ANALYSIS OF RANSOMWARE ATTACKS
CA K MANIKANDAN
M.No 254418
[Cover slide image: ransom note headed "Warning"]
Introduction:
 Attacks by one party on another have happened throughout history and for many reasons, using every kind of weapon available.
 The development of weapons of mass destruction stopped at the nuclear and biological level; what was wanted next was a new generation of weapon that does not take human lives and does not create border disputes.
 People with bad intentions once murdered their victims and took their livelihood, and over time became mercenaries. Eventually they realised that killing the duck that lays the golden egg is not a good idea.
 Over time certain crimes became impossible, or not worth the risk to life, for example abduction, assassination, blackmail, burglary, embezzlement, espionage, hijacking, identity theft, mugging, robbery, shoplifting, smuggling, terrorism, trafficking, treason, vandalism and voyeurism. In their place, the computer era produced internet attacks: malware, phishing, DoS, SQL injection, zero-day exploits, drive-by attacks, password attacks and eavesdropping.
 Among these, one of the biggest recent threats of the virtual computer era is the ransomware attack.
 In 1996 the concept of cryptovirology and cryptoviruses was introduced, showing that cryptography can be used for offensive purposes such as extortion; this later evolved into crypto-ransomware.
 Every day we create roughly 2.5 quintillion bytes of data, and with the growing popularity of IoT (Internet of Things) the rate will only increase. Protecting this data falls on each individual.
 These new-generation attacks are used to obtain money, for espionage, to stop a service provider, to block public utilities, to gain access to confidential information, and to leak movie scripts or an organisation's future strategic plans.
Malicious Program
 Malware is a malicious program aimed at gathering sensitive information or causing disturbance or destruction to one or many users. It usually gains access to legitimate resources and abuses them to interfere with normal operation.
Ransomware
 Ransomware is a form of malware that infects a user by encrypting their data without permission, restricting legitimate access to the user's own data. The effect is irreversible without the attacker's key, which is what distinguishes it from other malware.
 Ransomware targets user files by mapping the user environment. Targeted files need to be recent and of some value, so the ransomware may consult the recent-files history and typically maps important folders such as My Documents, Pictures and other generic folders, as well as the Recycle Bin.
 The surveyed literature identifies 18 ransomware families: Cerber, Chimera, CTB-Locker, Donald Trump, Jigsaw, Petya, Reveton, Satana, TeslaCrypt, TorrentLocker, WannaCry, CryptoLocker, Odin, Shade, Locky, Spora, CryptorBit and CryptoWall.
 Once encryption has completed there is no way to recover the files except with the decryption key. To release it, the attackers demand payment in a cryptocurrency such as Bitcoin, chosen because its pseudonymous addresses are hard to tie to a person (payments are recorded on a public ledger, so "untraceable" overstates it).
 This malware is also tricky to handle because it combines two tactics. Many ransomware families use asymmetric cryptography, so the private key needed for decryption never exists on the victim machine, and they delete recovery points and volume shadow copies so the data cannot be restored locally. In addition, ransomware looks like a benign program: its encryption code is hard to distinguish from that of legitimate encryption applications.
 Attacks succeed because victim organisations want their valuable data back, or fear losing customers, and so pay the ransom.
 Victims with little knowledge of ransomware usually pay as well. This attack is growing with every passing day, causing data loss or financial loss to users and organisations.
Forms of Ransomware
 Locker ransomware: locks the device or screen and blocks the user from using it, without encrypting files.
 Crypto ransomware: encrypts the victim's files and demands payment for the decryption key.
 Scareware: fake security software or warnings that pressure the user into paying, usually without real encryption or locking.
Attack process
In general, a ransomware attack is launched in three phases: pre-encryption, encryption and post-encryption. Ransomware attacks follow a specific pattern that can be observed across variants. The attack process consists of finding the target, distributing and installing the infection, mapping the target files, encrypting them with a freshly generated key, and finally demanding the ransom in a message such as the one shown on the cover page.
Devices being attacked
 In the virtual era the target is not only the PC but every IoT device and layer, such as:
 Wearables
 Smart TVs
 Mobile devices
 Fog layer
 Cloud-based systems
Red Flags
Some actions can be used as red flags, and some behaviour patterns indicate that a ransomware attack is under way. They are:
 Opening of many files
 Structure of input and output streams
 Many write/overwrite operations
 A process calling encryption APIs
 Frequent read and rewrite/delete requests in a short period of time
 Communication with a command-and-control server
 Changes to user registry keys
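The red flags listed above, and the three attack phases described earlier, can be turned into a per-process sliding-window scorer. The following is an added example and not code from the original slides: it parses a hypothetical EDR/Sysmon-style event export (the log format, process names, paths, thresholds and every event are constructed here) and raises an alert only when a burst of file operations is corroborated by a second signal, because a burst on its own also describes backup and indexing tools.

```python
import re
from collections import defaultdict, deque

# Event-log format and every event below are constructed for this example
# (a hypothetical EDR/Sysmon-style export): "<seconds> <pid> <image> <EVENT> <detail>"
WINDOW_SECONDS = 5.0
CRYPTO_APIS = {"CryptGenKey", "CryptEncrypt", "BCryptEncrypt", "BCryptGenerateSymmetricKey"}
BURST_THRESHOLDS = {"OPEN": 20, "WRITE": 20, "DELETE": 10, "RENAME": 10}   # per window
EVENT_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<ev>[A-Z_]+)\s*(?P<detail>.*)$")


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((float(m["t"]), int(m["pid"]), m["image"], m["ev"], m["detail"]))
    return events


def score_processes(events):
    """Return {pid: {"image": ..., "flags": set()}} for every process that raised
    at least one red flag within some WINDOW_SECONDS-long window of its own events."""
    recent = defaultdict(deque)   # pid -> events still inside the window
    results = {}
    for t, pid, image, ev, detail in sorted(events):
        q = recent[pid]
        q.append((t, ev, detail))
        while q and t - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        counts = defaultdict(int)
        for _, e, _ in q:
            counts[e] += 1
        flags = results.setdefault(pid, {"image": image, "flags": set()})["flags"]
        for e, limit in BURST_THRESHOLDS.items():          # many opens / writes / deletes
            if counts[e] >= limit:
                flags.add("burst:" + e)
        if any(e == "API" and d in CRYPTO_APIS for _, e, d in q):     # encryption API use
            flags.add("crypto_api")
        if counts["NET"] and counts["WRITE"]:                # C2 traffic while rewriting files
            flags.add("net_during_writes")
        if any(e == "REG_SET" and "\\Run" in d for _, e, d in q):     # persistence via a Run key
            flags.add("run_key_change")
    return {pid: r for pid, r in results.items() if r["flags"]}


def is_ransomware_like(flags):
    """A burst of file operations alone also describes backup and indexing tools,
    so require a corroborating signal before alerting."""
    burst = any(f.startswith("burst:") for f in flags)
    return burst and bool(flags & {"crypto_api", "burst:DELETE", "net_during_writes"})


def detect(text):
    scored = score_processes(parse_events(text))
    return sorted((pid, r["image"]) for pid, r in scored.items() if is_ransomware_like(r["flags"]))


def build_sample_log():
    """Constructed log: an idle shell, a legitimate backup burst (pid 5555) and a
    ransomware process (pid 9001) walking pre-encryption, encryption and C2 phases."""
    lines = [
        "0.10 4321 explorer.exe OPEN C:\\Users\\a\\Documents\\report.docx",
        "0.20 4321 explorer.exe READ C:\\Users\\a\\Documents\\report.docx",
        "9.80 9001 svchost_x.exe REG_SET HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
        "9.85 9001 svchost_x.exe API CryptGenKey",
        "9.90 9001 svchost_x.exe NET 203.0.113.5:443",
    ]
    t = 10.0
    for i in range(25):
        f = "C:\\Users\\a\\Documents\\file%d.docx" % i
        lines += ["%.2f 9001 svchost_x.exe OPEN %s" % (t, f),
                  "%.2f 9001 svchost_x.exe READ %s" % (t + 0.01, f),
                  "%.2f 9001 svchost_x.exe WRITE %s.locked" % (t + 0.02, f),
                  "%.2f 9001 svchost_x.exe DELETE %s" % (t + 0.03, f)]
        t += 0.1
    t = 20.0
    for i in range(22):
        f = "D:\\share\\doc%d.docx" % i
        lines += ["%.2f 5555 backup.exe OPEN %s" % (t, f),
                  "%.2f 5555 backup.exe READ %s" % (t + 0.01, f),
                  "%.2f 5555 backup.exe WRITE E:\\backup\\doc%d.docx" % (t + 0.02, i)]
        t += 0.05
    return "\n".join(lines)
```

`detect(build_sample_log())` returns only pid 9001: the backup process trips the open and write bursts but has no encryption API call, no deletes and no network activity, so it is scored but not alerted. The stream-structure red flag (read a file, write a new one, delete the original) is what the DELETE burst captures here.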
IDENTIFICATION OF RANSOMWARE AND MALWARE ANALYSIS

Detection approaches:
 Signature-based detection approaches
 Behavioural-based detection approaches
 Hybrid detection approaches
File Analysis
 Crypto ransomware modifies a file when encrypting it. Large changes made to many files in a computer's file system can indicate that a ransomware attack is under way. Several metrics can be used to detect significant changes in files; the four methods of file analysis are:
 File entropy
 File type
 Similarity
 File I/O
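The four file-analysis metrics above, computed on before/after snapshots of one file. This is an added example, not code from the original slides: the "report" and "archive" contents, the alert thresholds and the stand-in cipher (a SHA-256 counter-mode keystream XOR, in place of whatever cipher a real family uses) are all constructed here. The third case shows why entropy alone is not enough: a legitimately rewritten archive is already near 8 bits per byte.

```python
import hashlib
import math
from collections import Counter

# File-level metrics on constructed before/after snapshots of one file. The
# "encryption" is a SHA-256 counter-mode keystream XOR, standing in for whatever
# cipher a ransomware family uses; thresholds are assumptions for the example.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg"}
ENTROPY_ALERT = 7.5       # bits/byte; ciphertext sits close to 8.0
SIMILARITY_ALERT = 0.10   # Jaccard of 8-byte shingles; edits stay high, rewrites fall to ~0


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data):
    """Type from magic bytes, falling back to a printable-ASCII check on the head."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    head = data[:512]
    if head and all(b in b"\r\n\t" or 32 <= b < 127 for b in head):
        return "text"
    return "binary"


def shingle_similarity(a, b, k=8):
    """Jaccard similarity of the sets of k-byte substrings (position independent)."""
    sa = {a[i:i + k] for i in range(len(a) - k + 1)}
    sb = {b[i:i + k] for i in range(len(b) - k + 1)}
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def analyze_write(before, after):
    """Score one overwrite of a file; io_bytes records the size of the rewrite."""
    r = {
        "entropy_before": shannon_entropy(before),
        "entropy_after": shannon_entropy(after),
        "type_before": sniff_type(before),
        "type_after": sniff_type(after),
        "similarity": shingle_similarity(before, after),
        "io_bytes": len(after),
    }
    # All three must agree: high-entropy result, almost none of the old content
    # survives, and the container type is gone. Entropy alone would flag every
    # archive and image, which are compressed and therefore already near 8 bits.
    r["suspicious"] = (r["entropy_after"] > ENTROPY_ALERT
                       and r["similarity"] < SIMILARITY_ALERT
                       and r["type_after"] != r["type_before"])
    return r


def toy_encrypt(data, key):
    """Constructed stand-in for the malware's cipher: XOR with a SHA-256 counter keystream."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(x ^ y for x, y in zip(data, stream))


def demo():
    sentences = [b"Quarterly revenue grew in the northern region. ",
                 b"Inventory turnover improved after the warehouse move. ",
                 b"Headcount is flat; hiring resumes next quarter. "]
    doc = b"%PDF-1.4\n" + b"".join(sentences) * 30             # constructed "report.pdf"
    archive = b"PK\x03\x04" + toy_encrypt(bytes(4096), b"a")   # constructed, already high-entropy archive
    cases = {
        "edited": (doc, doc + b"Revision 2: figures updated by finance.\n"),
        "encrypted": (doc, toy_encrypt(doc, b"k1")),
        "archive_rewrite": (archive, b"PK\x03\x04" + toy_encrypt(bytes(4096), b"b")),
    }
    return {name: analyze_write(b, a) for name, (b, a) in cases.items()}
```

`demo()` flags only the encrypted report: the edited report keeps its low entropy and most of its shingles, and the rewritten archive keeps its `PK` header, so the type check holds it back. Families that preserve the original header (or append rather than overwrite) defeat the type check, which is why the metrics are combined with the process-level red flags rather than used alone.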


Honeypots
 Honeypots (or honey files) are decoy files planted for the ransomware to attack. Once these files are touched, the attack is detected and can be stopped. Honey files are easy to set up and require little maintenance. However, there is no guarantee the malware will target the decoys, so it may encrypt other files while leaving the honey files untouched.
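A minimal honey-file monitor, together with the blind spot described above. This is an added example and not code from the original slides: the decoy names, the victim file and the simulated encryptor (a constructed XOR loop that renames files to `.locked`, not real malware) are all assumptions made here. The second scenario runs an encryptor that skips files under 1 KB, which is enough to encrypt the real spreadsheet while every decoy survives.

```python
import hashlib
import pathlib
import tempfile

# Decoy names sort to the start and end of a directory listing, since many
# encryptors walk directories in sorted order; the content is small and static.
HONEY_NAMES = ["!!_account_numbers.xlsx", "_00_passwords.docx", "zz_old_backup.txt"]


def digest(data):
    return hashlib.sha256(data).hexdigest()


def plant_honey_files(root):
    """Write the decoys and record a hash baseline for each."""
    root = pathlib.Path(root)
    baseline = {}
    for name in HONEY_NAMES:
        p = root / name
        p.write_bytes(b"decoy: " + name.encode() + b"\n")
        baseline[p] = digest(p.read_bytes())
    return baseline


def check_honey_files(baseline):
    """Return [(name, reason)] for every decoy that was removed or changed."""
    alerts = []
    for p, expected in baseline.items():
        if not p.exists():
            alerts.append((p.name, "missing"))        # deleted, or renamed to .locked
        elif digest(p.read_bytes()) != expected:
            alerts.append((p.name, "modified"))       # encrypted in place
    return alerts


def simulated_encryptor(root, min_size=0):
    """Constructed stand-in for a crypto-ransomware loop: rewrites every regular
    file of at least min_size bytes as <name>.locked and deletes the original."""
    hit = []
    for p in sorted(pathlib.Path(root).iterdir()):   # listing is taken before any writes
        if p.is_file() and p.suffix != ".locked" and p.stat().st_size >= min_size:
            data = p.read_bytes()
            p.with_name(p.name + ".locked").write_bytes(bytes(b ^ 0x5A for b in data))
            p.unlink()
            hit.append(p.name)
    return hit


def run_scenario(min_size):
    """Plant decoys beside one real file, run the encryptor, report what it hit
    and what the decoys noticed."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "budget_2019.xlsx").write_bytes(b"real spreadsheet " * 200)   # ~3.4 KB
        baseline = plant_honey_files(root)
        encrypted = simulated_encryptor(root, min_size=min_size)
        return encrypted, check_honey_files(baseline)
```

`run_scenario(0)` reports all three decoys missing; `run_scenario(1024)` encrypts `budget_2019.xlsx` and reports nothing, the failure mode the caveat describes. Decoys therefore need realistic sizes, extensions and timestamps, and the check should run on a file-system event rather than on a polling timer so the encryptor can be stopped at its first hit.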
Network Traffic Analysis
 DGA detection
 Packet size
 Malicious domains
 Message frequency
 Other features
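The DGA-detection and message-frequency features above, as an added example that is not part of the original slides. It scores the registrable label of each queried name on lexical features and then counts, per client, how many DGA-looking names were resolved; the resolver-log format, the client addresses, every domain name and the thresholds are constructed here, and the generated-looking names are invented rather than taken from any real family.

```python
import math
import re
from collections import Counter, defaultdict

# Scoring thresholds are assumptions for this example; a deployment would fit
# them on its own resolver logs.
VOWELS = set("aeiou")
FLAG_SCORE = 3


def label_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_consonant_run(s):
    best = run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def registrable_label(qname):
    """Label left of the TLD; ignores multi-part suffixes such as co.uk (simplification)."""
    labels = qname.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(qname):
    """(score, reasons): one point per lexical feature typical of generated names."""
    s = registrable_label(qname)
    n = max(len(s), 1)
    checks = {
        "long": len(s) >= 12,
        "high_entropy": label_entropy(s) > 3.2,
        "few_vowels": sum(ch in VOWELS for ch in s) / n < 0.2,
        "digits": sum(ch.isdigit() for ch in s) / n > 0.2,
        "consonant_run": longest_consonant_run(s) >= 5,
    }
    reasons = [k for k, v in checks.items() if v]
    return len(reasons), reasons


LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")   # "<seconds> <client> <qname> <rcode>"


def flag_clients(log_text, min_hits=3):
    """Clients whose DGA-like queries reach min_hits. Most such queries are
    NXDOMAIN, because the operator registers only a few of the day's names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, client, qname, rcode = m.groups()
        score, _ = dga_score(qname)
        if score >= FLAG_SCORE:
            hits[client].append((qname, rcode))
    return {c: h for c, h in hits.items() if len(h) >= min_hits}


# Constructed resolver log; the generated-looking names are invented for the example.
SAMPLE_DNS_LOG = """\
0.1 10.0.0.5 www.google.com NOERROR
0.3 10.0.0.5 stackoverflow.com NOERROR
0.4 10.0.0.5 d1.cloudfront.net NOERROR
1.0 10.0.0.7 xk3qzp9vmtlr.net NXDOMAIN
1.1 10.0.0.7 qwrtplmnbvcx.info NXDOMAIN
1.2 10.0.0.7 hj7tkfpdsq2wn.com NXDOMAIN
1.3 10.0.0.7 zmvbtrxk4pqwd.org NOERROR
1.4 10.0.0.7 update.microsoft.com NOERROR
"""
```

`flag_clients(SAMPLE_DNS_LOG)` returns only `10.0.0.7`. Note the borderline legitimate case: `stackoverflow.com` scores two points (long, high entropy) and is held below the threshold only by its vowels and short consonant runs, which is why a lexical score is combined with the per-client NXDOMAIN frequency rather than alerting on one name.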
Machine Learning
 Machine learning models detect ransomware by classifying computer programs as either benign or ransomware based on their behaviour. With sufficient training data, these models can spot attacks with a high degree of accuracy, and they are frequently able to detect ransomware before it has a chance to encrypt any files.
 However, finding a suitable model requires trial and error, and bias or overfitting may occur if proper measures (such as evaluating on held-out samples) are not taken. The features used in the surveyed literature include the following:
 APIs / system calls
 Log files
 File I/O
 HPC (hardware performance counter) values
 Opcode/bytecode sequences
 Process actions
 Others
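A behavioural classifier over the first feature family above, API-call sequences. This is an added example and not code from the original slides or from any surveyed study: the model is a hand-rolled multinomial naive Bayes over call bigrams with Laplace smoothing, and every training trace is constructed here to mimic the call patterns the slides describe (enumerate, read, encrypt, write, delete) rather than recorded from malware. A quarter of the traces are held out, which is the overfitting check the text asks for.

```python
import math
import random
from collections import Counter, defaultdict


def bigrams(trace):
    """Adjacent call pairs; order of calls is what separates encrypt-then-delete from copy."""
    return [a + ">" + b for a, b in zip(trace, trace[1:])]


class NaiveBayes:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # Laplace smoothing
        self.class_docs = Counter()
        self.feat_counts = defaultdict(Counter)
        self.vocab = set()

    def fit(self, samples):
        for feats, label in samples:
            self.class_docs[label] += 1
            self.feat_counts[label].update(feats)
            self.vocab.update(feats)
        return self

    def log_posteriors(self, feats):
        total_docs = sum(self.class_docs.values())
        out = {}
        for label, n_docs in self.class_docs.items():
            denom = sum(self.feat_counts[label].values()) + self.alpha * len(self.vocab)
            lp = math.log(n_docs / total_docs)
            for f in feats:                     # unseen bigrams get the smoothed floor
                lp += math.log((self.feat_counts[label][f] + self.alpha) / denom)
            out[label] = lp
        return out

    def predict(self, feats):
        lp = self.log_posteriors(feats)
        return max(lp, key=lp.get)


# Constructed call patterns (not recorded samples); API names are the Win32 calls
# such programs would plausibly make.
RANSOM_LOOP = ["FindNextFileW", "CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW"]
BENIGN_LOOPS = [
    ["CreateFileW", "ReadFile", "CloseHandle", "CreateFileW", "WriteFile", "CloseHandle"],               # editor
    ["InternetOpenW", "HttpSendRequestW", "InternetReadFile", "CreateFileW", "WriteFile", "CloseHandle"],  # downloader
    ["FindNextFileW", "CreateFileW", "ReadFile", "CreateFileW", "WriteFile", "CloseHandle"],             # backup copy
]


def make_traces(seed=7, per_class=24):
    """Key setup then k passes of RANSOM_LOOP, versus k passes of one benign loop."""
    rng = random.Random(seed)
    samples = []
    for _ in range(per_class):
        k = rng.randint(3, 8)
        samples.append((["CryptAcquireContextW", "CryptGenKey", "FindFirstFileW"] + RANSOM_LOOP * k, "ransomware"))
        loop = rng.choice(BENIGN_LOOPS)
        prefix = ["FindFirstFileW"] if loop[0] == "FindNextFileW" else []
        samples.append((prefix + loop * k, "benign"))
    rng.shuffle(samples)
    return samples


def train_and_evaluate():
    """Hold out every fourth trace; accuracy on the unseen traces is the overfitting check."""
    samples = [(bigrams(t), y) for t, y in make_traces()]
    test = samples[::4]
    train = [s for i, s in enumerate(samples) if i % 4]
    model = NaiveBayes().fit(train)
    accuracy = sum(model.predict(f) == y for f, y in test) / len(test)
    return model, accuracy


def classify(model, trace):
    return model.predict(bigrams(trace))
```

The backup loop shares its enumerate-read prefix with the ransomware loop, so single calls would not separate the classes; the `WriteFile>DeleteFileW` and `DeleteFileW>FindNextFileW` bigrams do. A variant that swaps `CryptEncrypt` for `BCryptEncrypt` is still classified as ransomware because those surrounding bigrams survive, which also illustrates the limitation noted later on this page: a family that encrypts with its own native code produces no crypto-API call at all, and only the file-operation bigrams remain as evidence.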
Limitation in Detection of ransomware
 Most research on ransomware detection falls into the conventional class, where ransomware is detected only after encryption has started.
 Ransomware pads its activity with a high number of irrelevant and redundant system calls to bypass detection.
 The studies used different numbers of logs, drawn from different ransomware families, so their results are hard to compare.
 Detection systems are platform dependent: a system built on the Windows API cannot be carried over to cloud or mobile devices.
 Existing research cannot detect ransomware that encrypts data with its own native cipher code rather than system cryptography APIs.
 Not all of the detection research in the literature is practical to implement; some studies are empirical or only supplement other detection systems.
 Honeypot (decoy) methods are not fully reliable, since there is no guarantee that the honeypot folders will be touched by the attack.
 Analysing samples for too little, or too much, time makes some detection research inadequate to implement.
 Studies deal with either too little data, or massive data with many redundant values.
 Some studies do not explain well the analysis performed for detection.
 Unawareness among users.
 Lack of open-access ransomware libraries (sample collections).
Prevention
 Prevention aims at avoiding the ransomware attack in the first place. It protects the potential user from becoming a victim. Studies are conducted with the aim of stopping ransomware before it runs.
 It involves fixing the security holes in the system. Preventing the device from attack is easier than applying a remedy after an attack has occurred. Prevention research is further classified into proactive and reactive research.
Proactive Prevention
 The proactive technique continuously monitors processes and directories for signs of ransomware. It uses statistical data collected from the processor, memory, storage and I/O devices to detect and remove the ransomware.
 A process whose behaviour yields abnormal statistics is stopped or terminated. This technique was also able to detect ransomware with new patterns.
Reactive Prevention
 The reactive system studied holds on to the original data by using the SSD's garbage collector to retain the original copies of overwritten blocks. It detects the attack from frequent read and rewrite requests on the storage device, which is why it is called the Self-Defensible SSD.
Conclusion
 In this research paper, ransomware-related concepts, ransomware detection approaches utilising machine learning technologies, and recent advances in ransomware analysis, detection and prevention were explored.
 This research is intended to provide a user manual that can point researchers towards the available technologies in the field of ransomware attack detection. It can help in developing more efficient ransomware detection models while taking the available solutions into account.
