{"id":231848,"metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00231848","sets":["581:11492:11493"]},"path":["11493"],"owner":"44499","recid":"231848","title":["SPOT: In-depth Analysis of IoT Ransomware Attacks Using Bare Metal NAS Devices"],"pubdate":{"attribute_name":"公開日","attribute_value":"2024-01-15"},"_buckets":{"deposit":"9ed08075-4d51-42a1-9f63-462159133d93"},"_deposit":{"id":"231848","pid":{"type":"depid","value":"231848","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"SPOT: In-depth Analysis of IoT Ransomware Attacks Using Bare Metal NAS Devices","author_link":["626963","626966","626969","626970","626971","626967","626968","626972","626965","626961","626964","626962"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"SPOT: In-depth Analysis of IoT Ransomware Attacks Using Bare Metal NAS Devices"},{"subitem_title":"SPOT: In-depth Analysis of IoT Ransomware Attacks Using Bare Metal NAS Devices","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"[特集:コラボレーションとネットワークサービス] IoT Ransomware Attack, NAS, Tor Hidden Service, IoT Honeypot, IoT Malware Sandbox","subitem_subject_scheme":"Other"}]},"item_type_id":"2","publish_date":"2024-01-15","item_2_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"Yokohama National University"},{"subitem_text_value":"Yokohama National University"},{"subitem_text_value":"Yokohama National University"},{"subitem_text_value":"Yokohama National University"},{"subitem_text_value":"Yokohama National University"},{"subitem_text_value":"Yokohama National University"}]},"item_2_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"Yokohama National 
University","subitem_text_language":"en"},{"subitem_text_value":"Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"Yokohama National University","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"eng"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/231848/files/IPSJ-JNL6501016.pdf","label":"IPSJ-JNL6501016.pdf"},"date":[{"dateType":"Available","dateValue":"2026-01-15"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-JNL6501016.pdf","filesize":[{"value":"3.0 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"0","billingrole":"5"},{"tax":["include_tax"],"price":"0","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"8"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"042a984d-ced2-4452-a64f-a32e4f19b73a","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2024 by the Information Processing Society of Japan"}]},"item_2_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Hiroki, Yasui"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Takahiro, Inoue"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Takayuki, Sasaki"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Rui, Tanabe"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Katsunari, Yoshioka"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Tsutomu, Matsumoto"}],"nameIdentifiers":[{}]}]},"item_2_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Hiroki, 
Yasui","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Takahiro, Inoue","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Takayuki, Sasaki","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Rui, Tanabe","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Katsunari, Yoshioka","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Tsutomu, Matsumoto","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_2_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AN00116647","subitem_source_identifier_type":"NCID"}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_6501","resourcetype":"journal article"}]},"item_2_publisher_15":{"attribute_name":"公開者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"item_2_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"1882-7764","subitem_source_identifier_type":"ISSN"}]},"item_2_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"Ransomware attacks targeting Network Attached Storage (NAS) devices have occurred steadily in the threat landscape since 2019. Early research has analyzed the functionality of IoT ransomware binaries but failed to reveal their operation and attack infrastructure. In this paper, we propose an attack observation system named SPOT, which uses a popular bare-metal NAS device (QNAP) as both the honeypot and the malware sandbox to conduct an in-depth analysis of IoT ransomware attacks. During the six-month observation from September 2021 to March 2022, we observed, on average, 130 hosts per day accessing the NAS devices from the Internet in attempts to compromise them. 
Moreover, we executed 48 ransomware samples downloaded from VirusTotal in the SPOT sandbox. We identified seven remote Onion proxy servers used for C&C connections and successfully observed three samples infecting the NAS device and connecting it to the C&C server behind the Tor network. The ransom notes gave two kinds of contact points: instruction web pages and email addresses. Though the email addresses were not reachable, we could access the instruction website. We kept monitoring the website and observed a “30% discount campaign” for ransom payments. We also interacted with the threat actor via online support chat on the website, but we were banned from the channel because we asked about their organization. We observe that the degree of automation in the attack operation is much higher than in carefully tailored and targeted ransomware attacks. While each case of successful ransom payment is limited to 0.03 BTC, the automated nature of the attacks would maximize the frequency of such successful cases.\n------------------------------\nThis is a preprint of an article intended for publication in the Journal of\nInformation Processing (JIP). This preprint should not be cited. This\narticle should be cited as: Journal of Information Processing Vol.32(2024) (online)\nDOI http://dx.doi.org/10.2197/ipsjjip.32.23\n------------------------------","subitem_description_type":"Other"}]},"item_2_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Ransomware attacks targeting Network Attached Storage (NAS) devices have occurred steadily in the threat landscape since 2019. Early research has analyzed the functionality of IoT ransomware binaries but failed to reveal their operation and attack infrastructure. In this paper, we propose an attack observation system named SPOT, which uses a popular bare-metal NAS device (QNAP) as both the honeypot and the malware sandbox to conduct an in-depth analysis of IoT ransomware attacks. 
During the six-month observation from September 2021 to March 2022, we observed, on average, 130 hosts per day accessing the NAS devices from the Internet in attempts to compromise them. Moreover, we executed 48 ransomware samples downloaded from VirusTotal in the SPOT sandbox. We identified seven remote Onion proxy servers used for C&C connections and successfully observed three samples infecting the NAS device and connecting it to the C&C server behind the Tor network. The ransom notes gave two kinds of contact points: instruction web pages and email addresses. Though the email addresses were not reachable, we could access the instruction website. We kept monitoring the website and observed a “30% discount campaign” for ransom payments. We also interacted with the threat actor via online support chat on the website, but we were banned from the channel because we asked about their organization. We observe that the degree of automation in the attack operation is much higher than in carefully tailored and targeted ransomware attacks. While each case of successful ransom payment is limited to 0.03 BTC, the automated nature of the attacks would maximize the frequency of such successful cases.\n------------------------------\nThis is a preprint of an article intended for publication in the Journal of\nInformation Processing (JIP). This preprint should not be cited. 
This\narticle should be cited as: Journal of Information Processing Vol.32(2024) (online)\nDOI http://dx.doi.org/10.2197/ipsjjip.32.23\n------------------------------","subitem_description_type":"Other"}]},"item_2_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographic_titles":[{"bibliographic_title":"情報処理学会論文誌"}],"bibliographicIssueDates":{"bibliographicIssueDate":"2024-01-15","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"1","bibliographicVolumeNumber":"65"}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"updated":"2025-01-19T10:37:19.129398+00:00","created":"2025-01-19T01:32:23.381633+00:00","links":{}}