Maltego Case Study CipherTrace Mitigate Risks of Ransomware Attacks Through Malware Intelligence and Cryptocurrency Due Diligence
Scenario
Your organization finds itself under a sudden ransomware attack. With no existing attribution data about
the ransomware, your SOC team must identify the seriousness of the threat and the malicious actors
demanding the ransom.
New Email
Hi!
If you are reading this text, it probably means the computer has slowed down and your heart rate has increased due to the inability to troubleshoot.
We recommend that you move away from the computer and accept that you have been compromised. Do NOT try rebooting or shutting down the
computer because you will lose your files and the files of others on the same network forever. That's just a friendly warning from us.
Our encryption is very strong and your files are well protected, but you must cooperate with us to safely decrypt the files.
We advise you to contact us as soon as possible before our patience runs thin. We will not wait for your letter for a long time. HURRY UP.
Contact us:
1. kkeessnnkkaa@cock.li
2. hhaaxxhhaaxx@tuta.io
• Evaluate the threat level, understand the malware history, and mitigate risks
• Identify the destination of the cryptocurrency
…Spider”, the NetWalker ransomware started gaining traction among affiliates in March 2020 and earned 25 million USD in just five…
Upon first encounter with the malware, cyber analysts must gain an understanding of the severity of the
attack by looking at public reports and find ways to mitigate it by gathering observables and identifying
IOCs and attack vectors.
In Maltego, querying data from these disparate sources and mapping the resulting relationships can be
easily achieved in one visual graph since they are part of Maltego’s large library of data integrations.
In this case, we can conduct an initial search on the email addresses the attackers provided. A quick
check using IPQS informs us that the email addresses have been recently abused and suspected of
fraudulent activities, with fraud scores of 75 and 90 respectively.
We also query the Recorded Future intelligence database to obtain all reports mentioning these email
addresses. Instead of reading each individual report, we can easily extract the different malware types
mentioned in the reports and map them on the graph.
Given that Recorded Future reports often compare similar malware families and malware behaviors, it is
not unusual to find multiple malware types mentioned in reports relevant to the email addresses under
investigation. Thanks to Maltego’s mapping capabilities, we can identify the “Mailto Ransomware”,
another name for the NetWalker ransomware, as the first lead in our investigation because it has the
most links to reports.
As threat intelligence analysts, we need to provide our Incident Response team with information like
hashes and known vulnerabilities, so they can check our SIEM events and observables, do enrichment to
identify IOCs, and proceed to remediation tasks.
Furthermore, we can pivot from these hashes into the VirusTotal database to discover the filenames
associated with the Mailto Ransomware and even identify the IP addresses these files have been
communicating with. This helps us understand how the malware may have infiltrated our network.
A question that often comes up during ransomware attacks is whether the compromised organization
should simply pay the ransom and get back to business as usual. While there is no universal answer to
this question, it is important to conduct due diligence before making such payment.
According to a joint advisory by the Financial Crimes Enforcement Network (FinCEN) and the Office
of Foreign Assets Control (OFAC), both part of the U.S. Treasury Department, making ransom payments
to sanctioned entities (whether directly as an organization or via a Virtual Asset Service Provider, VASP)
may constitute a sanctions violation, because in that case the VASP or the victim organization would
in fact be funding the sanctioned persons or organizations through said payment.
Therefore, blockchain analysis—since cryptocurrency has become more commonly used by malicious
actors—is vital to determine the entities associated with counterparty cryptocurrency addresses, thus
avoiding being subject to liabilities and hefty financial penalties under federal law when deciding to pay
up a ransom.
In most cases, the cryptocurrency address we receive from the attacker will be a newly generated one
with no transaction history on the blockchain yet. Since no activity has been recorded for it, we won’t
be able to analyze it using tools such as CipherTrace.
In carrying out the investigation that allowed us to identify the strain of ransomware and attribute it to
(Mailto) NetWalker, we may be able to dig up older cryptocurrency addresses tied to the same threat actor,
perform our due diligence analysis on them with CipherTrace, and so avoid a potential sanctions violation
based on the destination of the funds.
In this case, we find a screenshot in an intelligence report from a dark web forum where the threat actor
Bugatti advertised the malware as part of their RaaS offering. To show it is indeed an active service, they
added a screenshot of four partial Bitcoin addresses with transactions resulting from ransom payments
for the NetWalker attack.
Image 7: Threat Actor Bugatti advertised the NetWalker ransomware with detail of payment split
and transaction history (Source: McAfee)
Although the addresses in the screenshot are incomplete, investigators can obtain the full addresses for
these four transactions by using the CipherTrace Inspector tool. By copying the resulting four addresses
into Maltego, we can query CipherTrace’s cryptocurrency intelligence and map their transaction history
and establish wallet attributions.
In this case, given that NetWalker has been around for a couple of years and has affected multiple
organizations, CipherTrace has already tagged the two addresses into which the ransomware payment was
funneled as part of said RaaS attack; information that would not be available were we dealing with a
brand-new ransomware strain. At this point we would need to determine our risk of being considered
liable if we decide to pay the ransom.
If we are dealing with a new malware strain or simply want to perform a deeper due diligence
investigation into this RaaS campaign, we may select the addresses directly linked to the wallets and
again query CipherTrace for other amounts paid into said addresses.
Image 9: Identifying other transactions paid into the NetWalker Bitcoin addresses
Studying the resulting Bitcoin addresses, we are able to spot a transaction pattern, where 80% of
the funds were transferred into one address, and the remaining 20% were divided into three other
addresses. This pattern matches the franchise ransomware business model presented at the bottom of
Bugatti’s post where the ransom profits would be split 80/20 between the affiliates (franchise owners)
and the ransomware developers.
Most of the time, malware franchise owners are highly financially motivated but not technically
skilled, which makes their cryptocurrency transactions conspicuous. They often move their funds
around repeatedly in an attempt to confuse investigators while directing the funds into crypto
exchanges, for instance to convert them to fiat currencies.
This can be illustrated by carrying out the following process: Select one of the four addresses obtained
from the last query in Image 9 and query it for its outgoing transactions. Next, query the resulting
transactions for their destination addresses, and then select one of the resulting addresses and
repeat the process over and over again, following the money.
Image 11: Tracing how the cybercriminals moved out their ransom funds
At any point we could query a specific address for its wallet in order to establish whether the particular
flow that we are following is a useful one in terms of possible attribution of the wallet owner
or requests for information. In this case, we obtained a wallet associated with WasabiCoinjoin. This
wallet is used for CoinJoin transactions, a technique designed to obfuscate the flow of funds, which makes
this flow a dead end and signals that we need to move on to the next flow to search for a wallet that
belongs to a more cooperative exchange.
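As an added illustration that is not part of the original case study, the following Python sketch applies the 80/20 split check from Image 9 and the hop-by-hop follow-the-money walk described above to a constructed transaction graph; the addresses, amounts and wallet tags are invented stand-ins for data that CipherTrace would supply.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not real on-chain data): outgoing spends per
# address, as {address: [(txid, {destination: amount_btc}), ...]}.
OUTGOING: Dict[str, List[Tuple[str, Dict[str, float]]]] = {
    "ransom_addr_1": [("tx_split", {"aff_main": 8.0, "dev_a": 0.7,
                                    "dev_b": 0.7, "dev_c": 0.6})],
    "aff_main": [("tx_hop1", {"hop1_a": 7.9, "hop1_b": 0.05})],
    "hop1_a": [("tx_hop2", {"mixer_in": 7.85})],
    "dev_a": [("tx_dev", {"exch_dep": 0.69})],
}
# Constructed wallet attributions standing in for CipherTrace's wallet tags.
WALLET_TAGS = {"mixer_in": "WasabiCoinjoin", "exch_dep": "ExampleExchange"}
OBFUSCATION_TAGS = {"WasabiCoinjoin"}  # attributions that make a flow a dead end


def split_pattern(outputs, major_share=0.80, tol=0.03):
    """Return (major_addr, minor_addrs) if one output takes ~major_share of the
    total, i.e. the affiliate/developer split observed in the case study; else None."""
    total = sum(outputs.values())
    if total <= 0 or len(outputs) < 2:
        return None
    major = max(outputs, key=outputs.get)
    if abs(outputs[major] / total - major_share) > tol:
        return None
    return major, [a for a in outputs if a != major]


def follow_money(start, max_hops=10):
    """Follow the largest output hop by hop until the current address carries a
    wallet attribution or has no outgoing spend yet (i.e. funds still parked)."""
    path = [start]
    while len(path) <= max_hops:
        current = path[-1]
        tag = WALLET_TAGS.get(current)
        if tag is not None:
            return {"path": path, "tag": tag, "dead_end": tag in OBFUSCATION_TAGS}
        spends = OUTGOING.get(current)
        if not spends:
            return {"path": path, "tag": None, "dead_end": False}
        _, outputs = spends[-1]  # latest spend; a full tool would branch on every output
        path.append(max(outputs, key=outputs.get))
    return {"path": path, "tag": None, "dead_end": False}


if __name__ == "__main__":
    print(split_pattern(OUTGOING["ransom_addr_1"][0][1]))
    print(follow_money("aff_main"))
```

Following the affiliate's 80% share ends at the CoinJoin-tagged wallet (a dead end), while the developer share reaches an exchange-tagged wallet worth a request for information.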
Image 14: All transactions are split two-ways between one single address and multiple other addresses
More work needs to be done, in particular to ascertain the origin of the funds, but at this point you are
well on your way.
We hope this case study helps you understand better how cybersecurity operations teams can use
Maltego to accelerate threat intelligence processes by bringing together multiple investigation sources
and to conduct cryptocurrency due diligence with CipherTrace data.
You can access CipherTrace cryptocurrency intelligence easily by purchasing our data bundles—a
flexible, annual subscription tailored to your investigative needs and budgets, starting at $1,000 USD
per year. Learn more about the CipherTrace data integration and data bundles on our webpage.
If you want to learn more about how Maltego can support your Trust & Safety or fraud investigations,
schedule a personalized demo with us today!
For more information about Maltego’s solution and other whitepapers and case studies, visit
Maltego.com
About CipherTrace
CipherTrace develops cryptocurrency solutions for anti-money laundering (AML)/counter-terrorist
financing (CTF), blockchain forensics, crypto threat intelligence, and regulators. Leading exchanges,
banks, auditors, regulators and digital asset businesses use CipherTrace to comply with regulatory
requirements, investigate financial crimes, and foster trust in the crypto economy. CipherTrace was
founded in 2015 by experienced Silicon Valley entrepreneurs with expertise in cybersecurity, eCrime,
payments, banking, encryption, and virtual currencies, and is backed by top venture capital investors
and by the US Department of Homeland Security.
About Maltego
Maltego empowers investigators worldwide to speed up and increase the precision of their
investigations through easy data integration in a single interface. Aided by powerful visualization
and collaborative capabilities to quickly zero in on relevant information, Maltego is a proven tool that
has empowered one million investigations worldwide since its launch in 2008. Due to its wide range
of possible use cases, ranging from threat intelligence to fraud investigations, Maltego is used by a
broad audience, from security professionals and pentesters, to forensic investigators, investigative
journalists, and market researchers.