Accelerat ing t he world's research.

Malware-Free Intrusion: A Novel

Approach to Ransomware Infection
Vectors
Journal of Computer Science IJCSIS, Aaron Zimba

Related papers Download a PDF Pack of t he best relat ed papers 

Journal of Comput er Science IJCSIS February 2017 Part II.pdf

Journal of Comput er Science IJCSIS

Journal of Comput er Science IJCSIS February 2017 Full Volume.pdf

Journal of Comput er Science IJCSIS

St at ic and Dynamic Analysis of WannaCry Ransomware

Vassilios Vassilakis
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 2, February 2017

Malware-Free Intrusion: A Novel Approach to

Ransomware Infection Vectors
Aaron Zimba
Department of Computer Science and Technology
University of Science and Technology Beijing
Beijing 100083, China
azimba@xs.ustb.edu.cn

Abstract— The Internet is so diverse such that at any given
instance someone is clicking a link, opening a file, downloading
an email attachment and so forth. Such seemingly benign actions
do not always return the expected outcome because attackers
leverage these actions to spread their malware. And malware
today casts a broad spectrum of software with varying
characteristics some of which include Ransomware. Ransomware
has come to claim its place in the malware wild due to the
philosophy of extortion behind its operations. Ransomware
threat actors are seeking ways to delivery their malware payload
in ways that do not generate suspicion via unusual network
traffic and system calls by involving less user input if any at all.
Malware-free intrusions present attack vectors so desirable to
Ransomware threat actors in this respect in that they do not
employ an extra malicious code which otherwise would be
detected by intrusion detection and prevention system. We in this
paper explore the utilization of malware-free backdoors for
Ransomware payload delivery over a network with RDP-based
remote access. We further show that leveraging such backdoors
does not require user input while providing high probability
levels of success thus adding to the expansion of the available
attack surface.
domain is not uncommon. Attackers use a wide range of
malware not limited to viruses, worms, trojans, rootkits etc to
achieve their ultimate. One new breed of malware coined as
Ransomware [3] employs a new philosophy altogether, that of
extortion, as a means to achieve the end goal. Unlike
conventional malware which usually seeks to replicate, delete
files, exfiltrate data or extensively consume system resources,
Ransomware on the other hand imposes some form of denial of
service to either the system or system resources such as files
until a ransom is paid. One class of Ransomware uses
encryption to encrypt victim files and demands a ransom before
decryption. This type of malware has targeted critical industries
[4] where the victim has had to pay as the only way out due to
the vitality of access to data on demand. Figure 1 below shows
the distribution of Ransomware attacks on different sectors of
the economy for 2016 [15].

Keywords- Ransomware; Attack Vector; Backdoor; Remote

Access;

I. INTRODUCTION
The rise of the Internet has likewise seen the emergency
related cyber-attacks and the two are seen not to occupy
opposite ends of the continuum. The Internet was initially built
without security in mind [1] implying that all technologies that
jump onto this bandwagon need to address the associated
security concerns in their respective niche, but unfortunately
this is not the case. Due to the vast number of technologies
integrated into the Internet today, the variety of attacks thereof
are extensively wide correlating to the incepting technologies. Figure 1. Ransomware Infections by Organization Sector,
There are many metrics and parameters used to classify cyber- January 2015 – April 2016 [15]
attacks but they can broadly be classified as targeted or non-
targeted attacks [2]. Non-targeted attacks usually don’t have a It is estimated that Ransomware has costed millions of
specific target and tend to be works of novices and script dollars to victims [5] while enriching the criminals that be. As
kiddies as opposed to targeted attacks. On the contrary, with all cyber-attacks, attacks via Ransomware cast a wide
targeted attacks are the works of highly skilled technical people spectrum of attack vectors. These are the ways and means
who might be working on individual basis, for organized crime through which Ransomware is spread and delivered to the
groups, for big corporations or even governments. This class of potential victim. The attacker is therefore tasked with finding
attackers employ sophisticated techniques to compromise and optimal ways of infecting victims and Ransomware is known to
victimize their targets. The use of malicious software in this use some of the common attack vectors employed by other
malware. Some of these attack vectors generate suspicious

317 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 2, February 2017
network traffic and issue out unusual system calls, something
very undesirable to attackers as this tends to raise a red flag.
Most malware require some form of user input of some sort
to effectively carry out an infection. However, most user
systems implement Intrusion Detection Systems (IDS) which
detect and alert the user of potential harm as a consequential
result if certain actions are performed. This detection is
inclusive of Ransomware. Attackers therefore seek to employ
methods and tactics which do not require user interaction and
generate little noise as possible if any at all. For attacks as those
employed by Advanced Persistent Threats (APT), stealthiness
and a low threshold of noise are of great essence as such threat
actors seek to maintain an undetected persistence presence for a
long time [6]. Therefore an attack vector which is stealth and
less noisy is likewise desirable to Ransomware threat actors.
One such attack vector is backdoor implantation leveraging the
pre-authentication services available in almost every version of
the Windows operating system. The accessibility backdoor in
Windows is actualized by replacing an accessibility binary
executable with a system file capable of granting system level
access before even one logs in. This backdoor is documented
[7] to be present in important sectors such education, judiciary,
government etc at the disposal of Ransomware threat actors.
This attack vector is especially attractive to attackers in that it
does not involve any malicious code. This implies that all IDSs
which are signature based [8, 9, 10] are incapable of detecting
it and since the rationale behind the backdoor is to utilize
system resources and files to covertly achieve a goal, a
behavioral based IDS will particularly find it hard to detect it
since there is no anomaly behavior to evaluate.
This paper explores the utilization of the aforementioned
backdoor attack vector for Ransomware payload delivery. We
investigated the delivery of the malware payload in the
presence of IDS on different versions of the Windows
operating system from Windows XP to Windows 10. The
Windows operating system is chosen as the victim on the
pretext that it’s the most widely used operating system [11]
hence the obvious casualty of such attacks. We leverage the
built-in RDP-based remote access functionality in these
systems to establish an RDP session without any login at all to
deliver the malware payload and confirm the result. We
contend that such an attack vector increases the attack surface
of Ransomware attacks with a high probability of inflicting
maximum damage without any direct user input.
The rest of the paper is organized as follows: Section II
provides background information and concepts whilst the
attack model for Ransomware payload delivery and the
analysis thereof are discussed in Section III. Experiment
simulations are presented in Section IV while best practices
and mitigation techniques are presented in Section V and we
conclude the paper in Section VI.
II. BACKGROUND AND CONCEPTS
The networks that build up the Internet are thought to be like
an egg. There is an obvious hard network perimeter that
requires penetration into the softer inner core which permits
lateral traversal once the attacker obtains access. Therefore,
Ransomware attackers try to find ways of penetrating a target
318
network and will utilize lapses in security configurations.
These lapses may include poor security implementations,
vulnerabilities imposed by software built without security in
mind, social engineering etc. To this effect, Ransomware
mainly comes in two flavors; non-encrypting Ransomware
also known as Locker Ransomware and encrypting
Ransomware also known as Crypto Ransomware. The diagram
below in Figure 2 shows the Microsoft report for the relative
distribution of Ransomware variants.
Figure 2. Relative distribution of different Ransomware
variants. [16]
Using Figure 2, we in this paper consider the most
common Ransomware variants of the Locker and Crypto
Ransomware, whose characteristics are later documented in
Section IV in the analysis stage.
A. Locker Ransomware
This is a less common type of Ransomware which basically
locks down the victim’s system and its applications while
disabling user input to prevent the user from operating the
system at all. The victim is usually extorted that they have
engaged in some of cyber-crime like copyright infringement,
child pornography, money laundering etc and that they need to
pay some fee, usually in the form of bitcoin [12], before the
charge is disposed of. The emphasis usually is that the victim
won’t be able to use the system and will be in trouble with the
law unless a payment is made. Some variants of this malware
are capable of modifying the Master Boot Record (MBR) and
even the partition table. Only limited system functionality is
made available such as numeric functions and limited mouse
movements to enable the victim to enter and pay the ransom
amount on the displayed Ransomware screen. This strain of
Ransomware usually leaves the system and user files
uncorrupted [13] and can usually be recovered offline via a
technical hack or otherwise, cause of the weak techniques
employed.
B. Crypto Ransomware
This is by far the most common type of Ransomware [14]
and employs encryption techniques to achieve resource
inaccessibility. This Ransomware variant silently infects the
victim and communicates with its Command and Control (C2)
servers if need be to download the relevant encryption keys.
The malware then extracts the keys and encrypts targeted user
files which become inaccessible without the decryption key.
https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 2, February 2017

Unlike Locker Ransomware, crypto Ransomware does not lock
down the system; it only encrypts user data and displays a
message after completion of encryption that the victim’s data
files are no longer accessible and can only be accessed via
decryption upon payment of the ransom. The attacker holds the
decryption keys and promises to avail them once the ransom
demand is met. Whether the attacker avails the decryption keys
upon payment of the ransom is a debate of circumstance but
one thing for sure is that there’s no guarantee that the keys will
be provided after paying the ransom. The diagram in Figure 3
below shows the general structure of Crypto Ransomware.
Encryption
Key*
Main Body
(Payload)
Encryption
Algorithm
D. Infection Vectors
There are different ways in which attackers deliver their
Ransomware payload to the victim. They differ in the degree
of complexity and effectiveness. Here we discuss the most
prevalent ones and elaborate how the attack vector considered
in this paper contributes to the attack surface.
1) Malicious Emails
This is one of the most common way of Ransomware delivery.
The payload is delivered as an attachment from emails sent
through spam using botnets and other compromised hosts. The
victim is social engineered into interacting with the attachment
by directly opening an attachment which executes the
Ransomware payload, opening a malicious file which in turn
initiates payload delivery via a macro or by clicking on a URL
in the email which redirects to an exploit kit which in turn runs
to find vulnerabilities on the target system and executes the
Ransomware payload thereafter. Spam attachments, as shown
in Figure 4 below according to Cisco Security Research [25],
usually carry files of different formats which could be used to
deliver the Ransomware payload.

Figure 3. General overview of Crypto Ransomware

Crypto Ransomware also comes in two flavors; Private-key

Crypto Ransomware (PrCR) and Public-key Crypto
Ransomware (PuCR). PrCR uses classical stream or block
symmetric ciphers for encryption. Since key distribution is a
known challenge in symmetric encryption, these Ransomware
variants, e.g. CryptorBit [17], used a self-designed substitution
cipher in the first 1024 bytes of the target file. These are thus
crackable via cryptanalysis once the analyst gets hold of the
Ransomware itself.
PuCR on the other hand employ public key encryption
where the encryption and decryption key are entirely different.
In this approach, a pair of keys is generated by an asymmetrical
cryptosystem such as RSA and the public key used for
encryption is delivered together with the payload whilst the
private key used for decryption is kept in the hands of the
attacker which the attacker promises to release upon payment
of the ransom. Cryptowall [18], for example, uses a 2048 bit
RSA public key for encryption which is believed to be
computationally infeasible to break without consented efforts
of distributed computing. Figure 4. Malicious files attached to spam emails [25].
C. Command and Control (C2) Servers
2) Brute-force Authentication Credentials
C2 servers are the attacker's online infrastructure which Another attack vector in this domain finding growing usage is
generally coordinate operations of the infected hosts. This brute-forcing user credentials to different systems. Attackers
infrastructure can be a system which the attacker owns or a set employ automated scripts to achieve this task. Bucbi
of compromised hosts in form of a botnet. Ransomware will Ransomware [19] utilized this attack vector to obtain access to
usually beacon back to these servers once an infection is the system via RDP. We contend in this paper that
successful which may handle the remote distribution and
Ransomware threat actors can alternatively leverage malware-
encryption of the victim’s files. It’s these resources that are
responsible for handling operations like payment mechanisms free intrusion backdoors to obtain access through RDP as
and other related tasks. It worth noting that C2 play a vital role some system implement a lockdown mechanism upon failed
in the Ransomware attack chain in that if these servers are multiple authentication attempts.
offline, the malware may not complete the attack process and
the subsequent encryption.

319 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 2, February 2017

3) Exploit Kits (EKs) We now employ an attack tree [24] for our model
EKs are software packages which scan for vulnerabilities with consideration. The diagram in Figure 5 below shows an attack
the purpose of malware installation upon successful discovery. tree with different infection vectors. The root node is denoted
These scans are run on third party servers and inject code into by G0 and it’s the attacker’s ultimate goal. The rest of the
different portions of the server depending on the context nodes and leaves are denoted as follows: G1 – attack via
which in turn redirect server visitors to the malware. The offline or out of band payload delivery, G2 – network attack
Angler EK [20] for example accounted for close to 20 million payload delivery, G3 – authentication attack, G4 – payload
attacks thwarted by Symantec. delivery via USB flash drive, G5 – payload delivery through
optical media, G6 – payload delivery via Bluetooth, G7 –
4) Other Attack Vectors payload delivery via EKs, G8 – payload delivery through spam
There are many other attack vectors employed to attain a email, G9 – payload delivery via brute-forcing, G10 – payload
successful Ransomware attack. Some of these include the delivery through malware-free intrusion and Gn+ – payload
injection of redirect links in JavaScript, Malvertising, Drive- delivery via other network-based infection vectors.
by-Downloads [21, 22, 23] etc.
III. THE ATTACK MODEL G0 Root Node
We now formulate the attack model based on the preferred (System Level Access)
infection vector from the preceding section. We model our
attack model based on a set of conceptual units which serve as
the basic building blocks of the whole attack process. G1 Intermediate Node
Therefore the delivery of Ransomware to a victim can be G2 (Sub-goals)
envisioned as a process with an attacking agent carrying out
the attack by acquiring a set of assets after performing some
Gn+
action with the sole purpose of reaching the goal, the delivery G4 G6 Leaf Nodes
and successful execution of the malware on the targeted host. G5 G3 G7 G8 (Atomic Attacks)
A. Attacking Agent
This is the subject of the attack process who carries out actions G9 G10
towards the object which might be a host, network or system.
The agent can be software e.g. EKs or a human actor or a
combination of both. We distinguish the agent of our model to Figure 5. Attack Tree of Infection Vectors
be a highly skilled threat actor with a considerable level of All the intermediate nodes in the resulting graph decompose
sophistication in terms of traceability and stealthiness. into children nodes sharing disjunctive OR association. This
B. Assets implies that only one node need to be true to traverse to the
upper node, meaning if the route through G1 is traversed, the
These are resources which the agent requires in order to attacker has options of either starting with G4, G5 or G6. The
further the attack. Some resources are but not limited to same is true if the attack route pursued traverses through G2,
information about the host such as operating system, IP the attacker can either start with the leaves G7, G8 or Gn+.
address, open ports, TCP/UDP connectivity and so forth. It’s
0 0
1 1
important to note that such information might be reusable 1 0 0 0 0 0

throughout the attack process hence the need for constant
0 1 1 1 0 0
0 0
verification for consistency.

 
C. Actions 1 0 0 0 1 1

AG = 
0
0 0
These are requests made by the agent with specified input 0 1 0 0 0 0 0

 
parameters with an expected return. There are preconditions
1 0 0 0 0 0
0 0 1 0 0 0 0 0
that have to be met for a given action to return the correct

0 0 1 0 0 0 0 0
output. The output of an action can be either true, in which

 
case the returned parameters further the attack or false where

the returned value denotes that further pursuance of the chosen
attack vector does not yield fruition.
D. Goals
These are the treasures that the attacker seeks to attain.
There’s the ultimate goal, Ransomware delivery and execution
in our context, but also other sub-goals of the attack process
which act as pivots for further attacks. These are only reached
when the returned value of a certain action is true.
0 1 0 0 0 0 0 0
If the attacker instead opts to use the path through G3, likewise
he has an option of starting either with the leaf G9 or G10.
Pursuance of attack vectors through G1 is practically daunting
because of the constraints imposed by the need for physical
presence. Moreover it even limits the target audience which
needs to be reached. We therefore drop this attack path in our

320 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 2, February 2017

attack consideration and generate the adjacency square matrix further activate RDP-based remote access on the targeted
AG of the 8th order shown above for the resultant attack graph. hosts. We acquire and verify Ransomware samples with
We thus deduce five attack scenarios from the adjacency VirusTotal and Malwr [26, 37] for delivery to the victims.
matrix AG corresponding to the following paths: Since the malware is active and harmful, we perform the test
in a securely built environment as specified by common
P7: {G7, G2, G0}
scientific guidelines [27, 28, 29, 30] while maintaining limited
P8: {G8, G2, G0}
regulated Internet access via NAT integrated in Virtual Box.
Pn+: {Gn+, G2, G0}
We in addition used the following tools for analysis of the
P9: {G9, G3, G2, G0}
Ransomware: Process Monitor [31] for verification of process
P10: {G10, G3, G2, G0}
activity, Regshot for registry alterations monitoring, API
EKs require the existence of an exploit before Monitor [32] for observance of issued system calls and
materialization meaning a target without vulnerabilities being ApateDNS and Netcat [33, 34] for emulating some C2 servers.
sought by the EK won’t be susceptible to the attack. We thus We use an Nmap [35] for reconnaissance attacks where the
drop the first path P7. Spam email largely depend on user input actions of the defined attack model returned assets in the form
and a user with up to date Internet hygiene would rarely fall of list of hosts IP addresses, types operating systems, open
prey to such. Moreover, spam emails are subject to filtering by ports and running services. We did obscure an RDP port on
spam filter giving no assurance of success of payload delivery. one of the hosts and it was discovered to be running RDP
We likewise drop path P8. In authentication attacks, brute- services upon probing for the service banner. We also
forcing passwords is subject to system lockdown upon employed the services of an automated script [36] for
multiple failed attempts. We in this regard likewise drop the automated backdoor discovery. We set up an FTP server on
path P9. Malware-free intrusions on the other hand do not the attacker’s machine to host the Ransomware payload. The
require any vulnerabilities for exploits and neither do they snapshot in Figure 7 below shows successful malware delivery
require any user input. Once the malware-free intrusion on one of the targeted hosts.
backdoor is identified, the attacker can without difficulty
We ran the attack by deploying the Ransomware to the victims
deliver his Ransomware payload directly to the victim hence
using the malware-free intrusion infection. First a
the actualization of the attack. We therefore base our
reconnaissance attack was carried out which revealed the list
experiment simulations solely on the attack path P10 in the
of available host and their respective running services upon
following section.
port scans and banner grabbing. The obscured port likewise
IV. EXPERIMENT SIMULATIONS AND ANALYSIS revealed that the RDP service was running. The automated
scripted referenced earlier was employed to probe the
Our simulation environment consists two networks separated
availability of the backdoor and five backdoors were
by a simulated Internet as shown in Figure 6 below. The
discovered on separate hosts. As can be seen in Figure 7, the
attacker is located in one subnet whilst the targeted hosts Ransomware payload file, named Invoice.zip is a small file in
reside in a different subnet altogether. In practice the attacker the range of ~ 10KB and might not raise suspicion to the
can reside in the same network with his victims but that's a
benign user. They are usually attached to some spam email
rarity from a logical point of view in as far as Ransomware is
with a catchy subject to raise interest from the would-be
concerned. The threat actor, the attacking agent defined in the
victim.
attack model ran from the Kali Linux whilst the targeted hosts
ran on Windows XP, Windows Vista, Windows 7, Windows 8 We observed from the pursued attack vector that it did not
and Windows 10. require any user action so long the backdoor was present and
RDP service active. Table I below summarizes some of the
Ransomware Advesary known activities and properties of the Ransomware payloads.
Victim Network
TABLE I. RANSOMWARE ATTACK ACTIVITIES
Ransomware Attack Details
Family
Switch Variant Delete MBR Steals
Name Encryption
Files Alteration Info
  
Internet
Cryptowall Crypto X
Router FakeBSOD Locker X X X 
Brolo Locker X X X X
CTB-Locker Crypto  X X 
Teslacrypt Crypto   X 
Figure 6. Experiment setup for Ransomware delivery Reveton Locker X  X 
Seftad Locker X X  X
 
We implant the accessibility backdoor on target hosts via Cerber Crypto X X
registry manipulations by setting cmd.exe as the debugger for
specified accessibility suite executable binaries and by Ransomware threat actors might have specific targets in mind
switching specific accessibility suite binary executable with but using this attack vector would increase the surface area of
cmd.exe in the %systemroot%\System32\ directory. We infection and since the motive is to extort as much money as

321 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 2, February 2017
possible regardless of the target victim, this attack vector is
especially attractive for maximizing profits.
Different Ransomware families have specific file activity upon
infection. It’s notable that the Locker variant of the
Ransomware does not employ encryption. The deletion carried
out by the various families differ in their target files and the
subject implementing the deletion. Some attacker are known
to remotely delete the files upon failure to pay the ransom
while some Ransomware payload itself deletes target files to
reduce any possibility of recovery. Families which employ
asymmetric encryption largely depend on the C2 for
generation and deployed of encryption keys. The public key is
always used for encryption. There are a number of
Ransomware out in the wild but the majority belong existing
families, only that they introduce some additional
functionalities, e.g. changing from symmetric encryption to
Figure 7. 1 of Ransomware Successfully Delivered to Victim
asymmetric encryption. Therefore, mutations of Ransomware,
just like conventional malware, are not uncommon.
A. The Infection Chain
We now describe the infection chain for crypto
Ransomware used in our experiment. It depicts the life process
of the Ransomware until it accomplishes the given task. Since
the attack vector pursued in our setting is somewhat different
from the common infection vectors in that it does not require
user input or user action, the infection chain likewise
emphasizes that the attack vector leverages malware-free
intrusion as a result of the backdoor and not a direct
consequence of a user’s action. The same chain applies to
Locker Ransomware with the only difference being the attack
322
activities shown in Table I. The chain comprises five stages as
shown in Figure 8 otherwise elaborated below as follows:
1) Malware-free Intrusion Backdoor Discovery
The attacker in this case seeks to find the accessibility
backdoor which when invoked avails a system level access
console via RDP-based remote access. The attacker does not
concern himself with the implantation of the backdoor, his
main objective is to determine whether the backdoor exists or
not. We base this assumption on the fact that this type of
backdoor is documented [7, 38] to be existing on critical
networks of educational institutions, governments,
manufacturing industries, legal sector, gaming companies etc.
Moreover, we contend that a determined attacker with a
specific target might employ other techniques to achieve this
backdoor or any of this type which does not necessarily
require user action. Once the backdoor has been discovered,
the attacker goes to the next step of initial payload delivery.
2) Payload Delivery via FTP
Once in the system console of the victim, the attacker could
use whichever method applicable to fetch the Ransomware
from wherever it’s harbored. In our experiment the
Ransomware was assumed to be hosted on the C2 servers
controlled by the attacker. For effective distribution of the
payloads, attackers are known to host malware payloads in
different mirrors depending on the location of the victim. We
chose to fetch the Ransomware via FTP considering that this
protocol is allowed by most firewalls and would not be red-
flagged under normal conditions.
https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 2, February 2017
3) Infection and Initial Execution
Once the Ransomware is delivered to the victim via FTP, the
first action it carries out is to beacon out to the C2 servers.
This is common for the variants which employ public key
encryption. Cases of the Ransomware falling to successfully
encrypt are documented [39] where the failure is attributed to
inability to establish contact with the C2 servers. It should be
noted at this point that the attacker does not engage further in
the attack process but rather awaits the Ransomware to carry
out its tasks. Another point worth noting is that some variants
are known not to execute instantly upon infection but
hibernate in efforts to avoid detection.
Payload Execution
C2 Beaconing
FTP Payload 2
Download Victim 3 X
Victim
Backdoor
File Encryption
Discovery
Ransomware Encryption Key 4 forcing vector all due to the fact that these two methods
File
1 Download Victim
Targeted Hosts User Notification materialize, the benefits outweigh attack paths pursued via
Victim About Ransom
5
C2 Severs
Figure 8.Infection Chain for Ransomware Attack via
Malware-free Intrusion Vector.
4) File Encryption
This is the stage where the payload actually encrypts the
targeted files using keys obtained from the C2 servers. The
encryption is selective in that it does not encrypt system files
but user files not limited to images, text documents, pdf
documents, database files, excel files, PowerPoint etc. Crypto
Ransomware are not known to attack system files since from a
logical point of view it might be cumbersome to deliver the
ransom notice. Once the files are encrypted, only the attacker
with the decryption keys has got the means of making the data
accessible again hence the ransom, but there is no guarantee
that the attacker will keep their word. Some variants as shown
in Table I do delete original files while others don’t. Others
are known to delete shadow files so as to prevent any
possibility of system restoration available in Windows. Crypto
Ransomware threat actors suffer from the challenge of key
management. Clearly using the same key for multiple
encryption, hence decryption increases the chances of key
discovery once a victim pays the ransom as the key would be
reusable. Generating multiple keys introduces the challenge of
key management and increases the chances of key discovery.
5) Ransom Notification
Once the Ransomware is done encrypting and deleting file in
accordance with its characteristics, a ransom note is delivered
to the screen of the victim. Attackers employ a myriad of scare
tactics to intimidate the victim into succumbing. Some of the
scare tactics employed try to prey on the ignorance of the
323
victim. There is the process of payment which is carried out in
different forms the most notable being via bitcoin using the
Tor network to eliminate any chances of traceability.
With the infection chain of Ransomware attack via malware-
free intrusion defined, we now look at how this infection
vector fares in comparison to others in terms of intractability
while putting both the attack and victim into context. Table II
below summarizes the comparisons thereof.
TABLE II. INFECTION VECTOR CHARACTERISTICS
Infection Victim Exploit Mule
Repudiation
Vector Action Dependence Carrier
Spam Mail  X  X
Brute-Forcing X X X 
Exploit Kits    

Malware-Free
X X
Intrusion
It’s evident from the above table that malware-free intrusion
infection vector shares some commonalities with the brute-
require first access to the victim’s machine. Though this may
result in requiring a lot of input parameters for the attack to
other means. It’s worth noting that though these two vectors
may share some commonalities, brute-forcing is subject to a
lot of hurdles compared to malware-free intrusions and the
latter is therefore a better attack vector.
V. MITIGATION AND BEST PRACTICES
In as far as prevention and detection are concerned, we
approach it twofold; against the Ransomware attack itself and
against malware-free intrusion. This is so because as earlier
shown in the attack model, the absence of malware-free
intrusion backdoor implicitly entails that a Ransomware
infection vector in this regard would not be feasible.
There are a number of suggested solutions against
Ransomware attacks the majority directed towards prevention
than recovery. The most echoed of these is “prevention is
better than cure” where offline backup of data is strongly
emphasized. Offline is stressed due to the fact that some
Ransomware families are known to search for any network
attached storage and any network resources and induce an
attack if the target files are present. Offline backup is arguably
the best solution because Ransomware variants keep mutating
and new ones keep emerging with new techniques altogether.
It is also recommended to keep the anti-virus updated so as to
include new Ransomware signatures and anomaly behavior to
the IDS and IPS engine. Good Internet hygiene is another
recommended house-keeping activity; users whether technical
or otherwise should likewise be educated on the importance of
safe Internet browsing since Ransomware attacks are mainly
directed towards the Internet and the users thereof.
One solution against Ransomware attacks is to keep restore
points on the system. However this method works with earlier
variants of Ransomware which did not attack the restore utility
in the Windows operating system. Newer mutated and updated
versions of Ransomware seek to delete system restore points
https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 2, February 2017
via the vssadmin.exe file to prevent system restoration, .i.e. the
Ransomware depends on local system resources to make
recovery impossible. Trivial methods have been suggested
[40] to prevent access to the above file by making a backup of
the file and renaming the original file. If this is implemented,
the Ransomware fails to find the vssadmin.exe responsible for
removing restore points consequently failing to explicitly
prevent a system restore. Though the Ransomware at this point
might be able to encrypt the targeted files, restoration is
acquired by removing the Ransomware payload first,
assuming it didn’t delete itself, then renaming the backed up
file to vssadmin.exe and implementing a system restore.
Nevertheless, this is in the hope that the Ransomware doesn’t
compute hashes to check collisions with the targeted file.
Considering that Crypto Ransomware is the more resilient of
the two Ransomware variants, other suggested solutions are
process signing and traffic monitoring by the IPS. Crypto
Ransomware always tries to beacon back to C2 for further
instructions and in this prevention approach, the IPS that be
signs all processes in the system and monitors and logs
process activity on the network. Communication to C2 servers
can be sighted as unusual traffic and the necessary steps taken
to prevent further damage. This techniques has shortfalls in
that C2 servers are not static resources. Attackers employ
different techniques to keep their C2 servers dynamic and
difficult to trace. Moreover, C2 servers can be anything from
normal compromised user machines to botnets controlled by
the attacker. In this case, the Deep Packet Inspection (DPI)
could be employed to examine the payload of communication
with C2s but then DPI is known to be slow and costly for high
bandwidth applications.
Countering malware-free intrusions calls for addressing the
three attack vectors that make it possible. Since the intrusion
discussed herein is as a result of backdoor planting via
accessibility tools, ultimate prevention and mitigation calls for
prohibition of interactive console access at pre-authentication,
most importantly over RDP-based remote access. One way to
detect the presence of the backdoor is by hashing all binary
executables in the %systemroot%\System32\ directory. Any
hash collision is an indicator of compromise. The second
method of detecting the backdoor is by checking registry
entries to check whether cmd.exe has been set as the debugger
to any of the accessibility tools. The presence of such a setting
likewise is a clear indication of compromise. Network Level
Authentication (NLA), a feature that has been introduced in
newer versions of Windows starting with Vista, prevents
establishment of an RDP session before authentication. This
implies that activation of NLA will ultimately see the
thwarting of this malware-free intrusion. However, it must be
stated that NLA imposes requirements such as belonging to a
network domain and a third entity for credential handling,
requirements that are not befitting to the average independent
user. This solution therefore can only work in isolated
instances.
Since one of the actions of the attack model involves RDP
service discovery, and this intrusion is only actualized via
RDP, closing RDP ports and service will prevent this attack.
324
It’s worth noting that security via port obscurity is not
forthcoming due to the fact that service banner probes do
reveal the actual running service.
VI. CONCLUSION
Ransomware attacks keep evolving and so do the methods and
techniques employed to carry out the attacks. The most
common methods of Ransomware payload delivery involve
some third party and require some action of the user.
Moreover these types of attack vectors also involve some form
of malware for initialization of the attack before Ransomware
infection which might otherwise be detectable by the IDS.
Malware-free intrusions introduce a new attack vector so
desirable to the attacker in that it does not require a third party
mule and neither does it require any action from the user. As
demonstrated in this paper, all the attacker needs to do is to
download the payload once the victim’s system has been
penetrated. We in this paper explored the accessibility
backdoor as a malware-free infection vector where system
level access is gained over an RDP session at pre-
authentication without logging at all. Since the accessed
console at pre-authentication is at system level permission, the
Ransomware does not need any user action as it will run under
system root, the highest permission in the system.
Furthermore, this infection vector does not rely on any exploit
whatsoever; all versions of Windows systems are susceptible
to the attack via this infection vector so long RDP-based
remote access is activated, and all versions of Windows
considered in this paper from Windows XP to Windows 10
ship with RDP by default. The attacker needs not to worry
about the implantation of the backdoor because recent study
has shown that a lot of systems running on the Internet today
have this backdoor as evidenced by the SHODAN search
engine.
Ransomware attacks pursued through this attack vector ought
to be countered by addressing the security loopholes resulting
from the implantation of the backdoor. Until Microsoft find a
way to implement context detection of cmd.exe execution at
pre-authentication, i.e. prohibition of execution of cmd.exe or
any other system binary that avails system level access at pre-
login, the backdoor will continue to exist. Since this backdoor
has already been used in APT attacks, it only remains to be
documented for use in Ransomware attacks. Another security
implementation to thwart infection via this vector is ensuring
system integrity check that a system executable binary capable
of providing system level access at pre-authentication is not
set as a debugger to any of the accessibility tools. Though the
concept of introduction of NLA in newer versions of Windows
somewhat helps prevent the backdoor, it should be extended to
pre-authentication attacks and not limited to denial of service
attacks as originally intended.
There are other Ransomware infection vectors that do not
require user action neither a third party carrier, like brute-
forcing, but their effectiveness is hindered by a couple of other
factors. Malware-free intrusion promises a better turnout to the
attacker.
REFERENCES
https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 2, February 2017

[1] Al-Salqan, Yahya Y. "Future trends in Internet security." In Distributed [23] McDowell, Karen. "Now that we are all so well-educated about spyware,
Computing Systems, 1997., Proceedings of the Sixth IEEE Computer can we put the bad guys out of business?." In Proceedings of the 34th
Society Workshop on Future Trends of, pp. 216-217. IEEE, 1997. annual ACM SIGUCCS fall conference: expanding the boundaries, pp.
[2] Thonnard, O., Bilge, L., O’Gorman, G., Kiernan, S. and Lee, M. 235-239. ACM, 2006.
"Industrial espionage and targeted attacks: Understanding the [24] Schneier, Bruce. "Attack trees." Dr. Dobb’s journal 24, no. 12, pp.21-29,
characteristics of an escalating threat." In International Workshop on 1999.
Recent Advances in Intrusion Detection pp. 64-85, 2012. [25] Catalin Cimpanu. (February 2017). "Spam Accounts for Two-Thirds of
[3] O'Gorman, Gavin, and Geoff McDonald. Ransomware: A growing All Email Volume, and It's Still Going Up." [Online] Available:
menace. Symantec Corporation, 2012. https://www.bleepingcomputer.com/news/security/spam-accounts-for-
[4] Richard Winton (February 2016). "Hollywood hospital pays $17,000 in two-thirds-of-all-email-volume-and-its-still-going-up/#comment_form.
bitcoin to hackers; FBI investigating" [Online] [Accesed February 2017].
Available:http://www.latimes.com/business/technology/la-me-ln- [26] VirusTotal - Free Online Virus, Malware and URL Scanner. [Online]
hollywood-hospital-bitcoin-20160217-story.html [Accessed 3rd January Available: https://www.virustotal.com/. [Accessed 20th December
2017] 2016].
[5] V. Weafer, “McAfee Labs Threats Report,” McAffe, March 2016 [27] Rossow, C., Dietrich, C.J., Grier, C., Kreibich, C., Paxson, V.,
[6] Gonzales, Daniel, Jeremy Kaplan, Evan Saltzman, Zev Winkelman, and Pohlmann, N., Bos, H., Van Steen, M.: Prudent practices for designing
Dulani Woods. "Cloud-trust-a security assessment model for malware experiments: status quo and outlook. In: 2012 IEEE
infrastructure as a service (IaaS) clouds." IEEE Transactions on Cloud Symposium on Security and Privacy (SP), pp.65–79. IEEE. 2012.
Computing (2015). [28] L. Zeltzer, “5 Steps to Building a Malware Analysis Toolkit Using Free
[7] D. Maldonado and T. M. Lares. "Sticky Keys to the Kingdom: Pre-Auth Tool.” Zektzer Security Corp. [Online] Available:
system RCE on Windows is more common than you think." DEFCON https://zeltser.com/build-malware-analysis-toolkit/. March 2015.
Conference, 2016. [29] Cuckoo Foundation. Cuckoo Sandbox: Automated Malware Analysis ).
[8] Sourabh Saxena. "Demystifying Malware Traffic." SANS Institute [Online] Available: http://www.cuckoosandbox.org. 2014.
InfoSec. August 2016. [30] M. Sikorski and A. Honig, “Practical Malware Analysis: The HandsOn
[9] Rieck Konrad, Philipp Trinius, Carsten Willems, and Thorsten Holz. Guide to Dissecting Malicious Software,” No Starch Press, 2012.
"Automatic analysis of malware behavior using machine learning." [31] M. Russinovich (2016, July). Process Monitor [Online]. Available:
Journal of Computer Security 19, no. 4, pp. 639-668. 2011. https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
[10] Alazab Mamoun, Sitalakshmi Venkataraman and Paul Watters. [32] API Monitor. (2017). [Online] Available:
"Towards understanding malware behaviour by the extraction of API http://www.rohitab.com/apimonitor
calls." In Cybercrime and Trustworthy Computing Workshop (CTC), [33] ApateDNS. (January 2017). [Online] Available:
2010 Second, pp. 52-59. IEEE, 2010. https://www.fireeye.com/services/freeware.html/mandiant_apatedns.htm
[11] "Top 7 Desktop OSs on January 2017." [Online] Avaialable: l
http://gs.statcounter.com/os-market-share/desktop/worldwide/ [Accessed [34] Ncat - Netcat for the 21st Century. (January 2017). [Online] Availble:
20th January 2017] https://nmap.org/ncat/
[12] Nakamoto, Satoshi. "Bitcoin: A peer-to-peer electronic cash system." [35] Nmap: The Network Mapper. (January 2017). [Online] Available:
2008. https://nmap.org/
[13] Bhardwaj, Akashdeep, et al. "Ransomware Digital Extortion: A Rising [36] “Sticky-Keys-Slayer” (2017). [Online] Available:
New Age Threat." Indian Journal of Science and Technology 9, pp 1- 5, https://github.com/linuz/Sticky-Keys-Slayer [Accessed 2nd January
2016. 2017]
[14] Kharraz, Amin, William Robertson, Davide Balzarotti, Leyla Bilge, and [37] Malware Anysis Service. (2017). [Online] Available:
Engin Kirda. "Cutting the gordian knot: A look under the hood of https://www.malwr.com.
ransomware attacks." In International Conference on Detection of
Intrusions and Malware, and Vulnerability Assessment, pp. 3-24. [38] Zach Grace. "Hunting Sticky Keys Backdoors" (March 2015) [Online]
Springer International Publishing, 2015. Available: https://zachgrace.com/2015/03/23/hunting-sticky-keys-
backdoors.html
[15] Symantec Security Response. "An ISTR Special Report: Ransomware
[39] Ahmadian, M. M., Shahriari, H. R., & Ghaffarian, S. M. "Connection-
and Businesses 2016." [Online] Available:
monitor & connection-breaker: A novel approach for prevention and
http://www.symantec.com/content/en/us/enterprise/media/security_respo
detection of high survivable ransomwares." In Information Security and
nse/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
[Accessed 20th January 2017] Cryptology (ISCISC), 2015 12th International Iranian Society of
Cryptology Conference on (pp. 79-84). IEEE. 2015.
[16] Ransomware, Microsoft Malware Protection Center, Februrary 2015.
[40] Mattias Weckstén, Jan Frick, Andreas Sjöström and Eric Järpe. "A
[17] Salvi, Miss Harshada U., and Mr Ravindra V. Kerkar. "Ransomware: A Novel Method for Recovery from Crypto Ransomware Infections." 2016
Cyber Extortion." Asian Journal of Convergence in Technology. 2016. 2nd IEEE International Conference on Computer and Communications
[18] Ransom Cryptowall. June 2014 [Online] Available: (ICCC 2016), Chengdu, China. IEEE. 2016.
https://www.symantec.com/security_response/writeup.jsp?docid=2014-
061923-2824-99 [Accessed 23rd January 2017].
AUTHORS PROFILE
[19] Ransom Bucbi.(May 2016). [Online] Available:
https://www.symantec.com/security_response/writeup.jsp?docid=2016- Aaron Zimba is currently a PhD student at the University of
050921-2018-99 [Accessed 23rd January 2017] Science and Technology Beijing in the Department of
Computer Science and Technology. He received his Master
[20] Ankit Singh. (January 2016). "What Symantec’s Intrusion Prevention and Bachelor of Science degree from the St Petersburg
System did for you in 2015." Symantec Security Response. 2016. Eletrotechnical University in St Petersburg in 2009 and 2007
[21] Broad Analysis Threat Intelligence and Malware Research. "Malicious respectively. He is also a member of the IEEE. His main
Java Script sends Locky Ransomware Again". [Online] Available: research interests include Network Security Models, Network
http://www.broadanalysis.com/2016/04/29/malicious-java-script-sends- & Information Security and Cloud Computing Security.
locky-ransomware-again/ [Accessed 23rd January 2017]
[22] Sood, Aditya K., and Richard J. Enbody. "Malvertising–exploiting web
advertising." Computer Fraud & Security 2011, V no. 4, pp.11-16, 2011.

325 https://sites.google.com/site/ijcsis/
ISSN 1947-5500