SPOT: In-depth Analysis of IoT Ransomware Attacks Using Bare Metal NAS Devices
https://ipsj.ixsq.nii.ac.jp/records/231848
| Name / File | License | Access |
|---|---|---|
| | Copyright (c) 2024 by the Information Processing Society of Japan | Open Access |
| Item type | Journal(1) |
|---|---|
| Release date | 2024-01-15 |
| Title | SPOT: In-depth Analysis of IoT Ransomware Attacks Using Bare Metal NAS Devices |
| Title language | en |
| Language | eng |
| Keywords (subject scheme: Other) | [Special Issue: Collaboration and Network Services] IoT Ransomware Attack, NAS, Tor Hidden Service, IoT Honeypot, IoT Malware Sandbox |
| Resource type identifier | http://purl.org/coar/resource_type/c_6501 |
| Resource type | journal article |
| Author affiliation | Yokohama National University (all authors) |
| Authors | Hiroki Yasui, Takahiro Inoue, Takayuki Sasaki, Rui Tanabe, Katsunari Yoshioka, Tsutomu Matsumoto |
| Abstract (description type: Other) | Ransomware attacks targeting Network Attached Storage (NAS) devices have occurred steadily in the threat landscape since 2019. Early research has analyzed the functionality of IoT ransomware binaries but failed to reveal their operation and attack infrastructure. In this paper, we propose an attack observation system named SPOT, which uses popular bare metal NAS devices (QNAP) as both the honeypot and the malware sandbox to conduct an in-depth analysis of IoT ransomware attacks. During the six-month observation from September 2021 to March 2022, we observed on average 130 hosts per day accessing the NAS devices from the Internet in attempts to compromise them. Moreover, we executed 48 ransomware samples downloaded from VirusTotal in the SPOT sandbox. We identified seven remote Onion proxy servers used for C&C connections and successfully observed three samples infecting the NAS device and connecting it to the C&C server behind the Tor network. The ransom notes gave two kinds of contact points: instruction web pages and email addresses. Though the email addresses were not reachable, we could access the instruction website. We kept monitoring the website and observed a "30% discount campaign" for ransom payments. We also interacted with the threat actor via online support chat on the website, but we were banned from the channel because we asked about their organization. We observe that the degree of automation in the attack operation is much higher compared to carefully tailored and targeted ransomware attacks. While each case of successful ransom payment is limited to 0.03 BTC, the automated nature of the attacks would maximize the frequency of such successful cases. Note: This is a preprint of an article intended for publication in the Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.32 (2024) (online), DOI http://dx.doi.org/10.2197/ipsjjip.32.23 |
| Bibliographic record ID (NCID) | AN00116647 |
| Bibliographic information | IPSJ Journal (情報処理学会論文誌), Vol. 65, No. 1, published 2024-01-15 |
| ISSN | 1882-7764 |
| Publisher (ja) | Information Processing Society of Japan (情報処理学会) |