paper on Ransomware
Scholar: Computer Engineering Department
Institute of Technology & Research, Gandhinagar
Information Technology Department
Institute of Technology & Research, Gandhinagar
Abstract— Recently, ransomware has spread like a cyclone wind. A cyclone wind
creates atmospheric instability; likewise, ransomware creates computer data
instability. Every user is moving towards digitization, and users keep their
data on their own computers, believing it to be secure. But what if that data is
hijacked? Ransomware is a kind of malicious software that hijacks users' data.
It may lock the system in a way that even a knowledgeable person cannot reverse.
It targets not only home computers; businesses are affected as well. It encrypts
data in such a way that a normal person can no longer decrypt it, and the victim
has to pay a ransom to decrypt it. But paying does not guarantee that the files
will be released. This paper gives a brief study of ransomware, its effect on
the computing world and the preventive measures to control ransomware on a
computer system.
Keywords— Ransomware, Virus, Trojan
Lately many computer
users will have heard/read a lot about the following malware: Cryptolocker,
TorrentLocker, Cryptowall, TeslaCrypt, CTB-Locker, PadCrypt, Locky, Petya, …
All of them are ransomware. Ransomware is a type of malware which tries to
extort the users of the infected systems. This document tries to give a quick
overview of the characteristics of this type of malware, what we can do to
prevent it, and what to do when infected.
Ransomware, sometimes known as cryptovirus, cryptotrojan, lockvirus, encryptor
virus, or cryptoworm, is a type of malware that makes the data belonging to an
individual on a computer inaccessible in some way and demands a ransom for its
restoration, hence the name. The term ransomware is commonly used to describe
such software, although the field known as cryptovirology predates the term
“ransomware”.
Ransomware is defined as malware that contains and uses the public key of its
author. In cryptoviral extortion, the public key is used to hybrid-encrypt the
data of the victim, and only the private key (which is not in the malware) can
be used to recover the data. This is one of a myriad of attacks in the field
known as cryptovirology. This can make people millions of dollars for
This type of ransom attack can be accomplished by (for example) attaching a
specially crafted file/program to an e-mail message and sending it to the
victim. If the victim opens/executes the attachment, the program encrypts a
number of files on the victim’s computer. A ransom note is then left behind for
the victim. The victim will be unable to open the encrypted files without the
correct decryption key. Once the ransom demanded in the ransom note is paid, the
cracker may (or may not) send the decryption key, enabling decryption of the
“kidnapped” files, which get stolen.
The idea of maliciously encrypting plaintext is not new. The first example is
probably the PC Cyborg trojan that was found in 1989. It encrypted only
filenames (using a very weak symmetric cipher), causing the file system to be
corrupted. There have been other malware attacks that have maliciously
encrypted plaintext since then. The 1996 IEEE paper by Young and Yung reviews
the malware that has done this and shows how public key cryptography may be
used in such threats.
Ransomware attacks are typically carried out using a Trojan that is disguised
as a legitimate file that the user is tricked into downloading or opening when
it arrives as an e-mail attachment. However, one high-profile example, the
“WannaCry worm”, traveled automatically between computers without user
interaction.
Starting from around 2012, the use of ransomware scams has grown
internationally. In June 2013, vendor McAfee released data showing that it had
collected more than double the number of ransomware samples that quarter than
it had in the same quarter of the previous year. CryptoLocker was particularly
successful, procuring an estimated US $3 million before it was taken down by
authorities, and CryptoWall was estimated by the US Federal Bureau of
Investigation (FBI) to have accrued over US $18m by June 2015.
Currently, the literature makes a distinction between non-encrypting and
encrypting ransomware:
Non-encrypting ransomware threatens you with the diffusion of collected
personal information, e.g.:
Encrypting ransomware (cryptoware), which is the most common type nowadays,
will encrypt the user’s files. It doesn’t encrypt the computer as a whole,
since the computer generally remains operational. However, it does encrypt all
the files which might hold some value for the user, even if these documents
don’t reside on the computer itself but are accessible through network shares.
In order to recover the encrypted files, the ransomware urges you to buy the
decryption key. Some newer variants target the database of your website, the
data on your phone… The most common encryption algorithms used by this
ransomware are AES with 256-bit keys and RSA with 2048-bit keys. Each day, new
variants of ransomware appear. Most ransomware works on Windows, but this is
not exclusive. There is also ransomware on MacOS, iOS, Linux, Android, etc.
Stages of Ransomware
The stages of the Ransomware Kill Chain are as follows:
Figure 1: Stages of Ransomware
campaign – attackers use techniques like social engineering and weaponized
websites to trick or force users to download a dropper which kicks off the
code infection – the dropper downloads an executable which installs the
payload staging – the ransomware sets up, embeds itself in the system, and
establishes persistence so that it survives a reboot
– the ransomware searches for content to encrypt, both on the local computer
and the network accessible resources
– the discovered files are encrypted
– a ransom note is generated, shown to the victim, and the hacker waits to
collect on the ransom
Ransomware is distributed using multiple
Phishing Mails: Some phishing
campaigns are used to spread ransomware. These mails contain a malicious
attachment which serves as a Downloader/Dropper. It is the dropper’s job to
download and install the cryptolocker without being noticed. At the end of this
section we describe the most commonly used droppers.
Compromised Web page: When you
visit a compromised page, a script downloads a malicious payload which could be
The malicious actors remain creative, so this is not an exhaustive list; other
distribution methods might be used.
The most commonly used downloaders/droppers are:
Microsoft Office documents
Malicious LNK (.lnk) files. LNK is the file extension used for the shortcut
icons that launch applications on Windows.
Microsoft Compiled HTML Help (.chm) files. CHM is a format made by Microsoft to
distribute help documents.
PREVENTIVE MEASURES FOR
There are different measures that can be taken on different levels to prevent
or reduce the impact of cryptoware. A quick search will reveal dozens of “tips
to prevent ransomware” articles. We will enumerate some of the most relevant
ones.
Keep your users informed: an infection almost always begins with a human error.
Keeping your users informed about the risks of opening attachments, suspicious
software, or links is the first line of defense. However, even trained
personnel are error-prone; NEVER count on the human element to keep you safe.
Disable macros: We mentioned in the previous section that Office documents can
contain malicious macros. When you don’t use macros, you can disable them. More
info Office 2007 and
Disable vssaexe: prevent ransomware from encrypting your Volume Shadow Copy,
which is a copy of the files, by disabling the vssaexe service. This is a
standard built-in functionality to administer the VSC. The shadow copies will
be stopped when you disable the service, and the ransomware will no longer be
able to encrypt these copies, which could otherwise be used to recover part of
the files.
Disable Windows Script Host
under Windows. However, this measure should be carefully considered, as it
might have an impact on production software.
Show hidden extensions on Windows. A simple way to trick users into opening an
executable file is to add another extension. An attacker could, for example,
name a file “MyFile.pdf.exe”. Windows hides the “.exe” extension by default,
making the file appear as a simple PDF. Untrusted “.exe” files should, of
course, never be opened.
Install a script-blocking application: To avoid the execution of malicious
scripts on a website, you can install browser plugins that block scripts.
Restrict file permissions.
Windows users can prevent the execution of files in %TEMP% and %AppData%
directories. This is usually where malware is installed, and restricting
permissions can prevent it from running.
preventive measures. Some ransomware variants have known flaws which can prevent
them from executing (for example, creating a HKCU\Software\Locky registry key
will prevent certain Locky versions from running). Putting these measures in
place will require a varying level of technical expertise, and they will only
be effective against a given program/version.
Keep your system and your
antivirus up to date.
Fragment your shares. To reduce the impact of the encryption, you should reduce
the rights on the different shares. What malware can’t edit, it can’t encrypt.
You can also monitor for the creation of files with the specific extensions
used by ransomware.
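The extension-based check mentioned above can be automated. The following Python example (added here, not part of the paper) scans constructed file-event records for files created or renamed with extensions associated with cryptoware, and for bursts of modifications by a single process, which is what encryption of a whole share looks like from the file system's side. The log format, the extension watchlist and the thresholds are assumptions made for the example.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist of extensions appended by some cryptoware (assumed example values;
# maintain it from your own threat intelligence).
SUSPICIOUS_EXTENSIONS = {".locky", ".encrypted", ".crypt"}
BURST_THRESHOLD = 20    # this many file modifications by one process ...
BURST_WINDOW_SEC = 10   # ... within this many seconds counts as a burst


def parse_event(line: str):
    """Parse a constructed log line: '<ISO timestamp> <ACTION> <pid> <path>'."""
    ts, action, pid, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), action, int(pid), path


def has_suspicious_extension(path: str) -> bool:
    return any(path.lower().endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def analyze(lines: list[str]) -> dict[str, list]:
    """Return {'extension': [flagged paths], 'burst': [pids with burst activity]}."""
    alerts: dict[str, list] = {"extension": [], "burst": []}
    per_pid: dict[int, list[datetime]] = defaultdict(list)
    for line in lines:
        ts, action, pid, path = parse_event(line)
        if action in ("CREATE", "RENAME") and has_suspicious_extension(path):
            alerts["extension"].append(path)
        if action in ("CREATE", "RENAME", "WRITE"):
            per_pid[pid].append(ts)
    for pid, times in per_pid.items():
        times.sort()
        start = 0
        for end in range(len(times)):   # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_SEC:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts["burst"].append(pid)
                break
    return alerts


def sample_events() -> list[str]:
    """Constructed events: one ordinary edit, then a process renaming 25 documents in 5 s."""
    base = datetime(2016, 3, 1, 10, 0, 0)
    lines = ["2016-03-01T09:59:00 WRITE 4100 C:\\Users\\bob\\Documents\\notes.txt"]
    for i in range(25):
        stamp = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{stamp} RENAME 5020 C:\\Users\\bob\\Documents\\file{i}.docx.locky")
    return lines


if __name__ == "__main__":
    print(analyze(sample_events()))
```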
Filter on attachments at the e-mail gateway: Block e-mails containing
executables, but don’t hesitate to also block attachments with filetypes that
shouldn’t be, or don’t often get, e-mailed around, like .chm, .lnk and .js.
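As an added example (not part of the paper), a small gateway-side attachment filter in Python that implements the rule above together with the hidden-extension point made earlier: it blocks executables and the rarely mailed .chm/.lnk/.js types, and it catches the double-extension trick (“MyFile.pdf.exe”). The extension lists and the sample message are assumptions constructed for the example.

```python
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Filetypes the paper says to block at the gateway (.chm, .lnk, .js) plus
# common executable/script extensions; assumed list, extend it for your site.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
                      "jse", "wsf", "hta", "lnk", "chm"}
# Benign-looking extensions that attackers place before the real one.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def classify_filename(name: str) -> tuple[str, str]:
    """Return ('block'|'allow', reason) for one attachment filename."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    last = parts[-1]
    if last in BLOCKED_EXTENSIONS:
        # 'MyFile.pdf.exe' is shown as 'MyFile.pdf' when Windows hides known
        # extensions; report the double extension explicitly.
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            return "block", f"double extension .{parts[-2]}.{last}"
        return "block", f"blocked extension .{last}"
    return "allow", f"extension .{last} permitted"


def scan_message(raw: str) -> list[tuple[str, str, str]]:
    """Parse a raw RFC 5322 message and classify each attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        verdict, reason = classify_filename(filename)
        results.append((filename, verdict, reason))
    return results


def gateway_decision(raw: str) -> str:
    """Reject the whole message if any attachment is blocked."""
    return "reject" if any(v == "block" for _, v, _ in scan_message(raw)) else "deliver"


def build_sample() -> str:
    """Constructed test message: a double-extension executable and a real PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="MyFile.pdf.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_string()
```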
On the Network
Use a proxy with web filtering: Some proxies allow you to filter traffic to
blacklisted domains. This could reduce the risk of infection, provided the list
is kept up to date.
Fragment your network: Often cryptoware scans
for network shares to encrypt. If your network is fragmented you will reduce
the number of shares available.
With your backup
When all your shared network resources (also called shares) are encrypted by
ransomware, it is useful to have a backup. It is really important to keep your
backup offline, disconnected from your network and computer, to avoid it being
encrypted as well. You have to back up regularly and ensure that your backups
actually work. If employees are responsible for backing up their own machines,
ensure that this is done according to a policy.
NOTE: Backups are the only SURE way to
recover files after a ransomware infection.
Each day, new dedicated protection software is published. Security companies
are constantly trying to thwart ransomware and publish software designed to
stop these programs from executing. However, ransomware keeps evolving, so
these solutions are not guaranteed to work against all ransomware variants and
versions.
Counter Measures in Ransomware
Once infected, it is often too late. The only surefire way to recover files is
through the use of backups. If you are the victim of an attack, the first step
is to identify the variant (and potentially the version) of the program. This
is usually mentioned explicitly in the ransom message or in the program window.
Be as specific as possible when looking for information or seeking help for
the problem.
Disconnect the infected machine from the network, and disconnect all the
storage devices that are connected to the machine, as quickly as possible. It
could reduce the data loss if all the files are not yet
Report the incident
If you were the victim of ransomware, it is always useful to report this to
CERT.be. We are specifically interested in the type of ransomware you were a
victim of, what dropper was used (how you got infected) and an extract of the
dropper or the malware itself. You may also contact your local police
department. CERT.be can help you determine what information to send them.
Restoring your files
Before trying to recover your files, it is important to remove the ransomware
from your machine. This can be done either by reinstalling the machine entirely
or by using third-party malware removal software (usually part of a commercial
anti-virus). You should also isolate the infected machine from the rest of
your network. Once the cryptolocker is removed, you can restore the lost files
from your backup.
On Windows, you might be able to restore files to previous unencrypted
versions using the Shadow Volume Copies created by the System Restore feature.
Recent cryptoware will often target and delete these copies, however. Some
cryptoware only encrypts part of the disk; in that case you may be able to
recover files using file recovery tools.
To pay or not to pay
We strongly discourage paying, as it only encourages the malicious actors to
continue their activities. As soon as a certain type of attack becomes
uninteresting, criminals will no longer invest
If you pay, you can never be 100%
certain that you will get your files back. The attacker may simply choose to
withhold the key, or bugs in the ransomware could prevent the correct
decryption (there are cases where files were corrupted during encryption which
made any decryption impossible). Furthermore, backdoors or other malware can be
invisibly installed along with the ransomware, so you can’t be sure your
machine is actually clean.
Reverse engineered cryptoware
If you have no backups, then there is
one last resort. Some older versions of cryptoware have been cracked. For these
versions, scripts to decrypt your files are available on the web. Even more so
than for prevention software, this approach is extremely dependent on the
program and version used in the attack (and many current versions are virtually
VII. External Resources
here is not intended to provide an up-to-date or exhaustive list of options.
Most instances are limited to specific malware variants and
versions.
are relatively straightforward when compared to other, more advanced malware
that aims to remain completely stealthy. In fact, only a small fraction
actually irrecoverably deletes the files it threatens to delete if the target
victim refuses or is unable to pay. Additionally, a sizeable portion of the
ransomware families studied don’t use encryption at all. Thus, most ransomware
is something the security community has the tools and means to hold at bay
until the attackers wielding it, perhaps inevitably, dial up the
sophistication. Victims of ransomware may consider these findings before paying
the ransom without seeking professional help first.
1 Young, A.; Yung, M. (1996). “Cryptovirology: extortion-based security threats and countermeasures”. IEEE Symposium on Security and Privacy, pp. 129–140. doi:10.1109/SECPRI.1996.502676. ISBN 0-8186-7417-2.
2 Schofield, Jack (28 July 2016). “How can I remove a ransomware infection?”. The Guardian. Retrieved 28 July 2016.
3 Mimoso, Michael (28 March 2016). “Petya Ransomware Master File Table Encryption”. threatpost.com. Retrieved 28 July 2016.
4 Luna, Justin (21 September 2016). “Mamba ransomware encrypts your hard drive, manipulates the boot process”. Neowin. Retrieved 5 November 2016.
5 Dunn, John E. “Ransom Trojans spreading beyond Russian heartland”. TechWorld. Retrieved 10 March 2012.
6 scam: Ransomware.” FBI. 9 August 2012.
7 malware continues to deliver Reveton ransomware.” Internet Crime Complaint Center (IC3). 30 November 2012.
8 McAfee: Cyber criminals using Android malware and ransomware the most”. InfoWorld. Retrieved 16 September 2013.
9 victims to get files back for free”. BBC News. 6 August 2014. Retrieved 18 August 2014.
10 “FBI says crypto ransomware has raked in >$18 million for cybercriminals”. Ars Technica. Retrieved 25 June 2015.
11 Young, Adam L.; Yung, Moti. The Birth, Neglect, and Explosion of Ransomware”. Communications of the ACM 60 (7): 24–26. Retrieved 27 June 2017.
12 squeezes users with bogus Windows activation demand”. Computerworld. Retrieved 9 March 2012.
13 “Police warn of extortion messages sent in their name”. Helsingin Sanomat. Retrieved 9 March 2012.
14 McMillian, Robert. “Alleged Ransomware Gang Investigated by Moscow Police”. PC World. Retrieved 10 March 2012.
15 Fake Federal German Police (BKA) notice”. SecureList (Kaspersky Lab). Retrieved 10 March 2012.
16 “And Now, an MBR Ransomware”. SecureList (Kaspersky Lab). Retrieved 10
17 Young, Adam (2005). “Building a Cryptovirus Using Microsoft’s Cryptographic API”. In Zhou, Jianying; Lopez, Javier (eds.), Information Security: 8th International Conference, ISC 2005. Springer-Verlag, pp. 389–401.
18 Young, Adam (2006). “Cryptoviral Extortion Using Microsoft’s Crypto API: Can Crypto APIs Help the Enemy?”. International Journal of Information Security 5 (2): 67–76. Springer-Verlag. doi:10.1007/s10207-006-0082-7.
19 Danchev, Dancho (22 April 2009). “New ransomware locks PCs, demands premium SMS for removal”. ZDNet. Retrieved 2
20 plays pirated Windows card, demands $143”. Computerworld. Retrieved 9 March 2012.
21 Cheng, Jacqui (18 July 2007). “New Trojans: give us $300, or the data gets it!”. Ars Technica. Retrieved 16 April 2009.
22 infected—if you want to see your data again, pay us $300 in Bitcoins”. Ars Technica. Retrieved 23 October 2013.
23 ransomware leaves decryption key accessible”. Computerworld. IDG. Retrieved 7 April 2014.
24 “What to do if Ransomware Attacks on your Windows Computer?”. Techie Motto. Retrieved 25 April 2016.
25 Parker, Luke (9 June 2016). “Large UK businesses are holding bitcoin to pay ransoms”. Retrieved 9 June 2016.