Cyber-attacks, malware, and aspects of ransomware
Cyber-attack stories and data breaches are becoming common, and perpetrators are more skilled and motivated to commit sophisticated attacks than ever. Although the proliferation of services, applications, and computers has positively impacted our lives, the number of threats has increased exponentially over the last two decades. This has also increased the vulnerability of the systems, infrastructure, networks, and applications. The increasing digitalization and interconnection of industrial control systems, often in controlling critical infrastructures within intelligent cities and nuclear plants, pose a severe threat to humanity. Exposing cyber criminals to such systems can have fatal consequences on a large scale. Security threat analysis indicates that the financial damage to a ransom in 2014 was estimated at 380 dollars (Symantec, 2017). The following year, the amount doubled and continued to increase exponentially along with the rise of the Bitcoin value, which was a game changer owing to its anonymity. This has led to cryptocurrency being the most adopted untraceable payment method by criminals, and studies have shown that this type of payment was used in 98% of cases (Berrueta et al., 2019).
In May 2017, a significant cyberattack using ransomware known as WannaCry or WannaCrypt infected more than 300.000 systems in over 150 countries. The attack mainly affected Windows systems in different sectors, such as healthcare, the government, and oil and gas production lines (Akbanov et al., 2019). NotPetya and BadRabbit are other ransomware in the modern day that have used advanced tools for infection, persistence, and recovery prevention mechanisms and are well-known for their effectiveness.
These types of malicious software were explicitly designed to exploit the vulnerability of Microsoft Windows systems by spreading them via insecure websites, causing global financial losses of over $8 billion.
Defence against Ransomware
Ransomware is one of the most common types of malware designed to prohibit or restrict users from using their computers by locking the screen or encrypting the files until a ransom is paid (Berrueta et al., 2019). Ransomware attacks can harm private businesses, large corporations, hospitals, and consumers, causing massive damages, financial loss, and even human deaths. The two primary forms of ransomware attackers used in 2016 were Crypto-ransomware and device lockers. Both types of malware are designed to use a new form of attack called Denial-of-Resources (DoR). The world has changed, and cybercriminals are no longer just a few script kiddies but rather large groups of well-funded, organized individuals who can attack end users and enterprises by blackmailing and creating malware that gains popularity daily. Malicious attackers have developed new, more advanced, and more malicious types of ransomware that can mutate and exploit unknown vulnerabilities in your application or operating system.
Types of ransomware
The Global Threat Report (CrowdStrike, 2023) indicates that there are many ransomware discovered over the last years, such as:
BadRabbi, BitPaymer, Cerber, Cryptolocker, Dharma, DoppelPaymer, GandCrab, Locky, Maze, NotPetya, Petya, REvil, WannaCry etc.
Some of the most common types of malware circulating today are:
As the name suggests, device lockers can lock your entire system, folders, and personal files, making them hidden and inaccessible. The screen displays a message demanding ransom. Lockers can be dismantled using special tooling and techniques, while encryption can be complicated to decrypt (Arsene & Gheorghe, 2016).
Crypto-ransomware is an advanced file encryptor that presents a higher threat than lockers. Unlike any other type of malware, it employs irreversible encryption of personal data such as folders, files, videos, etc. Often, the only way to decipher the encrypted data is to use a decryption key obtained when the ransom is paid. However, there is no guarantee since this is an agreement with cybercriminals.
Doxware, or Leakware, is primarily used in phishing or spam emails or on unpatched and vulnerable websites. When Doxware gains access to files and sensitive information, the data is usually encrypted using the Advanced Encryption Standard (AES-256) or Rest Endpoint with Sensitive Data (RSA-2048) encryption. In addition to ransomware, the data might be for sale on the dark web, underground forums, or auctions.
Scareware is defined as fake scripts or software that claim to have detected a problem or virus on your system and require payment to solve it. These types of ransomware are often limited in their performance and can do nothing but generate pop-up messages on your system or, in the worst-case scenario, lock the computer.
Ransomware as a service provider (RaaS) recently became a cloud-based ransomware development platform. Therefore, malware is frequently hosted by a cybercriminal who does all the hard work and even collects the ransom payment. (Source: 2023 Global Threat Report | CrowdStrike, n.d.)
Ransomware as a Service (Raas) is one of the most popular and widely used by cybercriminals mainly because it provides package services such as:
- Identifying unknown and known vulnerabilities in service to create a payload.
- To spread the payload via phishing, spamming, and exploiting
- Tracking and locating sensitive files.
- Demanding ransom to retrieve the data and restore to original files.
Ransomware feature Taxonomy
The rapidly increasing ransomware families and attacks seriously threaten our critical infrastructure, data, and digital infrastructure. Due to the prominent increase in services, types and numbers of researchers and cyber defenders are struggling to keep up with all these challenges and understand the level of risk posed by ransomware. To help security analysts and researchers understand this complex problem and protect our assets, it has made a ransomware feature taxonomy aligned with the Cyber Kill Chain (GKC) model created by Lockheed Martin (Dargahi et al., 2019).
The Cyber Kill Chain model consists of seven steps:
1. Reconnaissance is the step that the attackers take to collect information by harvesting e-mail addresses, information from conferences, services, applications, and known information gathering.
2. Weaponization is the second step an attacker would take using tools and techniques to couple the exploit with a backdoor into a deliverable payload, a piece of malicious code delivered to a target system to perform a specific task. The backdoor is a way to access a computer system by bypassing the existing security mechanisms and keeping their presence for easy return (Dargahi et al., 2019).
3. Delivery is this step, during which the attackers send phishing emails with malware attached or simply hack into the victim’s network.
4. Exploitation is when the attacker exploits a vulnerability to execute code on the victim’s systems or infrastructure.
5. Installation is the step attackers use after exploiting their target’s vulnerability to gain access to a network; they begin installing malware on the asset.
6. Command and Control (C&C, or C2): In this stage, the attackers communicate with the malware installed on the target’s network to accomplish their objective.
7. Actions on Objectives In this step, the attackers have already created their cyberweapons, installed them onto the victim’s network, and, having control of their target network, can begin the final stage of the Cyberkill Chain. This stage may include cyberattacks, such as controlling a botnet to launch a Distributed Denial of Services (DDoS) attack (Brewer, 2016).
Botnets are among the most dangerous network attacks because they comprise many internet-connected devices or computers that penetrate other machines and systems. They are also known as zombies, which can have a catastrophic impact on networks and disrupt services (Strayer et al., 2008).
References
1. Anand, P. M., Charan, P. V. S., & Shukla, S. K. (2023). Hiper—Early Detection of a Ransomware Attack Using Hardware Performance Counters. Digital Threats: Research and Practice, 4(3), 1–24.
2. Berrueta, E., Morato, D., Magaña, E., & Izal, M. (2019). A Survey on Detection Techniques for Cryptographic Ransomware. IEEE Access, 7, 144925–144944. https://doi.org/10.1109/ACCESS.2019.2945839
3. Brewer, R. (2016). Ransomware attacks: Detection, prevention and cure. Network Security, 2016(9), 5–9. https://doi.org/10.1016/S1353-4858(16)30086-1
4. Chaithanya, B. N., & Brahmananda, S. H. (2022). AI-enhanced Defense Against Ransomware Within the Organization’s Architecture. Journal of Cyber Security and Mobility. https://doi.org/10.13052/jcsm2245-1439.1146
5. Chang, J., Venkatasubramanian, K. K., West, A. G., & Lee, I. (2013). Analyzing and defending against web-based malware. ACM Computing Surveys, 45(4), 1–35. https://doi.org/10.1145/2501654.2501663
6. Dargahi, T., Dehghantanha, A., Nikkhah Bahrami, P., Conti, M., Bianchi, G., & Benedetto, L. (2019). A Cyber-Kill-Chain based taxonomy of crypto-ransomware features. Journal of Computer Virology and Hacking Techniques, 15. https://doi.org/10.1007/s11416-019-00338-7
Full details and actions for Ransomware: Defending Against Digital Extortion. (n.d.). Retrieved December 1, 2023, from https://www.vlebooks.com/Product/Index/897257
7. Kolodenker, E., Koch, W., Stringhini, G., & Egele, M. (2017). PayBreak: Defense Against Cryptographic Ransomware. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, 599–611. https://doi.org/10.1145/3052973.3053035
8. Maalem Lahcen, R. A., Caulkins, B., Mohapatra, R., & Kumar, M. (2020). Review and insight on the behavioral aspects of cybersecurity. Cybersecurity, 3(1), 10. https://doi.org/10.1186/s42400-020-00050-w
Thanks for reading.