Maltego Case Study CipherTrace Mitigate Risks of Ransomware Attacks Through Malware Intelligence and Cryptocurrency Due Diligence


CASE STUDY

MITIGATE RISKS OF RANSOMWARE ATTACKS THROUGH MALWARE INTELLIGENCE AND CRYPTOCURRENCY DUE DILIGENCE
WITH MALTEGO AND CIPHERTRACE

How to Evaluate Malware Threats and Identify Affiliates Amidst A Ransomware Attack

By using the NetWalker RaaS case as an example, this case study demonstrates how cyber analysts
can use Maltego and CipherTrace cryptocurrency intelligence to analyze, identify, and respond to
ransomware attacks. Additionally, it will illustrate how cyber security researchers can enrich threat data
in Maltego with its various threat intelligence integrations at early stages of an attack.

Scenario

Your organization finds itself under a sudden ransomware attack. With no existing attribution data about
the ransomware, your SOC team must identify the seriousness of the threat and the malicious actors
demanding the ransom.

New Email

Hi!

Your files are encrypted.

If you are reading this text, it probably means the computer has slowed down and your heart rate has increased due to the inability to troubleshoot.

We recommend that you move away from the computer and accept that you have been compromised. Do NOT try rebooting or shutting down the
computer because you will lose your files and the files of others on the same network forever. That's just a friendly warning from us.

Our encryption is very strong and your files are well protected, but you must cooperate with us to safely decrypt the files.

We advise you to contact us as soon as possible before our patience runs thin. We will not wait for your letter for a long time. HURRY UP.

Contact us:

1. kkeessnnkkaa@cock.li
2. hhaaxxhhaaxx@tuta.io

Image 1: Netwalker ransom note


The compromised machines receive a ransom letter like the one above, warning them about the risk of
shutting down their laptops and demanding a payment in exchange for safe decryption of the
compromised files. In the ransom note, the malicious actors included two email addresses as a means
of contact.

The investigation will focus on the following two aspects of threat intelligence and the findings will
help your team assess the necessary measures to solve the crisis:

• Evaluate the threat level, understand the malware history, and mitigate risks

• Identify the destination of the cryptocurrency ransom

About NetWalker Ransomware

Ransomware as a Service (RaaS) is a subscription-based business model that enables affiliates to
purchase or rent ransomware tools from ransomware developers and perform attacks. Funds extorted
from victims are then shared between the ransomware providers and affiliates. According to the
prediction of Cybersecurity Ventures, ransomware damages will reach 20 billion USD by 2021.

Created by the cybercriminal group “Circus Spider”, the NetWalker ransomware started gaining
traction among affiliates in March 2020 and earned 25 million USD in just five months. The attacks
usually target institutions in healthcare and education as well as governmental organizations and
private companies.

Step 1: Gathering Malware Intelligence for Incident Analysis

Upon first encounter with the malware, cyber analysts must gain an understanding of the severity of the
attack by looking at public reports and find ways to mitigate it by gathering observables and identifying
IOCs and attack vectors.

Investigators often turn to industry-standard threat intelligence providers like VirusTotal and
Recorded Future to understand the history and extent of a malware and accumulate such information
for the incident management teams. Investigators can also check with fraud prevention services such
as IPQualityScore or Have I been Pwned? to collect prior knowledge of the email addresses.

Image 2: Maltego’s Data Integrations with Recorded Future, VirusTotal, and Various OSINT Sources

In Maltego, querying data from these disparate sources and mapping the resulting relationships can be
easily achieved in one visual graph since they are part of Maltego’s large library of data integrations.
In this case, we can conduct an initial search on the email addresses the attackers provided. A quick
check using IPQS informs us that the email addresses have been recently abused and suspected of
fraudulent activities, with fraud scores of 75 and 90 respectively.

Image 3: Checking Fraudulent History of Target Email Addresses

We also query the Recorded Future intelligence database to obtain all reports mentioning these email
addresses. Instead of reading each individual report, we can easily extract the different malware types
mentioned in the reports and map them on the graph.

Image 4: Querying Recorded Future’s Threat Reports and Malware Intelligence

Given that Recorded Future reports often compare similar malwares and malware behaviors, it is not
unusual to find multiple malware types mentioned in reports relevant to the email addresses under
investigation. Thanks to Maltego’s mapping capabilities, we can identify the “Mailto Ransomware”,
another name for the NetWalker ransomware, as the first lead in our investigation because it has the
most links to reports.

As threat intelligence analysts, we need to provide our Incident Response team with information like
hashes and known vulnerabilities, so they can check our SIEM events and observables, do enrichment to
identify IOCs, and proceed to remediation tasks.

Furthermore, we can pivot from these hashes into the VirusTotal database to discover the filenames
associated with the Mailto Ransomware and even identify the IP addresses these files have been
communicating with. This helps us understand how the malware may have infiltrated our network.

Image 5: Known Hashes and Vulnerabilities of the “Mailto Ransomware” in Recorded Future’s Threat Intel Database

Image 6: Enriching Threat Data by Pulling in VirusTotal Intelligence

Finally, we query VirusTotal again to obtain other filenames and all types of hashes associated with
these files, so that the Incident Response team can find all files connected to the Mailto Ransomware
in our network.

In a few minutes, we are able to pull in a wide range of threat intelligence in the form of hashes,
filenames, and IP addresses. We can easily export the data and graph to share with our Incident
Response team or SIEM engineers, who will take remediation steps and improve our SIEM rules. We can
also push the findings directly from Maltego into SIEMs such as Splunk or ticketing systems such as
ServiceNow if the integration is set up.

Image 7: Complete Overview of Threat Intel for Netwalker Ransomware in Maltego

Step 2: Conducting Cryptocurrency Due Diligence in the Event of a Ransomware Attack

A question that often comes up during ransomware attacks is whether the compromised organization
should simply pay the ransom and get back to business as usual. While there is no universal answer to
this question, it is important to conduct due diligence before making such payment.

According to a joint advisory made by the Financial Crimes Enforcement Network (FinCEN) and the Office
of Foreign Assets Control (OFAC), both part of the U.S. Treasury Department, making ransom payments
to sanctioned entities (whether directly as an organization or via a Virtual Assets Service Provider, VASP)
can potentially be considered a sanctions violation. This is because in said case, the VASP or the
victim organization would in fact be technically funding the sanctioned persons or organizations through
said payment.

Therefore, blockchain analysis—since cryptocurrency has become more commonly used by malicious
actors—is vital to determine the entities associated with counterparty cryptocurrency addresses, thus
avoiding being subject to liabilities and hefty financial penalties under federal law when deciding to pay
up a ransom.

In most cases, the cryptocurrency address we receive from the attacker will most likely be a newly
generated one which has no transaction history on the blockchain yet. Since it doesn’t exist on the
blockchain, we won’t be able to do an analysis of it using tools such as CipherTrace.

In carrying out the investigation that allowed us to identify the strain of ransomware and attribute it to
(Mailto) NetWalker, we may be able to dig up old cryptocurrency addresses tied to the same threat actor
to perform our due diligence analysis with CipherTrace and avoid a potential sanction violation based on
the destination of the funds.

In this case, we find a screenshot in an intelligence report from a dark web forum where the threat actor
Bugatti advertised the malware as part of their RaaS offering. To show it is indeed an active service, they
added a screenshot of four partial Bitcoin addresses with transactions resulting from ransom payments
for the NetWalker attack.

Image 7: Threat Actor Bugatti advertised the NetWalker ransomware with detail of payment split and transaction history (Source: McAfee)

Although the addresses in the screenshot are incomplete, investigators can obtain the full addresses for
these four transactions by using the CipherTrace Inspector tool. By copying the resulting four addresses
into Maltego, we can query CipherTrace’s cryptocurrency intelligence and map their transaction history
and establish wallet attributions.

In this case, given that NetWalker has been around for a couple of years and has affected multiple
organizations, CipherTrace has already tagged the two addresses into which the ransomware payment was
funneled as part of said RaaS attack, information that would not be available were we dealing with a
brand-new ransomware strain. At this point we would need to determine our risk of being considered
liable if we decide to pay the ransom.

Image 8: The Bitcoin transactions shared by Bugatti in Image 6 led us to discover addresses attributed to NetWalker

Deepening the Investigation & Understanding the Ransomware Campaign

If we are dealing with a new malware strain or simply want to perform a deeper due diligence
investigation into this RaaS campaign, we may select the addresses directly linked to the wallets and
again query CipherTrace for other amounts paid into said addresses.

Image 9: Identifying other transactions paid into the NetWalker Bitcoin addresses

Studying the resulting Bitcoin addresses, we are able to spot a transaction pattern, where 80% of
the funds were transferred into one address, and the remaining 20% were divided into three other
addresses. This pattern matches the franchise ransomware business model presented at the bottom of
Bugatti’s post where the ransom profits would be split 80/20 between the affiliates (franchise owners)
and the ransomware developers.

Image 10: A transaction pattern that confirmed the 80/20 revenue split between affiliates and ransomware developers
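As an added illustration (not code from the original case study, Maltego or CipherTrace), the following Python snippet flags the 80/20 split described above in the outputs of a Bitcoin transaction: one output receiving roughly 80% of the value, the rest divided among the other outputs. The transaction ids, addresses, amounts and the tolerance parameter are constructed assumptions.

```python
# Constructed example: detecting the "franchise" revenue split (80% to one
# address, the remainder divided among several others) in transaction outputs.
# Transaction ids, addresses and satoshi amounts below are made up.
from dataclasses import dataclass


@dataclass
class TxOutput:
    address: str
    satoshis: int


def split_pattern(outputs, major_share=0.80, tolerance=0.02):
    """Return (major_address, minor_addresses) when a single output receives
    about `major_share` of the transaction value and the rest is divided
    among the remaining outputs; otherwise None. Miner fees are ignored and
    the share is computed over the outputs alone (an assumption)."""
    total = sum(o.satoshis for o in outputs)
    if total == 0 or len(outputs) < 2:
        return None
    major = max(outputs, key=lambda o: o.satoshis)
    if abs(major.satoshis / total - major_share) > tolerance:
        return None
    minors = [o.address for o in outputs if o is not major]
    return major.address, minors


def flag_affiliate_payouts(transactions, **kwargs):
    """Apply split_pattern to a mapping txid -> list[TxOutput] and return only
    the transactions whose outputs match the split, with the matched parts."""
    return {
        txid: hit
        for txid, outs in transactions.items()
        if (hit := split_pattern(outs, **kwargs)) is not None
    }


# Constructed sample: one transaction matching the 80/20 split with the 20%
# divided over three addresses, one ordinary two-output payment that does not.
SAMPLE_TXS = {
    "tx-constructed-1": [TxOutput("bc1q-affiliate-A", 80_000_000),
                         TxOutput("bc1q-dev-1", 7_000_000),
                         TxOutput("bc1q-dev-2", 7_000_000),
                         TxOutput("bc1q-dev-3", 6_000_000)],
    "tx-constructed-2": [TxOutput("bc1q-exchange-deposit", 50_000_000),
                         TxOutput("bc1q-change", 49_900_000)],
}

if __name__ == "__main__":
    for txid, (major, minors) in flag_affiliate_payouts(SAMPLE_TXS).items():
        print(txid, "->", major, "receives ~80%, remainder split over", minors)
```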

Most of the time, malware franchise owners are highly financially motivated but not technically
skilled, which results in conspicuous cryptocurrency transactions. This often leads them to move their
funds around repeatedly in an attempt to confuse investigators while directing the funds into crypto
exchanges in order to convert them to fiat currencies, for instance.

This can be illustrated by carrying out the following process: Select one of the four addresses obtained
from the last query in Image 9 and query it for its outgoing transactions. Next, query the resulting
transactions for their destination addresses, and then select one of the resulting addresses and
repeat the process over and over again, following the money.

Image 11: Tracing how the cybercriminals moved out their ransom funds

At any point we could query a specific address for its wallet in order to establish whether the particular
flow that we are following is a useful one in terms of possible attribution of the wallet owner or
requests for information. In this case, we obtained a wallet associated with WasabiCoinjoin. It is used
for Coinjoin transactions, a technique released for obfuscation purposes, making this flow a dead-end
and signaling that we need to move on to the next flow to search for a wallet that belongs to a more
cooperative exchange.

Image 11: One fund movement of the NetWalker ransom ended up in an address associated with the “WasabiCoinjoin” wallet
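An added example of the iterative follow-the-money process described above, written for this page rather than taken from it or from CipherTrace: it walks outgoing transactions breadth-first, stops a flow as a dead end when the destination wallet is attributed to a CoinJoin/mixing service, and keeps flows that reach any other attributed wallet as leads for requests for information. The transaction graph, addresses, wallet labels and hop limit are constructed assumptions; in practice each step is a CipherTrace query for outgoing transactions, their destinations and the wallet.

```python
# Constructed example: iterative "follow the money" over outgoing transactions.
# The graph, wallet attributions and addresses are made up for illustration.
from collections import deque

# address -> destination addresses reached by its outgoing transactions (constructed)
OUTGOING = {
    "addr-ransom": ["addr-hop1", "addr-hop2"],
    "addr-hop1": ["addr-mixer"],
    "addr-hop2": ["addr-hop3"],
    "addr-hop3": ["addr-exchange-deposit", "addr-hop4"],
    "addr-hop4": [],
}
# address -> wallet attribution where one is known (constructed labels)
WALLETS = {
    "addr-mixer": "WasabiCoinjoin",
    "addr-exchange-deposit": "ExampleExchange",
}
# wallet labels treated as obfuscation services: a flow ending here is a dead end
MIXERS = {"WasabiCoinjoin"}


def follow_funds(start, outgoing, wallets, max_hops=6):
    """Breadth-first walk from `start`. Each finished flow is recorded as
    (path, wallet_label) under 'lead' (attributed, non-mixer wallet),
    'dead_end' (mixer/CoinJoin wallet) or 'unresolved' (no further
    outgoing transactions, or the hop limit was reached)."""
    results = {"lead": [], "dead_end": [], "unresolved": []}
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        addr = path[-1]
        label = wallets.get(addr)
        if label in MIXERS:
            results["dead_end"].append((path, label))
            continue
        if label is not None:
            results["lead"].append((path, label))
            continue
        nxt = [a for a in outgoing.get(addr, []) if a not in seen]
        if not nxt or len(path) > max_hops:
            results["unresolved"].append((path, None))
            continue
        for a in nxt:
            seen.add(a)
            queue.append(path + [a])
    return results
```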

In following the iterative process mentioned above, we may be able to spot other transaction patterns
that will help us understand the methodology followed by the threat actors when funneling their illicit
gains. The following Maltego graph is an example of that. By focusing on a particular number of
transactions that were connected to a specific address and querying them all for their destination
address while using the diverse descent view, we can visualize the emerging transaction patterns.

Image 13: Exploring the Bitcoin movement pattern of 467 transactions made by the NetWalker threat actors

By focusing on the two bigger clusters and zooming into them, we can better visualize the pattern that
is repeated throughout the graph and whereby the payments are split two-ways.

Image 14: All transactions are split two-ways between one single address and multiple other addresses

More work needs to be done, in particular to ascertain the origin of the funds, but at this point you are
well on your way.

Accelerate Your Cryptocurrency Investigation with CipherTrace and Maltego Now

We hope this case study helps you understand better how cybersecurity operations teams can use
Maltego to accelerate threat intelligence processes by bringing together multiple investigation sources
and to conduct cryptocurrency due diligence with CipherTrace data.

Getting Started is Easy: Try Our CipherTrace Data Bundles!

Small:        100 Transform Runs per month
Medium:       500 Transform Runs per month
Large:        1000 Transform Runs per month
Enterprise:   15000 Transform Runs per month

You can access CipherTrace cryptocurrency intelligence easily by purchasing our data bundles—a
flexible, annual subscription tailored to your investigative needs and budgets, starting at $1,000 USD
per year. Learn more about the CipherTrace data integration and data bundles on our webpage.

If you want to learn more about how Maltego can support your Trust & Safety or fraud investigations,
schedule a personalized demo with us today!

For more information about Maltego’s solution and other whitepapers and case studies, visit
Maltego.com

About CipherTrace
CipherTrace develops cryptocurrency solutions for anti-money laundering (AML)/counter-terrorist
financing (CTF), blockchain forensics, crypto threat intelligence, and regulators. Leading exchanges,
banks, auditors, regulators and digital asset businesses use CipherTrace to comply with regulatory
requirements, investigate financial crimes, and foster trust in the crypto economy. Founded in 2015
by experienced Silicon Valley entrepreneurs with expertise in cybersecurity, eCrime, payments,
banking, encryption, and virtual currencies, CipherTrace is backed by top venture capital investors
and by the US Department of Homeland Security.

For more information, visit: https://ciphertrace.com/.

About Maltego
Maltego empowers investigators worldwide to speed up and increase the precision of their
investigations through easy data integration in a single interface. Aided by powerful visualization
and collaborative capabilities to quickly zero in on relevant information, Maltego is a proven tool that
has empowered one million investigations worldwide since its launch in 2008. Due to its wide range
of possible use cases, ranging from threat intelligence to fraud investigations, Maltego is used by a
broad audience, from security professionals and pentesters, to forensic investigators, investigative
journalists, and market researchers.

More information about the NetWalker ransomware investigation:

Take a “NetWalk” on the Wild Side (McAfee)

Tracing Ransomware: CipherTrace Helps McAfee Follow NetWalker Funds (CipherTrace)

© 2021 by Maltego Technologies. All Rights Reserved. Maltego.com


Maltego and the Maltego logo are trademarks owned by Maltego Technologies GmbH. support@maltego.com
