Types of Ransomware Threats

Ransomware is a malware subset that usually attacks a computer and encrypts it immediately so that the users cannot access it. To access the computer, a ransom is demanded that needs to be paid to get a key which decrypts the user’s affected computer and returns it to its normal state. Monetary related targets are always the motive for the attacks. The payment is usually demanded with the help of virtual currencies such as Bitcoin.

In the following report, the different types of ransomware threats have been discussed and the possible mitigation tools have been highlighted.

There are five two main types of ransomware. The CRYPTO Ransomware and the LOCKER Ransomware are the two types of ransomwares. The CRYPO ransomwares weaponizes strong encryptions to disable a user form accessing his or her computer. These type of malwares are capable of silently going through the computer and encrypting valuable locations to attack a target pc successfully [5]. The ransomware then asks the victim to pay some money so that they can access their files easily. The decryption key is held by the attacker till the last phase of the transaction and these ransomwares usually comes with a time limit or provides link to buy virtual currencies and send them.

The second type of ransomware is known as LOCKER. This is because it does not actually encrypts the valuable files but instead locks the computer through which the files can be accessed from.  The UI or user interface of the computer is locked and a ransom is demanded to unlock the system[6].

They can be also differentiated into five categories considering their strains. These are Wannacry, Goldeneye , Gandcrab, Cryptolocker and Locky.

The working mechanism of ransomware can be divided into certain phases. Phase 1 is known as infection and exploitation. The file needs to be opened in the targeted computer for the ransomware to execute itself. The angler exploit kit is usually preferred by the attackers. The second phase is the delivery where the executable of the ransomware re executed in the system of the victim. The persistence mechanisms jumps into place once the executable are delivered. Phase 3 is known as the spoliation of backup.  The ransomware immediately targets the backup files of the folders and files and is a unique trait of the ransomwares specifically. The fourth phase consists of the encryption of the files. After removing the backups, the ransomware secretly pushes a key exchange which is secure through a command prompt or c2 server[4]. This encryptions are used in the local systems. The phase 4 usually consists of the cleanup and notification stage where the demand payment and extortion details are mentioned and the user is given a few days to pay the ransom. Unable to do so might lead to the increase in the ransom demand.

Working Mechanism of Ransomware

Ransomwares usually use the locker and encryption mechanism to encrypt sensitive information but sometimes the users of the vulnerable system can be targeted as well. This threat from ransomwares are described the USA government as extortion and usually considers strategic targeting to get its job done. They have been also seen to be targeting government agencies such as hospitals to take in critical information regarding the customers [2]. These ransomares can be not only used for data exfiltration but also for DDoS Attacks. They can be also used for anti-detection mechanisms and can virtually shut down an entire enterprise if proper steps are not taken to save and restore the business critical information[1].

In 2017, the Wannacry ransomware spread across millions of computer worldwide and encrypted the hard drive of every system that it will be affected. The ransomware wanted the users to pay a certain amount of money (300 dollars) through bitcoins. It affected a number of high profile systems including the national health service of Britain [3]. The USA security agency first linked the attack to Symnatec and later to a North Korean group known as the Lazarus group behind the attack. The malware initially spread itself through a self-contained computer in the form of a dropper and came with a built in Tor setup file. The vulnerability was detected by Microsoft one month earlier before it officially announced it. System patches was dispersed by several software and operating system vendors to counteract this threat including Apple and Adobe[7]. The ransomware used the Eternal blue exploit to infect the Microsoft computers and later the company sued the USA Government for not dispersing this sensitive information before hand to the public. Later Microsoft released a patch to cover up its SMN vulnerability. The ransomware was detected by accident by a security researcher called Marcus Hutchkins who discovered it while attempting to contact a gibberish line of code. The researchers managed to isolate the ransomware from the infected PC by creating a sandbox environment to contain it.

Ransomwares can be mitigated with the help of some healthy habits such as backing up the system from time to time preferably on a daily basis. The usage of antivirus software can also help in this aspect. The users who are clicking on unknown emails and attachments and strangers should be aware enough about the dangers of malwares and the risks that are associated with it[9]. Several enterprises in the recent decade have fallen prey to this system and have been affected due to the fault of an employee who opened a malicious file by mistake and helped in the spreading process. The victims should try their best to not pay the ransom else the attackers will get enough confident to do the attack again on another victim. Enterprises containing a lot of consumer data should take proper security measures to stop these attacks from handing and should proper mitigation steps to address this process. Hard limits can be enforced on the accessibility of the data so that access can be permitted during an attacking process. Storage snapshots need to be taken outside of the prime storage pool to check the system whether it is up to date with the normal files and folders present in the system.  Strategies need to be developed to compartmentalize domains and authentication systems[12].

Potential Threats of Ransomware

The Tor IP addresses and known malicious sites need to be blocked. The tor sites are one of the main reason for ransomware attacks as they create the communication stream for C&C servers. Software restriction policies need to be defined clearly to prevent malicious executable files to execute in certain locations of the system.  The wireless connections which are not used need to be switched off such as infrared ports and Bluetooth ports. Bluetooth have been used previously to compromise other systems. The remote services which may compromise the system in the future need to be disabled so that the ransomware cannot travel to the enterprise network and compromise the entire security infrastructure. File sharing need to be disabled to isolate the affected ransomware computer from directly affecting other computers [11]. Auto play option needs to be disable and strong passwords need to be enforced to prevent attackers from entering the system through brute force. Popups need to be blocked. The task automation framework or Windows PowerShell needs to be disabled unless it is necessary. Windows script host need to be disabled as a preventative measure. Additional firewalls can be added and properly configured as per the requirement the system. Vssaexe can be disabled to prevent the ransomwares from creating their shadow volume snapshot. The encrypted files can be easily restored if the .exe file remains disabled. If the system gets compromised, the first thing that can be done by the user is to switch the internet connection immediately [10]. The software such as adobe, java and flash player needs to be patched and the system needs to be upgraded from time to time. Show files extension needs to stay enabled and anti-spam settings need to be checked from time to time.

To conclude the report, it can be stated that the topic of ransomware and the impact of it on the society have been evaluated and assessed in the mentioned assignment. The several variants of ransomware have been assessed and discussed. The propagation vector and working mechanism of the ransomwares have been discussed in the discussion section of the report.  The threats that the virus can cause potentially have been widely assessed as well and a case study has been provided to understand the case from a real life scenario. The mitigation strategies and recommendation have been provided for the ransomware attacks in the report as well.

References

[1] M. Young, L. Adam, and M. Yung. “Cryptovirology: The birth, neglect, and explosion of ransomware.” Communications of the ACM 60.7, 2017

[2] A. Dehghantanha, M. Conti, and T. Dargahi, eds. Cyber threat intelligence. Springer International Publishing, 2018.

[3] E. Kalita,. “WannaCry Ransomware Attack: Protect yourself from WannaCry Ransomware Cyber Risk and Cyber War.”, 2017.

[4] S. Haber, J. Morey, and B. Hibbert. “Ransomware.” Privileged Attack Vectors. Apress, Berkeley, CA, 2018.

[5] G. Wiener, ed. Cyberterrorism and Ransomware Attacks. Greenhaven Publishing LLC, 2018.

[6] F. Mbol, J.M. Robert, and A. Sadighian. “An efficient approach to detect torrentlocker ransomware in computer systems.” International Conference on Cryptology and Network Security. Springer, Cham, 2016.

[7] A. Palisse. “Ransomware and the legacy crypto API.” International Conference on Risks and Security of Internet and Systems. Springer, Cham, 2016.

[8] A. Liska, and T. Gallo. Ransomware: Defending against digital extortion. ” O’Reilly Media, Inc.”, 2016.

[9] M. Francesco, “Ransomware steals your phone. formal methods rescue it.” International Conference on Formal Techniques for Distributed Objects, Components, and Systems. Springer, Cham, 2016.

[10] P. Shakir, H. Awni, and A.N. Jaber. “A Short Review for Ransomware: Pros and Cons.” International Conference on P2P, Parallel, Grid, Cloud and Internet Computing. Springer, Cham, 2017.

[11] L. Gangwar, M. Keertika, S. Mohanty, and A. K. Mohapatra. “Analysis and Detection of Ransomware Through Its Delivery Methods.” International Conference on Recent Developments in Science, Engineering and Technology. Springer, Singapore, 2017.

[12] R. Goldsborough. “The Increasing Threat of Ransomware.” Teacher Librarian 45.1, 2017