Ransomware: Types, Mitigation Strategies And Prevention

Ransomware is a type of malware that encrypts the files on a computer as soon as it infects the machine and locks the user out of the system. The attacker demands a ransom to restore access to the affected computer; once paid, a key is provided to the user that decrypts the encrypted files. The motive behind these attacks is almost always monetary. Normally, the attacker demands payment in a virtual currency (such as Ethereum or Bitcoin).

The following report provides information about ransomware and discusses the different types of ransomware. Mitigation strategies are also highlighted in the report.

Types of Ransomware

The variants of ransomware can be differentiated into five categories: Gandcrab, Locky, Cryptolocker, Goldeneye and Wannacry. They can also be divided into two main categories, namely LOCKER and CRYPTO ransomware [5]. CRYPTO ransomware uses strong encryption that prevents users from accessing their own information on the computer; this type works silently on the machine, encrypting files in valuable locations. The ransomware then makes a monetary demand, which normally comes with a time limit after which the ransom increases. A virtual currencies

The LOCKER variant of ransomware differs from the former: instead of encrypting the sensitive information on the computer, it locks the PC from which the files would be accessed. Most of the time these ransomware variants lock the user interface of the computer and similarly demand a ransom to unlock it [6].

Working Mechanism of Ransomware

The working mechanism of a particular ransomware involves several phases and stages. In the first phase (infect and exploit), the ransomware needs to be opened by a user, for example as an email attachment, in order to activate itself; in this phase the attackers preferably use the exploit known as Angler. In the second phase (delivery), the ransomware runs its executable on the system it targets. Once the executables are in place, the persistence mechanisms start. In the third phase, the ransomware spoils the backups created by the computer; attacking the backups is a common trait of all ransomware. The fourth phase (encryption) starts with the encryption of the files. In the subsequent stages a key is pushed by the ransomware with the help of a C2 server or a command prompt [4]. The notification and ransom demand are posted in the last stage, where the payment details are given and the user is allowed a fixed time to pay; otherwise the price of the ransom is increased in the subsequent stages.
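The phases above map onto observable endpoint behaviour a defender can alert on: backup spoiling (phase 3) shows up as shadow-copy or recovery-data deletion commands, the encryption phase (phase 4) as a burst of renames that append a new extension, and the ransom demand (phase 5) as a dropped note. The following detector is an added example written for this report, not code from the report or any cited work; the event record format, the command patterns, the ransom-note name pattern and the sample stream in `demo()` are all constructed assumptions.

```python
"""Added example, not code from the report: flag the backup-spoiling,
encryption and ransom-note phases described above in a stream of endpoint
events (process starts, file renames, file creates).  The event format,
the pattern lists and the sample stream in demo() are constructed."""
import re
from collections import defaultdict, deque

# Phase 3 (spoiling backups): commands that destroy shadow copies or recovery data.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no", re.I),
]
# Phase 5 (ransom demand): typical file names of dropped notes (constructed list).
RANSOM_NOTE_NAME = re.compile(r"(readme|decrypt|restore|recover).*\.(txt|html|hta)$", re.I)


def is_backup_tamper(cmdline):
    """True if the command line matches a known backup/recovery destruction command."""
    return any(p.search(cmdline) for p in BACKUP_TAMPER_PATTERNS)


def is_extension_append(old, new):
    """True when a rename only appends an extension (report.docx -> report.docx.locked),
    the trace crypto ransomware leaves while encrypting files in place."""
    return new != old and new.startswith(old + ".")


def detect_phases(events, rename_threshold=20, window_s=60):
    """events: iterable of dicts {ts, pid, type, ...}; type 'process' carries
    'cmdline', 'rename' carries 'old'/'new', 'create' carries 'path'.
    Returns {pid: sorted list of phase findings} for processes with findings."""
    findings = defaultdict(set)
    recent_renames = defaultdict(deque)   # pid -> timestamps of extension-append renames
    for ev in events:
        pid, ts = ev["pid"], ev["ts"]
        if ev["type"] == "process" and is_backup_tamper(ev["cmdline"]):
            findings[pid].add("phase3_backup_tamper")
        elif ev["type"] == "rename" and is_extension_append(ev["old"], ev["new"]):
            q = recent_renames[pid]
            q.append(ts)
            while q and ts - q[0] > window_s:     # keep a sliding time window
                q.popleft()
            if len(q) >= rename_threshold:
                findings[pid].add("phase4_mass_rename")
        elif ev["type"] == "create" and RANSOM_NOTE_NAME.search(ev["path"].rsplit("/", 1)[-1]):
            findings[pid].add("phase5_ransom_note")
    return {pid: sorted(f) for pid, f in findings.items()}


def demo():
    """Constructed event stream: pid 4242 behaves like ransomware, pid 7 is a benign editor."""
    events = [{"ts": 0, "pid": 4242, "type": "process",
               "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}]
    events += [{"ts": 10 + i, "pid": 4242, "type": "rename",
                "old": f"/srv/share/doc{i}.docx", "new": f"/srv/share/doc{i}.docx.locked"}
               for i in range(25)]
    events.append({"ts": 40, "pid": 4242, "type": "create",
                   "path": "/srv/share/README_DECRYPT.txt"})
    events += [{"ts": 50 + i, "pid": 7, "type": "rename",
                "old": f"/home/u/draft{i}.tmp", "new": f"/home/u/draft{i}.txt"}
               for i in range(5)]
    return detect_phases(events)


if __name__ == "__main__":
    print(demo())
```

The rename threshold and window are tuning knobs: a build system or an archiver also renames many files quickly, so in practice the phase 4 signal is most useful when it coincides with a phase 3 or phase 5 finding from the same process.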


Potential Threats and Impacts of Ransomware

The ransomware threat extends to the millions of personal computers in the homes and offices of ordinary people. Ransomware attackers especially target people who have little knowledge of how to counter the threat and siphon money out of them. The high-level threats include government institutions, as well as information related to national security falling into the wrong hands [2]. Ransomware can be used to shut down an entire company network through a continuous DDoS attack, and businesses, especially small ones, face an immense threat from it. Sensitive customer information is also at potential risk from these attacks [1].

The Wannacry ransomware is a recent cyber-attack that managed to infect millions of computers around the world. The ransomware encrypted the hard drive of every PC it infected and even affected high-profile targets such as the national service of Britain. After investigation, the security department of the USA linked the attack to a company known as Symantec. Later they dropped the charges and blamed a notorious North Korean group known as Lazarus. The virus came with a built-in Tor browser and spread through a dropper in a self-contained computer [7]. Microsoft detected the vulnerability one month before announcing it officially. The company, along with vendors such as Adobe, pushed several patches to minimise the damage caused by the ransomware. After investigation, it was found that the ransomware used an exploit against Microsoft computers known as EternalBlue. Microsoft then sued the USA government for keeping the vulnerability hidden from the general public even after discovering it months in advance. It was accidentally discovered by a person who was trying to make sense of a random sequence of code [3]. The researchers then isolated the ransomware and sandboxed it in a virtual environment for further research, in order to properly address situations like this.

Mitigation Strategies and Prevention

Ransomware can be prevented by adopting some healthy habits on a daily basis. Special protection software such as antivirus can help. People need to stay careful when opening an unknown email attachment; they need to be aware of the threats posed by malware present in the attachment and its possible implications for the system [9]. Most enterprises nowadays are affected by this common problem, where an employee of the company opens and activates malicious code by mistake, causing the company millions of dollars in damage. The user needs to refrain from paying the demanded ransom. Enterprises which handle important and sensitive customer information need to use strategic and preventative cyber security tactics to address these situations. Proper backups need to be made [12]. Access to information needs to be limited, to prevent the attack from spreading in case of a phase 1 infection. Storage snapshots need to be kept in a pool outside the system, which makes it possible to check whether the saved files and folders have been compromised. The domain needs to be compartmentalized by the organization concerned using a number of strategies.
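The snapshot check recommended above can be implemented with a hash manifest: record a digest of every protected file, store the manifest where the endpoint cannot write to it, and compare a fresh manifest against it later. The following is an added example written for this report, not code from the report or any cited work; the directory layout, the file names and the simulated in-place encryption in `demo()` are constructed assumptions, and the 50% change ratio is an illustrative threshold.

```python
"""Added example, not code from the report: keep a SHA-256 manifest of a
protected directory outside the system, then compare a fresh manifest
against it to see whether saved files were rewritten, renamed or deleted.
Paths, file names and the simulated attack in demo() are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, current):
    """Classify every path as modified (same name, new digest), missing, or added."""
    base, cur = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
        "missing": sorted(base - cur),
        "added": sorted(cur - base),
    }


def looks_like_mass_encryption(diff, baseline_count, ratio=0.5):
    """Heuristic: when at least `ratio` of the baseline files changed or vanished in
    one interval, that is more consistent with encryption than with normal editing."""
    if baseline_count == 0:
        return False
    return (len(diff["modified"]) + len(diff["missing"])) / baseline_count >= ratio


def demo():
    """Snapshot a constructed data set, simulate an attack, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        data.mkdir()
        for name in ("a.docx", "b.xlsx", "c.pdf", "d.txt"):
            (data / name).write_bytes(b"plaintext " + name.encode())
        manifest_path = Path(tmp) / "baseline.json"   # in practice: read-only storage
        save_manifest(build_manifest(data), manifest_path)
        # Constructed "attack": two files overwritten, one renamed, one note dropped.
        (data / "a.docx").write_bytes(os.urandom(32))
        (data / "b.xlsx").write_bytes(os.urandom(32))
        (data / "c.pdf").rename(data / "c.pdf.locked")
        (data / "README_DECRYPT.txt").write_text("constructed ransom note")
        baseline = load_manifest(manifest_path)
        diff = compare_manifests(baseline, build_manifest(data))
        return diff, looks_like_mass_encryption(diff, len(baseline))


if __name__ == "__main__":
    print(demo())
```

The comparison only has value if the baseline manifest lives somewhere the infected host cannot alter, which is why the report's advice to keep snapshots in a pool outside the system matters as much as the hashing itself.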


Steps need to be taken to block malicious sites and Tor IP addresses, which are one of the main gateways for transactions with the C2 server. Organizations need to define their restriction policies thoroughly to prevent infected files from spreading through the whole system. Unwanted wireless connections, such as those from infrared and Bluetooth devices, need to be shut down, as research has shown that Bluetooth can be used to compromise certain systems [11]. To prevent the system from getting hacked, remote services need to be shut down, and all server functionality needs to be physically present in the organizational infrastructure for robust security. Pop-ups need to be blocked. The AutoPlay option needs to be turned off, and Windows PowerShell, which is responsible for automatic task allocation, needs to be deactivated. The computers can be secured by adding an extra layer of firewall or antivirus solutions [10]. To prevent remote users from getting at shadow volume snapshots, vssadmin.exe needs to be deactivated. The system needs to be patched with the latest updates, along with third-party software such as Flash Player, Adobe and Java. Anti-spam settings and file extension filters need to be updated from time to time.
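The restriction policies, anti-spam settings and file extension filters mentioned above come together at the mail gateway, where an attachment can be screened before a user ever sees it. The following screener is an added example written for this report, not code from the report or any cited work; the blocked-extension list, the magic-byte table and the sample attachments built with `make_zip()` are constructed assumptions that a real deployment would replace with its own policy.

```python
"""Added example, not code from the report: screen an e-mail attachment on the
mail gateway using extension and content rules.  The policy lists and the
sample attachments in the usage section are constructed."""
import io
import zipfile

# Extensions that should never reach a user as an attachment (constructed policy).
BLOCKED_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                ".bat", ".cmd", ".ps1", ".lnk", ".jar", ".iso", ".msi"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
OFFICE_ZIP_EXTS = MACRO_EXTS | {".docx", ".xlsx", ".pptx"}
# Expected leading bytes for a few common declared types.
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".png": b"\x89PNG", ".jpg": b"\xff\xd8"}


def extensions(filename):
    """All dotted suffixes, lower-cased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def _zip_names(data):
    """Entry names of a zip-based file, or [] if the bytes are not a zip."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    with zipfile.ZipFile(buf) as z:
        return z.namelist()


def screen_attachment(filename, data):
    """Return the list of policy violations; an empty list means the attachment passes."""
    reasons = []
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    if final in BLOCKED_EXTS:
        reasons.append("blocked executable extension")
        if len(exts) > 1:
            reasons.append("double extension")            # e.g. invoice.pdf.exe
    if final in MACRO_EXTS:
        reasons.append("macro-enabled Office type")
    if data[:2] == b"MZ" and final not in BLOCKED_EXTS:     # PE image hiding behind a safe name
        reasons.append("PE header under non-executable extension")
    if final in MAGIC and not data.startswith(MAGIC[final]):
        reasons.append("content does not match declared type")
    names = _zip_names(data) if final in OFFICE_ZIP_EXTS | {".zip"} else []
    if final in OFFICE_ZIP_EXTS and any(n.lower().endswith("vbaproject.bin") for n in names):
        reasons.append("embedded VBA project")
    if final == ".zip":
        inner = []
        for n in names:
            ext = extensions(n)
            if ext and ext[-1] in BLOCKED_EXTS:
                inner.append(n)
        if inner:
            reasons.append("archive contains executable: " + ", ".join(inner))
    return reasons


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                   # constructed attachments
        "report.pdf": b"%PDF-1.4 constructed",
        "invoice.pdf.exe": b"MZ\x90\x00 constructed",
        "photo.png": b"MZ\x90\x00 constructed",
        "order.docm": make_zip({"word/vbaProject.bin": b"constructed"}),
        "tools.zip": make_zip({"readme.txt": b"x", "setup.exe": b"MZ"}),
    }
    for name, blob in samples.items():
        print(name, "->", screen_attachment(name, blob) or "OK")
```

Checking content as well as the name matters because the two easiest ways around a pure extension filter are a double extension and an executable renamed to look like a document; the magic-byte and PE-header checks catch the second case, and the archive inspection catches executables wrapped in a zip.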

To conclude the report, it can be stated that the research topic of ransomware has been assessed in the discussion section of the report. The different variants of ransomware have been explained, and the working mechanism of the threat has been discussed phase by phase. The impact of ransomware has been researched, and a real-life incident has been provided to assess the topic from a practical point of view. The report concludes by mentioning several recommendations and preventative measures to combat the threat of ransomware.

References

[1] A. Dehghantanha, M. Conti, and T. Dargahi, eds. Cyber threat intelligence. Springer International Publishing, 2018.

[2] M. Young, L. Adam, and M. Yung. “Cryptovirology: The birth, neglect, and explosion of ransomware.” Communications of the ACM 60.7, 2017.

[3] E. Kalita. “WannaCry Ransomware Attack: Protect yourself from WannaCry Ransomware Cyber Risk and Cyber War.” 2017.

[4] S. Haber, J. Morey, and B. Hibbert. “Ransomware.” Privileged Attack Vectors. Apress, Berkeley, CA, 2018.

[5] G. Wiener, ed. Cyberterrorism and Ransomware Attacks. Greenhaven Publishing LLC, 2018.

[6] F. Mbol, J.M. Robert, and A. Sadighian. “An efficient approach to detect torrentlocker ransomware in computer systems.” International Conference on Cryptology and Network Security. Springer, Cham, 2016.

[7] A. Palisse. “Ransomware and the legacy crypto API.” International Conference on Risks and Security of Internet and Systems. Springer, Cham, 2016.

[8] A. Liska, and T. Gallo. Ransomware: Defending against digital extortion. O’Reilly Media, Inc., 2016.

[9] M. Francesco, “Ransomware steals your phone. formal methods rescue it.” International Conference on Formal Techniques for Distributed Objects, Components, and Systems. Springer, Cham, 2016.

[10] P. Shakir, H. Awni, and A.N. Jaber. “A Short Review for Ransomware: Pros and Cons.” International Conference on P2P, Parallel, Grid, Cloud and Internet Computing. Springer, Cham, 2017.

[11] L. Gangwar, M. Keertika, S. Mohanty, and A. K. Mohapatra. “Analysis and Detection of Ransomware Through Its Delivery Methods.” International Conference on Recent Developments in Science, Engineering and Technology. Springer, Singapore, 2017.

[12] R. Goldsborough. “The Increasing Threat of Ransomware.” Teacher Librarian 45.1, 2017.