A target-centric intelligence approach to WannaCry 2.0
Adam B. Turner, Stephen McCombie and Allon J. Uhlmann
Department of Security Studies and Criminology, Macquarie University, Sydney, Australia
Journal of Money Laundering Control, pp. 646-665
DOI: https://doi.org/10.1108/JMLC-01-2019-0005
Published: 07 October 2019
Abstract
Purpose – This paper aims to demonstrate the utility of a target-centric approach to intelligence collection and analysis in the prevention and investigation of ransomware attacks that involve cryptocurrencies. The paper uses the May 2017 WannaCry ransomware usage of the Bitcoin ecosystem as a case study. The approach proves particularly beneficial in facilitating information sharing and an integrated analysis across intelligence domains.
Design/methodology/approach – This study conducted data collection and analysis of the component Bitcoin elements of the WannaCry ransomware attack. A note of both the technicalities of Bitcoin operations and current models for sharing cyber intelligence was made. Our analysis builds on and further develops current definitions and strategies for sharing cyber threat intelligence. It uses the problem definition model (PDM) and generic target network model (TNM) to create an analytic framework for the WannaCry ransomware attack scenario, allowing analysts to test their hypotheses and to integrate and share data for collaborative investigation.
Findings – Using a target-centric intelligence approach to WannaCry 2.0 shows that it is possible to model the intelligence problem of collecting and analysing data related to inflows and outflows of Bitcoin-related ransomware transactions. Bitcoin transactions form graph networks and allow analysts to build a target network model for collecting, analysing and sharing intelligence with multiple stakeholders. Although attribution and anonymity prevail under cryptocurrency usage, there is a means for developing transaction walks using this method to target nefarious cryptocurrency exchanges where criminals are inclined to cash out their proceeds of crime.
Originality/value – The application of a target-centric intelligence approach to the cryptocurrency components of a ransomware attack provides a framework for intelligence units to break down the problem in the financial domain and model the network behaviour of illicit Bitcoin transactions relating to ransomware.
Keywords WannaCry, Ransomware, Cryptocurrency, Bitcoin, Blockchain, Money flows, Intelligence, Target-centric, Illicit money flows
Paper type Research paper
1. Introduction
In May 2017, a ransomware outbreak known as WannaCry infected more than 300,000 computers across 150 countries worldwide, making it the most prominent ransomware attack involving nation-states and cryptocurrencies to date (Turner and Irwin, 2018). The use of cryptocurrencies in ransomware attacks like WannaCry poses challenges for law enforcement agencies (LEAs), the intelligence community (IC), regulators and policymakers. These challenges relate to the effective collection and analysis of cryptocurrency intelligence and to the identification of criminal behaviour. It is possible to overcome these challenges through a clearly identified target-centric intelligence model and to move towards more advanced warning of ransomware mobilisation.
The authors wish to thank John Bambenek for his guidance on classifying ransomware attacks and Aleš Janda for the use of his https://www.walletexplorer.com API to access blockchain data.
Journal of Money Laundering Control, Vol. 22 No. 4, 2019, pp. 646-665. © Emerald Publishing Limited, ISSN 1368-5201, DOI 10.1108/JMLC-01-2019-0005.
The current issue and full text archive of this journal is available on Emerald Insight at: www.emeraldinsight.com/1368-5201.htm
1.1 Crypto-criminal evolution
The largest cryptocurrency by market capitalisation[1] is Bitcoin. At the time of writing, Bitcoin had a market capitalisation of more than five times that of the next largest cryptocurrency, Ethereum, US$113.2bn versus US$21.3bn, respectively (CoinMarketCap, 2018). Further to that, on 18 October 2018, the volume of Bitcoin traded in a 24-h period was approximately three times that of Ethereum, US$4b versus US$1.4b, respectively (CoinMarketCap, 2018). Bitcoin’s leading market position among its peers is a function of its mainstream circulation, strong liquidity and sharp rise in price, peaking at US$19,783.21 per Bitcoin in December 2017 (Higgins, 2017). However, it is hard to ignore the criminal roots that tarnish Bitcoin, and even with its rise in popularity, there is still much trepidation surrounding the cryptocurrency owing to its association with Darknet marketplaces like “The Silk Road”, “Valhalla” and “AlphaBay” (Turner and Irwin, 2018). According to Europol, approximately US$1bn was transacted on AlphaBay (Europol, 2017). The pseudo-anonymous properties of Bitcoin make it particularly attractive to criminal activities. Coupled with the obfuscating network infrastructure of the Darknet using The Onion Router (TOR) protocol[2], Bitcoin transactions make it possible to evade regulators and law enforcers. The use of Bitcoin and other cryptocurrencies for the movement of criminally acquired funds is often linked to the circumvention of economic and trade sanctions imposed on a country, such as those faced by the Democratic People’s Republic of Korea (DPRK). The DPRK is known to avoid such sanctions by mining Bitcoin and Monero (Guerrero-Saade and Moriuchi, 2018). Not surprisingly, cryptocurrencies have emerged as the currency of choice in ransomware attacks.
Ransomware combines two elements. One is a malware cyberattack that targets and exploits a vulnerability on a computer and encrypts the victim’s critical data. The other is the capability to extort a ransom payment from the victim in return for decryption or restoration of the hijacked data (Carbon Black, 2018). According to the 2018 Chainalysis report into the changing nature of cryptocurrency crime, a shift is evident in the illicit usage of Bitcoin from Darknet markets to thefts from scams, ransomware and hacks (Chainalysis, 2018). In addition, in 2017, Deputy U.S. Attorney General Rod J. Rosenstein quoted FBI estimates that ransomware payments would reach around US$1bn annually (U.S. DOJ, 2017). Influences on that estimate could be seen through the two major ransomware attacks of 2017, NotPetya and WannaCry, with WannaCry driving a 40 per cent uptick in infections between 2016 and 2017, according to Symantec’s Internet Security Threat Report (ISTR) (2018).
WannaCry executed its ransomware campaign with three hardcoded Bitcoin addresses/wallets. As of 20 June 2017, 335 payments, totalling 51.91182371 Bitcoin (BTC) or US$144,010.54, had been collected from victims into the three Bitcoin wallets (Turner and Irwin, 2018). At the time, WannaCry was one of the biggest outbreaks of ransomware (F-Secure, 2017), providing a strong indication of the evolving cryptocurrency threat from ransomware and the need for intelligence services to counter that threat.
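The target network model described in the abstract treats the ledger as a directed graph: victim payments are inflows into the three ransom wallets, and subsequent spends are outflows that an analyst can walk hop by hop towards a labelled cash-out point such as an exchange deposit address. The following is an added illustration, not code from the paper or from the walletexplorer.com API; it uses a constructed ledger with placeholder addresses (RANSOM_WALLET_1..3, mixer_X, exchange_deposit_Y and so on) and a hypothetical label table standing in for intelligence a partner exchange might share. No real WannaCry addresses or amounts appear in it.

```python
from collections import defaultdict, deque

# Constructed sample ledger for illustration only. Addresses are placeholders
# (RANSOM_WALLET_1..3 stand in for the three hardcoded WannaCry wallets; no real
# Bitcoin addresses or amounts from the campaign are used).
# Each record: (txid, sending address, receiving address, amount in BTC).
SAMPLE_TXS = [
    ("tx01", "victim_A", "RANSOM_WALLET_1", 0.17),
    ("tx02", "victim_B", "RANSOM_WALLET_1", 0.17),
    ("tx03", "victim_C", "RANSOM_WALLET_2", 0.34),
    ("tx04", "victim_D", "RANSOM_WALLET_3", 0.17),
    ("tx05", "RANSOM_WALLET_1", "mixer_X", 0.34),
    ("tx06", "RANSOM_WALLET_2", "mixer_X", 0.34),
    ("tx07", "mixer_X", "exchange_deposit_Y", 0.60),
    ("tx08", "RANSOM_WALLET_3", "intermediate_Z", 0.17),
    ("tx09", "intermediate_Z", "exchange_deposit_Y", 0.17),
    ("tx10", "unrelated_P", "unrelated_Q", 1.00),
]

RANSOM_WALLETS = ["RANSOM_WALLET_1", "RANSOM_WALLET_2", "RANSOM_WALLET_3"]

# Hypothetical address labels an analyst might hold (e.g. an exchange's known
# deposit addresses shared by a partner). Constructed for the example.
ADDRESS_LABELS = {"exchange_deposit_Y": "exchange", "mixer_X": "mixer"}


def build_graph(txs):
    """Index the ledger as a directed graph: address -> list of (counterparty, btc, txid)."""
    out_edges = defaultdict(list)
    in_edges = defaultdict(list)
    for txid, src, dst, amount in txs:
        out_edges[src].append((dst, amount, txid))
        in_edges[dst].append((src, amount, txid))
    return out_edges, in_edges


def inflow_summary(in_edges, targets):
    """Payment count and total BTC received by each target wallet (the inflow side of the TNM)."""
    summary = {}
    for wallet in targets:
        received = in_edges.get(wallet, [])
        summary[wallet] = (len(received), round(sum(a for _, a, _ in received), 8))
    return summary


def transaction_walk(out_edges, start_nodes, max_hops=3):
    """Breadth-first walk along outflows; returns {address: hops from the nearest start node}."""
    hops = {node: 0 for node in start_nodes}
    queue = deque(start_nodes)
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for nxt, _, _ in out_edges.get(node, []):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def cash_out_points(out_edges, start_nodes, labels, max_hops=3):
    """Addresses reached on the walk that carry an 'exchange' label, with their hop distance."""
    reached = transaction_walk(out_edges, start_nodes, max_hops)
    return sorted((addr, h) for addr, h in reached.items() if labels.get(addr) == "exchange")


if __name__ == "__main__":
    out_edges, in_edges = build_graph(SAMPLE_TXS)
    print("inflows:", inflow_summary(in_edges, RANSOM_WALLETS))
    print("walk:", transaction_walk(out_edges, RANSOM_WALLETS))
    print("cash-out candidates:", cash_out_points(out_edges, RANSOM_WALLETS, ADDRESS_LABELS))
```

On the constructed ledger the three wallets receive four payments totalling 0.85 BTC, and the walk reaches exchange_deposit_Y at two hops from every wallet while never touching the unrelated pair. In a real investigation the edges come from transaction inputs and outputs rather than a flat sender/receiver list, and a mixing service such as the placeholder mixer_X blends funds from many sources, so addresses found downstream of it are hypotheses to test with the PDM and corroborate with partner data, not attributions; the max_hops bound keeps the walk from expanding across the whole ledger.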
1.2 Target-centric intelligence
Back in 2012, the FBI identified the difficulties law enforcement could face when it comes to
gaining intelligence from cryptocurrency systems to disrupt, prosecute and target illegal
cryptocurrency activity (Federal Bureau of Investigation [FBI], 2012). The advent of
cryptocurrencies has enabled cyber criminals to avoid attribution and to move their
proceeds of crime relatively anonymously throughout cryptocurrency ecosystems such as
Bitcoin. Traditional institutional structures of intelligence collection, analysis and