SPOT: Analyzing IoT Ransomware Attacks using Bare Metal NAS Devices

Yasui, Hirofumi; Inoue, Takahiro; Sasaki, Takayuki; Tanabe, Rui; Yoshioka, Katsunari; Matsumoto, Tsutomu

doi:10.1109/asiajcis57030.2022.00013

Cited by 2 publications

(1 citation statement)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Such a strong association implies that the successful deployment or functioning of CryptoLocker might heavily rely on the presence, support, or capabilities offered by the Blacklist malware. From a cybersecurity standpoint, this association emphasizes the collaborative or interdependent nature of various malware families in ransomware campaigns [73], [74]. Understanding these connections between ransomware strains and their associated malware allows cybersecurity professionals to decipher the intricate workings of these threats.…”

Section: MImentioning

confidence: 99%

RFSA: A Ransomware Feature Selection Algorithm for Multivariate Analysis of Malware Behavior in Cryptocurrency

Nkongolo Wa Nkongolo

2024

IJCDS

View full text Add to dashboard Cite

This research introduces innovative features tailored to capture distinctive characteristics of ransomware activity within the cryptocurrency ecosystem. The study employs a multifaceted analysis to delve into ransomware-related data encompassing transaction metadata, ransom analysis, behavioral patterns, and financial aspects. A feature selection algorithm is explored to discern ransomware transactions in Bitcoin (BTC) and the United States Dollar (USD) using the UGRansome dataset. This comprehensive dataset of ransomware-related transactions facilitates the proposal of novel features designed to capture the unique traits of ransomware activity. The correlation matrix and temporal analysis of these features contribute to a nuanced understanding of the dynamic nature of ransomware threats. The research presents the Ransomware Feature Selection Algorithm (RFSA) based on Gini Impurity and Mutual Information (MI) to effectively select crucial ransomware features. Evaluation metrics such as precision, recall, accuracy, and F1 score highlight the effectiveness of the RFSA. The analysis reveals that approximately 68% of ransomware incidents involve BTC transactions ranging from 1.46 to 2.56, with an average of 2.01 BTC transactions per attack. Moreover, ransomware causes financial damages ranging from 4.38 to 172.36 USD, with an average damage of 88.37 USD. The RFSA identifies 17 ransomware types and their associated malware to shed light on their characteristics. The study investigates the pricing of ransomware and reveals that TowerWeb is associated with the highest fee, amounting to 135.26 BTC, while CryptoLocker has the lowest fee, recorded at 10.51 BTC. Additionally, the impact of ransomware duration on financial gains and network flow is investigated, disclosing a correlation between extended duration and higher financial gains. The research achieves outstanding performance metrics, including an MI score of 95%, accuracy of 93%, recall of 92%, and precision of 89%. These results showcase the superiority of the proposed approach over existing studies, emphasizing the dynamic and adaptable nature of ransomware demands. The findings suggest that there is no fixed amount for specific cyberattacks. This underscores the importance of adapting to the evolving landscape of ransomware threats.

show abstract

Section: MImentioning

confidence: 99%

RFSA: A Ransomware Feature Selection Algorithm for Multivariate Analysis of Malware Behavior in Cryptocurrency

Nkongolo Wa Nkongolo

2024

IJCDS

View full text Add to dashboard Cite

show abstract

SPOT: In-depth Analysis of IoT Ransomware Attacks Using Bare Metal NAS Devices

Yasui,

Inoue,

Sasaki

et al. 2024

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

Ransomware attacks targeting Network Attached Storage (NAS) devices have occurred steadily in the threat landscape since 2019. Early research has analyzed the functionality of IoT ransomware binaries but failed to reveal its operation and attack infrastructure. In this paper, we propose an attack observation system named SPOT, which uses popular bare metal NAS devices, QNAP, as the honeypot and the malware sandbox to conduct an in-depth analysis of IoT ransomware attacks. During the six-month observation from September 2021 to March 2022, we observed on average, 130 hosts per day accessing from the Internet to compromise the NAS devices. Moreover, we executed 48 ransomware samples downloaded from VirusTotal in the SPOT sandbox. We identified seven remote Onion proxy servers used for C&C connection and successfully observed three samples infecting the NAS device to connect them to the C&C server behind the TOR network. The ransom notes gave two kinds of contact points; instruction web pages and email addresses. Though the email addresses were not reachable, we could access the instruction website. We kept monitoring the website and observed a "30% discount campaign" for ransom payments. We also interacted with the threat actor via online support chat on the website, but we were banned from the channel because we asked about their organization. We observe that the degree of automation in the attack operation is much higher compared to the carefully tailored and targeted ransomware attacks. While each case of successful ransom payment is limited to 0.03 BTC, the automated nature of the attacks would maximize the frequency of such successful cases.

show abstract

SPOT: Analyzing IoT Ransomware Attacks using Bare Metal NAS Devices

Cited by 2 publications

References 1 publication

RFSA: A Ransomware Feature Selection Algorithm for Multivariate Analysis of Malware Behavior in Cryptocurrency

RFSA: A Ransomware Feature Selection Algorithm for Multivariate Analysis of Malware Behavior in Cryptocurrency

SPOT: In-depth Analysis of IoT Ransomware Attacks Using Bare Metal NAS Devices

Contact Info

Product

Resources

About