Representing Ransomware payments using STIX and Neo4j — IIa

CrocSec
7 min read · Jul 9, 2024


Part IIa — Analysing the campaigns — taking a target centric approach

Objective

Following on from our previous blog post, Part I — Building the foundations, I wanted to analyse the ransomware-bundle.json dataset from DOGESEC further. I will break this analysis into three parts. Part IIa — Analysing the campaigns — taking a target centric approach. Part IIb — It’s not the length that counts and Part IIc — Different spokes for different folks. In doing so, I hope to:

  • Show how different ransomware attackers reveal different payment profiles;
  • Understand some of the key characteristics of these payment profiles

Recap

In our first blog post we examined the structure of the data collected from the cryptocurrency-wallet and cryptocurrency-transaction STIX objects. We loaded this collected intelligence into Neo4j to extract and visualise the nodes, relationships and properties of the STIX data across 105 ransomware campaigns as per the ransomwhe.re dataset. With our Neo4j graph data model in place we can now do some deeper analysis. This analysis will span multiple parts as we look at the campaigns through a few different lenses.

Methodology

Much of the thought behind the analysis follows a conceptual intelligence framework known as Target Centric Intelligence, first proposed by Clark (2019). The beauty of this approach is that it lends itself to the networked nature of threat intelligence and provides some structure to an often chaotic environment. Starting with a hypothesis or target in mind, we can continuously iterate and navigate through the changing needs of the intelligence consumer and the entropic nature of the information that relates to our target.

Figure 1. Target centric intelligence (Adapted from Clark, 2019)

A good place to start is to formulate a target by seeking answers from within the collected ransomware intel. Some initial investigation triggers to consider are:

  • Which campaign has the most number of addresses/transactions attributed to it?
  • Which campaign has the most BTC collected from those addresses?
  • Which campaigns have the highest/lowest/most unique 1:n or n:1 (address:tx) ratios? And why?
  • The Timeline: What are the timestamps of our transactions telling us?
  • Does the campaign duration determine the profile of the campaign?
  • Has ransomware evolved over time to use different payment tactics?
  • Can we get Cryptocurrency Exchange information from our intel? For example, where a wallet is created or moving funds to?

By seeking answers to some or all of these questions we can start to build our analysis pipeline to meet our objectives:

  • Show how different ransomware attackers reveal different payment profiles;
  • Understand some of the key characteristics of these payment profiles

Analysis → Seek answers

Beginning with our top three questions:

  • Which campaign has the most number of addresses/transactions attributed to it?
  • Which campaign has the most BTC collected from those addresses?
  • Which campaigns have the highest/lowest/most unique 1:n or n:1 (address:tx) ratios? And why?

Using the following Cypher query on our Neo4j database, created from the ransomware-bundle.json data, we can sort through the ransomware campaigns of interest.

MATCH (n:Indicator)-[r]-(w:Wallet)-[q]-(t:TX)
RETURN n.name,
       COUNT(DISTINCT w.address) AS rns_addr,
       COUNT(DISTINCT t.hash) AS rns_tx,
       // q.amount is in satoshis; dividing by a float avoids integer division truncating the fractional BTC
       SUM(q.amount) / 100000000.0 AS address_amount
ORDER BY address_amount DESC, rns_addr DESC, rns_tx DESC

Modifying the order of the ORDER BY clause we can take the top 10 campaigns with the most number of addresses/transactions/BTC collected, respectively. The following tables reveal these results:

Table 1. Top 10 ransomware campaigns with the most addresses
Table 2. Top 10 ransomware campaigns with the most transactions
Table 3. Top 10 ransomware campaigns with the most BTC collected

Looking at our three leaderboards we can see some common campaigns prevailing in the top 3.

  • Locky with 7,036 addresses; 7,874 transactions; 16,244 BTC collected
  • Razy with 1 address; 1,783 transactions; 29,679 BTC collected

Then there are a number of campaigns jostling for a top 5 position on the leaderboard yielding some interesting combinations between large numbers of transactions, large numbers of addresses and large amounts of BTC collected.

  • Conti with 100 addresses; 133 transactions; 9,035 BTC collected
  • Netwalker (Mailto) with 66 addresses; 234 transactions; 3,029 BTC collected
  • Maui with 7 addresses; 2,216 transactions; 1,141 BTC collected

There are also some anomalous campaigns, for example “Qlocker”, which has 22 addresses and 910 transactions but collected only 9 BTC. Depending on the target of your analysis, it can also be worthwhile examining why a campaign with a large number of addresses and transactions collected only a modest amount of BTC.

For now, based on the above, our targets for analysis are centred on those big campaigns (Locky and Razy) that are yielding a large amount of ransom paid and are extremely active in the Bitcoin ecosystem with a large number of transactions. You may decide on a different approach to kick-start your analysis. For example, some other angles might be:

  • What is the target industry of the ransomware campaign?
  • Are they targeting critical infrastructure?
  • Is the campaign a tool of malicious intent or financially motivated?
  • What geopolitical context are the attackers operating under?

The answers to these questions may naturally come about no matter what triggers your initial investigation. That is the utility of the target centric approach.

Next we take a look at what the gaps might be between our two chosen campaigns (Locky and Razy) versus the rest of the pack.

Analysis → Identify gaps

Examining the impact matrix based on our initial analysis criteria (# addresses, # transactions, BTC collected), we can see the gaps between the campaigns and certain clusters of others. Figure 2 shows the dominance of Locky (top right corner) over the cohort of campaigns (i.e. a large number of addresses + a large number of transactions + a large amount of BTC collected (bubble size)). Such is Locky’s influence on this ransomware cohort that it relegates over 100 other campaigns to a small cluster in the bottom left corner. The two other campaigns that fight against Locky’s gravity are Razy and Maui. These are the two others we called out in our top five leaderboard from the previous section.

Focusing on Locky for a moment.

MATCH (n:Indicator)
WHERE n.name =~ 'Locky.*'
RETURN n

What is it about this campaign that sets it apart from the others?

  • Could it be the longevity of the ransomware strain that has persisted over time? The campaign first appeared in 2016.
  • Could it be the attack vector? Large-scale email campaigns spearheaded by the Necurs botnet: a phishing email is received with a Microsoft Word attachment that contains the malicious code; the document prompts the user to enable macros to view it, and this primes Locky’s payload.
  • Could it be the group the ransomware is attributed to? The Russian-backed Evil Corp.
  • Could it be the industries targeted by the group? The number one target for Locky ransomware was healthcare institutions.

These are important considerations when trying to understand the risk or threat scenario (likelihood x vulnerability x impact) (Young, 2022).

Figure 2. Ransomware impact analysis based on # addresses, # transactions, BTC collected (all 105 campaigns)

Let’s also take a look at the BTC collection profile of our campaigns.

Figure 3. Ransomware campaign payment profile (# addresses, # transactions, BTC collected)

This is another perspective of our bubble chart in Figure 2. It places Razy in pole position because the data is ordered by the BTC amount collected as per Table 3.

The curious case of Razy

MATCH (n:Indicator)
WHERE n.name =~ 'Razy.*'
RETURN n

We can certainly ask the same questions about Razy as we did about Locky. In addition, what seems special about Razy is that it only has one address attributed to it from the ransomwhe.re dataset (1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX). Why might this be? According to SecureList by Kaspersky, Razy was a financially motivated attack that would install a malicious browser extension on a victim’s computer. This would allow the attackers to use the malware to:

  • Search for addresses of cryptocurrency wallets on websites and replace them with the threat actor’s wallet addresses
  • Spoof images of QR codes pointing to wallets
  • Modify the web pages of cryptocurrency exchanges
  • Spoof Google and Yandex search results

All with the intention of stealing a victim’s cryptocurrency. According to Kaspersky, the top three countries affected by Razy were the Russian Federation (72 percent), Ukraine (4 percent) and Kazakhstan (3 percent). What is remarkable from a cryptocurrency perspective is that the attributed Bitcoin addresses were: ‘1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L’, ‘1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq’, ‘3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY’, ‘1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj’, ‘35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC’, ‘34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ’. At the time of writing their analysis (24 January 2019), Kaspersky measured the total incoming transactions on all these wallets at only approximately 0.14 BTC plus 25 ETH.

Conflicting Intelligence

This is in contrast to our collected intelligence, which reveals 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX as the sole address associated with Razy. It turns out that this address is an FBI-seized address from the Silk Road takedown. The FBI seized 29,658 BTC in total on the address 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX, which is pretty close to the recorded amount we have in our collection, 29,679 BTC. It is more than likely that Razy is not associated with this address, and we should consider relabelling it and removing it from further analysis. This will become evident when we look at how the transactions are spread over the duration of the campaigns. The time of the earliest transaction associated with Razy is 2013-10-02T10:27:16Z. This is the exact date and time the FBI took down the Silk Road and transferred these proceeds to their controlled wallet.
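As an added example (not the post’s own code), the leaderboard produced by the Cypher query in the “Seek answers” section and the plausibility check this section describes, recomputed in pure Python over a handful of constructed rows that mirror the (Indicator)-(Wallet)-(TX) model. The short addresses, amounts and first-sighting dates are assumptions; only the Silk Road address and its timestamp come from the post.

```python
from collections import defaultdict
from datetime import datetime, timezone

SATOSHI = 100_000_000

# Constructed (campaign, address, tx hash, amount in satoshis, tx time) rows.
# Figures are illustrative only, not ransomwhe.re data.
ROWS = [
    ("Locky", "1LockyA", "tx1", 50_000_000, "2016-02-17T09:00:00Z"),
    ("Locky", "1LockyB", "tx2", 150_000_000, "2016-03-01T12:30:00Z"),
    ("Locky", "1LockyB", "tx3", 25_000_000, "2016-03-02T08:15:00Z"),
    ("Razy", "1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX", "tx4", 2_965_800_000_000, "2013-10-02T10:27:16Z"),
    ("Qlocker", "1QlockA", "tx5", 1_000_000, "2021-04-20T00:00:00Z"),
    ("Qlocker", "1QlockB", "tx6", 500_000, "2021-04-21T00:00:00Z"),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def campaign_stats(rows):
    """Per campaign: distinct addresses, distinct txs, BTC collected, earliest tx.
    Dividing by a float avoids the silent truncation of integer division."""
    stats = defaultdict(lambda: {"addrs": set(), "txs": set(), "sats": 0, "first": None})
    for camp, addr, tx, sats, when in rows:
        s = stats[camp]
        s["addrs"].add(addr); s["txs"].add(tx); s["sats"] += sats
        t = ts(when)
        s["first"] = t if s["first"] is None or t < s["first"] else s["first"]
    return {c: {"rns_addr": len(s["addrs"]), "rns_tx": len(s["txs"]),
                "btc": s["sats"] / float(SATOSHI), "first_tx": s["first"]}
            for c, s in stats.items()}

def leaderboard(stats, key):
    """Same effect as swapping the leading ORDER BY column in the Cypher query."""
    return [c for c, _ in sorted(stats.items(), key=lambda kv: kv[1][key], reverse=True)]

# Known seizure events to cross-check wallets against (entry taken from the post).
SEIZED = {"1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX": ("FBI Silk Road seizure", "2013-10-02T10:27:16Z")}

def verify(rows, stats, first_seen):
    """Flag wallets on a seizure list and campaigns whose earliest tx predates their first sighting."""
    flags = {}
    for camp, addr, *_ in rows:
        if addr in SEIZED:
            flags.setdefault(camp, []).append(f"{addr} is a known seized address: {SEIZED[addr][0]}")
    for camp, s in stats.items():
        if camp in first_seen and s["first_tx"] < ts(first_seen[camp]):
            flags.setdefault(camp, []).append(f"earliest tx {s['first_tx']:%Y-%m-%d} predates first sighting {first_seen[camp][:10]}")
    return {c: sorted(set(v)) for c, v in flags.items()}
```

A campaign returned by verify() is one to relabel or drop before it skews the impact matrix, as Razy does here.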

Don’t believe everything you collect

The examination of Razy with respect to our data highlights the importance of verifying the intelligence collected. In Part IIb, we will remove the influence of Locky and Razy from our impact analysis and see which campaigns become more influential as well as look at campaign longevity and how it influences the impact.

References

Clark, R. M. (2019). Intelligence analysis: a target-centric approach. CQ press.

Young, C. S. (2022). Cybercomplexity: A Macroscopic View of Cybersecurity Risk. Springer Nature.


CrocSec

CrocSec Bytes are a series of bite sized blogs working at the intersection of intelligence, cyber security and the networks behind them.