Authors: Cuneyt Akcora (University of Manitoba)
DFRWS USA 2021
This decade has been marked by the rise of blockchain-based technologies. At its core, a blockchain is a distributed public ledger that stores transactions between two parties without requiring a trusted central authority. On a blockchain, two unacquainted parties can create an immutable transaction that is permanently recorded on the ledger and visible to the public. One of the first applications of blockchain has been the Bitcoin cryptocurrency. Bitcoin's success has ushered in an age known as Blockchain 1.0, and currently there exist more than 1000 blockchain-based cryptocurrencies.
Bitcoin transactions can be created anonymously, and participation in the network does not require identity verification. A payment can be requested by delivering a public Bitcoin address (i.e., a short string) to a sender, for example over an anonymity network such as Tor. This ease of use and the worldwide availability of Bitcoin transactions have been noticed by malicious actors as well. The pseudo-anonymity of cryptocurrencies has attracted the interest of a diverse body of criminals, transnational terrorist groups, and illicit users. Cryptocurrency-related crime and, more generally, criminal abuse of blockchain technologies are nowadays recognized as the fastest-growing type of cybercrime.
Pseudo-anonymous transactions have resulted in a spike of various e-crime activities and, in particular, in cryptocurrency payments demanded as ransom by hacking attacks that encrypt sensitive user data. Currently, most hackers use Bitcoin for payments, and existing ransomware detection tools depend only on a couple of heuristics and/or tedious data-gathering steps. By capitalizing on recent advances in Topological Data Analysis, we propose a novel, efficient and tractable framework to automatically predict new ransomware transactions in a ransomware family, given only limited records of past transactions. Moreover, our new methodology exhibits high utility in detecting the emergence of new ransomware families, that is, detecting ransomware with no past records of transactions.