Professional Documents
Culture Documents
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage Control
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage Control
Abstract Ransomware is a type of malware that prevents or advertisements, blocking service, disable keyboard or spying
restricts user from accessing their system, either by locking the on user activities. It locks the system or encrypts the data
system's screen or by locking the users' files in the system unless leaving victims unable to help to make a payment and
a ransom is paid. More modern ransomware families, sometimes it also threatens the user to expose sensitive
individually categorize as crypto-ransomware, encrypt certain
information to the public if payment is not done[1].
file types on infected systems and forces users to pay the ransom
through online payment methods to get a decrypt key. The In case of windows, from figure 1 it shown that there are
analysis shows that there has been a significant improvement in some main stages that every crypto family goes through. Each
encryption techniques used by ransomware. The careful analysis variant gets into victims machine via any malicious website,
of ransomware behavior can produce an effective detection
system that significantly reduces the amount of victim data loss.
email attachment or any malicious link and progress from
there.
Index Terms Ransomware attack, Security, Detection,
Prevention.
I. INTRODUCTION
Once the victims machine gets infected, it contacts Corporation" in order to obtain a repair tool. It was the first
Command and Control server. A command and control server crypto form ransomware as it used the combination of a
is the centralized computer that issues commands to a botnet symmetric key and an initialization vector to encrypt the files
(a network of private computers infected with malicious present in the computer drives[1].
software and controlled as a group without the owners'
The first fake antivirus ransomware appear in 2004 and then
knowledge or zombie army) and receives reports back from
in 2005 the series of fake antivirus ransomware types seen.
the computers. Command and control servers may be either
Some of these were named as Spysherriff, Performance
directly controlled by the malware operators, or themselves
Optimizer, and Registry care[1]. In 2005, the PGPcoder
run on hardware compromised by malware. It sends victims
family started growing and this visibly indicates the era of
machine information to the attacker and ultimately obtains a
crypto ransomware. Gpcode used custom encryption method
randomly generated symmetric key from the server.
for encryption of data. PGPcoder spread wildly till 2008 as we
can see many variants. In 2006, two other families started
spreading, these are Cryzip and Archiveus. Cryzip searched
Once it receives the encryption key, then it looks for specific
for files with selected extensions, and then located these
files and folders to encrypt. Some variants look for all disk
encrypted files in a zipped folder. Archiveus placed all the
drives, network share and removable drives as well for
files in a password protected folder[1].
encrypting their data. Meanwhile, the malware deletes all the
restore points, backup folders, and shadow volume copies[1].
After the entire encryption process, it will display the ransom
payment message on victims machine. In the case of locker
ransomware, malware goes throughout all the same phases but
it doesnt do encryption of data. Once the victims machine is
infected with locker ransomware, it takes organizational rights
and takes control of the keyboard. It locks the user access to
the device. It changes the desktop wallpaper or it will show a
window which notify about ransomware attack and show the
steps to follow in order to get their access back[1].
Ransomware is essentially just an encryption tool that safely
packs away your files into an unreadable format.
Unfortunately, only the hacker knows the decryption key. As
some observers have noted, however, these particular hackers
tend to be fairly honorable about giving you the key provided
you pay some fee for their time and trouble, often in
Bitcoin. This business model, as immoral as4 it may be, has a
certain logic to it: keep the payments small enough to be
worth avoiding the hassles of losing files or trying to resolve
the matter through other means, and keep victims reassured
that paying up will get them their data back[2].
The reminder of this paper is organized as follows: in section
II related work is included with literature survey and section
III consists of detection and prevention of ransomware and
section IV consist final conclusion of paper.
accessing its services. It not at all encrypts file and displays Crypto ransomware became a vast problem in 2013, it came
the ransom message at computer boot-up time[1]. back with Cryptolocker, Cryptolocker 2, Ransomcrypt,
Crilock and Dirty Decrypt. Later in 2015, a new variants of
Fake Antivirus (Fake AV is detection for Trojan horse
Ransomcrypt, Crypto locker, Vaultcrypt, Crypto
programs that intentionally misrepresent the security status of
Fortress,Troldesh, TelsaCrypt, CryptoTor Locker, Cryptowall
a computer) was increase in the natural in 2004. It became
4. Cryptowall 3 uses Tor anonymity network for C & C
significant in 2005 when it tried to take the form of Fake
communication. Nearly all recent crypto ransomware families
Antivirus solution, Performance Optimizer software and
are using very sophisticated encryption techniques.
Registry care software, which tried to offer paid solutions for
your machine problems which didnt even existed. It was Ransomweb, Pclock, Cryptowall 3, Crypto blocker and
surfaced over the internet till 2008[1]. Recently in 2016, new families of crypto like PHPRansm.B,
Locky, Ransom32, HydraCrypt, Crypto locker.N andCerber
Fake FBI(Federal Bureau of Investigation) ransomware out in
have started to spread [1].
2011 with the Ransom lock family. Later in 2012, families
like Reveton and ACCDFISA started spreading in-the-wild. B. Literature Survey
These families display the fine payment notice from official
The following table 1 contains study of 20 most important
looking local law enforcement agencies. Later, many variants
papers on the ransomware attack which helps to identify the
of Ransom lock and Reveton came in 2013. In 2014, new
effects, amount that to pay for ransom when it gets the attack
locker families like Virlock, Kovter and few new variants of
to the system. It also includes the overview of each paper with
Ransom lock arrived[1].
their positive and negative aspects. Publishers and publication
year are also included in the table
. TABLE 1: Literature Survey on Ransomware Attack
Publication/Year Title Overview Positive Aspects Limitations
ELSEVIER/2016 Experimental Analysis -This paper shows the life cycle -The main purpose is to - To prevent the users data from getting
of Ransomware on and analysis of windows based detect the ransomware by into un-recoverable state, a user should
Windows and Android Ransomware. monitoring abnormal file have incremental online and offline
Platforms: Evolution -Also it presents evolution of system registry activities. backups of all the important data and
and ransomware for windows. - PEid tool is used for images.
Characterization[1] -MD5 method, Cuckoo Sandbox windows ransomware
used for malware analysis system. detection.
-RSA and AES used for
encryption.
IEEE/2016 CryptoLock (and Drop -Teslacrypt, CTB-Locker, GP -CryptoDrop reduces the - CryptoDrop stops ransomware from
It): Stopping code are used for CryptoDrop need for the victim to pay executing with a median loss of only 10
Ransomware Attacks detection. the ransom and represents files.
on User Data[2] - Ransomware is a nuisance the malware ineffective.
which can be remedied by wiping
the system or removing the disk
and extracting the users
important data.
Hindawi/ The Effective -Ransomware prevention - The proposed method can - It does not need to install an application
2016 Ransomware technique on Android platform is monitor file events that such as existing prevention and reduce
Prevention Technique proposed. occurred when the damage caused by unknown ransomware
Using Process - The proposed technique is ransomware accesses and attacks.
Monitoring on designed with three modules: copies files.
Android Platform[4] Configuration, Monitoring, and -Ransomware classified into
Processing. three types: Scareware,
Lock-Screen, and
Encrypting.
IEEE/2015 Unknown Malware - It presents an end-to-end - The proposed method - Evaluated the effect of the environment
Detection Using supervised based system for analyzes DNS, HTTP, and on the performance.
Network Traffic detecting malware by analyzing SSL protocols, and
Classification[5] network traffic. combines different network
-Network classification method is classification methods in
used. different resolutions of
network.
IEEE/2015 Fest: A Feature - FEST contains three - FEST only takes 6.5s to -FrequenSel is definitely more suitable for
Extraction and components: AppExtractor, analyze an app on a feature dataset.
Selection Tool for FrequenSel and Classifier. common PC, which is very
Android Malware -FEST generally aims with time-efficient for malware
Detection[6] detecting malware using both of detection in Android
high efficiency and accuracy. markets.
-AppExtractor, FrequenSel is used
as the method.
IEEE/2015 Validation of Network -Cyber Army Modeling and - National Cyber Range -Results demonstrated that several orders
Simulation Model with Simulation (CyAMS) model is to (NCR) is utilized to generate of magnitude of less computing resources
Emulation using provide an accurate representation data and provide results for are required for a simulation compared to
Example Malware[7] of malware propagation over a a number of different test emulation for particular test case.
behavioral model network. cases on networks of
varying sizes.
2016 Protecting Your -The method Remote Desktop -Ransomware targets home -The prevention measures are to set anti-
Networks from protocol (RDP) and Software users, businesses, and virus and anti-malware programs to
Ransomware[8] Restriction Policies (SRP) is used. government networks and conduct regular scans automatically.
- Configure firewalls to block can lead to temporary or -Back up data regularly and keep it secure.
access to known malicious IP permanent loss of sensitive
addresses. or corrective information.
ELSEVIER/2016 Grouping the - K-Means Clustering algorithm is - The study of malwares and -Detection of malwares on the basis of
executables to detect used to obtain groups to select generous executables in classifiers, file sizes gives accuracy up to
malwares with high promising features for training groups to detect unknown 99.11%.
accuracy[9] classifiers to detect variants of malwares with high
malwares or unknown malwares. accuracy.
-Metamorphic malware represent
the next group of virus that can
create an entirely new variant
after reproduction.
Springer/ HELDROID: -HelDroid, a fast, efficient and -.The classifier based -Ransomware, before or after the
2015 Dissecting and fully automated approach that Natural Language threatening phase the malware actually
Detecting Mobile recognizes known and unknown Processing (NLP) features, a locks the device and/or encrypts sensitive
Ransomware[10] scareware and ransomware lightweight emulation content until the ransom is paid, usually
samples. technique to detect locking through money transfer.
-The main approach is to strategies, and the
determine whether a mobile application of ruin tracking
application attempts to threaten for detecting file-encrypting
the user, to lock the device and to flows.
encrypt data. -HelDroid performs well
against unknown
ransomware samples.
Springer/ Study of Malware -The main objective of this paper -A sandbox test environment -The future work is to expand the malware
2011 Threats Faced by the is the behavioral characteristics of platform using virtual data coverage to a maximum of one year
Typical Email different malware types affecting machines was built to period to record a complete picture of the
User[11] the Internet and other enterprise perform research and malware behavior over an extended period
email systems. simulate real-life malware of time.
behavior and determine its
signature at the point of
execution for proper
analysis.
IEEE/2011 An Experimental -Method such as Inbound traffic -The main goal of this paper - The sniffer-2 takes more time to search
Analysis For Malware approach, distributed denial-of- is to work out a realistic through a database containing more
Detection Using service (DDoS) activities and solution to protect the number of rules than sniffer-1.
Extrusion[12] direct attacks and tool such as network from the malware
Snort software is used. by exploring the feasibility
- For the detection of malware, it of the concept of analysis of
will use two sniffers which will be outbound traffic.
implemented using an open
source snort.
IEEE/2011 A Virus Detection - Paper present a graph features - It present a novel feature - This paper is not providing better
Scheme Based on based method, which can be used chooses method that extract convinced data of detection results.
Features of Control in the method of machine structural features from the
Flow Graph[13] learning, and design a virus Control Flow Graph of PE
detection model based on feature files.
method.
Springer/ Monitoring Malware -Honeypot operation is to make - Access router works also - Assigned IP addresses do not generate
2010 Activity on the LAN available some resources or as DHCP server, assigning much address resolution protocol (ARP)
Network[14] illusion of resources as a trap for IP addresses to systems on traffic.
malware program and monitor research network and as a
program behavior in its attempts DNS server.
of resource usage.
Springer/ Research on -In the proposed system, file -This paper presents a novel -The proposed approach is not to replace
2014 Classification of structure and file content are classification approach, classification of binary malware.
Malware Source extracted as features for based on content similarity
Code[15] classification system. and directory structure
similarity.
2016 Ransomware attacks: -The five phases of ransomware -The main objective is -Organizations can suffer the effects of
detection, prevention are Exploitation and infection, defending against a lost productivity, loss of business, problem
and cure[16] Delivery and execution, Back-up ransomware attack is largely to customers and potentially the
spoliation, File encryption and dependent on the level of permanent loss of data.
User notification and clean-up. preparation and the ability to
detect, shut down and
contain suspicious activity.
Springer/ Feature-Distributed -The main objective is to propose -In particular, malware can -C&C communication of the current
2014 Malware Attack: Risk the new method of feature- perform its functionalities implementation is based on
and Defence[17] distributed malware that by dynamically distributing sbd(Automotive technology consultancy
dynamically distributes its them to user-approved or and research) that is a Netcat-clone,
features to various software system approved designed to be portable and offer strong
components. applications. encryption.
Springer/ A comparison of static, -Used malware detection method -The main purpose of this -Future work could include a similar
2015 dynamic, and hybrid is signature scanning. There are paper is to compare malware analysis involving additional features
analysis for malware many approaches to the malware detection techniques based beyond API calls and opcodes.
detection[18] detection problem such as on static, dynamic, and
signature-based, behavior based, hybrid analysis.
and statistical-based detection.
Springer/ 2010 Analyzing and -Clustering and Classification -The goal of the research is - The reports do not include sufficient
Exploiting Network algorithms are comprehensively a real time behavior based detailed information to identify malwares
Behaviors of used in the literature to evaluate malware detection system precise implementation.
Malware[19] proposed host, network and incorporating several
hybrid detection approaches. perspectives capable of
detecting known and
unknown malware on host
machines.
Springer/ A Framework for -It proposes a framework for -The proposed framework -The main problem of approach is the
2011 Defining Malware dynamic malware analysis using has three major processes technique to disassemble the program
Behavior Using Run real time analysis and resource such as run time analysis, because most of the malware codes are
Time Analysis and monitoring. Two common resource monitoring and blur by great variety of packers.
Resource techniques that can be used to behavior definition.
Monitoring[20] analyze malware are static
analysis and dynamic analysis.
IEEE/2012 Automatic Signature -It presents a technique for large- -Feature hashing is to get the - Feature hashing is a fast and space
Analysis and scale malware analysis with bit-vector representation of efficient way of vectorizing features.
Generation for Large- feature extraction based on hashed the malware in each cluster. - Bayesian selection method provides a
Scale Network matrix. -Bayesian selection method way to ensure the low false negative and
Malware[21] -It proposes the automatic achieves good performance low false positive of the signature.
signature generation using the in speed and accuracy, and
Bayesian signature selection can also be efficient in
within clusters. presence of noise.