MALWARE DEFENSE WHITE PAPER AND VIDEO REFLECTION
Contents
Executive Summary
Behavior analysis
Criminal business model
State-of-the-art detection method
Ransomware detection based on signatures
Changes to File system
Traffic analysis
Conclusion
References
Executive Summary:
Ransomware is a type of malware designed to prevent users from accessing their data, their operating system, and their device. It is found in two types: locker ransomware and crypto-ransomware. Locker ransomware locks users out of their device or operating system, effectively hijacking the device and OS, and forces them to pay to regain access to the OS and their files. Crypto-ransomware encrypts the victim's files and data with a strong encryption algorithm and demands payment to return the data. After the compromise, the attacker also sends the user instructions on how to pay and obtain the key that restores access to the data, files, and system. In this report we discuss the behavior analysis of ransomware and how ransomware is detected based on its behavior and the approaches used.
Behavior analysis:
The primary aim of ransomware is to encrypt the data files present on the target machine. Hence, almost 80% of ransomware shares common behaviors. The attacker uses a script that forces the target machine to stop working and encrypts or locks the machine's data. Detection or prevention of any ransomware therefore depends on monitoring many behaviors, ideally detecting the malware without taking resources away from the machine. Once the collected information is available, it is used manually to determine the nature of the process. Many languages, such as Python and .NET, and other operating systems such as Linux, are used for scripting to hijack data and systems. These scripts directly retrieve information about a process or send data to monitoring machines, which the attacker uses against the user. A secure communication channel is used to transfer the data for monitoring (Booker, Mario, 2021, p. 9).
To lessen the impact of ransomware infections, a Linux-based monitoring system is used. On a Windows platform, we conducted a test in which malware, trusted software, and ransomware were executed. The data collected from the malware, trusted software, and ransomware was then transferred to an Ubuntu machine with the help of a Python program, because not every piece of collected data needs to be monitored periodically. Two threads were generated initially: an analysis thread, which retrieves loop and variable data until the related process ends, and an info thread, which gathers the constant data, transfers it, and then stops. Because the data retrieval process did not take an equal amount of time for every value, two further threads were generated for slow-to-collect data: a file thread, which provides details about all files opened by a process, and a tagfile thread, which reads the content of the tagfile. Each thread produces a different type of data; this separation helps optimize the program, since retrieving a single value is time-consuming and the thread is paused while it waits.
Criminal business model:
Nowadays cryptographic ransomware is widely discussed: it scans the critical data present on the compromised computer, makes the data inaccessible to the victim by encrypting it, and demands money in return for the valuable data. Among the ransomware types, cryptographic ransomware is the most powerful and successful. Ransomware is a complete criminal business model used by criminals to collect a ransom in return for data through malicious activity.
A ransomware attack is successful only if it is carried out in the following way:
1. The attacker takes control of the mobile phone, computer, system or device. Normally the user is tricked through social engineering into opening an attachment, viewing a malicious link, or opening something malicious; malware is then installed on the user's system and the attacker takes control.
2. The owner of the device is prevented from accessing the data; encryption, screen lockouts, and scareware are used for this (Cardillo, Anna, 2020, p. 2511).
3. An alert message is displayed to the victim, informing them that the device is being held and asking for a ransom, with a payment method and account details.
4. If the victim transfers the payment, access to the device is returned to the victim after the payment is received. If a hacker thinks only in the short term and destroys the data even after receiving payment, the effectiveness of the method vanishes, since nobody will agree to pay a ransom without a guarantee that their data is safe.
5. If the owner of the device does not agree to pay the ransom, all of the above steps and the plan are destroyed.
If the hacker is unable to manage any one of these steps, the whole scheme is unsuccessful. The ransomware concept is old, but new techniques such as encryption and decryption are now used in the steps mentioned above. It is an effective criminal business model for revenue.
State-of-the-art detection method:
There are multiple methods for security teams to detect malware and ransomware. Basically, there are three categories of detection approaches:
1. signature-based methods
2. behavior-based methods
3. deception
A combination of malware analysis and automation is used for the detection of ransomware because it has the ability to detect malicious files at an early stage. But it is not that easy to detect malware every time. Our main aim is not to find malware but to find malicious activity.
Ransomware detection based on signatures:
Signature-based ransomware detection tries to learn signatures by comparing ransomware samples. In this environment, static analysis of a file is done quickly. Most antivirus software and security platforms scan the system to detect executable files quickly and find out whether they are authorized, original executables or were generated by the attacker as ransomware. To find the hash of a file, security teams can use different tools, such as open source intelligence tools, the PowerShell cmdlet Get-FileHash, and VirusTotal, to identify malware samples (Arabo, Abdullahi & Dijoux, 2020, p. 290).
These approaches are considered the initial level of defense. They can identify existing threats, and the signature-based detection method can also identify and detect new malware. However, attackers continuously update their files based on previous detections: they can create a new hash by amending a single byte of the existing file, so the detection ability decreases. According to the 2021 cyber threat report by SonicWall, a security company, 185,945 new malware variants were detected. Signature-based detection is able to detect previous versions of malware and known files.
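The following is an added example, not code from the paper: a minimal hash-blocklist scanner that hashes files under a directory and compares them with a constructed "known bad" set, then shows why amending one byte of a file is enough to slip past it. The sample bytes and hash set are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a known ransomware sample (a byte string, not a real binary).
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed sample body " * 16


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file on disk, read in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed signature database: the hashes a scanner would normally load from threat intel.
KNOWN_BAD = {sha256_bytes(SAMPLE_BYTES)}


def scan_directory(root, known_bad=KNOWN_BAD):
    """Hash every regular file under root; return the paths whose hash is on the blocklist."""
    return [p for p in Path(root).rglob("*") if p.is_file() and sha256_file(p) in known_bad]


def amend_one_byte(data):
    """Flip one bit of the last byte: the trivial change that produces a brand-new hash."""
    b = bytearray(data)
    b[-1] ^= 0x01
    return bytes(b)


def demo_in_tempdir():
    """Write the sample and a one-byte variant, scan the directory, return flagged file names."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sample.bin").write_bytes(SAMPLE_BYTES)
        (root / "variant.bin").write_bytes(amend_one_byte(SAMPLE_BYTES))
        return sorted(p.name for p in scan_directory(root))


if __name__ == "__main__":
    print("flagged:", demo_in_tempdir())  # only sample.bin; variant.bin is missed by the blocklist
```

The same check can be reproduced on Windows with Get-FileHash against a hash list; the point is that the variant is functionally identical but has a different signature.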
Detection methods based on behavior
Behavior detection methods analyze behavior with the help of historical data. Security teams compare standard behavior with current behavior using indicators of compromise. For example, the system notes that an employee is present and online from the company, but the same account is also logged in from another state.
Below are three behavior methods.
Changes to File system
Security teams should note abnormal behavior of files and their execution, such as a large number of file renames at the same time. Normally there are few renames in a routine workday, but a lot of such activity in a small amount of time should be noticed by security professionals and raise a red flag.
Ransomware can stay hidden before it executes, so security professionals should also keep an eye on the frequency of file creation.
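As an added example (not from the paper), the rename-burst rule above expressed as a sliding-window detector over a constructed file-event log: a user renames a few files over a workday, while a constructed process called unknown.exe renames dozens in seconds. The event tuple layout, threshold and window are assumptions.

```python
from collections import defaultdict, deque

# Constructed file-event log: (seconds since start, pid, process, operation, path).
SAMPLE_EVENTS = [
    (0.0, 4211, "explorer.exe", "rename", "C:/Users/a/Documents/draft1.docx"),
    (900.0, 4211, "explorer.exe", "create", "C:/Users/a/Documents/notes.txt"),
    (1800.0, 4211, "explorer.exe", "rename", "C:/Users/a/Documents/draft2.docx"),
] + [
    # constructed burst: 40 renames by one process, one every 250 ms
    (3600.0 + i * 0.25, 5120, "unknown.exe", "rename", f"C:/Users/a/Documents/file{i}.docx")
    for i in range(40)
]


def detect_rename_bursts(events, window_seconds=10.0, threshold=20):
    """Flag any process that performs >= threshold renames inside a sliding time window.

    Returns a list of (pid, process, window_start, count), at most one alert per pid,
    raised at the moment the threshold is first crossed.
    """
    recent = defaultdict(deque)  # pid -> timestamps of that pid's renames still in the window
    alerts = {}
    for ts, pid, proc, op, _path in sorted(events, key=lambda e: e[0]):
        if op != "rename":
            continue
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window_seconds:  # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = (pid, proc, q[0], len(q))
    return list(alerts.values())


if __name__ == "__main__":
    for pid, proc, start, n in detect_rename_bursts(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {proc}: {n} renames within 10s starting at t={start}s")
```

The same window logic applies to file creations, which the text also recommends watching; only the operation filter changes.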
Traffic analysis
Security teams should also detect anomalies in traffic, such as software connecting to a shady file-sharing website, and the time at which such activity occurs. An increased volume of traffic should also be noticed and examined by professionals to check where it originates. Ransomware needs network connectivity to exchange decryption keys and to receive control instructions and commands (Wasiuta, Olga, 2020, p. 242).
This detection method also needs time for analysis, and it can produce false positive results.
3. Deception-based detection
The third detection technique is the deception-based technique; a honeypot is the usual example in this context. A file repository can be set up as bait for attackers. Normally, users of the system will not interact with that server, so if you notice activity on it, it must be an attack.
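An added example (not from the paper) of the bait idea at file level: canary files that no legitimate user has reason to touch are deployed with a recorded hash, and any later modification or disappearance is treated as a signal. The canary names and the simulated encryptor behavior are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed canary names: files real users have no reason to open or rename.
CANARY_NAMES = ["~$budget_archive.xlsx", "zz_do_not_open.docx"]


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def deploy_canaries(root):
    """Create the canary files and return a baseline {path: sha256} to check against later."""
    baseline = {}
    for name in CANARY_NAMES:
        p = Path(root) / name
        content = ("canary file " + name + "\n").encode() * 32
        p.write_bytes(content)
        baseline[str(p)] = _digest(content)
    return baseline


def check_canaries(baseline):
    """Return (path, reason) for every canary that is missing or whose content has changed."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "missing"))
        elif _digest(p.read_bytes()) != digest:
            alerts.append((path, "modified"))
    return alerts


def demo():
    """Deploy canaries, confirm a clean check, then simulate an encryptor touching both.

    Returns (number of alerts before, sorted alert reasons after)."""
    with tempfile.TemporaryDirectory() as d:
        baseline = deploy_canaries(d)
        before = len(check_canaries(baseline))
        first, second = (Path(p) for p in baseline)
        first.write_bytes(b"\x00" * 64)               # constructed: content overwritten in place
        second.rename(second.with_suffix(".locked"))  # constructed: original renamed away
        return before, sorted(reason for _, reason in check_canaries(baseline))


if __name__ == "__main__":
    print(demo())  # (0, ['missing', 'modified'])
```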
Conclusion:
Ransomware is found in two types: locker ransomware and crypto-ransomware. Locker ransomware locks users out of their device or operating system, effectively hijacking the device and OS, and forces them to pay to regain access to the OS and their files. Crypto-ransomware encrypts the victim's files and data with a strong encryption algorithm and demands payment to return the data. After the compromise, the attacker also sends the user instructions on how to pay and obtain the key that restores access to the data, files, and system.
References:
Cardillo, Anna. (2020). Ransomware. Berliner Anwaltsblatt. doi:10.37307/j.2510-5116.2020.11.36
Wasiuta, Olga. (2020). Ransomware. 2, 240-248.
Booker, Mario. (2021). Ransomware as Hostage Negotiation.
Rosli, Safwan. (2020). Discovering Ransomware Behavior by Host-based Approach.
Arabo, Abdullahi, Dijoux, Remi, Poulain, Timothee & Chevalier, Gregoire. (2020). Detecting Ransomware Using Process Behavior Analysis. Procedia Computer Science, 168, 289-296. doi:10.1016/j.procs.2020.02.249