A Large-scale Empirical Analysis of Ransomware Activities in Bitcoin
Exploiting the anonymous mechanism of Bitcoin, ransomware activities demanding ransom in bitcoins have become rampant in recent years. Several existing studies quantify the impact of ransomware activities, mostly focusing on the amount of ransom. However, victims’ reactions in Bitcoin, which can well reflect the impact of ransomware activities, are largely neglected. Besides, existing studies track ransom transfers at the Bitcoin address level, making it difficult for them to uncover the patterns of ransom transfers from a macro perspective beyond Bitcoin addresses. In this article, we conduct a large-scale analysis of ransom payments, ransom transfers, and victim migrations in Bitcoin from 2012 to 2021. First, we develop a fine-grained address clustering method to cluster Bitcoin addresses into users, which enables us to identify more addresses controlled by ransomware criminals. Second, motivated by the fact that Bitcoin activities and their participants have already formed stable industries, such as Darknet and Miner, we train a multi-label classification model to identify the industry identifiers of users. Third, we identify ransom payment transactions and then quantify the amount of ransom and the number of victims in 63 ransomware activities. Finally, after we analyze the trajectories of ransom transferred across different industries and track victims’ migrations across industries, we find that, to obscure the purposes of their transfer trajectories, most ransomware criminals (e.g., operators of Locky and Wannacry) prefer to spread ransom into multiple industries instead of utilizing the services of Bitcoin mixers. Compared with other industries, Investment is highly resilient to ransomware activities in the sense that the number of users in Investment remains relatively stable. Moreover, we also observe that a few victims become active in the Darknet after paying ransom.
Our findings in this work can help authorities deeply understand ransomware activities in Bitcoin. While our study focuses on ransomware, our methods are potentially applicable to other cybercriminal activities that have similarly adopted bitcoins as their payments.
- Conference Article
24
- 10.1109/ecrime57793.2022.10142119
- Nov 30, 2022
Ransomware operations have evolved from relatively unsophisticated threat actors into highly coordinated cybercrime syndicates that regularly extort millions of dollars in a single attack. Despite dominating headlines and crippling businesses across the globe, there is relatively little in-depth research into the modern structure and economics of ransomware operations. In this paper, we leverage leaked chat messages to provide an in-depth empirical analysis of Conti, one of the largest ransomware groups. By analyzing these chat messages, we construct a picture of Conti’s operations as a highly profitable business, from profit structures to employee recruitment and roles. We present novel methodologies to trace ransom payments, identifying over $80 million in likely ransom payments to Conti and its predecessor – over five times as much as in previous public datasets. As part of our work, we will publish a dataset of 666 labeled Bitcoin addresses related to Conti and an additional 75 Bitcoin addresses of likely ransom payments. Future work can leverage this case study to more effectively trace – and ultimately counteract – ransomware activity.
- Research Article
14
- 10.1016/j.asoc.2021.107507
- May 21, 2021
- Applied Soft Computing
AWAP: Adaptive weighted attribute propagation enhanced community detection model for bitcoin de-anonymization
- Research Article
52
- 10.1007/s11432-019-9900-9
- Feb 11, 2020
- Science China Information Sciences
The anonymity mechanism of bitcoin is favored by the society, which promotes its usage and development. An adversary should not be able to discover the relation between bitcoin addresses and bitcoin users to ensure effective privacy. However, the relation among bitcoin transactions can be used to analyze the bitcoin privacy information, which seriously jeopardizes the bitcoin anonymity. Herein, we describe the vulnerabilities associated with the anonymity mechanism of bitcoin, including the relation among bitcoin addresses and the relation among bitcoin users. Further, we demonstrate that the existing methods do not guarantee the comprehensiveness, accuracy, and efficiency of the analysis results. We propose a heuristic clustering method to judge the relation among bitcoin addresses and employ the Louvain method to discover the relation among bitcoin users. Subsequently, we construct an address-associated database of historical transactions and implement real-time updates. Extensive experiments are used to demonstrate the comprehensiveness, accuracy, and efficiency of the proposed scheme. Specifically, the proposed scheme reveals the privacy vulnerability associated with the blockchain technology. We expect that our scheme can be applied to improve the blockchain technology.
- Conference Article
41
- 10.1109/vizsec.2018.8709230
- Oct 1, 2018
Forensic analysis of malware activity in network environments is a necessary yet very costly and time-consuming part of incident response. Vast amounts of data need to be screened, in a very labor-intensive process, looking for signs indicating how the malware at hand behaves inside, e.g., a corporate network. We believe that data reduction and visualization techniques can assist security analysts in studying behavioral patterns in network traffic samples (e.g., PCAP). We argue that the discovery of patterns in this traffic can help us to quickly understand how intrusive behavior such as malware activity unfolds and distinguishes itself from the rest of the traffic. In this paper we present a case study of the visual analytics tool EventPad and illustrate how it is used to gain quick insights into the analysis of PCAP traffic using rules, aggregations, and selections. We show the effectiveness of the tool on real-world data sets involving office traffic and ransomware activity.
- Research Article
142
- 10.1016/j.cose.2018.08.008
- Sep 6, 2018
- Computers & Security
On the economic significance of ransomware campaigns: A Bitcoin transactions perspective
- Research Article
1
- 10.1542/peds.2023-063118
- Jan 1, 2024
- Pediatrics
Although postnatal transfer patterns among high-risk (eg, extremely preterm or surgical) infants have been described, transfer patterns among lower-risk populations are unknown. The objective was to examine transfer frequency, indication, timing, and trajectory among very and moderate preterm infants. Observational study of the US Vermont Oxford Network all NICU admissions database from 2016 to 2021 of inborn infants 28 0/7 to 34 6/7 weeks. Infants' first transfer was assessed by gestational age, age at transfer, reason for transfer, and transfer trajectory. Across 467 hospitals, 294 229 infants were eligible, of whom 12 552 (4.3%) had an initial disposition of transfer. The proportion of infants transferred decreased with increasing gestational age (9.6% [n = 1415] at 28 weeks vs 2.4% [n = 2646] at 34 weeks) as did the median age at time of transfer (47 days [interquartile range 30-73] at 28 weeks vs 8 days [interquartile range 3-16] at 34 weeks). The median postmenstrual age at transfer was 34 or 35 weeks across all gestational ages. The most common reason for transfer was growth or discharge planning (45.0%) followed by medical and diagnostic services (30.2%), though this varied by gestation. In this cohort, 42.7% of transfers were to a higher-level unit, 10.2% to a same-level unit, and 46.7% to a lower-level unit, with indication reflecting access to specific services. Over 4% of very and moderate preterm infants are transferred. In this population, the median age of transfer is later and does not reflect immediate care needs after birth, but rather the provision of risk-appropriate care.
- Research Article
28
- 10.1108/jmlc-02-2020-0012
- Jul 7, 2020
- Journal of Money Laundering Control
Purpose: The purpose of this paper is to investigate available forensic data on the Bitcoin blockchain to identify typical transaction patterns of ransomware attacks. Specifically, the authors explore how distinct these patterns are and their potential value for intelligence exploitation in support of countering ransomware attacks.
Design/methodology/approach: The authors created an analytic framework – the Ransomware–Bitcoin Intelligence–Forensic Continuum framework – to search for transaction patterns in the blockchain records from actual ransomware attacks. Data on a number of different ransomware Bitcoin addresses was extracted to populate the framework, via the WalletExplorer.com programming interface. This data was then assembled into a representation of the target network for pattern analysis on the input (cash-in) and output (cash-out) side of the ransomware seed addresses. Different graph algorithms were applied to these networks. The results were compared to a “control” network derived from a Bitcoin charity.
Findings: The findings show discernible patterns in the network relating to the input and output side of the ransomware graphs. However, these patterns are not easily distinguishable from those associated with the charity Bitcoin address on the input side. Nonetheless, the collection profile over time is more volatile than with the charity Bitcoin address. On the other hand, ransomware output patterns differ from those associated with charity addresses, as the attacker cash-out tactics are quite different from the way charities mobilise their donations. We further argue that an application of graph machine learning provides a basis for future analysis and data refinement possibilities.
Research limitations/implications: Limitations are evident in the sample size of data taken on ransomware campaigns and the “control” subject. Further analysis of additional ransomware campaigns and “control” subjects over time would help refine and validate the preliminary observations in this paper. Future research will also benefit from the application of more powerful computing resources and analytics platforms that scale with the amount of data being collected.
Originality/value: This research contributes to the maturity of the field by analysing ransomware-Bitcoin behaviour using the Ransomware–Bitcoin Intelligence–Forensic Continuum. By combining several different techniques to discern patterns of ransomware activity on the Bitcoin network, it provides insight into whether a ransomware attack is occurring and could be used to trigger alerts to seek additional evidence of attack, or could corroborate other information in the system.
- Book Chapter
2
- 10.1007/978-3-030-85928-2_9
- Jan 1, 2021
With the development of Bitcoin, many thriving activities have developed into stable industries, such as Miner. Identifying and analyzing the transaction behaviors of users within these industries helps to understand the Bitcoin ecosystem from a macro perspective. Currently, industry identification mainly faces two issues. First, the anonymity of Bitcoin makes it difficult to identify the industry identifiers of users who participate in activities through different addresses. Second, since users usually engage in multiple industries at different periods, both the identification of their dynamically changing industry identifiers and the detection of their mostly engaged industry are challenging research tasks.
- Research Article
8
- 10.1016/j.csda.2022.107687
- Jan 10, 2023
- Computational Statistics & Data Analysis
Functional classification of bitcoin addresses
- Research Article
- 10.33260/zictjournal.v7i1.132
- Mar 30, 2023
- Zambia ICT Journal
Today, the term ransomware is frequently used in cybercrime headlines; its consequences have been on the rise, leaving a trail of terrible losses in its wake. Both people and businesses have been victimized by ransomware, costing the victims millions of dollars in ransom payments. In addition, victims who were unable to pay the ransom or decrypt the data experienced data losses. This study uses dynamic malware analysis artifacts and supervised machine learning to detect ransomware at the host level. It takes on a thorough examination of the operational specifics of ransomware and suggests a supervised machine-learning approach to detection using various ransomware features derived from dynamic malware analysis. According to the findings, a Logistic Regression algorithm model with a 97.7% accuracy score offers a 99% success rate in ransomware detection. This demonstrates how well machine learning and dynamic malware analysis work together to detect ransomware activity at the host level. Systems security administrators can mitigate security risks by using this method.
- Conference Article
10
- 10.1109/apsec57359.2022.00013
- Dec 1, 2022
Apart from being a code hosting platform, GitHub is the place where large-scale open collaborations and contributions happen. Every minute, thousands of developers are submitting code and discussing issues or pull requests, with all user behaviors recorded in the GitHub Event Stream (GES). Exploration of the activities in the GES could help understand who is active, the way they work, the time when they are active and even their location. To this end, a large-scale analysis was initially performed based on the 0.86 billion event records generated in 2020. We extracted 902K active contributors out of 14 million GitHub accounts by observing their activity distribution, then explored their behavior distribution, active time in the day and week, and estimated time zone distributions on the basis of their circadian activity rhythm. To go deeper, a case study of 79 projects in CNCF and contrast analyses of different project maturity levels were conducted. Our results showed that from a macro perspective, bots are increasingly more active and can serve numerous projects. Contributors work on weekdays, and are globally more inclined toward the daytime working hours in the Americas and Europe. The time zone distribution also reveals that UTC+2 and UTC-4 have the most active contributors. A critical discovery was the validation and quantification of the high bus factor risk that exists in the OSS ecosystem. Whether from a large group point of view or within specific projects, a rather small group of OSS contributors (less than 20%) undertook the majority of the work. The GES can provide a wealth of information about open source software (OSS). Our findings provide insights into global GitHub collaboration behaviors and may help researchers and practitioners to further understand the modern OSS ecosystem.
- Research Article
3
- 10.2139/ssrn.2733293
- Feb 17, 2016
- SSRN Electronic Journal
Due to the nature of the rights protected under the European Convention on Human Rights (ECHR), some of which are temporally and socio-culturally bounded, the European Court of Human Rights (ECtHR) has often felt compelled to assume a standard-setter role when delivering judgments. This resulted in the transformation of the norms safeguarded under the ECHR ‘in the light of present day conditions’. This has certainly been the case for the norm against torture and inhuman or degrading treatment or punishment. This paper looks into how such an institutionalized, and ‘taken for granted’, norm has developed over time. I give an account of how the ECtHR’s jurisprudence has transformed the norm’s nature and scope. Analyzing the preparatory works and conducting large-scale content analysis on the relevant case law for the period between 1948 and 2006, I observe two developments. First, the scope of the norm has been broadened, particularly with the introduction of new obligations. The norm evolved from being conceptualized only in negative obligation terms (obligation to respect), to including positive obligations (obligations to protect and implement). Second, the thresholds to find a violation of this norm have been lowered. Based on a diachronic analysis, this research pinpoints that norms continue to develop even after being formally accepted or institutionalized, and judicial decisions serve as vehicles to set the boundary of (il)legitimate forms of treatment and punishment a State may employ within its jurisdiction.
- Book Chapter
3
- 10.1007/978-981-10-6385-5_63
- Jan 1, 2017
Large-scale software systems, which are the most sophisticated human-designed objects, play an increasingly important role in our daily life. Consequently, effective analysis of large-scale software has become an urgent problem to be solved, given the increasing issues of software security and the continuous expansion of software application scope. Because of the large scale and complex structure of large-scale software, traditional software analysis techniques are difficult to apply. To address the difficulty of presentation and storage and the low efficiency of large-scale software analysis, a visualization analysis framework for large-scale software based on software networks, named SoNet, is proposed, combining complex network theory and program slicing techniques. Constraint logic attributes of the programs are obtained through source code parsing. Then a global view is constructed by the theory of complex networks after extracting software structure and behavior, improving the user’s perception of software architecture from a macro perspective. Use case slicing is realized in combination with a Redis cluster, along with accessibility analysis when given a keyword to be analyzed. We evaluate our prototype implementation on an open source software project named SoundSea on GitHub, and the results suggest that our approach can realize the analysis of large-scale software.
- Research Article
2
- 10.3390/ai6120312
- Nov 28, 2025
- AI
Electroencephalography (EEG) provides excellent temporal resolution for brain activity analysis but limited spatial resolution at the sensors, making source unmixing essential. Our objective is to enable accurate brain activity analysis from EEG by providing a fast, calibration-free alternative to independent component analysis (ICA) that preserves ICA-like component interpretability for real-time and large-scale use. We introduce a convolutional neural network (CNN) that estimates ICA-like component activations and scalp topographies directly from short, preprocessed EEG epochs, enabling real-time and large-scale analysis. EEG data were acquired from 44 participants during a 40-min lecture on image processing and preprocessed using standard EEGLAB procedures. The CNN was trained to estimate ICA-like components and evaluated against ICA using waveform morphology, spectral characteristics, and scalp topographies. We term the approach “adaptive” because, at test time, it is calibration-free and remains robust to user/session variability, device/montage perturbations, and within-session drift via per-epoch normalization and automated channel quality masking. No online weight updates are performed; robustness arises from these inference-time mechanisms and multi-subject training. The proposed method achieved an average F1-score of 94.9%, precision of 92.9%, recall of 97.2%, and overall accuracy of 93.2%. Moreover, mean processing time per subject was reduced from 332.73 s with ICA to 4.86 s using the CNN, a ~68× improvement. While our primary endpoint is ICA-like decomposition fidelity (waveform, spectral, and scalp-map agreement), the clean/artifact classification metrics are reported only as a downstream utility check confirming that the CNN-ICA outputs remain practically useful for routine quality control. 
These results show that CNN-based EEG decomposition provides a practical and accurate alternative to ICA, delivering substantial computational gains while preserving signal fidelity and making ICA-like decomposition feasible for real-time and large-scale brain activity analysis in clinical, educational, and research contexts.
- Research Article
- 10.2478/eces-2023-0020
- Jun 1, 2023
- Ecological Chemistry and Engineering S
Drawing on the relevant research results at home and abroad, this paper focuses on the transfer of polluting industries in the central and western regions and residents’ health problems. Firstly, the current pattern and development trend of regional pollution transfer in China; secondly, the economic effect of the transfer of polluting industries on the western undertaking areas; finally, from the micro and macro perspectives, the paper investigates the impact of the transfer of polluting industries on the individual health and health expenditure of residents in western China. The results show that the gap between industrial environmental and economic efficiency in the western region narrowed and gradually stabilised from 2008 to 2017. However, the gap between industrial environmental efficiency and economic efficiency in the western region widened from 2017 to 2020. The impact of environmental pollution on industrial environmental efficiency in the western provinces and regions has regional differences. Secondly, the present situation and trend of pollution control in western China are macroscopically investigated by comparing the output of general industrial solid waste and the investment in pollution control in different regions. Finally, this paper reveals the impact of the transfer of polluting industries on the health of residents in western China. Based on the characteristics of household category, age, and income of interviewees, the income growth effect of the transfer of polluting industries is less than the health loss caused by the transfer of pollution. It can be found that the transfer of polluting industries has a significant impact on the environment, economy, and the health of residents in western China.