Addressing The Intelligence Applications of Bitcoin Payments Related to Ransomware
This thesis addresses the evolving threat of the use of cryptocurrency in ransomware attacks. These attacks are a form of cyber extortion in which malicious software (malware) is used to infect, encrypt, and render systems unusable unless the victims pay a ransom. Such attacks can cripple the capabilities of business-critical systems as well as critical infrastructure. Increasingly, ransom payments are being demanded in hard-to-trace cryptocurrency formats such as Bitcoin. This thesis by publication, comprising four published research papers, a published conference proceedings paper, and two research papers submitted for journal publication, demonstrates the utility of taking a target-centric approach to intelligence collection and analysis of a ransomware-cryptocurrency network. Utilising graph analysis techniques applied to data gathered from the Bitcoin blockchain, this research addresses challenges security researchers face in preventing the propagation of ransomware payments throughout cryptocurrency networks as well as determining the accountability of such payments. The first paper provides a general perspective on analysis techniques relating to illicit Bitcoin transactions and ransomware incidents, and the second paper develops a target-centric intelligence approach to a specific Bitcoin ransomware incident (WannaCry 2.0). The third study explores the possibility of using a common sharing standard such as STIX to share ransomware payment related cyber intelligence, while the fourth paper discerns Bitcoin payment patterns from well-known ransomware attacks (WannaCry, CryptoDefense, and NotPetya). The fifth paper examines graph embeddings in more detail to reveal risky nodes in a ransomware-Bitcoin network, and the sixth paper develops a novel methodology to systematically identify ransomware transactions within cryptocurrency payment networks.
By undertaking target network modelling and analysis, this research provides a basis for analysing payment patterns generated by ransomware-Bitcoin transactions as a graph. Furthermore, to enhance the understanding of the ransomware-Bitcoin environment and any points of vulnerability, blockchain data collection is used to populate the target network model. This allows for the development of a knowledge graph for understanding the relationship between data assets in the ransomware-Bitcoin payment network and provides context to the machine learning systems used in this research.
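As an added illustration of the target network modelling described above (example code, not part of the thesis or its papers), the following builds an address-level payment graph from a handful of constructed Bitcoin transactions, lists the addresses that paid into a known ransom address, and traces how far funds from that address propagate downstream. All addresses, transaction ids and amounts are constructed placeholders.

```python
"""Added example (not from the thesis): model constructed Bitcoin transactions
as a directed address graph and trace where funds from a known ransom address
flow. Standard library only; every address and amount below is constructed."""
from collections import defaultdict, deque

# Constructed transactions: each spends from its input addresses to its output
# addresses, with the BTC amount received by each output. Names are placeholders.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["victimA"], "outputs": {"ransomAddr": 0.30}},
    {"txid": "tx2", "inputs": ["victimB"], "outputs": {"ransomAddr": 0.30}},
    {"txid": "tx3", "inputs": ["ransomAddr"], "outputs": {"hop1": 0.55, "change1": 0.04}},
    {"txid": "tx4", "inputs": ["hop1"], "outputs": {"exchangeDeposit": 0.54}},
    {"txid": "tx5", "inputs": ["unrelated"], "outputs": {"merchant": 1.00}},
]

def build_payment_graph(transactions):
    """Return adjacency dict: sender address -> {receiver address: total BTC}.
    Every input address of a transaction is linked to every output address,
    the usual address-graph abstraction for analysing payment flows."""
    graph = defaultdict(lambda: defaultdict(float))
    for tx in transactions:
        for src in tx["inputs"]:
            for dst, amount in tx["outputs"].items():
                graph[src][dst] += amount
    return graph

def trace_downstream(graph, seed, max_hops=3):
    """Breadth-first walk from a seed (e.g. a known ransom address); returns
    {address: hop distance} for every address reached within max_hops."""
    reached = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if reached[node] >= max_hops:
            continue
        for nxt in graph.get(node, {}):
            if nxt not in reached:
                reached[nxt] = reached[node] + 1
                queue.append(nxt)
    return reached

def payers_of(graph, address):
    """Addresses that sent funds directly to `address` (e.g. victims paying a ransom)."""
    return sorted(src for src, outs in graph.items() if address in outs)

if __name__ == "__main__":
    g = build_payment_graph(TRANSACTIONS)
    print(payers_of(g, "ransomAddr"))         # ['victimA', 'victimB']
    print(trace_downstream(g, "ransomAddr"))  # {'ransomAddr': 0, 'hop1': 1, 'change1': 1, 'exchangeDeposit': 2}
```

On real blockchain data the same two functions would be fed transaction records from a node or indexer, and the hop distances and in-flow totals become node features for the risk-scoring and embedding work the thesis describes.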