Earlier this month, the threat intelligence platform firm TruSTAR presented a research tool called White Rabbit, which it says can identify emerging ransomware campaigns that collect ransom payments over the Bitcoin (BTC) network. Two TruSTAR developers presented the tool at the security conferences Black Hat Arsenal and DEF CON 2018, held in Las Vegas.
For those not well-versed in the terminology, ransomware is malicious software (a product of the field known as cryptovirology) that threatens to publish the victim's data or to permanently block access to it unless a ransom is paid. According to the developers, Olivia Thet (engineering) and Nicolas Kseib (data science), the tool provides "near real-time contextual awareness of a specific ransomware campaign." In practice, this means the tool screens bitcoin addresses and transactions for patterns that suggest they belong to a criminal campaign.
Threat researchers and malware hunters can use it to identify a particular ransomware campaign and then act to block or contain the attack. The White Rabbit tool fits TruSTAR's core business of threat intelligence solutions.
Because bitcoin is pseudonymous and can be moved without hassle across state and national borders, it is often demanded as the payment method in ransomware campaigns. At the same time, every transaction is recorded on a public ledger, so the addresses and flows involved can be observed and correlated. TruSTAR says it is the first threat intelligence platform to track Bitcoin addresses as an indicator of compromise (IOC).
“As the blockchain evolves and potentially plays a bigger role in cyberattacks, the security community will have to dramatically rethink the current concepts of tracking adversaries,” said Nicolas Kseib, Lead Data Scientist at TruSTAR.
“We’re fighting the wrong fight in trying to deanonymize the blockchain – we should be looking at the bigger picture instead,” said Olivia Thet, Software Engineer at TruSTAR. “Security analysts who are using TruSTAR are far more interested in how Bitcoin wallet addresses are correlating with the other IOCs they’re tracking versus who is actually implementing the ransomware campaigns.”
The developers used a three-part framework to explain White Rabbit. In the first part, a set of BTC addresses is labelled "clean" or "dirty". The second part tests classification models and discusses how to compute expensive but important features from transaction data stored in a graph database. In the third part, they show how to use the resulting best model to predict whether a previously unseen address is "dirty".
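To make the three steps concrete, here is an added example (not TruSTAR's code; the article does not disclose White Rabbit's features or model). It takes a hand-labelled seed set of "dirty" addresses, builds per-address features from a transaction graph, and applies a simple threshold classifier. The graph feature chosen is "haircut" taint: the fraction of an address's incoming value that traces back to seed addresses, distributed pro rata across each transaction's outputs. The transactions, address names, and the rule that transactions are listed in chronological order are all constructed assumptions for the example.

```python
"""Haircut-style taint propagation over a constructed bitcoin transaction graph.

Added example, not TruSTAR code. Assumptions: transactions are listed in
chronological order; a transaction's taint is spread pro rata over its outputs;
SEED_DIRTY is a hand-labelled set of known ransom addresses.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Tx:
    txid: str
    inputs: List[Tuple[str, float]]   # (address, value in BTC)
    outputs: List[Tuple[str, float]]  # (address, value in BTC)


@dataclass
class AddrFeatures:
    """Per-address features derived from the transaction graph."""
    total_in: float = 0.0      # value received
    tainted_in: float = 0.0    # portion of received value traceable to seeds
    total_out: float = 0.0     # value spent
    funding_txs: int = 0       # number of transactions paying this address
    spending_txs: int = 0      # number of transactions spending from it
    seed: bool = False         # hand-labelled "dirty" address

    @property
    def taint(self) -> float:
        """Fraction of received value that is tainted; seeds are fully tainted."""
        if self.seed:
            return 1.0
        return self.tainted_in / self.total_in if self.total_in else 0.0


# Constructed sample (hypothetical addresses): a ransom payment split between a
# mixer and an exchange, an unrelated purchase, and a transaction that merges
# the mixer output with clean change.
SEED_DIRTY: Set[str] = {"addr_ransom"}
SAMPLE_TXS: List[Tx] = [
    Tx("tx1", [("addr_ransom", 1.0)], [("addr_mixer", 0.6), ("addr_exchange", 0.4)]),
    Tx("tx2", [("addr_payer", 2.0)], [("addr_merchant", 1.5), ("addr_change", 0.5)]),
    Tx("tx3", [("addr_mixer", 0.6), ("addr_change", 0.5)], [("addr_merged", 1.1)]),
]


def compute_features(txs: List[Tx], seed_dirty: Set[str]) -> Dict[str, AddrFeatures]:
    """Walk transactions in order and accumulate graph features per address."""
    feats: Dict[str, AddrFeatures] = {}

    def get(addr: str) -> AddrFeatures:
        if addr not in feats:
            feats[addr] = AddrFeatures(seed=addr in seed_dirty)
        return feats[addr]

    for tx in txs:
        total_in = sum(v for _, v in tx.inputs)
        # Taint of the inputs as they stand when this transaction is mined.
        tainted_in = sum(v * get(a).taint for a, v in tx.inputs)
        ratio = tainted_in / total_in if total_in else 0.0
        for addr, value in tx.inputs:
            f = get(addr)
            f.total_out += value
            f.spending_txs += 1
        for addr, value in tx.outputs:
            f = get(addr)
            f.total_in += value
            f.tainted_in += value * ratio   # haircut: every output inherits the same share
            f.funding_txs += 1
    return feats


def classify(feats: Dict[str, AddrFeatures], threshold: float = 0.5) -> Dict[str, str]:
    """Step three: label an address 'dirty' when its taint crosses the threshold."""
    return {a: ("dirty" if f.taint >= threshold else "clean") for a, f in feats.items()}


if __name__ == "__main__":
    features = compute_features(SAMPLE_TXS, SEED_DIRTY)
    for addr, label in sorted(classify(features).items()):
        print(f"{addr:14s} taint={features[addr].taint:.3f} -> {label}")
```

The merge transaction is the instructive case: `addr_merged` receives 1.1 BTC of which 0.6 BTC came via the mixer from the seed address, so its taint is about 0.545 and it is flagged, while the merchant and change addresses stay clean. A real deployment would replace the fixed threshold with a trained model and add features such as the spread of funding times or co-spending relationships, which is the "expensive but important" feature computation the developers describe.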
According to Bitcoin.com, the practice of companies monitoring public blockchains and blacklisting or tainting bitcoin addresses has become a controversial topic among cryptocurrency supporters. With the arrival of blockchain surveillance tools such as White Rabbit, interest in bitcoin transaction mixers and privacy-focused cryptocurrencies has grown in recent years.