Ransomware Appeared in 2019

Ransomware has become a form of electronic warfare and cybercrime, which is increasing day by day due to the large revenue of money it has generated, which estimated at millions of dollars. The act of paying or refusing it also poses another challenge to the countries and organizations, as their laws and regulations say not to pay the extortionists, but in return, to the needs of these organizations for their data, it will respond to the blackmailers and pay the ransom, which encouraged the extortionists to produce much dangerous ransomware.A part of the results in this paper includes the timeline for the most ransomware that appeared in 2019, such that the paper listed nine ransomware this year, started by (Mega Cortex) which appeared in January 2019, and ended by (Double Extortion) which appeared in November from the same year. In addition, the study found that: most of the ransomware uses a combination of three algorithms, like REvil and NetWalker, which use (RSA-2048, ECDH, and Chacha20) algorithms, while most of the ransomware jointly uses the RSA & AES algorithms. In addition, the paper pointed out that: REvil and LockBit2.0 have the largest amounts of ransoms, which is ($50) million for each one, instead (DoppelPaymer) has the lowest ransom which is ($1.2) million. While CLOP, REvil, and LockBit2.0 are the most dangerous ransomware in 2019, because of their wide separation and attacks in many countries in Europe, Asia, and USA. Keywords: Cyberattack, Ransomware, Ransom, Encryption, AES, RSA, RC4 DOI: 10.7176/CEIS/10-1-02 Publication date:September 30th 202

Understanding the Role of Leadership Competencies in Cyber Crisis Management: A Case Study

The amount and severity of cyber-attacks has been constantly increasing in recent years, and the number of cyber-related organizational crises grew accordingly. Despite the relevance of the topic, the literature on the subject is still limited, especially from a non-technical point of view. In the context of leadership, traditional crisis management literature identified specific competencies that organizations can leverage to mitigate the effects of a crisis, but there is a research gap as to whether or not these capabilities make sense in a cyber crisis context. This study aims to bridge this gap by analyzing the case of Norsk Hydro – a Norwegian company that in 2019 fell victim of a disruptive ransomware attack – through the lenses of a traditional crisis leadership model

Operations-informed incident response playbooks

Cyber security incident response playbooks are critical for establishing an effective incident response capability within organizations. We identify a significant conceptual gap in the current research and practice of cyber security playbook design: the lack of ability to communicate the operational impact of an incident and of incident response on an organization. In this paper, we present a mechanism to address the gap by introducing the operational context into an incident response playbook. This conceptual contribution calls for a shift from playbooks that consist only of process models to playbooks that consist of process models closely linked with a model of operations. We describe a novel approach to embed a model of operations into the incident response playbook and link it with the playbook's incident response activities. This allows to reflect, in an accurate and systematic way, the interdependencies and mutual influences of incident response activities on operations and vice versa. The approach includes the use of a new metric for evaluating the change in operations in coordination with critical thresholds, supporting decision-making during cyber security incident response. We demonstrate the application of the proposed approach to playbook design in the context of a ransomware attack incident response, using a newly developed open-source tool

Cryptographic ransomware encryption detection: Survey

The ransomware threat has loomed over our digital life since 1989. Criminals use this type of cyber attack to lock or encrypt victims' data, often coercing them to pay exorbitant amounts in ransom. The damage ransomware causes ranges from monetary losses paid for ransom at best to endangering human lives. Cryptographic ransomware, where attackers encrypt the victim's data, stands as the predominant ransomware variant. The primary characteristics of these attacks have remained the same since the first ransomware attack. For this reason, we consider this a key factor differentiating ransomware from other cyber attacks, making it vital in tackling the threat of cryptographic ransomware. This paper proposes a cyber kill chain that describes the modern crypto-ransomware attack. The survey focuses on the Encryption phase as described in our proposed cyber kill chain and its detection techniques. We identify three main methods used in detecting encryption-related activities by ransomware, namely API and System calls, I/O monitoring, and file system activities monitoring. Machine learning (ML) is a tool used in all three identified methodologies, and some of the issues within the ML domain related to this survey are also covered as part of their respective methodologies. The survey of selected proposals is conducted through the prism of those three methodologies, showcasing the importance of detecting ransomware during pre-encryption and encryption activities and the windows of opportunity to do so. We also examine commercial crypto-ransomware protection and detection offerings and show the gap between academic research and commercial applications

Predictors of Ransomware From Binary Analysis

Ransomware, a type of malware that extorts payment from a victim by encrypting her data, is a growing threat that is becoming more sophisticated with each generation. Attackers have shifted from targeting individuals to entire organizations, raising extortions from hundreds of dollars to hundreds of thousands of dollars. In this work, we analyze a variety of ransomware and benign software binaries in order to identify indicators that may be used to detect ransomware. We find that several combinations of strings, cryptographic constants, and a large number loops are key indicators useful for detecting ransomware

Automated security analysis in a SCADA system

Supervisory control and data acquisition (SCADA) is a computer system for analysing, and monitoring data, as well as, controlling a plant in industries such as power grids, oil, gas refining, and water control. SCADA belongs to the category of critical systems that are needed to maintain the infrastructure of cities and households. Therefore, the security aspect of such a system has a significant role. The early SCADA systems were designed with the operation as the primary concern rather than security since they were a monolithic networked system without external access. However, the systems evolved, and SCADA systems were embedded with web technologies for users to monitor the data externally. These changes improved the efficiency of monitoring and productivity; however, this caused a problem of potential cyber-attacks to a SCADA system. One such example was Ukraine's power grid blackout in 2015. Therefore, it is beneficial for the security of a SCADA system to create a threat modeling technique that can understand the critical components of SCADA, discover potential threats, and propose possible mitigation strategies. One issue when creating a threat model is the significant difference of SCADA from traditional Operational Technology (OT) systems. Another significant issue is that SCADA is a highly customisable system, and each SCADA instance can have different components. Therefore, for this work, we implemented a threat modeling language scadaLang, which is specific to the domain of a SCADA system. We started by defining the major assets of a SCADA system, attackers, entry surfaces, and built attacks and defense strategies. Then we developed a threat modeling domain-specific language scadaLang that can create a threat model for a particular instance of SCADA taking the differences in components and connections into account. As a result, we achieved a threat modeling language for SCADA, ensured the reliability of the results by peer-reviewing of an engineer familiar with the domain of the problem, and proposed a Turing test to ensure the validity of the result of scadaLang as the future development of the project

Generating Threat Intelligence based on OSINT and a Cyber Threat Unified Taxonomy

Tese de mestrado em Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2020As ameaças cibernéticas atuais utilizam múltiplos meios de propagação, tais como a engenharia social, vulnerabilidades de e-mail e aplicações e, muitas vezes, operam em diferentes fases, tais como o comprometimento de um único dispositivo, o movimento lateral na rede e a exfiltração de dados. Estas ameaças são complexas e dependem de táticas bem avançadas, por forma a passarem despercebidas nas defesas de segurança tradicionais, como por exemplo firewalls. Um tipo de ameaças que tem tido um impacto significativo na ascensão do cibercrime são as ameaças persistentes avançadas (APTs), as quais têm objetivos claros, são altamente organizadas, têm acesso a recursos praticamente ilimitados e tendem a realizar ataques ocultos por longos períodos e com múltiplas tentativas. À medida que as organizações têm tido consciência que os ciberataques estão a aumentar em quantidade e complexidade, a utilização de informação sobre ciberameaças está a ganhar popularidade para combater tais ataques. Esta tendência tem acompanhado a evolução das APTs, uma vez que estas exigem um nível de resposta diferente e mais específico a cada organização. A informação sobre ciberameaças pode ser obtida de diversas fontes e em diferentes formatos, sendo a informação de fonte aberta (OSINT) uma das mais comuns. Também pode ser obtida por plataformas especificas de ameaças (TIPs) que ajudam a consumir, produzir e partilhar informações sobre ciberameaças. As TIPs têm múltiplas vantagens que permitem às organizações explorar facilmente os principais processos de recolha, enriquecimento e partilha de informações relacionadas com ameaças. No entanto, devido ao elevado volume de informação OSINT recebido por dia e às diversas taxonomias existentes para classificação de ciberameaças provenientes do OSINT, as TIPs atuais apresentam limitações de processamento desta, capaz de produzir informação inteligente (threat intelligence, TI) de qualidade que seja útil no combate de ciberataques, impedido assim a sua adoção em massa. Por sua vez, os analistas de segurança desperdiçam um tempo considerável em analisar o OSINT e a classificá-lo com diferentes taxonomias, por vezes, correspondentes a ameaças da mesma categoria. Esta dissertação propõe uma solução, denominada Automated Event Classification and Correlation Platform (AECCP), para algumas das limitações das TIPs mencionadas anteriormente e relacionadas com a gestão do conhecimento de ameaças, a triagem de ameaças, o elevado volume de informação partilhada, a qualidade dos dados, as capacidades de análise avançadas e a automatização de tarefas. Esta solução procura aumentar a qualidade da TI produzidas por TIPs, classificando-a em conformidade com um sistema de classificação comum, removendo a informação irrelevante, ou seja, com baixo valor, enriquecendo-a com dados importantes e relevantes de fontes OSINT, e agregando-a em eventos com informação semelhante. O sistema de classificação comum, denominado de Unified Taxonomy, foi definido no âmbito desta dissertação e teve como base uma análise de outras taxonomias públicas conhecidas e utilizadas na partilha de TI. O AECCP é uma plataforma composta por componentes que podem trabalhar em conjunto ou individualmente. O AECCP compreende um classificador (Classifier), um redutor de informação irrelevante (Trimmer), um enriquecedor de informação baseado em OSINT (Enricher) e um agregador de agregador de eventos sobre a mesma ameaça, ou seja, que contêm informação semelhante (Clusterer). O Classifier analisa eventos e, com base na sua informação, classifica-os na Unified Taxonomy, por forma a catalogar eventos ainda não classificados e a eliminar a duplicação de taxonomias com o mesmo significado de eventos previamente classificados. O Trimmer elimina a informação menos pertinente dos eventos baseando-se na classificação do mesmo. O Enricher enriquece os eventos com dados externos e provenientes de OSINT, os quais poderão conter informação importante e relacionada com a informação já presente no evento, mas não contida no mesmo. Por último, o Clusterer agrega eventos que partilham o mesmo contexto associado à classificação de cada um e à informação que estes contêm, produzindo aglomerados de eventos que serão combinados num único evento. Esta nova informação garantirá aos analistas de segurança o acesso e fácil visibilidade a informação relativa a eventos semelhantes aos que estes analisam. O desenho da arquitetura do AECCP, foi fundamentado numa realizada sobre três fontes públicas de informação que continham mais de 1100 eventos de ameaças de cibersegurança partilhados por 24 entidades externas e colecradas entre os anos de 2016 e 2019. A Unified Taxonomy utilizada pelo Classifier, foi produzida com base na análise detalhada das taxonomias utilizadas por estes eventos e nas taxonomias mais utilizadas na comunidade de partilha de TI sobre ciberameaças. No decorrer desta análise foram também identificados os atributos mais pertinentes e relevantes para cada categoria da Unified Taxonomy, através da agregação da informação em grupos com contexto semelhante e de uma análise minuciosa da informação contida em cada um dos mais de 1100 eventos. A dissertação, também, apresenta os algoritmos utilizados na implementação de cada um dos componentes que compõem o AECCP, bem como a avaliação destes e da plataforma. Na avaliação foram utilizadas as mesmas três fontes de OSINT utilizadas na análise inicial, no entanto, com 64 eventos criados e partilhados mais recentemente que os utilizados nessa análise. Dos resultados, foi possível verificar um aumento de 72% na classificação dos eventos, um aumento médio de 54 atributos por evento, com uma redução nos atributos com pouco valor e aumento superior de atributos com maior valor, após os eventos serem processados pelo AECCP. Foi também possível produzir 24 eventos agregados, enriquecidos e classificados pelos outros componentes do AECCP. Por último, foram processados pelo AECCP 6 eventos com grande volume de informação produzidos por uma plataforma externa, denominada de PURE, onde foi possível verificar que o AECCP é capaz de processar eventos oriundos de outras plataformas e de tamanho elevando. Em suma, a dissertação apresenta quatro contribuições, nomeadamente, um sistema de classificação comum, a Unified Taxonomy, os atributos mais pertinentes para cada uma das categorias da Unified Taxonomy, o desenho da arquitetura do AECCP composto por 4 módulos (Classifier, Trimmer, Enricher e Clusterer) que procura resolver 5 das limitações das atuais TIPs (gestão do conhecimento de ameaças, a triagem de ameaças, o elevado volume de informação partilhada, a qualidade dos dados e as capacidades de análise avançadas e a automatização de tarefas) e a sua implementação e avaliação.Today’s threats use multiple means of propagation, such as social engineering, email, and application vulnerabilities, and often operate in different phases, such as single device compromise, network lateral movement and data exfiltration. These complex threats rely on well-advanced tactics for appearing unknown to traditional security defences. One type that had a major impact in the rise of cybercrime are the advanced persistent threats (APTs), which have clear objectives, are highly organized and well-resourced and tend to perform long term stealthy campaigns with repeated attempts. As organizations realize that attacks are increasing in size and complexity, threat intelligence (TI) is growing in popularity and use amongst them. This trend followed the evolution of the APTs as they require a different level of response that is more specific to the organization. TI can be obtained via many formats, being open source intelligence (OSINT) one of the most common; and using threat intelligence platforms (TIPs) that aid organization consuming, producing and sharing TI. TIPs have multiple advantages that enable organisations to easily bootstrap the core processes of collecting, normalising, enriching, correlating, analysing, disseminating and sharing of threat related information. However, current TIPs have some limitations that prevents theirs mass adoption. This dissertation proposes a solution to some of these limitations related with threat knowledge management, limited technology enablement in threat triage, high volume of shared threat information, data quality and limited advanced analytics capabilities and tasks automation. Overall, our solution improves the quality of TI by classifying it accordingly a common taxonomy, removing the information with low value, enriching it with valuable information from OSINT sources, and aggregating it into clusters of events with similar information. This dissertation offers a complete data analysis of three OSINT feeds and the results that made us to design our solution, a detailed description of the architecture of our solution, its implementations and its validation, including the processing of events from other academic solutions

Ethical Issues in cybersecurity: employing red teams, responding to ransomware attacks and attempting botnet takedowns

The following four research questions are analysed in this thesis: What are the ethical issues that arise in cybersecurity in the business domain? Is it ethically appropriate for organisations to employ red teams to find security vulnerabilities? What is the ethically appropriate organisational response to a ransomware attack? Is it ethically appropriate for organisations to attempt a botnet takedown in response to a DDoS attack? The first research question is answered by way of a literature review which reveals that many ethical issues arise in cybersecurity in the business domain. The second, third and fourth research questions are analysed using a strategic method described by Robert A Phillips. This method, based on stakeholder theory and the political theory of John Rawls, provides a philosophical basis for stakeholder legitimacy and the prioritisation of stakeholders’ interests should conflict of interests amongst stakeholders arise. This method can be replicated by decision-makers to determine ethically appropriate courses of action to take

Developing a usable security approach for user awareness against ransomware

This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University LondonThe main purpose of the research presented in this thesis is to design and develop a game prototype for improving user awareness against ransomware, which has been reported as the most significant cyber security threat to the United Kingdom by the National Cyber Security Centre. Digital transformation is helping individuals, organisations, governments and Industrial control systems to modernise and improve their effectiveness. At the same time, cyber crimes are evolving and targeting essential services. A successful cyber attack can compromise users’ privacy, bring bad publicity and financial damage to organisations and target national security. A literature review was conducted to understand threats to the cyber social system. Literature in this thesis reports attackers exploit humans as the weakest link to execute successful security breaches. Therefore to address this challenge, a significant gap has been identified as an opportunity to contribute to user awareness of the ransomware cyber security threat. The current thesis proposes RansomAware a novel game prototype to improve user awareness. The game is based on Technology Threat Avoidance Theory (TTAT) model. In this thesis two studies are carried out, study 1 empirically validates the elements of TTAT to be embedded in the RansomAware prototype and reports a significant change in users’ motivation to avoid ransomware cyber security threat 55% and avoidance behaviour 29%, whereas study 2 evaluates game usability and report significant results of SUS average score of 87.58 and statistical results of p < 0.01 indicate user’s satisfaction of the RansomAware. Finally, the research provides guidelines on how the proposed RansomAware game can be adopted by practitioners and individuals to improve their awareness against the ransomware cyber security threat