Conference Paper
The State of Ransomware. Trends and Mitigation Techniques
Alexander Adamov
NioGuard Security Lab,
Kharkiv National University of Radioelectronics
oleksandr.adamov@nure.ua
Anders Carlsson
Blekinge Institute of Technology,
anders.carlsson@bth.se
Abstract
This paper contains an analysis of the payload of popular ransomware for the Windows, Android, Linux, and MacOSX platforms. Namely, VaultCrypt (CrypVault), TeslaCrypt, NanoLocker, Trojan-Ransom.Linux.Cryptor, Android Simplelocker, OSX/KeRanger-A, WannaCry, Petya, NotPetya, Cerber, Spora, and Serpent were put under the microscope. A set of characteristics was proposed to be used for the analysis.
The purpose of the analysis is the generalization of the collected data that describes the behavior and design trends of modern ransomware.
The objective is to suggest ransomware threat mitigation techniques based on the obtained information.
The novelty of the paper is the analysis methodology, based on a chosen set of 13 key characteristics, which helps to determine similarities and differences throughout the list of ransomware put under analysis.
Most of the ransomware samples presented were manually analyzed by the authors, eliminating contradictions in the descriptions of ransomware behavior published by different malware research laboratories through verification of the payload of the latest versions of the ransomware.
1. Introduction
The discussion on ransomware and cryptolockers is not new and started in 1996 [1]. In 2005, the capability of using the MS Crypto API to create a "cryptovirus" was described in [2]. Since 2010, when the first unbreakable GpCode cryptolocker, which used RSA-1024 to encrypt a session RC4 key, was discovered by Kaspersky Lab [3], significant progress in cryptolocker design has been observed [4]. C&C servers and decryption services have moved into the Tor network, making it impossible to trace and take down a server [5]. Web decryption services now look like a real customer service desk, hosted in the Tor network as well. Criminals started using Bitcoin as an anonymous payment service. Elliptic curve cryptography has arrived together with bitcoins. For example, TeslaCrypt [6] used ECDH to generate a bitcoin address and as a carrier for a session AES key.
Existing research on ransomware shows either a lack of malware analysis expertise or the use of ransomware samples that are out of date and can no longer be met in the wild. For example, in [7] the authors analyzed 1,359 samples that belong to 15 different ransomware families using . However, as stated in the paper, all the samples were in the wild between 2006 and 2014, which means the proposed mitigation strategies address attacks that were no longer active by 2015, when the paper was published.
In this work, typical samples of the popular ransomware for the Windows, Linux, MacOSX, and Android platforms discovered during the last years were analyzed, covering almost all possible infection cases. Moreover, Cerber [8], Spora [9], Serpent [10], Petya [11], WannaCry [12], and NotPetya [13] were active at the moment of writing this paper. The Cerber, Spora, and Serpent families are in continuous development.
978-1-5386-3299-4/17/$31.00 ©2017 IEEE
2. A Ransomware Analysis Methodology
We analyzed the latest cryptolockers found in the wild from 2014 until the present moment that belong to the following families: TeslaCrypt [6], VaultCrypt (CrypVault, BAT_CRYPVALT.A) [14], NanoLocker [15], Trojan-Ransom.Linux.Cryptor (Linux.Cryptor, Linux.Encoder.1) [16, 17], Android Simplelocker [18], OSX/KeRanger-A [19], Petya [11], WannaCry [12], NotPetya [13], Cerber [8], Spora [9], and Serpent [10]. Note that a verdict name may vary depending on which security vendor detected the corresponding threat. We selected a set of key characteristics which we considered during the ransomware analysis. These characteristics include:
delivery method
file type
platform
files encryption method
session key (used to encrypt files)
encryption method
encryption locations
deleting backup
communication with C&C server
decryption service location
payment information
target audience
passive methods of self-protection
active methods of self-protection
3. The Results of Ransomware Analysis
The results of the ransomware analysis are summarized below, organized by the selected criteria.
3.1. Delivery method
This subsection presents the delivery method used
by the ransomware samples under analysis.
VaultCrypt: via spam messages with a malicious
javascript attachment
TeslaCrypt: landed via a drive-by attack with the
help of the Angler web exploit [20]
NanoLocker: no information available
Linux.Cryptor: via exploitation of a vulnerability in
the Magento platform to launch attacks on web servers
Simplelocker: downloaded from unofficial Android
app stores as a fake porn game
OSX/KeRanger-A: via hacked website
WannaCry: EternalBlue exploit
Petya: CVE-2017-0199 exploit in RTF
NotPetya: EternalBlue and EternalRomance exploits
Cerber: spear-phishing email
Spora: spear-phishing and watering hole attacks
Serpent: spear-phishing
3.2. Platform / File type
This subsection presents the target platform and file
type of the ransomware samples under analysis.
VaultCrypt: Windows/BAT
TeslaCrypt: Windows/EXE
NanoLocker: Windows/EXE
Linux.Cryptor: Linux/ELF
Simplelocker: Android/APK
OSX/KeRanger-A: MacOSX
WannaCry: Windows/EXE
Petya: Windows/EXE
NotPetya: Windows/EXE
Cerber: Windows/EXE
Spora: Windows/EXE
Serpent: Windows/EXE
3.3. Files encryption method
This subsection presents the file encryption methods used by the ransomware samples under analysis. Unless otherwise specified, the ransomware sample uses the Windows Enhanced Cryptographic Provider (RSAENH).
VaultCrypt: RSA-1024 using the GnuPG tool
TeslaCrypt: AES-256-CBC using OpenSSL
NanoLocker: AES-256-CBC
Linux.Cryptor: AES-128-CBC using PolarSSL
Simplelocker: AES-128-CBC using cryptolib
OSX/KeRanger-A: AES-256-CBC
WannaCry: AES-128-CBC
Petya: encrypts MFT with Salsa20-256
NotPetya: AES-128-CBC, encrypts MFT with
Salsa20-256
Cerber: RC4-128
Spora: AES-256-CBC
Serpent: AES-256-CBC
3.4. Encryption method for a session or file key
This subsection presents the encryption method used to protect a session or file key, which prevents locked files from being decrypted. A cryptolocker generates a new session key on every run in a user's environment. The session key can be used directly to encrypt all files, or it can encrypt individual file encryption keys. When a session key is used to protect individual files' keys, a file's key encrypted with the session key is usually stored in the file's header or footer (Cerber, Spora).
VaultCrypt: RSA-1024 with the hard-coded master
public key using GnuPG tool
TeslaCrypt: the files encryption key is used as a
multiplier in the calculated ECDH shared secret sent to
the C&C server and stored in a header of encrypted
files.
NanoLocker: RSA-1024 with the hard-coded master
public key and base64 encoded to be sent via a Public
Note in a Bitcoin transaction
Linux.Cryptor: RSA-1024 with the hard-coded
master public key
Simplelocker: the files’ encryption key is
hard-coded "jndlasf074hr"
OSX/KeRanger-A: RSA-2048 to encrypt a random
seed used for AES
WannaCry: RSA-2048
Petya: the custom algorithm
NotPetya: RSA-2048
Cerber: RSA-880 and RSA-2048
Spora: RSA-1024
Serpent: RSA-2048
3.5. Encryption locations
This subsection describes encryption locations used
by the ransomware samples under analysis.
VaultCrypt: except Windows, msoffice, Intel, and
framework64
TeslaCrypt: except Windows, Program Files, and
Application Data. The files are encrypted in shared
folders and removable drives as well
NanoLocker: n/a
Linux.Cryptor: files are encrypted in the folders:
/home, /root, /var/lib/mysql, /var/www, /etc/nginx,
/etc/apache2, /var/log
Simplelocker: files on an SD card
OSX/KeRanger-A: Users, Volumes
WannaCry: except \\, $\, Intel, ProgramData,
WINDOWS, Program Files, Program Files (x86),
AppData\Local\Temp, Local Settings\Temp,
Temporary Internet Files, Content.IE5
Petya: MFT
NotPetya: MFT
Cerber: except $getcurrent, $recycle.bin,
$windows.~bt, $windows.~ws, boot, documents and
settings\all users\, documents and settings\default user,
documents and settings\localservice, documents and
settings\networkservice, intel, msocache, perflogs
program files (x86), program files, programdata,
recovery, recycled, recycler, system volume
information, temp, windows.old, windows10upgrade,
windows, winnt, appdata\local, appdata\locallow,
appdata\roaming, local settings, public\music\sample
music, public\pictures\sample pictures,
public\videos\sample videos, tor browser
Spora: except appdata, games, program files,
program files (x86), windows.
Serpent: except program files (x86), program files,
tor browser, windows, programdata, $recycle.bin
3.6. Deleting backup
This subsection shows whether the analyzed ransomware deletes backup copies of files, for example, shadow copies.
VaultCrypt: uses SDelete [21] or Cipher tools [22]
to wipe the keys files
TeslaCrypt: yes, using vssadmin.exe [23] to delete
shadow copies of files
NanoLocker: n/a
Linux.Cryptor: n/a
Simplelocker: n/a
OSX/KeRanger-A: encrypts Time Machine backup files
WannaCry: uses vssadmin.exe [23] to delete
shadow copies of files
Petya: n/a
NotPetya: n/a
Cerber: n/a
Spora: uses vssadmin.exe [23] to delete shadow
copies of files
Serpent: uses WMIC [24] and Cipher [22] tools to
delete shadow copies and wipe the original files from a
disk
3.7. Communication with a C&C server
This subsection points to the C&C communication protocol used by the ransomware, if any.
VaultCrypt: http://revault.me
TeslaCrypt: URL varies on the build version, data
transmitted in an encrypted way (AES-256-CBC) with
the hard-coded key
NanoLocker: ICMP, two ping packets are sent with
a Bitcoin address to C&C (52.91.55.122), the second
ping packet is sent once the encryption is completed
and also contains the number of encrypted files
Linux.Cryptor: n/a
Simplelocker: C&C in Tor
(http://xeyocsu7fu2vjhxs.onion/), user’s data are
transmitted in JSON format
OSX/KeRanger-A: over the Tor network
WannaCry: over the Tor network
Petya: n/a
NotPetya: n/a
Cerber: CIDRs are used (77.12.57.0/27,
19.48.17.0/27, 87.98.176.0/22) to find a C&C server,
remote port 6893
Spora: over the Tor network
Serpent: hmkwegza.pw, pwmhgfhm.pw, over the
Tor network
3.8. Decryption service
This subsection describes where an online
decryption service is located, if any.
VaultCrypt: in the Tor network
TeslaCrypt: in the Tor network
NanoLocker: using a Public Note in Bitcoin
transaction
Linux.Cryptor: in the Tor network
Simplelocker: the decrypting function is available in
the cryptolocker’s code
OSX/KeRanger-A: in the Tor network
WannaCry: in the Tor network
Petya: in the Tor network
NotPetya: n/a
Cerber: in the Tor network
Spora: spora.bz, in the Tor network
Serpent: in the Tor network
3.9. Payment
This subsection gives an overview of ransom
payments demanded by ransomware.
VaultCrypt: in BTC, the price depends on the number of encrypted files
TeslaCrypt: $500 equivalent in BTC, doubled every
60 hours
NanoLocker: 0.25 BTC
Linux.Cryptor: 1 BTC
Simplelocker: MoneXy, Qiwi
OSX/KeRanger-A: 1 BTC
WannaCry: $300/600 in BTC
Petya: $300/600 in BTC
NotPetya: n/a
Cerber: 0.045/0.090 BTC
Spora: depends on the number of encrypted files
Serpent: 0.025/0.075 BTC
3.10. Targeted audience
This subsection suggests the target audience based
on the language used in a web UI or ransom note.
VaultCrypt: Russian speaking (Russia, Ukraine)
TeslaCrypt: English speaking
NanoLocker: English speaking
Linux.Cryptor: English speaking
Simplelocker: Ukraine
OSX/KeRanger-A: English speaking
WannaCry: English speaking
Petya: English speaking
NotPetya: Ukraine
Cerber: English speaking
Spora: Russian speaking
Serpent: English speaking
3.11. Passive methods of protection
This subsection highlights the passive methods of
self-protection used by ransomware.
VaultCrypt: n/a
TeslaCrypt: code obfuscation, traffic encryption
NanoLocker: packing, base64
Linux.Cryptor: n/a
Simplelocker: code obfuscation in some versions
OSX/KeRanger-A: packing
WannaCry: packing, encryption
Petya: n/a
NotPetya: n/a
Cerber: obfuscation, encryption
Spora: obfuscation, encryption
Serpent: obfuscation, encryption
3.12. Active methods of protection
This subsection highlights the active methods of
self-protection used by ransomware.
VaultCrypt: n/a
TeslaCrypt: terminates msconfig, regedit, procexp,
taskmgr tools
NanoLocker: n/a
Linux.Cryptor: n/a
Simplelocker: n/a
OSX/KeRanger-A: n/a
WannaCry: n/a
Petya: n/a
NotPetya: detects avp.exe (Kaspersky AV), NS.exe
(Norton Security), ccSvcHst.exe (Symantec)
Cerber: n/a
Spora: n/a
Serpent: n/a
4. The results analysis
An analysis of the obtained results is presented
below by the selected criteria.
4.1. Delivery method
Ransomware is delivered with the help of exploits and social engineering tricks. The methods include drive-by attacks, in which a compromised website is used to host an exploit delivered as malicious JavaScript, or a spam message with a document containing the exploit. The malicious document has a fancy name and a double extension, for example 'Akt_Sverki_za_2014_year_Buhgalterija_SIGNED-ot_17.02_2015g_attachment.AVG.Checked.OK.pdf.js' [25].
4.2. File type
In addition to the ordinary executable file formats, we see more ransomware come as shell scripts. For example, VaultCrypt is a Windows batch script and uses a standalone GnuPG tool [26], dropped from the delivered package, to encrypt files.
4.3. Encryption
Most cryptolockers use the AES block cipher in cipher block chaining (CBC) mode with a key length of 128 or 256 bits, for performance reasons. The only exception is VaultCrypt, with RSA-1024 provided by GnuPG. After encryption is completed, the ransomware typically deletes the file encryption key from memory (TeslaCrypt) or from the file system (all others). Before that, the program usually encrypts the file encryption key using an asymmetric algorithm such as RSA-1024 with a hard-coded master public key (the attacker owns the master private key), and the result is stored in a recovery message or key vault file to be uploaded to the decryption service. In the case of Android Simplelocker, the AES file encryption key is stored in the code, so getting the encrypted data back poses no problem.
In most cases the Microsoft Crypto Provider was used, as it is available by default. Host intrusion prevention systems (HIPS) are aware of that and monitor API calls for the presence of MS Crypto API calls. Therefore, some ransomware uses alternative crypto libraries (OpenSSL, PolarSSL, GnuPG) or comes with its own implementation to bypass HIPS protection.
When encrypting files, cryptolockers may exclude locations where files should not be encrypted, such as system and home folders (VaultCrypt, TeslaCrypt, WannaCry, Cerber, Spora, Serpent), or, the other way around, carry a list of the only directories to be encrypted (Linux.Cryptor). For example, Android Simplelocker encrypts files only on a phone's SD card.
Additionally, something not mentioned in the analysis above: the WannaCry and Serpent ransomware terminate database-related processes such as mysqld.exe, sqlwriter.exe, and sqlserver.exe to unlock database files for encryption.
4.4. Deleting backups
The Windows ransomware WannaCry, Spora, and Serpent delete backups of files using available system tools such as wmic.exe and vssadmin.exe, together with cipher.exe, which is used to wipe the deleted original files from the disk. OSX/KeRanger-A encrypts the Time Machine backup files. Thus, a user cannot restore original files and keys after the encryption has finished.
4.5. Communication with a C&C Server
Commonly, ransomware sends check-in requests in encrypted form to an attacker's server via the HTTP protocol. However, NanoLocker sends specially crafted ICMP packets, including a bitcoin address, to the remote server. Linux.Cryptor and Petya (NotPetya) do not communicate with a C&C server at all. Cerber and Spora can work even if a C&C server is offline. Serpent and Locky [27] ransomware require a connection to the C&C to retrieve the master public RSA key before starting encryption.
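As an added example (not the paper's code), the following Python fragment checks network telemetry for the two concrete indicators named in sections 3.7 and 4.5: NanoLocker-style ICMP echo requests whose payload carries a Bitcoin address, validated by the Base58Check checksum rather than by pattern alone, and Cerber-style connections into the listed C&C ranges on port 6893. The ICMP packets, the flow records and the address in the payload (the well-known Bitcoin genesis block address) are constructed inputs; the flow dictionary keys are assumptions about the telemetry format.

```python
import hashlib
import ipaddress
import re
import struct

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin address syntax; the checksum test below separates a real
# address from random Base58-looking text.
ADDR_RE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")

# Cerber C&C ranges and port as listed in section 3.7 of the paper.
CERBER_CIDRS = [ipaddress.ip_network(c) for c in
                ("77.12.57.0/27", "19.48.17.0/27", "87.98.176.0/22")]
CERBER_PORT = 6893


def base58check_valid(addr):
    """True if addr decodes to 25 bytes whose last 4 bytes equal the
    double-SHA256 checksum of the first 21 (version byte + hash160)."""
    n = 0
    for ch in addr:
        idx = BASE58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_ones = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def bitcoin_addresses(payload):
    """Checksum-valid Bitcoin addresses found in a raw ICMP payload."""
    text = payload.decode("ascii", errors="ignore")
    return [m.group(0) for m in ADDR_RE.finditer(text)
            if base58check_valid(m.group(0))]


def parse_icmp(packet):
    """Split a raw ICMP message into (type, code, payload)."""
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, packet[8:]


def icmp_alerts(packets):
    """(source, address) for every echo request (type 8) whose payload
    carries a valid Bitcoin address, as NanoLocker's check-in pings do."""
    alerts = []
    for src, pkt in packets:
        icmp_type, _code, payload = parse_icmp(pkt)
        if icmp_type == 8:
            alerts.extend((src, addr) for addr in bitcoin_addresses(payload))
    return alerts


def cerber_cc_flows(flows):
    """Flows whose destination lies in a Cerber C&C range on port 6893."""
    return [f for f in flows
            if f["dport"] == CERBER_PORT
            and any(ipaddress.ip_address(f["dst"]) in net for net in CERBER_CIDRS)]


def echo_request(seq, payload):
    """Build a constructed ICMP echo request (checksum left zero for the sample)."""
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload


GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # well-known valid address
SAMPLE_PACKETS = [  # constructed, not captured traffic
    ("10.0.0.7", echo_request(1, b"abcdefghijklmnopqrstuvwabcdefghi")),  # ordinary ping
    ("10.0.0.7", echo_request(2, b"btc=" + GENESIS_ADDR.encode())),       # first check-in
    ("10.0.0.7", echo_request(3, b"done " + GENESIS_ADDR.encode() + b" n=153")),
    ("10.0.0.9", struct.pack("!BBHHH", 0, 0, 0, 0x1234, 2) + GENESIS_ADDR.encode()),  # echo reply, ignored
]
SAMPLE_FLOWS = [  # constructed
    {"src": "10.0.0.7", "dst": "77.12.57.10", "dport": 6893},
    {"src": "10.0.0.7", "dst": "87.98.179.200", "dport": 6893},
    {"src": "10.0.0.7", "dst": "77.12.57.40", "dport": 6893},   # outside the /27
    {"src": "10.0.0.7", "dst": "77.12.57.10", "dport": 443},    # wrong port
]

if __name__ == "__main__":
    for src, addr in icmp_alerts(SAMPLE_PACKETS):
        print(f"ICMP from {src} carries Bitcoin address {addr}")
    for f in cerber_cc_flows(SAMPLE_FLOWS):
        print(f"Cerber C&C candidate: {f['src']} -> {f['dst']}:{f['dport']}")
```

The checksum step matters in practice: a bare regular expression over ping payloads would also fire on Base58-looking identifiers in legitimate traffic, whereas a matching 4-byte double-SHA256 checksum is strong evidence that the field really is an address. The CIDR check is deliberately narrow (range and port together); the ranges are the ones the paper attributes to Cerber and would be refreshed from current threat intelligence in a deployment.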
4.6. Decryption Service
A web decryption service is usually located in the Tor network, making it impossible to shut it down or trace its master. The NanoLocker master uses the Public Note in a Bitcoin transaction to get the victim's encrypted key and to send back the decrypted one. Simplelocker has its C&C in the Tor network, but the decryption function is available in its code.
4.7. Payment
A ransom is paid using anonymous payment
services. Payments in Bitcoins are mostly used.
4.8. Targeted audience
Ransomware is widespread in the Russian-speaking region, mostly Russia and Ukraine. However, most ransomware has an English user interface, covering users from all over the world.
4.9. Passive and active methods of
ransomware self-protection
Like other malware, cryptolockers use passive methods of protection: packing, obfuscation, and encryption. For example, TeslaCrypt uses 'push-ret' x86 ASM instructions instead of the normal 'call' instruction to call Windows API functions. The code snippet for the IsDebuggerPresent() WinAPI call is shown in Figure 1.
Figure 1: Example of the obfuscated function call in TeslaCrypt 2.1 [2]
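As an added illustration (not code from the paper or from TeslaCrypt), the following Python scanner shows how an analyst can triage a code blob for the push-ret substitution described above: it looks for a 'push imm32' (opcode 0x68) followed within a couple of bytes by 'ret' (0xC3) and reports the branch target that the pair transfers control to. The byte fragment and the addresses in it are constructed for the example.

```python
import struct

PUSH_IMM32 = 0x68   # push imm32
RET = 0xC3          # ret

# Constructed x86 fragment (not TeslaCrypt's code), three instruction groups:
#   push 0x00402010 ; ret          -> disguised transfer to 0x00402010
#   call +0x10                     -> ordinary relative call, must not fire
#   push 0x7C801D7B ; nop ; ret    -> same trick with a filler byte in between
SAMPLE_CODE = (
    b"\x68\x10\x20\x40\x00\xC3"
    + b"\xE8\x10\x00\x00\x00"
    + b"\x68\x7B\x1D\x80\x7C\x90\xC3"
)


def find_push_ret(code, base=0, max_gap=2):
    """Return (offset, target) for every push imm32 that is followed by a
    ret within max_gap bytes. Offsets are reported relative to `base`, so
    a section's load address can be passed in to get virtual addresses."""
    found = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == PUSH_IMM32:
            (imm,) = struct.unpack_from("<I", code, i + 1)   # little-endian immediate
            tail = code[i + 5 : i + 5 + max_gap + 1]
            if RET in tail:
                found.append((base + i, imm))
        i += 1
    return found


def report(code, base=0):
    """Human-readable lines for each suspected push-ret transfer."""
    return [f"{off:#010x}: push {target:#010x}; ret  (indirect transfer)"
            for off, target in find_push_ret(code, base)]


if __name__ == "__main__":
    for line in report(SAMPLE_CODE, base=0x401000):
        print(line)
```

The scan is byte-oriented rather than disassembly-driven, so an 0x68 byte inside an operand can produce a false hit; the output is a triage list of targets to confirm in a disassembler, not a verdict. Targets that resolve to imported API addresses (the paper's IsDebuggerPresent() case) are the ones worth a second look.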
The same TeslaCrypt used active methods of protection in the form of terminating the Windows monitoring and configuration tools: task manager, process explorer, registry editor, and msconfig. The code is shown in Figure 2.
Figure 2: TeslaCrypt terminates Windows monitoring tools [2]
EternalPetya verifies whether antivirus processes are running on the infected host and, if so, does not run the encryptor.
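The following Python script, added here as an example and not taken from the paper, turns the host-side behaviours described in sections 4.3, 4.4 and 4.9 (deleting shadow copies with vssadmin.exe and wmic.exe, wiping with cipher.exe, terminating database processes and the Windows monitoring tools) into detection rules and runs them over a constructed set of Sysmon-like process-creation events. The events, PIDs and paths are made up for the example, and the field names are assumptions about the telemetry format.

```python
import re
from collections import defaultdict

# Constructed events in a Sysmon-like shape (image path, command line,
# parent PID). Values are invented for the example, not captured telemetry.
SAMPLE_EVENTS = [
    {"ppid": 4242, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ppid": 4242, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"ppid": 4242, "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": r"cipher.exe /w:C:\Users\alice\Documents"},
    {"ppid": 4242, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill.exe /F /IM mysqld.exe"},
    {"ppid": 4242, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill.exe /F /IM taskmgr.exe"},
    {"ppid": 1001, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},          # benign admin use
    {"ppid": 1001, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill.exe /F /IM notepad.exe"},    # benign
]

# Tools and arguments the paper attributes to ransomware (sections 3.6, 4.4).
BACKUP_WIPE_RULES = [
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I), "vssadmin: delete shadow copies"),
    ("wmic.exe",     re.compile(r"\bshadowcopy\s+delete\b", re.I), "wmic: delete shadow copies"),
    ("cipher.exe",   re.compile(r"(^|\s)/w:", re.I),             "cipher: wipe free space"),
]
# Processes terminated to unlock database files (4.3) or blind the user (4.9).
DB_PROCESSES = {"mysqld.exe", "sqlwriter.exe", "sqlserver.exe"}
MONITOR_TOOLS = {"taskmgr.exe", "procexp.exe", "regedit.exe", "msconfig.exe"}


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def taskkill_target(cmdline):
    """Image name passed to taskkill /IM, or None if absent."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/im":
            return tokens[i + 1].lower()
    return None


def classify(event):
    """Names of the rules triggered by one process-creation event."""
    hits = []
    name = image_name(event["image"])
    for tool, pattern, rule in BACKUP_WIPE_RULES:
        if name == tool and pattern.search(event["cmdline"]):
            hits.append(rule)
    if name == "taskkill.exe":
        target = taskkill_target(event["cmdline"])
        if target in DB_PROCESSES:
            hits.append("taskkill: database process (" + target + ")")
        elif target in MONITOR_TOOLS:
            hits.append("taskkill: monitoring tool (" + target + ")")
    return hits


def analyse(events):
    """Group rule hits by parent PID. A parent that triggers two or more
    distinct rules is reported as a ransomware-like chain, which separates
    an administrator's one-off vssadmin call from a dropper doing several
    destructive things in a row."""
    hits_by_parent = defaultdict(list)
    for ev in events:
        for rule in classify(ev):
            hits_by_parent[ev["ppid"]].append((rule, ev["cmdline"]))
    chains = {ppid: hits for ppid, hits in hits_by_parent.items()
              if len({rule for rule, _ in hits}) >= 2}
    return dict(hits_by_parent), chains


if __name__ == "__main__":
    hits, chains = analyse(SAMPLE_EVENTS)
    for ppid, rules in hits.items():
        for rule, cmd in rules:
            print(f"ppid={ppid} {rule}: {cmd}")
    for ppid in chains:
        print(f"ALERT ppid={ppid}: {len(chains[ppid])} destructive actions from one parent")
```

Grouping by parent is the part that makes the rules usable: each tool on its own has legitimate administrative uses, so the per-event hits feed a log, while the chain condition (several distinct rules from one parent) is what would page an analyst or trigger the host quarantine the paper recommends in section 5.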
5. Outcomes and mitigation recommendations
The analysis of ransomware presented in this paper helped to reveal trends in the evolution of ransomware and to develop mitigation techniques to protect users from a crypto attack, which in this case violates information availability.
Delivery method. Ransomware delivered through the Web and Email channels uses the same propagation techniques as targeted attacks: web exploits and social engineering tricks. Moreover, ransomware recently started using the SMB1 exploits released by ShadowBrokers, such as EternalBlue and EternalRomance, to propagate.
To block ransomware on arrival, it is recommended to:
set up spam filters to quarantine suspicious emails and send attachments for advanced inspection in a malware sandbox;
use an exploit execution prevention module and regularly consume the latest threat intelligence to prevent the execution of exploits in a user's system.
In the future, ransomware may start using 0-day exploits as well.
Encryption. If an attack is stopped before encryption is completed, a user has a chance to recover the file encryption key stored in the file system or in memory. The encryption process can be interrupted simply by hibernating the system.
To block ransomware once it starts encryption, it is recommended to:
define additional trust boundaries in the operating system that will help block cryptolockers from accessing shared folders and network drives;
deploy HIPS and regularly consume the latest threat intelligence to prevent the execution of cryptolockers in a user's system.
Deleting backups. As ransomware uses standard administration tools to erase shadow copies of files or wipe data from a disk, those tools can be blacklisted by configuring a local system security policy. The typical mistake is using a domain user's account to grant access to a file server, or working under a local admin account.
Communication. Ransomware may encrypt its traffic and use standard network protocols, making it hard to detect. However, it is possible to trace traffic to the Tor network and notify a network administrator, who can quarantine or even freeze a host that generates such traffic.
Payment. The Bitcoin payment system, being anonymous, is becoming more and more popular among criminals [28, 29]. Even though operations with bitcoins are restricted in most stock markets and depend mostly on particular countries' laws, victims can still buy bitcoins from private persons on the black market. In Sweden, for example, bitcoins are treated as a regular currency [30]. It is possible to buy and sell goods on the Internet using bitcoins. The Swedish government looks at big transactions only, to prevent money laundering. However, most ransom payments rarely exceed 2 BTC.
Targeted audience. Although most ransomware was created by Russian-speaking developers, judging by artifacts found in the code, their user interfaces are available in English.
Passive and active ransomware self-protection. While passive methods such as obfuscation and encryption have been used by many types of malware for a while, the active methods first introduced by TeslaCrypt show a new trend in ransomware development. Once a system is infected, it is hard to terminate the malicious process or make a memory dump to extract the session encryption key.
The research is still ongoing, and new versions of ransomware will be included as they are discovered by our lab or by antivirus companies.
6. References
[1] Young A., Yung M., Cryptovirology: Extortion-based security threats and countermeasures. In Security and Privacy Proceedings, IEEE Symposium, 1996, pp. 129–140.
[2] Young A., Building a Cryptovirus Using Microsoft's Cryptographic API. In Proceedings of the International Conference on Information Security, 2005, pp. 389–401.
[3] Kamluk V., GpCode-like Ransomware Is Back, Kaspersky Lab, 2010, https://securelist.com/blog/research/29633/gpcode-like-ransomware-is-back/
[4] Upadhyaya R., Jain A., Cyber ethics and cyber crime: A deep dwelved study into legality, ransomware, underground web and bitcoin wallet, 2016 International Conference on Computing, Communication and Automation (ICCCA), 2016, pp. 143–148.
[5] Owen G., Savage N., Empirical analysis of Tor Hidden Services, IET Information Security, Volume 10, Issue 3, 2016, pp. 113–118.
[6] Adamov A., Carlsson A., TeslaCrypt 2.1 Analysis: Cracking "Ping" Message, NioGuard Security Lab, 2015, http://nioguard.blogspot.com/2015/09/teslacrypt-21-analysis-cracking-ping.html
[7] Kharraz A., Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Milan, Italy, July 9–10, 2015.
[8] New variant of Cerber ransomware (Ferber) analyzed, NioGuard Security Lab, July 2017, https://nioguard.blogspot.com/2017/07/new-variant-of-cerber-ransomware-ferber.html
[9] Spora Ransomware Analysis, NioGuard Security Lab, August 2017, https://nioguard.blogspot.com/2017/08/spora-ransomware-analysis.html
[10] Serpent Ransomware Analysis, NioGuard Security Lab, August 2017, https://nioguard.blogspot.com/2017/08/serpent-ransomware-analysis.html
[11] Petya Taking Ransomware To The Low Level, Malwarebytes, April 2016, https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/
[12] Berry A., Homan J., Eitzman R., WannaCry Malware Profile, FireEye, May 2017, https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
[13] EternalPetya / NotPetya Ransomware Analysis, NioGuard Security Lab, June 2017, https://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html
[14] Adamov A., VaultCrypt: From Russia with Love, NioGuard Security Lab and Ukrainian Cyberpolice, 2015, http://nioguard.blogspot.com/2015/12/vaultcrypt-from-russia-with-love.html
[15] NanoLocker - Ransomware analysis, Malware Clipboard, 2016, http://blog.malwareclipboard.com/2016/01/nanolocker-ransomware-analysis.html
[16] Linux.Encoder.1, Dr.Web, 2015, https://vms.drweb.com/virus/?i=7704004&lng=en
[17] ELF_CRYPTOR.A, Trend Micro, 2015, http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/elf_cryptor.a
[18] ESET Analyzes Simplocker: First Android File-Encrypting, TOR-enabled Ransomware, ESET, 2014, http://www.welivesecurity.com/2014/06/04/simplocker/
[19] Claud Xiao, Jin Chen, New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer, Palo Alto Networks, March 2016, https://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
[20] Howard F., A closer look at the Angler exploit kit, Sophos, 2015, https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
[21] SDelete Tool, MSDN, https://support.microsoft.com/en-us/kb/315672
[22] Cipher tool, MSDN, https://technet.microsoft.com/en-us/library/bb490878.aspx
[23] VSSadmin Tool, MSDN, https://technet.microsoft.com/en-us/library/bb491031.aspx
[24] WMI command line interface, Microsoft, https://msdn.microsoft.com/ru-ru/library/aa394531(v=vs.85).aspx
[25] VaultCrypt sample analysis, VirusTotal, https://www.virustotal.com/en/file/6cceeddc0c631484f12f636aa9cdc9020c471af65a524423032e46e82004e179/analysis/
[26] GnuPG Tool, https://www.gnupg.org/
[27] Hasherezade, Look Into Locky Ransomware, Malwarebytes, July 2016, https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
[28] Meiklejohn S. et al., A fistful of bitcoins: Characterizing payments among men with no names. In Proceedings of the 2013 Conference on Internet Measurement Conference, IMC '13, 2013, pp. 127–140.
[29] Fergal R., Martin H., An analysis of anonymity in the bitcoin system. In Security and Privacy in Social Networks, 2012.
[30] Swedish Bitcoin web portal, http://www.bitcoin.se/
... This indicates that symmetric encryption is carried out initially, followed by asymmetric encryption in the second stage. Files cannot readily be decrypted as a result (Adamov & Carlsson, 2017;Celiktaş, 2018;Lee, 2019;Liska & Gallo, 2016). ...
... The quality of the utilized encryption algorithm influences the ransomware's strength. Ransomware encryption uses hybrid techniques that are carried out in three phases (Adamov & Carlsson, 2017;Celiktaş, 2018;Kotov & Rajpal, 2014;Lee, 2019;Liska & Gallo, 2016). The ransomware attacker creates an asymmetric pair of keys and inserts them inside the ransomware in step 1. ...
Chapter
Ransomware can lock users' information or resources (such as screens); hence, authorized users are blocked from retrieving their private data/assets. Ransomware enciphers the victim's plaintext data into ciphertext data; subsequently, the victim host can no longer decipher the ciphertext data to original plaintext data. To get back the plaintext data, the user will need the proper decryption key; therefore, the user needs to pay the ransom. In this chapter, the authors shed light on ransomware malware, concepts, elements, structure, and other aspects of ransomware utilization. Specifically, this chapter will extend the elaboration on the ransomware, the state-of-art ransomware, the ransomware lifecycle, the ransomware activation and encryption processes, the ransom request process, the payment and recovery, the ransomware types, recommendation for ransomware detection and prevention, and strategies for ransomware mitigation.
... Table 1 illustrates the three main ransomware variants presented in the literature. Cerber [19,20] 2016 Unknown RaaS, Geographic targeting mechanism AES and RSA-2048 Yes ...
Article
Full-text available
The ever-evolving landscape of cyber threats, with ransomware at its forefront, poses significant challenges to the digital world. Windows 11 Pro, Microsoft’s latest operating system, claims to offer enhanced security features designed to tackle such threats. This paper aims to comprehensively evaluate the effectiveness of these Windows 11 Pro, built-in security measures against prevalent ransomware strains, with a particular emphasis on crypto-ransomware. Utilizing a meticulously crafted experimental environment, the research adopted a two-phased testing approach, examining both the default and a hardened configuration of Windows 11 Pro. This dual examination offered insights into the system’s inherent and potential defenses against ransomware threats. The study’s findings revealed that Windows 11 Pro does present formidable defenses. This paper not only contributes valuable insights into cybersecurity, but also furnishes practical recommendations for both technology developers and end-users in the ongoing battle against ransomware. The significance of these findings extends beyond the immediate evaluation of Windows 11 Pro, serving as a reference point for the broader discourse on enhancing digital security measures.
... Figure 2 shows the list of sectors affected by ransomware attacks. The WannaCry and NotPetya attacks of 2017 are estimated to have cost the global economy more than $8 billion [49][50][51][52]. Over 50,000 systems were infected with the GandCrab ransomware during the first quarter of 2018. ...
Article
Full-text available
Ransomware attacks are currently one of cybersecurity's greatest and most alluring threats. Antivirus software is frequently ineffective against zero-day malware and ransomware attacks; consequently, significant network infections could result in substantial data loss. Such attacks are also becoming more dynamic and capable of altering their signatures, resulting in a race to the bottom regarding weaponry. Cryptographic ransomware exploits crypto-viral extortion techniques. The malware encrypts the victim's data and demands payment in exchange. The attacker would release the data decryption key after accepting payment. After data encryption, the user has two options: pay the ransom or lose the data. Cryptographic ransomware causes damage that is nearly impossible to undo. Detection at an early stage of a ransomware attack's lifecycle is vital for preventing unintended consequences for the victim. Most ransomware detection technologies concentrate on detection during encryption and post-attack stages. Due to the absence of early behaviour signs, it is challenging to detect ransomware before it begins the unwanted process of mass file encryption. This study examines the relationship between API calls pattern and their nature to determine whether it is ransomware early behaviour. The purpose of this paper is to determine whether this technique can be used to early detect the presence of ransomware activity on a Windows endpoint. 582 ransomware samples that consist of ten ransomware families and 942 benign software samples were analysed. This study proposed RENTAKA, a novel framework for the early detection of cryptographic ransomware. It makes use of characteristics acquired from ransomware behaviour and machine learning. This study presented an algorithm to generate a ransomware pre-encryption dataset. This study, which includes six machine-learning models, gives satisfactory results in detecting cryptographic ransomware. 
The features used in this research were among the 232 features identified in Windows API calls. Five standard machine learning classifiers were employed in this experiment: Naive Bayes, k-nearest neighbours (kNN), Support Vector Machines (SVM), Random Forest, and J48. In our tests, SVM fared the best, with an accuracy rate of 93.8% and an area under the curve (AUC) of 0.979, respectively. The results indicate that we can distinguish ransomware from benign applications with low false-positive and false-negative rates.
Chapter
Internet of Things (IoT) plays a vital role in transforming the world from telephone to smartphone, typewriter to laptop then notebook, normal home to smart home, hard work to smart work. The tremendous use of IoT in numerous applications not only eases our life but also saves time for innovative work. But everything has its negative influence. There is a ruinous-effect of using IoT in large-scale. It encourages the cyber-attacks to target the network and system which further leads to various kinds of cyber-attacks. Among all the cyber-attacks, malware proves themselves the most dangerous attack to bring interruption to daily operation and threaten the user to think twice before clicking on any link. This paper comprises the different types of malware attacks along with the IoT architecture. However, researchers have proposed different approaches to detect malware attacks on IoT using deep learning. There are some security issues which are still working on it. Further, this paper describes such a type of security issue that proves that IoT devices are still vulnerable to malware attacks.KeywordsIoTMalwareRansomwareBotenago
Article
Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow is globally visible. In this paper we explore this unique characteristic further, using heuristic clustering to group Bitcoin wallets based on evidence of shared authority, and then using re-identification attacks (i.e., empirical purchasing of goods and services) to classify the operators of those clusters. From this analysis, we consider the challenges for those seeking to use Bitcoin for criminal or fraudulent purposes at scale.
Conference Paper
Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow is globally visible. In this paper we explore this unique characteristic further, using heuristic clustering to group Bitcoin wallets based on evidence of shared authority, and then using re-identification attacks (i.e., empirical purchasing of goods and services) to classify the operators of those clusters. From this analysis, we characterize longitudinal changes in the Bitcoin market, the stresses these changes are placing on the system, and the challenges for those seeking to use Bitcoin for criminal or fraudulent purposes at scale.
Article
Anonymity in Bitcoin, a peer-to-peer electronic currency system, is a complicated issue. Within the system, users are identified by public-keys only. An attacker wishing to de-anonymize its users will attempt to construct the one-to-many mapping between users and public-keys and associate information external to the system with the users. Bitcoin tries to prevent this attack by storing the mapping of a user to his or her public-keys on that user's node only and by allowing each user to generate as many public-keys as required. In this chapter we consider the topological structure of two networks derived from Bitcoin's public transaction history. We show that the two networks have a non-trivial topological structure, provide complementary views of the Bitcoin system and have implications for anonymity. We combine these structures with external information and techniques such as context discovery and flow analysis to investigate an alleged theft of Bitcoins, which, at the time of the theft, had a market value of approximately half a million U.S. dollars.
Conference Paper
Future wars will be cyber wars, and the attacks will be a sturdy amalgamation of cryptography along with malware to distort information systems and their security. The explosive growth of the Internet facilitates cyber-attacks. Web threats include risks such as the loss of confidential data and the erosion of consumer confidence in e-commerce. The emergence of the cyber hack-jacking threat in a new form in cyberspace is known as ransomware or crypto virus. The locker bot waits for specific triggering events to become active. It blocks the task manager, command prompt and other cardinal executable files; a thread checks for their existence every few milliseconds, killing them if present. Imposing serious threats on the digital generation, ransomware pawns Internet users by hijacking their system and encrypting entire system utility files and folders, and then demanding a ransom in exchange for the decryption key it provides to restore the encrypted resources to their original form. We present in this research the anatomical study of a ransomware family that recently picked up quite a rage and is called CTB Locker, and go on to the hard money it makes per user and its source C&C server, which lies with the Internet's greatest incognito mode, the Dark Net. Cryptolocker Ransomware, or CTB Locker, creates a Bitcoin wallet per victim, and payment is made in digital bitcoins through the anonymity network or Tor gateway. CTB Locker is the deadliest malware the world ever encountered.
Conference Paper
In this paper, we present the results of a long-term study of ransomware attacks that have been observed in the wild between 2006 and 2014. We also provide a holistic view on how ransomware attacks have evolved during this period by analyzing 1,359 samples that belong to 15 different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim’s computer desktop or attempts to encrypt or delete the victim’s files using only superficial techniques. Our analysis also suggests that stopping advanced ransomware attacks is not as complex as it has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination of the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.
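The abstract above argues that abnormal file-system activity (I/O requests, and access to the NTFS Master File Table) is enough to catch most ransomware, including zero-day samples. The block below is an added illustration, not code from that paper or from this page: a small per-process I/O monitor fed with a constructed event stream. It measures the Shannon entropy of written buffers, counts renames that change the extension, and watches for raw access to the disk or NTFS metadata files, then flags processes that cross assumed thresholds. The event format, the thresholds, the process IDs and the paths are all assumptions made for the example.

```python
"""Added example (not from Kharraz et al. or this page): a minimal I/O
monitor in the spirit of the paper's file-system-activity defence.

It consumes a constructed stream of (pid, op, path, data, new_path) events,
computes the Shannon entropy of written buffers, tracks renames into a new
extension and raw access to the disk or NTFS metadata, and reports which
processes look like bulk encryptors.  Thresholds and the event format are
assumptions; real telemetry would come from a minifilter driver."""
import math
import random
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, low for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class IoMonitor:
    """Per-process counters over file events."""
    # Assumed thresholds; a deployment tunes these against benign baselines.
    MIN_FILES = 5       # distinct files overwritten with high-entropy data
    MIN_ENTROPY = 7.0   # bits/byte
    MIN_RENAMES = 5     # renames that change the extension
    # Raw device and NTFS metadata names (lower-cased suffix match).
    RAW_NAMES = ("$mft", "$logfile", r"\\.\c:", r"\\.\physicaldrive0")

    def __init__(self):
        self.high_entropy_files = defaultdict(set)
        self.ext_renames = defaultdict(int)
        self.raw_access = defaultdict(int)

    def feed(self, pid, op, path, data=b"", new_path=None):
        low = path.lower()
        if any(low.endswith(name) for name in self.RAW_NAMES):
            self.raw_access[pid] += 1
        if op == "WRITE" and shannon_entropy(data) >= self.MIN_ENTROPY:
            self.high_entropy_files[pid].add(low)
        elif op == "RENAME" and new_path is not None:
            old_ext = low.rsplit(".", 1)[-1]
            new_ext = new_path.lower().rsplit(".", 1)[-1]
            if old_ext != new_ext:
                self.ext_renames[pid] += 1

    def verdict(self, pid):
        """Reasons the process looks like ransomware; an empty list means clean."""
        reasons = []
        if self.raw_access[pid]:
            reasons.append("raw disk or NTFS metadata access")
        if len(self.high_entropy_files[pid]) >= self.MIN_FILES:
            reasons.append("bulk high-entropy overwrites")
        if self.ext_renames[pid] >= self.MIN_RENAMES:
            reasons.append("mass extension change")
        return reasons


def build_constructed_events():
    """Constructed stream: pid 100 edits text, pid 200 encrypts documents,
    pid 300 opens the raw disk (the MFT/MBR-overwrite pattern)."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    events = []
    for i in range(3):
        events.append((100, "WRITE", f"C:\\Users\\bob\\notes{i}.txt",
                       b"meeting notes\n" * 200))
    for i in range(8):
        path = f"C:\\Users\\bob\\Documents\\report{i}.docx"
        ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((200, "READ", path))
        events.append((200, "WRITE", path, ciphertext))
        events.append((200, "RENAME", path, b"", path + ".locked"))
    events.append((300, "OPEN", r"\\.\PhysicalDrive0"))
    return events


def run(events):
    """Feed every event and return {pid: verdict reasons}."""
    mon = IoMonitor()
    for ev in events:
        mon.feed(*ev)
    return {pid: mon.verdict(pid) for pid in {e[0] for e in events}}


if __name__ == "__main__":
    for pid, reasons in sorted(run(build_constructed_events()).items()):
        print(pid, reasons or "clean")
```

Entropy alone is a weak signal, since compressed archives, images and already-encrypted containers also write high-entropy buffers; the monitor therefore requires bulk overwrites of many distinct files and combines that with the rename and raw-access criteria, which is the same reasoning the abstract gives for looking at I/O request patterns and MFT access rather than file contents in isolation.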
Conference Paper
This paper presents the experimental results that were obtained by implementing the payload of a cryptovirus on the Microsoft Windows platform. A novel countermeasure against cryptoviral extortion is presented that forces the API caller to demonstrate that an authorized party can recover the asymmetrically encrypted data. The attack is based entirely on the Microsoft Cryptographic API and the needed API calls are covered in detail. The exact sequence of API calls that is used for both the viral payload and the code for key generation, decryption, and so on is given. More specifically, it is shown that by using 8 types of API calls and 72 lines of ANSI C code, the payload can hybrid encrypt sensitive data and hold it hostage on the host computer system. These findings demonstrate the ease with which one can apply cryptography to devise the payload of a cryptovirus when a cryptographic API is readily available on host machines.
Article
Tor hidden services allow someone to host a website or other transmission control protocol (TCP) service whilst remaining anonymous to visitors. The collection of all Tor hidden services is often referred to as the 'darknet'. In this study, the authors describe results from what they believe to be the largest study of Tor hidden services to date. By operating a large number of Tor servers for a period of 6 months, the authors were able to capture data from the Tor distributed hash table to collect the list of hidden services, classify their content and count the number of requests. Approximately 80,000 hidden services were observed in total of which around 45,000 are present at any one point in time. Abuse and Botnet C&C servers were the most frequently requested hidden services although there was a diverse range of services on offer.
Conference Paper
Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. In this paper we present the idea of Cryptovirology which employs a twist on cryptography, showing that it can also be used offensively. By being offensive we mean that it can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents. In this paper we analyze potential threats and attacks that rogue use of cryptography can cause when combined with rogue software (viruses, Trojan horses), and demonstrate them experimentally by presenting an implementation of a cryptovirus that we have tested (we took careful precautions in the process to ensure that the virus remained contained). Public-key cryptography is essential to the attacks that we demonstrate (which we call “cryptovirological attacks”). We also suggest countermeasures and mechanisms to cope with and prevent such attacks. These attacks have implications on how the use of cryptographic tools should be managed and audited in general purpose computing environments, and imply that access to cryptographic tools should be well controlled. The experimental virus demonstrates how cryptographic packages can be condensed into a small space, which may have independent applications (e.g., cryptographic module design in small mobile devices).