
RESEARCH PAPER

ON

ANALYSES OF RANSOMWARE ATTACKS

PRESENTED BY

CA. MILIND A KULKARNI

1|Page
TABLE OF CONTENTS

Sl. No. | CONTENTS | PAGE No.

1. Introduction: what is Ransomware? 3
2. History of Ransomware 3
3. How ransomware works 4
4. Ransomware distribution techniques 5
5. Types of Ransomware 6-7
6. How does ransomware affect businesses? 7
7. Steps for responding to an attack 8
8. How to prevent ransomware attacks? 8-9
9. Examples of Ransomware 9
10. Conclusion 10

1. INTRODUCTION: WHAT IS RANSOMWARE?

Ransomware is malware designed to deny a user or organization access to the files on their computer.
By encrypting these files and demanding a ransom payment for the decryption key, cyber attackers
place organizations in a position where paying the ransom appears to be the easiest and cheapest way
to regain access to their files.

Ransomware is a type of malware that holds a victim’s data or device hostage, threatening to keep it
locked—or worse—unless the victim pays a ransom to the attacker. This type of attack takes
advantage of human, system, network, and software vulnerabilities to infect the victim’s device—
which can be a computer, printer, smartphone, wearable, point-of-sale (POS) terminal, or other
endpoint.

If a computer or network has been infected with ransomware, the ransomware blocks access to the
system or encrypts its data. Cyber criminals then demand ransom money from their victims in exchange
for releasing the data. To protect against ransomware infection, a watchful eye and security
software are recommended. Victims of malware attacks have three options after an infection: they
can pay the ransom, try to remove the malware, or restart the device.

However, even if you pay the ransom, there is no guarantee that you will get access to your computer
or your files. Attackers will also threaten to publish data if payment is not made. To counter this,
organisations should take measures to minimise the impact of data exfiltration.

2. HISTORY OF RANSOMWARE

One of the first ransomware attacks ever documented was the AIDS Trojan (PC Cyborg
Virus), which was released via floppy disk in 1989. Victims needed to send $189 to a P.O. box in
Panama to restore access to their systems, even though it was a simple virus that used symmetric
cryptography.

Harvard-trained evolutionary biologist Joseph L. Popp sent 20,000 infected diskettes labelled “AIDS
Information – Introductory Diskettes” to attendees of the World Health Organization’s international
AIDS conference.

After 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer’s
computer. To regain access, the user had to send $189 to PC Cyborg Corp. at a post office box
in Panama.

Fast Forward to the Internet Age

In 2006, criminal organizations began using more effective asymmetric RSA encryption.

• The Archives Trojan encrypted everything in the My Documents directory and required
victims to purchase items from an online pharmacy to receive the 30-digit password.

• GPcode, an encryption Trojan that initially spread via an email attachment
purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant
(GPcode.AK) used a 1024-bit RSA key.

Starting in 2011, ransomware moved into the big time. About 60,000 new ransomware samples were
detected in Q3 2011, and the number more than doubled by Q3 2012, to over 200,000. What is most
astounding is that from Q3 2014 to Q1 2015, ransomware more than quadrupled.

• The modern ransomware craze began with the WannaCry outbreak of 2017. This large-scale
and highly publicized attack demonstrated that ransomware attacks were possible and
potentially profitable. Since then, dozens of ransomware variants have been developed and
used in a variety of attacks.

• In an age dominated by digital risks, a staggering 71% of companies have encountered
ransomware attacks, resulting in an average financial loss of $4.35 million per incident.

• In the year 2023 alone, attempted ransomware attacks targeted 10% of organizations
globally. This marks a notable rise from the 7% of organizations facing similar threats in the
previous year, and represents the highest rate recorded in recent years.

3. HOW RANSOMWARE WORKS

a. Infection—Ransomware is covertly downloaded and installed on the device.
b. Execution—Ransomware scans and maps locations for targeted file types, including
locally stored files, and mapped and unmapped network-accessible systems. Some
ransomware attacks also delete or encrypt any backup files and folders.
c. Encryption—Ransomware performs a key exchange with the Command and Control Server,
using the encryption key to scramble all files discovered during the Execution step. It also
locks access to the data. (See Figure 2.)
d. User Notification—Ransomware adds instruction files detailing the pay-for-decryption
process, then uses those files to display a ransom note to the user.
e. Clean-up—Ransomware usually terminates and deletes itself, leaving only the payment
instruction files.
f. Payment—The victim clicks a link in the payment instructions, which takes the victim to a web
page with additional information on how to make the required ransom payment. Hidden TOR
services are often used to encapsulate and obfuscate these communications to avoid detection
by network traffic monitoring.
g. Decryption—After the victim pays the ransom, usually to the attacker’s Bitcoin address, the
victim may receive the decryption key. However, there is no guarantee that the decryption key
will be delivered as promised.

4. RANSOMWARE DISTRIBUTION TECHNIQUES

Distribution technique: Description

Phishing email: Clicking a link embedded in an email, which redirects to a malicious web page.

Email attachments: Opening an email attachment and enabling malicious macros; or downloading a
document embedded with a Remote Access Trojan (RAT); or downloading a ZIP file containing a
malicious JavaScript or Windows Script Host (WSH) file.

Social media: Clicking a malicious link on Facebook, Twitter, social media posts, instant messenger
chats, etc.

Malvertising: Clicking a legitimate advertising site seeded with malicious code.

Infected programs: Installing an application or program containing malicious code.

Drive-by infections: Visiting an unsafe, suspicious, or fake web page; or opening or closing a pop-up.
NOTE: A legitimate web page can be compromised if malicious JavaScript code is injected into the
page’s content.

Traffic Distribution System (TDS): Clicking a link on a legitimate gateway web page that redirects
the user to a malicious site, based on the user’s geo-location, browser, operating system, or other
filter.

Self-propagation: Spreading the malicious code to other devices through network and USB drives.
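The "Email attachments" row above describes ZIP files carrying JavaScript or Windows Script Host payloads and documents with malicious macros. The following is an added example (not code from the paper) of the kind of attachment screening a mail gateway or mail-flow rule applies to that row: it flags script and macro-enabled extensions, double extensions such as "invoice.pdf.js", and looks inside ZIP archives for the same. The extension lists, the sample attachments and the ZIP contents are constructed for the example.

```python
"""Screen a mail attachment for the dropper types named in the distribution
table (JavaScript / WSH scripts, macro-enabled documents, ZIPs wrapping them).
Added example, not from the paper; names, lists and sample data are constructed."""
import io
import zipfile
from dataclasses import dataclass, field

# JavaScript and Windows Script Host extensions (the table's ZIP payloads) plus
# macro-enabled Office formats (the table's "enabling malicious macros" case).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
ARCHIVE_EXTENSIONS = {".zip"}
# Decoy "inner" extensions seen in double-extension names like "invoice.pdf.js".
DECOY_EXTENSIONS = {".pdf", ".doc", ".txt", ".jpg"}


@dataclass
class Verdict:
    blocked: bool
    reasons: list = field(default_factory=list)


def _extension(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _double_extension(name: str) -> bool:
    # The real type is the last extension; the one before it is only cosmetic.
    parts = name.lower().split(".")
    return len(parts) >= 3 and ("." + parts[-2]) in DECOY_EXTENSIONS


def screen_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict for one attachment, descending into ZIP archives."""
    v = Verdict(blocked=False)
    ext = _extension(filename)
    if ext in SCRIPT_EXTENSIONS:
        v.reasons.append(f"script attachment: {filename}")
    elif ext in MACRO_EXTENSIONS:
        v.reasons.append(f"macro-enabled document: {filename}")
    if _double_extension(filename):
        v.reasons.append(f"double extension: {filename}")
    if ext in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if _extension(info.filename) in SCRIPT_EXTENSIONS | MACRO_EXTENSIONS:
                        v.reasons.append(f"archive member: {info.filename}")
                    if _double_extension(info.filename):
                        v.reasons.append(f"double extension in archive: {info.filename}")
                    if info.flag_bits & 0x1:  # bit 0 = encrypted member: cannot be scanned
                        v.reasons.append(f"encrypted archive member: {info.filename}")
        except zipfile.BadZipFile:
            v.reasons.append(f"malformed archive: {filename}")
    v.blocked = bool(v.reasons)
    return v


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP carrying a JavaScript file next to a decoy note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Please see the attached invoice.")
        zf.writestr("Invoice_2024.pdf.js", "// constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in [("report.pdf", b"%PDF-1.4"), ("invoice.zip", build_sample_zip())]:
        verdict = screen_attachment(name, payload)
        print(name, "BLOCKED" if verdict.blocked else "allowed", verdict.reasons)
```

An encrypted ZIP member is flagged rather than allowed through unscanned, because password-protected archives are a standard way to get a script past a gateway; the password then travels in the mail body for the user to type in.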

5. TYPES OF RANSOMWARE

Type: Description

Scareware: This common type of ransomware deceives users by displaying a fake warning message
claiming malware has been detected on the victim’s computer. These attacks are often disguised as an
antivirus solution demanding payment to remove the non-existent malware.

Screen lockers: These programs are designed to lock the victim out of their computer, preventing
them from accessing any files or data. A message is typically displayed that demands payment to
unlock it.

Encrypting ransomware: Also called “crypto-ransomware,” this common ransomware encrypts the
victim’s files and demands payment in exchange for a decryption key.

DDoS extortion: A Distributed Denial of Service extortion threatens to launch a DDoS attack against
the victim’s website or network unless a ransom payment is fulfilled.

Mobile ransomware: As the name suggests, mobile ransomware targets devices like smartphones and
tablets and demands payment to unlock the device or decrypt the data.

Doxware: While less common, this sophisticated type of ransomware threatens to publish sensitive,
explicit, or confidential information from the victim’s computer unless a ransom is paid.

Ransomware-as-a-Service (RaaS): Cybercriminals offer ransomware programs to other hackers or
cyber-attackers, who use such programs to target victims.

6. HOW DOES RANSOMWARE AFFECT BUSINESSES?

A. Financial Losses: Ransomware attacks are designed to force their victims to pay a ransom.
Additionally, companies can lose money due to the costs of remediating the infection, lost
business, and potential legal fees.

B. Data Loss: Some ransomware attacks encrypt data as part of their extortion efforts. Often,
this can result in data loss, even if the company pays the ransom and receives a decryptor.

C. Data Breach: Ransomware groups are increasingly pivoting to double or triple extortion
attacks. These attacks incorporate data theft and potential exposure alongside data encryption.

D. Downtime: Ransomware encrypts critical data, and triple extortion attacks may
incorporate DDoS attacks. Both of these have the potential to cause operational downtime for
an organization.

E. Brand Damage: Ransomware attacks can harm an organization’s reputation with customers
and partners. This is especially true if customer data is breached or they receive ransom
demands as well.

F. Legal and Regulatory Penalties: Ransomware attacks may be enabled by security
negligence and may include the breach of sensitive data. This may open up a company to
lawsuits or penalties being levied by regulators.
7. STEPS FOR RESPONDING TO AN ATTACK

The following are the basic steps for responding properly to ransomware; note that expert
intervention is usually required for root-cause analysis, clean-up, and investigations.

A. Determine which systems are impacted. You must isolate these systems so that they cannot affect
the rest of the environment. This step is part of containment and minimizes damage to the
environment.

B. Disconnect systems and power them down if necessary. Ransomware spreads rapidly on
the network, so affected systems must be disconnected by disabling network access or powering
them down.

C. Prioritize the restoration of systems. This ensures that the most critical ones are returned to
normal first. Typically, priority is based on productivity and revenue impact.

D. Reset credentials. Reset credentials, including passwords.

E. Eradicate the threat from the network. Attackers might use backdoors, so eradication must
be done by a trusted expert. The expert needs access to logs to perform a root-cause analysis
that identifies the vulnerability and all impacted systems.

F. Have a professional review the environment for potential security upgrades. It’s common
for a ransomware victim to be a target for a second attack. Undetected vulnerabilities can be
exploited again.

8. HOW TO PREVENT RANSOMWARE ATTACKS?

I. Defend your email against Ransomware: Email phishing and spam are the primary ways
ransomware attacks are distributed. Secure Email Gateways with targeted attack
protection are crucial for detecting and blocking malicious emails that deliver ransomware.
These solutions protect against malicious attachments, malicious documents, and URLs in
emails delivered to user computers.

II. Defend your mobile devices against Ransomware: When used with mobile device
management (MDM) tools, mobile attack protection products can analyse applications on
user devices and immediately alert users and IT to any applications that might compromise
the environment.

III. Defend your web surfing against Ransomware: Secure web gateways can scan users’ web
surfing traffic to identify malicious web ads that might lead them to ransomware.

IV. Monitor your server and network and back up key systems: Monitoring tools can detect
unusual file access activity, viruses, network C&C traffic and CPU loads in time to block
ransomware from activating. Keeping a full image copy of crucial systems can reduce the risk
of a crashed or encrypted machine causing a critical operational bottleneck.
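Item IV above says monitoring tools can detect "unusual file access activities" in time to block ransomware from activating; the Execution and Encryption steps in section 3 describe what that activity looks like (many files rewritten in a short burst, originals removed, instruction files dropped). The block below is an added example, not code from the paper, of such detection logic run over a constructed file-audit log. The log format (timestamp, pid, process, action, path), the process name, the thresholds and the ransom-note filenames are all constructed for the example; in practice the note names would come from threat intelligence rather than a hard-coded set.

```python
"""Flag ransomware-like file activity in a file-audit log: one process writing
many distinct files in a short window, rewriting files under a new extension
while deleting the originals, and dropping instruction files.
Added example, not from the paper; format, thresholds and data are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)     # sliding window per process (constructed)
MAX_DISTINCT_FILES = 20            # distinct files written within WINDOW (constructed)
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "decrypt_instructions.html"}


def parse_line(line):
    """Constructed log format: 'timestamp,pid,process,action,path'."""
    ts, pid, proc, action, path = line.rstrip("\n").split(",", 4)
    return datetime.fromisoformat(ts), int(pid), proc, action, path


def detect(lines):
    """Return (pid, process, alert_kind) tuples; each kind fires once per pid."""
    writes = defaultdict(deque)    # pid -> (ts, path) of WRITEs inside WINDOW
    deletes = defaultdict(deque)   # pid -> (ts, path) of DELETEs inside WINDOW
    alerts, seen = [], set()

    def alert(pid, proc, kind):
        if (pid, kind) not in seen:
            seen.add((pid, kind))
            alerts.append((pid, proc, kind))

    for line in lines:
        if not line.strip():
            continue
        ts, pid, proc, action, path = parse_line(line)
        for dq in (writes[pid], deletes[pid]):          # expire old events
            while dq and ts - dq[0][0] > WINDOW:
                dq.popleft()
        if action == "DELETE":
            deletes[pid].append((ts, path))
            # original deleted after "<original>.<newext>" was written by the same pid
            if any(p.rsplit(".", 1)[0] == path for _, p in writes[pid]):
                alert(pid, proc, "extension_swap")
        elif action == "WRITE":
            writes[pid].append((ts, path))
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in RANSOM_NOTE_NAMES:
                alert(pid, proc, "ransom_note_dropped")
            # "<original>.<newext>" written after the original was deleted
            if any(p == path.rsplit(".", 1)[0] for _, p in deletes[pid]):
                alert(pid, proc, "extension_swap")
            if len({p for _, p in writes[pid]}) > MAX_DISTINCT_FILES:
                alert(pid, proc, "mass_file_write")
    return alerts


def build_sample_log():
    """Constructed log: normal editing, then one process rewriting 25 documents
    under a '.locked' extension and dropping README.txt, all within 30 seconds."""
    base = datetime(2024, 3, 1, 9, 12, 10)
    lines = [
        "2024-03-01T09:00:01,412,winword.exe,WRITE,C:\\Users\\ana\\Documents\\budget.docx",
        "2024-03-01T09:05:30,412,winword.exe,WRITE,C:\\Users\\ana\\Documents\\budget.docx",
    ]
    for i in range(25):
        t = (base + timedelta(seconds=i)).isoformat()
        doc = f"C:\\Users\\ana\\Documents\\file{i}.docx"
        lines.append(f"{t},9911,svchost_.exe,WRITE,{doc}.locked")
        lines.append(f"{t},9911,svchost_.exe,DELETE,{doc}")
    t = (base + timedelta(seconds=26)).isoformat()
    lines.append(f"{t},9911,svchost_.exe,WRITE,C:\\Users\\ana\\Documents\\README.txt")
    return lines


if __name__ == "__main__":
    for pid, proc, kind in detect(build_sample_log()):
        print(f"ALERT pid={pid} process={proc} kind={kind}")
```

The three signals are deliberately independent: a backup agent or a bulk document conversion can trip the distinct-file threshold on its own, so an alert that combines the burst with extension swaps or a dropped note is what justifies the automatic isolation step described in section 7.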
A FEW MORE MITIGATING STRATEGIES

1. Regular data backups and testing

2. Employee training and awareness programs

3. Patch management and software updates

4. Implementation of robust security solutions

5. Incident response planning and execution
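Strategy 1 above, "Regular data backups and testing", and the note in section 3 that some ransomware deletes or encrypts backup files, point at the same check: a backup is only useful if it can be shown, before it is needed, to be both unchanged and unencrypted. The block below is an added example (not from the paper) of such a test: a SHA-256 manifest is taken when the backup is made, and a later verification pass reports modified, missing and suspiciously high-entropy files. The directory layout, manifest format, entropy threshold and sample files are constructed.

```python
"""Verify that a backup set is intact and has not itself been encrypted:
compare each file with a SHA-256 manifest taken at backup time and flag
files whose byte entropy looks like ciphertext rather than documents.
Added example, not from the paper; layout, format and data are constructed."""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; text and office files sit well below this


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte; random or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_manifest(root, manifest_path):
    """Record relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(root, manifest_path):
    """Check the backup against its manifest; 'restorable' is the overall verdict."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    report = {"ok": [], "modified": [], "missing": [], "suspicious_entropy": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
            continue
        if sha256_file(full) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
        with open(full, "rb") as f:               # entropy on the first 1 MiB
            if shannon_entropy(f.read(1 << 20)) > ENTROPY_THRESHOLD:
                report["suspicious_entropy"].append(rel)
    report["restorable"] = not (report["modified"] or report["missing"]
                                or report["suspicious_entropy"])
    return report


def demo():
    """Constructed scenario: take a manifest of a clean backup, then simulate
    ransomware reaching the backup share (one file overwritten with random
    bytes, one deleted) and verify both states."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "backup")
        os.makedirs(root)
        with open(os.path.join(root, "ledger.csv"), "w") as f:
            f.write("date,amount\n" * 500)
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("quarterly planning notes\n" * 200)
        manifest_path = os.path.join(tmp, "manifest.json")   # kept outside root
        write_manifest(root, manifest_path)
        clean = verify_backup(root, manifest_path)
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(os.urandom(8192))
        os.remove(os.path.join(root, "notes.txt"))
        damaged = verify_backup(root, manifest_path)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean:", clean["restorable"], "damaged:", damaged)
```

The manifest is written outside the backup tree and should be stored somewhere the backup process can only append to, otherwise a process that can encrypt the backup can also rewrite the manifest to match. The entropy check is a heuristic: already-compressed formats (ZIP, JPEG, video) score high by nature, so in a real deployment they are exempted or compared only by hash.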

9. EXAMPLES OF RANSOMWARE

WannaCry: A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm
that infected over 250,000 systems before a kill switch was tripped to stop its spread.

CryptoLocker: This was an early current-generation ransomware that required cryptocurrency
(Bitcoin) for payment and encrypted a user’s hard drive and attached network drives.

NotPetya: Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics
from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft
Windows-based system. NotPetya targeted the same vulnerability as WannaCry to spread rapidly,
demanding payment in Bitcoin to undo the changes.

Bad Rabbit: Considered a cousin of NotPetya, using similar code and exploits to spread, Bad
Rabbit was a visible ransomware that appeared to target Russian and Ukrainian media companies.
Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid.

REvil: REvil is authored by a group of financially motivated attackers. It exfiltrates data before
encryption in order to blackmail targeted victims into paying if they choose not to send the ransom.

Ryuk: Ryuk is a manually distributed ransomware application mainly used in spear-phishing. Targets
are carefully chosen using reconnaissance. Email messages are sent to the chosen victims, and all files
hosted on the infected system are then encrypted.
10. CONCLUSION:

As the name “Ransomware” itself suggests, it is a type of malware that prevents you from accessing
your computer or data: the computer itself may be locked, or the data on it may be stolen, deleted or
encrypted.

Usually organisations/entities are asked to contact the attackers/hackers via an anonymous email
address, or to follow instructions on an anonymous web page, to make payment. The payment is
invariably demanded in a cryptocurrency such as Bitcoin, in order to unlock your computer or
regain access to your data. However, even if you pay the ransom, there is no guarantee that you will
get access to your computer or your files.

Organisations should use preventive and mitigating strategies to protect their data and their
reputations. Regular data backups and employee training and awareness programs can prevent
huge losses. Organisations must invest in data centres, data security and employee training to protect
the organisation from ransomware attacks.

New-age ransomware attacks can be AI driven and may cause huge data loss. Organisations must
implement strategies to prevent, as well as to respond to, such attacks. Regular testing of safety
measures and firewalls, and mock drills, may help in responding quickly to ransomware attacks.

Law enforcement does not encourage, endorse, or condone the payment of ransom demands. If you do
pay the ransom:

• there is no guarantee that you will get access to your data or computer
• your computer will still be infected
• you will be paying criminal groups
• you are more likely to be targeted in the future

Attackers will also threaten to publish data if payment is not made. To counter this, organisations
should take measures to minimise the impact of data exfiltration.