This document summarizes a paper about the history, mechanisms, and countermeasures of ransomware. It describes how ransomware has evolved since 1989 from simply encrypting file names to using sophisticated encryption techniques and ransom payment through cryptocurrencies. Recent ransomware incidents have targeted hospitals, which feel pressure to pay ransoms to avoid putting patients at risk. Key countermeasures include awareness training to prevent infection through phishing emails, as well as maintaining backups to recover data without paying ransoms. Sandbox deployment and signature analysis can also help detect and block ransomware.
Ransomware: The History, Mechanisms and
Countermeasures
Yue Zhu
Information Security Institute
Johns Hopkins University
Baltimore, MD, United States
yzhu48@jhu.edu
Ren Hao
Information Security Institute
Johns Hopkins University
Baltimore, MD, United States
rhao1@jhu.edu
Abstract—This paper introduces the history, mechanisms and
potential countermeasures of ransomware. Ransomware introduces
new risks to our community, and hospitals have been the targets
in recent incidents. From 1989 to now, the sophistication of
ransomware has been increasing rapidly. Nowadays, ransomware
writers use hybrid encryption schemes to lock victims’ files, and
recovering the encrypted files or encrypted keys by brute force
is not feasible in a useful time frame. Hospitals in particular
cannot afford to wait, because waiting puts their patients at
risk. Currently, ransomware uses spam emails to reach victims;
once victims download the malicious attachments, they are
infected. Awareness training is the key factor in decreasing the
rate at which Internet users’ systems are infected. Moreover, if
victims do get infected, the most efficient way to minimize the
loss is to recover data from backups. In this paper, we also
briefly discuss countermeasures such as signature comparison and
sandbox deployment.
Keywords—Ransomware, Encryption, Awareness Training,
Sandbox
I. INTRODUCTION
Malware is no longer a strange term to the majority of our
community. As information technology becomes more advanced, the
sophistication of malware also increases rapidly. The incentives
to write malware have changed as well. As Giri and Jyoti [1]
state in their research, “The days when computer malware was
written for fame are long gone. Money is what causes the
adrenaline rush in cyber criminals these days”. Hackers are now
more interested than ever in making money quickly. Ransomware,
as its name indicates, demands ransoms from victims. For common
Internet users, the ransom may just be money, but for enterprises
or organizations, it can be something more valuable, such as
organizational resources or even secret information. Until the
ransom is paid, ransomware restricts victims’ access to their own
files. The potential risk of not paying also depends on who the
victim is. For common Internet users it may not be severe, but
for enterprises or organizations, losing access to information
systems or files can cause huge damage. Recently, according to
Digital Trends’ report [2], “a Hollywood hospital whose computer
systems were locked up by ransomware earlier this month has paid
$17,000 in bitcoin in regain access to its data”. Hackers locked
the hospital’s information system and restricted normal access to
patients’ records, and the hospital finally decided to pay the
ransom because that was the fastest way to solve the problem;
hospitals cannot afford to put their patients at risk.
Ransomware has also been evolving since its first appearance.
Although its first appearance can be traced back to 1989, it did
not peak until 2009. Nowadays, the most common type of
ransomware is Crypto Ransomware, and it is also the most
efficient way for hackers to make money. This paper covers
Crypto Ransomware in detail.
The way Internet users get infected by ransomware is quite
similar to other malware, and phishing is the most common way
for attackers to spread ransomware over the Internet. In this
paper, we provide more details on how to prevent infection and,
more importantly, how to solve the problem once victims are
infected.
II. HISTORY OF RANSOMWARE
Ransomware has been at its peak since 2009, but the first
ransomware actually appeared in 1989. From the AIDS Trojan and
Fake AV to CryptoWall and CryptoLocker, the sophistication of
ransomware has increased dramatically. One of the most recent
versions is CryptoWall 3.0, whose sophistication includes the use
of hybrid encryption schemes and a C&C server.
A. The First Ransomware
The origin of ransomware can be traced back to 1989, when the
AIDS Trojan first appeared. According to Wang, Chen and Xu’s
review of Trojans [3], “To call it AIDS, because certain
information about price of HIV medicines and prevention measures
is stored in that disk”. Moreover, the Trojan hides directories
and encrypts all the file names on drive C. The user is then
asked to contact PC Cyborg Corporation for payment in order to
renew the license.
The AIDS Trojan is the origin of ransomware. It disguised itself
as a Trojan, and it worked by encrypting all the file names on
drive C and asking for money. This functionality defined what
ransomware was.
B. Scareware
In 2009, Fake Antivirus (Fake AV) peaked. Scareware may be a
better name for this type of ransomware. As Google’s research
paper [4] describes, Fake AV scares people by claiming there are
viruses on their systems and then asks them to pay for an
anti-virus service. Of course, Fake AV does not know whether
there are viruses on people’s systems, but Fake AV writers do
know they can scare someone into paying them money. Fake AV
represents the phishing-attack version of ransomware, and
surprisingly, researchers from Google [4] found that Fake AV
accounts for 15% of all malware detected by their systems.
C. Crypto Ransomware
Crypto Ransomware is a family of ransomware that encrypts
victims’ files in order to restrict victims’ access to their own
systems or files. Compared to the AIDS Trojan, Crypto Ransomware
uses much more complicated encryption schemes. Once victims’
files are kidnapped by attackers, victims have to pay the ransom
to get the decryption keys in exchange. In most cases strong
encryption is used, which means breaking the encryption by brute
force is infeasible. Crypto Ransomware is also currently the
most popular type, and it includes CryptoWall and
CryptoLocker [5].
III. ANALYSIS OF CRYPTO RANSOMWARE
Various types of Crypto Ransomware have been detected, and all
of them share many similarities. In this section, we discuss the
encryption schemes, infection vectors and payment process of
Crypto Ransomware. According to Hampton and Baig’s research [6]
on ransomware, successful ransomware requires three core
technologies. First, it requires strong and reversible
encryption to lock victims’ files. Second, it needs a system for
anonymously communicating keys and decryption tools. Last but
not least, it requires an untraceable way to pay the ransom. In
this section, we introduce how Crypto Ransomware incorporates
these three factors.
A. Encryption
As Hansberry, Lasser and Tarrh stated in their research [7],
“encryption, which is designed to protect people’s privacy, is
now the weapon that are used by hackers to kidnap people’s files
and systems”. New versions of ransomware use hybrid encryption
schemes to hijack victims’ files. In most cases, current Crypto
Ransomware uses symmetric encryption to encrypt victims’ files,
and the symmetric key is then encrypted with the attacker’s
public key using asymmetric encryption. As a result, recovering
the decryption key may be even harder than recovering the
encrypted file, and only the attacker, who holds the private key,
is able to access the decryption key [7].
Different Crypto Ransomware families have different targets. For
instance, CryptoWall targets a large group of file extensions,
but CryptoLocker mainly focuses on professional-class file types,
like Word, Excel, Photoshop, and InDesign. Based on this feature,
CryptoWall may focus more on common Internet users, while
CryptoLocker is more interested in attacking enterprises by
locking important files [7].
Fig. 1. Example of C&C Server [8]
B. C&C Server
A C&C server is used by ransomware writers as part of the
attack. According to Kotov and Rajpal’s report [8], for
instance, CryptoLocker and CryptoWall fetch a public key from
the C&C server and then perform the encryption. Fig. 1
illustrates this process. First, the client side gathers the
victim machine’s information and encrypts it with an AES session
key. This information includes the malware version, system
language, and a numeric ID [6]. The AES key is then encrypted
using RSA with the hardcoded C&C public key. The encrypted data
and the encrypted AES session key are concatenated and sent to
the server. At this point, the server uses its private key to
decrypt both the AES session key and the victim’s information.
Finally, the server generates a new key pair, which will be used
for the real encryption of the victim’s files, and sends it back
to the victim’s machine [8].
C. Infection Vector
The infection vectors of ransomware are quite similar to those of
common malware. Some ransomware uses exploit kits to reach
victims’ machines and execute on victims’ systems, but nowadays
most ransomware writers use spam emails and adware to spread
ransomware over the Internet.
There are two main reasons to use phishing attacks instead of
exploit kits: first, it is easier; second, it is cheaper. Using
exploit kits requires long-term planning to gather the target’s
information and make plans, but spam emails only require victims
to open the attachment, and attackers are able to send spam
emails to thousands of victims by using their botnets. Although
humans have created security mechanisms to prevent systems from
being exploited, unfortunately humans are much easier to exploit
than systems. We discuss this specifically later in this paper.
The spam email from the CryptoWall writers contains an archive
file, and within the archive is a CHM file with an Adobe PDF
icon. The CHM file is linked to the payload of CryptoWall.
Fig. 2 shows an example of such a spam email. When the victim
clicks the download button, the ransomware is also downloaded in
the background [5].
Fig. 2. Example of a spam email that contains ransomware [9]
Crypto Ransomware also hides itself carefully, as well-designed
malware does. In Sophos’ report [5], for example, when
CryptoWall is executed, it first launches a new instance of the
explorer.exe process, injects its unpacked binary into it, and
then executes the injected code. Next, Crypto Ransomware deletes
volume shadow copies; CryptoWall, for example, uses the
vssadmin.exe tool for this step. Then it launches a new process
that connects to the C&C server to do the rest of the work. Once
the public key is obtained, encryption of files starts.
D. Payment Process
As described at the beginning of this section, successful
ransomware needs an untraceable way to pay the ransom [6].
Almost all ransomware requires victims to pay the ransom in
bitcoins. Moreover, the transactions are done over TOR services.
With these two features, Crypto Ransomware writers hide
themselves from legal investigations. Fig. 3 is an example of
the instructions victims get once they are infected. By clicking
the link, victims are directed to pay the ransom in bitcoins.
Fig. 3. Example of ransomware’s payment page [10]
E. CTB-Locker Ransomware
CTB-Locker is a special type of ransomware that needs to be
introduced separately. First, CTB-Locker does not require a
network connection to perform encryption. Second, CTB-Locker
uses more efficient asymmetric encryption [5].
According to Sophos’ report [5], CTB-Locker uses Elliptic Curve
Cryptography (ECC) to perform asymmetric encryption. A benefit
that ECC has over RSA is that equivalent security levels can be
achieved with much smaller key sizes. For example, a 256-bit ECC
key is equivalent to a 3072-bit RSA key. Moreover, CTB-Locker
does not need to contact a C&C server; it encrypts victims’ files
directly with keys embedded inside itself.
F. Passing Sandbox Detection
Sandbox deployment is a countermeasure that can be used to
defeat ransomware, but ransomware like CryptoWall is able to
detect whether it is inside a sandbox. This feature is called an
Anti-VM check. CryptoWall checks whether it is in a virtual
environment. If so, it behaves innocently until it is inside a
real system [11].
G. Trends of Ransomwares
The trends of ransomware are hard to predict, but one thing is
sure: it is going to become more complex. As Liao [12]
describes, for example, if ransomware writers add a rootkit to
hide the installer of the ransomware, then even if we break its
password, it will encrypt the files again. Or ransomware will
use password protection: after a certain number of key input
attempts, it will delete all encrypted files.
One of the newer types of ransomware is Jigsaw Ransomware. Its
distinguishing feature is that it not only encrypts files but
also deletes them if you do not pay the ransom. Jigsaw
Ransomware deletes files every hour [13].
Previously, Crypto Ransomware used AES in CTR mode with the same
key and a fixed IV. As a result, this encryption scheme was
breakable. After a generic decryption tool was released,
ransomware writers now mostly use AES in CBC mode, which results
in a unique keystream [5].
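Why a fixed key and IV in counter mode is recoverable without the key, shown as an added example (not code from this paper or from [5]): one file whose clean copy survives, for instance in a backup, yields the keystream that decrypts the others. The keystream is a SHA-256 counter construction standing in for AES-CTR, and the file contents, key and IV values are constructed.

```python
import hashlib


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || iv || i).

    Stand-in for AES-CTR (assumption: standard library only). It shares the
    property that matters: the keystream depends on (key, iv), not the data.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    return xor(data, keystream(key, iv, len(data)))


def recover_keystream(known_plaintext: bytes, its_ciphertext: bytes) -> bytes:
    """Defender side: plaintext XOR ciphertext is the keystream, no key needed."""
    return xor(known_plaintext, its_ciphertext)


def decrypt_with_keystream(ciphertext: bytes, ks: bytes):
    """Return (recovered prefix, trailing bytes the keystream does not cover)."""
    return xor(ciphertext, ks), max(0, len(ciphertext) - len(ks))


# Constructed sample data.
KEY = hashlib.sha256(b"constructed demo key").digest()  # never used by the defender
FIXED_IV = bytes(16)
KNOWN_FILE = b"Stock template shipped with the office suite; a clean copy exists in backup.\n"
OTHER_FILE = b"Ward 3 rota, week 17: constructed sample text.\n"
LONG_FILE = OTHER_FILE * 3


def demo():
    ks = recover_keystream(KNOWN_FILE, ctr_encrypt(KEY, FIXED_IV, KNOWN_FILE))
    # Same key, same IV: the recovered keystream opens every other file.
    same_iv = decrypt_with_keystream(ctr_encrypt(KEY, FIXED_IV, OTHER_FILE), ks)
    # Recovery only reaches as far as the known plaintext is long.
    long_file = decrypt_with_keystream(ctr_encrypt(KEY, FIXED_IV, LONG_FILE), ks)
    # A different IV per file gives a different keystream, so recovery fails.
    fresh_iv = decrypt_with_keystream(ctr_encrypt(KEY, b"\x01" * 16, OTHER_FILE), ks)
    return same_iv, long_file, fresh_iv


if __name__ == "__main__":
    for label, (text, uncovered) in zip(("same IV", "long file", "fresh IV"), demo()):
        print(label, uncovered, text[:40])
```

Recovery is limited to the length of the longest known plaintext, which is why the long file comes back only in part.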
The future of ransomware is unknown, but ransomware writers’
incentives are trending toward making victims pay faster and
scaring victims by doing real damage, such as deleting their
files.
IV. RECENT INCIDENTS
According to CNN Money [14], the FBI says it received 2,453
complaints about ransomware hold-ups last year, and potential
losses are estimated to be more than $24 million.
It is only the fourth month of 2016, but many ransomware
incidents have already been reported. TABLE I lists some
well-known ones.
In the most recent incident, MedStar Health turned away patients
because it lost most functions of its systems except reading
records [15]. As TABLE I shows, all three attacks targeted
hospitals, and the reason is straightforward. When a hospital’s
information systems are locked, the hospital cannot afford to put
its patients at risk, and as a result it may prefer to pay the
ransom and save time for its patients.
TABLE I. THREE RECENT INCIDENTS
Date        Victim                                      Ransom   Final solution
03/28/2016  MedStar Health [15]                         $19,000  In Progress
03/16/2016  A Kentucky Hospital [16]                    $1,600   Used backup
02/05/2016  Hollywood Presbyterian Medical Center [2]   $17,000  Paid
V. COUNTERMEASURES
While security professionals are analyzing ransomware, the rest
of the community is probably more interested in how to fight it.
In this section, we discuss how to prevent your systems from
being infected and how to minimize the loss if they are.
A. Awareness Training
Although ransomware encrypts victims’ files, defeating the
encryption scheme to recover the files should not be the answer
to this problem; it is not feasible in a useful time frame.
Almost all ransomware now uses phishing attacks to reach victims,
and as described above, when victims are deceived into opening
the attachment in a spam email, the ransomware is executed and
carries out further actions. Ransomware not only draws the
attention of the information security community, but also raises
the importance of human factors in information security once
more.
When a corporate employee sees an email that claims to be from
the CEO, the employee will probably open it instantly, since
he/she really wants to impress his/her boss. In this case,
awareness training is a necessary step in defeating ransomware.
Without a good understanding of the importance of security and
the potential risks of threats, people are likely to make
errors. According to Tversky and Kahneman’s studies [17], people
are not good at making trade-offs between risks, losses, and
gains. In their 1981 experiment, they showed two options to
participants and let them choose the better one.
If Program A is adopted, 200 people will be saved.
(72 percent of participants chose this option)
If Program B is adopted, there is 1/3 probability that
600 people will be saved, and 2/3 probability that
nobody will be saved. (28 percent chose this option).
A simple calculation shows that these two choices actually end up
with the same expected result, but people are not good at making
trade-offs; they rely on their intuition. This experiment
reflects the fact that people are not good at making choices when
they are facing real risks.
On the other hand, security is an abstract concept in people’s
minds [18]. More importantly, people do not wish to spend time
on security. In most people’s minds, security generates costs
but does not bring any additional profit, and improving the
security level usually decreases the efficiency of operations.
As a result, people make worse decisions in order to make their
lives easier. For example, when an organization requires
employees to use complicated passwords, employees end up writing
the passwords on a piece of paper and sticking it on the
computer monitor.
Awareness training might be more important than purchasing more
expensive firewalls and intrusion detection systems. During
awareness training, it is essential to teach employees common
techniques for validating email senders, and if there is any
doubt, the employee should contact the security group before
making further decisions. Awareness training should also teach
employees how information security can bring revenue. For
example, suppose you invest $100,000 in security training while
your competitors choose not to. When ransomware targets
companies in your field, all of your competitors lose $500,000,
and you lose only $200,000 because of your previous security
investment; the $300,000 difference is the money you “earned”.
B. Back Up Your Data
The battle between hackers and security professionals has lasted
for decades. Keeping your software and antivirus tools updated
is encouraged, but it is not the essential plan for meeting the
challenge of ransomware.
Cryptography nowadays is designed to be unbreakable within a
feasible time frame. Although some encryption schemes can be
broken theoretically, victims in the real world cannot afford the
loss over that long a time. Efforts spent on trying to decrypt
are meaningless.
Attackers want to extort money by making your files unavailable,
but what if you do not care about losing the encrypted file? If
your file is encrypted, the simplest way to recover it is from
your backups. Maintaining backups has been recognized as the
most efficient defense against ransomware. According to
KrebsOnSecurity.com [19], earlier this month Methodist Hospital
in Henderson, Kentucky was struck by ransomware. This attack
prevented healthcare providers from accessing patient files. The
facility declared a “state of emergency” on Friday, but
surprisingly, on Monday the hospital reported its systems were up
and running. Methodist officials said they did not pay the
ransom; instead, they had simply restored the hospital’s data
from backups.
According to Kaspersky Lab’s report [20], some basic principles
are worth mentioning when designing the backup system. First,
backup files should be stored in a distributed system. If all
backups are stored in a centralized environment, they could be
compromised together in one attack, and as a result keeping them
is useless. A good backup policy should include local backup,
remote backup and offsite backup. Moreover, it is important to
keep backups up to date. The technologies used to keep backups
have been evolving in recent years. In Kaspersky Lab’s Crypto
Malware Countermeasures Subsystem [20], a local protected backup
is made immediately every time a suspicious application tries to
open a file.
Although keeping backups is a good strategy for saving the
hacked files, we are still acting reactively to ransomware. To
be proactive, there are countermeasures including signature
comparison and sandbox deployment.
C. Signature Comparison and Sandbox Deployment
Nowadays, every software publisher requires each genuine piece
of software to carry a unique digital signature. This signature
mechanism was designed so that anyone can verify whether the
software has been modified. Security policies can also take
advantage of this signature to detect ransomware. When a piece
of software is identified as malicious, its signature is put
into a global blacklist. The next time a computer detects that a
program’s signature is in the global blacklist, the system simply
refuses to execute it. Meanwhile, if a program does not have a
signature, the system should also mark it as potential malware.
This mechanism is effective only when the malware has already
been identified and stored in the blacklist; however, it is
obviously too hard to keep every malware sample in a
database [21].
Another good countermeasure is to isolate suspicious programs,
that is, to keep the malicious program in a special isolated
space so it cannot affect other files. This method is called a
sandbox and is widely deployed in current web services. However,
as described before, some ransomware has gained the ability to
recognize whether it is in a sandbox. If it determines that it
is in a sandbox, it performs no malicious operations and stays
quiet until it finds an opportunity to break out; once it finds
a way out, it unpacks its payload and carries out the real
malicious behavior. CryptoWall used this method to evade
detection [22].
Although current ransomware has developed the ability to bypass
traditional countermeasures, security engineers are also doing
their best to keep up. A new method was proposed recently by the
Israeli cyber-tech startup Minerva Labs [23]: trick the malware
into believing that it is always in a sandbox even when it is
not. In this way the real payload of the ransomware is never
executed, until anti-virus software finally recognizes it as
malware and deletes it.
A more active defense against ransomware is analyzing software
behavior. A system-level monitor should keep track of every
process that is not fully trusted. The monitor analyzes each
process’s file accesses and system calls, and once a process
tries to conduct suspicious operations, the monitor calls a
delete function and prevents any malicious behavior from
happening. This approach is quite effective against ransomware
because ransomware has very distinct, predictable behavior. The
majority of ransomware launches straightforward attack payloads:
it uses standard cryptography libraries to perform file
encryption. It then deletes files without wiping them off the
disk. These features help to detect ransomware [24]. In Song,
Kim and Lee’s paper, a technique is proposed that uses
statistical methods based on processor usage, memory usage and
I/O rates, so that a process with abnormal behavior can be
detected and stopped in a timely manner. The cost of this
implementation is believed to be low enough to deploy even on
mobile devices like Android smartphones [25].
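The behaviour monitoring described above, shown as an added example (not code from this paper or from [24] or [25]): it scans process events for two behaviours the paper attributes to Crypto Ransomware, shadow-copy deletion through vssadmin.exe and reading files and then deleting or overwriting them across many files in a short window, and it only raises alerts. The event format, process names, window length and threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumption: length of the sliding window
FILE_THRESHOLD = 5    # assumption: distinct files replaced per window before alerting


def is_shadow_copy_deletion(image: str, cmdline: str) -> bool:
    """True for a vssadmin.exe invocation that deletes volume shadow copies."""
    tokens = cmdline.lower().split()
    return (image.lower().endswith("vssadmin.exe")
            and "delete" in tokens and "shadows" in tokens)


def analyze(events):
    """events: (ts, pid, image, action, target) tuples; returns [(ts, pid, reason)]."""
    read_by = defaultdict(set)     # pid -> files the process has read
    replaced = defaultdict(deque)  # pid -> (ts, path) of files read and then destroyed
    alerted = set()
    alerts = []
    # Stable sort on the timestamp keeps same-second events in recorded order.
    for ts, pid, image, action, target in sorted(events, key=lambda e: e[0]):
        if action == "exec":
            if is_shadow_copy_deletion(image, target):
                alerts.append((ts, pid, "shadow-copy-deletion"))
        elif action == "read":
            read_by[pid].add(target)
        elif action in ("delete", "overwrite") and target in read_by[pid]:
            window = replaced[pid]
            window.append((ts, target))
            while ts - window[0][0] > WINDOW_SECONDS:
                window.popleft()
            distinct = {path for _, path in window}
            if len(distinct) >= FILE_THRESHOLD and pid not in alerted:
                alerted.add(pid)
                alerts.append((ts, pid, "mass-file-replacement"))
    return alerts


def constructed_events(step: int = 1):
    """Constructed sample telemetry; step is the gap in seconds between files for pid 400."""
    docs = [rf"C:\Users\a\Documents\report{i}.docx" for i in range(6)]
    ev = []
    # pid 200: backup agent reads every document and destroys nothing.
    ev += [(10 + i, 200, "backup.exe", "read", p) for i, p in enumerate(docs)]
    # pid 300: editor saves a single document in place.
    ev += [(20, 300, "winword.exe", "read", docs[0]),
           (25, 300, "winword.exe", "overwrite", docs[0])]
    # pid 500: cleanup tool deletes temp files it never read.
    ev += [(30 + i, 500, "cleanup.exe", "delete", rf"C:\Temp\t{i}.tmp") for i in range(8)]
    # pid 400: reads each document, writes a new copy, deletes the original.
    for i, p in enumerate(docs):
        t = 100 + i * step
        ev += [(t, 400, "invoice.exe", "read", p),
               (t, 400, "invoice.exe", "write", p + ".enc"),
               (t, 400, "invoice.exe", "delete", p)]
    # pid 401: shadow copies removed just before the file activity starts.
    ev.append((99, 401, "vssadmin.exe", "exec", "vssadmin.exe Delete Shadows /All /Quiet"))
    return ev


if __name__ == "__main__":
    for alert in analyze(constructed_events()):
        print(alert)
```

A process that paces itself below the threshold, as `constructed_events(step=60)` does, escapes the rate check, which is why the shadow-copy signal is reported independently.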
In the past decade, the technologies used in both ransomware and
anti-ransomware have been evolving and advancing. This battle
will not end soon, but security professionals will always find
methods to protect people’s information assets.
VI. CONCLUSION
The rise of ransomware raises alerts in many aspects of
information security: not only the technical parts, but also the
importance of human factors.
Despite the sophistication of the hybrid encryption schemes
ransomware uses, the key factor in infection is human error.
While security professionals build more and more advanced
security solutions, we now have to pay more attention to
improving people’s security awareness.
Last but not least, when we invented encryption schemes to
protect ourselves, did we ever think that they could be used
against us?
REFERENCES
[1] B. Giri, N. Jyoti, and M. AVERT, “The Emergence of Ransomware,”
Auckland, 2006.
[2] T. Mogg, “Hollywood hospital pays $17,000 to ransomware hackers,”
in Computing, Digital Trends, 2016. [Online]. Available:
http://www.digitaltrends.com/computing/hollywood-hospital-ransomware-attack/.
Accessed: Apr. 18, 2016.
[3] K. Wang, X. Chen, and Y. Xu, “A Brief Study of Trojan,” 2009.
[4] M. Rajab, L. Ballard, P. Mavrommatis, N. Provos, and X. Zhao, “The
Nocebo Effect on the Web: An Analysis of Fake Anti-Virus
Distribution,” Google Inc., 2010.
[5] J. Wyke and A. Ajjan, “The Current State of Ransomware,” in Sophos,
2015. [Online]. Available:
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf.
Accessed: Apr. 15, 2016.
[6] N. Hampton and Z. Baig, “Ransomware: Emergence of the
cyber-extortion menace,” in Australian Information Security
Management Conference, Australia: Edith Cowan University, 2015.
[7] A. Hansberry, A. Lasser, and A. Tarrh, “Cryptolocker: 2013’s Most
Malicious Malware,” 2013.
[8] V. Kotov and M. Rajpal, “Understanding Crypto-Ransomware,”
in Bromium, 2014. [Online]. Available:
https://www.bromium.com/sites/default/files/bromium-report-ransomware.pdf.
Accessed: Apr. 16, 2016.
[9] F. Rashid, “Tasty Spam: Ransomware hiding behind resumes,”
in PCMag, PCMag, 2015. [Online]. Available:
http://www.pcmag.com/article2/0,2817,2487177,00.asp.
Accessed: Apr. 21, 2016.
[10] “The Secret Behind CryptoWall’s Success,” in Imperva, 2015.
[Online]. Available:
https://www.imperva.com/docs/IMPERVA_HII_CryptoWall_report.pdf.
Accessed: Apr. 21, 2016.
[11] A. Barjon, “Analysing a Ransomware: Cryptolocker - Lexsi security
hub,” in Lexsi Security Hub, Lexsi Security Hub, 2015. [Online].
Available:
https://www.lexsi.com/securityhub/analysing-ransomware-cryptolocker/?lang=en.
Accessed: Apr. 25, 2016.
[12] Q. Liao, “Ransomware: A Growing Threat to SMEs,” in Southwest
Decision Science Institutes Annual Conference, Houston, (online), 2008.
[13] L. Abrams, “Jigsaw Ransomware Decrypted: Will delete your files
until you pay the ransom,” BleepingComputer.com, 2016. [Online].
Available:
http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/.
Accessed: Apr. 25, 2016.
[14] J. Pagliery, “U.S. Hospitals are getting hit by hackers,” in CNN,
CNN, 2016. [Online]. Available:
http://money.cnn.com/2016/03/23/technology/hospital-ransomware/.
Accessed: Apr. 18, 2016.
[15] J. W. Cox, “MedStar health turns away patients after likely
ransomware cyberattack,” in Washington Post, Washington Post, 2016.
[Online]. Available:
https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html.
Accessed: Apr. 25, 2016.
[16] S. Gallagher, “Kentucky hospital hit by ransomware attack,” Ars
Technica, 2016. [Online]. Available:
http://arstechnica.com/security/2016/03/kentucky-hospital-hit-by-ransomware-attack/.
Accessed: Apr. 25, 2016.
[17] A. Tversky and D. Kahneman, “The framing of decisions and the
psychology of choice,” Science, vol. 211, no. 4481, pp. 453-458, Jan.
1981.
[18] R. West, “The psychology of security,” Communications of the ACM,
vol. 51, no. 4, pp. 34-40, Apr. 2008.
[19] J. Gaige, “Hospital declares ‘internal state of emergency’ after
Ransomware infection,” in Krebs on Security, 2016. [Online]. Available:
http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/.
Accessed: Apr. 18, 2016.
[20] M. the Robot, “Kaspersky lab expert Andrey Pozhogin answers
questions about ransomware,” in Kaspersky Lab Daily, 2015. [Online].
Available:
https://blog.kaspersky.com/ask-expert-ransomware-epidemic/9332/.
Accessed: Apr. 18, 2016.
[21] B. Dickson, “How to deal with the rising threat of ransomware,”
in TechCrunch, TechCrunch, 2016. [Online]. Available:
http://techcrunch.com/2016/04/16/how-to-deal-with-the-rising-threat-of-ransomware/.
Accessed: Apr. 18, 2016.
[22] B. Prince, “CryptoWall Ransomware cost victims more than $18
Million since april 2014: FBI,” in Security Week, 2015. [Online].
Available:
http://www.securityweek.com/cryptowall-ransomware-cost-victims-more-18-million-april-2014-fbi.
Accessed: Apr. 25, 2016.
[23] G. Avner, “Israeli Minerva Labs wins CyBox cyber security
competition,” in Geektime, Geektime, 2016. [Online]. Available:
http://www.geektime.com/2016/01/28/israeli-minerva-labs-wins-cybox-cyber-security-competition-with-preventative-solution/.
Accessed: Apr. 18, 2016.
[24] E. Kirda, “Most Ransomware Isn’t As Complex As You Might Think,”
Black Hat, 2015.
[25] S. Song, B. Kim, and S. Lee, “Effective Ransomware Prevention
Technique using Process Monitoring on Android Platform.”