Ransomware data mining
Jindrich Karasek
Cyber Threat & Defence Research, AI & Cognitive Security, DFIR, speaker, mentor, TI Associate, Views are my own.
Recently, I did a small piece of research on how many different ransomware families are found in the wild.
The point was to check whether WannaCry was a big portion of what is actually going on in this field.
Below is the picture with my findings. It is a correlation of the IPs which sourced the malware, countries of origin, hashes of the droppers, destination file paths and affected processes, targeted operating systems, and industries where the sample was first observed.
Due to the confidential nature of the data source, I can publish only a few observations:
{Data collection was running during the WannaCry outbreak: 12th of May 2017 - 19th of May 2017.}
- Red areas and links are WannaCry related. Note how small a portion it was, even during the outbreak.
- Green stands for security software, which was somehow able to interfere at various stages of the ransomware kill chain.
- Orange belongs to the countries. Basically, the only correlation between the number of infections and country was with the number of general internet users per country.
- Blue parts stand for malicious IPs. Note that in some areas one IP is responsible for more than one type of attack. [Edit: Due to resolution limitations, the blue parts are actually better visible here]
[This visual is one of my favorites. It reminds me of a female head profile. It was called "Ghost out of the Shell" and it's copyrighted by my project, 4n6strider.]
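As an added illustration of the kind of correlation the picture encodes (this is not the author's code or data, which remain confidential), the script below builds the same multi-attribute co-occurrence graph from a handful of constructed records: source IPs from the RFC 5737 documentation ranges, made-up hashes and paths, and made-up per-country internet user counts. It then answers the three questions the observations above raise: what share of records one family accounts for, which source IPs are linked to more than one family, and how infection counts per country correlate with internet users per country.

```python
"""Correlation graph over ransomware telemetry records.

Added example, not the post author's code or data. Every record, address
(RFC 5737 documentation ranges), hash, path and user-count figure below
is constructed for illustration.
"""
from collections import Counter, defaultdict
from itertools import combinations
from math import sqrt

# Constructed sample: one row per dropper execution observed by a sensor.
SAMPLES = [
    {"ip": "198.51.100.10", "country": "US", "family": "WannaCry", "sha256": "a1" * 32,
     "path": r"C:\Windows\svc.exe", "process": "svc.exe", "os": "Windows 7", "industry": "healthcare"},
    {"ip": "198.51.100.10", "country": "US", "family": "Cerber", "sha256": "b2" * 32,
     "path": r"C:\Users\Public\rad.exe", "process": "rad.exe", "os": "Windows 10", "industry": "retail"},
    {"ip": "198.51.100.20", "country": "DE", "family": "Locky", "sha256": "c3" * 32,
     "path": r"C:\Temp\ld.exe", "process": "wscript.exe", "os": "Windows 7", "industry": "manufacturing"},
    {"ip": "203.0.113.5", "country": "IN", "family": "Cerber", "sha256": "b2" * 32,
     "path": r"C:\Users\Public\rad.exe", "process": "rad.exe", "os": "Windows 10", "industry": "education"},
    {"ip": "203.0.113.5", "country": "IN", "family": "Cerber", "sha256": "b2" * 32,
     "path": r"C:\Users\Public\rad.exe", "process": "rad.exe", "os": "Windows 8.1", "industry": "education"},
    {"ip": "203.0.113.77", "country": "BR", "family": "Jaff", "sha256": "d4" * 32,
     "path": r"C:\Temp\jf.exe", "process": "winword.exe", "os": "Windows 7", "industry": "finance"},
    {"ip": "198.51.100.20", "country": "DE", "family": "Locky", "sha256": "c3" * 32,
     "path": r"C:\Temp\ld.exe", "process": "wscript.exe", "os": "Windows 10", "industry": "logistics"},
    {"ip": "192.0.2.33", "country": "US", "family": "Jaff", "sha256": "d4" * 32,
     "path": r"C:\Temp\jf.exe", "process": "winword.exe", "os": "Windows 7", "industry": "finance"},
    {"ip": "198.51.100.10", "country": "US", "family": "WannaCry", "sha256": "a1" * 32,
     "path": r"C:\Windows\svc.exe", "process": "svc.exe", "os": "Windows Server 2008", "industry": "healthcare"},
    {"ip": "192.0.2.44", "country": "IN", "family": "Locky", "sha256": "c3" * 32,
     "path": r"C:\Temp\ld.exe", "process": "wscript.exe", "os": "Windows 7", "industry": "retail"},
]

# Constructed per-country internet user counts (millions); stand-ins, not real figures.
INTERNET_USERS = {"US": 290, "IN": 460, "DE": 72, "BR": 140}


def build_graph(samples):
    """Undirected co-occurrence graph: node = (attribute, value),
    edge weight = number of records in which both values appear together."""
    graph = defaultdict(Counter)
    for rec in samples:
        nodes = [(attr, val) for attr, val in rec.items()]
        for a, b in combinations(nodes, 2):
            graph[a][b] += 1
            graph[b][a] += 1
    return graph


def family_share(samples, family):
    """Fraction of all records attributed to one family (the 'red' share in the post)."""
    return sum(1 for r in samples if r["family"] == family) / len(samples)


def neighbours(graph, node, attr):
    """Values of one attribute linked to a node, most frequent first."""
    return [v for (a, v), _ in graph[node].most_common() if a == attr]


def ips_with_multiple_families(graph):
    """Source IPs linked to more than one family (the 'one IP, several attack types' case)."""
    hits = []
    for (attr, ip), nbrs in graph.items():
        if attr != "ip":
            continue
        families = {v for (a, v) in nbrs if a == "family"}
        if len(families) > 1:
            hits.append((ip, sorted(families)))
    return sorted(hits)


def pearson(xs, ys):
    """Plain Pearson correlation coefficient, no third-party dependency."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def country_user_correlation(samples, users):
    """Pearson r between infections per country and internet users per country."""
    infections = Counter(r["country"] for r in samples)
    countries = sorted(users)
    return pearson([users[c] for c in countries], [infections[c] for c in countries])


if __name__ == "__main__":
    g = build_graph(SAMPLES)
    print("WannaCry share of records:", family_share(SAMPLES, "WannaCry"))
    print("industries linked to WannaCry:", neighbours(g, ("family", "WannaCry"), "industry"))
    print("IPs serving more than one family:", ips_with_multiple_families(g))
    print("r(infections, internet users):", round(country_user_correlation(SAMPLES, INTERNET_USERS), 3))
```

Every attribute becomes a node, so the same functions answer other questions the picture encodes, for example which processes or operating systems a hash is linked to. The one caveat worth keeping in mind is the same one the post makes about countries: an edge weight counts co-occurrence in the feed, so a country or IP with many edges may simply be one with many users or many sensors behind it, not one that is disproportionately targeted.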