Thank you very much, Phil. So, the black eye actually came from a hockey injury

(ethereal music) (clapping) – Thank you very much, Phil. So, the black eye actually came from a hockey injury. It was not ransomware related I’m happy to say. But here, if you want to see what I look like without the black eye, it’s right here for you in full high definition. So, my name is Kevin Perlow, I currently work at Booz Allen Hamilton, and I’m a malware analyst. I do cyber threat intelligence along with some threat hunting, some host forensics, a nice mix of things. I went to school at Georgetown University actually for business and just sort of worked my way into this industry. Thought it was a little bit more interesting. So, what we have here is we’re gonna be talking about transactions on the blockchain, but we’re not just gonna be talking about Bitcoin transactions. That’s gonna be our primary focus. A little later on we’re gonna talk about Namecoin transactions as well ’cause that’s something you’re gonna start to see a little more nowadays. So the first thing is, well, what is a blockchain? A lot of the time people talk about the blockchain, and when they do that they mean the Bitcoin blockchain. But a blockchain itself, it’s just a series of recorded transactions on a public ledger that’s decentralized. So, a way to think about this, and using Bitcoin as an example, if I wanted, so my brother’s here in the audience, if I wanted to pay him a dollar right now, all of you would watch me do that and so you would all agree that it happened, we would record it to a database and that transaction, no one could ever dispute that it took place. With a blockchain, what you do is when you have enough of these new transactions and new data, you put it on a block and from there you take a hash of the previous block of data, and you put it in this new block and you store it. And that’s how it builds on itself. That’s all a blockchain is. If you’re interested in the cryptography behind a blockchain go to the RSA conference, we’re not gonna talk about it here. 
But, if you wanna talk about some other things you can do besides monetary transactions, we have medical records, you could potentially use blockchain technology for this, although I think after this presentation you’ll agree that that’s a horrible idea. You can do currency, which we mentioned, and you can do DNS, domain name system, where you have a decentralized domain name system and so you have some resiliency behind your domain. So, Bitcoins have become the de facto currency for really any sort of illegal activity on the internet, but it was designed to just be an anonymous, or pseudo-anonymous, way to conduct transactions. So, Bitcoins are built around something called Bitcoin wallets and Bitcoin addresses. You can think of a Bitcoin wallet as something that holds a lot of prepaid debit cards, which would be the Bitcoin addresses. And there is something very interesting here. If you go to a store, when you purchase a good or product from that store you might only turn over, if you have $20 on one of these prepaid debit cards, you might only turn over 15 of those dollars. But with Bitcoins, you turn over the whole 20, and then it sends part of it back to you as change. And so the way that it goes back as change, it can either be to the same address that sent it to the recipient address, or it could go to a different address. And that all just depends on how your Bitcoin wallet is configured and which Bitcoin wallet system you’re using. That particular nuance is gonna be important for tracking some of these things down. And so I have that captured here. Two different examples, the one on the top, let’s assume you’re buying a banned book for a Bitcoin. You might send 20 Bitcoins over, one would come back to the same Bitcoin address. Alternatively, you have the example on the bottom where you send 20 Bitcoins over, 19 go back to the … Sorry, I misspoke on the first one, 19 go back to the first Bitcoin address. 
On the second one, 19 go back to the second Bitcoin address, it’s a totally different address. And, you know, the theory behind this is that it makes it a little harder to tell who received versus who gave the money in a transaction. So, that’s what we’re gonna jump into here is how do we track these transactions. There are really only two resources that we’re gonna need. The first is Blockchain.info. It has an API, it’s very useful. It tracks all Bitcoin transactions, and it records the timestamps for them, it records the addresses that were sending money, addresses receiving money. And what we can do with that is, anytime you have an address from a ransom payment you can just throw it in there and see what you find. The other tool is going to be Wallet Explorer. It does the same thing, but the purpose behind Wallet Explorer, and the interface behind Wallet Explorer, is instead to correlate the addresses into certain wallets, and in some cases to identify those wallets with Bitcoin exchanges, or other major Bitcoin entities. So, they do two different things, they work very well in tandem. The person that made Wallet Explorer actually now works for Chainalysis, which you can think of as the premium version of this. So we’re gonna be using both of those tools. So we’re gonna start simple. We’re gonna use something called the Globe ransomware. This is not a major ransomware family, but it illustrates what we’re doing pretty well. So I did redact the personal key, but you can imagine having one of these messages show up on your screen, and I think most of the people in this room have either handled an incident, or you do malware analysis, you’re familiar with these. There’s also … What this message says, it says to go email [email protected] and if you email him and you tell him you’ve been infected, and you give him your ID, which we redacted here, he’ll go ahead and he’ll give you a Bitcoin address. 
And you can also see that there’s a price of point five Bitcoins that you’re gonna have to pay. The first thing if you’re handling one of these incidents, just to kind of, as a bit of a side note, you wanna look up that email address because you wanna see, you wanna get a sense of has this guy been around doing anything else. Has he used other ransomware families – and he has. Do we know any other TTPs associated with him, because we ultimately don’t want to just decrypt our files, we want to prevent this from happening again. This person, we suspect, is primarily associated with RDP brute force attacks, maybe even PsExec remote, reports, attacks. So we got that address from him, it’s at the top, right under the title here, the 1Hyas, and we throw it in Blockchain.info and this is what you get, and this isn’t a full list, I snipped some out of the middle. But you can see that there were other people who paid 0.5 Bitcoins. So the good news is other people are paying this person, you’re probably gonna get your files back if you were to make a payment and get the decrypter, it’ll probably work. The bad news is other people are paying this guy, I believe it’s 1.5 Bitcoins sorry, other people are paying this guy and, so you probably do also need to pay him to get your files back, there probably isn’t a free decrypter out there otherwise who would bother. The next thing you wanna do is you wanna post this on Wallet Explorer. So on this screen you can see that total received, but on Wallet Explorer you get a whole list of all the transactions that this person’s had, and so the output from Wallet Explorer is on the left part of the slide. You can dump it as a CSV, which shows up on the right part of the slide. And what we can do here is take inventory of what he’s been receiving. 
So, we’re interested in probable ransom income, that’s gonna be ransom, or that’s gonna be payments to this Bitcoin wallet where the amount was exactly the same as in the ransom note, and we come up with 24 of those. Another metric I had, because we’re really just estimating here, is what about possible ransom income? The possible ransom income is the metric I came up with was anything that was four digits or fewer. So, if someone paid 1.75 that might be a ransom payment, that’s a pretty specific amount. In the cyber criminal underground, even though they use Bitcoins for these transactions, they typically peg the Bitcoin to some sort of currency value, often USD. And so what you’re gonna see instead for more of a business-like transaction that’s not a ransomware transaction, you’ll see something like 1.7829, some longer number like that. So that’s where we came up with the other number. Now you might say this is a pretty wide range, it’s a factor of two, but what I find, and what we’ll see when we go into the Locky example coming up in a second, is it’s really an order of magnitude that we’re concerned about. So, this guy, we’re talking in the 10s of 1000s of dollars, maybe up to $50,000 is what he’s received over the many months that he’s been doing this, about six months, a year to date. So that’s good. I mean this doesn’t tell us a whole lot, but it illustrates the point in how to use these tools. What we’re a little more interested in is gonna be this Locky ransomware example. This is one of my favorite ones. So, what’s interesting here is we’re gonna see a sense of scale. So, Locky ransomware came out in January, February 2016, it was famous for hitting a hospital. And a hospital has to stay in operations, so they had no choice but to pay the ransom. And this Locky example, what we’re gonna find is they’re not alone, a lot of people have paid this. 
So on the bottom right of this screen is gonna be the Bitcoin address that you would have to pay for this particular Locky instance. But what I have to point out is that for the Locky ransomware, and for a lot of other sophisticated cyber crime, or cyber crime group affiliated ransomware, where it’s not just one actor, these are generated server side and they’re generated unique to each instance of Locky. So, what that means is when you first get this address it’s gonna be blank. I should also say, this was one provided by another security analyst, I do just wanna thank them for contributing this. They didn’t want me to say who they were. But it is, we couldn’t do this type of analysis without having this happen. So, because it’s a unique Locky Bitcoin address, in order for us to get any data out of this someone has to pay it. And, so that, once someone pays it the criminal then has to move the money because otherwise they wouldn’t be able to use it, they wouldn’t be able to cash it out, and it would be a totally worthless exercise for everybody involved. And it happens here. On the bottom left we have our victim, on the bottom right we have that money being paid. Then it, this is just the default interface for Blockchain.info, on the top left the money moves again, and it moves as part of a much larger, I think 80 Bitcoin transaction. And what that means is there were other Bitcoin addresses involved in this. So our next step here is where things start to get interesting. We wanna map out the blockchain. That might seem like a daunting task, and it is, but here you go. So, on the left there’s a script that’s on GitHub that you can use to do this, you plug in an address and it’ll map this out in Graphviz format. But we see some very interesting things just looking at this, and I know you can’t read them, we’ll get to that in a second, we’ll zoom in. 
But, on the left, the circles on the left, or the ovals on the left, are gonna be people paying, those are gonna be the victims. In the middle those are those intermediate addresses, and then on the right, if we go back here, there we go, on the right are gonna be those two addresses that received the money, it turns out other addresses are also funneling money into these two points. So, we’re interested in those, and that’s where we’re gonna do our exploration. But first, someone earlier had an enhance button, so do I and mine’s better, it has a red box. So we have, this is one of the other sections on that graph, and we’ve identified just by throwing this into Blockchain.info, we’ve identified another possible ransom payment because we have two Bitcoins, that’s around the right amount for, or three Bitcoins, whatever, it’s around the right amount for a ransomware payment. And if you go and you look at the other ones you’ll find the same thing over and over and over again. So we do wanna dive into where this money’s going. So we throw it into Wallet Explorer and what do we have? Well, we have that this, one of these receiving addresses is part of a much larger list and it’s received 81 pages on Wallet Explorer worth of transactions. This is a lot. In fact this is a very very very very large number for a non Bitcoin exchange. You can also see, it’s a little hard to read the numbers on there, but you can see a lot of single digit numbers, those are gonna be three, four, two, five, those are about the right amount for a ransomware payment. And so if you go through all 80 pages of this, that’s what you find over and over again is that these guys since January 2016, conveniently when Locky came out, all the way through October 2016, and then they took a bit of a break, and then in January 2017, were receiving these ransom payments. So our next question here is well what, you know, what does this all mean? Like what can we do with this data? 
The first thing I wanna do is come up with some estimate of how much money they’ve made. There are, there’s a couple different ways, there’s a conservative one, so only transactions by .25, the one from before, the four characters in length, and then one where we just add them all up and we can do that. They’ve never even received any increment over 10 Bitcoins. So it’s entirely possible everything here was a ransom payment. And so you can see the numbers there, I tend to think we’re talking somewhere between 13 and 14,000 Bitcoins on this. I’m sure other people have paid them for other things, but the point stands, even back in 2016 Bitcoin currency value, we were looking at over $10,000,000 from January through October. That’s crazy, and when you do the victim count you’re looking at 6,000, 8,000 victims that have paid. That’s not even the people that were just infected with it, and couldn’t figure out how to pay, or just said I’m not gonna pay. That number, they have targets on the cyber criminal underground for these things, but that number could easily be 5% of the total infections. It could be even less than that. We, that part we just don’t know. The point is this is such a huge scale. So how does this help as an incident responder? Well, the main thing for an incident responder is to figure out, or one of the main things, who targeted us, or was this even a targeted attack? Probably not if you’re getting hit by something like this where there are 81 other pages of ransom transactions. I mean maybe they targeted your industry, maybe not, but when we think back to the Globe example where we thought, OK, that was more of an RDP brute force attack. After, you know, you wanna do a complete investigation, but the priorities you’re gonna take into certain actions after this are gonna be different. You’re not gonna be necessarily worried about closing down an open RDP port that shouldn’t be there. 
Instead you’re gonna be worried about well we probably have to fix our email filtering and upgrade some detection logic and stop this from happening. But they’re two different approaches, the main point being at least you’re not concerned that you were targeted, everyone was targeted, you’re just concerned that you were infected. The last point I want to take here is the cash outs. So, here you can see them actually moving 220, 100, 150 Bitcoins to an exchange called BTC-e. They did use a couple of other exchanges, you can see some other cash outs here that weren’t identified by Wallet Explorer, but that’s just what these guys tend to do, they tend to put about 50 to 100 to 200 Bitcoins at a time and they cash it out. And because there’s no way to subpoena BTC-e, unless their database ever gets leaked, or unless law enforcement finds a way to compel them to turn over that data, out the money goes and we don’t know who’s getting it. If they ever do get that data, then we’ll be able to find out. So, the third thing we wanna talk about is attribution. There’s sort of a myth behind Bitcoins that you can never do any sort of attribution. This is, not a totally unique example, it’s a little rarer, but I did wanna show it because it’s interesting. There is a way to do some deductive reasoning and come up with an attribution, at least in this particular instance. So this is the Shark and Atom ransomware. It kind of hit the news in Oct, I wanna say around October 2016 actually, around the same time frame as when that Locky activity was happening when we started focusing in on that. The idea behind the Shark ransomware was hey we’ll give you a portal, or we’ll give you a tool, and you can use that tool to build your own ransomware. You put in your Bitcoin address, we’re just gonna take 20% of the cut. The source advertised on a Russian website, so were these people Russian? It would be a reasonable guess, but we would like a second data point on that. 
And so here on the bottom you can see the panel. You can see the ransom note. But more interestingly, you can watch on the blockchain, or you could watch at the time when this was in service, the money go to a payment address that was specified by the attacker, and then at the top you can see an 80/20 split happen for when it was making the payment on the blockchain, going, the 20% going to the authors, the 80% going to the attacker. As far as network forensics go it’s kind of exciting to watch this happen on the blockchain and then watch it happen in a PCAP as it’s coming back to the infected host. It’s kind of cool. But what’s even more cool is they use that same address for, they didn’t generate a new 20% address, they used the same one for a host of other transactions and at one point they might have even paid themselves through a chain of events, possibly testing their own infrastructure. It’s not entirely clear if they were running a test, or if they were just paying a different address of theirs, or a different wallet of theirs. But you can see the graph here, it looks similar to the other graphs. And in red is gonna be this 1FzW address, which is where they’re receiving these 20%s. And that’s gonna be the main pivot point for what we’re gonna do next. So we throw it in Wallet Explorer, we’ve got one other address there, it starts with 16q3. And, the other way to correlate these two is if we look at the transactions on there we can also say well 1FzW had an address put money, and I’m gonna graph these, so if it’s just rattling off numbers don’t panic there’s a graph coming. But the 1FzW, the first address to fund that, to fund this part of the ransomware Bitcoin infrastructure, starts with 16qCm, and the first one to ever fund that starts with 16q3. And that was also paid by 1FzW. 
So the deductive logic there creates this loop, and so you would at least be able to determine that, if you didn’t know from Wallet Explorer, you could do some deductive reasoning and say well these are owned by the same person. Given the timeframe of these transactions, given what was happening, you could say that pretty comfortably. What we’re gonna do then is we’re gonna use this graph and we’re gonna pivot off of this graph. We’re gonna add to it a little bit. So, what’s the first to fund 16q3? Well, this address starting with 17N4mi. That’s therefore likely also owned by the Atom author. And when we talk about, you know, mapping these out we’re curious well where else did that one send money? So in the same transaction that it funded this, it also sent money to another Bitcoin address. And when we talk about change, from earlier on, that’s what we meant. And this is an example where it becomes particularly relevant. So here’s our new graph. We’ve added a little section at the bottom. We still have that triangle relationship from the ones we found before. So let’s keep going. So we’ve branched off, in one spot we’re funding part of our ransomware infrastructure. What are we doing in the other spot? Well we can follow these a little bit more. It sends money to another address, that address sends money to two more addresses. Those last two addresses are tagged on Wallet Explorer as something called matbea.com, and I’ll show you that momentarily, but here’s the graph. We can see our overlap from the infrastructure, what funded the infrastructure, what did the simultaneous paying, and where the money all goes on the bottom right. So I mentioned matbea.com. If you map this all out using the script from before, it’ll look something like this, it just depends on which address you use as the baseline for the script. But we have a couple others at the bottom right that are also matbea.com. Well here’s matbea.com, you can see the Cyrillic text there. 
So we’re looking at a Russian Bitcoin exchange. So here’s our second data point that I mentioned earlier that we were trying to get to. Originally we were talking just hey these guys posted on a Russian language forum, a lot of people do that and a lot of people do it in really awful Russian, but these guys might actually be Russian, and we have that nice little extra data point. And so this was a cool piece of attribution, now it’s important to point out, of course, it could be a false flag, but given that this was pretty unsophisticated and given the other things we know about ransomware and about these guys in general, we’re pretty comfortable with this assessment and with this data point. So, I do have a bonus example on here. I don’t have time to go through it today, and I wasn’t planning on going through it today, but if you ever wanna look at something with the Spora ransomware, it’s on Cyber4Sight’s blog, which is the group I work at, at Booz Allen. And you can go through this and see how Spora is an affiliate program, and how you can come up with that deduction just based off of blockchain analysis. And that’s not a grand proclamation at this point, but when this was new, and when this was three days old, it was pretty interesting data to see the first Spora affiliates get paid. And so that’s something you can look at when the slides are posted online later. So the last thing I wanted to talk about is the Namecoin blockchain. The Namecoin blockchain is pretty interesting, it’s another use of blockchain technology, and the idea behind it is to decentralize domain name systems. Allegedly, for the purpose of anti-censorship, but you can use it for your malware because no one can take down your domain if it’s sitting on a blockchain. Instead they have to take down the actual, they have to retake the actual IP address that your domain would resolve to. So, a little bit more about this. Namecoin domains are gonna be .bit domains. 
They’re not an official ICANN domain, top level domain. So what you have to do is you have to do a DNS query to an OpenNIC server, or you have to do a DNS query to a dedicated Namecoin DNS server. That’s two interesting things to look at in your network logs. I’ve seen some misconfigurations do those before, but I’ve also seen just straight up malware do it before. There’s really no good reason this should ever happen. Now, this blockchain can work as a regular cryptocurrency blockchain. The currency isn’t worth a whole lot right now, but the other part of this is the domain names sit on special coins on this blockchain, so that you can’t accidentally, you know, buy bread with whatever website .bit. Like that would be weird, and so they don’t want that to happen by accident, and that special coin has a special property in how these things get updated that it tends to flatten out the blockchain for analysis. The consequence of that, and I’ll show what I mean by that visually, but the consequence of that is it’s really easy to track and map out Namecoin infrastructure. So that’s what we’re gonna do with this example of the Shifu banking Trojan. On January 6th, 2017 Palo Alto’s Unit 42 came out with a really really good reverse engineering report on this. And part of it was they noted that hey this banking Trojan started using these two .bit domains at some point in 2016. The picture up here is actually a newer version of it, an updated version of this information, because at the time there were only a couple IPs associated with each of these two domains on there. And the question I had was well, what other infrastructure, there’s no way these actors were only using two domains and a couple of IP addresses. And a few other things happened too. A couple days after that report came out, I have it in a little box here, you can see that they zeroed out the IP address. 
So by looking at the Namecoin system you already know hey these guys are reading open source intelligence reports, just like we all are, and they zeroed out their infrastructure, and we’re gonna see that happen in a couple other pieces of this as well. So what we wanna do, there’s no API for this, so you’re gonna be on your own for the script we go for later, but what you wanna do is you wanna take the first transaction from one of these domains because that’s when it was created. So, here’s the first transaction. There’s a lot on this screen and I know that. I’m gonna talk through all of it. But the first transaction on the name chain website will show that, it’ll show when this was first created, so you can see the operation is OP_NAME_NEW, that means a new domain being made. You can see a change address happening, so a certain amount of Namecoin currency was used to perform this operation, but then another amount went to change. That, like 23 or 24 Namecoin change, was later used to register the second domain that was listed in the Palo Alto report. So we already know those two were associated just with a couple of clicks. Now the next thing here is that we wanna kind of go backwards a little bit more. So this Namecoin address was generated somewhere, so when we go to the first transaction involving it, like so, we’ll see that it actually was part of change from another Namecoin operation from another domain called healthshop.bit. And this had a different IP address, but what we can do is we can look at the overlapping IP addresses for this infrastructure now. We can look at just all of the data from the healthshop domain, all of the data from the one we were looking at, the slavaukraine domain, and we can say hey there was a shared relationship on the blockchain, but there was also a shared infrastructure relationship. These things were resolving to the same IP addresses at different points in time. 
And so that’s what we have right here. If you compare them side by side you’ll see in the blue you’ll see some of the same IP addresses, you’ll see that they were zeroed out on the 11th at the same time. So, those are some pretty good data points. We would say with almost near certainty that the same people were operating these domains. So, good, we found an extra domain, that’s good for our incident responders, that’s good for our SOC. We also know when these IP addresses were relevant because when they switched the IPs they’re no longer true indicators of compromise. I mean they might still own the infrastructure, but they might not. So what we wanna do next is what else can we find? And in going the same way that we went with mapping out the Bitcoin infrastructure, we can do the same thing here, we can go to each transaction that happened, look at the addresses, go to each transaction of those, and so on and so forth, and so what we do is we get a graph here and I tried to zoom in as best I can, but it illustrates a point I’m about to make. This is a much flatter blockchain. And you can even see that I included the scroll bar in the picture so you can see how wide this goes. But in doing this, you get a nice little visualization, you can see that these addresses, that these domains, that these IP addresses are truly related. It’s just not enough to have a graph though. You would never be able to constantly be scrolling left and right, so the other thing you wanna do is if you go to do something like this you wanna dump a nice little CSV file, which, or actually two CSV files, one with just the infrastructure, and one with the days that this happens. And I did my best to show the relationship here. So you’ll see that they have similar IP space in some cases, you’ll see shared IP addresses. 
The next thing you would wanna do is either in Graphviz or in Analyst’s Notebook, you wanna take all these data points and you wanna correlate them together and show that they are truly all linked. Before I go to that picture on the right, you can also see some interesting TTPs from these actors. You can see that they tend to name their domains in some similar ways. So you’ve got like foreveryoung and foreverone. You have a couple that have the term data in them, a few others like that. A couple with references to Russia, Ukraine. So it’s some other interesting TTPs, and it gives you even more confidence that these are related. And when you map it all out, here’s what you wind up with. And so remember, we started with only two domains, and when we ended this we wound up with over a dozen domains that these guys were using as part of this campaign. We also, just to go back real quick, it’s a little cut off at the top, but you can see that they’ve been doing this since March of 2016. So we have a nice firm start point for this activity as well. And that gives you some really good actionable intelligence that you can use for this. And it’s just a nice little example of, well the Namecoin watching is a little bit esoteric, and while it provides some sort of resiliency for these actors, we can actually use it against them. And so that’s kind of where we are for doing some of this blockchain analysis. So just a quick recap. The blockchain stores an awful lot of data, and if you’re good with just some basic deductive logic, and maybe a little bit of scripting, you can find out a whole host of historical information just by navigating through it properly. I do have two items in here in question marks. They’re things we should think about. 
Given what I just showed you where we can map out Namecoin domains, do we really want to be in a situation where someone’s medical records are stored on a blockchain, and that’s one of the common ones that’s listed for blockchain technology. My argument personally would be well probably not because as soon as, if there’s an OPSEC failure of some form, or a database gets leaked, and someone’s personal medical blockchain address were to be paired with their name, you would have all of their history. And so I think that’s something we have to think about. With property titles it would be a similar situation. On the other hand it does provide resiliency and it does provide nice data storage, and it can be used to prevent fraud. So, we do have to consider both sides of that. (tribal drum music)
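Editor's added example, not code from the talk or from the speaker's GitHub script. It works through the Globe and Locky income estimates described above: take a Wallet Explorer style CSV dump of incoming payments, flag "probable" ransom payments (exact match with the ransom note) and "possible" ones (round-looking amounts, which the talk describes as four digits or fewer; here that is interpreted as at most four characters in the shortest decimal form, so 0.5, 1.75 and 3 qualify while a fiat-pegged 1.7829 does not, capped at the 10 BTC ceiling the speaker observed), and emit the payment graph in Graphviz DOT. The CSV columns, addresses, txids and amounts are constructed for illustration; a real export will need its column names mapped onto these.

```python
"""Estimate ransom income from a Wallet Explorer style CSV dump (added example)."""
import csv
import io
from decimal import Decimal

# Constructed sample export: one row per incoming payment to the tracked wallet.
# Column layout is an assumption; addresses and txids are placeholders, not real.
SAMPLE_CSV = """date,txid,from_address,amount_btc
2016-03-02 11:04,tx0001,1AAAAexample,0.5
2016-03-02 13:41,tx0002,1BBBBexample,1.5
2016-03-03 09:15,tx0003,1CCCCexample,1.75
2016-03-04 17:22,tx0004,1DDDDexample,1.7829
2016-03-05 08:30,tx0005,1EEEEexample,0.5
2016-03-06 19:58,tx0006,1FFFFexample,25
2016-03-07 12:12,tx0007,1GGGGexample,3
"""


def parse_export(text):
    """Parse the CSV text into a list of dicts; amounts become Decimal so that
    0.5 + 1.75 style sums stay exact instead of drifting as floats."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount_btc"] = Decimal(row["amount_btc"])
        rows.append(row)
    return rows


def shortest_form(amount):
    """Render a Decimal with no trailing zeros or exponent: 3.000 -> '3', 10 -> '10'."""
    return format(amount.normalize(), "f")


def is_probable_ransom(amount, ransom_amount):
    """Exact match with the amount demanded in the ransom note."""
    return amount == Decimal(str(ransom_amount))


def is_possible_ransom(amount, max_chars=4, max_btc=Decimal("10")):
    """Round-looking amount (0.5, 1.75, 3) of at most max_chars characters and
    not above the per-payment ceiling. Fiat-pegged business payments such as
    1.7829 fail the length test; a 25 BTC cash-out fails the ceiling."""
    return len(shortest_form(amount)) <= max_chars and amount <= max_btc


def summarize(rows, ransom_amount, btc_usd=None):
    """Counts and totals for the conservative (probable) and wide (possible)
    estimates, plus the activity window. btc_usd converts at a fixed rate."""
    probable = [r for r in rows if is_probable_ransom(r["amount_btc"], ransom_amount)]
    possible = [r for r in rows if is_possible_ransom(r["amount_btc"])]
    zero = Decimal(0)
    result = {
        "probable_count": len(probable),
        "probable_btc": sum((r["amount_btc"] for r in probable), zero),
        "possible_count": len(possible),
        "possible_btc": sum((r["amount_btc"] for r in possible), zero),
        "total_btc": sum((r["amount_btc"] for r in rows), zero),
        "first_seen": min((r["date"] for r in rows), default=None),
        "last_seen": max((r["date"] for r in rows), default=None),
    }
    if btc_usd is not None:
        result["possible_usd"] = result["possible_btc"] * Decimal(str(btc_usd))
    return result


def to_dot(rows, wallet_label):
    """Graphviz DOT: one edge per payer into the tracked wallet, labelled with
    the amount, in the same shape as the victim -> intermediate graphs in the talk."""
    lines = ["digraph ransom {", "  rankdir=LR;"]
    for r in rows:
        amount = shortest_form(r["amount_btc"])
        lines.append(f'  "{r["from_address"]}" -> "{wallet_label}" [label="{amount} BTC"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    payments = parse_export(SAMPLE_CSV)
    for key, value in summarize(payments, "0.5", btc_usd=600).items():
        print(f"{key}: {value}")
    print(to_dot(payments, "ransom-wallet"))
```

The two estimates bracket the income the way the talk does: the exact-match count is what you can defend, the round-amount count is the order-of-magnitude figure, and the 25 BTC row drops out of both because it looks like consolidation rather than a victim paying.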
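Editor's added example for the Namecoin section, not code from the talk or from the Unit 42 report. It reproduces the two pivots the speaker walks through for the Shifu .bit domains: link domains whose registration was paid from another name operation's change output, and link domains that resolved to the same IP address at any point, then union the two into clusters and recover each domain's dated IP history and any same-day zeroing. The name-operation records, domain names, txids and IPs below are constructed (documentation address ranges), and the record layout is an assumption; output from a Namecoin explorer or namecoind would need to be mapped onto it.

```python
"""Cluster Namecoin (.bit) domains by funding chain and shared IP history (added example)."""
from datetime import date

# Constructed records, one per name operation on the Namecoin chain.
# funding_txid: the earlier name operation whose change output paid for this
# one (None when the funding did not come from another name operation).
# ips: the A records in the name value; ["0.0.0.0"] means the actor zeroed it.
NAME_OPS = [
    {"txid": "n001", "name": "domain-a.bit", "op": "OP_NAME_FIRSTUPDATE",
     "date": date(2016, 3, 1), "funding_txid": None, "ips": ["192.0.2.10"]},
    {"txid": "n002", "name": "domain-b.bit", "op": "OP_NAME_FIRSTUPDATE",
     "date": date(2016, 3, 4), "funding_txid": "n001", "ips": ["192.0.2.11"]},
    {"txid": "n003", "name": "domain-a.bit", "op": "OP_NAME_UPDATE",
     "date": date(2016, 9, 20), "funding_txid": None, "ips": ["198.51.100.5"]},
    {"txid": "n004", "name": "domain-c.bit", "op": "OP_NAME_FIRSTUPDATE",
     "date": date(2016, 10, 2), "funding_txid": None, "ips": ["198.51.100.5"]},
    {"txid": "n005", "name": "domain-d.bit", "op": "OP_NAME_FIRSTUPDATE",
     "date": date(2016, 11, 15), "funding_txid": None, "ips": ["203.0.113.7"]},
    {"txid": "n006", "name": "domain-a.bit", "op": "OP_NAME_UPDATE",
     "date": date(2017, 1, 11), "funding_txid": None, "ips": ["0.0.0.0"]},
    {"txid": "n007", "name": "domain-c.bit", "op": "OP_NAME_UPDATE",
     "date": date(2017, 1, 11), "funding_txid": None, "ips": ["0.0.0.0"]},
]

NULL_IPS = {"0.0.0.0"}


def funding_links(ops):
    """(earlier_name, later_name) pairs where the later operation spent change
    from the earlier one: the on-chain relationship the talk pivots on."""
    name_by_txid = {op["txid"]: op["name"] for op in ops}
    links = []
    for op in ops:
        src = op.get("funding_txid")
        if src in name_by_txid and name_by_txid[src] != op["name"]:
            links.append((name_by_txid[src], op["name"]))
    return links


def shared_ip_links(ops):
    """(name_a, name_b, ip) for distinct names that ever resolved to the same
    non-null IP: the infrastructure relationship. Zeroed values are ignored so
    a mass 0.0.0.0 update does not glue unrelated domains together."""
    names_by_ip = {}
    for op in ops:
        for ip in op["ips"]:
            if ip not in NULL_IPS:
                names_by_ip.setdefault(ip, set()).add(op["name"])
    links = []
    for ip, names in sorted(names_by_ip.items()):
        ordered = sorted(names)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                links.append((a, b, ip))
    return links


def cluster_domains(ops):
    """Union-find over both link types; returns sorted clusters of domain names."""
    parent = {op["name"]: op["name"] for op in ops}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in funding_links(ops):
        parent[find(a)] = find(b)
    for a, b, _ip in shared_ip_links(ops):
        parent[find(a)] = find(b)
    groups = {}
    for name in parent:
        groups.setdefault(find(name), set()).add(name)
    return sorted(sorted(g) for g in groups.values())


def ip_timeline(ops, name):
    """Dated IP history for one name, so an indicator can be bounded in time
    rather than treated as current forever."""
    return [(op["date"], op["ips"]) for op in sorted(ops, key=lambda o: o["date"])
            if op["name"] == name]


def zeroed_together(ops):
    """Names nulled on the same day: a coordinated reaction to a public report."""
    by_day = {}
    for op in ops:
        if set(op["ips"]) <= NULL_IPS:
            by_day.setdefault(op["date"], set()).add(op["name"])
    return {d: sorted(n) for d, n in by_day.items() if len(n) > 1}


if __name__ == "__main__":
    print("clusters:", cluster_domains(NAME_OPS))
    print("domain-a.bit history:", ip_timeline(NAME_OPS, "domain-a.bit"))
    print("zeroed together:", zeroed_together(NAME_OPS))
```

With the constructed data, domain-a.bit, domain-b.bit and domain-c.bit fall into one cluster (b through the change output, c through the shared IP) while domain-d.bit stays alone, and the same-day zeroing of a and c is the extra signal the talk uses to raise confidence that one actor operates both.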