Conference paper
(Work in Progress): Clustering-Based Characterization of Database Server Ransom Scams
Author(s) | Liebergen, Kevin van; Gómez, Gibran; Matic, Srdjan; Caballero, Juan |
Coordinator/Editor | Varela Vaca, Ángel Jesús; Ceballos Guerrero, Rafael; Reina Quintero, Antonia María |
Publication date | 2024 |
Deposit date | 2024-06-03 |
Published in | |
ISBN/ISSN | 978-84-09-62140-8 |
Abstract | We perform the first study of database server ransom scams, a class of attacks where attackers scan for database servers, log in by leveraging the lack of authentication or by using guessed credentials, drop the database contents, and demand a ransom to return the deleted data. To enable our study, we leverage 5,792 unique ransom notes collected by an Internet scanning engine from 27,750 compromised ElasticSearch and MySQL database servers over a period of two years. We propose a novel automated three-step clustering approach. First, it leverages similarity of the ransom notes text to identify servers infected by the same campaign. Then, it identifies campaigns run by the same threat group by merging note similarity clusters that reuse IOCs (i.e., Bitcoin payment addresses, email addresses, Tor onion addresses). Finally, it merges IOC reuse clusters whose notes contain Bitcoin addresses co-spent in Bitcoin transactions. This process groups the 27,750 database server infections into 94 clusters, identifying a dominant threat group that is responsible for 49% of the infections. |
Citation | Liebergen, K.v., Gómez, G., Matic, S. and Caballero, J. (2024). (Work in Progress): Clustering-Based Characterization of Database Server Ransom Scams. In Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) (9ª.2024. Sevilla) (60-67), Sevilla: Universidad de Sevilla. Escuela Técnica Superior de Ingeniería Informática. |
Files | Size | Format | View | Description |
---|---|---|---|---|
JNIC24_78.pdf | 493.8Kb | PDF | | |