Unveiling Dynamics and Patterns: A Comprehensive Analysis of Spreading Patterns and Similarities in Low-Labelled Ransomware Families

Date: 19.08.2024


Abstract

Ransomware has become one of the most widespread threats, primarily due to its easy deployment and the accessibility of services that enable attackers to raise and obfuscate funds. This latter aspect has been significantly enhanced with the advent of cryptocurrencies, which, by fostering decentralisation and anonymity, have transformed this threat into a large-scale outbreak. Furthermore, Ransomware as a Service platforms have made tools and services available even to individuals with limited technical expertise, enabling them to launch complex ransomware attacks. In this sense, recent reports indicate that a small group of individuals dominates the ransomware ecosystem, often obfuscating their activity by using multiple strains characterised by a short time to live. This scenario suggests that different strains could share mechanisms in ransom collection, fund movement, and money laundering operations. For this reason, this study aims to analyse the address-transaction graphs generated in the Bitcoin network by low-labelled ransomware families. Our goals are to identify payment spreading patterns for evaluating the evolution of ransomware families and to detect similarities among different strains that can potentially be controlled by the same attacker. Specifically, this latter task assigns an address behaviour to each node in the address-transaction graphs according to its dynamics. The distribution of the behaviours in each strain is finally used to evaluate the closeness among different ransomware families. Our findings show that although ransomware families can quickly establish connections with millions of addresses, numerous families require multiple-step analysis. Furthermore, the study demonstrates that the introduced behaviours can effectively be used to highlight similarities among different ransomware strains. The outcome shows that families are similar primarily due to behaviours usually associated with ransom collection and money laundering operations.
To the best of our knowledge, this work contributes to dissecting the evolution of ransomware strains and detecting distinctive markers they show within the Bitcoin network.

BibTeX

@Article{CITATION_KEY_PLACEHOLDER,
  title = {Unveiling Dynamics and Patterns: A Comprehensive Analysis of Spreading Patterns and Similarities in Low-Labelled Ransomware Families},
  pages = {260-268},
  keywords = {Behaviour Distribution; Bitcoin Analysis; Ransomware; Similarities; Spread Evolution},
  abstract = {Ransomware has become one of the most widespread threats, primarily due to its easy deployment and the accessibility of services that enable attackers to raise and obfuscate funds. This latter aspect has been significantly enhanced with the advent of cryptocurrencies, which, by fostering decentralisation and anonymity, have transformed this threat into a large-scale outbreak. Furthermore, Ransomware as a Service platforms have made tools and services available even to individuals with limited technical expertise, enabling them to launch complex ransomware attacks. In this sense, recent reports indicate that a small group of individuals dominates the ransomware ecosystem, often obfuscating their activity by using multiple strains characterised by a short time to live. This scenario suggests that different strains could share mechanisms in ransom collection, fund movement, and money laundering operations. For this reason, this study aims to analyse the address-transaction graphs generated in the Bitcoin network by low-labelled ransomware families. Our goals are to identify payment spreading patterns for evaluating the evolution of ransomware families and to detect similarities among different strains that can potentially be controlled by the same attacker. Specifically, this latter task assigns an address behaviour to each node in the address-transaction graphs according to its dynamics. The distribution of the behaviours in each strain is finally used to evaluate the closeness among different ransomware families. Our findings show that although ransomware families can quickly establish connections with millions of addresses, numerous families require multiple-step analysis. Furthermore, the study demonstrates that the introduced behaviours can effectively be used to highlight similarities among different ransomware strains. The outcome shows that families are similar primarily due to behaviours usually associated with ransom collection and money laundering operations. To the best of our knowledge, this work contributes to dissecting the evolution of ransomware strains and detecting distinctive markers they show within the Bitcoin network.},
  isbn = {979-835035159-0},
  date = {2024-08-19},
}
Vicomtech
