16 research outputs found

    A cyber-kill-chain based taxonomy of crypto-ransomware features

    In spite of being just a few years old, ransomware is quickly becoming a serious threat to our digital infrastructures, data and services. The majority of ransomware families request a ransom payment to restore custodian access or decrypt data which were encrypted by the ransomware earlier. Although the ransomware attack strategy seems to be simple, security specialists rank ransomware as a sophisticated attack vector with many variations and families. The wide range of features available in different families and versions of ransomware further complicates their detection and analysis. Though the existing body of research provides significant discussion of ransomware details and capabilities, the whole body of research is fragmented. Therefore, a ransomware feature taxonomy would advance cyber defenders’ understanding of the risks associated with ransomware. In this paper we provide, to the best of our knowledge, the first scientific taxonomy of ransomware features, aligned with the Lockheed Martin Cyber Kill Chain (CKC) model. CKC is a well-established model in industry that describes the stages of cyber intrusion attempts. To ease the challenge of applying our taxonomy in the real world, we also provide the corresponding ransomware defence taxonomy aligned with the Courses of Action matrix (an intelligence-driven defence model). We believe that this research study is of high value for the cyber security research community, as it provides researchers with a means of assessing the vulnerabilities and attack vectors towards the intended victims.

    Cyber kill chain

    The article is devoted to the study of the Cyber Kill Chain (CKC) model. The article discusses the terminology of the CKC model and its history. The stages of the model and their features are also presented. A detailed analysis of each stage was made. Based on the study, a diagram of the model was created for simplified understanding.

    Optimization of Investments in Cybersecurity: A Linear Programming Approach

    Cyber-attacks have globally escalated by 125% after the onset of the pandemic as businesses transitioned to online work setups. These cybercrimes incur significant costs. Consequently, organizations are giving heightened priority to cybersecurity investments, integrating them into their strategic decision-making. However, due to limited resources, a judicious approach is necessary, focusing on selective investment in effective mitigation strategies. This study addresses the challenge of optimally allocating investments among diverse cybersecurity measures to enhance cybersecurity efficacy while minimizing the risk of cyberattacks. Specifically, the study aims to anticipate potential losses based on breach likelihood and determine the optimal investment levels. The study employs a combination of machine learning (ML) and linear programming (LP) to determine suitable mitigation strategies for investment, considering constrained monetary resources. ML techniques, including Naïve Bayes and Decision Tree, assess breach likelihood and consequent losses. Subsequently, LP is employed to ascertain the most effective allocation of investments across different cybersecurity mitigation strategies, considering the constraints of monetary resources.

    Hermes ransomware v2.1 action monitoring using next generation security operation center (NGSOC) complex correlation rules

    A new piece of malware is identified every five seconds or less in today's threat environment, which is changing at a rapid speed. As part of cybercrime, there is a lot of malware activity that can infect a system and make it problematic. Cybercrime is a rapidly growing field, allowing cyber thieves to engage in a wide range of damaging activities. Hacking, scams, child pornography, and identity theft are all examples of cybercrime. Cybercrime victims might be single entities or groups of persons who are being targeted for harm. Cybercrime and malware become more hazardous and damaging because of these factors. Because of these factors, there is a need to construct Next Generation Security Operation Centers (NGSOCs). A SOC consists of human resources, processes, and technology designed to deal with security events derived from Security Incident Event Management (SIEM) log analysis. This research examines how Next Generation Security Operation Centers (NGSOCs) respond to malicious activity. This study develops a use case to detect the latest Hermes Ransomware v2.1 malware using complex correlation rules for the SIEM anomalies engine. This study aims to analyze and detect Hermes Ransomware v2.1. As a result, the NGSOC distinguishes the initial stages of malware activity by halting traffic attempts to download malware. By forwarding logs to the SIEM, the use case can support threat analysts in finding other Indicators of Compromise (IOC) to assist organizations in developing a systematic and more preemptive approach to ransomware detection.

    Ransomware anti-analysis and evasion techniques: a survey and research directions

    Ransomware has been proven to constitute a severe threat to the world's digital assets. Recovery of resources or devices from a crypto-ransomware infection is practically infeasible unless an error has been made in the malicious cryptographic implementation, as robust encryption is irreversible. This paper attempts to justify why designing and deploying an effective and efficient detective solution against this particular malware category represents a formidable technical challenge. The paper starts with a recent account of the ransomware epidemic, as reported by the security industry. Subsequently, a taxonomy of ransomware is presented. The anatomy of the malware's invariant intrusions and infection vectors is illustrated. In addition, the paper navigates and analyzes the various anti-analysis and evasive techniques that are deployable by ransomware. In every context enumerated in the narrative, the technical difficulty posed by this malware is illuminated. If a computer security researcher intends to devise a preventive solution against crypto-ransomware, or a predictive or proactive one, then it is imperative to have a sound perception of the technical challenges that will manifest prior to launching the proposed research project, so as to be equipped to tackle the anticipated problems. This paper concludes with an advance notice underscoring the resilience of ransomware intrusions and highlighting open research problems.

    RansomClave: Ransomware Key Management using SGX

    Modern ransomware often generates and manages cryptographic keys on the victim's machine, giving defenders an opportunity to capture exposed keys and recover encrypted data without paying the ransom. However, recent work has raised the possibility of future enclave-enhanced malware that could avoid such mitigations using emerging support for hardware-enforced secure enclaves in commodity CPUs. Nonetheless, the practicality of such enclave-enhanced malware and its potential impact on all phases of the ransomware lifecycle remain unclear. Given the demonstrated capacity of ransomware authors to innovate in order to better extort their victims (e.g. through the adoption of untraceable virtual currencies and anonymity networks), it is important to better understand the risks involved and identify potential mitigations. As a basis for comprehensive security and performance analysis of enclave-enhanced ransomware, we present RansomClave, a family of ransomware that securely manages its cryptographic keys using an enclave. We use RansomClave to explore the implications of enclave-enhanced ransomware for the key generation, encryption and key release phases of the ransomware lifecycle, and to identify potential limitations and mitigations. We propose two plausible victim models and analyse, from an attacker's perspective, how RansomClave can protect cryptographic keys from each type of victim. We find that some existing mitigations are likely to be effective during the key generation and encryption phases, but that RansomClave enables new trustless key release schemes that could potentially improve an attacker's profitability and, by extension, make enclaves an attractive target for future attackers.

    RENTAKA: A novel machine learning framework for crypto-ransomware pre-encryption detection

    Crypto ransomware is malware that locks its victim’s files for ransom using an encryption algorithm. Its popularity has risen at an alarming rate among the cyber community due to several successful worldwide attacks. The encryption employed has caused irreversible damage to victims’ digital files, even when the victim chose to pay the ransom. As a result, cybercriminals have found ransomware a lucrative and profitable cyber-extortion approach. Increasing computing power, memory, cryptography, and digital currency advancement have caused ransomware attacks. It spreads through phishing emails, encrypting sensitive data, and causing harm to the designated client. Most research in ransomware detection focuses on detection during the encryption and post-attack phases. However, the damage done by crypto-ransomware is almost impossible to reverse, and there is a need for an early detection mechanism. For early detection of crypto-ransomware, behavior-based detection techniques are the most effective. This work describes RENTAKA, a framework based on machine learning for the early detection of crypto-ransomware. The features extracted are based on the phases of the ransomware lifecycle. This experiment included five widely used machine learning classifiers: Naïve Bayes, kNN, Support Vector Machines, Random Forest, and J48. This study proposed a pre-encryption detection framework for crypto-ransomware using a machine learning approach. Based on our experiments, support vector machines (SVM) performed with the best accuracy and TPR, 97.05% and 0.995, respectively.

    Malware Resistant Data Protection in Hyper-connected Networks: A survey

    Data protection is the process of securing sensitive information from being corrupted, compromised, or lost. A hyperconnected network, on the other hand, is a computer networking trend in which communication occurs over a network. However, what about malware? Malware is malicious software meant to penetrate private data, threaten a computer system, or gain unauthorised network access without the user's consent. Due to the increasing applications of computers and dependency on electronically saved private data, malware attacks on sensitive information have become a dangerous issue for individuals and organizations across the world. Hence, malware defense is critical for keeping our computer systems and data protected. Many recent survey articles have focused on either malware detection systems or single attacking strategies separately. To the best of our knowledge, no survey paper demonstrates malware attack patterns and defense strategies in combination. Through this survey, this paper aims to address this issue by merging diverse malicious attack patterns and machine learning (ML) based detection models for modern and sophisticated malware. In doing so, we focus on the taxonomy of malware attack patterns based on four fundamental dimensions: the primary goal of the attack, method of attack, targeted exposure and execution process, and types of malware that perform each attack. Detailed information on malware analysis approaches is also investigated. In addition, existing malware detection techniques employing feature extraction and ML algorithms are discussed extensively. Finally, it discusses research difficulties and unsolved problems, including future research directions. Comment: 30 pages, 9 figures, 7 tables, nowhere submitted yet.

    DECEPTION BASED TECHNIQUES AGAINST RANSOMWARES: A SYSTEMATIC REVIEW

    Ransomware is the most prevalent emerging business risk nowadays. It seriously affects business continuity and operations. According to the Deloitte Cyber Security Landscape 2022, up to 4000 ransomware attacks occur daily, while the average number of days an organization takes to identify a breach is 191. Sophisticated cyber-attacks such as ransomware typically must go through multiple consecutive phases (initial foothold, network propagation, and action on objectives) before accomplishing their final objective. This study analyzed decoy-based solutions as an approach (detection, prevention, or mitigation) to overcome ransomware. A systematic literature review was conducted, the results of which have shown that deception-based techniques have given effective and significant performance against ransomware with minimal resources. It is also identified that, contrary to general belief, deception techniques mainly involved in passive approaches (i.e., prevention, detection) possess other active capabilities such as ransomware traceback and obstruction (thwarting), file decryption, and decryption key recovery. Based on the literature review, several evaluation methods are also analyzed to measure the effectiveness of these deception-based techniques during the implementation process.

    Majority Voting Ransomware Detection System

    Crypto-ransomware remains a significant threat to governments and companies alike, with high-profile cyber security incidents regularly making headlines. Many different detection systems have been proposed as solutions to the ever-changing dynamic landscape of ransomware detection. In the majority of cases, these described systems propose a method based on the result of a single test performed on either the executable code, the process under investigation, its behaviour, or its output. In a small subset of ransomware detection systems, the concept of a scorecard is employed where multiple tests are performed on various aspects of a process under investigation and their results are then analysed using machine learning. The purpose of this paper is to propose a new majority voting approach to ransomware detection by developing a method that uses a cumulative score derived from discrete tests based on calculations using algorithmic rather than heuristic techniques. The paper describes 23 candidate tests, as well as 9 Windows API tests, which are validated to determine both their accuracy and viability for use within a ransomware detection system. Using a cumulative score calculation approach to ransomware detection has several benefits, such as immunity to the occasional inaccuracy of individual tests when making its final classification. The system can also leverage multiple tests that can be both comprehensive and complementary in an attempt to achieve a broader, deeper, and more robust analysis of the program under investigation. Additionally, the use of multiple collaborative tests also significantly hinders ransomware from masking or modifying its behaviour in an attempt to bypass detection. The results achieved by this research demonstrate that many of the proposed tests achieved a high degree of accuracy in differentiating between benign and malicious targets, and suggestions are offered as to how these tests, and combinations of tests, could be adapted to further improve the detection accuracy.