Research on a knowledge-powered cross-domain investigation of cyber-extortion operators

Fueled through the protections afforded by anonymous payment systems such as Bitcoin, cyberextortion has emerged as a lucrative cyber-criminal business model. Globally, schemes such as ransomware wreak havoc on organizations, individuals, and even governments, with little or no help from law enforcement to combat these crimes. Unfortunately, despite the high visibility of these crimes and the billions of dollars that are produced, little is known about the underlying flow and dissemination of the extorted currency once paid by the victims. In this paper, we describe a cross-domain investigation framework to analyze the links among crimeware operators and their extortion campaigns. We highlight the utility of the system through case studies of multiple cybercrime syndicates, beginning with Clop, a recent ransomware campaign. Our system, eXposé, was able to successfully characterize 3rd-party entities that the operator(s) of Clop have dealt with. This is done by mining Bitcoin transactions and fusing this information with other transactions captured within an entity-graph knowledge base that is constructed by our system. Using eXposé, we present an analysis that shows that the Clop operator(s) were involved in multiple extortion campaigns, and by grouping scam-related addresses eXposé reveals a distribution of funds managed by these operators that is currently at more than 11K BTC (approximately 96.7 Million U.S. dollars at the current exchange rate in November 2019). We also present case studies that reveal close inter-connections to entities from other cyber-criminal operations, including the Necurs botnet, scam-based extortion campaigns and The Shadow Brokers.
Advisors
Shin, Seungwon (신승원)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2020
Identifier
325007
Language
eng
Description

Thesis (Master's) - Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering, 2020.2, [iv, 29 p.]

Keywords

cyber investigation; cyber crime; ransomware; bitcoin; knowledge base

URI
http://hdl.handle.net/10203/284716
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=911325&flag=dissertation
Appears in Collection
EE-Theses_Master (Master's Theses)
Files in This Item
There are no files associated with this item.
