Abstract

Bitcoin, a decentralized cryptographic currency that has experienced proliferating popularity over the past few years, is the common denominator in a wide variety of cybercrime. We perform a measurement analysis of CryptoLocker, a family of ransomware that encrypts a victim's files until a ransom is paid, within the Bitcoin ecosystem from September 5, 2013 through January 31, 2014. Using information collected from online fora, such as reddit and BitcoinTalk, as an initial starting point, we generate a cluster of 968 Bitcoin addresses belonging to CryptoLocker. We provide a lower bound for CryptoLocker's economy in Bitcoin and identify 795 ransom payments totalling 1,128.40 BTC ($310,472.38), but show that the proceeds could have been worth upwards of $1.1 million at peak valuation. By analyzing ransom payment timestamps both longitudinally across CryptoLocker's operating period and transversely across times of day, we detect changes in distributions and form conjectures on CryptoLocker that corroborate information from previous efforts. Additionally, we construct a network topology to detail CryptoLocker's financial infrastructure and obtain auxiliary information on the CryptoLocker operation. Most notably, we find evidence that suggests connections to popular Bitcoin services, such as Bitcoin Fog and BTC-e, and subtle links to other cybercrimes surrounding Bitcoin, such as the Sheep Marketplace scam of 2013. We use our study to underscore the value of measurement analyses and threat intelligence in understanding the erratic cybercrime landscape.

Original language: English (US)
Title of host publication: Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016
Publisher: IEEE Computer Society
Pages: 1-13
Number of pages: 13
ISBN (Electronic): 9781509029228
State: Published - Jun 8 2016
Event: 2016 APWG Symposium on Electronic Crime Research, eCrime 2016 - Toronto, Canada
Duration: Jun 1 2016 to Jun 3 2016

Publication series

Name: eCrime Researchers Summit, eCrime
Volume: 2016-June
ISSN (Print): 2159-1237
ISSN (Electronic): 2159-1245

Other

Other: 2016 APWG Symposium on Electronic Crime Research, eCrime 2016
Country: Canada
City: Toronto
Period: 6/1/16 to 6/3/16

Keywords

  • Bitcoin
  • CryptoLocker
  • cybercrime
  • ransomware
  • security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Information Systems
  • Information Systems and Management

  • Cite this

    Liao, K., Zhao, Z., Doupe, A., & Ahn, G-J. (2016). Behind closed doors: Measurement and analysis of CryptoLocker ransoms in Bitcoin. In Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016 (pp. 1-13). [7487938] (eCrime Researchers Summit, eCrime; Vol. 2016-June). IEEE Computer Society. https://doi.org/10.1109/ECRIME.2016.7487938