Abstract

In spite of being just a few years old, ransomware is quickly becoming a serious threat to our digital infrastructures, data and services. The majority of ransomware families demand a ransom payment to restore the custodian's access or to decrypt data that the ransomware encrypted earlier. Although the ransomware attack strategy seems simple, security specialists rank ransomware as a sophisticated attack vector with many variations and families. The wide range of features available in different families and versions of ransomware further complicates their detection and analysis. Though the existing body of research provides significant discussion of ransomware details and capabilities, that body of research is fragmented. Therefore, a ransomware feature taxonomy would advance cyber defenders' understanding of the risks associated with ransomware. In this paper we provide, to the best of our knowledge, the first scientific taxonomy of ransomware features, aligned with the Lockheed Martin Cyber Kill Chain (CKC) model. CKC is a well-established model in industry that describes the stages of cyber intrusion attempts. To ease the challenge of applying our taxonomy in the real world, we also provide the corresponding ransomware defence taxonomy aligned with the Courses of Action matrix (an intelligence-driven defence model). We believe that this research study is of high value to the cyber security research community, as it provides researchers with a means of assessing the vulnerabilities and attack vectors towards the intended victims.

Highlights

  • The fast growth in both number and types has made ransomware an imminent threat to our digital data [1]

  • They use a range of techniques, from disguising malware in a benign-looking payload, such as an Adobe Portable Document Format (PDF) or Microsoft Office document, to exploiting a remote-access 0-day vulnerability² to disable the target machine's security protections, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or antivirus software [25]

  • While there are some similarities between these related works and our feature taxonomy, there are two main differences: (i) as ransomware has a specific objective, we distinguish and provide features dedicated to ransomware; and (ii) our taxonomy is systematized based on the Cyber Kill Chain (CKC) framework, which makes it easier for cyber defenders to use it as a reference for standard defensive and process models, e.g., the Courses of Action (CoA) Matrix [20], that are well known and well established within the operations of many organizations


Summary

Introduction

The fast growth in both number and types has made ransomware an imminent threat to our digital data [1]. A comprehensive taxonomy would help in differentiating between ransomware and other malware samples, classifying different ransomware families based on their known features and providing dedicated courses of action for each category. This motivated us to provide, to the best of our knowledge, the first taxonomy of ransomware features. To this end, we provide the reader with detailed information about the ransomware lifecycle, enabling researchers to figure out how a criminal delivers ransomware (considering different families) and infects a victim, how ransomware hides itself, as well as the actions that ransomware performs on the victim's machine. If the victim decides to make the ransom payment, occasionally the ransomware continues by downloading the decryption key from the C&C server and decrypting the victim's data (in the absence of follow-up security improvements, it is just a matter of time before the same or a different ransomware infects the machine again).

Figure 1, ransomware lifecycle (recovered step labels): 1: Victim receives a phishing email containing a link to an infected website, and visits the website. 11.2: The decryption key will be destroyed.
  • Background on Cyber Kill Chain and Courses of Actions Matrix
  • Encryption Method Diversification
  • Ransomware features taxonomy
  • Weaponization
  • Script-based ransomware
  • Delivery payload diversification
  • Diversifying file access patterns
  • Diversifying data encryption methods
  • Evasion techniques
  • Social engineering
  • Malvertisement
  • Traffic distribution system
  • Exploit kits
  • Targeted exploitation
  • Installation
  • Installation on the infected host
  • Installation on the infected network
  • Actions on objectives
  • Ransomware defence overview
  • Related work
  • Conclusion and future work
  • Findings
