A target-centric intelligence approach to WannaCry 2.0

Adam B. Turner; Stephen McCombie; Allon J. Uhlmann

doi:10.1108/JMLC-01-2019-0005

A target-centric intelligence approach to WannaCry 2.0

Adam B. Turner^*, Stephen McCombie, Allon J. Uhlmann

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

16 Citations (Scopus)

Abstract

Purpose: This paper aims to demonstrate the utility of a target-centric approach to intelligence collection and analysis in the prevention and investigation of ransomware attacks that involve cryptocurrencies. The paper uses the May 2017 WannaCry ransomware usage of the Bitcoin ecosystem as a case study. The approach proves particularly beneficial in facilitating information sharing and an integrated analysis across intelligence domains.

Design/methodology/approach: This study conducted data collection and analysis of the component Bitcoin elements of the WannaCry ransomware attack. A note of both technicalities of Bitcoin operations and current models for sharing cyber intelligence was made. Our analysis builds on and further develops current definitions and strategies for sharing cyber threat intelligence. It uses the problem definition model (PDM) and generic target network model (TNM) to create an analytic framework for the WannaCry ransomware attack scenario, allowing analysts the ability to test their hypotheses and integrate and share data for collaborative investigation.

Findings: Using a target-centric intelligence approach to WannaCry 2.0 shows that it is possible to model the intelligence problem of collecting and analysing data related to inflows and outflows of Bitcoin-related ransomware transactions. Bitcoin transactions form graph networks and allow to build a target network model for collecting, analysing and sharing intelligence with multiple stakeholders. Although attribution and anonymity prevail under cryptocurrency usage, there is a means for developing transaction walks using this method to target nefarious cryptocurrency exchanges where criminals are inclined to cash out their proceeds of crime.

Originality/value: The application of a target-centric intelligence approach to the cryptocurrency components of a ransomware attack provides a framework for intelligence units to break down the problem in the financial domain and model the network behaviour of illicit Bitcoin transactions relating to ransomware.

Original language	English
Pages (from-to)	646-665
Number of pages	20
Journal	Journal of Money Laundering Control
Volume	22
Issue number	4
DOIs	https://doi.org/10.1108/JMLC-01-2019-0005
Publication status	Published - 7 Oct 2019

Keywords

WannaCry
Ransomware
Cryptocurrency
Bitcoin
blockchain
money flows
intelligence
target-centric

Access to Document

10.1108/JMLC-01-2019-0005

Cite this

@article{2dad9f62714748c0940a5b07aae94d32,

title = "A target-centric intelligence approach to WannaCry 2.0",

abstract = "Purpose: This paper aims to demonstrate the utility of a target-centric approach to intelligence collection and analysis in the prevention and investigation of ransomware attacks that involve cryptocurrencies. The paper uses the May 2017 WannaCry ransomware usage of the Bitcoin ecosystem as a case study. The approach proves particularly beneficial in facilitating information sharing and an integrated analysis across intelligence domains.Design/methodology/approach: This study conducted data collection and analysis of the component Bitcoin elements of the WannaCry ransomware attack. A note of both technicalities of Bitcoin operations and current models for sharing cyber intelligence was made. Our analysis builds on and further develops current definitions and strategies for sharing cyber threat intelligence. It uses the problem definition model (PDM) and generic target network model (TNM) to create an analytic framework for the WannaCry ransomware attack scenario, allowing analysts the ability to test their hypotheses and integrate and share data for collaborative investigation.Findings: Using a target-centric intelligence approach to WannaCry 2.0 shows that it is possible to model the intelligence problem of collecting and analysing data related to inflows and outflows of Bitcoin-related ransomware transactions. Bitcoin transactions form graph networks and allow to build a target network model for collecting, analysing and sharing intelligence with multiple stakeholders. Although attribution and anonymity prevail under cryptocurrency usage, there is a means for developing transaction walks using this method to target nefarious cryptocurrency exchanges where criminals are inclined to cash out their proceeds of crime.Originality/value: The application of a target-centric intelligence approach to the cryptocurrency components of a ransomware attack provides a framework for intelligence units to break down the problem in the financial domain and model the network behaviour of illicit Bitcoin transactions relating to ransomware.",

keywords = "WannaCry, Ransomware, Cryptocurrency, Bitcoin, blockchain, money flows, intelligence, target-centric",

author = "Turner, \{Adam B.\} and Stephen McCombie and Uhlmann, \{Allon J.\}",

year = "2019",

month = oct,

day = "7",

doi = "10.1108/JMLC-01-2019-0005",

language = "English",

volume = "22",

pages = "646--665",

journal = "Journal of Money Laundering Control",

issn = "1368-5201",

publisher = "Emerald Group Publishing",

number = "4",

}

TY - JOUR

T1 - A target-centric intelligence approach to WannaCry 2.0

AU - Turner, Adam B.

AU - McCombie, Stephen

AU - Uhlmann, Allon J.

PY - 2019/10/7

Y1 - 2019/10/7

N2 - Purpose: This paper aims to demonstrate the utility of a target-centric approach to intelligence collection and analysis in the prevention and investigation of ransomware attacks that involve cryptocurrencies. The paper uses the May 2017 WannaCry ransomware usage of the Bitcoin ecosystem as a case study. The approach proves particularly beneficial in facilitating information sharing and an integrated analysis across intelligence domains.Design/methodology/approach: This study conducted data collection and analysis of the component Bitcoin elements of the WannaCry ransomware attack. A note of both technicalities of Bitcoin operations and current models for sharing cyber intelligence was made. Our analysis builds on and further develops current definitions and strategies for sharing cyber threat intelligence. It uses the problem definition model (PDM) and generic target network model (TNM) to create an analytic framework for the WannaCry ransomware attack scenario, allowing analysts the ability to test their hypotheses and integrate and share data for collaborative investigation.Findings: Using a target-centric intelligence approach to WannaCry 2.0 shows that it is possible to model the intelligence problem of collecting and analysing data related to inflows and outflows of Bitcoin-related ransomware transactions. Bitcoin transactions form graph networks and allow to build a target network model for collecting, analysing and sharing intelligence with multiple stakeholders. Although attribution and anonymity prevail under cryptocurrency usage, there is a means for developing transaction walks using this method to target nefarious cryptocurrency exchanges where criminals are inclined to cash out their proceeds of crime.Originality/value: The application of a target-centric intelligence approach to the cryptocurrency components of a ransomware attack provides a framework for intelligence units to break down the problem in the financial domain and model the network behaviour of illicit Bitcoin transactions relating to ransomware.

AB - Purpose: This paper aims to demonstrate the utility of a target-centric approach to intelligence collection and analysis in the prevention and investigation of ransomware attacks that involve cryptocurrencies. The paper uses the May 2017 WannaCry ransomware usage of the Bitcoin ecosystem as a case study. The approach proves particularly beneficial in facilitating information sharing and an integrated analysis across intelligence domains.Design/methodology/approach: This study conducted data collection and analysis of the component Bitcoin elements of the WannaCry ransomware attack. A note of both technicalities of Bitcoin operations and current models for sharing cyber intelligence was made. Our analysis builds on and further develops current definitions and strategies for sharing cyber threat intelligence. It uses the problem definition model (PDM) and generic target network model (TNM) to create an analytic framework for the WannaCry ransomware attack scenario, allowing analysts the ability to test their hypotheses and integrate and share data for collaborative investigation.Findings: Using a target-centric intelligence approach to WannaCry 2.0 shows that it is possible to model the intelligence problem of collecting and analysing data related to inflows and outflows of Bitcoin-related ransomware transactions. Bitcoin transactions form graph networks and allow to build a target network model for collecting, analysing and sharing intelligence with multiple stakeholders. Although attribution and anonymity prevail under cryptocurrency usage, there is a means for developing transaction walks using this method to target nefarious cryptocurrency exchanges where criminals are inclined to cash out their proceeds of crime.Originality/value: The application of a target-centric intelligence approach to the cryptocurrency components of a ransomware attack provides a framework for intelligence units to break down the problem in the financial domain and model the network behaviour of illicit Bitcoin transactions relating to ransomware.

KW - WannaCry

KW - Ransomware

KW - Cryptocurrency

KW - Bitcoin

KW - blockchain

KW - money flows

KW - intelligence

KW - target-centric

UR - https://www.scopus.com/pages/publications/85075049705

U2 - 10.1108/JMLC-01-2019-0005

DO - 10.1108/JMLC-01-2019-0005

M3 - Article

AN - SCOPUS:85075049705

SN - 1368-5201

VL - 22

SP - 646

EP - 665

JO - Journal of Money Laundering Control

JF - Journal of Money Laundering Control

IS - 4

ER -

A target-centric intelligence approach to WannaCry 2.0

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this