A survey paper on Ransomware

Akanksha Singh
Research Scholar, Computer Engineering Department, LDRP Institute of Technology & Research, [email protected]

Patel
Lecturer, Information Technology Department, LDRP Institute of Technology & Research, [email protected]
Abstract— Recently, ransomware has spread like cyclone winds. A cyclone wind creates atmospheric instability; likewise, ransomware creates computer data instability. Every user is moving towards digitization, and users keep their data on their own computers. But what if that data is hijacked? Ransomware is a kind of malicious software that hijacks users' data. It may lock the system in a way that even a knowledgeable person cannot reverse. It targets not only home computers but businesses as well. It encrypts data in such a way that an ordinary person can no longer decrypt it; a person has to pay a ransom to decrypt it, but paying does not guarantee that the files will be released. This paper gives a brief study of ransomware, its effect on the computer world and the preventive measures to control ransomware on computer systems.

Keywords—Ransomware, Virus, Trojan

I. Introduction

Lately many computer users will have heard or read a lot about the following malware: Cryptolocker, TorrentLocker, Cryptowall, TeslaCrypt, CTB-Locker, PadCrypt, Locky, Petya, … All of them are ransomware. Ransomware is a type of malware which tries to extort the users of the infected systems. This document tries to give a quick view of the characteristics of this type of malware, what we can do to prevent it, and what to do when infected.
Ransomware, sometimes known as cryptovirus, cryptotrojan, lockvirus, encryptor virus, or cryptoworm, is a type of malware that makes the data belonging to an individual on a computer inaccessible in some way, demanding a ransom for its restoration, hence the name. The term ransomware is commonly used to describe such software, although the field known as cryptovirology predates the term "ransomware". Ransomware is defined as malware that contains and uses the public key of its author. In cryptoviral extortion, the public key is used to hybrid-encrypt the data of the victim, and only the private key (which is not in the malware) can be used to recover the data. This is one of a myriad of attacks in the field known as cryptovirology. Ransomware can make its authors millions of dollars.

This type of ransom attack can be accomplished by (for example) attaching a specially crafted file/program to an e-mail message and sending this to the victim. If the victim opens/executes the attachment, the program encrypts a number of files on the victim's computer. A ransom note is then left behind for the victim. The victim will be unable to open the encrypted files without the correct decryption key. Once the ransom demanded in the ransom note is paid, the cracker may (or may not) send the decryption key, enabling decryption of the "kidnapped" files.

The idea of maliciously encrypting plaintext is not new. The first example is probably the PC Cyborg trojan that was found in 1989. It encrypted only filenames (using a very weak symmetric cipher), causing the file system to be corrupted. There have been other malware attacks that have maliciously encrypted plaintext since then. The 1996 IEEE paper by Young and Yung [1] reviews the malware that has done this and shows how public key cryptography may be used in such threats.

Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an e-mail attachment. However, one high-profile example, the "WannaCry" worm, traveled automatically between computers without user interaction. Starting from around 2012 the use of ransomware scams has grown internationally. In June 2013, vendor McAfee released data showing that it had collected more than double the number of ransomware samples that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring an estimated US $3 million before it was taken down by authorities, and CryptoWall was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over US $18m by June 2015.

II. RANSOMWARE TYPES

Currently, the literature makes a distinction between non-encrypting and encrypting ransomware:
• Non-encrypting ransomware threatens you with the diffusion of collected personal information, e.g. browsing history.
• Encrypting ransomware (cryptoware), which is the most common type nowadays, will encrypt the user's files. It doesn't encrypt the computer as a whole, since the computer remains generally operational. However, it does encrypt all the files which might hold some value for the user, even if these documents don't reside on the computer itself but are accessible through network shares. In order to recover the encrypted files, the ransomware urges you to buy the decryption key. Some newer variants target the database of your website or the data on your phone.

The most common encryption algorithms used by these ransomware families are AES with 256-bit keys and RSA with 2048-bit keys. Each day, new variants of ransomware appear. Most ransomware works on Windows, but this is not exclusive: there is also ransomware for MacOS, iOS, Linux, Android, etc.

III. Stages of Ransomware

The main stages of the ransomware kill chain are as follows:

Figure 1: Stages of Ransomware

1. Distribution campaign: attackers use techniques like social engineering and weaponized websites to trick or force users to download a dropper which kicks off the infection.
2. Malicious code infection: the dropper downloads an executable which installs the ransomware itself.
3. Malicious payload staging: the ransomware sets up, embeds itself in the system, and establishes persistence so that it survives a reboot.
4. Scanning: the ransomware searches for content to encrypt, both on the local computer and on network-accessible resources.
5. Encryption: the discovered files are encrypted.
6. Payday: a ransom note is generated and shown to the victim, and the hacker waits to collect the ransom.

IV. RANSOMWARE DISTRIBUTION

Ransomware is distributed using multiple vectors:
• Phishing mails: some phishing campaigns are used to spread ransomware. These mails contain a malicious attachment which serves as a downloader/dropper. It is the dropper's job to download and install the cryptolocker without being noticed. At the end of this section we describe the most commonly used droppers.
• … (.lnk) files. .lnk is the file extension used for icons that launch applications on Windows.
• Microsoft Compiled HTML Help (.chm) is a format made by Microsoft to distribute help documents.
V. PREVENTIVE MEASURES FOR RANSOMWARE

There are different measures that can be taken at different levels to prevent or reduce the impact of cryptoware. A quick search will reveal dozens of "tips to prevent ransomware" articles. We will enumerate some of the most relevant ones.

A. Users
Keep your users informed: an infection almost always begins with a human error. Keeping your users informed about the risks of opening attachments, suspicious software, or links is the first line of defense. However, even trained personnel are error-prone; NEVER count on the human element alone to keep you safe.

B. On Workstation
1. Disable macros: we mentioned in the previous section that Office documents can contain malicious macros. When you don't use macros, you can disable them. More info: Office 2007 and Office 2010.
2. Disable vssadmin.exe: prevent ransomware from encrypting your Volume Shadow Copy, which is a copy of your files, by disabling the vssadmin.exe service. This is a standard built-in functionality to administer the VSC.
An attacker could, for example, name a file "MyFile.pdf.exe". Windows hides the ".exe" extension by default, making the file appear as a simple PDF. Untrusted ".exe" files should, of course, never be opened.
5. Install a script-blocking application: to avoid the execution of malicious scripts on a website, you can install plugins that block scripts.
6. Restrict file permissions: Windows users can prevent the execution of files in the %TEMP% and %AppData% directories. This is usually where malware is installed, and restricting permissions can prevent it from running.
7. Take variant-specific preventive measures: some ransomware variants have known flaws which can prevent them from executing (for example, creating a HKCU\Software\Locky registry key will prevent certain Locky versions). Putting these measures in place will require a varying level of technical expertise and will only be effective against a given program/version.
8. Keep your system and your antivirus up to date.

C. On File server
Fragment your shares. To reduce the impact of the encryption, you should reduce the rights on the different shares. What malware can't edit, it can't encrypt. You can also check for the creation of the specific extensions used by ransomware.
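As an added example (not code from the paper), the following Python sketch shows the kind of check the file-server advice points at: it reads constructed audit events from a share and alerts when one account renames or creates many files with ransomware-style extensions inside a short window, including the "document name with an extra extension appended" pattern. The extension watchlist, the log format and the thresholds are assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed watchlist of extensions some ransomware families append to the files
# they encrypt (an assumption for this example; maintain it from threat intelligence).
SUSPECT_EXTENSIONS = {".locky", ".encrypted", ".crypt", ".ecc", ".zzz"}
# Ordinary document types whose names should never gain a further extension.
DOCUMENT_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}

def is_suspect_name(path):
    """True for a watchlisted extension, or for a document name that has had another
    extension appended (report.xlsx.abcd), the usual trace of a file being encrypted."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()  # works for UNC paths too
    root, ext = os.path.splitext(name)
    if ext in SUSPECT_EXTENSIONS:
        return True
    _, inner = os.path.splitext(root)
    return inner in DOCUMENT_EXTENSIONS and ext != "" and ext not in DOCUMENT_EXTENSIONS

def parse_event(line):
    """Each audit line is: ISO timestamp, account, action, path (tab separated)."""
    ts, user, action, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), user, action, path

def detect_mass_encryption(lines, window=timedelta(seconds=60), threshold=20):
    """Alert once per account that renames or creates at least `threshold` suspect
    files inside a sliding `window`. Returns a list of (account, first_ts, count)."""
    recent = defaultdict(deque)  # account -> timestamps of its recent suspect events
    alerts, alerted = [], set()
    for line in sorted(lines):  # timestamp comes first, so sorting orders by time
        ts, user, action, path = parse_event(line)
        if action not in ("RENAME", "CREATE") or not is_suspect_name(path):
            continue
        queue = recent[user]
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, queue[0], len(queue)))
    return alerts

# Constructed sample audit log: one account renames 25 spreadsheets to .locky names
# within 30 seconds while another account does ordinary work on a different share.
SAMPLE_EVENTS = [
    f"2024-03-01T09:00:{i:02d}\tjdoe\tRENAME\t\\\\fs01\\finance\\report{i}.xlsx.locky"
    for i in range(25)
] + [
    "2024-03-01T09:00:10\tasmith\tCREATE\t\\\\fs01\\hr\\memo.docx",
    "2024-03-01T09:00:12\tasmith\tRENAME\t\\\\fs01\\hr\\memo_v2.docx",
]
ALERTS = detect_mass_encryption(SAMPLE_EVENTS)  # -> [("jdoe", datetime(2024, 3, 1, 9, 0), 20)]
```

A real deployment would feed this from the file server's object-access audit log and tune the window and threshold to the share's normal rename rate.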
D. On Mail server
Filter on attachments at the e-mail gateway: block e-mails containing executables, but don't hesitate to block attachments with file types that shouldn't be, or don't often get, e-mailed around, like .chm, .lnk and .js.
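An added example, not code from the paper, of the gateway attachment policy described here combined with the double-extension trick from section B: each attachment is classified by its extension, by a double extension such as MyFile.pdf.exe, by its leading bytes (a PE header under a harmless name), and, for .zip archives, by its members. The blocked-extension list and the sample message are constructed assumptions.

```python
import io
import os
import zipfile

# Constructed gateway policy (an assumption for this example): executables and scripts
# are blocked, together with the formats the text names (.chm, .lnk, .js).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs",
                      ".js", ".jse", ".wsf", ".hta", ".chm", ".lnk", ".jar"}
# Harmless-looking types used as decoys: "MyFile.pdf.exe" hides .exe behind .pdf.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Office formats that can carry macros are held for review rather than blocked.
MACRO_CAPABLE = {".doc", ".xls", ".docm", ".xlsm", ".pptm", ".dotm"}
RANK = {"allow": 0, "review": 1, "block": 2}

def classify_attachment(filename, content, depth=0):
    """Return (verdict, reason) for one attachment: 'block', 'review' or 'allow'."""
    root, ext = os.path.splitext(filename.lower())
    if ext in BLOCKED_EXTENSIONS:
        _, inner = os.path.splitext(root)
        if inner in DECOY_EXTENSIONS:
            return "block", f"double extension {inner}{ext}"
        return "block", f"blocked extension {ext}"
    if content[:2] == b"MZ":  # Windows executable under a harmless name: trust bytes, not names
        return "block", f"PE header inside {ext or 'extensionless'} file"
    if ext == ".zip":
        if depth >= 1:
            return "review", "nested archive"  # archives inside archives are not unpacked
        worst = ("allow", "")
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                for member in zf.namelist():
                    verdict, reason = classify_attachment(member, zf.read(member), depth + 1)
                    if RANK[verdict] > RANK[worst[0]]:
                        worst = (verdict, f"{member}: {reason}")
        except zipfile.BadZipFile:
            return "review", "corrupt or unreadable archive"
        return worst
    if ext in MACRO_CAPABLE:
        return "review", "macro-capable Office document"
    return "allow", ""

def build_zip(entries):
    buf = io.BytesIO()  # in-memory archive, used only to construct the sample below
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample message: a double-extension dropper, a genuine PDF, and an
# archive carrying a macro document plus a script.
SAMPLE_ATTACHMENTS = {
    "invoice.pdf.exe": b"MZ\x90\x00 constructed, not a real binary",
    "quarterly.pdf": b"%PDF-1.4 constructed",
    "notes.zip": build_zip({"notes.docm": b"PK constructed", "run.js": b"// constructed"}),
}
VERDICTS = {name: classify_attachment(name, data) for name, data in SAMPLE_ATTACHMENTS.items()}
```

The gateway acts on the worst verdict in a message; encrypted or password-protected archives cannot be inspected this way and need their own policy.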
E. On the Network
1. Use a proxy with web filtering: some proxies allow you to filter the traffic from blacklisted domains. This could reduce the risk of infection, if the list is up to date.
2. Fragment your network: cryptoware often scans for network shares to encrypt. If your network is fragmented you will reduce the number of shares available.

F. With your backup
When all your shared network resources (also called shares) are encrypted by ransomware, it is useful to have a backup. It is really important to keep your backup offline, unconnected to your network and computer, to avoid it also being encrypted. You have to back up regularly and ensure that your backups actually work. If employees are responsible for backing up their own machines, ensure that this is done according to a policy.
NOTE: Backups are the only SURE way to recover files after a ransomware infection.

G. Commercial Solutions
• Each day new dedicated protection software is published. Security companies are constantly trying to thwart ransomware and publish software designed to stop these programs from executing. However, ransomware keeps evolving, so these solutions are not guaranteed to work against all ransomware variants and versions.
VI. Counter Measures in a Ransomware Attack

Once infected, it is often too late. The only surefire way to recover files is through the use of backups. If you are the victim of an attack, the first step is to identify the variant (and potentially the version) of the program. This is usually mentioned explicitly in the ransom message or in the program window. Be as specific as possible when looking for information or seeking help for the problem.
1. Immediate action
Disconnect the infected machine from the network and from all the storage devices connected to the machine as quickly as possible. It could reduce the data loss if not all the files are encrypted yet.
2. Report the incident
If you were the victim of ransomware, it is always useful to report this to CERT.be. We are specifically interested in the type of ransomware you were the victim of, what dropper was used (how you got infected) and an extract of the dropper or the malware itself. You may also contact your local police department. CERT.be can help you determine what information to send them.

A. Restoring your files
Before trying to recover your files it is important to remove the ransomware from your machine. This can be done either by reinstalling the machine entirely or by using third-party malware removal software (usually part of a commercial anti-virus). You should also isolate the infected machine from the rest of your network. Once the cryptolocker is removed, you can restore the lost files using your backup. On Windows, you might be able to restore files to previous unencrypted versions using the Volume Shadow Copies created by the System Restore feature. Recent cryptoware will often target and delete these copies, however. Some cryptoware only encrypts a part of the disk; you may be able to recover files using file recovery tools.

B. To pay or not to pay
We strongly discourage paying, as it only encourages the malicious actors to continue their activities. As soon as a certain type of attack becomes uninteresting, criminals will no longer invest in it. If you pay, you can never be 100% certain that you will get your files back. The attacker may simply choose to withhold the key, or bugs in the ransomware could prevent correct decryption (there are cases where files were corrupted during encryption, which made any decryption impossible). Furthermore, backdoors or other malware can be invisibly installed along with the ransomware, so you can't be sure your machine is actually clean.

C. Reverse-engineered cryptoware
If you have no backups, then there is one last resort. Some older versions of cryptoware have been cracked. For these versions, scripts to decrypt your files are available on the web. Even more so than for prevention software, this approach is extremely dependent on the program and version used in the attack (and many current versions are virtually unbreakable).
VII. External Resources

Software presented here is not intended to provide an up-to-date or exhaustive list of options. Most instances are limited to specific malware variants and versions.

VIII. Conclusion

Ransomware variants are relatively straightforward when compared to other, more advanced malware that aims to remain completely stealthy. In fact, only a small fraction actually irrecoverably deletes the files it threatens to if the target victim refuses or is unable to pay. Additionally, a sizeable portion of the ransomware families studied don't use encryption.
Thus, most ransomware is something the security community has the tools and means to hold at bay until the attackers wielding it, perhaps inevitably, dial up the sophistication. Additionally, victims of ransomware may consider these findings before paying the ransom without seeking professional help first.

References

[1] Young, A.; Yung, M. (1996). "Cryptovirology: extortion-based security threats and countermeasures". IEEE Symposium on Security and Privacy, pp. 129–140. doi:10.1109/SECPRI.1996.502676. ISBN 0-8186-7417-2.
[2] Jack Schofield (28 July 2016). "How can I remove a ransomware infection?". The Guardian. Retrieved 28 July 2016.
[3] Michael Mimoso (28 March 2016). "Petya Ransomware Master File Table Encryption". threatpost.com. Retrieved 28 July 2016.
[4] Justin Luna (21 September 2016). "Mamba ransomware encrypts your hard drive, manipulates the boot process". Neowin. Retrieved 5 November 2016.
[5] Dunn, John E. "Ransom Trojans spreading beyond Russian heartland". TechWorld. Retrieved 10 March 2012.
[6] "New Internet scam: Ransomware...". FBI. 9 August 2012.
[7] "Citadel malware continues to deliver Reveton ransomware...". Internet Crime Complaint Center (IC3). 30 November 2012.
[8] "Update: McAfee: Cyber criminals using Android malware and ransomware the most". InfoWorld. Retrieved 16 September 2013.
[9] "Cryptolocker victims to get files back for free". BBC News. 6 August 2014. Retrieved 18 August 2014.
[10] "FBI says crypto ransomware has raked in >$18 million for cybercriminals". Ars Technica. Retrieved 25 June 2015.
[11] Young, Adam L.; Yung, Moti (2017). "Cryptovirology: The Birth, Neglect, and Explosion of Ransomware". Communications of the ACM 60 (7): 24–26. Retrieved 27 June 2017.
[12] "Ransomware squeezes users with bogus Windows activation demand". Computerworld. Retrieved 9 March 2012.
[13] "Police warn of extortion messages sent in their name". Helsingin Sanomat. Retrieved 9 March 2012.
[14] McMillan, Robert. "Alleged Ransomware Gang Investigated by Moscow Police". PC World. Retrieved 10 March 2012.
[15] "Ransomware: Fake Federal German Police (BKA) notice". SecureList (Kaspersky Lab). Retrieved 10 March 2012.
[16] "And Now, an MBR Ransomware". SecureList (Kaspersky Lab). Retrieved 10 March 2012.
[17] Adam Young (2005). Zhou, Jianying; Lopez, Javier, eds. "Building a Cryptovirus Using Microsoft's Cryptographic API". Information Security: 8th International Conference, ISC 2005. Springer-Verlag. pp. 389–401.
[18] Young, Adam (2006). "Cryptoviral Extortion Using Microsoft's Crypto API: Can Crypto APIs Help the Enemy?". International Journal of Information Security 5 (2): 67–76. Springer-Verlag. doi:10.1007/s10207-006-0082-7.
[19] Danchev, Dancho (22 April 2009). "New ransomware locks PCs, demands premium SMS for removal". ZDNet. Retrieved 2 May 2009.
[20] "Ransomware plays pirated Windows card, demands $143". Computerworld. Retrieved 9 March 2012.
[21] Cheng, Jacqui (18 July 2007). "New Trojans: give us $300, or the data gets it!". Ars Technica. Retrieved 16 April 2009.
[22] "You're infected—if you want to see your data again, pay us $300 in Bitcoins". Ars Technica. Retrieved 23 October 2013.
[23] "CryptoDefense ransomware leaves decryption key accessible". Computerworld. IDG. Retrieved 7 April 2014.
[24] "What to do if Ransomware Attacks on your Windows Computer?". TechieMotto. Retrieved 25 April 2016.
[25] Parker, Luke (9 June 2016). "Large UK businesses are holding bitcoin to pay ransoms". Retrieved 9 June 2016.