Internet Forensic platform for tracking the money flow of financially-motivated malware

 

 

Background

As the Internet has increased in importance for governments, business and society, criminal activity has followed suit. Criminals use the Internet to facilitate and target their attacks with lucrative malware infections. Moreover, thanks to the anonymity offered by the Dark Web and the Darknet, perpetrators of online crime have established successful online marketplaces for the buying and selling of tools for these activities, namely malware-as-a-service.  Tampering with multimedia files and concealing information within them has, moreover, allowed criminals and malware to communicate undetected and to utilise unsuspicious means of infection. Cryptocurrencies, and Bitcoin in particular, have further facilitated criminals in handling their financial proceeds.

Ransomware and banking Trojans are among the types of malware that have recently gained popularity amongst online perpetrators. As of March 2017, they were the most prominent categories of malware encountered by Law Enforcement Agencies (LEAs) in Europe. The RAMSES project focuses its efforts on these types of malware, seeking to enhance European investigatory capabilities in the field.

 

Objectives

Motivated by the recent developments in cybercrime, the objective of the RAMSES project is to design and develop a holistic and intelligent forensic investigation platform for Law Enforcement Agencies (LEAs). To this end, RAMSES is developing a set of tools for internet forensics. To ensure the sustainable benefit of the project, RAMSES will undertake research to better understand malware investigations by LEAs, so the tools developed by RAMSES can enhance such investigations. RAMSES will also build a basis for long-term LEA collaboration in the sector by developing effective guidelines and collaborative methodologies for LEAs investigations. The impact and benefits of the RAMSES platform will be demonstrated through several pilot exercises in different countries, trainings and awareness campaigns.

 

Our Role

Within the project, Trilateral will undertake a comprehensive Privacy and Ethical Impact Assessment and analyse the ethical considerations of digital surveillance to ensure the RAMSES platform and tools, as well as their practical deployment during pilot exercises with participating LEAs and after the end of the project, meet privacy and data protection requirements and ethical standards. Trilateral will closely examine the functioning of the tools and work closely with technical partners to ensure that identified privacy and data protection risks are mitigated through technical, organisational or operational measures built into the architecture of the platform and tools or in the way the RAMSES technology is used.

Trilateral will also oversee the research ethics and data management aspects of the project, ensuring that the consortium respects individuals’ rights and freedoms, takes steps to prevent abuse and misuse of the RAMSES outputs and handles data in a secure and responsible manner. Due regard has been taken of the values of open data, promoted by the European Commission, as well as the sensitivity of law enforcement research.

 

Outputs

RAMSES will develop a big data platform and tools to extract, analyse, link and interpret information from the Internet that is related to financially-motivated malware. Using webscraping of the surface and deep layers of the web, these tools will look for patterns of fraudulent behaviour from among an enormous amount of unstructured and structured data. Along with particular desktop-based solutions, the RAMSES tools will provide insights regarding:

  • Ransomware and banking Trojan families and campaigns, their modus operandi and, in some cases, command & control servers
  • Clusters of Bitcoin addresses related to criminal activity and the links between them
  • Online malware market places
  • Multimedia (image and video) analysis to detect steganography, tampering and authorship

RAMSES will also research and expand the current state of knowledge regarding:

  • Existing and best practices for digital surveillance by LEAs
  • Economic modelling of malware as a business model and their implications
  • Role of cryptocurrencies in the e-crime field
  • The use and prevalence of image and video steganography over Social Media

These investigatory tools will be tested during the RAMSES pilots that will be held in collaboration with LEAs in at least three EU member states (Portugal, Belgium and Spain) and opportunities for future exploitation, including commercial applications, will be developed.

FACTSHEETS

RAMSES_Fact_Sheet_ENG

RAMSES_Fact_Sheet_ES

RAMSES_Fact_Sheet_GER

RAMSES_Fact_Sheet_ITA

RAMSES_Fact_Sheet_NL

RAMSES_Fact_Sheet_PRT

Impact

The project aims to significantly improve the tools for Internet forensics in Europe, enhancing LEA capabilities to understand and investigate ransomware and banking Trojan infections by providing a wide array of tools and knowledge sources. All tools will be designed and developed with privacy, data protection and ethics in mind. The project will also improve the training of LEA staff in performing such investigations and lead to more effective law enforcement procedures by enhancing these capabilities.

Finally, the consortium’s experience with developing complex investigatory tools for LEAs and understanding LEA requirements will be summarised and made publicly available, contributing to a better prepared and more competitive European technology-development sector, capable of responding to law enforcement needs.

For further information visit the RAMSES website and Twitter @RamsesEU 

 

Please contact our team for more information:

Anna Donovan, Senior Research Analyst at Trilateral Research

Anna Donovan Research Analyst


RAMSES – Internet Forensic Platform for Tracking The Money Flow Of Financially-Motivated Malware – has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 700326.