
    Detecting Ransomware with Honeypot Techniques


    Analysis of encryption schemes in modern ransomware

    In the past few years, ransomware activity has increased. As new variants and families of ransomware are developed, security systems have to keep up. A well-designed encryption system is at the heart of ransomware, and even a small mistake in the algorithm can break it. This paper analyzes 10 ransomware samples from various families. The goal of the analysis is to describe the encryption schemes used in current ransomware. This includes key generation and storage, symmetric and asymmetric ciphers, and their chosen implementation.

    Ransomware: Current Trend, Challenges, and Research Directions

    Ransomware attacks have become a global phenomenon, with the primary aim of making monetary gains through illicit means. The attacks started through e-mail and have expanded through spamming and phishing. Ransomware encrypts targets' files and displays notifications requesting payment before the data can be unlocked. The ransom demand is usually in the form of virtual currency, bitcoin, because it is difficult to track. In this paper, we give a brief overview of the current trend, challenges, and research progress in the bid to find lasting solutions to the menace of ransomware that currently challenges computer and network security and data privacy.

    A note on different types of ransomware attacks

    Ransomware is malware whose purpose is to generate income for the attacker. The first of these malware made intense use of cryptography, specifically for file encryption. They encrypt some or most files on the computer before asking for a ransom for the decryption. Since they appeared, however, ransomware has evolved into different types which fulfill their task in different ways. Some encrypt files and data from the hard drive, others block access to the OS or use private user data to blackmail the user, and some aren't even a real threat but scare the user into paying for some fake service or software. The software security industry is well aware of these threats and is constantly analyzing the new versions and types to determine how dangerous they are and to provide an updated protection solution. This article investigates and compares the way these malware work and how they affect the victim's computer. Our analysis provides insight into how they work, highlights the particularities of ransomware, and gives some information about why some of these malware are more dangerous than others.

    Know abnormal, find evil: frequent pattern mining for ransomware threat hunting and intelligence

    The emergence of crypto-ransomware has significantly changed the cyber threat landscape. Crypto-ransomware removes data custodian access by encrypting valuable data on victims' computers and requests a ransom payment to reinstate custodian access by decrypting the data. Timely detection of ransomware very much depends on how quickly and accurately system logs can be mined to hunt abnormalities and stop the evil. In this paper we first set up an environment to collect activity logs of 517 Locky ransomware samples, 535 Cerber ransomware samples and 572 samples of TeslaCrypt ransomware. We utilize Sequential Pattern Mining to find Maximal Frequent Patterns (MFP) of activities within different ransomware families as candidate features for classification using J48, Random Forest, Bagging and MLP algorithms. We achieve 99% accuracy in detecting ransomware instances from goodware samples and 96.5% accuracy in detecting the family of a given ransomware sample. Our results indicate the usefulness and practicality of applying pattern mining techniques to the detection of good features for ransomware hunting. Moreover, we show the existence of distinctive frequent patterns within different ransomware families which can be used to identify a ransomware sample's family, building intelligence about threat actors and the threat profile of a given target.

    Dynamic Opcode Analysis of Ransomware


    Operating systems used by clients of the network of the Universidad Cooperativa de Colombia, Villavicencio campus

    The purpose of this research was to generate an awareness strategy among the students, administrative staff and faculty of the systems engineering program of the Universidad Cooperativa de Colombia, Villavicencio campus, about the risks present at the moment they connect their computing devices to the university's networks. For this, a pilot characterization was carried out, in which it was examined what users knew about some information security terms. Through the analysis of the data obtained, it was possible to identify the possible risks to which users of the UCC networks were exposed. This work proposes a strategy to mitigate the detected risks and shares these results with the academic community affected by the pilot. In conclusion, many similarities can be observed between the data obtained in the survey conducted and the statistics available on the Internet about devices and operating systems that connect to the Internet. Although total security cannot be guaranteed when connecting to a network, education and knowing about the risks we generate remain the most efficient way to strengthen the weakest link in the chain, allowing this risk to be minimized through the use of good information security practices.

    A proposed adaptive pre-encryption crypto-ransomware early detection model

    Crypto-ransomware is malware that uses the system's cryptography functions to encrypt user data. The irreversible effect of crypto-ransomware makes it challenging to survive the attack compared to other malware categories. When a crypto-ransomware attack encrypts user files, it becomes difficult to access these files without having the decryption key. Due to the availability of ransomware development tool kits like Ransomware as a Service (RaaS), many ransomware variants are being developed. This contributes to the rise of ransomware attacks witnessed nowadays. However, the conventional approaches employed by malware detection solutions are not suitable for detecting ransomware. This is because ransomware needs to be detected as early as possible, before the encryption takes place. These attacks can effectively be handled only if detected during the pre-encryption phase. Early detection of ransomware attacks is challenging due to the limited amount of data available before encryption. An adaptive pre-encryption model is proposed in this paper which is expected to deal with the population concept drift of crypto-ransomware given the limited amount of data collected during the pre-encryption phase of the attack lifecycle. With such adaptability, the model can maintain up-to-date knowledge about the attack behavior and identify polymorphic ransomware that continuously changes its behavior.