash, MoneyPak, PayPal My Cash Cards
     • Bitcoins: a virtual currency which makes it difficult to trace the actual recipient of the money
  11. Insight Into Bitcoin: The Disruptive Potential of Cryptocurrency
  12. What is Bitcoin?
     • Bitcoin is a software-based online payment system described by Satoshi Nakamoto in 2008 and introduced as open-source software in 2009.
     • Payments are recorded in a publicly disclosed linked ledger of transactions stored in a blockchain.
     • It is a form of digital currency (there is no physical form), created and held electronically.
     • It can be used to buy things electronically and in that sense it is no different from conventional dollars.
     • Bitcoin is commonly referred to as a cryptocurrency and it can be divided into a smaller unit called the satoshi (one hundred millionth of a BTC).
  13. Timeline 2009 to 2016 (dates as given on the slide)
     • Nov. 08: Nakamoto paper
     • Jan. 09: Bitcoin (BTC) is launched
     • ’09: BTC trades at $0.14
     • Mt. Gox bankrupt
     • German finance ministry recognizes BTC as a unit of account
     • Silk Road shut down by the FBI
     • IRS recognizes BTC as property
     • 119,756 BTC, i.e. about $65 million, hacked
  14. Features of Bitcoin
     • Essentially it’s “deflationary”: the reward is cut in half every four years, and tokens can be irrevocably destroyed.
     • Nearly infinitely divisible currency units supporting eight decimal places, 0.00000001 (known as a Satoshi or Noncent*)
     • Nominal transaction fees paid to the network
       – Same cost to send $.01 as $1,000,000
     • Consensus driven: no central authority
     • Counterfeit resilient
       – Cannot add coins arbitrarily
       – Cannot be double-spent
     • Non-repudiation: no recourse and no one to appeal to for the return of sent tokens
  15. BitCoin Ecosystem (based on Iyer & Davenport, HBR 2008): the BitCoin platform, users, merchants, miners, and services (wallets & exchanges)
  16. Size of the BitCoin Economy
     • Number of BitCoins in circulation: 15.2 million (Feb 2016)
     • Total number of BitCoins generated cannot exceed 21 million (over 72% of all bitcoins are already in circulation)
     • Currently, there are 25 new bitcoins produced (mined) every 10 minutes.
     • Average price of a Bitcoin (over the previous 6 months): around $600
       – 1 BTC = 594 USD (Aug 11, 2016)
       – Price is very unstable.
     • 30 transactions per min. (Visa: 200,000 transactions per minute.)
  17. How Can One Obtain Bitcoins?
     • Earn Bitcoins from mining.
     • Buy bitcoins from Bitit, Coinbase, Cubits, CoinCorner, BIPS Market, Circle, or Celery.
     • Buy bitcoins at the Bitcoin exchanges; there are several services where you can trade them for traditional currency.
     • Buy bitcoins using Bitcoin ATMs (in some countries).
     • Find someone to trade cash for Bitcoins in person through a local directory.
     • Participate in a mining pool.
     • If you have a lot of mining hardware, you can solo mine and attempt to create a new block (currently yields 25 Bitcoins plus transaction fees).
     • Various other ways (donations, gambling, getting tipped, completing tasks on websites...)
  18. What is it based on?
     • The system is run by the Bitcoin protocol.
     • It is based on mathematics, unlike conventional currencies that have been based on a fixed quantity of metal (gold, silver…) or fiat currencies.
     • Bitcoin has several features that set it apart from fiat currencies:
       – It is decentralized
       – It is easy to set up and it is fast
       – It is anonymous
       – It is completely transparent
       – Transaction fees are minuscule
       – Transactions are irreversible
  19. Decentralized
     • The “digital wallet” operates in a peer-to-peer mode
     • When it starts, it bootstraps to find other wallets
       – Originally it used the Internet Relay Chat (IRC) network
       – Now based on DNS and “seed nodes”
     • The wallet will synchronize with the network by downloading ALL of the transactions starting from the GENESIS block if necessary
       – 338,540 blocks at time of slide prep
       – Just over 20 GB
     • Using a “Gossip Protocol” the wallets share all transaction information with their peers (http://en.wikipedia.org/wiki/Gossip_protocol)
  20. Coins flow from Inputs to Outputs. A coin owner transfers coins by digitally signing (via ECDSA) a hash digest of the previous transaction and the public key of the next owner. This signature is then appended to the end of the coin.
  21. Pseudo-Anonymous
     • Uses public key cryptography, specifically Elliptic Curve Cryptography, due to its key strength and shorter keys.
     • Transactions are sent to public key “addresses”:
       – 1AjYPi8qryPCJu6xgdJuQzVnWFXLmxq9s3
       – 1Give4dbry2pyJihnpqV6Urq2SGEhpz3K
     (https://blockchain.info/)
  22. Addresses are like Accounts
     • The wallet listens for transactions addressed to any of its public keys and in theory is the only node that is able to decrypt and accept the transfer.
     • “Coins” are “sent” by broadcasting the transaction to the network, where it is verified to be viable and then added to a block.
     • Keys can represent a MULTI-SIG address that requires N of M private keys in order to decrypt the message.
     • Every viable transaction is stored in a public ledger.
     • Transactions are placed in blocks, which are linked by SHA-256 hashes. (https://blockchain.info)
  23. How are Bitcoins created? Mining PROCESS
     • Miners use special software to solve math problems (the bitcoin algorithm), and upon completing the task they receive a certain amount of coins.
     • They are created each time a user discovers a new block (finds a hash value).
     • The software keeps creating new units until it reaches the amount of 21 million units (a currency with finite supply).
     • The rate of block creation is approximately consistent over time (6 per hour) with a 50% reduction of the reward every four years.
     • Halving (in theory) continues until the years 2110-2140, when 21 million BTC will have been issued.
  24. Total Bitcoin Unit Supply Over Time (Projection) (chart: period vs number of units in circulation; data source: bitcoin.it)
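The issuance schedule behind slides 23 and 24 (50 BTC per block, halved every four years, supply capped just under 21 million) as a worked computation. This is an added example and not code from the presentation; it assumes the 210,000-block halving interval and the integer right shift per halving that Bitcoin Core applies, and it estimates halving years from the slide's own rate of 6 blocks per hour (52,560 blocks per year).

```python
COIN = 100_000_000             # satoshis per BTC: the eight decimal places from slide 14
HALVING_INTERVAL = 210_000     # blocks between reward halvings, roughly four years
BLOCKS_PER_YEAR = 6 * 24 * 365  # 52,560, from the "6 per hour" rate on slide 23
GENESIS_YEAR = 2009


def block_subsidy(height: int) -> int:
    """Newly minted satoshis paid to the miner of the block at `height`.
    The reward is right-shifted once per halving, so it rounds down and reaches
    zero after 33 halvings; the cap is therefore slightly below 21 million BTC."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    return (50 * COIN) >> halvings


def supply_at(height: int) -> int:
    """Total satoshis issued by blocks 0 .. height-1, summed one halving era at a time."""
    total = 0
    era = 0
    while era * HALVING_INTERVAL < height:
        era_start = era * HALVING_INTERVAL
        blocks_in_era = min(HALVING_INTERVAL, height - era_start)
        total += blocks_in_era * block_subsidy(era_start)
        era += 1
    return total


def max_supply() -> int:
    """Hard cap: the sum over every era whose reward is still non-zero."""
    total = 0
    era = 0
    while block_subsidy(era * HALVING_INTERVAL) > 0:
        total += HALVING_INTERVAL * block_subsidy(era * HALVING_INTERVAL)
        era += 1
    return total


def halving_year(era: int) -> float:
    """Approximate calendar year in which halving number `era` occurs."""
    return GENESIS_YEAR + era * HALVING_INTERVAL / BLOCKS_PER_YEAR


if __name__ == "__main__":
    for era in range(4):
        h = era * HALVING_INTERVAL
        print(f"era {era}: from block {h:>9,} (~{halving_year(era):.0f}) "
              f"reward {block_subsidy(h) / COIN:.8f} BTC")
    print(f"supply after 420,000 blocks: {supply_at(420_000) / COIN:,.0f} BTC")
    print(f"hard cap: {max_supply() / COIN:,.8f} BTC, last non-zero reward era ends ~{halving_year(33):.0f}")
```

The last halving that leaves a non-zero reward is the 33rd, which the 52,560-blocks-per-year estimate places around 2140, matching the slide's "2110-2140" range; the exact year drifts with the real block rate.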
  25. Technology Behind Bitcoin
     • Hashing (double SHA-256, RIPEMD-160)
     • Proof-of-work (hashcash proof)
     • Dual-key encryption (Elliptic Curve Digital Signature Algorithm, Merkle Trees)
     • Peer-to-peer networking (similar to IRC, Internet Relay Chat)
  26. Hashing
     • Hashing is applying an algorithm to find a short number (digest) for a block of data.
     • BitCoin uses the SHA-256 hash algorithm to generate verifiably “random” numbers in a way that requires a predictable amount of CPU effort.
     • Generating a SHA-256 hash with a value less than the current target solves a block and wins you some coins.
     • Every time you apply a hash to some data, you get the same hash number.
     • Hashes are one-way traffic
       – If you have the data, you can find the hash. But if you have the hash, you can’t figure out the data.
  27. Blockchain
     • Miners publish a block of recent transactions every 10 minutes on average.
     • Each block is provably related to the previous one.
     • Every transaction ever made is stored in the blockchain.
     • If there are disagreements about valid blocks, the blockchain can fork.
     • Miners add to the longest good chain.
     • Searching the blockchain can reveal interesting things.
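A small working model of the hashing, proof-of-work and block linking described on slides 23, 25, 26 and 27: transactions are hashed into a Merkle root, the nonce is brute-forced until the double-SHA-256 of the header falls below the target, and each block commits to the previous block's hash so that altering an old transaction breaks every later link. This is an added illustration, not code from the presentation; it assumes a simplified header (real Bitcoin headers also carry a version, a timestamp and the compact nBits field) and a constructed, very easy target so the puzzle is solved in a few thousand hash attempts instead of the trillions an ASIC performs.

```python
import hashlib
from dataclasses import dataclass


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(tx_ids: list) -> bytes:
    """Pairwise double-SHA-256 up the tree; an odd last element is paired with itself."""
    if not tx_ids:
        return sha256d(b"")
    layer = list(tx_ids)
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [sha256d(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]


# Constructed target: a hash must have its top 12 bits zero, i.e. ~4,096 attempts on average.
EASY_TARGET = 1 << (256 - 12)
GENESIS_PREV = b"\x00" * 32


@dataclass
class Block:
    prev_hash: bytes
    txs: list          # transactions as plain strings, e.g. "ABC123 -> XYZ678 0.1 BTC"
    target: int
    nonce: int = 0

    def merkle(self) -> bytes:
        return merkle_root([sha256d(t.encode()) for t in self.txs])

    def header(self) -> bytes:
        # simplified header: previous hash || Merkle root || target || nonce
        return (self.prev_hash + self.merkle()
                + self.target.to_bytes(32, "big") + self.nonce.to_bytes(8, "big"))

    def hash(self) -> bytes:
        return sha256d(self.header())

    def meets_target(self) -> bool:
        return int.from_bytes(self.hash(), "big") < self.target


def mine(block: Block, max_tries: int = 10_000_000) -> Block:
    """Brute-force the nonce until the header hash is below the target (the 'crypto puzzle')."""
    for nonce in range(max_tries):
        block.nonce = nonce
        if block.meets_target():
            return block
    raise RuntimeError("no solution within max_tries")


def build_chain(tx_batches: list, target: int = EASY_TARGET) -> list:
    """Mine one block per batch, each committing to the hash of the block before it."""
    chain = []
    prev = GENESIS_PREV
    for txs in tx_batches:
        block = mine(Block(prev, txs, target))
        chain.append(block)
        prev = block.hash()
    return chain


def verify_chain(chain: list) -> bool:
    """What every peer re-checks: links intact and every block's proof-of-work valid."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or not block.meets_target():
            return False
        prev = block.hash()
    return True


if __name__ == "__main__":
    chain = build_chain([["coinbase -> miner 50 BTC"],
                         ["ABC123 -> XYZ678 0.1 BTC", "RST234 -> ABC123 5 BTC"]])
    for i, b in enumerate(chain):
        print(f"block {i}: nonce={b.nonce} hash={b.hash().hex()}")
    print("chain valid:", verify_chain(chain))
    chain[0].txs[0] = "coinbase -> thief 50 BTC"   # rewrite history in block 0
    print("after tampering with block 0:", verify_chain(chain))
```

Because the tampered block's hash no longer matches the `prev_hash` stored in the next block, the forger would have to redo the proof-of-work for that block and every block after it, which is the property slide 33 calls irreversibility.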
  28. Bitcoin Network Geographic Node Density (maps: worldwide & Europe)
  29. Mining Requires Solving Crypto Puzzles By Brute-force Methods: Application Specific Integrated Circuit; 1 ASIC = 70,000 Intel CPUs (Source: HashFast)
  30. Mining Activity Is Determined By Hard Economics
     • Avalon ASIC miner
     • 75 GigaHash/sec
     • Network speed: 140 TeraHash
     • 0.05% of the BTC network
     • 0.05% of 3600 BTC/day = 1.8 BTC/day
     • $200/day
     (Source: Dec. 2013 data self-reported by a miner)
  31. Verification (‘Mining’) includes a reward to the Miner (diagram: unverified transactions, each made up of a transfer of funds, a proof of ownership and a digital signature, are checked by the BitCoin P2P client network and appended to the ‘Block Chain’ of verified transactions; newly minted BTC that is owned by the miner is included)
  32. Many Miners compete to create the next block and reap the reward (diagram: the checked transactions are ‘locked’ into the next block of the Block Chain)
  33. Once in the block chain, the transaction is irreversible (diagram: RHONDA the merchant, account XYZ678, receives the verified transaction)
  34. Use of BitCoin follows a pre-existing business agreement
     • RHONDA the merchant (account XYZ678): “I accept BitCoin payment. 12 roses = 0.1 BTC. Account: XYZ678”
     • SAM the consumer (account ABC123, with secret key Secret123): “Please send 12 roses to 839 Hilton Rd., Cville, VA. I am sending a transaction (from ABC123)”
  35. Fund transfers use public key cryptography to ensure non-repudiation and integrity
     • Proof of BTC ownership: Sender RST234, Transfer to ABC123, Amount 5 BTC, Digital Signature 973sdskhu9dft
     • Transaction (transfer of funds): Sender ABC123, Transfer to XYZ678, Amount 0.1 BTC
  36. Transactions are propagated through a P2P network (diagram: SAM the consumer, account ABC123, broadcasts the transaction to the BitCoin P2P client network, from which it reaches RHONDA the merchant, account XYZ678)
  37. The peers verify the ownership of funds using the block chain (diagram: unverified transactions are checked against the Block Chain of transactions and ‘locked’ into the next block of verified transactions)
  38. Bitcoin Usage During a Ransomware Attack
  39. Anatomy of a ransomware attack
     • Installation via an exploit kit or spam with an infected attachment. Once installed, the ransomware modifies the registry keys.
     • Contact with the command & control server of the attacker: the ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.
     • Encryption of assets: certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.
     • Ransom demand: a message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to.
     • And gone: the ransomware will then delete itself, leaving just the encrypted files and ransom notes behind.
  40. Step 1: Locate the Payment Method Instructions
     • This step can be fairly easy since most ransomware will display the payment methods in large text or very clear instructions.
     • Typically there will be a link to instructions right in the ransomware screen.
     • In other cases you will have a file named something like DECRYPT_INSTRUCTIONS.TXT that you can follow.
     • Regardless of the specific version of ransomware you’ve been hit with, the payment instructions will give you three pieces of information:
       – How much to pay
       – Where to pay
       – Amount of time left to pay the ransom (countdown timer)
     • Once you have the above information, it’s time to figure out how to pay the ransom.
  41. Ransom Demand Note: HELP_DECRYPT.HTML, HELP_DECRYPT.TXT, HELP_DECRYPT.URL (screenshot of a “Free Decryption Service” webpage)
  42. Ransom Notes: HELP_DECRYPT.HTML, HELP_DECRYPT.TXT, HELP_DECRYPT.URL
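The sequence on slide 39 (mass encryption of reachable files, then a ransom note dropped beside them) and the note file names on slides 40 to 42 give a defender two concrete signals to watch for in file-activity telemetry. The following detector is an added example written for this page, not code from the presentation: it assumes a constructed, simplified file-event log format (timestamp, pid, image, operation, path; a Sysmon or EDR export would need its own parser) and flags a process that writes or renames many files within a short window, or that creates a file with one of the note names shown on the slides.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Ransom-note file names taken from slides 40 to 42; matched case-insensitively on the base name.
RANSOM_NOTE_NAMES = {
    "HELP_DECRYPT.HTML", "HELP_DECRYPT.TXT", "HELP_DECRYPT.URL", "DECRYPT_INSTRUCTIONS.TXT",
}

# Assumed (constructed) log line format; adapt the pattern to your own telemetry source.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>[A-Z]+) path=(?P<path>.+)$"
)


def parse_event(line: str) -> Optional[dict]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def detect(lines, burst_threshold: int = 20, window_seconds: int = 60) -> list:
    """Return findings: a ransom note being dropped, or one process touching
    `burst_threshold` files within `window_seconds` (the encryption burst)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # (pid, image) -> timestamps of recent writes/renames
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip unparseable lines rather than abort the whole scan
        base_name = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if ev["op"] == "CREATE" and base_name in RANSOM_NOTE_NAMES:
            findings.append({"rule": "ransom_note_dropped", "pid": ev["pid"],
                             "image": ev["image"], "detail": ev["path"]})
        if ev["op"] in ("WRITE", "RENAME"):
            key = (ev["pid"], ev["image"])
            hits = [t for t in recent[key] if ev["ts"] - t <= window]  # slide the window
            hits.append(ev["ts"])
            recent[key] = hits
            if len(hits) == burst_threshold:  # fire once, as the threshold is crossed
                findings.append({"rule": "mass_file_modification", "pid": ev["pid"],
                                 "image": ev["image"],
                                 "detail": f"{burst_threshold} writes/renames within {window_seconds}s"})
    return findings


def sample_log() -> list:
    """Constructed events: an editor saving a few documents over 10 minutes, then a
    process that renames 25 files in 25 seconds and drops HELP_DECRYPT.TXT."""
    t0 = datetime(2016, 8, 11, 10, 0, 0)
    lines = []
    for i in range(3):
        ts = (t0 + timedelta(seconds=i * 300)).isoformat()
        lines.append(f"{ts} pid=1234 image=winword.exe op=WRITE path=C:\\Users\\sam\\Documents\\report{i}.docx")
    t1 = t0 + timedelta(minutes=20)
    for i in range(25):
        ts = (t1 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} pid=4120 image=updater.exe op=RENAME path=C:\\Users\\sam\\Documents\\photo{i}.jpg")
    ts = (t1 + timedelta(seconds=30)).isoformat()
    lines.append(f"{ts} pid=4120 image=updater.exe op=CREATE path=C:\\Users\\sam\\Documents\\HELP_DECRYPT.TXT")
    return lines


if __name__ == "__main__":
    for finding in detect(sample_log()):
        print(finding)
```

The burst rule fires before the note appears, which is the point: by the time HELP_DECRYPT.TXT exists the files are already encrypted, so the earlier signal is the one worth alerting on, and the threshold needs tuning against backup jobs and installers that also rewrite many files legitimately.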
  43. Step 2: Obtaining Bitcoin
     • Set up an account with a Bitcoin exchange; you will need to purchase some Bitcoin.
     • Deciding which exchange to use can be tricky, because some require banking information, while others are more of a brokerage site between people wanting to buy and sell Bitcoin.
     • In some cases you can even transact in person! In any case, you’ll have to create an account (example: http://www.CoinBase.com).
     • Once you’ve created an account, you’ll likely have a wallet address. This is the address you’ll need to provide to the person you’re buying the Bitcoin from.
  44. Installing a TOR Browser
     • To download the TOR browser, navigate to http://www.torproject.org and click the download button. (Do not download a TOR browser from any other website.)
     • Ransomware creators often host their sites in very temporary locations in the TOR network and you may be forced to use the TOR browser to navigate to the site created specifically with your payment instructions.
     • This is done so that the hackers can take down the site immediately after it is done being used and avoid any public tracking that would come with using normal hosting on the typical world-wide web.
     • The website “address” given to you by the ransomware may look very odd, and it will usually be located in the decrypt instructions or on the main screen.
  45. Step 4: Paying the Ransom
     • Once you have a Bitcoin (or more) in your Bitcoin wallet, it’s time to transfer that Bitcoin to the wallet of the ransomware creator.
     • Typically paying the ransom will require one or more of the following pieces of information:
       – A web address to view your specific ransomware payment information (this may be a TOR address).
       – The hacker’s BTC wallet ID that you will use to transfer the BTC to.
       – Depending on the ransomware, the transaction ID or “hash” generated when you actually transfer the BTC to the hacker’s wallet.
  46. Step 4: Paying the Ransom
     • Once you’ve logged into your account at the Bitcoin exchange and transferred the Bitcoin to the hacker’s wallet (this may take some time, 20-40 minutes), you usually get a transaction confirmation hash, which is another long series of letters and numbers.
     • Depending on the type of ransomware you’ve been hit with, you may need to provide the transaction hash ID to the hackers.
     • The ransomware will usually have a field where you can type in or paste the transaction hash ID.
  47. Step 5: Decrypting Your Files
     • Once you’ve paid the Bitcoin to the hackers, you will probably have to wait for a bit of time (up to several hours) before they have processed the transaction.
     • Once the hackers have processed the transaction, they should give you access to the unique executable with the key that starts decrypting your files.
  48. Bitcoin Regulatory Considerations
  49. Theoretical & technical problems which weigh against Bitcoin usage:
     • Illegal activities, speculation and the nature of this currency.
     • The theoretical base for digital currency usage.
     • Regulation and taxation issues.
     • The disputable status of an independent and decentralized currency.
     • Mining problems.
     • Skepticism towards the implementation of new, unregulated technologies in the finance sphere.
  50. Illegal Activities, Speculation And The Nature Of The Bitcoin Currency
     • Can a currency be anonymous and transparent at the same time?
     • Why would somebody give you approximately $27,000 for solving impractical mathematical equations?
     • According to Forbes (2014), currently more than 90 percent of bitcoin accounts are in a buy-and-hold mode!
     “At some point in the growth of a boom all aspects of property ownership become irrelevant except the prospect for an early rise in price. Income from the property, or enjoyment of its use, or even its long-run worth is now academic.” J. K. Galbraith (The Great Crash, 1929)
  51. Legality of Bitcoin by country (map legend: PERMISSIVE, CONTENTIOUS, HOSTILE, UNKNOWN; source: bitlegal.io)
  52. Does Bitcoin Need Regulation?
     • Guns don’t kill people… people do!
     • Bitcoins don’t buy drugs… people do!
     • Regulation is not so much about use… but about
       – Consumer protection
       – Anti-money laundering
       – Anti-tax evasion
  53. International Acceptance?
     • Germany: Bitcoin should be considered as “private money”
     • EU: warning re fraud, tax evasion, crimes
     • UK: not treated as money… but subject to VAT
     • Belgium: no regulations
     • France: no action
     • Finland: issued a regulatory guide and capital gains tax
     • Sweden: bitcoin a means of payment; registration for exchanges
     • Slovenia: pro bitcoin; not a currency or financial instrument; taxable
     • China: prohibitions on financial institutions/payment processors
     • Singapore: pro bitcoin; taxable
  54. Silk Road Website
     • A black market website that began on the TOR network in February 2011.
     • Bitcoin predates Silk Road.
     • Transactions are paid for with Bitcoin.
     • Uses an escrow system to reduce abuse.
     • Looks like eBay, but most things are illegal, most notably drugs.
     • Shut down by the FBI on 10/2/2013 and a suspected leader (Dread Pirate Roberts) was arrested.
     • Many millions of dollars’ worth of BTC were confiscated from people all over the world, even if they broke no laws.
     • On 11/6/2013 the website re-opened as 2.0, apparently with new management.
     • Silk Road is only the most successful marketplace for black market goods.
  55. Questions?
  56. Thanks. Reach me on social media: Facebook: Technology Evangelist; Twitter handle: @InderBarara; LinkedIn: InderBarara; Blog: https://technologyevaneglist.wordpress.com/; Email: inderjit.barara@gmail.com
