You Win Some You Ransom
Reconstructing the ransomware ecosystem using ground truth communication data of the Conti ransomware gang
More Info
expand_more
Abstract
Ransomware has evolved over the years, shifting from widespread attacks targeting individuals to focused attacks on businesses and agencies. These attacks are performed by ransomware gangs while establishing interaction within the ransomware ecosystem. In this thesis, the ransomware ecosystem is posited as being constructed of three separate sub-ecosystems: the attacker sub-system, the defender sub-system, and the governance sub-system. Since ransomware gangs put in an effort to hide their internal communication and operation from the outer world, difficulties arise in correctly understanding the ransomware ecosystem and a ransomware gang’s establishment of interactions within this ecosystem. As a result, current interventions are ineffective.
While earlier research has been conducted on ransomware, we observe two knowledge gaps: 1) there is a lack of understanding of how ransomware gangs establish interactions with actors in the ransomware ecosystem, and 2) There has been a lack of research that uses ground truth data due to ransomware gangs keeping their internal communication and operations hidden. This thesis uses the leaked internal communication data of the Conti ransomware gang to fill these knowledge gaps and answer the research question: To which extent can the ransomware ecosystem be reconstructed using ground truth communication data of the Conti ransomware gang?”.
To answer this question, a novel methodology is proposed that uses Latent Dirichlet Allocation (LDA) topic modeling to empirically determine overarching topics in Conti's internal communication. It is then researched how these overarching topics map to Conti’s tactics, techniques, and procedures (TTP) which is a commonly used methodology to better understand how ransomware gangs operate. Subsequently, these TTP are leveraged to reconstruct the ransomware ecosystem while taking the perspective of how the Conti ransomware gang establishes interactions within the ransomware ecosystem.
The findings of this thesis indicate that Conti is a large and professional organization that incorporates and adjusts services of service-providing cybercriminals in the attacker ecosystem rather than developing their ransomware themselves using scarce IT talent. In addition, reconnaissance is one of the most critical activities that ransomware gangs perform to get to a successful ransomware attack. While researching Conti's TTP, this thesis identifies novel TTP of ransomware gangs, such as Conti's attack chain, reconnaissance procedure, and money laundering procedure.
We conclude that the ransomware ecosystem can be reconstructed from the attacker ecosystem, the defender ecosystem, and the governance ecosystem, in which ransomware gangs establish interactions within each sub-ecosystem while operating from the attacker ecosystem. In the attacker ecosystem, ransomware gangs establish interactions with service-providing cybercriminals to outsource sub-commodities of their ransomware value chain. This allows them to strengthen their attack vectors by relying on the expertise of others and have a more varied set of attacks. The defender ecosystem is comprised of defenders that defend themselves against ransomware. Ransomware gangs establish interactions by performing extensive reconnaissance on defender territories and valuable information and open-source tools that strengthen their attack vectors. The governance ecosystem comprises governance actors that create and maintain the governance framework that influences the attacker ecosystem and defender ecosystem. Ransomware gangs establish interactions with actors in the governance ecosystem to observe the regulatory frameworks in place and adjust their TTP based on the involved risks of getting caught.