Presentation titled "Bitcoin and Ransomware Analysis": we discuss ransomware and how bitcoin is being utilized in cyber crime. We also look at Bitcoin mining, the Bitcoin trading market and the blockchain concept.
4. • In 2012, something changed, a lot!
• In 2010, something changed…
Reality Check - Perspective
[Figure: Google search trends for “ransomware” searches, 2008 to 2015]
[Figure: Google search trends for “ransomware” searches vs “malware” searches, 2008 to 2015]
7. Ransomware
• A type of malware that restricts access to the infected computer system in some way and demands that the user pay a ransom to the malware operators to remove the restriction.
• Some of the malicious actions taken by ransomware:
Encrypt personal files (images, movie files, documents, text files)
Encrypt files on shared network drives/resources
Lock system access using the login
Crash the system through resource use – e.g. spawning processes
Disrupt and annoy – open browser windows, display pornographic images
8. How do Ransomware threats spread?
Common methods used by cybercriminals to spread ransomware:
• Spam e-mail campaigns that contain malicious links or attachments;
• Malicious websites
• Legitimate websites that have malicious code injected in web pages
• Drive-by downloads
• Security exploits in vulnerable software
9. CryptoWall 3.x
• A server under their own control forwarded requests upstream to the C2 server inside the Tor network.
• Between the victims' infected machines and the Tor proxy server they added another proxy: a PHP script running on a hacked website.
• The PHP script forwards requests upstream towards the Tor server, making it somewhat harder to track down the actual Tor proxies.
10. Ransom Evolves: Learning New Tricks
• Using the TOR network to hide C&C
• Bitcoin is the default payment method
• Mobile and cloud based ransomware
• Increasingly difficult to detect and shut down ransomware
• Harder for law enforcement to trace
• Near impossible to decrypt without paying
11. Payment Mechanisms
• SMSs or phone calls to premium-rate numbers
• Prepaid electronic payment – Ukash, MoneyPack, PayPal My Cash Cards
• Bitcoins – virtual currency which makes it difficult to trace the actual recipient of the money
13. What is Bitcoin?
• Bitcoin is a software-based online payment system described by Satoshi Nakamoto in 2008 and introduced as open-source software in 2009.
• Payments are recorded in a publicly disclosed linked ledger of transactions stored in a blockchain.
• It is a form of digital currency (there is no physical form), created and held electronically.
• It can be used to buy things electronically and in that sense it is no different from conventional dollars.
• Bitcoin is commonly referred to as a cryptocurrency and it can be divided into a smaller unit called the satoshi (one hundred millionth of a BTC).
14. Bitcoin timeline, 2009 to 2016
• Nov. 08 – Nakamoto paper
• Jan. 09 – Bitcoin (BTC) is launched
• ’09 – BTC trades at $0.14
• German finance ministry recognizes BTC as a unit of account
• Silk Road shut down by the FBI
• Mt. Gox bankrupt
• IRS recognizes BTC as property
• 119,756 BTC (i.e. about $65 million) hacked
15. Features of Bitcoin
• Essentially it’s “deflationary” - the reward is cut in half every four years, and tokens can be irrevocably destroyed.
• Nearly infinitely divisible currency units supporting eight decimal places, 0.00000001 (known as a Satoshi or Noncent*)
• Nominal transaction fees paid to the network: same cost to send $.01 as $1,000,000
• Consensus driven – no central authority
• Counterfeit resilient: coins cannot be added arbitrarily and cannot be double-spent
• Non-repudiation - no recourse and no one to appeal to return sent tokens
16. BitCoin Ecosystem (based on Iyer & Davenport, HBR 2008)
[Figure: the BitCoin platform at the centre, surrounded by users, merchants, miners, and services (wallets & exchanges)]
17. Size of the BitCoin Economy
• Number of BitCoins in circulation - 15.2 million (Feb 2016)
• Total number of BitCoins generated cannot exceed 21 million (over 72% of
all bitcoins are already in circulation)
• Currently, there are 25 new bitcoins produced (mined) every 10 minutes.
• Average price of a Bitcoin (over the previous 6 months): around $600
1 BTC = 594 USD (Aug 11, 2016)
The price is very unstable.
• 30 transactions per minute (Visa: 200,000 transactions per minute).
18. How Can One Obtain Bitcoins?
• Earn bitcoins from mining.
• Buy bitcoins from Bitit, Coinbase, Cubits, CoinCorner, BIPS Market, Circle, or Celery.
• Buy bitcoins at the Bitcoin exchanges.
• There are several services where you can trade them for traditional currency.
• Buy bitcoins using Bitcoin ATMs (in some countries).
• Find someone to trade cash for bitcoins in person through a local directory.
• Participate in a mining pool.
• If you have a lot of mining hardware, you can solo mine and attempt to create a new block (currently yields 25 bitcoins plus transaction fees).
• Various other ways (donations, gambling, getting tipped, completing tasks on websites...)
19. What is it based on?
• System is run by the bitcoin protocol.
• It is based on mathematics, unlike conventional currencies that have been based on a fixed quantity of metal (gold, silver…) or are fiat currencies.
• Bitcoin has several features that set it apart from fiat currencies:
It is decentralized
It is easy to set up and it is fast
It is anonymous
It is completely transparent
Transaction fees are minuscule
Transactions are irreversible
20. Decentralized
• The “digital wallet” operates in a peer to peer mode
• When it starts, it bootstraps to find other wallets
• Originally it used the Internet Relay Chat (IRC) network
• Now based on DNS and “seed nodes”
• The wallet will synchronize with the network by downloading ALL of the transactions
starting from the GENESIS block if necessary
• 338,540 blocks at time of slide prep
• Just over 20 GB
• Using a “Gossip Protocol” the wallets share all transaction information with their peers
http://en.wikipedia.org/wiki/Gossip_protocol
21. Coins flow from Inputs to Outputs
A coin owner transfers coins by digitally signing (via ECDSA) a hash digest of the
previous transaction and the public key of the next owner. This signature is then
appended to the end of the coin.
22. Pseudo Anonymous
• Using public key cryptography, specifically Elliptic Curve Cryptography
due to its key strength and shorter keys.
• Transactions are sent to public key “addresses”
1AjYPi8qryPCJu6xgdJuQzVnWFXLmxq9s3
1Give4dbry2pyJihnpqV6Urq2SGEhpz3K
https://blockchain.info/
23. Addresses are like Accounts
• Wallet listens for transactions addressed to any of its public keys and in theory is
the only node that is able to decrypt and accept the transfer.
• “Coins” are “sent” by broadcasting the transaction to the network which are
verified to be viable and then added to a block.
• Keys can represent a MULTI-SIG address that requires N of M private keys in order to decrypt the message.
• Every viable transaction is stored in a public ledger.
• Transactions are placed in blocks, which are linked by SHA-256 hashes.
https://blockchain.info
24. How are Bitcoins created - Mining PROCESS
• Miners use special software to solve math problems (the bitcoin algorithm), and upon completing the task they receive a certain amount of coins.
• They are created each time a user discovers a new block (finds a hash value).
• The software keeps creating new units until it reaches the amount of 21 million units (a currency with finite supply).
• The rate of block creation is approximately consistent over time (6 per hour), with a 50% reduction of the reward every four years.
• Halving (in theory) continues until the years 2110-2140, when 21 million BTC have been issued.
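To see the halving schedule in numbers, here is an added example (not part of the presentation) that computes the block subsidy and the circulating supply in integer satoshis. It assumes the 50 BTC initial subsidy and a halving every 210,000 blocks (the slide's "every four years" at six blocks per hour); the block heights used in main(), including 398,000 as an approximate height for February 2016, are assumptions chosen for illustration.

```go
package main

import "fmt"

// Added example, not from the presentation: Bitcoin's block-subsidy schedule
// computed in integer satoshis. Assumptions: the subsidy starts at 50 BTC and
// halves every 210,000 blocks (the "every four years" on the slide at roughly
// six blocks per hour). Halving is an integer shift, so the subsidy eventually
// rounds to zero and the total stays just under 21 million BTC.
const (
	SatoshiPerBTC   uint64 = 100_000_000
	InitialSubsidy  uint64 = 50 * SatoshiPerBTC
	HalvingInterval uint64 = 210_000
)

// BlockSubsidy returns the newly minted satoshis a miner may claim in the
// coinbase transaction of the block at the given height.
func BlockSubsidy(height uint64) uint64 {
	halvings := height / HalvingInterval
	if halvings >= 64 { // explicit guard: the subsidy is zero long before this
		return 0
	}
	return InitialSubsidy >> halvings
}

// SupplyAtHeight returns the satoshis issued by blocks 0 .. height-1, i.e. the
// circulating supply once `height` blocks have been mined.
func SupplyAtHeight(height uint64) uint64 {
	var total uint64
	for start := uint64(0); start < height; start += HalvingInterval {
		subsidy := BlockSubsidy(start)
		if subsidy == 0 {
			break
		}
		end := start + HalvingInterval
		if end > height {
			end = height
		}
		total += (end - start) * subsidy
	}
	return total
}

// MaxSupply sums every subsidy era until the subsidy rounds down to zero.
func MaxSupply() uint64 {
	var total uint64
	for era := uint64(0); ; era++ {
		subsidy := BlockSubsidy(era * HalvingInterval)
		if subsidy == 0 {
			return total
		}
		total += HalvingInterval * subsidy
	}
}

// FormatBTC renders satoshis as a decimal BTC amount with eight places.
func FormatBTC(sat uint64) string {
	return fmt.Sprintf("%d.%08d BTC", sat/SatoshiPerBTC, sat%SatoshiPerBTC)
}

func main() {
	// 338,540 is the block count quoted on slide 20; 398,000 is an assumed
	// height for February 2016, when slide 17 reports 15.2 million BTC in circulation.
	for _, h := range []uint64{0, 210_000, 338_540, 398_000, 420_000} {
		fmt.Printf("height %7d: subsidy %s, supply so far %s\n",
			h, FormatBTC(BlockSubsidy(h)), FormatBTC(SupplyAtHeight(h)))
	}
	fmt.Println("maximum supply:", FormatBTC(MaxSupply()))
}
```

Because the subsidy is an integer halved by shifting, it reaches zero after 33 halvings and the sum of all eras lands at 20,999,999.9769 BTC, which is why the slides can say the total "cannot exceed 21 million"; at the assumed February 2016 height the function returns exactly the 15.2 million BTC quoted on slide 17.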
25. Total Bitcoin Unit Supply Over Time (Projection)
[Figure: x-axis Period, y-axis Number of units in circulation; data source: bitcoin.it]
26. Technology Behind Bitcoin
• Hashing (double-SHA256, RIPEMD-160)
• Proof-of-work (hashcash proof)
• Dual key encryption (Elliptic Curve Digital Signature Algorithm, Merkle Trees)
• Peer-To-Peer Networking (similar to IRC Internet Relay Chat)
27. Hashing
• Hashing is applying an algorithm to find a short number (digest) of a block
of data.
• BitCoin uses the SHA-256 hash algorithm to generate
verifiably "random" numbers in a way that requires a predictable amount
of CPU effort.
• Generating a SHA-256 hash with a value less than the current target solves
a block and wins you some coins.
• Every time you apply a hash to some data, you get the same hash number.
• Hashes are one-way traffic
If you have the data, you can find the hash. But, if you have the hash, you can’t figure
out the data.
28. Blockchain
• Miners publish a block of recent transactions every 10 minutes on average.
• Each block is provably related to the previous.
• Every transaction ever is stored in the blockchain.
• If there are disagreements about valid blocks, the blockchain can fork.
• Miners add to the longest good chain.
• Searching the blockchain can reveal interesting things.
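As an added illustration (not code from the presentation), the toy chain below shows the two mechanisms these slides describe: a double-SHA256 proof-of-work that must fall below a target, and a previous-hash link that makes every block "provably related to the previous". It is a simplification: the header holds only the previous hash, a SHA-256 over the transaction text in place of a Merkle root, and a nonce, and difficulty is expressed as a count of leading zero bits rather than Bitcoin's compact target encoding.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// Added example, not from the presentation: a toy block chain in which every
// block header commits to the previous block's hash and a double-SHA256
// proof-of-work must fall below a target. Assumptions: a reduced header
// (previous hash, SHA-256 over the transaction list in place of a Merkle root,
// 32-bit nonce) and a difficulty given as leading zero bits.

type Block struct {
	PrevHash []byte // 32 bytes; all zero for the genesis block
	TxRoot   []byte // 32 bytes; here SHA-256 over the concatenated transactions
	Nonce    uint32
}

// DoubleSHA256 is the hash Bitcoin applies to block headers: SHA-256 twice.
func DoubleSHA256(data []byte) []byte {
	first := sha256.Sum256(data)
	second := sha256.Sum256(first[:])
	return second[:]
}

func (b *Block) headerBytes() []byte {
	var nonce [4]byte
	binary.LittleEndian.PutUint32(nonce[:], b.Nonce)
	hdr := make([]byte, 0, 68)
	hdr = append(hdr, b.PrevHash...)
	hdr = append(hdr, b.TxRoot...)
	return append(hdr, nonce[:]...)
}

// Hash is the block identifier; changing any header field changes it.
func (b *Block) Hash() []byte { return DoubleSHA256(b.headerBytes()) }

// Target is 2^(256-zeroBits): a hash strictly below it has at least zeroBits leading zeros.
func Target(zeroBits uint) *big.Int {
	return new(big.Int).Rsh(new(big.Int).Lsh(big.NewInt(1), 256), zeroBits)
}

// MeetsTarget reads the hash as a big-endian integer and compares it with the target.
func MeetsTarget(hash []byte, target *big.Int) bool {
	return new(big.Int).SetBytes(hash).Cmp(target) < 0
}

// Mine builds a block on prev and increments the nonce until the proof-of-work holds.
func Mine(prev []byte, txs []string, zeroBits uint) *Block {
	root := sha256.Sum256([]byte(strings.Join(txs, "\n")))
	b := &Block{PrevHash: prev, TxRoot: root[:]}
	target := Target(zeroBits)
	for !MeetsTarget(b.Hash(), target) {
		b.Nonce++
	}
	return b
}

// BuildChain mines one block per transaction list, linking each to its predecessor.
func BuildChain(blocks [][]string, zeroBits uint) []*Block {
	chain := make([]*Block, 0, len(blocks))
	prev := make([]byte, 32) // genesis links to an all-zero hash
	for _, txs := range blocks {
		b := Mine(prev, txs, zeroBits)
		chain = append(chain, b)
		prev = b.Hash()
	}
	return chain
}

// ValidateChain is what a node does with a chain it receives: every block must
// name the hash of the block before it and carry a valid proof-of-work.
func ValidateChain(chain []*Block, zeroBits uint) error {
	target := Target(zeroBits)
	want := make([]byte, 32)
	for i, b := range chain {
		if !bytes.Equal(b.PrevHash, want) {
			return fmt.Errorf("block %d: previous-hash link broken", i)
		}
		if !MeetsTarget(b.Hash(), target) {
			return fmt.Errorf("block %d: proof-of-work does not meet the target", i)
		}
		want = b.Hash()
	}
	return nil
}

func main() {
	const difficulty = 16 // about 65k hashes per block on average; trivial here, huge at network scale
	chain := BuildChain([][]string{
		{"coinbase -> miner A: 50 BTC"},
		{"coinbase -> miner B: 50 BTC", "A -> B: 5 BTC"},
		{"coinbase -> miner A: 50 BTC", "B -> C: 0.1 BTC"},
	}, difficulty)
	for i, b := range chain {
		fmt.Printf("block %d nonce=%-6d hash=%s\n", i, b.Nonce, hex.EncodeToString(b.Hash()))
	}
	fmt.Println("valid chain:", ValidateChain(chain, difficulty))
	// Rewriting history: altering block 0's transactions changes its hash, so block 1
	// no longer links to it (and block 0's own proof-of-work is void as well).
	chain[0].TxRoot[0] ^= 0xff
	fmt.Println("after tampering:", ValidateChain(chain, difficulty))
}
```

Tampering with a transaction in block 0 changes its hash, so block 1's link no longer matches and the whole chain is rejected; to make the edit stick an attacker would have to redo the proof-of-work for that block and every later one, which is what "miners add to the longest good chain" protects.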
31. Mining Activity Is Determined By Hard Economics
• Avalon ASIC Miner
• 75 GigaHash/sec
• Network speed: 140 TeraHash
• 0.05% of BTC network
• 0.05% of 3600 BTC /day = 1.8 BTC /day
• $200/day
Source: Dec. 2013 data self-reported by a miner
32. Verification (‘Mining’) includes a reward to the Miner
[Figure: unverified transactions (each consisting of a transfer of funds, a proof of ownership and a digital signature) arrive from the BitCoin P2P client network, are checked, and become verified transactions appended to the ‘Block Chain’ of verified transactions; the block also carries newly minted BTC that is owned by the miner.]
33. Many Miners compete to create the next block and reap the reward
[Figure: several miners each check the same pool of unverified transactions from the BitCoin P2P client network; the winner's verified transactions are ‘locked’ into the next block of the ‘Block Chain’ of verified transactions.]
34. Once in the block chain, the transaction is irreversible
[Figure: RHONDA the merchant (Account XYZ678) sees a chain of blocks, each holding transactions made of a transfer of funds, a proof of ownership and a digital signature.]
35. Use of BitCoin follows a pre-existing business agreement
RHONDA the merchant, Account XYZ678: “I accept BitCoin payment. 12 roses = 0.1 BTC. Account: XYZ678”
SAM the consumer, Account ABC123 with secret key Secret123: “Please send 12 roses to 839 Hilton Rd., Cville, VA. I am sending a transaction (from ABC123)”
36. Fund transfers use public key cryptography to ensure non-repudiation and integrity
SAM the consumer (Account ABC123, with secret key Secret123) pays RHONDA the merchant (Account XYZ678).
Transaction:
Proof of BTC ownership – Sender: RST234; Transfer to: ABC123; Amount: 5 BTC; Digital Signature: 973sdskhu9dft
Transfer of funds – Sender: ABC123; Transfer to: XYZ678; Amount: 0.1 BTC
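An added example, not the presentation's code, that turns slide 21's chain-of-ownership rule ("sign a hash of the previous transaction and the public key of the next owner") and the transaction shown above into a runnable check. It uses Go's standard-library ECDSA on NIST P-256 instead of Bitcoin's secp256k1, treats RST234, ABC123 (Sam) and XYZ678 (Rhonda) as freshly generated key pairs, and simplifies each transfer to a single input with no change output.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Added example, not from the presentation: slide 21's rule (sign a hash of the
// previous transaction and the next owner's public key) applied to the Sam/Rhonda
// scenario of slide 36. Assumptions: NIST P-256 stands in for Bitcoin's secp256k1
// (not in Go's standard library), amounts are satoshis, no change outputs.
const BTC uint64 = 100_000_000

type Transfer struct {
	PrevHash  []byte           // hash of the transfer that gave Sender the coins; nil for a coinbase
	Sender    *ecdsa.PublicKey // current owner; nil for a coinbase (newly minted coins)
	Recipient *ecdsa.PublicKey // next owner
	Amount    uint64
	Sig       []byte // ASN.1 ECDSA signature by Sender over Hash()
}

// Hash is the digest the current owner signs: previous transfer, next owner, amount.
func (t *Transfer) Hash() []byte {
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], t.Amount)
	h := sha256.New()
	h.Write(t.PrevHash)
	h.Write(elliptic.MarshalCompressed(t.Recipient.Curve, t.Recipient.X, t.Recipient.Y))
	h.Write(amt[:])
	return h.Sum(nil)
}

// Spend hands the coins received in prev to `to`, signed with the owner's private key.
func Spend(prev *Transfer, owner *ecdsa.PrivateKey, to *ecdsa.PublicKey, amount uint64) (*Transfer, error) {
	t := &Transfer{PrevHash: prev.Hash(), Sender: &owner.PublicKey, Recipient: to, Amount: amount}
	sig, err := ecdsa.SignASN1(rand.Reader, owner, t.Hash())
	if err != nil {
		return nil, err
	}
	t.Sig = sig
	return t, nil
}

// VerifyChain is what a peer checks before accepting a transfer: each link must name
// the link before it, be signed by the key that link paid, and not overspend it.
func VerifyChain(chain []*Transfer) error {
	if len(chain) == 0 || chain[0].Sender != nil || chain[0].PrevHash != nil {
		return fmt.Errorf("chain must start with a coinbase")
	}
	for i := 1; i < len(chain); i++ {
		t, prev := chain[i], chain[i-1]
		switch {
		case !bytes.Equal(t.PrevHash, prev.Hash()):
			return fmt.Errorf("transfer %d: does not reference the previous transfer", i)
		case t.Sender == nil || !t.Sender.Equal(prev.Recipient):
			return fmt.Errorf("transfer %d: signer is not the current owner", i)
		case t.Amount > prev.Amount:
			return fmt.Errorf("transfer %d: spends %d but only %d was received", i, t.Amount, prev.Amount)
		case !ecdsa.VerifyASN1(t.Sender, t.Hash(), t.Sig):
			return fmt.Errorf("transfer %d: signature does not verify", i)
		}
	}
	return nil
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// Scenario: RST234 paid Sam 5 BTC earlier; Sam now pays Rhonda 0.1 BTC for 12 roses.
// It also returns a forged transfer in which someone without Sam's key claims Sam's
// coins. Keys are generated fresh on every run; the account names are the slide's.
func Scenario() (honest []*Transfer, forged *Transfer, err error) {
	rst, sam, rhonda, thief := newKey(), newKey(), newKey(), newKey()
	mint := &Transfer{Recipient: &rst.PublicKey, Amount: 50 * BTC} // coinbase: no sender, no signature
	toSam, err := Spend(mint, rst, &sam.PublicKey, 5*BTC)
	if err != nil {
		return nil, nil, err
	}
	toRhonda, err := Spend(toSam, sam, &rhonda.PublicKey, BTC/10)
	if err != nil {
		return nil, nil, err
	}
	if forged, err = Spend(toSam, thief, &thief.PublicKey, 5*BTC); err != nil {
		return nil, nil, err
	}
	forged.Sender = &sam.PublicKey // poses as Sam, but the signature was made with another key
	return []*Transfer{mint, toSam, toRhonda}, forged, nil
}

func main() {
	honest, forged, _ := Scenario()
	fmt.Println("honest chain:", VerifyChain(honest))
	fmt.Println("forged spend:", VerifyChain([]*Transfer{honest[0], honest[1], forged}))
}
```

The forged transfer shows why the secret key matters: anyone can name Sam as the sender and reference his incoming 5 BTC, but without Secret123 the signature over that transfer cannot be produced, and every peer that replays the chain rejects it.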
37. Transactions are propagated through a P2P network
[Figure: SAM the consumer (Account ABC123) broadcasts the transaction (transfer of funds, proof of ownership, digital signature) to the BitCoin P2P client network, where it is relayed from node to node until it reaches RHONDA the merchant (Account XYZ678).]
38. • The peers verify the ownership of funds using the block chain
[Figure: nodes of the BitCoin P2P client network check each unverified transaction against the ‘Block Chain’ of verified transactions; verified transactions are ‘locked’ into the next block of the block chain of transactions.]
40. Anatomy of a ransomware attack
Installation via an exploit kit or spam with an infected attachment
Once installed, the ransomware modifies the registry keys.
Contact with the command & control server of the attacker
The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.
Encryption of assets
Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.
Ransom demand
A message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to.
And gone
The ransomware will then delete itself, leaving just the encrypted files and ransom notes behind.
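The shadow-copy deletion in the encryption stage above is one of the few observable steps before data is lost, so here is an added detection example (not from the presentation) that scans process-creation records for the documented Windows ways of removing Volume Shadow Copies. The record format (time | host | user | parent image | command line) and the five log lines are constructed for this example; real telemetry carries the same fields under other names.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not from the presentation: a detection check for the "shadow
// copies are often deleted to prevent data recovery" stage of the attack anatomy.
// It scans process-creation records for the documented Windows ways of removing
// Volume Shadow Copies. The record format (time | host | user | parent image |
// command line) and the sample lines below are constructed for this example.

type ProcessEvent struct {
	Time, Host, User, Parent, CommandLine string
}

type Finding struct {
	Event  ProcessEvent
	Reason string
}

// Every token of a rule must appear in the lower-cased, whitespace-normalised
// command line. "vssadmin list shadows" matches none of them on purpose: listing
// is routine administration, deleting is not.
var shadowCopyRules = []struct {
	Reason string
	Tokens []string
}{
	{"vssadmin deleting shadow copies", []string{"vssadmin", "delete", "shadows"}},
	{"wmic deleting shadow copies", []string{"wmic", "shadowcopy", "delete"}},
	{"PowerShell removing Win32_ShadowCopy objects", []string{"win32_shadowcopy", "remove-wmiobject"}},
}

// ParseEvent splits a record on the first four pipes only, so a pipe inside the
// command line (a PowerShell pipeline, for instance) stays part of the command.
func ParseEvent(line string) (ProcessEvent, bool) {
	parts := strings.SplitN(line, "|", 5)
	if len(parts) != 5 {
		return ProcessEvent{}, false
	}
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	return ProcessEvent{parts[0], parts[1], parts[2], parts[3], parts[4]}, true
}

func normalise(cmd string) string {
	return strings.ToLower(strings.Join(strings.Fields(cmd), " "))
}

// Classify returns the reason of the first matching rule, if any, for one event.
func Classify(ev ProcessEvent) (string, bool) {
	cmd := normalise(ev.CommandLine)
	for _, rule := range shadowCopyRules {
		matched := true
		for _, tok := range rule.Tokens {
			if !strings.Contains(cmd, tok) {
				matched = false
				break
			}
		}
		if matched {
			return rule.Reason, true
		}
	}
	return "", false
}

// Scan parses each line and collects the events that trip a rule; malformed
// lines are skipped rather than silently treated as benign.
func Scan(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		ev, ok := ParseEvent(line)
		if !ok {
			continue
		}
		if reason, hit := Classify(ev); hit {
			findings = append(findings, Finding{ev, reason})
		}
	}
	return findings
}

// SampleEvents are constructed records: a browser launch, two deletions spawned by a
// file run from a user's temp folder, a harmless listing, and a PowerShell pipeline
// whose command line itself contains a pipe.
var SampleEvents = []string{
	`2016-08-11T09:12:03Z | WS-0142 | CORP\jdoe | C:\Windows\explorer.exe | "C:\Program Files\Mozilla Firefox\firefox.exe"`,
	`2016-08-11T09:12:41Z | WS-0142 | CORP\jdoe | C:\Users\jdoe\AppData\Local\Temp\invoice_scan.exe | vssadmin.exe  Delete Shadows /All /Quiet`,
	`2016-08-11T09:12:42Z | WS-0142 | CORP\jdoe | C:\Users\jdoe\AppData\Local\Temp\invoice_scan.exe | wmic.exe shadowcopy delete`,
	`2016-08-11T09:15:00Z | WS-0142 | CORP\jdoe | C:\Windows\System32\cmd.exe | vssadmin list shadows`,
	`2016-08-11T09:30:00Z | SRV-BK01 | CORP\backupsvc | C:\Windows\System32\svchost.exe | powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"`,
}

func main() {
	for _, f := range Scan(SampleEvents) {
		fmt.Printf("%s %s %s parent=%s: %s\n", f.Event.Time, f.Event.Host, f.Event.User, f.Event.Parent, f.Reason)
	}
}
```

Listing shadow copies is left alone, and the parent image is kept in each finding because a deletion spawned by a file in a user's temp directory calls for a different response from one launched under a backup service account; in a real deployment the same rule set would sit on the endpoint telemetry feed rather than on a static list.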
41. Step 1: Locate the Payment Method Instructions
• This step can be fairly easy since most ransomware will display the payment
methods in large text or very clear instructions.
• Typically there will be a link to instructions right in the ransomware screen.
• In other cases you will have a file named something like
DECRYPT_INSTRUCTIONS.TXT that you can follow.
• Regardless of the specific version of ransomware you’ve been hit with, the payment
instructions will give you three pieces of information:
How much to pay
Where to pay
Amount of time left to pay the ransom (countdown timer)
Once you have the above information, it’s time to figure out how to pay the
ransom.
44. Step 2: Obtaining Bitcoin
• Set up an account with a Bitcoin exchange; you will need to purchase some Bitcoin.
• Deciding which exchange to use can be tricky, because some require banking information, while others are more of a brokerage site between people wanting to buy and sell Bitcoin.
• In some cases you can even transact in person! In any case, you’ll have to create an account, for example at http://www.CoinBase.com.
• Once you’ve created an account, you’ll likely have a Wallet Address. This
is the address you’ll need to provide to the person you’re buying the
Bitcoin from.
45. Installing a TOR Browser
• To download the TOR browser, navigate to http://www.torproject.org and click the
download button. (Do not download a TOR browser from any other website)
• Ransomware creators often host their sites in very temporary locations in the TOR
network and you may be forced to use the TOR browser to navigate to the
site created specifically with your payment instructions.
• This is done so that the hackers can take down the site immediately after it is
done being used and avoid any public tracking that would come with using normal
hosting in your typical world-wide-web.
• The website “address” given to you by the ransomware may look very odd, and it will usually be located in the decrypt instructions or on the main screen.
46. Step 4: Paying the Ransom
• Once you have a Bitcoin (or more) in your Bitcoin wallet, now it’s time to transfer that
Bitcoin to the wallet of the ransomware creator.
• Typically paying the ransom will require one or more of the following pieces of
information:
A web address to view your specific ransomware payment information (this may be
a TOR address).
The hacker’s BTC wallet ID that you will use to transfer the BTC to.
Depending on ransomware, the transaction ID or “hash” generated when you
actually transfer the BTC to the hacker’s wallet.
47. Step 4: Paying the Ransom
• Once you’ve logged into your account at the Bitcoin Exchange and transferred the
Bitcoin to the hacker’s wallet (this may take some time, 20-40 minutes) then you
usually get a transaction confirmation hash, which is another long series of letters
and numbers.
• Depending on the type of ransomware you’ve been hit with, you may need to
provide the transaction hash ID to the hackers.
• Ransomware will usually have a field where you can type in or paste the transaction
hash ID.
48. Step 5: Decrypting Your Files
• Once you’ve paid the Bitcoin to the hackers, you will probably have to wait for
a bit of time (up to several hours) before they have processed the transaction.
• Once the hackers have processed the transaction, they should give you
access to the unique executable with the key that starts decrypting your files.
50. Theoretical & Technical Problems Which Go Against the Use of Bitcoin:
• Illegal activities, speculation and the nature of this currency.
• Theoretical base for digital currency usage.
• Regulation and taxation issues.
• Disputable status of an independent and decentralized currency.
• Mining problems.
• Skepticism towards the implementation of new, unregulated technologies in the finance sphere.
51. Illegal Activities, Speculation And Nature Of Bitcoin Currency
• Can a currency be anonymous and transparent at the same time?
• Why would somebody give you approximately $27,000 for solving impractical mathematical equations?
• According to Forbes (2014), currently more than 90 percent of bitcoin accounts are in a buy-and-hold mode!
“At some point in the growth of a boom all aspects of property ownership become irrelevant except the prospect for an early rise in price. Income from the property, or enjoyment of its use, or even its long-run worth is now academic.”
J. K. Galbraith (The Great Crash 1929)
52. Legality of Bitcoin by country
• PERMISSIVE
• CONTENTIOUS
• HOSTILE
• UNKNOWN
Source: bitlegal.io
53. Does Bitcoin Need Regulation?
• Guns don’t kill people…people do!
• Bitcoins don’t buy drugs … people do!
• Regulation not so much about use…. but
Consumer protection
Anti-money laundering
Anti-tax evasion
54. International Acceptance?
• Germany - Bitcoin should be considered as “private money”
• EU – warning re fraud, tax evasion, crimes
• UK – not treated as money …but subject to VAT
• Belgium – no regs
• France – no action
• Finland – issued regulatory guide and capital gains tax
• Sweden – bitcoin a means of payment; registration for exchanges
• Slovenia – pro bitcoin; not currency or financial instrument; taxable
• China – prohibitions on financial institutions/payment processors
• Singapore - pro bitcoin; taxable
55. Silk Road Website
• A black market website that began on the TOR network starting
in February of 2011.
• Bitcoin predates Silk Road.
• Transactions are paid for with Bitcoin.
• Uses an escrow system to reduce abuse.
• Looks like eBay, but most things are illegal—most notably, drugs.
• Shut down by the FBI on 10/2/2013 and a suspected leader (Dread Pirate Roberts) was arrested.
• Many millions of dollars worth of BTC were confiscated from
people all over the world, even if they broke no laws.
• On 11/6/2013 the website re-opened as 2.0, apparently with
new management.
• Silk Road is only the most successful marketplace for black
market goods.