Figure 1 - uploaded by Alexander Adamov
Context in source publication
Context 1
... example, TeslaCrypt uses 'push-ret' x86 ASM instructions instead of the normal 'call' instruction to call Windows API functions. The code snippet for the IsDebuggerPresent() WinAPI call is shown in Figure 1. The same TeslaCrypt used active methods of protection in the form of terminating the Windows monitoring and configuration tools: Task Manager, Process Explorer, Registry Editor, and msconfig. ...
Citations
... Table 1 illustrates the three main ransomware variants presented in the literature. Cerber [19,20] 2016 Unknown RaaS, Geographic targeting mechanism AES and RSA-2048 Yes ...
The ever-evolving landscape of cyber threats, with ransomware at its forefront, poses significant challenges to the digital world. Windows 11 Pro, Microsoft's latest operating system, claims to offer enhanced security features designed to tackle such threats. This paper aims to comprehensively evaluate the effectiveness of these Windows 11 Pro built-in security measures against prevalent ransomware strains, with a particular emphasis on crypto-ransomware. Utilizing a meticulously crafted experimental environment, the research adopted a two-phased testing approach, examining both the default and a hardened configuration of Windows 11 Pro. This dual examination offered insights into the system's inherent and potential defenses against ransomware threats. The study's findings revealed that Windows 11 Pro does present formidable defenses. This paper not only contributes valuable insights into cybersecurity, but also furnishes practical recommendations for both technology developers and end-users in the ongoing battle against ransomware. The significance of these findings extends beyond the immediate evaluation of Windows 11 Pro, serving as a reference point for the broader discourse on enhancing digital security measures.
... Figure 2 shows the list of sectors affected by ransomware attacks. The WannaCry and NotPetya attacks of 2017 are estimated to have cost the global economy more than $8 billion [49][50][51][52]. Over 50,000 systems were infected with the GandCrab ransomware during the first quarter of 2018. ...
Ransomware attacks are currently one of cybersecurity's greatest and most alluring threats. Antivirus software is frequently ineffective against zero-day malware and ransomware attacks; consequently, significant network infections could result in substantial data loss. Such attacks are also becoming more dynamic and capable of altering their signatures, resulting in a race to the bottom regarding weaponry. Cryptographic ransomware exploits crypto-viral extortion techniques. The malware encrypts the victim's data and demands payment in exchange. The attacker would release the data decryption key after accepting payment. After data encryption, the user has two options: pay the ransom or lose the data. Cryptographic ransomware causes damage that is nearly impossible to undo. Detection at an early stage of a ransomware attack's lifecycle is vital for preventing unintended consequences for the victim. Most ransomware detection technologies concentrate on detection during the encryption and post-attack stages. Due to the absence of early behaviour signs, it is challenging to detect ransomware before it begins the unwanted process of mass file encryption. This study examines the relationship between API call patterns and their nature to determine whether they constitute early ransomware behaviour. The purpose of this paper is to determine whether this technique can be used to detect the presence of ransomware activity on a Windows endpoint at an early stage. 582 ransomware samples that consist of ten ransomware families and 942 benign software samples were analysed. This study proposed RENTAKA, a novel framework for the early detection of cryptographic ransomware. It makes use of characteristics acquired from ransomware behaviour and machine learning. This study presented an algorithm to generate a ransomware pre-encryption dataset. This study, which includes six machine-learning models, gives satisfactory results in detecting cryptographic ransomware.
The features used in this research were among the 232 features identified in Windows API calls. Five standard machine learning classifiers were employed in this experiment: Naive Bayes, k-nearest neighbours (kNN), Support Vector Machines (SVM), Random Forest, and J48. In our tests, SVM fared the best, with an accuracy rate of 93.8% and an area under the curve (AUC) of 0.979, respectively. The results indicate that we can distinguish ransomware from benign applications with low false-positive and false-negative rates.
... This indicates that symmetric encryption is carried out initially, followed by asymmetric encryption in the second stage. Files cannot readily be decrypted as a result (Adamov & Carlsson, 2017; Celiktaş, 2018; Lee, 2019; Liska & Gallo, 2016). ...
... The quality of the utilized encryption algorithm influences the ransomware's strength. Ransomware encryption uses hybrid techniques that are carried out in three phases (Adamov & Carlsson, 2017; Celiktaş, 2018; Kotov & Rajpal, 2014; Lee, 2019; Liska & Gallo, 2016). The ransomware attacker creates an asymmetric pair of keys and inserts them inside the ransomware in step 1. ...
Ransomware can lock users' information or resources (such as screens); hence, authorized users are blocked from retrieving their private data/assets. Ransomware enciphers the victim's plaintext data into ciphertext data; subsequently, the victim host can no longer decipher the ciphertext data to the original plaintext data. To get back the plaintext data, the user will need the proper decryption key; therefore, the user needs to pay the ransom. In this chapter, the authors shed light on ransomware malware, concepts, elements, structure, and other aspects of ransomware utilization. Specifically, this chapter will extend the elaboration on the ransomware, the state-of-the-art ransomware, the ransomware lifecycle, the ransomware activation and encryption processes, the ransom request process, the payment and recovery, the ransomware types, recommendations for ransomware detection and prevention, and strategies for ransomware mitigation.
... It not only gives cyber-security agencies the time to evaluate the existing defence measures, but also assists them in identifying areas where to develop preventive solutions. Long-term prediction of cyber-threats, however, still relies on the subjective perceptions of human security experts [27,28]. Unlike a fully automated procedure based on quantitative metrics, the human-based approach is prone to bias based on scientific or technical interests [29]. ...
Traditionally, cyber-attack detection relies on reactive, assistive techniques, where pattern-matching algorithms help human experts to scan system logs and network traffic for known virus or malware signatures. Recent research has introduced effective Machine Learning (ML) models for cyber-attack detection, promising to automate the task of detecting, tracking and blocking malware and intruders. Much less effort has been devoted to cyber-attack prediction, especially beyond the short-term time scale of hours and days. Approaches that can forecast attacks likely to happen in the longer term are desirable, as this gives defenders more time to develop and share defensive actions and tools. Today, long-term predictions of attack waves are mostly based on the subjective perceptiveness of experienced human experts, which can be impaired by the scarcity of cyber-security expertise. This paper introduces a novel ML-based approach that leverages unstructured big data and logs to forecast the trend of cyber-attacks at a large scale, years in advance. To this end, we put forward a framework that utilises a monthly dataset of major cyber incidents in 36 countries over the past 11 years, with new features extracted from three major categories of big data sources, namely the scientific research literature, news, blogs, and tweets. Our framework not only identifies future attack trends in an automated fashion, but also generates a threat cycle that drills down into five key phases that constitute the life cycle of all 42 known cyber threats.
... In some cases, ransomware developers moved decryption services into the Tor network, making it impossible to trace and take down a server; criminals use bitcoin as an anonymous and secure payment service [4]. In 1996, the discussion about ransomware and cryptographic bans began. ...
... Adamov et al. [4] distinguished themselves by choosing a specific set of 13 key characteristics to analyze popular ransomware in many operating systems that help determine the similarities and differences in the list of modern ransomware subject to manual analysis. This analysis was to describe the design trends and behavior of modern ransomware, and this eliminates contradictions in the description of the ransomware behavior published by the malware analysis laboratories. ...
... In this sense, cyberattacks affecting spectrum sensors in general, and ElectroSense sensors in particular, can be launched by different types of malware. Still, botnets [6], rootkits [7], backdoors [8], ransomware [9], and cryptojackers [10] have been highlighted as some of the most harmful families. Botnets are particularly interesting for crowdsourcing scenarios due to the number of devices and the possibility of recruiting them as zombies to launch Distributed Denial-of-Service (DDoS) attacks. ...
The number of Cyber-Physical Systems (CPS) available in industrial environments is growing mainly due to the evolution of the Internet-of-Things (IoT) paradigm. In such a context, radio frequency spectrum sensing in industrial scenarios is one of the most interesting applications of CPS due to the scarcity of the spectrum. Despite the benefits of operational platforms, IoT spectrum sensors are vulnerable to heterogeneous malware. The usage of behavioral fingerprinting and machine learning has shown merit in detecting cyberattacks. Still, there exist challenges in terms of (i) designing, deploying, and evaluating ML-based fingerprinting solutions able to detect malware attacks affecting real IoT spectrum sensors, (ii) analyzing the suitability of kernel events to create stable and precise fingerprints of spectrum sensors, and (iii) detecting recent malware samples affecting real IoT spectrum sensors of crowdsensing platforms. Thus, this work presents a detection framework that applies device behavioral fingerprinting and machine learning to detect anomalies and classify different botnets, rootkits, backdoors, ransomware and cryptojackers affecting real IoT spectrum sensors. Kernel events from CPU, memory, network, file system, scheduler, drivers, and random number generation have been analyzed, selected, and monitored to create device behavioral fingerprints. During testing, an IoT spectrum sensor of the ElectroSense platform has been infected with ten recent malware samples (two botnets, three rootkits, three backdoors, one ransomware, and one cryptojacker) to measure the detection performance of the framework in two different network configurations. Both supervised and semi-supervised approaches provided promising results when detecting and classifying malicious behaviors from the eight previous malware and seven normal behaviors. In particular, the framework obtained 0.88–0.90 true positive rate when detecting the previous malicious behaviors as unseen or zero-day attacks and 0.94–0.96 F1-score when classifying them.
... Over the years, significant advances have been made in ransomware detection, especially after the devastation that WannaCry caused in 2017 (Adamov & Carlsson, 2017; Berrueta, Morato, Magana, et al., 2020; Fernando, Komninos & Chen, 2020; Molina, Torabi, Sarieddine, et al., 2021; Singh et al., 2019a). Although researchers explored avenues for detection such as static and dynamic information, ransomware has managed to evade static analysis (Subedi et al., 2018). ...
Ransomware attacks have increased significantly in recent years, causing great destruction and damage to critical systems and business operations. Attackers are unfailingly finding innovative ways to bypass detection mechanisms, which encouraged the adoption of artificial intelligence. However, most research summarizes the general features of AI and induces many false positives, as the behavior of ransomware constantly differs to bypass detection. Focusing on the key indicating features of ransomware becomes vital as this guides the investigator to the inner workings and main function of ransomware itself. By utilizing access privileges in process memory, the main function of the ransomware can be detected more easily and accurately. Furthermore, new signatures and fingerprints of ransomware families can be identified to classify novel ransomware attacks correctly. The current research used the process memory access privileges of the different memory regions of the behavior of an executable to quickly determine its intent before serious harm can occur. To achieve this aim, several well-known machine learning algorithms were explored with an accuracy range of 81.38% to 96.28%. The study thus confirms the feasibility of utilizing process memory as a detection mechanism for ransomware.
... The next action that the ransomware executable takes is to remove all backups that the user could utilise to circumvent the ransom payment. In Windows, a common method often used by ransomware, including WannaCry, is through the Volume Shadow Copy service [17]; 4. ...
... It was initially designed to target data belonging to video games, including save files and profiles; however, at some point it was altered by the developers to include a wider file range, possibly to increase profitability through a wider range of victims. TeslaCrypt demanded a ransom of USD 500 equivalent in Bitcoin, which would double every 60 h [17]. AES-256 encryption was used by TeslaCrypt; however, due to a bug introduced in the first TeslaCrypt iteration, the encryption process was reversible. ...
Ransomware has become an increasingly popular type of malware across the past decade and continues to rise in popularity due to its high profitability. Organisations and enterprises have become prime targets for ransomware as they are more likely to succumb to ransom demands as part of operating expenses to counter the cost incurred from downtime. Despite the prevalence of ransomware as a threat towards organisations, there is very little information outlining how ransomware affects Windows Server environments, and particularly its proprietary domain services such as Active Directory. Hence, we aim to increase the cyber situational awareness of organisations and corporations that utilise these environments. Dynamic analysis was performed using three ransomware variants to uncover how crypto-ransomware affects Windows Server-specific services and processes. Our work outlines the practical investigation undertaken as WannaCry, TeslaCrypt, and Jigsaw were acquired and tested against several domain services. The findings showed that none of the three variants stopped the processes and decidedly left all domain services untouched. However, although the services remained operational, they became uniquely dysfunctional as ransomware encrypted the files pertaining to those services.