Crypto-ransomware Attacks Research Articles

Understanding Ransomware Actions Through Behavioral Feature Analysis

Crypto ransomware attacks have substantially increased in recent years, and owing to their highly profitable  nature, this growth will evidently escalate in the future. To better understand this malware and help developers of ransomware detection systems build more robust and reliable solutions, this study investigates ransomware actions during the destruction phase through behavioral feature analysis. We used a dataset with 1524 samples and 30 967 features representing the actions conducted using 582 types of ransomware and 942 good applications (goodware). Six representative and widely used classification algorithms were applied as auxiliary tools to investigate the behavior of these attacks: Naive Bayes (NB), K-Nearest Neighbors (KNN), Logistic Regression (LR), Random Forest (RF), Stochastic Gradient Descent (SGD), and Support Vector Machine (SVM). We achieved an accuracy of 98.48%, balanced accuracy of 98.35%, precision of 98.17%, recall of 97.82%, F-measure of 97.98%, and ROC AUC of 99.87% by using RF for 462 features of the resultant dataset. We propose a new criterion to determine the feature group relevance and a method to distinguish the features that are most related to ransomware and goodware. Our main conclusions are as follows: Application Programming Interface (API) calls are the most relevant feature group, achieving alone a balanced accuracy of 96.49%; native encryption Windows APIs are not crucial for ransomware classification; and the most significant features of ransomware tend to involve handling the thread/process, physical memory operation, and communication, whereas goodware features are more likely to indicate virtual memory, files, directories, and resource operations.

Inhibiting crypto‐ransomware on windows platforms through a honeyfile‐based approach with R‐Locker

After several years, crypto-ransomware attacks still constitute a principal threat for individuals and organisations worldwide. Despite the fact that a number of solutions are deployed to fight against this plague, one main challenge is that of early reaction, as merely detecting its occurrence can be useless to avoid the pernicious effects of the malware. With this aim, the authors introduced in a previous work a novel anti-ransomware tool for Unix platforms named R-Locker. The proposal is supported on a honeyfile-based approach, where ‘infinite’ trap files are disseminated around the target filesystem for early detection and to effectively block the ransomware action. The authors extend here the tool with three main new contributions. First, R-Locker is migrated to Windows platforms, where specific differences exist regarding FIFO handling. Second, the global management of the honeyfiles around the target filesystem is now improved to maximise protection. Finally, blocking suspicious ransomware is (semi)automated through the dynamic use of white-/black-lists. As in the original work for Unix systems, the new Windows version of R-Locker shows high effectivity and efficiency in thwarting ransomware action.

A Pseudo Feedback-Based Annotated TF-IDF Technique for Dynamic Crypto-Ransomware Pre-Encryption Boundary Delineation and Features Extraction

The cryptography employed against user files makes the effect of crypto-ransomware attacks irreversible even after detection and removal. Thus, detecting such attacks early, i.e. during pre-encryption phase before the encryption takes place is necessary. Existing crypto-ransomware early detection solutions use a fixed time-based thresholding approach to determine the pre-encryption phase boundaries. However, the fixed time thresholding approach implies that all samples start the encryption at the same time. Such assumption does not necessarily hold for all samples as the time for the main sabotage to start varies among different crypto-ransomware families due to the obfuscation techniques employed by the malware to change its attack strategies and evade detection, which generates different attack behaviors. Additionally, the lack of sufficient data at the early phases of the attack adversely affects the ability of feature extraction techniques in early detection models to perceive the characteristics of the attacks, which, consequently, decreases the detection accuracy. Therefore, this paper proposes a Dynamic Pre-encryption Boundary Delineation and Feature Extraction (DPBD-FE) scheme that determines the boundary of the pre-encryption phase, from which the features are extracted and selected more accurately. Unlike the fixed thresholding employed by the extant works, DPBD-FE tracks the pre-encryption phase for each instance individually based on the first occurrence of any cryptography-related APIs. Then, an annotated Term Frequency-Inverse Document Frequency (aTF-IDF) technique was utilized to extract the features from runtime data generated during the pre-encryption phase of crypto-ransomware attacks. The aTF-IDF overcomes the challenge of insufficient attack patterns during the early phases of the attack lifecycle. The experimental evaluation shows that DPBD-FE was able to determine the pre-encryption boundaries and extract the features related to this phase more accurately compared to related works.

An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability

Abstract This study looks at the experiences of organizations that have fallen victim to ransomware attacks. Using quantitative and qualitative data of 55 ransomware cases drawn from 50 organizations in the UK and North America, we assessed the severity of the crypto-ransomware attacks experienced and looked at various factors to test if they had an influence on the degree of severity. An organization’s size was found to have no effect on the degree of severity of the attack, but the sector was found to be relevant, with private sector organizations feeling the pain much more severely than those in the public sector. Moreover, an organization’s security posture influences the degree of severity of a ransomware attack. We did not find that the attack target (i.e. human or machine) or the crypto-ransomware propagation class had any significant bearing on the severity of the outcome, but attacks that were purposefully directed at specific victims wreaked more damage than opportunistic ones.

Targeted Ransomware: A New Cyber Threat to Edge System of Brownfield Industrial Internet of Things

Much value in a brownfield Industrial Internet of Things (IIoT) implementation resides at its edge tier, where new types of devices and technologies are deployed to interoperate the legacy industrial control systems with servers and systems in the cloud, and leverage the benefits of the Internet of Things technologies. One of these novel devices is the IIoT edge gateway, which is used to connect critical physical systems with the cyber world, and to provide consistent storage, processing, and analytical and controlling capabilities. However, these devices also come with new and advanced threats such as targeted ransomware. In this paper, we investigate this threat in detail. We studied the threat actors' motivations, the anatomy of ransomware for edge gateways, and the likelihood of such ransomware attack to happen in the future. We found that threat actors find IIoT edge gateways attractive ransomware targets due to their vital roles and functionalities in working with critical infrastructure and that the likelihood of such attack to occur is high. We built the first version of a ransomware security testbed for IIoT, and for test purposes, we developed a first version of ransomware target at IIoT edge gateway in a brownfield system. From our measurements we conclude that kernel-related activity parameters are significant indicators of the abnormal behavior caused by crypto-ransomware attacks in IIoT edge gateways, much more so even than for similar attacks in information technology server workstation. Thereby, some potential countermeasures for addressing targeted ransomware in IIoT systems are recommended as proactive strategies for dealing with attackers' new techniques and tactics.

The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures

Year in and year out the increasing adaptivity of offenders has maintained ransomware's position as a major cybersecurity threat. The cybersecurity industry has responded with a similar degree of adaptiveness, but has focussed more upon technical (science) than ‘non-technical’ (social science) factors. This article explores empirically how organisations and investigators have reacted to the shift in the ransomware landscape from scareware and locker attacks to the almost exclusive use of crypto-ransomware. We outline how, for various reasons, victims and investigators struggle to respond effectively to this form of threat. By drawing upon in-depth interviews with victims and law enforcement officers involved in twenty-six crypto-ransomware attacks between 2014 and 2018 and using an inductive content analysis method, we develop a data-driven taxonomy of crypto-ransomware countermeasures. The findings of the research indicate that responses to crypto-ransomware are made more complex by the nuanced relationship between the technical (malware which encrypts) and the human (social engineering which still instigates most infections) aspects of an attack. As a consequence, there is no simple technological ‘silver bullet’ that will wipe out the crypto-ransomware threat. Rather, a multi-layered approach is needed which consists of socio-technical measures, zealous front-line managers and active support from senior management.

Recent Advances in Cryptovirology: State-of-the-Art Crypto Mining and Crypto Ransomware Attacks

Recent Advances in Cryptovirology: State-of-the-Art Crypto Mining and Crypto Ransomware Attacks

On the Economic Impact of Crypto-ransomware Attacks: The State of the Art on Enterprise Systems

According to Cybersecurity Ventures research in 2017, in every 40 s, a business falls prey to a ransomware attack and the rate is predicted to rise to 14 s by 2019. Business organizations have had to pay cybercriminals even up to $1 million in a single attack, while others have incurred losses in hundreds of millions of dollars. Clearly, ransomware is an emerging cyberthreat to enterprise systems that can no longer be ignored. In this paper, we address the various facets of the ransomware pandemic narrowing down to the technical and economic impacts. We formulate an attack model applicable to cascaded network design structures common in enterprise systems, detailing the various susceptible ransomware entry points. We evaluate how the incorporation of asymmetric and symmetric encryption in hybrid cryptosystems with worm-like properties in recent ransomware strains has brought about tragic targeted ransomware attacks campaigns such as WannaCry, Erebus, and SamSam. We also detail the economic impact of ransomware on various businesses in terms of paid ransoms and loss of revenue due to downtime and loss of production. Results show the substantial role played by the Bitcoin cryptocurrency and email as the prevalent attack vector in indiscriminate attack campaigns, while vulnerability exploitation is dominant in targeted attacks. Furthermore, results show that lack of offline backup and poorly implemented offline backup strategies end up costing businesses more than the ransom demand itself. We suggest mitigation strategies and recommend best practices based on the demystified core components of successful ransomware attacks campaigns.

Addressing Crypto-Ransomware Attacks: Before You Decide whether To-Pay or Not-To

ABSTRACT Crypto-ransomware attacks have forced victims to part away with millions of dollars using various intimidation and scare tactics. Victims have made hasty decisions of whether to pay or not without adequate information. In this paper, we explore options to address ransomware attacks before considering whether to pay or not. We propose a ransomware categorization framework that classifies the virulence of a ransomware attack using a proposed classification algorithm that is based on data deletion and file encryption attack structures. The categories that increase in severity from CAT1 to CAT8 classify the technical prowess and the overall effectiveness of potential ways of retaining the data without paying the ransom demand. The framework provides an avenue for a deeper comprehension of potential inadequacies and flaws to be exploited for data recovery. Results show that poorly implemented attack structures make recovery of data possible via system volume shadow copies or third-party software without paying.

Multi-stage crypto ransomware attacks: A new emerging cyber threat to critical infrastructure and industrial control systems

Abstract The inevitable integration of critical infrastructure to public networks has exposed the underlying industrial control systems to various attack vectors. In this paper, we model multi-stage crypto ransomware attacks, which are today an emerging cyber threat to critical infrastructure. We evaluate our modeling approach using multi-stage attacks by the infamous WannaCry ransomware. The static malware analysis results uncover the techniques employed by the ransomware to discover vulnerable nodes in different SCADA and production subnets, and for the subsequent network propagation. Based on the uncovered artifacts, we recommend a cascaded network segmentation approach, which prioritizes the security of production network devices.