HAL Id: hal-02558819
https://hal.archives-ouvertes.fr/hal-02558819
Preprint submitted on 29 Apr 2020
HAL
is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire
HAL, estdestinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
Ransomware Attacks: Challenges and Defence
Mohammed Naeem Miah
To cite this version:
Mohammed Naeem Miah. Ransomware Attacks: Challenges and Defence. 2019. �hal-02558819�
Ransomware Attacks: Challenges and Defence
Mohammed Naeem Miah Faculty of Engineering and Informatics
University of Bradford Bradford, UK Mnmiah@bradford.ac.uk
Abstract —The world today is severely centred on computing and with the development of cyber environments, cyber-attacks have become an imperative concern for the security of computer networks. One of the main factors contributing to this is ransomware attacks. Ransomware is a term used to define a category of malware that restricts users from accessing their system or data, primarily through encryption, until a ransom payment has been made [1]. The main aim for this type of attack is monetary gain through unlawful means, thus the ransom payment aspect being key in this attack. The attackers usually demand the ransom in Bitcoin, which is a cryptocurrency, as this form of payment is hard to detect and backdate [2]. This paper will provide a brief overview of the attack including the challenges and defence mechanisms which can be utilised, in order to implement the appropriate detection and prevention techniques needed to diminish ransomware threats that persistently challenge computer security and data confidentiality.
Keywords — ransomware, cyber-attacks, malware, encryption, cyber-attacks
I. INTRODUCTION
There are many different forms of attacks which disperse around the cyber world. A universal report that emphasises on the significant influence that cybercrime has on economies globally, called ‘Economic Impact of Cybercrime – No Slowing Down’, has discovered that ‘close to $600 billion, nearly 1% of global GDP, is lost to cybercrime every year’ [12]. The main objective behind every attack is usually the same, which is to acquire access to private information and data.
Ransomware has been pivotal in the growth of cybercrime over the past decade. According to AIG, a world-renown global insurance company functioning in over 80 countries, 25% of cyber insurance claims made in 2017 were correlated to ransomware attacks [3]. This portrays the intensification and upsurge of ransomware attacks. This form of attack is highly dangerous due to the different vectors which could be taken to implement the malware within a victim’s network or system. The core method in which ransomware operates is via emission of malware onto a device or system, resulting in the victim being unable to access any private files and data, allowing the attacker to blackmail the victim for a ransom.
II. HOW RANSOMWARE ATTACKS WORK Ransomware attacks can be carried out in many different forms as the target is to flood a set with malware making the contents within the system inaccessible [5]. There are two main ways in which this process can be done; phishing and drive-by downloads.
1. Phishing Emails
Ransomware is most commonly spread through either phishing emails that contain malicious attachments or through drive-by downloading. Phishing emails will consist of scripting from legitimate and trusted sites to lure users into thinking that the email is genuine [4]. The user will fall into the attacker’s trap once the designated instructions within the phishing email have been followed and the impersonating attachments have been deployed. This will lead to malware being discharged into the system allowing the attacker access to all of the user’s private information leaving the user vulnerable [6].
2. Drive-by Downloads
On the other hand, drive-by download is a method that refers to the unintended download of malicious code that leaves systems exposed to cyberattacks. This works through computer backgrounds and ‘silently’ installs malware, such as Trojans, onto a victim’s system. This is mostly done through valid looking websites that have been exploited by attackers, hence going unnoticed by the victim [6, 7]. The unnoticed element of ransomware attacks makes it one of the most difficult attacks to escape from. The following sections of this paper will look and analyse the different forms of ransomware attacks, how they’re carried out, the effects this has on individuals as well as organisations, and prevention and detections techniques which will help avert ransomware attacks.
III. CATEGORIES OF RANSOMWARE ATTACKS Ransomware attacks can be inaugurated in many altered forms, some being more detrimental than others. However, the one thing in common with all these different forms of ransomware attacks is the ransom feature, which is exchanged for the retrieval of stolen information [8]. There are two main types of ransomware which are known as crypto-ransomware, which denies access to files or data, commonly through encryption and locker ransomware, which locks the computer or device [10].
A. Crypto-ransomware
Crypto-ransomware is a highly effective attack which can major disruptions within businesses and organisations.
Crypto-ransomware is a form of destructive program that encrypts files stored on a computer or mobile device in order to demand a form of ransom. Encryption is the process which transforms the components of a file from plain text into ciphertext, making it illegible [9]. In order to re-establish it back to a readable state, a decryption key is required which would return the file into its original format. The victims are blackmailed as the files are kept hostage until a ransom is
exchanged for the decryption key [10, 15]. An IBM study states that crypto-ransomware was one of the most prominent cybersecurity threats in 2016 with the Federal Bureau of Investigation (FBI) evaluating cybercriminals make a reported
$209 million within the first 3 months of 2016 [11, 13]. This indicates the high level of loss which can be generated by ransomware attacks.
One example of crypto-ransomware attacks is the
‘WannaCry’ ransomware attack in 2017. This was a global cyberattack caused by the WannaCry ransomware cryptoworm, which aimed specifically at computers running on the Microsoft Windows operating system. This resulted in over 200,000 victims and more than 300,000 computers being afflicted [19]. This left organisations vulnerable and led to millions of pounds being lost, including a £92 million loss by the NHS (National Health Services) [20].
The main route in which the malware was emitted within the systems was through phishing emails, as mentioned above.
The emails comprised of infected attachments that were unfamiliar to the victims [12]. Once the victims unknowingly prompted these attachments and followed the instructions presented by the attacker, the activation of malicious script was deployed. This led to the malware taking over the system and encrypting all the files within the system, prohibiting users from utilising them. The attacker then demanded a ransom in the form of Bitcoin, with 1 Bitcoin equating to
£5,335.27 as of 2019 [22]. This form of currency is beneficial to the attacker as the transactions are irreversible and are near impossible to track [23]. Some organisations chose to pay the attackers as the compromised data was significant for the business to avoid disruption and further repercussions.
Figure 1: The WannaCry ransom note [35].
Figure 1 illustrates the ransom note displayed to a user when they fell to the WannaCry ransomware attack. As can be seen from the above image, the attacker demanded the ransom in Bitcoin and required it to be delegated to a precise destination. The amount was also threatened to be doubled if the ransom wasn’t funded in 3 days and completely erased if the fee wasn’t paid within 7 days [37].
B. Locker-ransomware
Contrarily, locker-ransomware is used for the same purpose as crypto-ransomware, however, the approach used is
different. Locker ransomware does not encrypt files, instead, it locks victims out of their system or files, making it impossible for victims to access them [14]. Once the victim is locked out, cybercriminals demand ransoms in order to give victims the chance to regain control of their data. After the victim pays the ransom, the files are reinstated back to the victim and can be used again [16]. The main way the malware for this sort of attack can be implemented in the system is through phishing and drive-by downloads as mentioned in the previous sections [6, 7].
One example of locker-ransomware attack is ‘Locky’.
This is a form of ransomware malware which was established in 2016. Similar to WannaCry, Locky is also delivered by emails with corrupted attachments contained within it. The attachments encompass malicious macros, which are unreadable by the victim. Social engineering is then used as the victim will open the linked files and follow the instructions given by the attacker. The victim will unintentionally permit macros settings as they will be under the deception that this will make the attached file readable. However, this will result in Locky being connected and incorporated within the victim’s computer [27]. Once this process has been completed, all the files within that system are locked. At this point, Locky will force the victim to install ‘Tor browser’, which is an internet browser that permits operators to use the web anonymously and also offers admission to the dark web [26]. This browser is essential as this is the browser in which attackers demand their ransom. Like WannaCry, this form of ransom is also generally in Bitcoin currency. The ransom is then exchanged in return for the decryption key so users can gain access and reuse their files normally again [27].
IV. Outcomes of Ransomware Attacks There are many challenges which would need overcoming after a ransomware attack has occurred. This is due to the high levels of disruptions caused and misuse of private information.
The are many factors which need to be taken into consideration when mentioning the challenges faced after a ransomware attack, however, these vary depending on the impact of the attack and whether it was against an organisation or individual [18].
a. Loss of Money
Ransomware attacks primarily target large organisations across a collection of business sectors. These can range from law enforcement authorities to universities and schools. Big businesses have confirmed to be a rewarding aim for attackers for many reasons. As businesses are now beginning to use computerised technology for safekeeping of data, this makes it easier for attackers to determine specific targets as there is a wide range of selection. Another reason is that businesses will usually resort to paying ludicrous amounts of money in order to retrieve the stolen data and stop their business getting defamed [21]. Moreover, as corporations are highly economical, it would be easier for an attacker to get higher ransom from minimal attacks on a business compared to an individual.
b. Loss of Reputation
The main challenge for a business is the loss of reputation and damage caused due to a ransomware attack. As businesses take years to build a good reputation and customer trust, the consequences of a cyberattack such as a ransomware attack
can be devastating [24]. This is due to customers losing their trust within the business as their data may have been compromised. This would lead to organisations losing customers rapidly, in turn, causing the major loss within the company. A BBC news report from 2019 shows the major loss suffered by ‘Norsk Hydro’, a global aluminium producer, after falling victim to a ransomware attack. The report states that
£45 million had been spent on attempting to recover business data [29]. This displays the significant challenges that businesses face after falling victim to a ransomware attack.
c. Theft of Identity
Another challenge that can cause serious issues to individuals after ransomware attacks is the theft of identity.
Once a ransomware attack has been carried out, the attackers have full control of the data within the attacked system [31].
This information can be used by the attackers to steal the private information of the victim as if confidential documents such as driving license or passport documents were saved on the system, the attacker will have full access to this. The attacker can blackmail the victim to pay a higher ransom in exchange for the safe return of the documents. However, this information can also be sold on the dark web, where all illegal activities and exchanging of unlawful data is carried out [34].
This information can, in turn, be used against the victim as the attacker would be able to perform illegal activities under the details of the victim [33].
V. Defending against Ransomware Attacks Reports show that ransomware attacks have increased by over 97% in the past two years [38]. This indicates the substantial incline in ransomware attacks within the cyber industry. As this form of attack is increasing, the defence mechanisms to protect against this form of attack are being researched extensively [25]. This section is going to exhibit the diverse forms of prevention techniques which can be utilised to defend against ransomware attacks.
1. Backup Plans
This technique is integral in defending against ransomware attacks. The reason being that if there is an up to date backup of the files, then the ransom will not need to be paid. This will make the aims of the attacker futile as the data will still be in working condition, under the possession of the user. A recent survey shows that 74% of cybersecurity professionals identify data backup and recovery as the most effective solution in countering a ransomware attack [36, 39].
Therefore, making regular and inclusive backups of all essential files and segregating them from local and open networks is vital in preventing ransomware attackers from achieving their motive.
2. Ransomware Protection Applications
There are many applications that are able to protect systems against ransomware attacks. Two of the most reliable and renown applications are ‘Acronis’ [43] and ‘ZoneAlarm’
[42]. Both of these tools work similarly for the same purpose, which is to prevent ransomware attacks. The tools analyse all the activities within a system or network and detect any suspicious activities within the network infrastructure. It then uses a signature-based method to distinguish if it is a
ransomware attack. If the attack is identified to be a ransomware attack, the applications will immediately block the activities and alert the users. The tools are also capable of restoring any encrypted files failing the attempts of attackers [42, 43]. Installation of ransomware protection applications will diminish the chances of ransomware attacks being carried out.
3. Educate and Inform
Ransomware attacks are highly effective due to their
‘silent’ approach, as previously mentioned in this paper. As many users are unaware of the concept of ransomware attacks, the best way to overcome this is through extensive research and understanding of the attack and how it is conducted [37].
It is highly recommended for organisations to educate the employees on such attacks as a failure to comprehend this information could lead the business data being put into jeopardy. Regular training and security awareness will inform the employees and ensure that everyone is aware of fundamental necessities required to avoid ransomware attacks, such as examination of links and attachments and reporting of any suspicious activities within the system [43].
4. Intrusion Detection Systems
Intrusion Detection Systems (IDS) are applications that monitor traffic within a network and systems to search for suspicious activities such as malicious packets. When an apprehensive activity is detected, an alert is sent out to the user or administration team. These logs and activities assembled can be further analysed to see the type of attack and can be used to prevent future attacks and further damages within the system or network [28, 32]. Network-based IDS is a form of IDS which is key in detecting ransomware attacks as this type of IDS observes a whole network infrastructure and distinguishes any form of suspicious activity within the entire framework. Once fully investigated it can be determined if this is a ransomware attack and the necessary actions can be taken to diminish the attack, avoiding disruption within an organisation [44].
5. Avoid Suspicious Emails and Attachments As the most common form of ransomware attacks are employed through the use of email phishing, it is highly recommended that users avoid suspicious emails and deter from opening unknown attachments within an email.
Organisations are encouraged to issue notices to all employees to instruct them to avoid opening unidentified emails. It is also commended that employees evade checking private emails on company systems as most free email facilities will not have advanced security scanning of attachments [41, 45]. Users should also be vigilant when opening emails from people they know and legitimate named websites as attackers are able to spoof email addresses [43]. As attackers exploit diverse social engineering techniques to entice victims to open attachments or follow links, which consequently result in the installation of ransomware or subsequent infection [46], it is highly endorsed that emails are carefully analysed before opening and following instructions within its contents.
VI. Conclusion
This paper outlined ransomware in terms of what it is, how it is carried out and it also included challenges and defence practices. Ransomware has become one of the most dangerous
problems in the digital world. It is developing as a serious threat and has become a worldwide sensation due to the number of countries targeted by this form of attack. Not only does it offer a risk to individual users, but also challenges large organisations including healthcare systems and law enforcement authorities. Given the attainable monetary gains, ransomware has become the centre of attention for many cyber-criminals leading to its accelerated evolution. This paper highlights the appropriate defence mechanisms needed to avoid being a victim to ransomware attacks as well as the challenges that come with it.
REFERENCES
[1] Liska, A. and Gallo, T. (2016). Ransomware. 1st ed. O'Reilly Media, pp.3,4.
[2] Poopla, S., B. iyekekpolo, U., O. Ojewande, S., O. Sweetwilliams, F., Ndueso John, S. and A. Atayero, A. (2017). Ransomware: Current Trend, Challenges, and Research Directions. [online] 1, pp.1,2.
Available at:
https://www.researchgate.net/publication/320346114_Ransomware_C urrent_Trend_Challenges_and_Research_Directions
[3] Insurance Times. (2018). Ransomware attacks make up quarter of AIG
cyber claims. [online] Available at:
https://www.insurancetimes.co.uk/ransomware-attacks-make-up- quarter-of-aig-cyber-claims/1427272.article
[4] James, L. (2014). Phishing Exposed. Rockland, MA: Elsevier Science, pp.2,3.
[5] I. Ghafir, V. Prenosil, M. Hammoudeh and U. Raza, “Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence,” International Conference on Future Networks and Distributed Systems. Cambridge, United Kingdom, 2017.
[6] Hatton, L. (2011). E-mail forensics. [New Malden]: Bluespear Pub.
[7] Aldwairi, M., Hasan, M. and Balbahaith, Z. (2017). Detection of Drive- by Download Attacks Using Machine Learning Approach.
International Journal of Information Security and Privacy, 11(4).
[8] U. Raza, J. Lomax, I. Ghafir, R. Kharel and B. Whiteside, “An IoT and Business Processes Based Approach for the Monitoring and Control of High Value-Added Manufacturing Processes,” International Conference on Future Networks and Distributed Systems. Cambridge, United Kingdom, 2017.
[9] I. Ghafir, V. Prenosil, and M. Hammoudeh, “Botnet Command and Control Traffic Detection Challenges: A Correlation-based Solution.”
International Journal of Advances in Computer Networks and Its Security (IJCNS), vol. 7(2), pp. 27-31, 2017.
[10] Rubens, P. (2017). Types of Ransomware. [online]
Esecurityplanet.com. Available at:
https://www.esecurityplanet.com/malware/types-of-ransomware.html [11] Www-03.ibm.com. (2016). Ransomware Study: Parents will Pay for Digital Memories. [online] Available at: https://www- 03.ibm.com/press/us/en/pressrelease/51230.wss#release
[12] I. Ghafir and V. Prenosil, “Malicious File Hash Detection and Drive- by Download Attacks,” International Conference on Computer and Communication Technologies, series Advances in Intelligent Systems and Computing. Hyderabad: Springer, vol. 379, pp. 661-669, 2016.
[13] Y. Connolly, L. and Wall, D. (2019). The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures.
Computers & Security, 87.
[14] I. Ghafir and V. Prenosil. “Proposed Approach for Targeted Attacks Detection,” Advanced Computer and Communication Engineering Technology, Lecture Notes in Electrical Engineering. Phuket: Springer International Publishing, vol. 362, pp. 73-80, 9, 2016.
[15] F-secure.com. (2019). Crypto-ransomware. [online] Available at:
https://www.f-secure.com/en/web/labs_global/crypto-ransomware [16] Kaspersky.co.uk. (2019). Different types of ransomware? [online]
Available at: https://www.kaspersky.co.uk/resource- center/threats/ransomware-examples.
[17] Gupta, M. (2015). [online] Pdfs.semanticscholar.org. Available at:
https://pdfs.semanticscholar.org/5d69/e94dc126f0a5f81440b02a5ac4c 81c30abba.pdf
[18] I. Ghafir, J. Svoboda, V. Prenosil, “A Survey on Botnet Command and Control Traffic Detection,” International Journal of Advances in Computer Networks and Its Security (IJCNS), vol. 5(2), pp. 75-80, 2015.
[19] Graham, C. (2017). NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history. [online] The
Telegraph. Available at:
https://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack- everything-need-know-biggest-ransomware-offensive/.
[20] Field, M. (2018). WannaCry cyber attack cost the NHS £92m as 19,000 appointments cancelled. [online] The Telegraph. Available at:
https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber- attack-cost-nhs-92m-19000-appointments-cancelled/.
[21] I. Ghafir and V. Prenosil, “Advanced Persistent Threat and Spear Phishing Emails.” International Conference Distance Learning, Simulation and Communication. Brno, Czech Republic, pp. 34-41, 2015.
[22] Xe.com. (2019). XE: Convert XBT/GBP. BTC to United Kingdom
Pound. [online] Available at:
https://www.xe.com/currencyconverter/convert/?Amount=1&From=
XBT&To=GBP.
[23] Author, S. (2019). What are the advantages of paying with Bitcoin?.
[online] Investopedia. Available at:
https://www.investopedia.com/ask/answers/100314/what-are- advantages-paying-bitcoin.asp.
[24] J. Svoboda, I. Ghafir, V. Prenosil, “Network Monitoring Approaches:
An Overview,” International Journal of Advances in Computer Networks and Its Security (IJCNS), vol. 5(2), pp. 88-93, 2015.
[25] I. Ghafir and V. Prenosil, “DNS query failure and algorithmically generated domain-flux detection,” International Conference on Frontiers of Communications, Networks and Applications. Kuala Lumpur, Malaysia, pp. 1-5, 2014.
[26] Kint, P. (2019). The Tor Browser: What is it and why would you use it? | VPNOverview.com. [online] VPNoverview.com. Available at:
https://vpnoverview.com/privacy/anonymous-browsing/tor/.
[27] Belcic, I. (2017). What is Locky Ransomware?. [online] What is Locky Ransomware?. Available at: https://www.avast.com/c-locky.
[28] I. Ghafir, J. Svoboda and V. Prenosil, “Tor-based malware and Tor connection detection,” International Conference on Frontiers of Communications, Networks and Applications. Kuala Lumpur, Malaysia, pp. 1-6, 2014.
[29] Tidy, J. (2019). How a ransomware attack cost one firm £45m. [online]
BBC News. Available at: https://www.bbc.co.uk/news/business- 48661152.
[30] F-secure.com. (n.d.). Trojan:W32/Reveton Description | F-Secure Labs. [online] Available at: https://www.f-secure.com/v- descs/trojan_w32_reveton.shtml.
[31] Kiguolis, U. (2018). What is Reveton? Description and removal steps.
[online] 2-spyware.com. Available at: https://www.2- spyware.com/remove-reveton-trojan.html.
[32] I. Ghafir, M. Husak and V. Prenosil, “A Survey on Intrusion Detection and Prevention Systems,” IEEE/UREL conference, Zvule, Czech Republic, pp. 10-14, 2014.
[33] Identitytheft.org.uk. (2018). Identity Theft – Information on identity theft. [online] Available at: https://www.identitytheft.org.uk/.
[34] Patterson, D. and Kates, G. (2019). We found our personal data on the dark web. Is yours there, too?. [online] Cbsnews.com. Available at:
https://www.cbsnews.com/news/we-found-our-personal-data-on-the- dark-web-is-yours-there-too/.
[35] Murphy, M. (2017). Honda struck by DEVASTATING ransomware that caused global chaos. [online] The Sun. Available at:
https://www.thesun.co.uk/tech/3849229/honda-struck-by-same- devastating-wannacry-ransomware-which-caused-global-chaos-and- knocked-nhs-offline/.
[36] I. Ghafir, V. Prenosil, M. Hammoudeh, T. Baker, S. Jabbar, S. Khalid and S. Jaf, “BotDet: A System for Real Time Botnet Command and Control Traffic Detection,” IEEE Access (IF=4.098), vol. 6, pp. 1-12, 2018.
[37] O. Imaji, A. (2019). Ransomware Attacks: Critical Analysis, Threats, and Prevention methods. [online] Available at:
https://www.researchgate.net/publication/332551447_Ransomware_A ttacks_Critical_Analysis_Threats_and_Prevention_methods#pff.
[38] Dobran, B. (2019). 27 Shocking Ransomware Statistics That Every IT Pro Needs To Know. [online] PhoenixNAP Global IT Services.
Available at: https://phoenixnap.com/blog/ransomware-statistics-facts.
[39] Bauer, R. (2019). Ransomware: How to Prevent Being Attacked and Recover After an Attack. [online] Backblaze Blog | Cloud Storage &
Cloud Backup. Available at:
https://www.backblaze.com/blog/complete-guide-ransomware/.
[40] ZoneAlarm. (n.d.). ZoneAlarm Anti-Ransomware. [online] Available at: https://www.zonealarm.com/anti-ransomware.
[41] I. Ghafir, V. Prenosil, M. Hammoudeh, F. J. Aparicio-Navarro, K.
Rabie and A. Jabban, “Disguised Executable Files in Spear-Phishing Emails: Detecting the Point of Entry in Advanced Persistent Threat.”
International Conference on Future Networks and Distributed Systems.
Amman, Jordan, 2018.
[42] Acronis.com. (n.d.). [online] Available at:
https://www.acronis.com/en-gb/personal/free-data-protection/.
[43] Dobran, B. (2019). 15 Critical Security Tactics For Preventing and Detecting Ransomware. [online] PhoenixNAP Global IT Services.
Available at: https://phoenixnap.com/blog/preventing-detecting- ransomware-attacks.
[44] Niyaz, Q., Sun, W., Y Javaid, A. and Alam, M. (2016). A Deep Learning Approach for Network Intrusion Detection System. [online]
Available at:
https://pdfs.semanticscholar.org/8101/1998c41e00d6b2a4dbb84dbeb2 d8f51bb895.pdf.
[45] Correa, F. (2017). “WannaCry” Ransomware Attack. Technical intelligence analysis, 17 – 20.
[46] Zimba, A., Simukonda, L., & Chishimba, M. (2017). Demystifying Ransomware Attacks: Reverse Engineering and Dynamic Malware Analysis of WannaCry for Network and Information Security. Zambia ICT Journal, 1, 35-40.
