14 research outputs found

    Ransomware and Malware Sandboxing

    The threat of ransomware that encrypts data on a device and demands payment to decrypt it affects individual users, businesses, and vital systems including healthcare, and has become increasingly prevalent in the past few years. To understand ransomware through malware analysis, care must be taken to sandbox the sample in an environment that allows detailed and comprehensive analysis while also preventing it from spreading further. Modern malware often takes measures to detect whether it has been placed into an analysis environment in order to prevent examination. In this work, several notable pieces of ransomware were placed into sandbox environments to discover how they obfuscate themselves to evade analysis and to determine how they propagate. The goal of the work is to identify and understand how these obfuscation and propagation techniques function in a sandbox, so that mitigation methods can be developed.

    Protection techniques against ransomware-type digital threats on Windows platforms

    Undergraduate final project, submitted for the degree of Bachelor in the Computer Science programme of the Universidade do Extremo Sul Catarinense, UNESC. With the advent of an ever more connected world, many security gaps open up for cybercriminals. Electronic crime is today the greatest challenge facing any company in the world, and the problem is reflected in the numbers, reaching trillions of dollars in annual losses. This work aims to carry out an experimental evaluation of tools against ransomware threats. The experiments were conducted using two tools, one specific to ransomware protection and one antivirus. Two samples of known ransomware were used to run the tests. The results showed that, in general, modern tools have what is needed to protect devices from these threats.

    Secure Storage Model for Digital Forensic Readiness

    Securing digital evidence is a key factor that contributes to evidence admissibility during digital forensic investigations, particularly in establishing the chain of custody of digital evidence. However, not enough is done to ensure that the environment and access to the evidence are secure. Attackers can go to extreme lengths to cover up their tracks, which is a serious concern to digital forensics – particularly digital forensic readiness. If an attacker gains access to the location where evidence is stored, they could easily alter the evidence (if not remove it altogether). Even though integrity checks can be performed to ensure that the evidence is sound, the collected evidence may contain sensitive information that an attacker can easily use for other forms of attack. To this end, this paper proposes a model for securely storing digital evidence captured pre- and post-incident to achieve reactive forensics. Various components were considered, such as integrity checks, environment sandboxing, strong encryption, two-factor authentication, as well as unique random file naming. A proof-of-concept tool was developed to realize this model and to prove its validity. A series of tests were conducted to check for system security, performance, and requirements validation. Overall, the results obtained showed that, with minimal effort, securing forensic artefacts is a relatively inexpensive and reliable feat. This paper aims to standardize evidence storage, practice high security standards, as well as remove the need to create new systems that achieve the same purpose.


    RanAware, analysis and detection of ransomware on Windows systems

    In the past few years the use of computers has increased significantly with the introduction of home office policies during the pandemic. This growth has been accompanied by malware attacks, and ransomware in particular. Therefore, it is mandatory to have a system able to protect against, prevent and reduce the impact that this type of malware has on an organization. RanAware is a tool that performs early ransomware detection based on recording file system operations. This information allows RanAware to monitor activity on the file system and to collect and process statistics used to determine the presence of ransomware in the system. After detection, RanAware handles the termination and isolation of the malicious program as well as the creation of an activity report of the ransomware's operations. In addition, this project evaluates the impact that RanAware has on a system.

    Cashing out crypto: state of practice in ransom payments

    The fast pace of blockchain technology and cryptocurrencies’ evolution makes people vulnerable to financial fraud and provides a relatively straightforward monetisation mechanism for cybercriminals, in particular ransomware groups which exploit crypto’s pseudo-anonymity properties. At the same time, regulatory efforts for addressing crimes related to crypto assets are emerging worldwide. In this work, we shed light on the current state of practice of ransomware monetisation to provide evidence of their payment traceability, explore future trends, and—above all—showcase that over-regulating cryptocurrencies is not the best way to mitigate their risks. For that purpose, first, we provide an overview of the legislative initiatives currently taken by the USA, the EU, and the OECD to regulate cryptocurrencies, showing that strict laws and the divergences between the regulatory regimes can hardly efficiently regulate the global phenomenon of cryptocurrency, which transcends borders and states. Next, we focus on illicit payments in bitcoin to ransomware groups, illustrating how these payments are siphoned off and how criminals cash out the ransom, often leaving traceable evidence behind. To this end, we leverage a publicly available dataset and a set of state-of-the-art blockchain analysis tools to identify payment patterns, trends, and transaction trails, which are provided in an anonymised form. Our work reveals that a significant amount of illicit bitcoin transactions can be easily traced, and consequently, many cyber crimes like ransomware can actually be tracked down and investigated with existing tools and laws, thus providing fertile ground for better and fairer legislation on crypto.

    A methodological scheme supported by a software tool for the detection and prevention of crypto-ransomware on a workstation

    In recent years, ransomware has proven to be a security threat to companies and individuals. This is because detection and prevention methods are insufficient and ransomware variants behave differently depending on the attack vectors they use to compromise a machine, so understanding the behaviour and operation of the large number of variants is complicated. In this research, 22 representative samples were taken and tested in a controlled environment in order to understand the ransomware life cycle. The proposed methodology for ransomware detection and prevention was built on the existing scientific basis of the different ransomware detection and prevention methods, supported by a software tool developed in the Python programming language and the scalable logical framework called Malice, minimising the negative impact that ransomware has on companies and homes. The research presents the formulation of a methodological scheme for the detection and prevention of crypto-ransomware, developed by surveying the existing methods and determining their effectiveness in detecting and preventing ransomware. It began with the selection and characterisation of the most common ransomware criteria and variables through dynamic analysis of the ransomware variants used, in order to understand the origin and evolution of this malware. Once the behaviour of ransomware was understood, the actions that counter the behaviour patterns of each ransomware variant were grouped together, and from there the conceptualisation of the different ransomware detection and prevention methods began, leading to the design of a methodological scheme that brought together all the methods or actions for detecting and preventing ransomware on a workstation.
    Finally, development of a software tool based on some of the methods proposed in the methodological scheme was started, and the effectiveness of the detection and prevention method was assessed against the established behaviour patterns. The proposed solution generated new mechanisms for the prevention and detection of new types of crypto-ransomware.

    Deception in double extortion ransomware attacks: An analysis of profitability and credibility

    Ransomware attacks have evolved with criminals using double extortion schemes, where they signal data exfiltration to inflate ransom demands. This development is further complicated by information asymmetry, where victims are compelled to respond to ambiguous and often deceptive signals from attackers. This study explores the complex interactions between criminals and victims during ransomware attacks, especially focusing on how data exfiltration is communicated. We use a signaling game to understand the strategies both parties use when dealing with uncertain information. We identify five distinct equilibria, each characterized by the criminals' varied approaches to signaling data exfiltration, influenced by the strategic parameters inherent in each attack scenario. Calibrating the game parameters with real-world like values, we identify the most probable equilibrium, offering insights into anticipated ransom amounts and corresponding payoffs for both victims and criminals. Our findings suggest criminals are likely to claim data exfiltration, true or not, highlighting a strategic advantage for intensifying attack efforts. The study underscores the need for victims' caution towards criminals' claims and highlights the unintended consequences of policies making false claims costlier for criminals.

    Ransomware from yesterday to today development and future

    98 pages
    Ransomware has emerged in recent years as a global threat that seriously affects both institutions and individuals and causes them real harm. This type of software, also known as extortionware, is defined as malicious software used by cyber attackers who take over their victims' machines by encrypting or locking them and state that they will hand over the decryption key in exchange for payment of a certain fee. Ransomware particularly affects victims who do not follow proper update and backup procedures and who lack an adequate cybersecurity infrastructure. Although it first appeared 30 years ago, the level of automation reached in recent years, together with the indispensable dependence on information technology, has raised its importance to the top and kept it there. Affecting billions of users worldwide and causing billions of dollars in loss and damage, ransomware has become one of the flagship lines of business for global criminal organisations, alongside arms or drug trafficking. Ransomware attacks have continued to have a considerable impact up to the present day and have signalled that they will pose a serious threat in the future as well. Considering that this software takes institutions and individuals as its potential target group and that the total number of devices is in the billions, it is an undeniable reality that this subject must be at the centre of research and investment.
    In this thesis, taking the development of ransomware into account, the common and unusual methods used in ransomware were examined and a preliminary analysis was carried out for the ransomware world of the future. The thesis was written to shed light on what corporate companies, public institutions and individuals in the technology world of the future should pay attention to because of these harmful effects, and what they should take into account in shaping their future. It will also reveal gaps in the literature for future academic studies. In addition, it aims to draw the attention of individuals and institutions that have so far remained indifferent to ransomware to the devastating consequences of this issue. The first chapter of the thesis presents general information about ransomware, the second its effects, the third the future of ransomware, the fourth the measures that can be taken, and the final chapter an overall evaluation and recommendations.

    An ensemble-based anomaly-behavioural crypto-ransomware pre-encryption detection model

    Crypto-ransomware is malware that leverages cryptography to encrypt files for extortion purposes. Even after neutralizing such attacks, the targeted files remain encrypted. This irreversible effect on the target is what distinguishes crypto-ransomware attacks from traditional malware. Thus, it is imperative to detect such attacks during the pre-encryption phase. However, existing crypto-ransomware early detection solutions are not effective due to inaccurate definition of the pre-encryption phase boundaries, insufficient data at that phase and the misuse-based approach that the solutions employ, which is not suitable for detecting new (zero-day) attacks. Consequently, those solutions suffer from low detection accuracy and high false alarm rates. Therefore, this research addressed these issues and developed an Ensemble-Based Anomaly-Behavioural Pre-encryption Detection Model (EABDM) to overcome data insufficiency and improve detection accuracy for known and novel crypto-ransomware attacks. In this research, three phases were used in the development of EABDM. In the first phase, a Dynamic Pre-encryption Boundary Definition and Features Extraction (DPBD-FE) scheme was developed by incorporating Rocchio feedback and a vector space model to build a pre-encryption boundary vector. Then, an improved term frequency-inverse document frequency technique was utilized to extract the features from runtime data generated during the pre-encryption phase of the crypto-ransomware attack lifecycle. In the second phase, a Maximum of Minimum-Based Enhanced Mutual Information Feature Selection (MM-EMIFS) technique was used to select the informative feature set and prevent overfitting caused by high-dimensional data. MM-EMIFS utilized the developed Redundancy Coefficient Gradual Upweighting (RCGU) technique to overcome data insufficiency during the pre-encryption phase and improve feature significance estimation.
    In the final phase, an improved technique called incremental bagging (iBagging) built incremental data subsets for the anomaly-based and behavioural-based detection ensembles. The enhanced semi-random subspace selection (ESRS) technique was then utilized to build noise-free and diverse subspaces for each of these incremental data subsets. Based on the subspaces, the base classifiers were trained for each ensemble. Both ensembles employed majority voting to combine the decisions of the base classifiers. After that, the decision of the anomaly ensemble was combined into the behavioural ensemble, which gave the final decision. The experimental evaluation showed that the DPBD-FE scheme reduced the ratio of crypto-ransomware samples whose pre-encryption boundaries were missed from 18% to 8% compared to existing works. Additionally, the features selected by the MM-EMIFS technique improved the detection accuracy from 89% to 96% compared to existing techniques. Likewise, on average, the EABDM model increased detection accuracy from 85% to 97.88% and reduced false positive alarms from 12% to 1% in comparison to existing early detection models. These results demonstrated the ability of EABDM to improve the detection accuracy of crypto-ransomware attacks early, before encryption takes place, to protect files from being held to ransom.