Cyber-attacks, malware, and aspects of ransomware
Cyber-attacks and data breaches are becoming more common, with perpetrators becoming increasingly skilled and motivated. While the growth of technology has benefited our lives, threats have surged significantly over the past two decades.
This has also increased the vulnerability of systems, infrastructure, networks, and applications. The increasing digitalization and interconnection of industrial control systems often used to control critical infrastructures within intelligent cities and nuclear plants, pose a severe threat to humanity.
Exposing cybercriminals to such systems can have devastating consequences. In 2014, the financial damage from ransomware was estimated at $380 (Symantec, 2017). This amount doubled the following year and continued to rise significantly, largely due to Bitcoin’s anonymity.
This has led to cryptocurrency being the most adopted untraceable payment method by criminals, and studies have shown that this type of payment was used in 98% of cases (Berrueta et al., 2019).
In May 2017, a significant cyberattack using ransomware known as WannaCry or WannaCrypt infected more than 300.000 systems in over 150 countries. The attack mainly affected Windows systems in different sectors, such as healthcare, the government, and oil and gas production lines (Akbanov et al., 2019).
NotPetya and BadRabbit are other modern ransomware that use advanced tools for infection, persistence, and recovery prevention mechanisms and are well-known for their effectiveness.
These types of malicious software were explicitly designed to exploit the vulnerability of Microsoft Windows systems by spreading them via insecure websites, causing global financial losses of over $8 billion.
Defence against Ransomware
Ransomware is a typical malware that restricts computer access by locking screens or encrypting files until a ransom is paid (Berrueta et al., 2019). These attacks can severely impact businesses, hospitals, and individuals, leading to significant financial losses and potential harm to lives.
The two primary forms of ransomware attackers used in 2016 were Crypto-ransomware and device lockers. Both types of malware are designed to use a new form of attack called Denial-of-Resources (DoR).
Cybercriminals have evolved into organized, well-funded groups that target individuals and enterprises with blackmail and widespread malware.
Attackers have created advanced ransomware that exploits unknown vulnerabilities.
Types of ransomware
The Global Threat Report (CrowdStrike, 2023) indicates that there are many ransomware discovered over the last years, such as:
BadRabbi, BitPaymer, Cerber, Cryptolocker, Dharma, DoppelPaymer, GandCrab, Locky, Maze, NotPetya, Petya, REvil, WannaCry etc.
The most common types of malware circulating today are:
As the name suggests, device lockers can lock your entire system, folders, and personal files, making them hidden and inaccessible. The screen displays a message demanding ransom. Lockers can be dismantled using special tooling and techniques, while encryption can be complicated to decrypt (Arsene & Gheorghe, 2016).
Crypto-ransomware is an advanced file encryptor that presents a higher threat than lockers. Unlike any other type of malware, it employs irreversible encryption of personal data such as folders, files, videos, etc. Often, the only way to decipher the encrypted data is to use a decryption key obtained when the ransom is paid. However, there is no guarantee since this is an agreement with cybercriminals.
Doxware, or Leakware, is primarily used in phishing or spam emails or on unpatched and vulnerable websites. When Doxware gains access to files and sensitive information, the data is usually encrypted using the Advanced Encryption Standard (AES-256) or Rest Endpoint with Sensitive Data (RSA-2048) encryption. In addition to ransomware, the data might be for sale on the dark web, underground forums, or auctions.
Scareware is defined as fake scripts or software that claim to have detected a problem or virus on your system and require payment to solve it. These types of ransomware are often limited in their performance and can do nothing but generate pop-up messages on your system or, in the worst-case scenario, lock the computer.
Ransomware as a service provider (RaaS) recently became a cloud-based ransomware development platform. Therefore, malware is frequently hosted by a cybercriminal who does all the hard work and even collects the ransom payment. (Source: 2023 Global Threat Report | CrowdStrike, n.d.)
Ransomware as a Service (Raas) is one of the most popular and widely used by cybercriminals mainly because it provides package services such as:
- Identifying unknown and known vulnerabilities in service to create a payload.
- To spread the payload via phishing, spamming, and exploiting
- Tracking and locating sensitive files.
- Demanding ransom to retrieve the data and restore to original files.
Ransomware feature Taxonomy
The rise in ransomware families and attacks severely threatens our critical infrastructure and data. Many researchers and cyber defenders struggle to keep pace and assess the associated risks.
To help security analysts and researchers understand this complex problem and protect our assets, it has created a ransomware feature taxonomy aligned with Lockheed Martin’s Cyber Kill Chain (GKC) model (Dargahi et al., 2019).
The Cyber Kill Chain model consists of seven steps:
1. Reconnaissance is the step that the attackers take to collect information by harvesting e-mail addresses, information from conferences, services, applications, and known information gathering.
2. Weaponization is the second step an attacker would take using tools and techniques to couple the exploit with a backdoor into a deliverable payload, a piece of malicious code delivered to a target system to perform a specific task. The backdoor is a way to access a computer system by bypassing the existing security mechanisms and keeping their presence for easy return (Dargahi et al., 2019).
3. Delivery is this step, during which the attackers send phishing emails with malware attached or simply hack into the victim’s network.
4. Exploitation is when the attacker exploits a vulnerability to execute code on the victim’s systems or infrastructure.
5. Installation is the step attackers use after exploiting their target’s vulnerability to gain access to a network; they begin installing malware on the asset.
6. Command and Control (C&C, or C2): In this stage, the attackers communicate with the malware installed on the target’s network to accomplish their objective.
7. Actions on Objectives In this step, the attackers have already created their cyberweapons, installed them onto the victim’s network, and, having control of their target network, can begin the final stage of the Cyberkill Chain. This stage may include cyberattacks, such as controlling a botnet to launch a Distributed Denial of Services (DDoS) attack (Brewer, 2016).
Botnets are dangerous network attacks made up of many internet-connected devices, known as “zombies.” They can infiltrate other systems and disrupt networks and services (Strayer et al., 2008).
References
1. Anand, P. M., Charan, P. V. S., & Shukla, S. K. (2023). Hiper—Early Detection of a Ransomware Attack Using Hardware Performance Counters. Digital Threats: Research and Practice, 4(3), 1–24.
2. Berrueta, E., Morato, D., Magaña, E., & Izal, M. (2019). A Survey on Detection Techniques for Cryptographic Ransomware. IEEE Access, 7, 144925–144944. https://doi.org/10.1109/ACCESS.2019.2945839
3. Brewer, R. (2016). Ransomware attacks: Detection, prevention and cure. Network Security, 2016(9), 5–9. https://doi.org/10.1016/S1353-4858(16)30086-1
4. Chaithanya, B. N., & Brahmananda, S. H. (2022). AI-enhanced Defense Against Ransomware Within the Organization’s Architecture. Journal of Cyber Security and Mobility. https://doi.org/10.13052/jcsm2245-1439.1146
5. Chang, J., Venkatasubramanian, K. K., West, A. G., & Lee, I. (2013). Analyzing and defending against web-based malware. ACM Computing Surveys, 45(4), 1–35. https://doi.org/10.1145/2501654.2501663
6. Dargahi, T., Dehghantanha, A., Nikkhah Bahrami, P., Conti, M., Bianchi, G., & Benedetto, L. (2019). A Cyber-Kill-Chain based taxonomy of crypto-ransomware features. Journal of Computer Virology and Hacking Techniques, 15. https://doi.org/10.1007/s11416-019-00338-7
Full details and actions for Ransomware: Defending Against Digital Extortion. (n.d.). Retrieved December 1, 2023, from https://www.vlebooks.com/Product/Index/897257
7. Kolodenker, E., Koch, W., Stringhini, G., & Egele, M. (2017). PayBreak: Defense Against Cryptographic Ransomware. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, 599–611. https://doi.org/10.1145/3052973.3053035
8. Maalem Lahcen, R. A., Caulkins, B., Mohapatra, R., & Kumar, M. (2020). Review and insight on the behavioral aspects of cybersecurity. Cybersecurity, 3(1), 10. https://doi.org/10.1186/s42400-020-00050-w
Thanks for reading.