(Work in Progress): Clustering-Based Characterization of Database Server Ransom Scams

Liebergen, Kevin van; Gómez, Gibran; Matic, Srdjan; Caballero, Juan

Ponencia

dc.contributor.editor	Varela Vaca, Ángel Jesús	es
dc.contributor.editor	Ceballos Guerrero, Rafael	es
dc.contributor.editor	Reina Quintero, Antonia María	es
dc.creator	Liebergen, Kevin van	es
dc.creator	Gómez, Gibran	es
dc.creator	Matic, Srdjan	es
dc.creator	Caballero, Juan	es
dc.date.accessioned	2024-06-03T09:38:59Z
dc.date.available	2024-06-03T09:38:59Z
dc.date.issued	2024
dc.identifier.citation	Liebergen, K.v., Gómez, G., Matic, S. y Caballero, J. (2024). (Work in Progress): Clustering-Based Characterization of Database Server Ransom Scams. En Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) (9ª.2024. Sevilla) (60-67), Sevilla: Universidad de Sevilla. Escuela Técnica Superior de Ingeniería Informática.
dc.identifier.isbn	978-84-09-62140-8	es
dc.identifier.uri	https://hdl.handle.net/11441/159596
dc.description.abstract	We perform the first study of database server ransom scams, a class of attacks where attackers scan for database servers, log in by leveraging the lack of authentication or by using guessed credentials, drop the database contents, and demand a ransom to return the deleted data. To enable our study, we leverage 5,792 unique ransom notes collected by an Internet scanning engine from 27,750 compromised ElasticSearch and MySQL database servers over a period of two years. We propose a novel automated three-step clustering approach. First, it leverages similarity of the ransom notes text to identify servers infected by the same campaign. Then, it identifies campaigns run by the same threat group by merging note similarity clusters that reuse IOCs (i.e., Bitcoin payment addresses, email addresses, Tor onion addresses). Finally, it merges IOC reuse clusters whose notes contain Bitcoin addresses co-spent in Bitcoin transactions. This process groups the 27,750 database server infections into 94 clusters, identifying a dominant threat group that is responsible for 49% of the infections	es
dc.format	application/pdf	es
dc.format.extent	8	es
dc.language.iso	eng	es
dc.publisher	Universidad de Sevilla. Escuela Técnica Superior de Ingeniería Informática	es
dc.relation.ispartof	Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) (9ª.2024. Sevilla) (2024), pp. 60-67.
dc.rights	Attribution-NonCommercial-NoDerivatives 4.0 Internacional	*
dc.rights.uri	http://creativecommons.org/licenses/by-nc-nd/4.0/	*
dc.subject	Database servers	es
dc.subject	Ransomware attacks	es
dc.subject	Ransom Scams	es
dc.subject	Clustering	es
dc.title	(Work in Progress): Clustering-Based Characterization of Database Server Ransom Scams	es
dc.type	info:eu-repo/semantics/conferenceObject	es
dc.type.version	info:eu-repo/semantics/publishedVersion	es
dc.rights.accessRights	info:eu-repo/semantics/openAccess	es
dc.publication.initialPage	60	es
dc.publication.endPage	67	es
dc.eventtitle	Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) (9ª.2024. Sevilla)	es
dc.eventinstitution	Sevilla	es
dc.relation.publicationplace	Sevilla	es

Ficheros	Tamaño	Formato	Ver	Descripción
JNIC24_78.pdf	493.8Kb	[PDF]	Ver/Abrir

Este registro aparece en las siguientes colecciones

Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) (9ª.2024. Sevilla)

Mostrar el registro sencillo del ítem

Excepto si se señala otra cosa, la licencia del ítem se describe como: Attribution-NonCommercial-NoDerivatives 4.0 Internacional