Page 1: Techniques and Solutions for Addressing Ransomware Attacks...Very recently, WannaCry ransomware, the most re cent successful ransomware attack, impacted thousands of users around the

Ph.D. Thesis Proposal

Techniques and Solutions for Addressing Ransomware Attacks

Amin Kharraz

College of Computer and Information Science

Northeastern University

Ph.D. Committee

Engin Kirda Advisor, Northeastern University

William Robertson Advisor, Northeastern University

Manuel Egele External Member, Boston University

Long Lu Northeastern University – Stony Brook University

July 2017


Abstract

Ransomware is a form of extortion-based attack that locks the victim’s digital resources and requests money to release them. Although the concept of ransomware is not new (i.e., such attacks date back at least as far as the 1980s), this type of malware has recently experienced a resurgence in popularity. In fact, over the last few years, a number of high-profile ransomware attacks were reported. Very recently, WannaCry ransomware infected thousands of vulnerable machines around the world, and substantially disrupted critical services such as the British healthcare system. Given the size and variety of threats we are facing today, having solutions to effectively detect and analyze unknown ransomware attacks seems necessary.

In this thesis, we argue that it is possible to extend existing defense mechanisms, and protect user data from a large number of ransomware attacks with zero data loss. To support this claim, in the first part of the thesis, we perform an evolutionary-based analysis to understand the destructive behavior of ransomware attacks. We show that by monitoring the interaction of malicious processes with the operating system, it is possible to design practical defense mechanisms that could stop even very successful cryptographic ransomware attacks. In the second part, we propose a novel dynamic analysis system, called Unveil, that is designed to analyze ransomware attacks, and model their interactions. In the third and the last part, we propose an end-point framework, called Redemption, to protect user data from ransomware attacks. We present an operating system-independent design, and also provide implementation details which show that such lightweight solutions could be integrated into existing operating systems while achieving zero data loss in a large number of successful ransomware attacks.


Contents

1 Introduction 1

1.1 Focus of this Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 An Analysis on Current Ransomware Attacks 4

2.1 Ransomware Dataset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.2 Developing the Monitoring Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.3 Characterization and Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3 A Dynamic Analysis Approach to Detecting Ransomware 6

3.1 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.2 Analysis and Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.3 Detecting Zero-Day Ransomware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

4 Protecting End-Points from Ransomware Attacks 14

4.1 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

4.2 Dataset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

4.3 Analysis on Labeled Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

5 Future Work and Timeline 18

5.1 Evaluating the Redemption Prototype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

5.2 Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18


1 Introduction

Malware attacks continue to remain one of the most popular attack vectors in the wild [60, 47]. Among all classes of malware, ransomware has recently become very popular among malware authors [9, 16, 20, 26]. Ransomware is a kind of scareware that locks the victims’ computers until they make a payment to regain access to their data. In fact, this class of malware is not a new concept (such attacks have been in the wild since the last decade), but the growing number of high-profile ransomware attacks has resulted in increasing concerns on how to defend against this class of malware.

In 2016, several public and private sectors, including the healthcare industry, were impacted by ransomware [13, 10, 66]. Lately, US officials have also expressed their concerns about ransomware [23, 30], and even asked the U.S. government to focus on fighting ransomware under the Cybersecurity National Action Plan [30]. Very recently, WannaCry ransomware, the most recent successful ransomware attack, impacted thousands of users around the world by exploiting the EternalBlue vulnerability, encrypting user data, and demanding bitcoin payments in exchange for unlocking files [48].

In response to the increasing number of ransomware attacks, users are often advised to create backups of their critical data. Certainly, having a reliable data backup policy minimizes the potential costs of being infected with ransomware, and is an important part of the IT management process. However, the growing number of paying victims [11, 51, 24] suggests that technically unsophisticated users – who are the main target of these attacks – do not follow these recommendations, and easily become a paying victim of ransomware. Hence, ransomware authors continue to create new attacks and evolve their creations as evidenced by the emergence of more sophisticated ransomware every day [62, 8, 60, 53].

Unfortunately, many of the recent security reports about ransomware [19, 31, 32, 60, 61, 47] mainly focus on the advancements in ransomware attacks and their levels of sophistication, rather than providing some insights about effective defense techniques that should be adopted against this threat. Furthermore, the current defense mechanisms to detect, analyze, and defend against ransomware are not very different from the ones that are used to detect other types of evasive malware. Perhaps the main assumption here is that this class of malware employs all possible evasion techniques, similar to other classes of malware, to bypass detection tools, reach end-users, and successfully launch attacks. While we agree that this is a valid assumption, we claim that these mechanisms cannot lead to the best defense mechanisms against ransomware, as evidenced by the increasing number of very successful ransomware attacks in the wild.


1.1 Focus of this Work

In this thesis, we investigate the feasibility of developing solutions to detect and analyze ransomware attacks. In fact, the thesis of this dissertation is that, unlike other malware, the nature of ransomware attacks is not very broad, and protecting against a large number of ransomware attacks is possible. We argue that ransomware attacks follow very similar patterns in order to be successful and force victims to pay the ransom fee. For example, unlike other classes of malware that aim to be stealthy to collect banking credentials or keystrokes without raising suspicion, ransomware notifies victims that they are infected. Moreover, a successful ransomware usually needs to prevent a user’s access to their own data by performing encryption and/or deletion operations, and repeating these destructive actions during an attack. This thesis aims to show that if we use these insights on the defense side, and accurately model these behaviors, we can reliably detect a significant number of ransomware attacks in the wild.

In the first part of this thesis, we perform an evolutionary-based analysis on ransomware attacks to understand the main characteristics of these attacks. This work is motivated by our need to study the core functionalities of these attacks from a filesystem perspective. To this end, we created a dataset of ransomware samples that covers the majority of the existing ransomware families which have been observed in the wild. We design and implement a kernel level module to closely monitor the interaction of user mode processes with the filesystem. Our analysis shows that different classes of ransomware attacks with multiple levels of sophistication share very similar characteristics from a filesystem perspective due to the nature of these attacks.

In the second part of this thesis, we present a novel dynamic analysis system, called Unveil, that is designed to analyze ransomware attacks and model their behaviors. In our approach, the system automatically creates an artificial, realistic execution environment and monitors how ransomware interacts with that environment. We evaluate Unveil using more than 148,000 distinct samples belonging to different malware families. The evaluation of Unveil shows that our approach was able to correctly detect 13,637 ransomware samples from multiple ransomware families in a real-world data feed with zero false positives. Our analysis shows that Unveil can significantly enhance the current anti-malware solutions with regard to ransomware.

In the third part of the thesis, we investigate the possibility of protecting user data from ransomware attacks at end-hosts with zero data loss. To this end, we propose a general framework, called Redemption, to augment the operating system with ransomware protection capabilities. Redemption does not require performing any significant changes in the semantics of the underlying filesystem functionality, or modifying the architecture of the operating system.


1.2 Related Work

Malware attacks are important problems. They have been extensively investigated in security research over the last couple of years. For example, a number of approaches have been proposed to describe program behavior from analyzing byte patterns [42, 59, 57, 67] to transparently running programs in malware analysis systems [6, 36, 35, 63]. Early steps to analyze and capture the main intent of a program focused on analysis of control flow. Kruegel et al. [40] and Bruschi et al. [14] showed that by modeling programs based on their instruction-level control flow, it is possible to bypass some forms of obfuscation. Similarly, Christodorescu et al. [18] used instruction-level control flow to design obfuscation-resilient detection systems. Later work focused on analyzing and detecting malware using higher-level semantic characterizations of their runtime behavior derived from sequences of system call invocations and OS resource accesses [37, 38, 17, 46, 58, 68].

In order to analyze the malicious behavior of malware samples, dynamic analysis tools have become popular over the last few years. Most of these techniques depend on extracting system calls or Windows API call traces using sandboxing techniques. For example, CWSandbox [65] and Norman Sandbox [5] trace API calls, while Anubis [12] and Panorama [68] are examples of emulation-based malware analysis systems that can perform data-flow analysis. More recently, BareCloud [36], a bare-metal analysis system to detect evasive malware samples, has been proposed.

A first report on specific ransomware families was made by Gazet, where the author analyzed three ransomware families including Krotten and Gpcode [25]. The recent resurgence of ransomware attacks has attracted the attention of several researchers once more. Kharraz et al. [34] analyzed 15 ransomware families including desktop locker and cryptographic ransomware, and provided an evolution-based study on ransomware attacks. The authors concluded that a significant number of ransomware in the wild has a very similar strategy to attack user files, and can be distinguished from benign processes. In another work, Kharraz et al. [33] proposed Unveil, a dynamic analysis system that is specifically designed to assist reverse engineers to analyze the intrinsic behavior of an arbitrary ransomware sample.

Scaife et al. [52] proposed CryptoDrop, which is built upon the premise that the malicious process aggressively encrypts user files. In the paper, as a limitation of CryptoDrop, the authors state that the tool does not provide any recovery or minimal data loss guarantees. Their approach is able to detect a ransomware attack after a median of ten file losses. Very recently, Continella et al. [21], and Kolodenker et al. [39] proposed protection schemes to detect ransomware. Continella et al. [21] proposed ShieldFS, which has a similar goal to ours. The authors also look at the filesystem layer to find typical ransomware activity. While ShieldFS is a significant improvement over the status quo, it would be desirable to complement it with a more generic approach which is also resistant to unknown cryptographic functions. Unlike ShieldFS, the approach we propose in Section 4 does not rely on cryptographic primitive identification.


Kolodenker et al. [39] proposed PayBreak, which securely stores cryptographic encryption keys in a key vault that is used to decrypt affected files after a ransomware attack. In fact, PayBreak intercepts calls to functions that provide cryptographic operations, encrypts symmetric encryption keys, and stores the results in the key vault. After a ransomware attack, the user can decrypt the key vault with his private key and decrypt the files without making any payments. As mentioned earlier, our proposed solution in Section 4 does not depend on any hooking technique to identify cryptographic functions. Furthermore, the detection accuracy of the framework is not impacted by the type of packer a ransomware family may use to evade common anti-malware systems. This makes our proposed technique a more generic solution to the same problem space.

This dissertation proposal consists of the following sections: In Section 2, we provide an overview of current ransomware attacks and the techniques they use. In Section 3, we describe a dynamic analysis system that is specifically designed to detect and analyze ransomware samples. Section 4 describes an end-point solution to protect the consistent state of user data during a ransomware attack. In Section 5, we briefly explain our milestones, the proposed research plan, and the timeline to complete each task.

2 An Analysis on Current Ransomware Attacks

Given the significant growth of ransomware attacks [9, 16, 20, 26], it is very important to understand how ransomware payloads are developed, how they evolved over time, and how the malicious process attacks user data. Answering these questions allows us to develop models that look for specific behaviors in ransomware attacks. Currently, most of the recent security reports about ransomware [62, 8, 60, 53] rely on ad-hoc procedures rather than a scientific assessment. In fact, these reports mainly focus on the advancements in ransomware attacks and their levels of sophistication, rather than providing some insights about effective defense techniques that should be adopted against this threat. As a first step, we investigate the key functionalities of ransomware attacks to understand how these functionalities differ from other malware behaviors so that we can construct accurate models to detect unknown ransomware attacks.

2.1 Ransomware Dataset

To build the ransomware dataset, we collected malware samples from multiple sources such as Anubis, a public malware analysis system, a set of public malware repositories [4, 2, 1], and by manually browsing through security forums [45, 3]. We collected 3,921 ransomware samples from all these sources. However, after removing the samples that did not execute properly in our analysis environment, our dataset contained a total of 1,359 active ransomware samples from 15 ransomware families. To obtain accurate labels for these samples, we cross-checked the malware samples by automatically submitting the list of MD5 hashes to VirusTotal. To be conservative in our ransomware selection, we consider a sample to be ransomware if at least three AV engines recognized it as belonging to this category. Table 1 lists the set of ransomware families we used in our experiments.

Table 1: The list of malware families used in our experiments. The four attack-type columns of the original table are Encrypting Files, Changing MBR, Deleting Files and Stealing Info; the per-family ✓ marks are shown as extracted, without their column positions, and the per-type totals follow the family rows.

| Family | Samples | Variants | First Seen | Most Recent | Types of Attacks (✓ marks) |
|---|---|---|---|---|---|
| Reveton | 244 (17.95%) | 14 | 2012 | 2014 | ✓ ✓ |
| Cryptolocker | 32 (2.35%) | 4 | 2013 | 2014 | ✓ ✓ |
| CryptoWall | 11 (0.8%) | 2 | 2014 | 2014 | ✓ |
| Tobfy | 122 (8.97%) | 12 | 2010 | 2014 | ✓ |
| Seftad | 23 (1.69%) | 4 | 2006 | 2010 | ✓ |
| Winlock | 308 (22.66%) | 27 | 2008 | 2013 | ✓ |
| Loktrom | 4 (0.29%) | 2 | 2012 | 2013 | |
| Calelk | 9 (0.663%) | 2 | 2009 | 2010 | |
| Urausy | 523 (38.48%) | 16 | 2009 | 2014 | ✓ ✓ |
| Krotten | 17 (1.25%) | 3 | 2008 | 2009 | ✓ |
| BlueScreen | 4 (0.29%) | 1 | 2008 | 2009 | ✓ |
| Kovter | 8 (0.58%) | 2 | 2013 | 2013 | ✓ |
| Filecoder | 9 (0.66%) | 3 | 2012 | 2014 | ✓ ✓ |
| GPcode | 21 (1.54%) | 4 | 2004 | 2008 | ✓ |
| Weelsof | 24 (1.76%) | 3 | 2012 | 2013 | ✓ |

| Total | All | Encrypting Files | Changing MBR | Deleting Files | Stealing Info |
|---|---|---|---|---|---|
| No. of Samples | 1,359 | 73 (5.37%) | 23 (1.69%) | 484 (35.61%) | 44 (3.23%) |
| No. of Variants | 99 | 13 (13.13%) | 4 (4.04%) | 29 (21.33%) | 6 (6.06%) |

2.2 Developing the Monitoring Tool

One of our first goals in this project is to describe how a malicious process interacts with the filesystem when a machine is under a ransomware attack. To answer this question, we investigate the common characteristics of ransomware attacks from a filesystem perspective regardless of the technical differences that these attacks might have (such as the infection and the key generation techniques). In order to monitor filesystem activity, multiple approaches could be used. One classic approach is to hook the SSDT [28, 41] to monitor interesting function calls. In our analysis, we developed a minifilter driver [49] to capture all I/O requests that the I/O manager generates on behalf of user-mode processes to access the filesystem.

To monitor the I/O requests, we define callback routines to precisely record any I/O and transaction activity on the files. For each filesystem request, we collect the process name, the process ID, the parent process ID, the pre-operation and post-operation callback time, the IRP type, the arguments and the result of the operation. Our minifilter driver is deployed in privileged kernel mode, which has access to nearly all objects of the operating system. Furthermore, since we capture the filesystem activity directly from the Windows I/O manager in the kernel, there is a low chance that malware authors develop code in user mode that could bypass our monitor.


2.3 Characterization and Evolution

In this project, the characterization of ransomware attacks was based on 1,359 ransomware samples among 15 families that have emerged over the last few years. Encryption and deletion operations are two important components of most recent ransomware attacks, as they allow the malicious payload to prevent access to digital resources, and minimize the chance of regaining access to them. We performed an analysis on these two operations by running malware samples in an isolated environment, and monitoring the filesystem activity traces.

Our results show that a significant number of ransomware families share very similar characteristics in the core part of the attacks, but still lack reliable destructive functions to successfully target victims’ files. We also observed that suspicious filesystem activity of multiple types of destructive ransomware families can be reliably extracted. More specifically, when looking at the execution traces of malware programs, we observed that the way malicious processes generate requests to access the filesystem was significantly different from benign processes. We also observed that different classes of ransomware attacks with multiple levels of sophistication share very similar characteristics from a filesystem perspective due to the nature of these attacks. Unlike recent discussions in the security community about ransomware attacks, our analysis suggests that implementing practical defense mechanisms is still possible if we effectively monitor filesystem activity, for example changes in the Master File Table (MFT) or the types of I/O Request Packets (IRPs) generated on behalf of processes to access the filesystem.

3 A Dynamic Analysis Approach to Detecting Ransomware

Today, an important enabler for behavior-based malware detection is dynamic analysis. These systems execute a captured malware sample in a controlled environment, and record its behavior (e.g., system calls, API calls, and network traffic). Unfortunately, malware detection systems that focus on stealthy malware behavior (e.g., suspicious operating system functionality for keylogging) might fail to detect ransomware because this class of malicious code engages in activity that appears similar to benign applications that use encryption or compression. Furthermore, these systems are currently not well-suited for detecting the specific behaviors that ransomware engages in, as evidenced by misclassifications of ransomware families by AV scanners [15, 55].

In this section, we propose a novel dynamic analysis system that is designed to analyze ransomware attacks and model their behaviors. In our approach, the system automatically creates a realistic execution environment, and monitors how ransomware interacts with that environment. Closely monitoring process interactions with the filesystem allows the system to precisely characterize cryptographic ransomware behavior.

In parallel, the system tracks changes to the computer’s desktop that indicate ransomware-like behavior. The key insight is that in order to be successful, ransomware will need to access and tamper with a victim’s files or desktop. Our automated approach, called Unveil, allows the system to analyze many malware samples at a large scale, and to reliably detect and flag those that exhibit ransomware-like behavior. In addition, the system is able to provide insights into how the ransomware operates, and how to automatically differentiate between different classes of ransomware.

3.1 System Design

In this section, we describe our techniques for detecting multiple classes of ransomware attacks.

Generating Artificial User Environments: Protecting malware analysis environments against fingerprinting techniques is non-trivial in a real-world deployment. Sophisticated malware authors exploit static features inside analysis systems (e.g., name of a computer) and launch reconnaissance-based attacks [44] to fingerprint both public and private malware analysis systems.

The static features of analysis environments can be viewed as the Achilles’ heel of malware analysis systems. One static feature that can have a significant impact on the effectiveness of the malware analysis systems is the user data that can be effectively used to fingerprint the analysis environment. That is, even on bare-metal environments where classic tricks such as virtualization checks are not possible, an unrealistic looking user environment can be a telltale sign that the code is running in a malware analysis system.

Intuitively, a possible approach to address such reconnaissance attacks is to build the user environment in such a way that the user data is valid, real, and non-deterministic in each malware run. These automatically-generated user environments serve as an “enticing target” to encourage ransomware to attack user data while at the same time preventing the possibility of being recognized by adversaries. Before each run, Unveil automatically generates an artificial – yet realistic – user environment for ransomware.
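As an added example (not Unveil’s code), the following Python builds such an environment: it draws file names, folders, sizes and modification times from fresh randomness on each run (or from a seed when a run must be reproducible), and writes valid file signatures so that header checks on the decoy documents pass. The vocabulary, folder names, signature table and two-year timestamp spread are constructed assumptions; make_root creates a temporary directory to populate.

```python
"""Added example: generate a non-deterministic, realistic-looking decoy user environment."""
import os
import random
import tempfile
import time
from pathlib import Path

# Constructed vocabulary and folder layout (assumptions, not Unveil's data).
WORDS = ["budget", "invoice", "thesis", "holiday", "minutes",
         "resume", "taxes", "photos", "draft", "notes"]
FOLDERS = ["Documents", "Desktop", "Downloads", "Pictures"]
# File signatures so that a sample inspecting headers sees valid-looking documents.
MAGIC = {".pdf": b"%PDF-1.5\n", ".docx": b"PK\x03\x04",
         ".jpg": b"\xff\xd8\xff\xe0", ".txt": b""}
TWO_YEARS = 2 * 365 * 24 * 3600   # assumed spread of modification times


def make_root():
    """Fresh temporary directory standing in for the analysis machine's user profile."""
    return Path(tempfile.mkdtemp(prefix="decoy_"))


def generate_user_environment(root, n_files=40, seed=None):
    """Populate root with n_files decoy files: random names, folders, sizes and mtimes.

    seed=None draws fresh randomness, so every analysis run gets a different
    environment; a fixed seed reproduces one. Returns the list of created paths.
    """
    rng = random.Random(seed)
    root = Path(root)
    now = time.time()
    created = []
    while len(created) < n_files:
        ext = rng.choice(list(MAGIC))
        folder = root / rng.choice(FOLDERS)
        folder.mkdir(parents=True, exist_ok=True)
        name = f"{rng.choice(WORDS)}_{rng.randint(2009, 2017)}_{rng.randint(1, 99):02d}{ext}"
        path = folder / name
        if path.exists():          # keep names unique within one environment
            continue
        # body: a valid header followed by text filler of a plausible, varied length
        filler = " ".join(rng.choice(WORDS) for _ in range(rng.randint(100, 5_000)))
        path.write_bytes(MAGIC[ext] + filler.encode())
        mtime = now - rng.uniform(0, TWO_YEARS)   # spread timestamps over two years
        os.utime(path, (mtime, mtime))
        created.append(path)
    return created


def looks_realistic(paths):
    """Sanity check before handing the environment to a sample: valid headers,
    varied sizes, and not every file modified in the last month."""
    headers_ok = all(p.read_bytes().startswith(MAGIC[p.suffix]) for p in paths)
    sizes = {p.stat().st_size for p in paths}
    ages_ok = any(time.time() - p.stat().st_mtime > 30 * 24 * 3600 for p in paths)
    return headers_ok and len(sizes) > len(paths) // 2 and ages_ok


if __name__ == "__main__":
    env = generate_user_environment(make_root())
    print(len(env), "decoy files;", "realistic" if looks_realistic(env) else "suspicious")
```

With seed=None every run gets different names, sizes and timestamps, which removes the static fingerprint the paragraph above warns about; looks_realistic is the kind of check one would run before handing the environment to a sample.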

Filesystem Activity Monitor: The first core component of Unveil is a filesystem monitor which is used to collect filesystem activities during a cryptographic ransomware attack. The filesystem monitor in Unveil has direct access to data buffers involved in I/O requests, giving the system full visibility into all filesystem modifications. Figure 4 shows a high-level design of Unveil in the Windows environment.

For all of the cryptographic ransomware samples that we studied, we empirically observed that these samples issue I/O traces that exhibit distinctive, repetitive patterns. This is due to the fact that these samples each use a single, specific strategy to deny access to user data. This attack strategy is accurately reflected in the form of I/O access patterns that are repeated for each file when performing the attack. Consequently, these I/O access patterns can be extracted as a distinctive I/O fingerprint for a particular family. We note that our approach mainly considers write or delete requests. We elaborate on extracting I/O access patterns per file in Section 3.1.

[Figure 1 (diagram): user-mode processes (Process 1, Process 2, Process 3, ..., Process N issuing read, write and delete requests) -> I/O Access Monitor in kernel mode. On I/O Monitor ENTER: Identify Process, I/O Type, Identify File OP, Record I/O Request; on I/O Monitor EXIT: Calculate Entropy over the file’s data buffer. The I/O requests then pass to the I/O Scheduler, the FileSystem Driver and the Physical Device.]

Figure 1: Overview of the design of the I/O access monitor in Unveil. The module monitors system-wide filesystem accesses of user-mode processes. This allows Unveil to have full visibility into interactions with user files.

For every read and write request to a file, Unveil computes the entropy of the corresponding data buffer. Comparing the entropy of read and write requests to and from the same file offset serves as an excellent indicator of cryptographic ransomware behavior. This is due to the common strategy to read in the original file data, encrypt it, and overwrite the original data with the encrypted version. The system uses Shannon entropy [43] for this computation.

Constructing Access Patterns: For each execution, after Unveil generates I/O access traces for the sample, it sorts the I/O access requests based on file names and request timestamps. This allows the system to extract the I/O access sequence for each file in a given run, and check which processes accessed each file. The key idea is that after sorting the I/O access requests per file, repetition can be observed in the way I/O requests are generated on behalf of the malicious process.

The particular detection criterion used by the system to detect ransomware samples is to identify write and delete operations in I/O sequences in each malware run. In a successful ransomware attack, the malicious process typically aims to encrypt, overwrite, or delete user files at some point during the attack. In Unveil, these I/O request patterns raise an alarm, and are detected as suspicious filesystem activity. We studied different cryptographic ransomware samples across different ransomware families. Our analysis shows that although these attacks can be very different in their attack strategies (e.g., evasion techniques, key generation, key management, connecting to C&C servers), they can be categorized into three main classes of attacks based on their access requests.

[Figure 2 (diagram): three per-file I/O sequences. (1) read File x (Open, Read, Close) -> encrypt -> overwrite File x (Open, Write, Close). (2) read File x (Open, Read, Close) -> encrypt -> write File x.locked (Open, Write, Close) -> delete File x (Open, Delete, Close). (3) read File x (Open, Read, Close) -> encrypt -> write File x.locked (Open, Write, Close) -> overwrite the content of File x (Write) and delete it.]

Figure 2: Strategies differ across ransomware families with respect to I/O access patterns. (1) Attacker overwrites the users’ file with an encrypted version; (2) Attacker reads, encrypts and deletes files without wiping them from storage; (3) Attacker reads, creates a new encrypted version, and securely deletes the original files by overwriting the content.

Figure 2 shows the high-level access patterns for multiple ransomware families we studied during our experiments. For example, the access pattern shown to the left is indicative of Cryptolocker variants that have varying key lengths and desktop locking techniques. However, its access pattern remains constant with respect to family variants. We observed the same I/O activity for samples in the CryptoWall family as well. While these families are identified as two different ransomware families, since they use the same encryption functions to encrypt files (i.e., the Microsoft CryptoAPI), they have similar I/O patterns when they attack user files.

As another example, in the FileCoder family, the ransomware first creates a new file, reads data from a victim's file, generates an encrypted version of the original data, writes the encrypted data buffer to the newly generated file, and simply unlinks the user's original file (see pattern (2) in Figure 2). In this class of cryptographic ransomware, the malware does not wipe the original file's data from the disk. For attack approaches like this, victims have a high chance of recovering their data without paying the ransom. In the third approach (pattern (3) in Figure 2), however, the ransomware creates a new encrypted file based on the original file's data and then securely deletes the original file's data using either standard Windows APIs or custom overwriting implementations (e.g., the CrypVault family).
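As an added illustration (not code from the proposal or the Unveil prototype), the following Python classifies a per-process I/O trace into the three access patterns of Figure 2. The event format, the `.locked` suffix for the encrypted copy, the paths and the trace itself are constructed for the example; the classifier generalizes the figure slightly by examining every user file a process touched and reporting which pattern, if any, applied to it.

```python
"""Classify per-file I/O traces into the three ransomware access patterns of Figure 2."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

LOCKED_SUFFIX = ".locked"   # assumed name of the encrypted copy, as drawn in Figure 2


class IoEvent(NamedTuple):
    pid: int
    op: str    # "open", "read", "write", "delete" or "close"
    path: str


def classify_file_access(events: List[IoEvent], path: str) -> Optional[str]:
    """Return 'overwrite', 'encrypt-delete', 'encrypt-overwrite' or None for one user file."""
    read_orig = wrote_copy = overwrote_orig = deleted_orig = False
    for ev in events:
        if ev.path == path:
            if ev.op == "read":
                read_orig = True
            elif ev.op == "write" and read_orig:      # written back after its content was read
                overwrote_orig = True
            elif ev.op == "delete":
                deleted_orig = True
        elif ev.path == path + LOCKED_SUFFIX and ev.op == "write":
            wrote_copy = True
    if not read_orig:
        return None                       # content never read, so it cannot have been encrypted
    if wrote_copy and overwrote_orig:
        return "encrypt-overwrite"        # pattern (3): copy written, original wiped by overwriting
    if wrote_copy and deleted_orig:
        return "encrypt-delete"           # pattern (2): copy written, original merely unlinked
    if overwrote_orig:
        return "overwrite"                # pattern (1): original overwritten in place
    return None


def classify_trace(events: List[IoEvent]) -> Dict[int, Dict[str, str]]:
    """Per process, map each attacked user file to the pattern observed on it."""
    by_pid: Dict[int, List[IoEvent]] = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    result: Dict[int, Dict[str, str]] = {}
    for pid, evs in by_pid.items():
        paths = {ev.path for ev in evs if not ev.path.endswith(LOCKED_SUFFIX)}
        hits = {p: classify_file_access(evs, p) for p in sorted(paths)}
        hits = {p: c for p, c in hits.items() if c}
        if hits:
            result[pid] = hits
    return result


def original_recoverable(pattern: str) -> bool:
    """Only pattern (2) leaves the original bytes on disk (unlinked, not wiped)."""
    return pattern == "encrypt-delete"


def _ops(pid: int, path: str, *ops: str) -> List[IoEvent]:
    return [IoEvent(pid, op, path) for op in ops]


# Constructed trace: process 7 attacks three documents, one per pattern; process 12 is a
# benign program that reads a file and writes a separate backup copy.
A, B, C, D = ("C:/Users/alice/Documents/" + n for n in ("a.docx", "b.xlsx", "c.pdf", "d.txt"))
SAMPLE_TRACE = (
    _ops(7, A, "open", "read", "close") + _ops(7, A, "open", "write", "close")
    + _ops(7, B, "open", "read", "close") + _ops(7, B + LOCKED_SUFFIX, "open", "write", "close")
    + _ops(7, B, "open", "delete", "close")
    + _ops(7, C, "open", "read", "close") + _ops(7, C + LOCKED_SUFFIX, "open", "write", "close")
    + _ops(7, C, "open", "write", "close") + _ops(7, C, "open", "delete", "close")
    + _ops(12, D, "open", "read", "close") + _ops(12, D + ".bak", "open", "write", "close")
)
```

Pattern (1) also matches an editor that reads a document and saves it back in place, which is why the proposal later evaluates Unveil against the benign archivers, encryptors and shredders of Table 3: an access pattern by itself is a trigger for closer inspection, not a verdict.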

Detecting Screen Lockers: The second core component of Unveil is aimed at detecting screen locker ransomware. The key insight behind this component is that the attacker must display a ransom note to the victim in order to receive a payment. In most cases, the message is prominently displayed, covering a significant part, or all, of the display. As this ransom note is a virtual invariant of ransomware attacks, Unveil aims to automatically detect the display of such notes.


The approach adopted by Unveil to detect screen locking ransomware is to monitor the desktop of the victim machine, and to attempt to detect the display of a ransom note. Similar to Grier et al. [27], we take automatic screenshots of the analysis desktop before and after the sample is executed. The screenshots are captured from outside of the dynamic analysis environment to prevent potential tampering by the malware. This series of screenshots is analyzed and compared using image analysis methods to determine if a large part of the screen has suddenly changed between captures. However, smaller changes in the image such as the location of the mouse pointer, current date and time, new desktop icons, windows, and visual changes in the task bar should be rejected as inconsequential.

In Unveil, we measure the structural similarity (SSIM) [64] of two screenshots – before and after sample execution – by comparing local patterns of pixel intensities in terms of both luminance and contrast as well as the structure of the two images. Extracting structural information is based on the observation that pixels have strong inter-dependencies – especially when they are spatially close. These dependencies carry information about the structure of the objects in the image. After a successful ransomware attack, the display of the ransom note often results in automatically identifiable changes in the structural information of the screenshot (e.g., a large rectangular object covers a large part of the desktop). Therefore, the similarity of the pre- and post-attack images decreases significantly, and can be used as an indication of ransomware.

Unveil also extracts the text within the area where changes in the structure of the image have occurred. The system extracts the text inside the selected area and searches for specific keywords that are highly correlated with ransom notes (e.g., <lock, encrypt, desktop, decryption, key>).

Given two screenshots X and Y, we define the overall similarity between X and Y as the arithmetic mean of the similarity of the image contents. We define a similarity threshold τsim such that Unveil considers the sample a potential screen-locking ransomware if the structural similarity score between the two images exceeds the threshold value. Unveil then extracts the text within the image and searches for ransomware-related words within the modified area. Applying the image similarity test with the best similarity threshold (see Section 3.2) gives us the highest recall with 100% precision for the entire dataset.
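The following Python is an added example, not the Unveil implementation, of the screen-locker check described above: a window-based SSIM over two grayscale screenshots, the dissimilarity of the pair compared against τsim = 0.32, and the keyword search on the text from the changed area. The constants K1 = 0.01, K2 = 0.03 and L = 255 are the standard SSIM parameters of Wang et al. [64]; the 8x8 non-overlapping windows, the reading of τsim as a bound on 1 − SSIM (the proposal calls the score a similarity in one place and a dissimilarity in another), the two synthetic 32x32 screenshots and the stand-in for OCR output are choices made for this example, and OCR itself is outside the snippet.

```python
"""Screen-locker check: SSIM between pre/post screenshots plus ransom-note keyword search."""
import random
from typing import List

Image = List[List[int]]          # grayscale rows of 0..255 values

# Standard SSIM stabilisation constants: K1 = 0.01, K2 = 0.03, dynamic range L = 255
C1 = (0.01 * 255) ** 2
C2 = (0.03 * 255) ** 2
TAU_SIM = 0.32                   # threshold from Section 3.2, assumed here to bound 1 - SSIM
RANSOM_KEYWORDS = ("lock", "encrypt", "desktop", "decryption", "key")   # from the text above


def _window_ssim(a: List[int], b: List[int]) -> float:
    """SSIM of one window: luminance, contrast and structure terms combined."""
    n = len(a)
    mu_a, mu_b = sum(a) / n, sum(b) / n
    var_a = sum((x - mu_a) * (x - mu_a) for x in a) / (n - 1)
    var_b = sum((y - mu_b) * (y - mu_b) for y in b) / (n - 1)
    cov = sum((x - mu_a) * (y - mu_b) for x, y in zip(a, b)) / (n - 1)
    return ((2 * mu_a * mu_b + C1) * (2 * cov + C2)) / (
        (mu_a * mu_a + mu_b * mu_b + C1) * (var_a + var_b + C2))


def ssim(img_a: Image, img_b: Image, win: int = 8) -> float:
    """Mean SSIM over non-overlapping win x win windows (local pixel-intensity patterns)."""
    h, w = len(img_a), len(img_a[0])
    scores = []
    for y in range(0, h - win + 1, win):
        for x in range(0, w - win + 1, win):
            a = [img_a[r][c] for r in range(y, y + win) for c in range(x, x + win)]
            b = [img_b[r][c] for r in range(y, y + win) for c in range(x, x + win)]
            scores.append(_window_ssim(a, b))
    return sum(scores) / len(scores)


def dissimilarity(before: Image, after: Image) -> float:
    return 1.0 - ssim(before, after)


def ransom_keywords(text: str) -> List[str]:
    """Keywords from the ransom-note vocabulary that occur in the extracted text."""
    lowered = text.lower()
    return [k for k in RANSOM_KEYWORDS if k in lowered]


def is_screen_locker(before: Image, after: Image, extracted_text: str, tau: float = TAU_SIM) -> bool:
    """Flag when a large structural change coincides with ransom-note vocabulary."""
    return dissimilarity(before, after) > tau and bool(ransom_keywords(extracted_text))


# Constructed inputs (not real screenshots): a textured desktop, the same desktop with a
# uniform note covering 75% of it, and the same desktop with only a cursor-sized change.
def textured_desktop(size: int = 32, seed: int = 1) -> Image:
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(size)] for _ in range(size)]


def paint_rectangle(img: Image, top: int, left: int, height: int, width: int, value: int) -> Image:
    out = [row[:] for row in img]
    for r in range(top, top + height):
        for c in range(left, left + width):
            out[r][c] = value
    return out


DESKTOP = textured_desktop()
LOCKED = paint_rectangle(DESKTOP, 0, 0, 32, 24, 200)
POINTER_MOVED = paint_rectangle(DESKTOP, 2, 2, 3, 3, 255)
NOTE_TEXT = "Your files are encrypted. Pay to receive the decryption key."   # constructed OCR output
```

The pointer-sized change perturbs a single window, so the mean SSIM stays close to 1 and the sample is not flagged; the note replaces the structure of twelve of the sixteen windows with a flat region, which drives their SSIM towards zero and the dissimilarity well past τsim.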

3.2 Analysis and Findings

We evaluated Unveil detection accuracy by running two experiments. The goal of the first experiment is to demonstrate that the system can detect known ransomware samples, while the goal of the second experiment is to demonstrate that Unveil can detect previously unknown ransomware samples. The Unveil prototype is built on top of Cuckoo Sandbox [22]. Cuckoo provides basic services such as sample submission, managing multiple VMs, and performing simple human interaction tasks such as simulating user input during an analysis. However, in principle, Unveil could


Family          Type     Samples
Cryptolocker    crypto   33 (1.5%)
CryptoWall      crypto   42 (2.0%)
CTB-Locker      crypto   77 (3.6%)
CrypVault       crypto   21 (1.0%)
CoinVault       crypto   17 (0.8%)
Filecoder       crypto   19 (0.9%)
TeslaCrypt      crypto   39 (1.8%)
Tox             crypto   71 (3.3%)
VirLock         locker   67 (3.2%)
Reveton         locker   501 (23.6%)
Tobfy           locker   357 (16.8%)
Urausy          locker   877 (41.3%)
Total Samples   -        2,121

Table 2: The list of ransomware families used in the first experiment.

be implemented using any dynamic analysis system (e.g., BitBlaze [7], VxStream Sandbox [54]). As described in Section 3.1, user environments were generated for each run, filesystem I/O traces were recorded, and pre- and post-execution screenshots were captured. After each execution, the VM was rolled back to a clean state to prevent any interference across executions. Each sample was executed in the analysis environment for 20 minutes. All experiments were performed according to well-established experimental guidelines [56] for malware experiments.

Ground Truth (Labeled) Dataset: In this experiment, we collected ransomware samples from public repositories [1, 4] and online forums that share malware samples [3, 45]. We also received labeled ransomware samples from two well-known anti-malware companies. In total, we collected 3,156 recent samples. In order to make sure that those samples were indeed active ransomware, we ran them in our test environment. We confirmed 2,121 samples to be active ransomware instances. After each run, we checked the filesystem activity of each sample for any signs of attacks on user data. If we did not see any malicious filesystem activity, we checked whether running the sample displayed a ransom note.

Table 2 describes the ransomware families we used in this experiment. We note that the dataset covers the majority of the current ransomware families in the wild. In addition to the labeled ransomware dataset, we also created a dataset that consisted of non-ransomware samples. These samples were submitted to the Anubis analysis platform [29], and consisted of a collection of benign as well as malicious samples. We selected 149 benign executables, including applications that have ransomware-like behavior such as secure deletion, encryption, and compression. A short list of these applications is provided in Table 3. We also tested 384 non-ransomware malware samples from 36 malware families to evaluate the false positive rate of Unveil.


We performed a precision-recall analysis to find the best similarity threshold τsim for desktop locking detection. The best threshold value to discriminate between similar and dissimilar screenshots should be defined in such a way that Unveil is able to detect screen locker ransomware while maintaining an optimal precision-recall rate. Our empirical analysis shows that with τsim = 0.32 more than 97% of the ransomware samples across both screen locker and cryptographic ransomware samples are detected with 100% precision. In the second experiment, we used this similarity threshold to detect screen locker ransomware in a malware feed unknown to Unveil.

Application    Main Capability   Version
7-zip          Compression       15.06
Winzip         Compression       19.5
WinRAR         Compression       5.21
DiskCryptor    Encryption        1.1.846.118
AESCrypt       Encryption        —
Eraser         Shredder          6.2.0.2969
SDelete        Shredder          1.61

Table 3: The list of benign applications that generate similar I/O access patterns to ransomware.

3.3 Detecting Zero-Day Ransomware

The main goal of the second experiment is to evaluate the accuracy of Unveil when applied to a large dataset of recent real-world malware samples. We then compared our detection results with those reported by AV scanners in VirusTotal.

This dataset was acquired from the daily malware feed provided by Anubis [29] to security researchers. The samples were collected from May 18th 2015 until February 12th 2016. The dataset contained 148,223 distinct samples. Each sample was then submitted to Unveil to obtain I/O access traces and pre-/post-execution desktop image dissimilarity scores.

Early Warning: One of the design goals of Unveil is to be able to automatically detect previously unknown (i.e., zero-day) ransomware. In order to run this experiment, we did the following. Once per day over the course of the experiment, we built a malware dataset that was concurrently submitted to Unveil and VirusTotal. If a sample was detected as ransomware by Unveil, we checked the VirusTotal (VT) detection results. In cases where a ransomware sample was not detected by any VT scanner, we reported it as a new detection.

In addition, we also measured the lag between a new detection by Unveil and a VT detection. To that end, we created a dataset from the newly detected samples submitted on days {1, 2, ..., n−1, n} and re-submitted these samples to see whether the detection results changed. We considered the


[Figure 3 plots: six panels, Submission #1 to Submission #6, each showing the density distribution (y-axis) of the VT pollution ratio (x-axis, 0.0 to 1.0).]

Figure 3: Evolution of VT scanner reports after six submissions. 72.2% of the samples detected by Unveil were not detected by any of the AV scanners in the first submission. After a few re-submissions, the detection results do not change significantly. The detection results tend to be concentrated either towards small or very large detection ratios. This means that a sample is either detected by a relatively small number of scanners, or by almost all of the scanners.


Evaluation Results
Total Samples          148,223
Detected Ransomware    13,637 (9.2%)
Detection Rate         96.3%
False Positives        0.0%
New Detection          9,872 (72.2%)

Table 4: Unveil detection results. 72.2% of the ransomware samples detected by Unveil were not detected by any of the AV scanners in VirusTotal at the time of the first submission. 7,572 (76.7%) of the newly detected samples were destructive file locker ransomware samples.

result of all 55 VT scanners in this experiment. Since the number of scanners is relatively high, we defined a VT detection ratio ρ as the ratio of the total number of scanners that identified the sample as ransomware or malware to the total number of scanners checked by VT. ρ is therefore a value on the interval [0,1] where zero means that the sample was not detected by any of the 55 VT scanners, and 1 means that all scanners reported the sample as malware or ransomware. Since there is no standard labeling scheme for malware in the AV industry, a scanner can label a sample using a completely different name from another scanner. Consequently, to avoid biased results, we consider the labeling of a sample using any name as a successful detection.

In our experiment, we submitted the detected samples every day to see how the VT detection ratio ρ changes over time. The distribution of ρ for each submission is shown in Figure 3. Our analysis shows that ρ does not significantly change after a small number of subsequent submissions. For the first submission, 72.2% of the ransomware samples detected by Unveil were not detected by any of the 55 VT scanners. After a few submissions, ρ does not change significantly, but generally was concentrated either towards small or very large ratios. This means that after a few re-submissions, either only a few scanners detected a sample, or almost all the scanners detected the sample.

The large scale experiment shows that Unveil outperforms all the public AV scanners in detecting both superficial and technically sophisticated ransomware attacks. Among our findings was also a new ransomware family that no AV scanners, including a modern industrial sandboxing technology, had previously detected before we submitted it to VirusTotal.

4 Protecting End-Points from Ransomware Attacks

In response to the increasing number of ransomware attacks [9, 16, 20, 26], a desirable and complementary defense would be to augment the operating system with transparent techniques that would make the operating system more resistant against ransomware-like behavior.

In this project, we introduce the concepts of a general framework, called Redemption, to protect user data from ransomware attacks in a real-time fashion. Our goal is to define a practical solution that can be used as an augmented service to the operating system without changing the semantics of the underlying filesystem functionality.

Redemption is based on two main components. First, an abstract characterization of the behavior of a large class of current ransomware attacks is constructed. More precisely, our technique applies the results of a long-term dynamic analysis of binary objects to determine if a process matches the abstract model; a process is labeled as malicious if it exhibits behaviors that match the abstract model. Second, a high-performance, high-integrity mechanism protects and restores all attacked files by utilizing a transparent data buffer to redirect access requests while tracking the write contents.

4.1 System Design

In this section, we introduce the components of Redemption, which are: (1) a lightweight kernel module that intercepts process interactions, and (2) a user-mode daemon, called the behavioral monitor and notification module, that assigns a malice score to a process and is used to notify the user about the potential malicious behavior of a process.

Intercepting Access Requests. In order to implement a reliable dynamic access control mechanism over user data, this part of the system should be implemented in the kernel, and be able to mediate the access to the filesystem. The prototype redirects each write access request to the user files to a protected area without changing the status of the original file.

Figure 4 presents an example that illustrates how access requests are processed. The system introduces the following changes. (1) Redemption receives the request A from the application X to access the file F at time t. (2) If A_t requests access with write or delete privilege to the file F, and the file F resides in a user-defined path, Redemption's monitor is called. (3) Redemption creates a corresponding file in the protected area, called the reflected file, and handles the write requests there. These changes are periodically flushed to storage to ensure that they are physically available on the disk. After a successful data write at Step 3, the meta-data entry of the corresponding file is updated with the offset and length of the data buffer in the I/O request. (4) The malice score of the process is updated and compared to a pre-configured threshold α. (5) The Redemption monitor sends a notification to the display monitor to alert the user, depending on the calculated malice score. (6) A success/failure notification is generated and sent to the system service manager.

Malice Score Calculation (MSC) Function. The MSC function allows the system to identify a suspicious process and notify the user when the process matches the abstract model. Given a process X, we assign a malice score S to the process each time it requests privileged access to a user file. If the malice score S exceeds a pre-defined malice threshold α, the process is considered to exhibit abnormal behavior. In Section 4.3, we provide more details on how we selected the malice threshold α for our experiments.
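To make the six steps and the malice score concrete, here is an added simulation in Python (not the Redemption kernel module or its user-mode service) of the write-mediation path: requests that write to or delete an existing user file are redirected to a reflected copy whose (offset, length) journal is kept, the process's malice score is updated and compared with α = 0.12, and a process that exceeds α is terminated with its reflected copies discarded, so the originals were never changed. The scoring rule (a fixed increment per high-entropy write or per delete on a user file), the entropy threshold, the merge-at-exit policy for well-behaved processes, the sample files and the constant stand-in for ciphertext are assumptions of this example; the proposal does not specify them.

```python
"""Simulation of Redemption-style write mediation: reflected files, malice score, recovery."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALPHA = 0.12          # malice threshold alpha reported in Section 4.3
HIGH_ENTROPY = 7.0    # assumed: bits per byte above which a written buffer looks like ciphertext
WEIGHT = 0.03125      # assumed: score added per suspicious privileged request (1/32, exact in binary)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 for a uniform byte distribution, 0.0 for a constant buffer."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class ReflectedFile:
    """Copy in the protected area that receives one process's writes to one user file."""
    data: bytearray
    journal: List[Tuple[int, int]] = field(default_factory=list)   # (offset, length) per write
    deleted: bool = False


class RedemptionMonitor:
    def __init__(self, protected_prefixes: List[str], disk: Dict[str, bytes], alpha: float = ALPHA):
        self.prefixes = tuple(protected_prefixes)                  # user-defined paths under protection
        self.disk = {p: bytearray(c) for p, c in disk.items()}     # originals; never written directly
        self.reflected: Dict[Tuple[int, str], ReflectedFile] = {}
        self.score: Dict[int, float] = {}
        self.terminated: set = set()
        self.alpha = alpha

    def request(self, pid: int, op: str, path: str, data: bytes = b"", offset: int = 0) -> str:
        """Mediate one I/O request (steps 1 to 6 of Figure 4) and return the outcome."""
        if pid in self.terminated:
            return "denied"
        mediated = op in ("write", "delete") and path.startswith(self.prefixes) and path in self.disk
        if not mediated:
            # Reads, new files and paths outside the user directories take the ordinary path.
            if op == "write":
                self._apply(self.disk.setdefault(path, bytearray()), offset, data)
            elif op == "delete":
                self.disk.pop(path, None)
            return "passthrough"
        rf = self.reflected.setdefault((pid, path), ReflectedFile(bytearray(self.disk[path])))
        if op == "write":                                         # step 3: write the reflected file
            self._apply(rf.data, offset, data)
            rf.journal.append((offset, len(data)))                # meta-data entry for the write
            suspicious = shannon_entropy(data) >= HIGH_ENTROPY
        else:
            rf.deleted = True
            suspicious = True
        if suspicious:                                            # step 4: update the malice score
            self.score[pid] = min(1.0, self.score.get(pid, 0.0) + WEIGHT)
        if self.score.get(pid, 0.0) > self.alpha:                 # steps 5 and 6: alert and stop
            self.terminate(pid)
            return "terminated"
        return "redirected"

    def terminate(self, pid: int) -> List[str]:
        """Stop the process and drop its reflected copies; the originals were never modified."""
        self.terminated.add(pid)
        touched = [path for (p, path) in self.reflected if p == pid]
        for path in touched:
            del self.reflected[(pid, path)]
        return touched

    def commit(self, pid: int) -> List[str]:
        """Assumed policy: merge a well-behaved process's reflected files when it exits."""
        merged = []
        for (p, path), rf in list(self.reflected.items()):
            if p != pid:
                continue
            if rf.deleted:
                self.disk.pop(path, None)
            else:
                self.disk[path] = rf.data
            merged.append(path)
            del self.reflected[(p, path)]
        return merged

    @staticmethod
    def _apply(buf: bytearray, offset: int, data: bytes) -> None:
        end = offset + len(data)
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
        buf[offset:end] = data


# Constructed inputs: five user documents and a stand-in for ciphertext (entropy 8.0 bits/byte).
DOCS = ["C:/Users/alice/Documents/%s" % n for n in ("a.docx", "b.xlsx", "c.pdf", "d.txt", "e.pptx")]
SAMPLE_DISK = {p: ("contents of %s " % p).encode() * 20 for p in DOCS}
CIPHERTEXT = bytes(range(256)) * 16


def simulate_attack(pid: int = 7) -> Tuple[List[str], bool]:
    """Encrypt-in-place attempt on every document; returns outcomes and whether originals survived."""
    mon = RedemptionMonitor(["C:/Users/alice/"], SAMPLE_DISK)
    outcomes = [mon.request(pid, "write", p, CIPHERTEXT) for p in DOCS]
    intact = all(bytes(mon.disk[p]) == SAMPLE_DISK[p] for p in DOCS)
    return outcomes, intact


def simulate_editor(pid: int = 9) -> Tuple[str, float, bytes]:
    """A plain-text save: redirected, scored zero, merged into the original at exit."""
    mon = RedemptionMonitor(["C:/Users/alice/"], SAMPLE_DISK)
    outcome = mon.request(pid, "write", DOCS[3], b"Revised notes\n" * 10)
    mon.commit(pid)
    return outcome, mon.score.get(pid, 0.0), bytes(mon.disk[DOCS[3]])
```

With these assumed weights the attacking process crosses α on its fourth high-entropy write and is stopped with all five originals untouched, while the editor's low-entropy save is redirected, scored zero and merged; the page's own scoring function and flush policy are not described, so only the mediation structure (redirect, journal, score, compare, terminate or merge) should be read as the proposal's design.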


[Figure 4 diagram: the Redemption Monitor mediating filesystem requests; numbered arrows 1 to 6 mark the steps described in Section 4.1 for a mediated write, and arrows 1 and 2 alone mark the ordinary two-step path.]

Figure 4: Redemption mediates the access to the filesystem and redirects each write request on the user files to a protected area without changing the status of the original file. Reading the user files, creating and writing on new files follow the standard 2-step procedure since they do not introduce any risk with regard to ransomware attacks on user data.

Behavioral Detection and Notification Module. We implemented this module as a user-mode service. This was a conscious design choice similar to the design of most anti-malware solutions. Note that Microsoft officially supports the concept of protected services, called Early Launch Anti-Malware (ELAM), to allow anti-malware user-mode services to be launched as protected services. In fact, after the service is launched as a protected service, Windows uses code integrity to only allow trusted code to load into a protected service. Windows also protects these processes from code injection and other attacks from admin processes [50]. If Redemption identifies the existence of a malicious process, it automatically terminates the malicious process.

4.2 Dataset

The ground truth dataset consists of filesystem traces of manually confirmed ransomware samples as well as more than 230 GB of data which contains the interaction of benign processes with the filesystem on multiple machines. We used this dataset to verify the effectiveness of Redemption, and to determine the best threshold value to label a suspicious process.

4.3 Analysis on Labeled Data

The Redemption prototype supports all Windows platforms. In our experiments, we used Windows 7, simply attaching Redemption to the filesystem. The remainder of this section discusses how the benign and malicious datasets were collected, and how we will conduct the experiments to evaluate the effectiveness of our approach.

One of the design requirements of the system is to produce low false positives, and to minimize


Table 5: A list of benign applications and their malice scores.

Program               Min. Score   Max. Score
Adobe Photoshop       0.032        0.088
AESCrypt              0.37         0.72
AxCrypt               0.31         0.75
Adobe PDF reader      0.0          0.0
Adobe PDF Pro         0.031        0.039
Google Chrome         0.037        0.044
Internet Explorer     0.035        0.045
Matlab                0.038        0.92
MS Word               0.041        0.089
MS PowerPoint         0.025        0.102
MS Excel              0.017        0.019
VLC Player            0.0          0.0
VeraCrypt             0.33         0.71
WinRAR                0.0          0.16
Windows Backup        0.0          0.0
Windows Paint         0.029        0.083
SDelete               0.283        0.638
Skype                 0.011        0.013
Spotify               0.01         0.011
Sumatra PDF           0.022        0.041
Zip                   0.0          0.16
Malice Score Median   0.027        0.0885

Table 6: A list of ransomware families and their malice scores.

Family            Samples   Min. Score   Max. Score   Recovery
Cerber            33        0.41         0.73         5
Cryptolocker      50        0.36         0.77         4
CryptoWall3       39        0.4          0.79         6
CryptXXX          46        0.49         0.71         3
CTB-Locker        53        0.38         0.75         7
CrypVault         36        0.53         0.73         3
CoinVault         39        0.42         0.69         4
Filecoder         54        0.52         0.66         5
GpCode            45        0.52         0.76         2
TeslaCrypt        37        0.43         0.79         4
Virlock           29        0.51         0.72         3
SilentCrypt       43        0.31         0.59         9
Samples           504       -            -            -
Score Median      -         0.43         0.73         -
Recovery Median   -         -            -            4

the number of unnecessary notifications to end-users. To this end, the system employs a threshold value to determine when an end-user should be notified about the suspicious behavior of a process.

We tested a large set of benign as well as ransomware samples on a Redemption-enabled machine. As depicted in Table 5 and Table 6, the median score of benign applications is significantly lower than that of ransomware samples. For file encryption programs such as AxCrypt, which are specifically designed to protect the privacy of users, the original file is overwritten with random data once the encrypted version is generated. In this case, Redemption reports the action as malicious – which, in fact, is a false positive. Unfortunately, such false positive cases are inevitable since these programs exhibit the exact behavior that a typical ransomware exhibits. In such cases, Redemption informs the end-user and asks for a manual confirmation. Given these corner cases, we select the malice threshold α = 0.12, where the system achieves the best detection and false positive rates (FPs = 0.5% at TP = 100%). This malice threshold is still significantly lower than the minimum malice score of all the ransomware families in the dataset, as provided in Table 6. The table also shows the median file recovery rate. As depicted, Redemption detects a malicious process and successfully recovers encrypted data after observing on average four files. Our experiment on the dataset also showed that 7 GB of storage is sufficiently large for the protected area to enforce the data consistency policy.


5 Future Work and Timeline

5.1 Evaluating the Redemption Prototype

In Section 4, we proposed an end-point framework that protects user data from ransomware attacks. Designing a reliable end-point solution that guarantees minimal data loss is non-trivial. A successful implementation of the framework should achieve a high true positive rate and a low false positive rate. Furthermore, it should not impose a noticeable performance impact, or require significant changes to the way users interact with standard operating systems.

We showed that the system achieves good detection results when using 10-fold cross validation on the labeled dataset. In addition to this experiment, we plan to test the system with ransomware samples that are not used in the model learning process. In this experiment, we plan to evaluate the detection accuracy of the system in a real-world setting where the trained model has not necessarily observed all types of attacks in this specific class of malware.

We also plan to measure the potential performance impact of the system when it is deployed on end-user machines. In fact, we plan to test which operations are more expensive when the system is deployed, and whether the incurred overhead makes the system inefficient. The goal of this experiment is to test how the system works under heavy reads and writes. Furthermore, we would like to measure how many files should be maintained in the protected area when Redemption is actively monitoring the filesystem activity.

5.2 Timeline

Table 7 is the proposed timeline to complete our research:

Table 7: The proposed timeline to complete the research

To-do tasks              Completion Date (end of)
Large Scale Evaluation   July 2017
Usability Tests          July 2017
Filesystem Benchmarks    August 2017
Dissertation Defense     August 2017

References

[1] Minotaur Analysis - Malware Repository. minotauranalysis.com.

[2] VX Vault - Online Repository of Malware Samples. vxvault.siri-urz.net.


[3] Malware Tips - Your Security Advisor. http://malwaretips.com/forums/virus-exchange.104/.

[4] MalwareBlackList - Online Repository of Malicious URLs. http://www.malwareblacklist.com.

[5] Norman Sandbox. http://www.norman.com/.

[6] Proof-of-concept Automated Baremetal Malware Analysis Framework. https://code.google.com/p/nvmtrace/.

[7] BitBlaze Malware Analysis Service. http://bitblaze.cs.berkeley.edu/, 2016.

[8] Anand Ajjan. Ransomware: Next-Generation Fake Antivirus. http://www.sophos.com/en-us/medialibrary/PDFs/technicalpapers/SophosRansomwareFakeAntivirus.pdf, 2013.

[9] Alex Hern. Major sites including New York Times and BBC hit by ransomware malvertising. https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising, 2016.

[10] Alex Hern. Ransomware threat on the rise as almost 40 percent of businesses attacked. https://www.theguardian.com/technology/2016/aug/03/ransomware-threat-on-the-rise-as-40-of-businesses-attacked, 2016.

[11] Andrew Dalton. Hospital paid 17K ransom to hackers of its computer network. http://bigstory.ap.org/article/d89e63ffea8b46d98583bfe06cf2c5af/hospital-paid-17k-ransom-hackers-its-computer-network, 2016.

[12] Ulrich Bayer, Christopher Kruegel, and Engin Kirda. TTAnalyze: A Tool for Analyzing Malware. In Proceedings of the European Institute for Computer Antivirus Research Annual Conference, April 2006.

[13] BBC News. University pays 20,000 Dollars to ransomware hackers. http://www.bbc.com/news/technology-36478650, 2016.

[14] Danilo Bruschi, Lorenzo Martignoni, and Mattia Monga. Detecting self-mutating malware using control-flow graph matching. In Detection of Intrusions and Malware & Vulnerability Assessment, pages 129–143. Springer, 2006.

[15] Catalin Cimpanu. Breaking Bad Ransomware Completely Undetected by VirusTotal. http://news.softpedia.com/news/breaking-bad-ransomware-goes-completely-undetected-by-virustotal-493265.shtml, 2015.


[16] Chris Francescani. Ransomware Hackers Blackmail U.S. Police Departments. http://www.cnbc.com/2016/04/26/ransomware-hackers-blackmail-us-police-departments.html, 2016.

[17] Mihai Christodorescu, Somesh Jha, and Christopher Kruegel. Mining specifications of malicious behavior. In Proceedings of the 1st India Software Engineering Conference, pages 5–14. ACM, 2008.

[18] Mihai Christodorescu, Somesh Jha, Sanjit A Seshia, Dawn Song, and Randal E Bryant. Semantics-aware malware detection. In Security and Privacy, 2005 IEEE Symposium on, pages 32–46. IEEE, 2005.

[19] Cisco, Inc. Ransomware on Steroids: Cryptowall 2.0. http://blogs.cisco.com/security/talos/cryptowall-2, 2015.

[20] Connor Mannion. Three U.S. Hospitals Hit in String of Ransomware Attacks. http://www.nbcnews.com/tech/security/three-u-s-hospitals-hit-string-ransomware-attacks-n544366, 2016.

[21] Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, and Federico Maggi. ShieldFS: a self-healing, ransomware-aware filesystem. In Proceedings of the 32nd Annual Conference on Computer Security Applications, pages 336–347. ACM, 2016.

[22] Cuckoo Foundation. Cuckoo Sandbox: Automated Malware Analysis. www.cuckoosandbox.org, 2015.

[23] Dan Whitcomb. California lawmakers take step toward outlawing ransomware. http://www.reuters.com/article/us-california-ransomware-idUSKCN0X92PA, 2016.

[24] Dell SecureWorks. University of Calgary paid 20K in ransomware attack. http://www.cbc.ca/news/canada/calgary/university-calgary-ransomware-cyberattack-1.3620979, 2016.

[25] Alexandre Gazet. Comparative analysis of various ransomware virii. Journal in Computer Virology, 6(1):77–90, February 2010.

[26] Gregory Wolf. 8 High Profile Ransomware Attacks You May Not Have Heard Of. https://www.linkedin.com/pulse/8-high-profile-ransomware-attacks-you-may-have-heard-gregory-wolf, 2016.

[27] Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J Dietrich, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, et al. Manufacturing compromise: the emergence of exploit-as-a-service. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 821–832, 2012.

[28] Greg Hoglund and Jamie Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, 2005.

[29] International Secure System Lab. Anubis - Malware Analysis for Unknown Binaries. https://anubis.iseclab.org/, 2015.

[30] Jerry Zremski. New York Senator Seeks to Combat Ransomware. http://www.govtech.com/security/New-York-Senator-Seeks-to-Combat-Ransomware.html, 2016.

[31] John Miller, Matt Allen, Christopher Glyer, Ian Ahl, and Nick Carr. Petya Ransomware Spreading Via EternalBlue Exploit. https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html, 2017.

[32] Kevin Savage, Peter Coogan, and Hon Lau. The Evolution of Ransomware. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf, 2015.

[33] Amin Kharraz, Sajjad Arshad, Collin Mulliner, William Robertson, and Engin Kirda. UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware. In 25th USENIX Security Symposium, 2016.

[34] Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge, and Engin Kirda. Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks. In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2015.

[35] Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. BareBox: efficient malware analysis on bare-metal. In Proceedings of the 27th Annual Computer Security Applications Conference, pages 403–412. ACM, 2011.

[36] Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. BareCloud: Bare-metal analysis-based evasive malware detection. In 23rd USENIX Security Symposium (USENIX Security 14), pages 287–301. USENIX Association, 2014.

[37] Engin Kirda, Christopher Kruegel, Greg Banks, Giovanni Vigna, and Richard Kemmerer. Behavior-based spyware detection. In USENIX Security, volume 6, 2006.

[38] Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiao-yong Zhou, and XiaoFeng Wang. Effective and efficient malware detection at the end host. In USENIX Security Symposium, pages 351–366, 2009.


[39] Eugene Kolodenker, William Koch, Gianluca Stringhini, and Manuel Egele. PayBreak: Defense against cryptographic ransomware. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS ’17, pages 599–611, New York, NY, USA, 2017. ACM.

[40] Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Giovanni Vigna. Polymorphic worm detection using structural information of executables. In Recent Advances in Intrusion Detection, pages 207–226. Springer, 2006.

[41] Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu, and Engin Kirda. AccessMiner: Using system-centric models for malware protection. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS ’10, pages 399–412. ACM, 2010.

[42] Wei-Jen Li, Ke Wang, Salvatore J Stolfo, and Benjamin Herzog. Fileprints: Identifying file types by n-gram analysis. In Information Assurance Workshop, 2005. IAW’05. Proceedings from the Sixth Annual IEEE SMC, pages 64–71. IEEE, 2005.

[43] Jianhua Lin. Divergence measures based on the Shannon entropy. IEEE Transactions on Information Theory, 37:145–151, 1991.

[44] Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. Detecting environment-sensitive malware. In Recent Advances in Intrusion Detection, pages 338–357. Springer, 2011.

[45] Malware Don’t Need Coffee. Guess who’s back again? Cryptowall 3.0. http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html, 2015.

[46] Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, and John C Mitchell. A layered architecture for detecting malicious behaviors. In Recent Advances in Intrusion Detection, pages 78–97. Springer, 2008.

[47] McAfee Labs. McAfee Labs 2017 Threat Predictions Report. https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf, 2017.

[48] Michael Mimoso. Leaked NSA Exploit Spreading Ransomware Worldwide. https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/, 2017.

[49] Microsoft, Inc. File System Minifilter Drivers. https://msdn.microsoft.com/en-us/library/windows/hardware/ff540402%28v=vs.85%29.aspx, 2014.

[50] Microsoft, Inc. Protecting Anti-Malware Services. https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx, 2016.

[51] Ms. Smith. Kansas Heart Hospital hit with ransomware; attackers de-

mand two ransoms. http://www.networkworld.com/article/3073495/security/

22

Page 26: Techniques and Solutions for Addressing Ransomware Attacks...Very recently, WannaCry ransomware, the most re cent successful ransomware attack, impacted thousands of users around the

kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.

html, 2016.

[52] Patrick Traynor Nolen Scaife, Henry Carter and Kevin Butler. CryptoLock (and Drop It): Stop-

ping Ransomware Attacks on User Data. In In IEEE International Conference on Distributed Com-

puting Systems (ICDCS), 2016.

[53] Gavin O’Gorman and Geoff McDonald. Ransomware: A Growing Menance. http://www.

symantec.com/connect/blogs/ransomware-growing-menace, 2012.

[54] Payload Security Inc,. Payload Security. https://www.hybrid-analysis.com, 2016.

[55] REAQTA Inc,. HyraCrypt Ransomware. https://reaqta.com/2016/02/hydracrypt-

ransomware/, 2016.

[56] Christian Rossow, Christian J Dietrich, Chris Grier, Christian Kreibich, Vern Paxson, Norbert

Pohlmann, Herbert Bos, and Maarten Van Steen. Prudent practices for designing malware

experiments: Status quo and outlook. In Security and Privacy (SP), 2012 IEEE Symposium on,

pages 65–79. IEEE, 2012.

[57] Matthew G Schultz, Eleazar Eskin, Erez Zadok, and Salvatore J Stolfo. Data mining methods

for detection of new malicious executables. In Security and Privacy, 2001. S&P 2001. Proceedings.

2001 IEEE Symposium on, pages 38–49. IEEE, 2001.

[58] Elizabeth Stinson and John C Mitchell. Characterizing bots remote control behavior. In Detection

of Intrusions and Malware, and Vulnerability Assessment, pages 89–108. Springer, 2007.

[59] Andrew H Sung, Jianyun Xu, Patrick Chavez, and Srinivas Mukkamala. Static analyzer of

vicious executables (save). In Computer Security Applications Conference, 2004. 20th Annual, pages

326–334. IEEE, 2004.

[60] Symantec, Inc. Internet Security Threat Report. http://www.symantec.com/security_

response/publications/threatreport.jsp, 2017.

[61] Tom Spring. Second Global Ransomware Outbreak Under Way. https://threatpost.com/

second-global-ransomware-outbreak-under-way/126549/, 2017.

[62] TrendLabs. An Onslaught of Online Banking Malware and Ransomware. http:

//apac.trendmicro.com/cloud-content/apac/pdfs/security-intelligence/reports/

rpt-cashing-in-on-digital-information.pdf, 2013.

[63] Amit Vasudevan and Ramesh Yerraballi. Cobra: Fine-grained malware analysis using stealth

localized-executions. In Security and Privacy, 2006 IEEE Symposium on, 2006.

23

Page 27: Techniques and Solutions for Addressing Ransomware Attacks...Very recently, WannaCry ransomware, the most re cent successful ransomware attack, impacted thousands of users around the

[64] Zhou Wang, Alan C Bovik, Hamid R Sheikh, and Eero P Simoncelli. Image quality assessment:

from error visibility to structural similarity. Image Processing, IEEE Transactions on, 13(4):600–612,

2004.

[65] Carsten Willems, Thorsten Holz, and Felix Freiling. Toward automated dynamic malware anal-

ysis using cwsandbox. IEEE Security and Privacy, 5(2):32–39, March 2007.

[66] WIRED Magazine. Why Hospitals Are the Perfect Targets for Ransomware. https://www.

wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/, 2016.

[67] J-Y Xu, Andrew H Sung, Patrick Chavez, and Srinivas Mukkamala. Polymorphic malicious

executable scanner by api sequence analysis. In Hybrid Intelligent Systems, 2004. HIS’04. Fourth

International Conference on, pages 378–383. IEEE, 2004.

[68] Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda. Panorama: cap-

turing system-wide information flow for malware detection and analysis. In Proceedings of the

14th ACM conference on Computer and communications security, pages 116–127. ACM, 2007.

24


Recommended