Report

Teaser, summary, work performed and final results

Periodic Reporting for period 1 - RAMSES (Internet Forensic platform for tracking the money flow of financially-motivated malware)

Teaser

The Internet has become a key part of any business activity, and criminal activity is no exception. Some crimes that predate the Internet, such as theft and scams, have found in it the perfect tool for carrying out their activities. The Internet allows criminals...

Summary

The Internet has become a key part of any business activity, and criminal activity is no exception. Some crimes that predate the Internet, such as theft and scams, have found in it the perfect tool for carrying out their activities. The Internet allows criminals to hide their real identity and to purchase specific tools for stealing sensitive data with a very low investment.

For this reason, the overall objective of the EU project RAMSES is to design and develop a holistic, intelligent, scalable and modular platform for Law Enforcement Agencies (LEAs) to facilitate digital forensic investigations. The system will extract, analyse, link and interpret information from the Internet related to financially-motivated malware. Customers, developers and malware victims will be included in order to obtain a better understanding of how and where malware is spread and to get to the source of the threat. To achieve these ambitious objectives, the project will rely on disruptive Big Data technologies, first to extract and store, and second to look for patterns of fraudulent behaviour in enormous amounts of unstructured and structured data.

Work performed

The main results of the first period are:

- Requirements of the Law Enforcement Agencies were defined. The consortium carried out desk research and literature analysis, combined with focused contributions from the partners, to obtain a knowledge-based approach. The intent was to combine knowledge generation with awareness raising and information sharing among the partners, thus facilitating a mutual understanding of the phenomenon, the real priorities and the specific user requirements. The consortium was also able to identify existing best practices and possible recommendations based on the active participation of LEAs in the knowledge-generation process, so as to merge the analysis of the enforcement framework with the criminological analysis of the phenomenon of financially motivated malware, as well as with the continuous technological evolution of Banking Trojans and ransomware.

- Definition of operational and ethical implications of the RAMSES project. The project partners studied the privacy, data protection and ethical implications of the RAMSES solution and research activities, focusing on the requirements for consortium partners. The privacy and ethical risks and their potential impacts were highlighted, and a comprehensive framework of safeguards and recommendations to guide RAMSES data collection, storage and processing was developed, so as to prevent any illegal and unethical activities and limit any negative privacy and ethical implications of RAMSES.

- Modelling malware from the point of view of Economic Theory. The consortium published a deliverable on the state of the art in economic modelling of ransomware. This report provides initial equations and algorithms for identifying traits of malware that contribute to its profitability. The consortium identified contributory and negative behaviours exhibited in historic ransomware strains, forming an understanding of how ransomware generates the profit it does (and allowing us to comment on ways in which ransomware operators may sabotage themselves by mimicking classical ransom scenarios). In addition, RAMSES developed an optimal economic model system, which identifies the optimal ransom(s) to request based on a surveyed population and selected ransomware strategy. This model also includes currently rare behaviours, such as price discrimination and population segmentation, which we theorise will become more common as ransomware becomes more sophisticated (and profitable).

- Development of a set of tools for Internet Forensics. Based on the LEAs' requirements, the development of new tools to help them in their investigations started: OSINT from both the surface web and the darknet, a Banking Trojans analyser, Multimedia Forensics, and Malware Intelligence.

Within this period the consortium carried out some dissemination activities with the objective of letting the general public and other LEAs know about the project and its aims. Some scientific papers were also published and some partners participated in conferences.

Final results

RAMSES impact is analysed from two different perspectives:

• External: The proposal has a clear focus on reaching tangible assets towards improving the tools for Internet Forensics in Europe. Additionally, RAMSES aims to use open-source and free software.

• Internal: The RAMSES impact is particularly relevant as a result of the research and innovation capacities of the consortium. For technological partners, RAMSES enables them to leverage and improve existing technology, putting it to use for a very specific problem. For LEAs, it materializes the exploitation of existing knowledge and enhances their care cycle, improving data collection for practitioners and constituting new communication channels with citizens.

Website & more info

More info: http://www.ramses2020.eu.