Emerging Threats, Attacks, Mitigation And Countermeasures Of Ransomware In Networked Information Systems

Discussion

Ransomware can be defined as a significant subset of malware in which the confidential data on the targeted system is locked. The locking is carried out by encryption, after which a payment is demanded [3]. The payment is demanded with the sole purpose of having the data decrypted and access returned to the authenticated user. The motive of a ransomware attack is always monetary: the attacker only wants money from the user. Usually, the payment for this type of attack is demanded in some form of virtual currency, such as Bitcoin, mainly because the attacker does not wish to reveal his or her identity. The impact of ransomware is extremely threatening for society, as the attacker often demands more money than the user can afford [9]. Moreover, since the systems are held hostage, users cannot use their computer systems and often face major disruption. The following report outlines one of the most damaging attacks in the cyber world, the ransomware attack.


Ransomware attacks are increasing day by day. In the last few years, this type of attack has been observed to be the fastest growing of all. Malware that holds data for ransom has existed for years; however, ransomware packages are now being activated so that they can attack systems throughout the world [7]. The recent variation is the use of digital currencies, so that the user does not learn the identity of the attacker. There are several variants of this malware. Five distinct variants of ransomware are as follows:

i) CryptoLocker: This is one of the most popular and significant ransomware families; it spread its destruction in the year 2013. It spreads through the attachments of spam messages and uses RSA public key encryption to seal up the user's files. Finally, cash was demanded in return for the decryption keys [10]. Around 500000 machines were affected by CryptoLocker in 2013 and 2014.

ii) TeslaCrypt: The second variant of ransomware is TeslaCrypt. This variant targeted the ancillary files associated with video games: downloaded content, maps, saved games and many more [5]. All of these files are important to gamers; however, they were saved on the local drive.

iii) SimpleLocker: This ransomware variant targeted Android platforms in 2015 and 2016. It infected several versions of Android and encrypted files, making them completely inaccessible without the help of the scammers [11]. It delivered its malicious payload through a Trojan downloader.

iv) WannaCry: Another popular and significant ransomware variant is WannaCry, which occurred in May 2017. It is considered the biggest ransomware attack registered. More than 250000 systems were detected in 116 countries [4]. Moreover, 150000 Android infections were also registered.

v) NotPetya: The fifth variant of ransomware is NotPetya. After WannaCry, an updated version started to spread, which utilized the EternalBlue package [1]. Several systems and Android devices were affected by it, including those of several popular organizations.

Of the above five variants, the most destructive was WannaCry. WannaCry is the kind of ransomware that infected the NHS or National Health Service as well as other organizations throughout the world, in China, the USA, Europe and Russia. This ransomware exploits the EternalBlue software [12]. It encrypted the files on that software and then informed the user that the data were locked and that a certain amount of money was demanded by the hacker.

There are five phases in the working mechanism of a ransomware attack. They are given below:

i) Exploitation and Infection: The first phase is executed through a phishing email or even an exploit kit [10].

ii) Delivery and Execution: In the second phase, the actual ransomware executables are delivered to the targeted system.

iii) Backup Spoliation: The ransomware then targets the backup files or folders on the system and removes them to prevent restoration from backup.

iv) File Encryption: Once the backups are removed, the malware performs a secure key exchange with the C2 server, and the encryption keys are then used on that system [8].

v) User Notification and Cleanup: In the final phase, with the backup files removed and the encryption done, the instructions for extortion and payment are presented.

There are several potential threats caused by ransomware malware. They are as follows:

i) System Lockups: The first and foremost potential threat posed by ransomware is the system lockup. This malware is responsible for locking up systems or data. The attacker locks the system and then demands money from the user. The intended user cannot open the files and thus faces major issues [6]. The main feature of this type of attack is that digital currency is demanded by the attacker, and hence it becomes extremely difficult for cyber experts to crack the code and identify the attacker. A huge amount of money is demanded by these attackers, and mostly not a single system but a group of systems is affected.

ii) Encryption of Files: The second significant potential threat posed by ransomware is the encryption of files or folders. Encryption is the method by which a file or data is kept hidden from unauthorized and unauthenticated users [3]. It is the simplest procedure for encoding a message in such a manner that only authenticated users can access it, while those who are not authenticated cannot access that data. It is considered the simplest system of lock and key. Encryption locks the data with such a lock and thus converts the plain text into cipher text. This conversion is effective for users, since an attacker does not get hold of the data. The encrypted data or message can only be decrypted with the help of that key, known as the pseudo-random encryption key [9]. Without that key, it is not possible to decrypt the data. However, in a ransomware attack the hacker encrypts the file or data into cipher text that cannot be cracked at any cost. Hence, it is a significant threat for users.

iii) Deleting the Files: The third type of potential threat posed by ransomware is the deletion of files. The attacker often deletes the files or messages and changes the content of the confidential file [7]. The user does not get any notification of this activity and is threatened by the attacker that all the data will be deleted if the ransom is not paid. The files may contain confidential as well as sensitive data that the intended user will never want to lose.

iv) Losing Data Confidentiality: Data confidentiality and integrity are often lost when a ransomware attack occurs. The user cannot do anything in such cases except pay the ransom, so that no further destruction is done to the files [2].
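The "pseudo-random encryption key" point above is also what makes the File Encryption phase visible to a defender: cipher text is statistically close to random bytes, so a process that rewrites many files with near-random content and gives them new extensions stands out from ordinary software such as word processors. The Python script below is an added example, not part of the original report and not the code of any cited tool; it implements the entropy and file-type-change heuristic in the spirit of [2] and [4] over constructed write events (the process names, paths and contents are all invented for the demonstration).

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant byte string,
    close to 8.0 for uniformly random (or well-encrypted) data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class WriteEvent:
    process: str    # image name of the writing process (constructed)
    old_path: str   # file path before the operation
    new_path: str   # file path after it (equal to old_path when no rename happened)
    content: bytes  # bytes written to new_path


def is_suspicious(ev: WriteEvent, entropy_threshold: float = 7.0) -> bool:
    """One write looks like encryption-in-place when the written bytes are
    near-random AND the file received a new extension in the same operation.
    Requiring both conditions keeps archivers and image encoders, which also
    write high-entropy data but keep their extension, out of the alert."""
    ext_changed = PurePosixPath(ev.old_path).suffix != PurePosixPath(ev.new_path).suffix
    return ext_changed and shannon_entropy(ev.content) >= entropy_threshold


def flag_processes(events, min_hits: int = 3, entropy_threshold: float = 7.0) -> dict:
    """Count suspicious writes per process and return only the processes that
    reach min_hits, as {process_name: suspicious_write_count}."""
    hits = defaultdict(int)
    for ev in events:
        if is_suspicious(ev, entropy_threshold):
            hits[ev.process] += 1
    return {proc: n for proc, n in hits.items() if n >= min_hits}


def constructed_events() -> list:
    """Constructed sample telemetry (not captured from any real system)."""
    rng = random.Random(2017)  # fixed seed so the sample is reproducible
    events = []
    # Benign: a word processor saving compressible text under the same name.
    for i in range(5):
        path = f"/home/user/report{i}.docx"
        events.append(WriteEvent("winword.exe", path, path, b"Quarterly report text. " * 200))
    # Benign: an archiver writing high-entropy output that keeps its own extension.
    events.append(WriteEvent("7z.exe", "/home/user/backup.zip",
                             "/home/user/backup.zip", rng.randbytes(4096)))
    # Hypothetical encrypting process: near-random bytes AND a new extension, five times.
    for i in range(5):
        old = f"/home/user/report{i}.docx"
        events.append(WriteEvent("unknown_proc.exe", old, old + ".locked", rng.randbytes(4096)))
    return events


if __name__ == "__main__":
    for proc, count in flag_processes(constructed_events()).items():
        print(f"ALERT: {proc} made {count} high-entropy writes with extension changes")
```

The thresholds (7.0 bits per byte, three hits) are starting points for tuning, not universal constants: compressed archives and media files legitimately carry high entropy, which is why the example also requires an extension change before counting a write.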

Working Mechanism of Ransomware

In May 2017, the cyber attack named the WannaCry ransomware attack took place, targeting systems running the Microsoft Windows operating system. It encrypted data and demanded ransom in Bitcoin [12]. The crypto worm propagated via EternalBlue, and the attack was caused by the hacker group called the Shadow Brokers. More than 500000 machines were affected, and the most affected organization was the NHS or National Health Service in the UK.

The two mitigation tools for ransomware attack are as follows:

i) Procmon: It is one of the most popular mitigation tools and shows every desired activity in a system. It has filtering capability, so that the user is not flooded with information while using the system [7]. Procmon is effective against ransomware attacks as it monitors honeypots, and hence ransomware is easily detected by it.

ii) SSDT: The second mitigation tool for ransomware attacks is the SSDT or System Service Descriptor Table. When the encryption of files is complete, every single activity is notified of where it is kept [5]. It eventually cleans up the entire system without any issue.

The two tools mentioned above are extremely effective and popular for the prevention of ransomware attacks.
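The honeypot monitoring attributed to Procmon above can be reduced to a simple check that any defender can run without a dedicated tool: plant decoy files, record their hashes, and raise an alert when a decoy is modified, disappears, or is joined by a file nobody planted. The Python script below is an added example and is not part of the original report or of Procmon; the decoy names are invented, and the simulated tampering in `demo()` is confined to a temporary directory that is deleted afterwards.

```python
import hashlib
import tempfile
from pathlib import Path

# Decoy file names are constructed for this example.
DECOY_NAMES = ("decoy_invoice_2016.docx", "decoy_meeting_notes.txt")


def sha256_of(path: Path) -> str:
    """Hex digest of the file's current bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path, names=DECOY_NAMES) -> dict:
    """Create decoy files under root and return the baseline {path: sha256}.
    The content itself is irrelevant; only its digest is kept."""
    baseline = {}
    for name in names:
        p = root / name
        p.write_bytes(f"decoy content for {name}\n".encode())
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_canaries(root: Path, baseline: dict) -> list:
    """Compare the decoy directory with the baseline and return a list of
    (alert_kind, path) tuples; an empty list means the decoys are untouched.
      missing    - a decoy disappeared (deleted or renamed away)
      modified   - a decoy exists but its bytes changed (e.g. overwritten)
      unexpected - a file appeared that was not planted (e.g. a renamed decoy)"""
    alerts = []
    for path_str, digest in baseline.items():
        p = Path(path_str)
        if not p.exists():
            alerts.append(("missing", path_str))
        elif sha256_of(p) != digest:
            alerts.append(("modified", path_str))
    for p in root.iterdir():
        if str(p) not in baseline:
            alerts.append(("unexpected", str(p)))
    return alerts


def demo() -> tuple:
    """Plant decoys in a temporary directory, take a clean reading, then simulate
    tampering with the decoys (nothing outside the temp dir is touched) and take a
    second reading. Returns (alerts_before, alerts_after)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_canaries(root)
        before = check_canaries(root, baseline)
        # Simulated tampering: first decoy overwritten, second decoy renamed.
        (root / DECOY_NAMES[0]).write_bytes(b"\x7f\x13\x9a" * 20)
        (root / DECOY_NAMES[1]).rename(root / (DECOY_NAMES[1] + ".locked"))
        after = check_canaries(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    for kind, path in after:
        print(f"ALERT {kind}: {path}")
```

In practice the check would run on a schedule or be driven by a file-system change notification, and a positive result would feed the same response path as a process-monitor alert; the value of decoys is that legitimate software has no reason to touch them, so the false-positive rate is very low.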

Therefore, from the above discussion, it can be concluded that ransomware can easily be spread through all types of malicious email attachments, compromised web sites, infected external storage or even infected software applications. The increasing number of attacks can easily utilize the remote desktop protocol or any other approach that does not rely on user interaction. This type of malware is responsible for changing the login credentials of the intended user within a specific computing device. Ransomware can even encrypt the data files on the infected device or on any other linked network device. Ransomware is a significant kind of malicious software that emerged from cryptovirology. It threatens to publish the victim's sensitive data or information, or to block access to the system, until the demanded ransom is paid. When ransomware locks a system, even a knowledgeable individual cannot crack the code easily. Since the transaction is done with digital currencies, it is nearly impossible to track the hacker. The above report has clearly outlined a detailed description of ransomware and its significant impact on society. The potential threats as well as the mitigation tools for ransomware are properly explained in this report.

References 

[1] Kharraz, Amin, William Robertson, Davide Balzarotti, Leyla Bilge, and Engin Kirda. “Cutting the gordian knot: A look under the hood of ransomware attacks.” In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 3-24. Springer, Cham, 2015.

[2] Scaife, Nolen, Henry Carter, Patrick Traynor, and Kevin RB Butler. “Cryptolock (and drop it): stopping ransomware attacks on user data.” In Distributed Computing Systems (ICDCS), 2016 IEEE 36th International Conference on, pp. 303-312. IEEE, 2016.

[3] Andronio, Nicoló, Stefano Zanero, and Federico Maggi. “Heldroid: Dissecting and detecting mobile ransomware.” In International Workshop on Recent Advances in Intrusion Detection, pp. 382-404. Springer, Cham, 2015.

[4] Kharraz, Amin, Sajjad Arshad, Collin Mulliner, William K. Robertson, and Engin Kirda. “UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware.” In USENIX Security Symposium, pp. 757-772. 2016.

[5] Mercaldo, Francesco, Vittoria Nardone, Antonella Santone, and Corrado Aaron Visaggio. “Ransomware steals your phone. formal methods rescue it.” In International Conference on Formal Techniques for Distributed Objects, Components, and Systems, pp. 212-221. Springer, Cham, 2016.

[6] Sittig, Dean F., and Hardeep Singh. “A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks.” Applied clinical informatics 7, no. 2 (2016): 624.

[7] Brewer, Ross. “Ransomware attacks: detection, prevention and cure.” Network Security 2016, no. 9 (2016): 5-9.

[8] Pathak, P. B., and Yeshwant Mahavidyalaya Nanded. “A dangerous trend of cybercrime: ransomware growing challenge.” International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) Volume 5 (2016).

[9] Song, Sanggeun, Bongjoon Kim, and Sangjun Lee. “The effective ransomware prevention technique using process monitoring on android platform.” Mobile Information Systems 2016 (2016).

[10] Yang, Tianda, Yu Yang, Kai Qian, Dan Chia-Tien Lo, Ying Qian, and Lixin Tao. “Automated detection and analysis for android ransomware.” In High Performance Computing and Communications (HPCC), 2015 IEEE 7th International Symposium on Cyberspace Safety and Security (CSS), 2015 IEEE 12th International Conference on Embedded Software and Systems (ICESS), 2015 IEEE 17th International Conference on, pp. 1338-1343. IEEE, 2015.

[11] Everett, Cath. “Ransomware: to pay or not to pay?” Computer Fraud & Security 2016, no. 4 (2016): 8-12.

[12] Chen, Qian, and Robert A. Bridges. “Automated Behavioral Analysis of Malware: A Case Study of WannaCry Ransomware.” arXiv preprint arXiv:1709.08753 (2017).