Ransomware: malware and cybercrime

What exactly is ransomware? And what happens in a ransomware attack?

What does research say about ransomware and the pervasive and increasing threat and damage caused by cybercrime?

Featured articles (these articles have been added to the Science Primary Literature database):

**updated July 2021**

*Bae, S. I., Gyu, B. L., & Im, E. G. (2020). Ransomware detection using machine learning algorithms. Concurrency and Computation, 32(18), e5422. [Cited by]

“The number of ransomware variants has increased rapidly every year, and ransomware needs to be distinguished from the other types of malware to protect users’ machines from ransomware-based attacks. Ransomware is similar to other types of malware in some aspects, but other characteristics are clearly different. For example, ransomware generally conducts a large number of file-related operations in a short period of time to lock or to encrypt files of a victim’s machine. The signature-based malware detection methods, which have difficulties to detect zero-day ransomware, are not suitable to protect users’ files against the attacks caused by risky unknown ransomware. Therefore, a new protection mechanism specialized for ransomware is needed, and the mechanism should focus on ransomware-specific operations to distinguish ransomware from other types of malware as well as benign files. This paper proposes a ransomware detection method that can distinguish between ransomware and benign files as well as between ransomware and malware. The experimental results show that our proposed method can detect ransomware among malware and benign files.”

*Dargahi, T., Dehghantanha, A., Bahrami, P. N., Conti, M., Bianchi, G., & Benedetto, L. (2019). A cyber-kill-chain based taxonomy of crypto-ransomware features. Journal of Computer Virology and Hacking Techniques, 15(4), 277-305. [PDF] [Cited by]

“In spite of being just a few years old, ransomware is quickly becoming a serious threat to our digital infrastructures, data and services. Majority of ransomware families are requesting for a ransom payment to restore a custodian access or decrypt data which were encrypted by the ransomware earlier. Although the ransomware attack strategy seems to be simple, security specialists ranked ransomware as a sophisticated attack vector with many variations and families. Wide range of features which are available in different families and versions of ransomware further complicates their detection and analysis. Though the existing body of research provides significant discussions about ransomware details and capabilities, the all research body is fragmented. Therefore, a ransomware feature taxonomy would advance cyber defenders’ understanding of associated risks of ransomware. In this paper we provide, to the best of our knowledge, the first scientific taxonomy of ransomware features, aligned with Lockheed Martin Cyber Kill Chain (CKC) model. CKC is a well-established model in industry that describes stages of cyber intrusion attempts. To ease the challenge of applying our taxonomy in real world, we also provide the corresponding ransomware defence taxonomy aligned with Courses of Action matrix (an intelligence-driven defence model). We believe that this research study is of high value for the cyber security research community, as it provides the researchers with a means of assessing the vulnerabilities and attack vectors towards the intended victims.”

*Ghazi-Tehrani, A. K., & Pontell, H. N. (2021). Phishing evolves: Analyzing the enduring cybercrime. Victims & Offenders, 16(3), 316-342. [PDF] [Cited by]

Phishing, the fraudulent attempt to obtain sensitive information by disguising oneself as a trustworthy entity via electronic communication, has quickly evolved beyond low-skill schemes that relied on casting “a wide net.” Spear phishing attacks target a particular high-value individual utilizing sophisticated techniques. This study aims to describe the current state of phishing, the expected technological advances and developments of the near future, and the best prevention and enforcement strategies. Data comes from interviews with approximately 60 information technology security professionals, “hackers,” and academic researchers. Routine Activity Theory provided an operational framework; while it is an imperfect fit for most crimes, it provides enough explanatory power for cyber-crimes. Interviewees mainly agreed: First, technological advances increase the proliferation of phishing attacks, but also aid in their detection. It has never been easier to conduct a simple attack, but a good attack requires more effort than ever before. Second, phishing is directly responsible financial fraud and, indirectly, as the primary attack vector for ransomware. Third, newer types of attacks utilizing technology, like deepfakes, will make the problem worse in the short-term. Fourth, prevention will come from machine learning and public education akin to WIFI security improvement via the combination of encryption and password awareness.”

*Maigida, A. M., Abdulhamid, S. M., Olalere, M., Alhassan, J. K., Chiroma, H., & Dada, E. G. (2019). Systematic literature review and metadata analysis of ransomware attacks and detection mechanisms. Journal of Reliable Intelligent Environments, 5(2), 67-89. [Cited by]

Ransomware is advanced and upgraded malicious software which comes in the forms of Crypto or Locker, with the intention to attack and take control of basic infrastructures and computer systems. The vast majority of these threats are aimed at directly or indirectly making money from the victims by asking for a ransom in exchange for decryption keys. This systematic literature analysed the anatomy of ransomware, including its trends and mode of attacks to find the possible solutions by querying various academic literature. In contrast to previous reviews, sources of ransomware dataset are revealed in this review paper to ease the challenges of researchers in getting access to ransomware datasets. In addition, a taxonomy of ransomware current trends is presented in the paper. We discussed the articles in detail, the evolution and trend in ransomware researches. Most of the techniques deployed could not completely prevent ransomware attacks because of its obfuscation techniques, but rather recommend proper and regular backup of important files. This review can serve as a benchmark for researchers in proposing a novel ransomware detection methodology and starting point for novice researchers.”

*Zimba, A., & Chishimba, M. (2019). Understanding the evolution of ransomware: Paradigm shifts in attack structures. International Journal of Computer Network and Information Security, 11(1), 26-39. [PDF] [Cited by]

“The devastating effects of ransomware have continued to grow over the past two decades which have seen ransomware shift from just being opportunistic attacks to carefully orchestrated attacks. Individuals and business organizations alike have continued to fall prey to ransomware where victims have been forced to pay cybercriminals even up to $1 million in a single attack whilst others have incurred losses in hundreds of millions of dollars. Clearly, ransomware is an emerging cyber threat to enterprise systems that can no longer be ignored. In this paper, we address the evolution of the ransomware and the associated paradigm shifts in attack structures narrowing down to the technical and economic impacts. We formulate an attack model applicable to cascaded network design structures common in enterprise systems. We model the security state of the ransomware attack process as transitions of a finite state machine where state transitions depict breaches of confidentiality, integrity, and availability. We propose a ransomware categorization framework that classifies the virulence of a given ransomware based on a proposed classification algorithm that is based on data deletion and file encryption attack structures. The categories that increase in severity from CAT1 to CAT5 classify the technical prowess and the overall effectiveness of potential ways of retaining the data without paying the ransom demand. We evaluate our modeling approach with a WannaCry attack use case and suggest mitigation strategies and recommend best practices based on these models.”

Questions? Please let me know (engelk@grinnell.edu).

Leave a Reply

Your email address will not be published. Required fields are marked *