MALWARE DEFENSE WHITE PAPER AND VIDEO REFLECTION

Contents
Executive Summary
Behavior analysis
Criminal business model
State-of-the-art detection method
    Ransomware detection based on signatures
    Changes to file system
    Traffic analysis
Conclusion
References

Executive Summary:

Ransomware is a type of malware designed to prevent users from accessing their data, their operating system and their device. Ransomware is found in two types: locker ransomware and crypto-ransomware. Locker ransomware locks users out of their device; the attackers effectively hijack the device and the OS and force the user to pay in return for access to the OS and files.
Crypto-ransomware encrypts the user's files and data with a complex encryption algorithm and demands payment to return the data. After the hijacking, the attacker also sends the user instructions on how to send the payment and obtain the key that restores access to the data, files and system. In this report we discuss the behavior analysis of ransomware; ransomware is detected based on its behavior and approaches.

Behavior analysis:

The only aim of ransomware is to encrypt the data files on the target machine; hence almost 80% of ransomware shares common behaviors. The attacker uses a script that forces the target machine to stop working and encrypts or locks the machine's data. Detection or prevention of ransomware therefore depends on monitoring many behaviors, and on detecting the malware without consuming other resources on the machine. When information about a process has been collected, it is used manually to determine the nature of the process. Many languages, such as Python and .NET, and other operating systems, such as Linux, are used to write the scripts that hijack data and systems. These scripts directly retrieve information about a process, or send data directly to a monitoring machine over a secure communication channel, which the attackers then use against users (Booker, 2021, p. 9).

To lessen the impact of a ransomware infection, a Linux-based monitoring system is used. On a Windows platform we ran a test in which malware, trusted software and ransomware were executed. The data collected from the malware, the trusted software and the ransomware was then transferred to an Ubuntu machine with the help of a Python program. Because not every piece of collected data needs to be monitored periodically, two threads were created initially: the first is the analysis thread, which retrieves the loop and variable data until the related process ends.
The second is the info thread, which gathers the constant data, transfers it and then stops. Because data retrieval did not take an equal amount of time for every value, two further threads were created for the slow-to-collect data: a thread named file, which reports all files opened by a process, and a thread named tagfile, which reads the content of the tag file. Each thread handles a different type of data; this separation optimizes the program, because retrieving a single value takes time and the thread is paused while it waits.

Criminal business model:

Nowadays the cryptographic ransomware is the type most discussed: it scans the critical data on the compromised computer, makes that data inaccessible to the victim by encrypting it, and demands money in return for the valuable data. Among the ransomware types, cryptographic ransomware is the most powerful and successful. Ransomware is a complete criminal business model, used by criminals to obtain a ransom in return for data through malicious activity. A ransomware attack is successful if it proceeds in the following way. First, the attacker takes control of the mobile phone, computer, system or device: normally the user is tricked through social engineering into viewing an attachment, clicking a malicious link or opening something malicious, after which malware is installed on the user's system and the attacker takes control. The owner of the device is then prevented from accessing the data through encryption, screen lockouts or scareware (Cardillo, 2020, p. 2511). An alert message is displayed to inform the victim that the device is being held and to ask for the ransom, providing the payment method and account details. If the victim transfers the payment, access to the device is returned to the victim after the payment is received.
If an attacker thinks only of the short term and destroys the data even after receiving the payment, the method loses its effect, because nobody will agree to pay a ransom without a guarantee that the data is safe. Conversely, if the owner of the device does not agree to pay the ransom, all of the above steps and the plan fail. If the attacker cannot manage any one of the steps, the whole scheme is unsuccessful. The ransomware concept is old, but new techniques such as encryption and decryption are now used within the steps mentioned above. It is an effective criminal business model for generating revenue.

State-of-the-art detection method:

Security teams have multiple methods for detecting malware and ransomware. Basically, there are three categories of detection approaches:

- signature-based methods
- behavior-based methods
- deception

A combination of malware analysis and automation is used for ransomware detection because together they can detect malicious files at an early stage. However, it is not easy to detect malware every time. Our main aim is not to find malware but to find malicious activity.

Ransomware detection based on signatures:

Signature-based ransomware detection learns signatures by comparing ransomware samples. In this setting, static analysis of a file is done quickly. Most antivirus software and security platforms scan the system to inspect executable files quickly and find out whether they are authorized, original executables or files generated by the attacker for ransomware. To obtain the hash of a file, security teams can use different tools, such as open source intelligence tools, the PowerShell cmdlet Get-FileHash and VirusTotal, to identify malware samples (Arabo et al., 2020, p. 290). These approaches are considered the initial level of defense.
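The hash-based check described above, written out as an added example (not code from the paper). It computes the same SHA-256 digest that Get-FileHash prints by default, compares it against constructed block/allow lists, and shows why the check is only a first line of defense: the sample bytes and list entries are hypothetical, and appending a single byte to a known sample already yields an unknown hash.

```python
import hashlib

# Constructed samples (hypothetical bytes, not real malware): a "known" ransomware
# file, a trusted executable, and the hash lists a security team would build from
# Get-FileHash output or VirusTotal lookups.
KNOWN_BAD = b"MZ\x90\x00" + b"encrypt-all-files" * 16
KNOWN_GOOD = b"MZ\x90\x00" + b"trusted-text-editor" * 16


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest, the default algorithm of PowerShell's Get-FileHash."""
    return hashlib.sha256(data).hexdigest()


BLOCKLIST = {sha256_hex(KNOWN_BAD): "ransomware.sample.A"}   # hypothetical entry
ALLOWLIST = {sha256_hex(KNOWN_GOOD): "editor.exe"}           # hypothetical entry


def classify(data: bytes) -> str:
    """Exact-hash signature check: malicious, trusted, or unknown (needs analysis)."""
    digest = sha256_hex(data)
    if digest in BLOCKLIST:
        return "malicious:" + BLOCKLIST[digest]
    if digest in ALLOWLIST:
        return "trusted:" + ALLOWLIST[digest]
    return "unknown"


def scan(files: dict) -> dict:
    """Scan a mapping of path -> file bytes and return a verdict per path."""
    return {path: classify(data) for path, data in files.items()}


def append_one_byte(data: bytes) -> bytes:
    """The trivial variant the paper describes: the same file with one extra byte."""
    return data + b"\x00"


if __name__ == "__main__":
    print(scan({"a.exe": KNOWN_BAD, "b.exe": KNOWN_GOOD}))
    # the one-byte variant falls through to "unknown": signatures alone miss it
    print(classify(append_one_byte(KNOWN_BAD)))
```

Anything that scans as "unknown" is exactly the case the behavior-based methods later in the report are meant to cover.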
Signature-based detection identifies existing threats, and the method can also identify and detect new malware. Attackers continuously update their files in response to previous detections; they can create a new hash simply by amending one byte of an existing file, so the detection ability decreases. According to the 2021 cyber threat report by SonicWall, a security company, 185,945 new malware variants were detected. Signature-based detection is able to detect previous versions of malware and known files.

Detection methods based on behavior:

Behavior-based detection methods analyze behaviors with the help of historical data. Security teams compare the standard behavior with current behaviors using indicators of compromise, for example when the system notes that an employee is present and online from the company's premises but the same account is also logged in from another state. The behavior-based methods are described below.

Changes to file system:

Security teams should note abnormal file behaviors and executions, such as a large number of files being renamed at the same time. Normally there are few renames in a workday, so a lot of such activity in a small amount of time should be noticed by security professionals and raise a red flag. Ransomware can stay hidden before it executes, so security professionals should also keep an eye on the frequency of file creation.

Traffic analysis:

Security teams should also detect anomalies in network traffic, such as software connecting to a shady file-sharing website, and the timing of such activity. An increased volume of traffic should be flagged and examined to check where it originates. Ransomware needs network connectivity to exchange the decryption keys and to receive control instructions and commands (Wasiuta, 2020, p. 242). This detection method also needs time for analysis, and it can produce false positive results.

Deception-based detection:

The third detection technique is deception-based. A honeypot is the classic example: a file repository that attackers regard as a worthwhile target serves as bait. Normally the users of the system will not interact with that server, so if any activity is noticed there, it must be an attack.

Conclusion:

Ransomware is found in two types: locker ransomware and crypto-ransomware. Locker ransomware locks users out of their device; the attackers effectively hijack the device and the OS and force the user to pay in return for access to the OS and files. Crypto-ransomware encrypts the user's files and data with a complex encryption algorithm and demands payment to return the data. After the hijacking, the attacker also sends the user instructions on how to send the payment and obtain the key that restores access to the data, files and system.

References:

Cardillo, Anna. (2020). Ransomware. Berliner Anwaltsblatt. 10.37307/j.2510-5116.2020.11.36.
Wasiuta, Olga. (2020). Ransomware. 2. 240-248.
Booker, Mario. (2021). Ransomware as Hostage Negotiation.
Rosli, Safwan. (2020). Discovering Ransomware Behavior by Host-based Approach.
Arabo, Abdullahi, Dijoux, Remi, Poulain, Timothee & Chevalier, Gregoire. (2020). Detecting Ransomware Using Process Behavior Analysis. Procedia Computer Science. 168. 289-296. 10.1016/j.procs.2020.02.249.
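Appendix: added example (not code from the paper) combining two of the detection methods from the detection section above, the file-system change check and the deception-based check. It runs over a constructed file-activity log in a hypothetical "<ISO time> <pid> <op> <path>" format, flags any process that renames at least a threshold number of files inside a short sliding window, and flags any process that touches files under a hypothetical decoy (honeypot) directory that real users never open.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format "<ISO time> <pid> <op> <path>"), not data from the paper.
NORMAL = [
    "2024-03-01T09:00:01 4120 create C:\\Users\\alice\\report.docx",
    "2024-03-01T09:00:05 4120 rename C:\\Users\\alice\\report.docx",
    "2024-03-01T09:03:30 4120 rename C:\\Users\\alice\\notes.txt",
    "2024-03-01T09:05:00 5588 read C:\\Users\\alice\\budget.xlsx",
]
# Constructed burst: process 7731 renames 30 files within 6 seconds, then opens a decoy file.
BURST = [f"2024-03-01T09:10:{i // 5:02d} 7731 rename C:\\Users\\alice\\doc{i}.docx" for i in range(30)]
BURST.append("2024-03-01T09:10:07 7731 read C:\\Share\\decoy\\payroll_backup.xlsx")
SAMPLE_LOG = NORMAL + BURST

DECOY_PREFIX = "C:\\Share\\decoy\\"  # hypothetical bait repository no legitimate user touches


def parse_line(line):
    ts, pid, op, path = line.split(" ", 3)  # maxsplit keeps spaces inside the path intact
    return datetime.fromisoformat(ts), int(pid), op, path


def rename_bursts(lines, window_s=10, threshold=20):
    """Return pids that renamed >= threshold files within any window_s-second window.
    Baseline from the paper: a normal workday has only a few renames, so a burst is a red flag."""
    recent = defaultdict(deque)  # pid -> timestamps of its renames inside the window
    flagged = set()
    for ts, pid, op, _ in map(parse_line, lines):
        if op != "rename":
            continue
        window = recent[pid]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_s):
            window.popleft()  # drop renames that fell out of the sliding window
        if len(window) >= threshold:
            flagged.add(pid)
    return flagged


def decoy_access(lines, prefix=DECOY_PREFIX):
    """Return pids that touched the bait files at all; any access there is treated as an attack."""
    return {pid for _, pid, _, path in map(parse_line, lines) if path.startswith(prefix)}


def analyze(lines):
    return {"rename_burst": rename_bursts(lines), "decoy_access": decoy_access(lines)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))  # {'rename_burst': {7731}, 'decoy_access': {7731}}
```

The burst detector assumes the log is in time order per process; the decoy check needs no baseline at all, which is why the paper treats it as a separate category.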