
ANALYSIS OF RANSOMWARE ATTACKS

CA K MANIKANDAN
M.No 254418

BATCH 53 OF ONLINE CERTIFICATE COURSE ON FORENSIC ACCOUNTING AND FRAUD DETECTION.


Introduction:
Attacks by one group against another have been carried out since ancient times, for many
reasons and with many kinds of weapons. From the Stone Age to the virtual age, weapons of
mass destruction have changed their face, from forged steel to computer code. People have
used arrows, swords, fire, bombs and even plague to destroy kingdoms, capture land and
commit genocide. The development of weapons of mass destruction stopped at the level of
nuclear and biological warfare, which created the need for a new generation of weapon, one
that does not take human lives and does not create border disputes.
People with bad intentions murdered others and took their livelihood, and over time they
became mercenaries. After a while they realised that killing the duck that lays the golden
egg is not a good idea, so they started a new line of business: abduction and demands for
ransom money. Over the years certain crimes became impossible, or not worth the risk to
life: abduction, assassination, blackmail, burglary, embezzlement, espionage, hijacking,
identity theft, mugging, robbery, shoplifting, smuggling, terrorism, trafficking, treason,
vandalism and voyeurism. In their place the computer era brought internet attacks such as
malware, phishing, denial of service (DoS), SQL injection, zero-day exploits, drive-by
attacks, password attacks and eavesdropping.
These new-generation attacks are used to obtain money, to conduct espionage, to stop a
service provider or block a public utility, to gain access to confidential information, and to
reveal movie scripts or the future strategic plans of an organisation.
One of the biggest recent threats of the virtual era is the ransomware attack. People may
think of it as something new, but it has existed since the late 1980s, when it first appeared in
the form of a Trojan horse; internet access was limited then and most attacks were carried
out by hackers as a hobby. In 1996 the concepts of cryptovirology and cryptoviruses were
introduced, showing that cryptography can be used for offensive purposes such as extortion;
this later evolved into crypto-ransomware. The offensive use of cryptography opened a new
field, the malicious use of cryptography, which provided the base for many viruses that use
cryptography to cause damage. By one widely quoted estimate, we create roughly 2.5
quintillion bytes of data every day, and with the growing popularity of IoT (Internet of
Things) the rate of data creation will become even greater. Protecting this data falls on each
individual.

Malicious Program
Malware is a malicious program aimed at gathering sensitive information or causing
disturbance or destruction to one or many users. It usually gains access to legitimate
resources and abuses them to interfere with normal operation.

Ransomware
Ransomware is a form of malware that infects a user's system and encrypts the user's data
without permission, restricting legitimate access to that data. The user is locked out of their
own files. The practically IRREVERSIBLE effect of a ransomware attack (without the
attacker's key, properly implemented encryption cannot be undone) makes it distinct from
other malware.
Ransomware finds its target files by mapping the user environment. Targeted files need to be
recent and of some value or importance, so ransomware may look at the recent-files history
and usually maps important folders such as My Documents, Pictures and other generic
folders, as well as the Recycle Bin. To judge the importance of a file, the last-accessed date is
observed and the difference between the creation date and the last-modified date is
calculated; both indicate the amount of work carried out on the file and the user's level of
interest in it.

Among the many known ransomware families, eighteen frequently cited ones are Cerber,
Chimera, CTB-Locker, Donald Trump, Jigsaw, Petya, Reveton, Satana, TeslaCrypt,
TorrentLocker, WannaCry, CryptoLocker, Odin, Shade, Locky, Spora, CryptorBit and
CryptoWall.

Once encryption is complete there is no way to decrypt the user's files other than with the
decryption key. To release the key, the attackers demand payment in a cryptocurrency,
usually Bitcoin, which is hard to trace (though not truly untraceable, since every transaction
is recorded on a public ledger). Ransomware attacks affect not only individuals; organisations
lose far more money. Because the damage is irreversible without the key, attackers exploit it
to collect payment in a hard-to-trace form. Victims are threatened with the loss of their data,
and in some cases also with the exposure of sensitive personal information such as browsing
history.

This malware is also tricky to handle because it combines two strategies. Some ransomware
uses asymmetric cryptography for encryption (so that the private key needed for decryption
never touches the victim's machine) and at the same time deletes recovery points and
shadow copies so that the data cannot be restored locally. Another prominent feature of
ransomware is that it looks like a benign (harmless) program, which makes it hard to
distinguish ransomware code from legitimate encryption applications.

Attacks succeed because victim organisations want their valuable data back, or fear losing
customers, and so usually pay the ransom. Other victims are users who are unaware of the
security breach and simply want their data back; victims with little knowledge of
ransomware usually pay. This malicious form of attack grows with every passing day,
causing loss of data or money to users and organisations.

Forms of Ransomware
Ransomware can be categorised into three main forms: locker, crypto and scareware.
1. Locker
The aim of locker ransomware is to block primary computer functions. Rather than
encrypting files, locker ransomware locks the computer screen and/or keyboard. It is
generally easy to overcome and can often be resolved by rebooting the computer in
safe mode or running an on-demand virus scanner.

2. Crypto
Crypto ransomware encrypts the user's sensitive files but does not interfere with basic
computer functions. Unlike locker ransomware, crypto ransomware is often
irreversible: current encryption techniques are practically impossible to revert without
the key if implemented properly.

3. Scareware
Scareware uses pop-up ads to manipulate users into believing that they are required
to download certain software, and so coerces them into downloading malware. In
scareware the cyber crooks exploit fear rather than locking the device or encrypting
any data.

The attack flow is shown in the flow chart below (the chart is not reproduced in this text).

Attack process
In general a ransomware attack is launched in three phases: pre-encryption, encryption and
post-encryption. Ransomware attacks follow a specific pattern that can be observed across
variants. The attack process consists of finding the target, distributing and installing the
infecting malware, locating the target files, encrypting them after generating the encryption
keys, and finally demanding the ransom through a note like the one on the cover page.

Devices being attacked
In the virtual era not only PCs but all IoT devices such as wearables, smart TVs and mobile
devices, as well as the fog layer, network devices and cloud-based systems, are vulnerable to
attack.

Red Flags

Certain actions can be used as red flags, and some behaviour patterns indicate that a
ransomware attack is in progress. They are:
1. Opening of many files
2. Unusual structure of input and output streams
3. Many write/overwrite operations
4. A process calling encryption APIs
5. Frequent read and rewrite/delete requests in a short period of time
6. Communication with a command-and-control server
7. Changes to user registry keys
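As an added example (not code from the original paper), the following Python script applies the red flags above as rules over a process event log. The log line format, the process names, the thresholds (five operations of a kind within a ten-second window, three flags to call a process suspicious) and every event in the sample are assumptions constructed for illustration; in practice the events would come from an EDR sensor or Sysmon.

```python
"""Rule-based red-flag detector over a constructed process event log.

Added example, not code from the original paper. Log format, process names,
thresholds and all events below are assumptions chosen for illustration.
Assumed log line format: "<seconds> <pid> <process> <EVENT> <detail>"
where EVENT is one of OPEN, WRITE, DELETE, API, NET, REG.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    t: float
    pid: int
    proc: str
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    t, pid, proc, kind, detail = line.split(maxsplit=4)
    return Event(float(t), int(pid), proc, kind, detail)


def red_flags(events: List[Event], window: float = 10.0, many: int = 5) -> Dict[int, List[str]]:
    """For each pid, return the largest set of red flags seen in any `window`-second span.

    Flags map to the list in the text: many files opened (1), many writes (3),
    encryption API calls (4), frequent delete-after-read in a short period (5),
    C2 communication (6), registry change (7). Flag 2 (I/O stream structure)
    needs content inspection and is left out here.
    """
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    result: Dict[int, List[str]] = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.t)
        best: set = set()
        lo = 0
        for hi in range(len(evs)):  # sliding window over time-sorted events
            while evs[hi].t - evs[lo].t > window:
                lo += 1
            span = evs[lo:hi + 1]
            counts: Dict[str, int] = defaultdict(int)
            for e in span:
                counts[e.kind] += 1
            flags = set()
            if counts["OPEN"] >= many:
                flags.add("many_files_opened")
            if counts["WRITE"] >= many:
                flags.add("many_write_operations")
            if any(e.kind == "API" and e.detail.startswith("Crypt") for e in span):
                flags.add("encryption_api_call")
            if counts["DELETE"] >= many:
                flags.add("frequent_delete_after_read")
            if counts["NET"]:
                flags.add("c2_communication")
            if counts["REG"]:
                flags.add("registry_change")
            if len(flags) > len(best):
                best = flags
        result[pid] = sorted(best)
    return result


def suspicious_pids(lines: List[str], min_flags: int = 3) -> Dict[int, List[str]]:
    """Parse raw log lines and keep only processes raising at least `min_flags` flags."""
    flags = red_flags([parse_line(line) for line in lines])
    return {pid: f for pid, f in flags.items() if len(f) >= min_flags}


# Constructed benign activity: a word processor saving a document slowly, then one sync.
BENIGN_LINES = [
    "0.0 4100 winword.exe OPEN C:\\Users\\alice\\Documents\\budget.docx",
    "5.0 4100 winword.exe WRITE C:\\Users\\alice\\Documents\\budget.docx",
    "30.0 4100 winword.exe WRITE C:\\Users\\alice\\Documents\\budget.docx",
    "31.0 4100 winword.exe NET 198.51.100.20:443",
]


def constructed_ransomware_lines(pid: int = 7331, proc: str = "update.exe", n_files: int = 8) -> List[str]:
    """Constructed ransomware-like burst: key generation, C2 contact, persistence,
    then open-encrypt-write-delete on n_files files within about two seconds."""
    lines = [
        f"1.0 {pid} {proc} API CryptGenKey",
        f"1.1 {pid} {proc} NET 203.0.113.7:443",
        f"1.2 {pid} {proc} REG HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    ]
    for i in range(n_files):
        t = 2.0 + i * 0.3
        path = f"C:\\Users\\alice\\Documents\\file{i}.docx"
        lines += [
            f"{t:.1f} {pid} {proc} OPEN {path}",
            f"{t + 0.1:.1f} {pid} {proc} API CryptEncrypt",
            f"{t + 0.2:.1f} {pid} {proc} WRITE {path}.locked",
            f"{t + 0.2:.1f} {pid} {proc} DELETE {path}",
        ]
    return lines


SAMPLE_LINES = BENIGN_LINES + constructed_ransomware_lines()

if __name__ == "__main__":
    for pid, flags in suspicious_pids(SAMPLE_LINES).items():
        print(f"pid {pid}: {', '.join(flags)}")
```

The word processor raises a single flag (one outbound connection), which is why the detector requires several flags together before naming a process; any one of them on its own is common in benign software.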

Identification of Ransomware and malware analysis

Malware analysis is the standard approach to understanding the components and behaviour of
malware, ransomware included. The analysis is useful for detecting attacks and preventing
similar attacks in the future. The approaches are:

1. Signature based Detection Approaches

In the static, signature-based detection approach, the unique patterns or code of already
known threats are compared with the code under examination. The advantages of
signature-based detection are that it is fast and has a low false-positive rate, which is why it
is so popular. One limitation is outdated samples: new variants keep appearing, so the
collection of known ransomware signatures needs periodic updating, and this updating
causes overhead. Unknown variants are missed until a signature exists for them.

2. Behavioural based Detection Approaches

In the behaviour-based detection approach the sample under examination is executed in a
controlled environment and its behaviour is monitored; detection is based on the behaviour
the sample shows. One published system of this kind used a decoy-file technique together
with process monitoring. Depth-first search and recursive approaches were considered for
traversing the file system, and decoy files were placed in every directory. When a process
operated on a decoy file, the process-monitoring module watched that process, and if
malicious activity was observed the process was referred to the user for a decision on
whether execution should continue.

3. Hybrid Detection Approaches

Hybrid approaches detect ransomware by combining signature-based and behaviour-based
detection. In one such study two different datasets were used to perform static and dynamic
analysis; feature engineering was applied to extract static and dynamic features, and deep
convolutional neural networks and other machine-learning models were used to detect the
ransomware.

File Analysis
Crypto ransomware modifies a file when it encrypts it. Large changes made to many files in a
computer's file system can indicate that a ransomware attack is underway. Several metrics
can be used to detect significant changes in files; four methods of file analysis are defined
below.

1. File entropy
Entropy measures the "randomness" of a file. Encrypted and compressed files have high
entropy compared with plaintext files. Hence, calculating the entropy of a file and
comparing the value with previous calculations for the same file can be used to
determine whether the file has been encrypted by ransomware. Note that legitimately
compressed or encrypted files (archives, media, password-protected documents) also
have high entropy, so entropy alone produces false positives.

2. File type
Ransomware commonly changes the extension of every file it encrypts. In addition to
entropy, a change in file type can therefore be used as a feature to determine the
presence of ransomware. Some families keep the original extension, so this feature
cannot be relied on by itself.

3. Similarity
Compared with benign file changes, such as modifying part of a file or adding new
text, the content of a file encrypted by ransomware should be completely dissimilar
from the original plaintext content. Hence, measuring the similarity of two versions of
the same file can be used to detect whether ransomware is present.

4. File I/O:
Ransomware performs read operations on user files without the user's permission. It
then executes write operations either to create encrypted copies of the target files or to
overwrite the originals in place. In the former case, ransomware performs additional
operations to delete the original files.
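The three file-content metrics above (entropy, file-type change, similarity) worked through on constructed data, as an added example that is not part of the original paper. The document generator, the toy stream cipher standing in for a real ransomware cipher, the chunk-hash similarity measure, the file names and the score thresholds are all assumptions chosen to keep the example self-contained and deterministic.

```python
"""File-analysis metrics from the text: entropy, file-type change, similarity.

Added example, not code from the original paper. The document generator, the
toy stream cipher, file names and the score thresholds are assumptions used
only to make the example self-contained and deterministic.
"""
import hashlib
import math
import os
import random
import zlib
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 4-5 for English text, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_similarity(a: bytes, b: bytes, size: int = 64) -> float:
    """Jaccard similarity (0..1) of the sets of SHA-256 digests of fixed-size chunks.
    Fixed chunks are simple but an insertion shifts every later boundary; real
    tools use content-defined chunking or similarity digests such as ssdeep/sdhash."""
    def digests(d: bytes) -> set:
        return {hashlib.sha256(d[i:i + size]).digest() for i in range(0, len(d), size)}
    da, db = digests(a), digests(b)
    union = da | db
    return len(da & db) / len(union) if union else 1.0


def extension(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def assess_change(old_name: str, old_data: bytes, new_name: str, new_data: bytes) -> Dict[str, object]:
    """Score one file transition; two or more indicators gives 'ransomware-like' (assumed rule)."""
    e_old, e_new = shannon_entropy(old_data), shannon_entropy(new_data)
    sim = chunk_similarity(old_data, new_data)
    ext_changed = extension(old_name) != extension(new_name)
    score = int(e_new >= 7.0) + int(sim <= 0.1) + int(ext_changed)
    return {
        "entropy_old": round(e_old, 2),
        "entropy_new": round(e_new, 2),
        "similarity": round(sim, 3),
        "extension_changed": ext_changed,
        "score": score,
        "verdict": "ransomware-like" if score >= 2 else "benign",
    }


def toy_stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """SHA-256 counter-mode keystream XOR. Stands in for the real cipher a
    ransomware family would use; it is not a cipher to use in practice."""
    out = bytearray()
    for off in range(0, len(plaintext), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[off:off + 32], ks))
    return bytes(out)


def constructed_document(words: int = 600, seed: int = 7) -> bytes:
    """Deterministic pseudo-English text (constructed sample, not a real file)."""
    vocab = ("the quarterly budget report lists revenue expenses and forecast figures "
             "for each regional office while the audit team reviews invoices contracts "
             "payroll ledgers receipts").split()
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(words)).encode()


ORIGINAL = constructed_document()
EDITED = ORIGINAL.replace(b"budget", b"target", 1) + b"\nReviewer note: figures verified."
ENCRYPTED = toy_stream_encrypt(b"constructed-key", ORIGINAL)
ARCHIVED = zlib.compress(ORIGINAL, 9)


def demo() -> Dict[str, Dict[str, object]]:
    """Three transitions of the same document: a user edit, encryption, and a ZIP archive."""
    return {
        "edit": assess_change("budget.docx", ORIGINAL, "budget.docx", EDITED),
        "encrypt": assess_change("budget.docx", ORIGINAL, "budget.docx.locked", ENCRYPTED),
        "archive": assess_change("budget.docx", ORIGINAL, "budget.zip", ARCHIVED),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)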

Honeypots
Honeypots (or honey files) are decoy files set up for the ransomware to attack. Once these
files are attacked, the attack is detected and stopped. Honey files are easy to set up and
require little maintenance. However, there is no guarantee the attacker will target these
decoys, so an attacker may encrypt other files while leaving the honey files untouched

Network Traffic Analysis


Network traffic analysis intercepts network packets and analyses communication traffic
patterns to detect ongoing malware attacks. For certain ransomware families, the
communication between the victim host and the C&C (command and control ) server behaves
much differently compared to normal conditions. This anomalous behaviour can be revealed
by studying certain traffic features. The four main features of network traffic used by
researchers to detect ransomware are discussed below.

1. Packet size:
The size of messages exchanged may be unusually large if they contain an encryption
key or encryption instructions.

2. Message frequency:
Ransomware significantly increases the number of HTTP POST request packets
within the traffic stream compared to the normal traffic. Additionally, there are
numerous TCP RST and TCP ACK packets in traffic used to terminate the malicious
TCP connections abnormally.

3. Malicious domains:
Communication between the ransomware and the C&C server can be blocked if the
server domain is identified as malicious. If a malicious domain is detected, the DNS
message is discarded and traffic from the host is blocked.

4. DGA detection:
Rather than using hardcoded domain addresses, which are susceptible to domain
blacklisting, some types of ransomware employ a Domain Generation Algorithm
(DGA) to generate a large number of domain names that can be used as rendezvous
points for their C&C servers.
5. Other features:
Hundreds of other extracted network features from various OSI layers can also be
used for ransomware detection.

Machine Learning
Machine learning models that detect ransomware by classifying computer programs as either
benign or ransomware based on their behaviour. With sufficient training data, these models
can spot attacks with a high degree of accuracy. Additionally, they are frequently able to
detect ransomware before it has a chance to encrypt any files. However, finding a suitable
model requires trial and error, and biasness or overfitting may occur if proper measures are
not taken. The features used in the surveyed literature include the following:

1. APIs / System calls


API calls are functions that facilitate the exchange of data among applications, while
system calls are service requests made by the ransomware makes API calls to the
C&C server to obtain an encryption or decryption key. Other API calls can be made to
maintain execution privileges on the host computer, enumerate the list of files to
encrypt, and access or modify files. Ransomware and benign programs have specific
call patterns or a unique order of calls that can be used to differentiate them.

2. Log files:
Log files can come from a variety of sources and record information that can indicate
whether a ransomware attack is underway. WannaCry and Petya ransomware exploit
DNS and NetBIOS and can be spotted by analyzing DNS and NetBIOS logs. I/O
request packets are generated for each file operation and contain parameters such as
the type of operation and the address and size of the data being read or written to.
These parameters can be extracted from I/O request packet logs and used as features.

3. File I/O:
Ransomware typically executes many more read operations than benign programs,
since it must read every file it encrypts. Additionally, it executes more write
operations on average. File operation metrics such as the number of files written to or
read from; the average entropy of file-write operations; the number of file operations
performed for each file extension; and the total number of files accessed can be used
to gauge if the file operations being performed are benign or part of a ransomware
attack

4. HPC values:
Hardware Performance Counters (HPCs) are a set of special-purpose registers that
were first introduced to verify the static and dynamic integrity of programs in order to
detect any malicious modifications to them. The time-series data collected from these
counters can be fed into a model to learn the behaviour of a system and detect
malicious programs through any statistical deviations in the data.
5. Opcode/Bytecode sequences:
Opcodes (”operation codes”) specify the basic processor instructions to be performed
by a machine, whereas bytecode is a form of instruction designed to be executed by a
program interpreter. These sequences have rich context and semantic information that
provide a snapshot of the program’s behaviour. This information can be extracted
through dynamic analysis and fed into a model to predict if a given program is benign
or malicious.

6. Process actions:
This refers to the sequence of events that occur while a program or application is
running. Ransomware will typically cause different events to occur compared to a
benign program; these events can be transformed into feature vectors and learned by a
model by extracting information such as text and encoding it as numerical values.

7. Others:
Related to web domains the length of the domain name, the number of days a domain
is registered, can be issued to identify intruder Portable Executable (PE) file headers,
which show the structure of a file and contain important information about the nature
of the executable file, have components that be used as features. Other sources for
features include the CPU e.g., power usage

Limitation in Detection of ransomware


Many Research and have been conducted on the topic of ransomware detection. There are
still limitations attached to each work. The limitations of existing detection work are listed
below:

1. Most of the conducted research for the ransomware detection fall under conventional
class where ransomware is detected after the encryption starts.
2. High number of irrelevant and redundant system calls used to bypass the detection
3. Developed ransomware studies used different number of logs from different
ransomware families.
4. The ransomware detection systems are platform dependent. A system developed for
windows API cannot be implemented for cloud and mobile devices.
5. Ransomware detection research cannot detect the ransomware which encrypt data
using its own native code.
6. Not all the detection research available in the literature are practical to implement.
Some of the presented studies are empirical or supplement detection systems.
7. Honeypot aka Decoy methods are not fully reliable as there is no guarantee the
honeypot folders will always be accessed by the attack.
8. Analyzing the samples for limited or ample time made the detection researches
inadequate to implement.
9. Dealing with little amount of data or massive data with high redundant values.
10. Some of the studies did not explain well about the analysis performed for the
detection
11. Unawareness among users
12. Lack of Open-Access Ransomware Libraries

Prevention:
Prevention aims at avoiding the occurrence of ransomware attack. It helps the potential user
to be protected from being a victim to this attack. Studies are conducted with an aim to stop
ransomware in the first place. It involves fixing the security holes in the system. Preventing
the device from attack is easier than applying the remedy after occurrence of an attack.
Prevention research were further classified into Proactive and Reactive research.

Proactive Prevention
Preventive technique continuously monitor the processes and directories for ransomware
detection. It utilized the statistical data collected from processor, memory, storage, and I/O
devices to detect, and remove the ransomware. Process with abnormal behavior carried
different statistics will be stopped or terminated. This technique was also able to detect
ransomware with new patterns.

Reactive Prevention
This system was able to hold original data by using the garbage collector. This system
performed detection by using the frequent read and rewrite requests on the storage devices.
Which is why it is called Self Defensible SSD

Conclusion
In this research paper, ransomware related concepts, and ransomware detection approaches
utilizing machine learning technologies, recent advances in ransomware analysis, detection,
and prevention were explored. This research is intended to provide a user manual that can
encourage researchers as a direction to work with available technologies in the field of
ransomware attack detection. It can help in developing the more efficient ransomware
detection models while considering the available solutions.

References:
1. www.forbes.com
2. https://www.engvid.com/english-resource/vocabulary-crime-criminals/
3. /www.lepide.com/blog/the-15-most-common-types-of-cyber-attacks/
4. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8463105/
5. https://crimesciencejournal.biomedcentral.com/articles/10.1186/s40163-019-0097-9
6. Evaluation of Live Forensic Techniques in Ransomware Attack Mitigation Simon R.
Daviesa,∗ , Richard Macfarlanea and William J. Buchanana
7. Ransomware Detection Using the Dynamic Analysis and Machine Learning: A
Survey and Research Directions Umara Urooj 1,*, Bander Ali Saleh Al-rimy 1,
Anazida Zainal 1 , Fuad A. Ghaleb 1 and Murad A. Rassam 2,3
8. Ransomware Guide Ms-Isac
9. ICAI.org

You might also like