CA K MANIKANDAN
M.No 254418
Malicious Program
Malware is a malicious program aimed at gathering sensitive information or causing
disruption or destruction for one or many users. It usually gains access to legitimate
resources in order to interfere with their normal operation.
Ransomware
Ransomware is a form of malware that infects the user by encrypting data without the user's
permission. It restricts legitimate access to user data and cuts users off from their own
data. The IRREVERSIBLE effect of a ransomware attack makes it distinct from other
malware.
Ransomware targets user files by mapping the user environment. Targeted files need
to be recent and of some value or importance; therefore ransomware may look at the recent-files
history and usually maps important folders, such as My Documents, Pictures and other
generic folders, as well as the Recycle Bin. To determine the importance of a file, the last
accessed date is observed, and the difference between the creation date and the last
modified date is calculated; both indicate the amount of work carried out on the file, as well as the
user's level of interest.
Nearly 18 known ransomware types have been identified: Cerber, Chimera, CTB-Locker,
Donald Trump, Jigsaw, Petya, Reveton, Satana, TeslaCrypt, TorrentLocker,
WannaCry, CryptoLocker, Odin, Shade, Locky, Spora, CryptorBit and CryptoWall.
Once encryption is achieved there is no way to decrypt the user files other than with
the decryption key. To have the data decrypted, attackers demand payment in an untraceable
currency, bitcoin. Ransomware attacks affect not only individuals but also organizations,
which stand to lose more money. Because the effect is irreversible, attackers take advantage of it to
extort money in an untraceable form. Victims are threatened with losing their data, or with having
sensitive personal information such as their search history exposed, unless they pay.
This malware is also tricky to handle because it uses two strategies in its attack. Some
ransomware uses asymmetric cryptography for encryption along with deleting the
recovery points and shadow copies. One of the prominent features of ransomware is that it
looks like a benign (not harmful) program, making it hard to distinguish
ransomware code from legitimate encryption applications.
The reason attacks succeed is that victim organizations, wanting their valuable
data back or fearing the loss of potential users, usually end up paying the ransom. Other victims
include users who are unaware of security breaches and want their data back. So
victims with little knowledge about ransomware usually pay the ransom. This
damaging attack is growing with every passing day, causing data loss or monetary loss to users
and organizations.
Forms of Ransomware
It can be categorized into three main forms: locker, crypto and scareware.
1. Locker
The aim of locker ransomware is to block primary computer functions. Locker
ransomware may encrypt certain files in order to lock the computer screen and/or
keyboard, but it is generally easy to overcome and can often be resolved by rebooting
the computer in safe mode or running an on-demand virus scanner.
2. Crypto
Crypto ransomware encrypts the user's sensitive files but does not interfere with basic
computer functions. Unlike locker ransomware, crypto ransomware is often
irreversible: current encryption techniques are nearly impossible to revert if
implemented properly.
3. Scareware
Scareware may use pop-up ads to manipulate users into believing that they are
required to download certain software, thereby coercing them into
downloading malware. With scareware, the cyber crooks exploit fear rather than locking
the device or encrypting any data.
Attack process
In general, a ransomware attack is launched in three phases: pre-encryption, encryption
and post-encryption. Ransomware attacks follow a specific pattern that can be observed across
variants of ransomware. The attack process consists of finding the target, distributing and
installing the infecting virus or malware, then targeting files and encrypting them with
generated private keys, after which the intruder asks for ransom via a text message like the one on the cover page.
Devices being attacked
In the virtual era, not only PCs but all IoT devices, such as wearables, smart TVs, mobile devices,
the fog layer, network devices and cloud-based systems, are vulnerable to attack.
Red Flags
Certain actions can be used as red flags, and some behaviour patterns indicate the
occurrence of a ransomware attack. They are:
1. Opening of many files
2. Structure of input and output streams
3. Many write/overwrite operations
4. A process calling encryption APIs
5. Frequent reading and rewriting/deleting requests in a short period of time
6. Communication with command-and-control server
7. Change in the user registry keys
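The following script, added here as an illustration and not part of the original paper, scores the red flags above (many files opened, many writes, read-then-rewrite bursts, encryption API calls, registry changes) over a per-process file-activity log. The log format and every line in it are constructed; the op names "cryptapi" and "regset" are an assumption about what a sensor would emit. A benign backup job that only reads many files trips a single flag and is deliberately not reported.

```python
"""Behavioural red-flag scoring over a per-process file-activity log.
Added example, not from the original paper. The log format (one operation
per line: "seconds process pid op target") and every line are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    ts: float      # seconds since start of capture
    proc: str
    pid: int
    op: str        # open | read | write | delete | rename | cryptapi | regset (assumed sensor ops)
    target: str    # file path, API name or registry key


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proc, pid, op, target = line.split(maxsplit=4)
        events.append(Event(float(ts), proc, int(pid), op.lower(), target))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class ProcStats:
    first_ts: float
    last_ts: float
    opened: Set[str] = field(default_factory=set)
    read_files: Set[str] = field(default_factory=set)
    rewritten_after_read: Set[str] = field(default_factory=set)
    writes: int = 0
    deletes: int = 0
    crypto_api_calls: int = 0
    registry_changes: int = 0


def score_processes(events: List[Event], window: float = 10.0, min_files: int = 5,
                    min_writes: int = 5, min_rewrites: int = 5) -> Dict[Tuple[str, int], List[str]]:
    """Return {(process, pid): [reasons]}; thresholds are constructed, tune per environment."""
    stats: Dict[Tuple[str, int], ProcStats] = {}
    for e in events:
        s = stats.setdefault((e.proc, e.pid), ProcStats(e.ts, e.ts))
        s.last_ts = max(s.last_ts, e.ts)
        if e.op == "open":
            s.opened.add(e.target)
        elif e.op == "read":
            s.read_files.add(e.target)
        elif e.op in ("write", "delete", "rename"):
            if e.op == "write":
                s.writes += 1
            if e.op == "delete":
                s.deletes += 1
            if e.target in s.read_files:          # file was read first, then rewritten/removed
                s.rewritten_after_read.add(e.target)
        elif e.op == "cryptapi":
            s.crypto_api_calls += 1
        elif e.op == "regset":
            s.registry_changes += 1
    report = {}
    for key, s in stats.items():
        reasons = []
        if len(s.opened) >= min_files:
            reasons.append("opens many files")
        if s.writes >= min_writes:
            reasons.append("many write/overwrite operations")
        if len(s.rewritten_after_read) >= min_rewrites and s.last_ts - s.first_ts <= window:
            reasons.append("read-then-rewrite/delete burst in a short period")
        if s.crypto_api_calls and s.writes:
            reasons.append("calls encryption API while writing files")
        if s.registry_changes:
            reasons.append("changes user registry keys")
        report[key] = reasons
    return report


def flagged(report: Dict, min_reasons: int = 2) -> Dict:
    """One indicator alone (e.g. a backup tool opening many files) is not enough."""
    return {k: v for k, v in report.items() if len(v) >= min_reasons}


def constructed_log() -> str:
    """Constructed sample: an editor, a backup job and a process behaving like ransomware."""
    lines = ["0.00 winword.exe 1200 open C:\\Users\\a\\Documents\\report.docx",
             "0.40 winword.exe 1200 read C:\\Users\\a\\Documents\\report.docx",
             "5.10 winword.exe 1200 write C:\\Users\\a\\Documents\\report.docx"]
    for i in range(8):                      # backup.exe reads many files, writes only its archive
        lines.append(f"1.{i} backup.exe 2000 open C:\\Users\\a\\Pictures\\img{i}.jpg")
        lines.append(f"1.{i} backup.exe 2000 read C:\\Users\\a\\Pictures\\img{i}.jpg")
    lines.append("2.00 backup.exe 2000 write D:\\backup\\2024-01.zip")
    lines.append("3.00 updater.exe 4444 cryptapi CryptEncrypt")
    lines.append("3.01 updater.exe 4444 regset HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    for i in range(6):                      # updater.exe reads, overwrites and renames every document
        p, t = f"C:\\Users\\a\\Documents\\doc{i}.docx", 3.1 + i * 0.3
        lines += [f"{t:.2f} updater.exe 4444 open {p}", f"{t + 0.05:.2f} updater.exe 4444 read {p}",
                  f"{t + 0.10:.2f} updater.exe 4444 write {p}", f"{t + 0.15:.2f} updater.exe 4444 rename {p}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for key, reasons in flagged(score_processes(parse_log(constructed_log()))).items():
        print(key, reasons)
```

Requiring two independent indicators before raising an alert is what keeps legitimate bulk readers (backup, indexing, antivirus scans) out of the report; in practice the thresholds and the time window would be tuned against baseline activity on the host.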
File Analysis
Crypto ransomware modifies a file when encrypting it. Large changes made to many files in a
computer's file system can indicate that a ransomware attack is underway. There are
several metrics that can be used to detect significant changes in files. Four methods of
file analysis are defined below.
1. File entropy
This measures the “randomness” of a file. Encrypted and compressed files have high
entropy compared to plaintext files. Hence, calculating the entropy of a file and
comparing the value with previous calculations for the same file can be used to
determine whether the file has been affected by ransomware.
2. File type
Ransomware typically changes the extension of any file that it encrypts. In addition to
entropy, file type changes can be used as a feature to determine the presence of ransomware.
3. Similarity
In comparison with benign file changes, such as modifying parts of a file or adding
new text, the contents of a file encrypted by ransomware should be completely
dissimilar from the original plaintext content. Hence, measuring the similarity of two
versions of the same file can be used to detect whether ransomware is present.
4. File I/O:
Ransomware typically performs read operations to read user files without the user's
permission. It executes write operations either to create encrypted copies of the target
files or to overwrite the original files. In the former case, ransomware
performs additional operations to delete the original files.
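As an added example (not code from the paper), the script below implements three of the four file-analysis indicators above on a before/after pair: Shannon entropy of the content, file type (extension change plus loss of the magic header), and content similarity. The sample "image" and its benign edit and simulated encrypted version are constructed; the entropy-jump and similarity thresholds are assumptions to be tuned on real data.

```python
"""File-level indicators of crypto-ransomware activity: entropy, file type and
similarity. Added example, not part of the original paper; sample files and
thresholds are constructed for illustration."""
import difflib
import math
import random
from collections import Counter
from pathlib import PurePath
from typing import Dict, Optional

# Magic-number table for a few common types (these are the real signatures).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a constant file, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches_extension(data: bytes, path: str) -> Optional[bool]:
    """True/False when the extension has a known signature, None when it does not."""
    magic = MAGIC.get(PurePath(path).suffix.lower())
    return None if magic is None else data.startswith(magic)


def similarity(old: bytes, new: bytes) -> float:
    """0..1 ratio of matching bytes; autojunk off so repetitive binary content
    is not discarded as 'popular' junk by difflib's heuristic."""
    return difflib.SequenceMatcher(None, old, new, autojunk=False).ratio()


def assess_change(old_path: str, old_data: bytes, new_path: str, new_data: bytes,
                  entropy_jump: float = 2.0, sim_floor: float = 0.3) -> Dict:
    """Combine the indicators; two or more findings mark the change suspicious."""
    e_old, e_new = shannon_entropy(old_data), shannon_entropy(new_data)
    sim = similarity(old_data, new_data)
    findings = []
    if e_new - e_old >= entropy_jump and e_new > 7.0:
        findings.append("entropy jump")
    if PurePath(old_path).suffix.lower() != PurePath(new_path).suffix.lower():
        findings.append("extension changed")
    # The old file had a valid header for its type and the new content no longer does.
    if header_matches_extension(old_data, old_path) and header_matches_extension(new_data, old_path) is False:
        findings.append("magic header lost")
    if sim < sim_floor:
        findings.append("content dissimilar")
    return {"entropy_before": e_old, "entropy_after": e_new, "similarity": sim,
            "findings": findings, "suspicious": len(findings) >= 2}


# --- constructed sample files ---------------------------------------------
ORIGINAL_PATH = "C:/Users/a/Pictures/photo.png"
ORIGINAL = MAGIC[".png"] + bytes([0x00, 0x10, 0x20, 0x30]) * 256      # low-entropy "image"
# Benign edit: the last four bytes changed and a short chunk appended.
EDITED = ORIGINAL[:-4] + b"\x01\x11\x21\x31" + b"\x00\x10\x20\x30" * 4
# Simulated encryption: same length, pseudo-random bytes from a seeded RNG, new extension.
_rng = random.Random(20240101)
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(len(ORIGINAL)))
ENCRYPTED_PATH = ORIGINAL_PATH + ".locked"


def demo() -> Dict[str, Dict]:
    return {
        "benign": assess_change(ORIGINAL_PATH, ORIGINAL, ORIGINAL_PATH, EDITED),
        "ransomed": assess_change(ORIGINAL_PATH, ORIGINAL, ENCRYPTED_PATH, ENCRYPTED),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, round(r["entropy_before"], 2), round(r["entropy_after"], 2),
              round(r["similarity"], 3), r["findings"])
```

Entropy alone is a weak signal because compressed formats (JPEG, ZIP, DOCX) are already near 8 bits per byte before any attack, which is why the example demands an entropy jump relative to the previous version and corroborates it with the header and similarity checks.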
Honeypots
Honeypots (or honey files) are decoy files set up for the ransomware to attack. Once these
files are attacked, the attack is detected and stopped. Honey files are easy to set up and
require little maintenance. However, there is no guarantee the attacker will target these
decoys, so an attacker may encrypt other files while leaving the honey files untouched.
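A minimal honey-file monitor, added as an illustration and not taken from the paper: it plants decoy files with plausible names, records a SHA-256 baseline, and reports any decoy that is modified, missing or accompanied by an unexpected new file. The decoy names and contents are constructed, and the demo simulates tampering itself in a temporary directory.

```python
"""Honey-file (decoy) integrity check. Added example, not from the original
paper: decoy names and contents are constructed; demo() simulates tampering
by overwriting one decoy and renaming another."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed decoy names: sort early so a file walker meets them first, and look valuable.
DECOY_NAMES = ["00_Accounts_2023.xlsx", "00_passwords_backup.txt", "00_contracts.docx"]


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def create_decoys(directory: Path) -> Dict[str, str]:
    """Write the decoys and return a baseline {path: sha256}."""
    directory.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in DECOY_NAMES:
        p = directory / name
        p.write_bytes(f"decoy content for {name}; contains nothing real\n".encode() * 40)
        baseline[str(p)] = _sha256(p)
    return baseline


def check_decoys(baseline: Dict[str, str], directory: Path) -> List[Tuple[str, str]]:
    """Return (path, reason) alerts for modified, missing or unexpected files."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "missing (deleted or renamed)"))
        elif _sha256(p) != digest:
            alerts.append((path, "content changed"))
    for p in sorted(directory.iterdir()):
        if str(p) not in baseline:
            alerts.append((str(p), "unexpected file in decoy directory"))
    return alerts


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Baseline, verify clean, simulate tampering, verify again; returns both alert lists."""
    root = Path(tempfile.mkdtemp(prefix="honey_"))
    try:
        decoy_dir = root / "Documents" / "Finance"
        baseline = create_decoys(decoy_dir)
        clean = check_decoys(baseline, decoy_dir)
        # Simulated tampering (constructed): overwrite one decoy, rename another with a new extension.
        (decoy_dir / DECOY_NAMES[0]).write_bytes(b"\x00" * 64)
        os.replace(decoy_dir / DECOY_NAMES[1], decoy_dir / (DECOY_NAMES[1] + ".locked"))
        tampered = check_decoys(baseline, decoy_dir)
        return clean, tampered
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)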
1. Packet size:
The size of messages exchanged may be unusually large if they contain an encryption
key or encryption instructions.
2. Message frequency:
Ransomware significantly increases the number of HTTP POST request packets
in the traffic stream compared to normal traffic. Additionally, numerous TCP RST
and TCP ACK packets appear in the traffic, used to terminate the malicious
TCP connections abnormally.
3. Malicious domains:
Communication between the ransomware and the C&C server can be blocked if the
server domain is identified as malicious. If a malicious domain is detected, the DNS
message is discarded and traffic from the host is blocked.
4. DGA detection:
Rather than using hardcoded domain addresses, which are susceptible to domain
blacklisting, some types of ransomware employ a Domain Generation Algorithm
(DGA) to generate a large number of domain names that can be used as rendezvous
points for their C&C servers.
5. Other features:
Hundreds of other extracted network features from various OSI layers can also be
used for ransomware detection.
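The script below, an added example rather than the paper's own code, shows the "malicious domains" and "DGA detection" ideas from the list above in one DNS-side check: a name is blocked if it is on a blocklist, or if enough lexical signals typical of algorithmically generated labels fire (high character entropy, few vowels, long consonant runs, many digits, long label). The sample queries, the blocklist entry and all thresholds are constructed; a long but legitimate-looking name is included to show why a single signal is not enough.

```python
"""Lexical DGA heuristics plus a DNS blocklist check. Added example, not part
of the original paper; domains, blocklist and thresholds are constructed."""
import math
from collections import Counter
from typing import Dict, Set

VOWELS = set("aeiou")


def _entropy(s: str) -> float:
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_label(domain: str) -> str:
    """Second-level label ('xk7qz' in 'www.xk7qz.net'); host prefixes are ignored."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_domain(domain: str) -> Dict:
    """Count lexical signals; three or more mark the name as DGA-like."""
    label = registered_label(domain)
    alnum = [c for c in label if c.isalnum()]
    n = max(len(alnum), 1)
    vowel_ratio = sum(c in VOWELS for c in alnum) / n
    digit_ratio = sum(c.isdigit() for c in alnum) / n
    longest_run = run = 0
    for c in label:                                   # run of non-vowel letters/digits
        run = run + 1 if c.isalnum() and c not in VOWELS else 0
        longest_run = max(longest_run, run)
    signals = {
        "high_entropy": _entropy(label) > 3.5,
        "few_vowels": vowel_ratio < 0.2,
        "long_consonant_run": longest_run >= 5,
        "many_digits": digit_ratio > 0.15,
        "long_label": len(label) >= 12,
    }
    score = sum(signals.values())
    return {"domain": domain, "label": label, "score": score,
            "signals": signals, "dga_like": score >= 3}


# Constructed blocklist; a real deployment would load threat-intelligence feeds.
BLOCKLIST: Set[str] = {"evil-c2.example"}


def classify_query(domain: str, blocklist: Set[str] = BLOCKLIST) -> str:
    """'block:blocklist' for known-bad names, 'block:dga' for DGA-like names, else 'allow'."""
    d = domain.lower().rstrip(".")
    if d in blocklist or any(d.endswith("." + b) for b in blocklist):
        return "block:blocklist"
    if score_domain(d)["dga_like"]:
        return "block:dga"
    return "allow"


# Constructed sample queries (the .example TLD is reserved for documentation).
SAMPLE_QUERIES = ["www.google.com", "wikipedia.org", "microsoftupdate.com",
                  "xk7qz2bv9wpl3m.net", "sdfkjhasdkjfh.biz", "api.evil-c2.example"]


def demo() -> Dict[str, str]:
    return {q: classify_query(q) for q in SAMPLE_QUERIES}


if __name__ == "__main__":
    for q, verdict in demo().items():
        print(f"{q:28} {verdict:16} score={score_domain(q)['score']}")
```

Lexical scoring catches the random-looking families but not DGAs built from dictionary words; in practice it is combined with the traffic features listed above (NXDOMAIN bursts, POST frequency, resolution to fresh or parked IPs) rather than used on its own.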
Machine Learning
Machine learning models detect ransomware by classifying computer programs as either
benign or ransomware based on their behaviour. With sufficient training data, these models
can spot attacks with a high degree of accuracy. Additionally, they are frequently able to
detect ransomware before it has a chance to encrypt any files. However, finding a suitable
model requires trial and error, and bias or overfitting may occur if proper measures are
not taken. The features used in the surveyed literature include the following:
2. Log files:
Log files can come from a variety of sources and record information that can indicate
whether a ransomware attack is underway. WannaCry and Petya ransomware exploit
DNS and NetBIOS and can be spotted by analyzing DNS and NetBIOS logs. I/O
request packets are generated for each file operation and contain parameters such as
the type of operation and the address and size of the data being read or written.
These parameters can be extracted from I/O request packet logs and used as features.
3. File I/O:
Ransomware typically executes many more read operations than benign programs,
since it must read every file it encrypts. Additionally, it executes more write
operations on average. File operation metrics such as the number of files written to or
read from, the average entropy of file-write operations, the number of file operations
performed for each file extension, and the total number of files accessed can be used
to gauge whether the file operations being performed are benign or part of a ransomware
attack.
4. HPC values:
Hardware Performance Counters (HPCs) are a set of special-purpose registers that
were first introduced to verify the static and dynamic integrity of programs in order to
detect any malicious modifications to them. The time-series data collected from these
counters can be fed into a model to learn the behaviour of a system and detect
malicious programs through any statistical deviations in the data.
5. Opcode/Bytecode sequences:
Opcodes (“operation codes”) specify the basic processor instructions to be performed
by a machine, whereas bytecode is a form of instruction designed to be executed by a
program interpreter. These sequences have rich context and semantic information that
provide a snapshot of the program’s behaviour. This information can be extracted
through dynamic analysis and fed into a model to predict if a given program is benign
or malicious.
6. Process actions:
This refers to the sequence of events that occur while a program or application is
running. Ransomware will typically cause different events to occur compared to a
benign program; these events can be transformed into feature vectors and learned by a
model by extracting information such as text and encoding it as numerical values.
7. Others:
Related to web domains, the length of the domain name and the number of days a domain
has been registered can be used to identify an intruder. Portable Executable (PE) file headers,
which show the structure of a file and contain important information about the nature
of the executable file, have components that can be used as features. Other sources for
features include the CPU, e.g., power usage.
1. Most of the research conducted on ransomware detection falls under the conventional
class, where ransomware is detected after the encryption starts.
2. A high number of irrelevant and redundant system calls is used to bypass detection.
3. Published ransomware studies used different numbers of logs from different
ransomware families.
4. Ransomware detection systems are platform dependent. A system developed for the
Windows API cannot be implemented for cloud and mobile devices.
5. Ransomware detection research cannot detect ransomware that encrypts data
using its own native code.
6. Not all the detection research available in the literature is practical to implement.
Some of the presented studies are empirical or supplementary detection systems.
7. Honeypot (decoy) methods are not fully reliable, as there is no guarantee the
honeypot folders will always be accessed by the attack.
8. Analysing the samples for too limited or too long a time made the detection research
inadequate to implement.
9. Dealing with a small amount of data, or massive data with highly redundant values.
10. Some of the studies did not explain well the analysis performed for the
detection.
11. Unawareness among users
12. Lack of Open-Access Ransomware Libraries
Prevention:
Prevention aims at avoiding the occurrence of a ransomware attack. It helps the potential user
to be protected from becoming a victim of this attack. Studies are conducted with the aim of stopping
ransomware in the first place. It involves fixing the security holes in the system. Preventing
the device from attack is easier than applying a remedy after an attack has occurred.
Prevention research is further classified into proactive and reactive research.
Proactive Prevention
This preventive technique continuously monitors processes and directories for ransomware
detection. It utilizes statistical data collected from the processor, memory, storage and I/O
devices to detect and remove ransomware. A process whose abnormal behaviour produces
different statistics is stopped or terminated. This technique was also able to detect
ransomware with new patterns.
Reactive Prevention
This system was able to retain the original data by using the garbage collector. It
performed detection by observing the frequent read and rewrite requests on the storage device,
which is why it is called a Self-Defensible SSD.
Conclusion
In this research paper, ransomware-related concepts, ransomware detection approaches
utilizing machine learning technologies, and recent advances in ransomware analysis, detection
and prevention were explored. This research is intended to provide a user manual that can
give researchers a direction for working with the available technologies in the field of
ransomware attack detection. It can help in developing more efficient ransomware
detection models while considering the available solutions.