The dynamic analysis of WannaCry ransomware

Kao, Da-Yu; Hsiao, Shou-Ching

doi:10.23919/icact.2018.8323681

Cited by 26 publications

(23 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While the Dark Web was first proposed to support the freedom of the press and guarantee open discussions without political pressure [49], it is also misused for malicious purposes, such as advertising harmful content [34], [30] and command-and-control servers (C&C). For example, an e-commerce market in the Dark Web is known as one of the major drug trading sites [13], [22], and WannaCry malware, one of the most notorious ransomware, has actively used the Dark Web to operate C&C servers [50]. Cryptocurrency also presents a similar situation.…”

Section: Introductionmentioning

confidence: 99%

Cybercriminal Minds: An investigative study of cryptocurrency abuses in the Dark Web

Lee

Yoon

Kang

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The Dark Web is notorious for being a major distribution channel of harmful content as well as unlawful goods. Perpetrators have also used cryptocurrencies to conduct illicit financial transactions while hiding their identities. The limited coverage and outdated data of the Dark Web in previous studies motivated us to conduct an in-depth investigative study to understand how perpetrators abuse cryptocurrencies in the Dark Web. We designed and implemented MFScope, a new framework which collects Dark Web data, extracts cryptocurrency information, and analyzes their usage characteristics on the Dark Web. Specifically, MFScope collected more than 27 million dark webpages and extracted around 10 million unique cryptocurrency addresses for Bitcoin, Ethereum, and Monero. It then classified their usages to identify trades of illicit goods and traced cryptocurrency money flows, to reveal black money operations on the Dark Web. In total, using MFScope we discovered that more than 80% of Bitcoin addresses on the Dark Web were used with malicious intent; their monetary volume was around 180 million USD, and they sent a large sum of their money to several popular cryptocurrency services (e.g., exchange services). Furthermore, we present two real-world unlawful services and demonstrate their Bitcoin transaction traces, which helps in understanding their marketing strategy as well as black money operations.

show abstract

Section: Introductionmentioning

confidence: 99%

Cybercriminal Minds: An investigative study of cryptocurrency abuses in the Dark Web

Lee

Yoon

Kang

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Wannacry (Mohurle and Patil (2017)) is a famous ransomware global attack that stroke in May 2017. The hackers used the EternalBlue exploit, see Kao and Hsiao (2018). The ransomware propagated via Microsoft Windows users who did not patched their system against this vulnerability.…”

Section: Calibration Of a Wannacry-type Scenariomentioning

confidence: 99%

Propagation of cyber incidents in an insurance portfolio: counting processes combined with compartmental epidemiological models

Hillairet

Lopez²

2021

Scandinavian Actuarial Journal

View full text Add to dashboard Cite

In this paper, we propose a general framework to design accumulation scenarios that can be used to anticipate the impact of a massive cyber attack on an insurance portfolio. The aim is also to emphasize the role of countermeasures in stopping the spread of the attack over the portfolio, and to quantify the benefits of implementing such strategies of response. Our approach consists of separating the global dynamic of the cyber event (that can be described through compartmental epidemiological models), the effect on the portfolio, and the response strategy. This general framework allows us to obtain Gaussian approximations for the corresponding processes, and sharp confidence bounds for the losses. A detailed simulation study, which mimics the effects of a Wannacry scenario, illustrates the practical implementation of the method.

show abstract

“…After making an in-depth analysis, we confirmed that the detected domain is indeed malicious. Specifically, in [56], the authors performed a dynamic analysis of WannaCry ransomware, and showed that the domain was an indicator of compromise for WannaCry ransomware. Other security researchers such as Benkow and Matt Suiche confirmed this claim.…”

Section: F Live Streaming Analysis In a Production Environmentmentioning

confidence: 99%

ARBA: Anomaly and Reputation Based Approach for Detecting Infected IoT Devices

et al. 2020

View full text Add to dashboard Cite

Today, cyber attacks are constantly evolving and changing, which makes them harder to detect. In particular, detecting attacks in large-scale networks is very challenging because they require high detection rates under real-time resource constraints. In this paper, we focus on detecting infected Internet of Things (IoT) hosts from domain name system (DNS) traffic data. IoT hosts, such as streaming cameras, printers, air conditioners, are hard to protect, unlike PCs and servers. Enterprises are often unaware of the devices which are connected to the network, their types, makes, and vulnerabilities. Since IoT hosts make use of the DNS protocol, analyzing DNS data can give a broad view of malicious activities, because they abuse the DNS protocol and leave fingerprints as part of their attack vector. In this collaborative research between Ben-Gurion University, and IBM, we establish a novel algorithm to detect infected IoT hosts in large-scale DNS traffic, named Anomaly and Reputation Based Algorithm (ARBA). Its novelty resides in developing a framework that combines host classification and domain reputation in a real-time production environment. ARBA is highly computational efficient and meets real-time requirements in terms of run time and computational complexity. By contrast to existing algorithms, it does not require a massive traffic volume for training, which is of significant interest in detecting infected hosts in real-time. The research was conducted on real live streaming data from IBM internal network traffic, and confirm the algorithm's strong performance in a real-time production environment. INDEX TERMS Cyber security, anomaly detection, domain name system (DNS), detection algorithms, real-time algorithms.

show abstract

The dynamic analysis of WannaCry ransomware

Cited by 26 publications

References 0 publications

Cybercriminal Minds: An investigative study of cryptocurrency abuses in the Dark Web

Cybercriminal Minds: An investigative study of cryptocurrency abuses in the Dark Web

Propagation of cyber incidents in an insurance portfolio: counting processes combined with compartmental epidemiological models

ARBA: Anomaly and Reputation Based Approach for Detecting Infected IoT Devices

Contact Info

Product

Resources

About