Abstract

Bitcoin, a decentralized cryptographic currency that has experienced proliferating popularity over the past few years, is the common denominator in a wide variety of cybercrime. We perform a measurement analysis of CryptoLocker, a family of ransomware that encrypts a victim's files until a ransom is paid, within the Bitcoin ecosystem from September 5, 2013 through January 31, 2014. Using information collected from online fora, such as reddit and BitcoinTalk, as an initial starting point, we generate a cluster of 968 Bitcoin addresses belonging to CryptoLocker. We provide a lower bound for CryptoLocker's economy in Bitcoin and identify 795 ransom payments totalling 1,128.40 BTC ($310,472.38), but show that the proceeds could have been worth upwards of $1.1 million at peak valuation. By analyzing ransom payment timestamps both longitudinally across CryptoLocker's operating period and transversely across times of day, we detect changes in distributions and form conjectures on CryptoLocker that corroborate information from previous efforts. Additionally, we construct a network topology to detail CryptoLocker's financial infrastructure and obtain auxiliary information on the CryptoLocker operation. Most notably, we find evidence that suggests connections to popular Bitcoin services, such as Bitcoin Fog and BTC-e, and subtle links to other cybercrimes surrounding Bitcoin, such as the Sheep Marketplace scam of 2013. We use our study to underscore the value of measurement analyses and threat intelligence in understanding the erratic cybercrime landscape.

Original language: English (US)
Title of host publication: Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016
Publisher: IEEE Computer Society
Pages: 1-13
Number of pages: 13
Volume: 2016-June
ISBN (Electronic): 9781509029228
DOI: 10.1109/ECRIME.2016.7487938
State: Published - Jun 8 2016
Event: 2016 APWG Symposium on Electronic Crime Research, eCrime 2016 - Toronto, Canada
Duration: Jun 1 2016 to Jun 3 2016

Keywords

  • Bitcoin
  • CryptoLocker
  • cybercrime
  • ransomware
  • security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Information Systems
  • Information Systems and Management

Cite this

Liao, K., Zhao, Z., Doupe, A., & Ahn, G-J. (2016). Behind closed doors: Measurement and analysis of CryptoLocker ransoms in Bitcoin. In Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016 (Vol. 2016-June, pp. 1-13). [7487938] IEEE Computer Society. https://doi.org/10.1109/ECRIME.2016.7487938

Behind closed doors: Measurement and analysis of CryptoLocker ransoms in Bitcoin. / Liao, Kevin; Zhao, Ziming; Doupe, Adam; Ahn, Gail-Joon.

Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016. Vol. 2016-June IEEE Computer Society, 2016. p. 1-13 7487938.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

@inproceedings{b98073ce42904c84ab85772ab764208f,
title = "Behind closed doors: Measurement and analysis of CryptoLocker ransoms in Bitcoin",
keywords = "Bitcoin, CryptoLocker, cybercrime, ransomware, security",
author = "Kevin Liao and Ziming Zhao and Adam Doupe and Gail-Joon Ahn",
year = "2016",
month = "6",
day = "8",
doi = "10.1109/ECRIME.2016.7487938",
language = "English (US)",
volume = "2016-June",
pages = "1--13",
booktitle = "Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016",
publisher = "IEEE Computer Society",
address = "United States",

}

TY - GEN

T1 - Behind closed doors

T2 - Measurement and analysis of CryptoLocker ransoms in Bitcoin

AU - Liao, Kevin

AU - Zhao, Ziming

AU - Doupe, Adam

AU - Ahn, Gail-Joon

PY - 2016/6/8

Y1 - 2016/6/8

KW - Bitcoin

KW - CryptoLocker

KW - cybercrime

KW - ransomware

KW - security

UR - http://www.scopus.com/inward/record.url?scp=84977272009&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84977272009&partnerID=8YFLogxK

U2 - 10.1109/ECRIME.2016.7487938

DO - 10.1109/ECRIME.2016.7487938

M3 - Conference contribution

VL - 2016-June

SP - 1

EP - 13

BT - Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016

PB - IEEE Computer Society

ER -