RH
Uploaded byRen Hao
289 views

Ransomware_PDF

This document summarizes a paper about the history, mechanisms, and countermeasures of ransomware. It describes how ransomware has evolved since 1989 from simply encrypting file names to using sophisticated encryption techniques and ransom payment through cryptocurrencies. Recent ransomware incidents have targeted hospitals, which feel pressure to pay ransoms to avoid putting patients at risk. Key countermeasures include awareness training to prevent infection through phishing emails, as well as maintaining backups to recover data without paying ransoms. Sandbox deployment and signature analysis can also help detect and block ransomware.

Embed presentation

Download to read offline
Ransomware: The History, Mechanisms and Countermeasures Yue Zhu Information Security Institute Johns Hopkins University Baltimore, MD, United States yzhu48@jhu.edu Ren Hao Information Security Institute Johns Hopkins University Baltimore, MD, United States rhao1@jhu.edu Abstract—This paper generally introduces the history, mechanism and potential countermeasures of ransomwares. Ransomware nowadays introduces new risks to our community, and targets of ransomwares are hospitals in recent incidents. From 1989 to now, the sophistications of ransomwares have been increasing rapidly. Nowadays, ransomware writers use hybrid encryption schemes to lock victims’ files, and to recover encrypted files or encrypted keys with brute force are not timely feasible. Especially for hospitals, they cannot afford to wait by putting their patients on risk. Currently, ransomwares use spam emails to reach victims; once victims download malicious attachments, they get infected. In order to prevent Internet users’ systems to be infected by ransomwares, awareness training is the key factor to decrease the infection rate. Moreover, if victims get infected by ransomwares, the most efficient way to minimize loss is to recover data from backups. In this paper, we also briefly talk about countermeasures such as signature comparison and sandbox deployment. Keywords—Ransomware, Encryption, Awareness Training, Sandbox I. INTRODUCTION Malware is not a strange term to the majority of our community anymore. As information technology becomes more advanced, the sophistication of malwares is also increased rapidly. Incentives to write malwares also have been changed. As Giri and Jyoti [1] state in their research, “The days when computer malware was written for fame are long gone. Money is what causes the adrenaline rush in cyber criminals these days”. Hackers nowadays become more interested at making money faster than ever. Ransomware, as its name indicates, demands ransoms from victims. For common Internet users, ransoms can just be money, but for enterprises or organizations, ransoms can be more valuable items, such as organizational resources or even secret information. Without paying ransoms, ransomwares restrict victims’ accesses to their own files. The potential risk for not paying ransoms also depends on the role of victims. For common Internet users, it may not be severe, but for enterprises or organizations, restrictions to access information systems or files can cause huge damages. Recently, according to Digital Trends’ report [2], “a Hollywood hospital whose computer systems were locked up by ransomware earlier this month has paid $17,000 in bitcoin in regain access to its data”. Hackers locked the hospital’s information system and restricted normal accesses to patients’ records, and the hospital finally decided to pay the ransom because that was the fastest way to solve the problem; hospitals cannot afford to put their patients on risk. Ransomwares have also been evolving since its first appearance. Although ransomware’s first appearance can be traced back to 1989, it was not peaked until 2009. Nowadays, the most common type of ransomware is Crypto Ransomware, and this type of ransomware is also the most efficient way for hackers to make money. In this paper, Crypto Ransomware will be provided with details. The way Internet users may get infected by ransomwares is actually quite similar to other malwares, and phishing attack is the most common way to spread ransomwares over the Internet by attackers. In this paper, we will provide more details about how to prevent being infected by ransomwares, and more importantly if victims are infected, how we can solve the problem. II. HISTORY OF RANSOMWARE Ransomware was peaked since 2009, but the first ransomware actually appeared in 1989. From the AIDS Trojan, Fake AV to CryptoWall and CrypotoLocker, sophistications of ransomwares have been increasing dramatically. One of the most recent version of ransomwares is CryptoWall 3.0, and its sophistication includes the use of hybrid encryption schemes and C&C server. A. The First Ransomware The origin of ransomware can be traced back to 1989, which was the first appearance of the AIDS Trojan. According to Wang, Chen and Xu’s review on Trojans [3], “To call it AIDS, because certain information about price of HIV medicines and prevention measures is stored in that disk”. Moreover, the Trojan will hide dietaries and encrypt all the file names on drive C. Then the user will be asked to contact PC Cyborg Corporation for payment in order to renew the license. AIDS Trojan represents the originality of ransomwares. First of all, it hided itself as a Trojan, and the way it worked
was to encrypt all the file names on drive C and asked for money. This functionality defined what ransomware was. B. Scareware In 2009, Fake Antivirus peaked. Scareware may be a better name for this type of ransomwares. As Google’s research paper [4] describes, Fake AV scares people by claiming there are viruses on people’s systems, and Fake AV then asks people to pay for anti-virus service. Of course Fake AV does not know if there are viruses on people’s systems, but Fake AV writers do know they can scare someone to pay them money. Fake AV represents the phishing attack version of ransomware, and surprisingly, researchers from Google [4] found Fake AV accounts for 15% of all malwares detected by their systems. C. Crypto Ransomware Crypto Ransomware represents a family of ransomwares that encrypts victims’ files in order to restrict victims’ access to their own systems or files. Comparing to AIDS Trojan, Crypto Ransomware uses much more complicated encryption schemes. Once victims’ files are kidnapped by attackers, victims have to pay ransoms and get decryption keys as an exchange. In most cases, strong encryptions are used which means trying to break the encryption with brute force is an infeasible action. Crypto ransomware is also currently the most popular type, and it includes CryptoWall and CryptoLocker [5]. III. ANALYSIS OF CRYPTO RANSOMWARE Various types of Crypto Ransomware have been detected, and all of them share many similarities. In this section, we are going to talk about encryption schemes, infection vectors and payment process of Crypto Ransomwares. According to Hampton and Baig’s research [6] on ransomwares, a successful ransomware requires three core technologies. First, it requires strong and reversible encryption to lock victims’ files. Second, it needs a system for anonymously communicate keys and decryption tools. Last but not the least, it requires an untraceable way to pay the ransom. In this section, we are going to introduce how Crypto Ransomwares include these three factors. A. Encryption As Hansberry, Lansser and Tarrh stated in their research [7], “encryption, which is designed to protect people’s privacy, is now the weapon that are used by hackers to kidnap people’s files and systems”. New versions of ransomware use hybrid encryption schemes to hijack victims’ files. In most cases, current Crypto Ransomwares use symmetric encryptions to encrypt victims’ files, and the key is further encrypted by attacker’s public key using asymmetric encryption. As the result, to recover the decryption key may be even harder than to recover the encrypted file, and only the attacker is able to access the decryption key by using the private key [7]. Different Crypto Ransomwares have different targets. For instance, CryptoWall’s targets include a big group of file extensions, but CryptoLocker mainly focuses on professional- class file types, like Word, Excel, Photoshop, and InDesign. Based on this feature, CryptoWall may focus more on common Internet users, but CryptoLocker is more interested at attacking enterprises by locking important files [7]. Fig. 1. Example of C&C Server [8] B. C&C Server C&C Server is used by ransomware writers as part of the attack. According to Kotov and Rajpal’s report [8], for instance, Crypto Locker and CryptoWall fetch a public key from the C&C server and then perform the encryption. Fig. 1 illustrates this process. First of all, client side gathers victim machine’s information and encrypts it with an AES session key. The information of victims’ machine includes the malware version, system language, and a numeric ID [6]. AES key is then encrypted using RSA and hardcoded C&C public key. Both encrypted data and encrypted AES sessions keys are concatenated and set to the server. At this time, server uses its private key to decrypt both victim’s information and AES session key. At the end, server generates a new key pair which is used going to do the real encryptions on victims’ files and sent them back to victims’ machines [8]. C. Infection Vector Infection vectors of ransomware are quite similar to common malwares. Some of them use exploit kits to reach victims’ machines and execute themselves on victims’ systems, but nowadays, most of ransomware writers use spam emails and adware to spread ransomwares over the Internet. There are two main reasons to use phishing attacks instead of exploit kits: first of all, it is easier; second of all, it is cheaper. To use exploit kits, it requires a long term planning to gather target’s information and make plans, but spam emails only require victims to open the attachment, and attackers are able to send out spam emails to thousands of victims by using their botnet. Although humans created security mechanism to prevent systems to be exploited, unfortunately, humans are much easier to be exploited than systems. We will talk about this specifically later in this paper. The spam email comes from CryptoWall writer contains an archive file, and within the archive file, a CHM file with an Adobe PDF icon is included. CHM file is linked to the payload of CryptoWall. Fig. 2 shows an example of spam
emails. When victim click the download button, ransomware is also downloaded in the background [5]. Fig. 2. Example of a spam email that contains ransomware [9] Crypto Ransomware also hides itself carefully as a well- designed malware. In Sophos’ report [5], for example, when CryptoWall is executed, it first launches a new instance of the exploer.exe process and injects its unpacked binary and then executes the injected code. Next, Crypto Ransomware deletes volume shadow copies, for example, CryptoWall uses vssadmin.exe tool to do this step. Then, Crypto Ransomware launches a new process to connect to the C&C server to do the rest of the work. Once the public key is granted, encryption of files start. D. Payment Process As described at the beginning of this section, a successful ransomware needs an untraceable way to pay the ransom [6]. Almost all ransomwares require victims to pay ransoms in bitcoins. Moreover, the transactions are done over TOR services. Based on these two features, Crypto Ransomware writers hide themselves from legal investigations. Fig. 3 is an example which shows the instructions victims get once they get infected. By clicking the link, victims will be directed to pay ransoms in bitcoins. Fig. 3. Example of ransomware’s payment page [10] E. CTB-Locker Ransomware CTB-Locker Ransomware is a special type of ransomwares that needs to be introduced solely. First of all, CTB-Locker does not require network connections to perform encryptions. Secondly, CTB-Locker use more efficient asymmetric encryptions [5]. According to Sophos’ report [5], CTB-Locker uses Elliptic Curve Cryptography to perform asymmetric encryptions. A benefit that ECC has over RSA is that equivalent security levels can be achieved with much smaller key sizes. For example, a 256-bit ECC key is equivalent to 3072-bit RSA key. Moreover, CTB-Locker does not need to contact C&C server, and what it does is encrypting victims’ files directly with keys embedded inside itself. F. Passing Sandbox Detection Sandbox deployment is a countermeasure that can be used to defeat ransomwares, but ransomwares like CryptoWall is able to detect if it is inside a sandbox. This feature is called Anti-VM check. CryptoWall ransomware checks if it is in a virtual environment. If so, it will keep being innocent until it is inside the real systems [11]. G. Trends of Ransomwares The trends of ransomwares are hard to be predicted, but one thing is sure, it is going to be more complex. As Liao [12] describes in the paper, for example, if ransomware writers add a rootkit to hide the installer of the ransomware, although we break its password, it will then encrypt files again. Or ransomwares will use password protection; after certain attempts of key input, it will delete all encrypted files. Nowadays, one of the new type of ransomwares is Jigsaw Ransomware. The feature is, it does not only encrypt the file, but also deletes them if you do not pay ransoms. Jigsaw Ransomware deletes files every hour [13]. Before, Crypto Ransomware uses AES in CTR mode with the same key and a fixed IV. As the result, this encryption scheme is breakable. After a generic decryption tool was released, ransomware writers now mostly use AES in CBC mode, which results in a unique keystream [5]. The trends of ransomwares are unknown, but the trends of ransomware writers’ incentives are to make victims pay ransoms faster and scare victims by doing real damages such as deleting your files. IV. RECENT INCIDENTS According to CNN Money [14], the FBI says it received 2,453 complaints about ransomware hold-ups last year, and potential losses are estimated to be more than $24 million dollars. It is only the fourth month of 2016, but there are many ransomware incidents have been reported. TABLE I generally lists some well-known ones. The most recent incident, such as MedStar Health, causes the center turned away patients, because it lost most functions of its systems except reading records [15]. From TABLE I, all three attackers were targeting at hospitals, and the reason behind it is straightforward. When hospitals’ information
systems are locked, hospitals cannot afford to put their patients on risk, and as the result, hospitals may prefer to pay the ransom and save time for their patients. TABLE I. THREE RECENT INCIDENTS Date Victim Ransom Final solution 03/28/2016 MedStar Health [15] $19,000 In Progress 03/16/2016 A Kentucky Hospital [16] $1,600 Used backup 02/05/2016 Hollywood Presbyterian Medical Center [2] $17,000 Paid V. COUNTERMEASURES While security professionals are conducting analysis of ransomwares, the rest of community probably is more interested at how to fight against it. In this section, we are going to talk about how to prevent your systems to be infected and how to minimize the loss if your systems are infected. A. Awareness Training Although ransomwares encrypt victims’ files, defeating encryption schemes to recover your files should not be the answer to this problem; it is not timely feasible. Almost every ransomware now uses phishing attacks to reach victims, and as we described above, when victims are deceived to open the attachment in a spam email, ransomwares are then executed to do further actions. Ransomwares not only gather intentions of information security community, but also raises the importance of human factors in information security one more time. When a corporate employee sees an email which claims is from the CEO, the employee probably may open it instantly since he/she really wants to be impressed by his/her boss. In this case, awareness training is a necessary phase to defeat ransomwares. Without a good understanding of the importance of security and potential risks of threats, people have a good chance to make errors. According to Tversky and Kahneman’s studies [17], first of all, people are not good at making trade- offs between risks, losses, and gains. In 1981’s experiment, they show two situations to participants and let them choose the best option from it.  If Program A is adopted, 200 people will be saved. (72 percent of participants chose this option)  If Program B is adopted, there is 1/3 probability that 600 people will be saved, and 2/3 probability that nobody will be saved. (28 percent chose this option). If anyone makes a simple calculation, it is easy to find out these two choices actually end up with same results, but people are not good at making tradeoffs, they rely on their intuitions. This experiment reflects the fact that people are not good at making choices when they are facing real risks. On the other hand, security is an abstract concept in people’s mind [18]. More importantly, people do not wish to spend time on security. Security is a thing which generates costs but does not bring any additional profits in most people’s minds, and in order to improve the security level, the efficiency of operations usually decreases. As the result, people make worse decisions in order to make their life easier. For example, when an organization requires employees to use complicated passwords, employees end up writing down the passwords on a piece of paper and stick it on the computer monitor. Awareness training might be more important than purchasing more expensive firewalls and intrusion detection systems. During awareness training, it is essential to teach employees common techniques to validate email senders, and if there is any unsureness, the employee should contact security group first before making further decisions. On the other hand, awareness training should also teach employees how information security may bring you revenues. For example, if you invest $100,000 to conduct security trainings, and meanwhile, your competitors did not choose to do. When there is a ransomware targets at companies in your field, all of your competitors lost $500,000, and you only lost $200,000 because your previous security investments, and $300,000 is the money you “earned”. B. Back Up Your Data The battle between hackers and security professional has been lasting for decades. Keeping updating your software and antivirus tools is encouraged, but it is not the essential plan to solve the challenges from ransomwares. Cryptography nowadays is designed to be unbreakable within a feasible time frame. Although some encryption schemes are able to be broken theoretically, victims in real world cannot afford the loss for that long time. Efforts on trying to do decryptions are meaningless. Attackers want to extort money by making your files unavailable, but what if you do not care about losing the encrypted file. If your file is encrypted, the simplest way to recover it is to recover it from your backups. Maintaining backups has been recognized as the most efficient way against ransomware. According to KrebsonSecurity.com [19], in earlier this month, Methodist Hospital in Henderson, Kentucky was struck by a ransomware. This attack prevented healthcare providers from accessing patient files. The facility declared a “state of emergency” on Friday, but surprisingly on Monday, the hospital reported its systems were up and running. Methodist officials said they did not pay the ransom; instead, they had simply restored the hospital’s data from backups. According to Kaspersky Lab’s report [20], when designing the backup system, it is worth mentioning that some basic principles. First, backup files should be stored in a distributed system. If all backups are stored in a centralized environment,
they could be compromised together under one attack; as the result, it is useless to keep backups. A good backup policy should include local backup, remote backup and offsite backup. Moreover, it is important to keep backups up to date. Technologies used to keep backups have been evolving these years. In the Kaspersky Lab’s Crypto Malware Countermeasures Subsystem [20], a local protected backup is made immediately every time a suspicious application tries to open a file. Although keeping backups are good strategies to save the hacked file, we are still acting reactively to ransomwares. In order to be proactive, there are countermeasures include signature comparison and sandbox deployment. C. Signature Comparison and Sandbox Deployment: Nowadays, every software publisher requires every genuine software to have a unique digital signature. This signature mechanism was designed to make everyone capable to verify if the software is modified. Security policies can also take the advantages of this signature to detect ransomwares. When a software is identified to be malicious, its signature will be put into a global blacklist. So the next time a computer detect a software’s signature is in a global blacklist, the system will just deny to execute the software. Meanwhile, if a software does not have a signature, the system should also mark it as a potential malware. This mechanism is efficient only when a malware has already been identified and stored in the blacklist, however it is obviously to see it is just too hard to keep every malware in a database [21]. Another good countermeasure is to isolate suspicious programs, that is to say to keep the malicious program in a special isolated space, so it cannot affect other files. This method is called sandbox and is widely deployed in current web services. However, as described before, some ransomwares have grown to have the ability to recognize if it is in a sandbox. If it figured out it is in a sandbox, it will not do any malicious operations and stay calm until find an opportunity to break out, but once it found out a way to get out, it will unpack its payload and conduct the real malicious behaviors. CryptoWall used this method to evade detection [22]. Although current ransomware has been developed the ability to bypass the traditional countermeasures, security engineers are also trying their best in keeping up their tracks. A new method was proposed recently by the Israel Cyber- Tech Startup Minerva Labs [23], which was to trick the malware into believing that it is always in the sandbox even when it is not. In this way the real payload of the ransomware will never be executed until anti-virus software finally recognize it as a malware and delete it. A more active way against ransomware is analyzing software’s behaviors. A system-level monitor should keep track of every process that is not totally trustworthy. The monitor analyzes each process’s file access and system call actions, and once a process tries to conduct suspicious operations, the monitor will call a delete function and prevent any malicious behaviors from happening. In this way, it is pretty efficient to prevent ransomwares because ransomwares have very distinct predictable behavior. The majority of ransomwares launches straightforward attack payloads: they use standard cryptography libraries to perform file encryptions. Then ransomwares delete files not wiping them off disks. These features help to detect ransomwares [24]. In Song, Kim and Lee’s paper, a technique was proposed by using statistical methods based on processor usage, memory usage and I/O rates, so that the process with abnormal behaviors can be detected and stopped in a timely manner. The cost of this implementation is believed to be low enough even to deploy it on mobile devices like Android smartphones [25]. In the past decade, technologies used in both ransomware and anti-ransomware have been evolving and advancing. This battle will not end in a short time, but security professionals will always find methods to protect people’s information assets. VI. CONCLUSION The rise of ransomware raises alerts in many aspects of information security aspects. Not only the technical parts, but also the importance of human factors. As we talked about the sophistication of hybrid encryption schemes ransomware uses, the key factor to be infected is about human errors. When security professionals build up more and more advanced security solutions, we now have to pay more attentions on improving people’s security awareness. Last but not the least, when we invented encryption schemes to protect ourselves, did we ever think about it could be used against us? REFERENCES [1] B. Giri, N. Jyoti, and M. AVERT, “The Emergence of Ransomware,” Auckland, 2006. [2] T. Mogg, "Hollywood hospital pays $17, 000 to ransomware hackers," in Computing, Digital Trends, 2016. [Online]. Available: http://www.digitaltrends.com/computing/hollywood-hospital- ransomware-attack/. Accessed: Apr. 18, 2016. [3] K. Wang, X. Chen, and Y. Xu, “A Brief Study of Trojan,” 2009. [4] M. Rajab, L. Ballard, P. Mavrommatis, N. Provos, and X. Zhao, “The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution,” Google Inc., 2010. [5] J. Wyke and A. Ajjan, "The Current State of Ransomware," in Sophos, 2015. [Online]. Available: https://www.sophos.com/en- us/medialibrary/PDFs/technical%20papers/sophos-current-state-of- ransomware.pdf. Accessed: Apr. 15, 2016. [6] N. Hampton and Z. Baig, “Ransomware: Emergence of the cyber- extortion menace,” in Australian Information Security Management Conference, Australia: Edith Cowan University, 2015. [7] A. Hansberry, A. Lasser, and A. Tarrh, “Cryptolocker: 2013’s Most Malicious Malware,” 2013. [8] V. Kotov and M. Rajpal, "Understanding Crypto-Ransomware," in Bromium, 2014. [Online]. Available: https://www.bromium.com/sites/default/files/bromium-report- ransomware.pdf. Accessed: Apr. 16, 2016. [9] F. Rashid, "Tasty Spam: Ransomware hiding behind resumes," in PCMag, PCMag, 2015. [Online]. Available: http://www.pcmag.com/article2/0,2817,2487177,00.asp. Accessed: Apr. 21, 2016. [10] "The Secret Behind CryptoWall’s Success," in Imperva, 2015. [Online]. Available:
https://www.imperva.com/docs/IMPERVA_HII_CryptoWall_report.pdf. Accessed: Apr. 21, 2016. [11] A. Barjon, "Analysing a Ransomware: Cryptolocker - Lexsi security hub," in Lexsi Security Hub, Lexsi Security Hub, 2015. [Online]. Available: https://www.lexsi.com/securityhub/analysing-ransomware- cryptolocker/?lang=en. Accessed: Apr. 25, 2016. [12] Q. Liao, “Ransomware: A Growing Threat to SMEs,” in Southwest Decision Science Institutes Annual Conference, Houston,(online), 2008. [13] L. Abrams, "Jigsaw Ransomware Decrypted: Will delete your files until you pay the ransom," BleepingComputer.com, 2016. [Online]. Available: http://www.bleepingcomputer.com/news/security/jigsaw- ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/. Accessed: Apr. 25, 2016. [14] J. Pagliery, "U.S. Hospitals are getting hit by hackers," in CNN, CNN, 2016. [Online]. Available: http://money.cnn.com/2016/03/23/technology/hospital-ransomware/. Accessed: Apr. 18, 2016. [15] J. W. Cox, "MedStar health turns away patients after likely ransomware cyberattack," in Washington Post, Washington Post, 2016. [Online]. Available: https://www.washingtonpost.com/local/medstar-health-turns- away-patients-one-day-after-cyberattack-on-its- computers/2016/03/29/252626ae-f5bc-11e5-a3ce- f06b5ba21f33_story.html. Accessed: Apr. 25, 2016. [16] S. Gallagher, "Kentucky hospital hit by ransomware attack," Ars Technica, 2016. [Online]. Available: http://arstechnica.com/security/2016/03/kentucky-hospital-hit-by- ransomware-attack/. Accessed: Apr. 25, 2016. [17] A. Tversky and D. Kahneman, “The framing of decisions and the psychology of choice,” Science, vol. 211, no. 4481, pp.453-458, Jan. 1981. [18] R. West, “The psychology of security,” Communications of the ACM, vol. 51, no. 4, pp. 34-40, Apr. 2008. [19] J. Gaige, "Hospital declares ‘internal state of emergency’ after Ransomware infection," in Krebs on Security, 2016. [Online]. Available: http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of- emergency-after-ransomware-infection/. Accessed: Apr. 18, 2016. [20] M. the Robot, "Kaspersky lab expert Andrey Pozhogin answers questions about ransomware," inKaspersky Lab Daily, 2015. [Online]. Available: https://blog.kaspersky.com/ask-expert-ransomware- epidemic/9332/. Accessed: Apr. 18, 2016. [21] B. Dickson, "How to deal with the rising threat of ransomware," in TechCrunch, TechCrunch, 2016. [Online]. Available: http://techcrunch.com/2016/04/16/how-to-deal-with-the-rising-threat-of- ransomware/. Accessed: Apr. 18, 2016. [22] B. Prince, "CryptoWall Ransomware cost victims more than $18 Million since april 2014: FBI," inSecurity Week, 2015. [Online]. Available: http://www.securityweek.com/cryptowall-ransomware-cost-victims- more-18-million-april-2014-fbi. Accessed: Apr. 25, 2016. [23] G. Avner, "Israeli Minerva Labs wins CyBox cyber security competition," in Geektime, Geektime, 2016. [Online]. Available: http://www.geektime.com/2016/01/28/israeli-minerva-labs-wins-cybox- cyber-security-competition-with-preventative-solution/. Accessed: Apr. 18, 2016. [24] E. Kirda, “Most Ransomware Isn’t As Complex As You Might Think,” blackhat, 2015 [25] S. Song, B. Kim, and S. Lee, “Effective Ransomware Prevention Technique using Process Monitoring on Android Platform.”

More Related Content

PPTX
The Rise of Ransomware
byTharindu Edirisinghe
 
PDF
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
bySymantec
 
DOCX
trojon horse Seminar report
byNamanKikani
 
PDF
Step FWD IT_Ransomware-Guide
bychrismannering
 
PDF
Dyre: Emerging Threat on Financial Fraud Landscape
bySymantec
 
DOCX
The malware (r)evolution
byITrust - Cybersecurity as a Service
 
PDF
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
byEyal Doron
 
PDF
What are the possible damages of phishing and spoofing mail attacks part 2#...
byEyal Doron
 
The Rise of Ransomware
byTharindu Edirisinghe
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
bySymantec
 
trojon horse Seminar report
byNamanKikani
 
Step FWD IT_Ransomware-Guide
bychrismannering
 
Dyre: Emerging Threat on Financial Fraud Landscape
bySymantec
 
The malware (r)evolution
byITrust - Cybersecurity as a Service
 
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
byEyal Doron
 
What are the possible damages of phishing and spoofing mail attacks part 2#...
byEyal Doron
 

What's hot

PDF
Wannacry Virus
byEast West University
 
PDF
Ransomware-as-a-Service: The business of distributing cyber attacks
byΔρ. Γιώργος K. Κασάπης
 
PDF
Ransomware
byPrachi Gulihar
 
PDF
Modern Malware and Threats
byMarketingArrowECS_CZ
 
PPTX
The trojan horse virus
byHTS Hosting
 
DOCX
External threats to information system: Malicious software and computer crimes
bySouman Guha
 
PDF
Phishing attack types and mitigation strategies
bySarim Khawaja
 
DOCX
Ransomware The Rise of GP Code
byPerry Francis
 
PDF
Ransomware Trends 2017 & Mitigation Techniques
byAvinash Sinha
 
PDF
The Evolution of Phising Attacks
byBee_Ware
 
PDF
Symantec & WSJ PRESENTS "MALWARE on Main Street" ...
byMZERMA Amine
 
PDF
Malware and malicious programs
byAmmar Hasayen
 
PDF
Scaling Web 2.0 Malware Infection
byWayne Huang
 
PDF
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
byCSCJournals
 
PDF
Fire eye spearphishing
byZeno Idzerda
 
PDF
Network security
byMd. Asifur Rahman Siddiki
 
PDF
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
byIJECEIAES
 
PDF
Analyzing Social and Stylometric Features to Identify Spear phishing Emails
byCybersecurity Education and Research Centre
 
Wannacry Virus
byEast West University
 
Ransomware-as-a-Service: The business of distributing cyber attacks
byΔρ. Γιώργος K. Κασάπης
 
Ransomware
byPrachi Gulihar
 
Modern Malware and Threats
byMarketingArrowECS_CZ
 
The trojan horse virus
byHTS Hosting
 
External threats to information system: Malicious software and computer crimes
bySouman Guha
 
Phishing attack types and mitigation strategies
bySarim Khawaja
 
Ransomware The Rise of GP Code
byPerry Francis
 
Ransomware Trends 2017 & Mitigation Techniques
byAvinash Sinha
 
The Evolution of Phising Attacks
byBee_Ware
 
Symantec & WSJ PRESENTS "MALWARE on Main Street" ...
byMZERMA Amine
 
Malware and malicious programs
byAmmar Hasayen
 
Scaling Web 2.0 Malware Infection
byWayne Huang
 
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
byCSCJournals
 
Fire eye spearphishing
byZeno Idzerda
 
Network security
byMd. Asifur Rahman Siddiki
 
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
byIJECEIAES
 
Analyzing Social and Stylometric Features to Identify Spear phishing Emails
byCybersecurity Education and Research Centre
 

Similar to Ransomware_PDF

PDF
WHITE PAPER▶ The Evolution of Ransomware
bySymantec
 
PDF
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
byAshishDPatel1
 
PDF
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
byRSIS International
 
PDF
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
byRSIS International
 
PDF
Ransomware hostage rescue manual
byRoel Palmaers
 
PDF
Combating RANSOMWare
byUmer Saeed
 
PPTX
MMW April 2016 Ransomware Resurgence
byCyphort
 
PDF
wp-understanding-ransomware-strategies-defeat
byRobert Leong
 
PPTX
Ransomware Attack.pptx
byIkramSabir4
 
PPTX
Defend Your Company Against Ransomware
byKevo Meehan
 
PPTX
Ransomware by lokesh
byLokesh Bysani
 
PDF
Ransomware - Rameez Shahzada
byRAMEEZ SHAHZADA
 
PPTX
Ransomware : A cyber crime without solution ? by Prashant Mali
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
PDF
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
byNCCOMMS
 
PPTX
Ransomware: Emergence of the Cyber-Extortion Menace
byZubair Baig
 
PPTX
Ransomware- A reality check (Part 1).pptx
byInfosectrain3
 
PPTX
Ransomware: A Perilous Malware
byHTS Hosting
 
PDF
xu the ma doc tấn công các trang web và thương mại .pdf
byNguyncAnh55
 
PDF
NAGTRI Journal Article
byTaylre Janak
 
PDF
Ransomware: Attack, Human Impact and Mitigation
byMaaz Ahmed Shaikh
 
WHITE PAPER▶ The Evolution of Ransomware
bySymantec
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
byAshishDPatel1
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
byRSIS International
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
byRSIS International
 
Ransomware hostage rescue manual
byRoel Palmaers
 
Combating RANSOMWare
byUmer Saeed
 
MMW April 2016 Ransomware Resurgence
byCyphort
 
wp-understanding-ransomware-strategies-defeat
byRobert Leong
 
Ransomware Attack.pptx
byIkramSabir4
 
Defend Your Company Against Ransomware
byKevo Meehan
 
Ransomware by lokesh
byLokesh Bysani
 
Ransomware - Rameez Shahzada
byRAMEEZ SHAHZADA
 
Ransomware : A cyber crime without solution ? by Prashant Mali
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
byNCCOMMS
 
Ransomware: Emergence of the Cyber-Extortion Menace
byZubair Baig
 
Ransomware- A reality check (Part 1).pptx
byInfosectrain3
 
Ransomware: A Perilous Malware
byHTS Hosting
 
xu the ma doc tấn công các trang web và thương mại .pdf
byNguyncAnh55
 
NAGTRI Journal Article
byTaylre Janak
 
Ransomware: Attack, Human Impact and Mitigation
byMaaz Ahmed Shaikh
 

Ransomware_PDF

  • 1.
    Ransomware: The History,Mechanisms and Countermeasures Yue Zhu Information Security Institute Johns Hopkins University Baltimore, MD, United States yzhu48@jhu.edu Ren Hao Information Security Institute Johns Hopkins University Baltimore, MD, United States rhao1@jhu.edu Abstract—This paper generally introduces the history, mechanism and potential countermeasures of ransomwares. Ransomware nowadays introduces new risks to our community, and targets of ransomwares are hospitals in recent incidents. From 1989 to now, the sophistications of ransomwares have been increasing rapidly. Nowadays, ransomware writers use hybrid encryption schemes to lock victims’ files, and to recover encrypted files or encrypted keys with brute force are not timely feasible. Especially for hospitals, they cannot afford to wait by putting their patients on risk. Currently, ransomwares use spam emails to reach victims; once victims download malicious attachments, they get infected. In order to prevent Internet users’ systems to be infected by ransomwares, awareness training is the key factor to decrease the infection rate. Moreover, if victims get infected by ransomwares, the most efficient way to minimize loss is to recover data from backups. In this paper, we also briefly talk about countermeasures such as signature comparison and sandbox deployment. Keywords—Ransomware, Encryption, Awareness Training, Sandbox I. INTRODUCTION Malware is not a strange term to the majority of our community anymore. As information technology becomes more advanced, the sophistication of malwares is also increased rapidly. Incentives to write malwares also have been changed. As Giri and Jyoti [1] state in their research, “The days when computer malware was written for fame are long gone. Money is what causes the adrenaline rush in cyber criminals these days”. Hackers nowadays become more interested at making money faster than ever. Ransomware, as its name indicates, demands ransoms from victims. For common Internet users, ransoms can just be money, but for enterprises or organizations, ransoms can be more valuable items, such as organizational resources or even secret information. Without paying ransoms, ransomwares restrict victims’ accesses to their own files. The potential risk for not paying ransoms also depends on the role of victims. For common Internet users, it may not be severe, but for enterprises or organizations, restrictions to access information systems or files can cause huge damages. Recently, according to Digital Trends’ report [2], “a Hollywood hospital whose computer systems were locked up by ransomware earlier this month has paid $17,000 in bitcoin in regain access to its data”. Hackers locked the hospital’s information system and restricted normal accesses to patients’ records, and the hospital finally decided to pay the ransom because that was the fastest way to solve the problem; hospitals cannot afford to put their patients on risk. Ransomwares have also been evolving since its first appearance. Although ransomware’s first appearance can be traced back to 1989, it was not peaked until 2009. Nowadays, the most common type of ransomware is Crypto Ransomware, and this type of ransomware is also the most efficient way for hackers to make money. In this paper, Crypto Ransomware will be provided with details. The way Internet users may get infected by ransomwares is actually quite similar to other malwares, and phishing attack is the most common way to spread ransomwares over the Internet by attackers. In this paper, we will provide more details about how to prevent being infected by ransomwares, and more importantly if victims are infected, how we can solve the problem. II. HISTORY OF RANSOMWARE Ransomware was peaked since 2009, but the first ransomware actually appeared in 1989. From the AIDS Trojan, Fake AV to CryptoWall and CrypotoLocker, sophistications of ransomwares have been increasing dramatically. One of the most recent version of ransomwares is CryptoWall 3.0, and its sophistication includes the use of hybrid encryption schemes and C&C server. A. The First Ransomware The origin of ransomware can be traced back to 1989, which was the first appearance of the AIDS Trojan. According to Wang, Chen and Xu’s review on Trojans [3], “To call it AIDS, because certain information about price of HIV medicines and prevention measures is stored in that disk”. Moreover, the Trojan will hide dietaries and encrypt all the file names on drive C. Then the user will be asked to contact PC Cyborg Corporation for payment in order to renew the license. AIDS Trojan represents the originality of ransomwares. First of all, it hided itself as a Trojan, and the way it worked
  • 2.
    was to encryptall the file names on drive C and asked for money. This functionality defined what ransomware was. B. Scareware In 2009, Fake Antivirus peaked. Scareware may be a better name for this type of ransomwares. As Google’s research paper [4] describes, Fake AV scares people by claiming there are viruses on people’s systems, and Fake AV then asks people to pay for anti-virus service. Of course Fake AV does not know if there are viruses on people’s systems, but Fake AV writers do know they can scare someone to pay them money. Fake AV represents the phishing attack version of ransomware, and surprisingly, researchers from Google [4] found Fake AV accounts for 15% of all malwares detected by their systems. C. Crypto Ransomware Crypto Ransomware represents a family of ransomwares that encrypts victims’ files in order to restrict victims’ access to their own systems or files. Comparing to AIDS Trojan, Crypto Ransomware uses much more complicated encryption schemes. Once victims’ files are kidnapped by attackers, victims have to pay ransoms and get decryption keys as an exchange. In most cases, strong encryptions are used which means trying to break the encryption with brute force is an infeasible action. Crypto ransomware is also currently the most popular type, and it includes CryptoWall and CryptoLocker [5]. III. ANALYSIS OF CRYPTO RANSOMWARE Various types of Crypto Ransomware have been detected, and all of them share many similarities. In this section, we are going to talk about encryption schemes, infection vectors and payment process of Crypto Ransomwares. According to Hampton and Baig’s research [6] on ransomwares, a successful ransomware requires three core technologies. First, it requires strong and reversible encryption to lock victims’ files. Second, it needs a system for anonymously communicate keys and decryption tools. Last but not the least, it requires an untraceable way to pay the ransom. In this section, we are going to introduce how Crypto Ransomwares include these three factors. A. Encryption As Hansberry, Lansser and Tarrh stated in their research [7], “encryption, which is designed to protect people’s privacy, is now the weapon that are used by hackers to kidnap people’s files and systems”. New versions of ransomware use hybrid encryption schemes to hijack victims’ files. In most cases, current Crypto Ransomwares use symmetric encryptions to encrypt victims’ files, and the key is further encrypted by attacker’s public key using asymmetric encryption. As the result, to recover the decryption key may be even harder than to recover the encrypted file, and only the attacker is able to access the decryption key by using the private key [7]. Different Crypto Ransomwares have different targets. For instance, CryptoWall’s targets include a big group of file extensions, but CryptoLocker mainly focuses on professional- class file types, like Word, Excel, Photoshop, and InDesign. Based on this feature, CryptoWall may focus more on common Internet users, but CryptoLocker is more interested at attacking enterprises by locking important files [7]. Fig. 1. Example of C&C Server [8] B. C&C Server C&C Server is used by ransomware writers as part of the attack. According to Kotov and Rajpal’s report [8], for instance, Crypto Locker and CryptoWall fetch a public key from the C&C server and then perform the encryption. Fig. 1 illustrates this process. First of all, client side gathers victim machine’s information and encrypts it with an AES session key. The information of victims’ machine includes the malware version, system language, and a numeric ID [6]. AES key is then encrypted using RSA and hardcoded C&C public key. Both encrypted data and encrypted AES sessions keys are concatenated and set to the server. At this time, server uses its private key to decrypt both victim’s information and AES session key. At the end, server generates a new key pair which is used going to do the real encryptions on victims’ files and sent them back to victims’ machines [8]. C. Infection Vector Infection vectors of ransomware are quite similar to common malwares. Some of them use exploit kits to reach victims’ machines and execute themselves on victims’ systems, but nowadays, most of ransomware writers use spam emails and adware to spread ransomwares over the Internet. There are two main reasons to use phishing attacks instead of exploit kits: first of all, it is easier; second of all, it is cheaper. To use exploit kits, it requires a long term planning to gather target’s information and make plans, but spam emails only require victims to open the attachment, and attackers are able to send out spam emails to thousands of victims by using their botnet. Although humans created security mechanism to prevent systems to be exploited, unfortunately, humans are much easier to be exploited than systems. We will talk about this specifically later in this paper. The spam email comes from CryptoWall writer contains an archive file, and within the archive file, a CHM file with an Adobe PDF icon is included. CHM file is linked to the payload of CryptoWall. Fig. 2 shows an example of spam
  • 3.
    emails. When victimclick the download button, ransomware is also downloaded in the background [5]. Fig. 2. Example of a spam email that contains ransomware [9] Crypto Ransomware also hides itself carefully as a well- designed malware. In Sophos’ report [5], for example, when CryptoWall is executed, it first launches a new instance of the exploer.exe process and injects its unpacked binary and then executes the injected code. Next, Crypto Ransomware deletes volume shadow copies, for example, CryptoWall uses vssadmin.exe tool to do this step. Then, Crypto Ransomware launches a new process to connect to the C&C server to do the rest of the work. Once the public key is granted, encryption of files start. D. Payment Process As described at the beginning of this section, a successful ransomware needs an untraceable way to pay the ransom [6]. Almost all ransomwares require victims to pay ransoms in bitcoins. Moreover, the transactions are done over TOR services. Based on these two features, Crypto Ransomware writers hide themselves from legal investigations. Fig. 3 is an example which shows the instructions victims get once they get infected. By clicking the link, victims will be directed to pay ransoms in bitcoins. Fig. 3. Example of ransomware’s payment page [10] E. CTB-Locker Ransomware CTB-Locker Ransomware is a special type of ransomwares that needs to be introduced solely. First of all, CTB-Locker does not require network connections to perform encryptions. Secondly, CTB-Locker use more efficient asymmetric encryptions [5]. According to Sophos’ report [5], CTB-Locker uses Elliptic Curve Cryptography to perform asymmetric encryptions. A benefit that ECC has over RSA is that equivalent security levels can be achieved with much smaller key sizes. For example, a 256-bit ECC key is equivalent to 3072-bit RSA key. Moreover, CTB-Locker does not need to contact C&C server, and what it does is encrypting victims’ files directly with keys embedded inside itself. F. Passing Sandbox Detection Sandbox deployment is a countermeasure that can be used to defeat ransomwares, but ransomwares like CryptoWall is able to detect if it is inside a sandbox. This feature is called Anti-VM check. CryptoWall ransomware checks if it is in a virtual environment. If so, it will keep being innocent until it is inside the real systems [11]. G. Trends of Ransomwares The trends of ransomwares are hard to be predicted, but one thing is sure, it is going to be more complex. As Liao [12] describes in the paper, for example, if ransomware writers add a rootkit to hide the installer of the ransomware, although we break its password, it will then encrypt files again. Or ransomwares will use password protection; after certain attempts of key input, it will delete all encrypted files. Nowadays, one of the new type of ransomwares is Jigsaw Ransomware. The feature is, it does not only encrypt the file, but also deletes them if you do not pay ransoms. Jigsaw Ransomware deletes files every hour [13]. Before, Crypto Ransomware uses AES in CTR mode with the same key and a fixed IV. As the result, this encryption scheme is breakable. After a generic decryption tool was released, ransomware writers now mostly use AES in CBC mode, which results in a unique keystream [5]. The trends of ransomwares are unknown, but the trends of ransomware writers’ incentives are to make victims pay ransoms faster and scare victims by doing real damages such as deleting your files. IV. RECENT INCIDENTS According to CNN Money [14], the FBI says it received 2,453 complaints about ransomware hold-ups last year, and potential losses are estimated to be more than $24 million dollars. It is only the fourth month of 2016, but there are many ransomware incidents have been reported. TABLE I generally lists some well-known ones. The most recent incident, such as MedStar Health, causes the center turned away patients, because it lost most functions of its systems except reading records [15]. From TABLE I, all three attackers were targeting at hospitals, and the reason behind it is straightforward. When hospitals’ information
  • 4.
    systems are locked,hospitals cannot afford to put their patients on risk, and as the result, hospitals may prefer to pay the ransom and save time for their patients. TABLE I. THREE RECENT INCIDENTS Date Victim Ransom Final solution 03/28/2016 MedStar Health [15] $19,000 In Progress 03/16/2016 A Kentucky Hospital [16] $1,600 Used backup 02/05/2016 Hollywood Presbyterian Medical Center [2] $17,000 Paid V. COUNTERMEASURES While security professionals are conducting analysis of ransomwares, the rest of community probably is more interested at how to fight against it. In this section, we are going to talk about how to prevent your systems to be infected and how to minimize the loss if your systems are infected. A. Awareness Training Although ransomwares encrypt victims’ files, defeating encryption schemes to recover your files should not be the answer to this problem; it is not timely feasible. Almost every ransomware now uses phishing attacks to reach victims, and as we described above, when victims are deceived to open the attachment in a spam email, ransomwares are then executed to do further actions. Ransomwares not only gather intentions of information security community, but also raises the importance of human factors in information security one more time. When a corporate employee sees an email which claims is from the CEO, the employee probably may open it instantly since he/she really wants to be impressed by his/her boss. In this case, awareness training is a necessary phase to defeat ransomwares. Without a good understanding of the importance of security and potential risks of threats, people have a good chance to make errors. According to Tversky and Kahneman’s studies [17], first of all, people are not good at making trade- offs between risks, losses, and gains. In 1981’s experiment, they show two situations to participants and let them choose the best option from it.  If Program A is adopted, 200 people will be saved. (72 percent of participants chose this option)  If Program B is adopted, there is 1/3 probability that 600 people will be saved, and 2/3 probability that nobody will be saved. (28 percent chose this option). If anyone makes a simple calculation, it is easy to find out these two choices actually end up with same results, but people are not good at making tradeoffs, they rely on their intuitions. This experiment reflects the fact that people are not good at making choices when they are facing real risks. On the other hand, security is an abstract concept in people’s mind [18]. More importantly, people do not wish to spend time on security. Security is a thing which generates costs but does not bring any additional profits in most people’s minds, and in order to improve the security level, the efficiency of operations usually decreases. As the result, people make worse decisions in order to make their life easier. For example, when an organization requires employees to use complicated passwords, employees end up writing down the passwords on a piece of paper and stick it on the computer monitor. Awareness training might be more important than purchasing more expensive firewalls and intrusion detection systems. During awareness training, it is essential to teach employees common techniques to validate email senders, and if there is any unsureness, the employee should contact security group first before making further decisions. On the other hand, awareness training should also teach employees how information security may bring you revenues. For example, if you invest $100,000 to conduct security trainings, and meanwhile, your competitors did not choose to do. When there is a ransomware targets at companies in your field, all of your competitors lost $500,000, and you only lost $200,000 because your previous security investments, and $300,000 is the money you “earned”. B. Back Up Your Data The battle between hackers and security professional has been lasting for decades. Keeping updating your software and antivirus tools is encouraged, but it is not the essential plan to solve the challenges from ransomwares. Cryptography nowadays is designed to be unbreakable within a feasible time frame. Although some encryption schemes are able to be broken theoretically, victims in real world cannot afford the loss for that long time. Efforts on trying to do decryptions are meaningless. Attackers want to extort money by making your files unavailable, but what if you do not care about losing the encrypted file. If your file is encrypted, the simplest way to recover it is to recover it from your backups. Maintaining backups has been recognized as the most efficient way against ransomware. According to KrebsonSecurity.com [19], in earlier this month, Methodist Hospital in Henderson, Kentucky was struck by a ransomware. This attack prevented healthcare providers from accessing patient files. The facility declared a “state of emergency” on Friday, but surprisingly on Monday, the hospital reported its systems were up and running. Methodist officials said they did not pay the ransom; instead, they had simply restored the hospital’s data from backups. According to Kaspersky Lab’s report [20], when designing the backup system, it is worth mentioning that some basic principles. First, backup files should be stored in a distributed system. If all backups are stored in a centralized environment,
  • 5.
    they could becompromised together under one attack; as the result, it is useless to keep backups. A good backup policy should include local backup, remote backup and offsite backup. Moreover, it is important to keep backups up to date. Technologies used to keep backups have been evolving these years. In the Kaspersky Lab’s Crypto Malware Countermeasures Subsystem [20], a local protected backup is made immediately every time a suspicious application tries to open a file. Although keeping backups are good strategies to save the hacked file, we are still acting reactively to ransomwares. In order to be proactive, there are countermeasures include signature comparison and sandbox deployment. C. Signature Comparison and Sandbox Deployment: Nowadays, every software publisher requires every genuine software to have a unique digital signature. This signature mechanism was designed to make everyone capable to verify if the software is modified. Security policies can also take the advantages of this signature to detect ransomwares. When a software is identified to be malicious, its signature will be put into a global blacklist. So the next time a computer detect a software’s signature is in a global blacklist, the system will just deny to execute the software. Meanwhile, if a software does not have a signature, the system should also mark it as a potential malware. This mechanism is efficient only when a malware has already been identified and stored in the blacklist, however it is obviously to see it is just too hard to keep every malware in a database [21]. Another good countermeasure is to isolate suspicious programs, that is to say to keep the malicious program in a special isolated space, so it cannot affect other files. This method is called sandbox and is widely deployed in current web services. However, as described before, some ransomwares have grown to have the ability to recognize if it is in a sandbox. If it figured out it is in a sandbox, it will not do any malicious operations and stay calm until find an opportunity to break out, but once it found out a way to get out, it will unpack its payload and conduct the real malicious behaviors. CryptoWall used this method to evade detection [22]. Although current ransomware has been developed the ability to bypass the traditional countermeasures, security engineers are also trying their best in keeping up their tracks. A new method was proposed recently by the Israel Cyber- Tech Startup Minerva Labs [23], which was to trick the malware into believing that it is always in the sandbox even when it is not. In this way the real payload of the ransomware will never be executed until anti-virus software finally recognize it as a malware and delete it. A more active way against ransomware is analyzing software’s behaviors. A system-level monitor should keep track of every process that is not totally trustworthy. The monitor analyzes each process’s file access and system call actions, and once a process tries to conduct suspicious operations, the monitor will call a delete function and prevent any malicious behaviors from happening. In this way, it is pretty efficient to prevent ransomwares because ransomwares have very distinct predictable behavior. The majority of ransomwares launches straightforward attack payloads: they use standard cryptography libraries to perform file encryptions. Then ransomwares delete files not wiping them off disks. These features help to detect ransomwares [24]. In Song, Kim and Lee’s paper, a technique was proposed by using statistical methods based on processor usage, memory usage and I/O rates, so that the process with abnormal behaviors can be detected and stopped in a timely manner. The cost of this implementation is believed to be low enough even to deploy it on mobile devices like Android smartphones [25]. In the past decade, technologies used in both ransomware and anti-ransomware have been evolving and advancing. This battle will not end in a short time, but security professionals will always find methods to protect people’s information assets. VI. CONCLUSION The rise of ransomware raises alerts in many aspects of information security aspects. Not only the technical parts, but also the importance of human factors. As we talked about the sophistication of hybrid encryption schemes ransomware uses, the key factor to be infected is about human errors. When security professionals build up more and more advanced security solutions, we now have to pay more attentions on improving people’s security awareness. Last but not the least, when we invented encryption schemes to protect ourselves, did we ever think about it could be used against us? REFERENCES [1] B. Giri, N. Jyoti, and M. AVERT, “The Emergence of Ransomware,” Auckland, 2006. [2] T. Mogg, "Hollywood hospital pays $17, 000 to ransomware hackers," in Computing, Digital Trends, 2016. [Online]. Available: http://www.digitaltrends.com/computing/hollywood-hospital- ransomware-attack/. Accessed: Apr. 18, 2016. [3] K. Wang, X. Chen, and Y. Xu, “A Brief Study of Trojan,” 2009. [4] M. Rajab, L. Ballard, P. Mavrommatis, N. Provos, and X. Zhao, “The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution,” Google Inc., 2010. [5] J. Wyke and A. Ajjan, "The Current State of Ransomware," in Sophos, 2015. [Online]. Available: https://www.sophos.com/en- us/medialibrary/PDFs/technical%20papers/sophos-current-state-of- ransomware.pdf. Accessed: Apr. 15, 2016. [6] N. Hampton and Z. Baig, “Ransomware: Emergence of the cyber- extortion menace,” in Australian Information Security Management Conference, Australia: Edith Cowan University, 2015. [7] A. Hansberry, A. Lasser, and A. Tarrh, “Cryptolocker: 2013’s Most Malicious Malware,” 2013. [8] V. Kotov and M. Rajpal, "Understanding Crypto-Ransomware," in Bromium, 2014. [Online]. Available: https://www.bromium.com/sites/default/files/bromium-report- ransomware.pdf. Accessed: Apr. 16, 2016. [9] F. Rashid, "Tasty Spam: Ransomware hiding behind resumes," in PCMag, PCMag, 2015. [Online]. Available: http://www.pcmag.com/article2/0,2817,2487177,00.asp. Accessed: Apr. 21, 2016. [10] "The Secret Behind CryptoWall’s Success," in Imperva, 2015. [Online]. Available:
  • 6.
    https://www.imperva.com/docs/IMPERVA_HII_CryptoWall_report.pdf. Accessed: Apr. 21,2016. [11] A. Barjon, "Analysing a Ransomware: Cryptolocker - Lexsi security hub," in Lexsi Security Hub, Lexsi Security Hub, 2015. [Online]. Available: https://www.lexsi.com/securityhub/analysing-ransomware- cryptolocker/?lang=en. Accessed: Apr. 25, 2016. [12] Q. Liao, “Ransomware: A Growing Threat to SMEs,” in Southwest Decision Science Institutes Annual Conference, Houston,(online), 2008. [13] L. Abrams, "Jigsaw Ransomware Decrypted: Will delete your files until you pay the ransom," BleepingComputer.com, 2016. [Online]. Available: http://www.bleepingcomputer.com/news/security/jigsaw- ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/. Accessed: Apr. 25, 2016. [14] J. Pagliery, "U.S. Hospitals are getting hit by hackers," in CNN, CNN, 2016. [Online]. Available: http://money.cnn.com/2016/03/23/technology/hospital-ransomware/. Accessed: Apr. 18, 2016. [15] J. W. Cox, "MedStar health turns away patients after likely ransomware cyberattack," in Washington Post, Washington Post, 2016. [Online]. Available: https://www.washingtonpost.com/local/medstar-health-turns- away-patients-one-day-after-cyberattack-on-its- computers/2016/03/29/252626ae-f5bc-11e5-a3ce- f06b5ba21f33_story.html. Accessed: Apr. 25, 2016. [16] S. Gallagher, "Kentucky hospital hit by ransomware attack," Ars Technica, 2016. [Online]. Available: http://arstechnica.com/security/2016/03/kentucky-hospital-hit-by- ransomware-attack/. Accessed: Apr. 25, 2016. [17] A. Tversky and D. Kahneman, “The framing of decisions and the psychology of choice,” Science, vol. 211, no. 4481, pp.453-458, Jan. 1981. [18] R. West, “The psychology of security,” Communications of the ACM, vol. 51, no. 4, pp. 34-40, Apr. 2008. [19] J. Gaige, "Hospital declares ‘internal state of emergency’ after Ransomware infection," in Krebs on Security, 2016. [Online]. Available: http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of- emergency-after-ransomware-infection/. Accessed: Apr. 18, 2016. [20] M. the Robot, "Kaspersky lab expert Andrey Pozhogin answers questions about ransomware," inKaspersky Lab Daily, 2015. [Online]. Available: https://blog.kaspersky.com/ask-expert-ransomware- epidemic/9332/. Accessed: Apr. 18, 2016. [21] B. Dickson, "How to deal with the rising threat of ransomware," in TechCrunch, TechCrunch, 2016. [Online]. Available: http://techcrunch.com/2016/04/16/how-to-deal-with-the-rising-threat-of- ransomware/. Accessed: Apr. 18, 2016. [22] B. Prince, "CryptoWall Ransomware cost victims more than $18 Million since april 2014: FBI," inSecurity Week, 2015. [Online]. Available: http://www.securityweek.com/cryptowall-ransomware-cost-victims- more-18-million-april-2014-fbi. Accessed: Apr. 25, 2016. [23] G. Avner, "Israeli Minerva Labs wins CyBox cyber security competition," in Geektime, Geektime, 2016. [Online]. Available: http://www.geektime.com/2016/01/28/israeli-minerva-labs-wins-cybox- cyber-security-competition-with-preventative-solution/. Accessed: Apr. 18, 2016. [24] E. Kirda, “Most Ransomware Isn’t As Complex As You Might Think,” blackhat, 2015 [25] S. Song, B. Kim, and S. Lee, “Effective Ransomware Prevention Technique using Process Monitoring on Android Platform.”