All computer systems are using anti-virus because of threat against virus or malwares. Cyber security normally protect systems against all these viruses but as technology increasing the threat against technology also increasing. One of the new threats is Ransom ware. It is a kind of virus which directly steal user’s money or it forces victim to pay some Ransom in order to get the access of victim’s original files. These all can be done through Cryptography. Fact is that cryptography is used to secure information but here Ransom ware uses cryptography against it.
Ransom ware extort money from the victim by encrypting their valuable information. And to get back access of important files victim needs to pay some ransom.
This paper tries to investigate the working of a Crypto Locker (Ransom ware) and formal analysis of malware. This analysis leads to some conclusion concerning this phenomenon also few strength and weaknesses of money extort malware. As ransom ware infections continue to rise, and attacks employing refined algorithm become increasingly sophisticated, data protection faces serious challenges.
This chapter draws a ransom ware extortion scheme, compares ransom ware with other malware, and discusses future trends.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. Although ransomware is usually aimed at individuals, it’s only a matter of time before business is targeted as well. The process is similar to how a virus or malware gets into a computer: Email messages claiming to contain important attachments, drive by download – from websites or even ads that seem to offer valuable/illegal stuff for free, fake antivirus/anti-malware downloads, fake updates for popular programs, social engineering methods, friends on social networks enticing you to click on certain links, through botnets, etc.
There are two types of ransomware
- Encrypting ransomware, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide to provide the victim with the key that can decrypt the blocked content. Examples include Crypto Locker, Locky, CrytpoWall and more.
- Locker ransom ware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Example include the police-themed ransom ware or Win locker.
Ransomware has some key characteristics apart from malware.
- Unbreakable encryption, you can’t decrypt the files on your own.
- It encrypts all kind of files, like documents, audio, video, pictures etc.
- It can shuffle your file names, so you can’t predict the affected data. This is one of the social engineering tricks used to confuse victims into paying the ransom.
- It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back
- It requests payment in Bitcoins, because this crypto-currency cannot be tracked by cyber security researchers or law enforcements agencies
- The ransom payment has a time-limit, deadline of time limit typically means that the ransom will increase, but the data will be destroyed and lost forever.
- It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and increase future attacks
- It can spread to other PCs connected in a local network, creating further damage.
- It has data excretion capabilities, which means that ransomware can extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals.
- It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances for the ransom to be paid.
Phase 1: Exploitations and Infection: When attack has successfully done, the malicious ransomware file needs to execute on a computer. Through some techniques like phishing attack and exploit kit exploitation has been done. In the case of the CryptoLocker malware, the Angler Exploit Kit is a preferred method to gain execution.
Phase 2:Delivery and Execution: During this phase, the actual ransomware executables are delivered to the victim’s system. Through which it can attack to the victim’s system.
Phase 3: Backup Spoliation: The ransomware targets the backup files and folders on the victim’s system and removes them to prevent restoring from backup. The unique feature of ransomware is it deletes the backup files, while the kind of malware don’t bother to delete the backup file. Other kind of crimeware are not so feasible than ransomware that it can easily attack successfully. The ransomware infects the user’s machine using any of the typical methods, such as sending victims convincing email and encouraging them to run the attachment. It infects on the backup files so victim can’t get the idea about the malware.
Phase 4: File Encryption: Once the phase 3 has completed, the malware will perform a secure key exchange with the command and control (C2) server. Those encryption keys are used on the local system.
Phase 5: User Notification and Clean-up: After removing the Backup files and encryption dirty work done, the demand instructions for extortion and payment are displayed. The victim is given time limit to pay, after that time the ransomware increases.
Accompanied by the survey analysis, the literature study on developments in transfer and mitigation of ransomware aims to make the recommendation for prevention of ransomware more practical due to clear understanding of the criminal mindsets.
Transfer of ransomware With time, ransomware has evolved now focusing its target on desktop computers and targeting less secured areas like mobiles and M2M(machine-to-machine) communication. The transfer happens via crypto-ransomware, which is defined as a type of malware that injects malicious code and gets installed as an executable in the system location that encrypts a users data. The access to data is restricted until the user pays a ransom for decryption. Locker-ransomware completely locks the device of user system or input device. The developments with type in transfer methods and its impacts are discussed in the Table 1. The historical developments are relevant to study because ransomware has risen when the opportunity arose. Thus, there is a good chance that the historical methods will be repeated.
Then, the ransomware scripts are pushed and executed on the fly. In some cases scripts are pushed to understand user browsing patterns and then the malicious applications use these sites for attacks. This study over the transfer methods reflects that how the complications in implementation of such ransomware have evolved and this suggests that x The targets have shifted from personal desktops in a physical form (like via a floppy) to more centralized systems like hospitals. x The transfer is not just based on torrents, mails and such Internet based applications. The latest trends have also made them possible to be activated on an offline system. x Also, the attacks have occurred at the systems which are not a major IT specific company, like health care centers, and thus security of the IT systems is not one of their major priorities. x Advertisements have become smarter,i.e., they are generated based on learning from the user generated patterns like browsing history. This makes a user more prone to the attacks.
How Ransomware Works
In the cyber world, computer users have faced certain types of threat such as worms, spyware, phishing, viruses, and other malware. Ransomware is an extortion scheme whereby attackers hijack and encrypt the victim’s computer files, and then demand a ransom from the victim for these files in original condition. Kaspersky, one of the global leading antivirus companies, warned that ransomware is a serious threat, because there is no way to recover the effected data. We thereby define ransomware as a piece of pernicious software that exploits a user’s computer vulnerabilities to sneak into the victim’s computer and encrypt all his/her files; then the attacker keeps the files locked unless the victim agrees to pay a ransom. In a typical ransomware attack, the attacker reaches into a compromised computer by seeking the exposed system vulnerabilities. If this system was victimized earlier by a worm or Trojan, the attacker can easily enter the weakly configured system. He then searches for various types of important files with such extension names as .txt,. doc,. rft, .ppt, .chm, .cpp, .asm, .db, .db1, .dbx, .cgi, .dsw, .gzip, .zip, .jpg, .key,. mdb,. pgp .pdf.
Knowing these files are of possible crucial importance to the victims, he then encrypts these files, making them impossible for the victim or owner to access. Later, the attacker sends the victim an e-mail ransom or pop-up window demanding for the encryption key that unlocks the frozen files. Once the attacker locates these files, there are several processing strategies that he might implement. First, he can compress all the located files into a password-protected zip package, then he removes the entire original files; second, he can individually encrypt each located file, and then remove the original files. For example, if the original file is DissertationFinalVersion.doc, ransomware will create a file such as Encrypted_DissertationFinalVersion.doc in order to label the original file; third, the attacker might create a hidden folder and move all the located files to this folder, producing a pseudo phase to deceive the victim. The third strategy, of course, carries the slightest damage, and is comparatively feasible for the victim to retrieve all the lost files.
Furthermore, when ransomware attacks successfully take control of an enterprise’s data, the attacker encrypts the data using a sophisticated algorithm. The password to the encryption is only released if ransom is paid to the attackers carrying out the attack. The attacker usually notifies the victim by means of a striking message, which carries specific instructions as to how the victim reacts to retrieve the lost files. A text file or a pop-up window message is generally created in the same folder where files are encrypted. The text file or message box clearly indicates that all the important files are already encrypted and informs the victim of specific money remittance methods.
As rest of the nations India is less influenced by the WannaCry ransomware. The principle reason for this is, India is right now less digitalized when contrasted with different nations. This doesn’t imply that India isn’t influenced in any way, many organizations and people are influenced in India too.
This WannaCry ransomware assault could possibly be made by any nation subtly. Nobody can say in regards to it right now. A portion of the security scientists expressed that the mark an example of this ransomware are like some North Korean programmer gathering. This announcement isn’t yet affirmed so nobody can tell what is reality. Likewise there are a larger number of players other than the first makers of WannaCry ransomware in this assault. Initially the makers released this ransomware and it spread rapidly. Later a security scientist figured out how to back off this malware and keeping UT from tainting different PCs. However then a few other programmer bunches discharged new variations of this ransomware without off button. Even after such a large number of endeavors WannaCry got into the market and spread around the world. Presently we have more than one sort of ransomware that is spreading at a disturbing rate and we can simply trust some security master to prevent this from tainting an ever-increasing number of PCs.
Courses of Action and Remediation: Detection Is a Losing Proposition – Unlike other malware threats, detective controls may not be as effective in identifying and stopping ransom ware before its effects are realized. This is due to the way ransom ware works to achieve its aims. For example, Trojans, remote-access toolkits, or other similar threats rely upon observable activity in order to facilitate their goals. This activity involves regular over-the-network communication to a command-and-control infrastructure in order to receive commands, execute infiltration tasks, or exfiltrate data. Much of the ransomware observed by Deloitte threat intelligence analysts, however, follows an entirely different playbook. In fact, many ransomware kits communicate only once, if at all, usually during or immediately after infection to obtain or transmit data necessary to carry out their encryption operations and present ransom demands.
Consequently, a detective measure such as an intrusion detection system (IDS) or other similar detective device that notifies a security operations team of a threat is not going to stop ransomware. At a minimum, a detective device would be superfluous as an Security Operations Centre (SOC) would receive notification from the security controls, as well as from users complaining that they received a ransom popup on their computers. At this point, the damage has already been done (i.e., files encrypted on an endpoint, server, or network share). This is counterintuitive to everything the marketplace has said for years – that the proper cybersecurity focus should be on detective controls because it is not possible to stop every threat. In the case of ransomware (and other destructive malware kits), preventative controls are at least as important as detective capabilities. So which preventative controls should an enterprise focus on in order to stop ransomware? To get the answer to this question, one has to look at the attack vectors.
This threat study represents a thorough analysis of ransomware, including some of the well-known variants, evolution, vectors, notable attacks, and how to prevent an organization from becoming the next victim. From Deloitte’s analysis, it is clearly evident that ransomware will grow in sophistication and become more widespread as it continues to plague individual users, as well as the enterprise. The successes thus far in the extortion of money from victims is paving the way for more cybercriminals to utilize ransomware as their main tactic. Deloitte Advisory hopes that by leveraging this study, your organization will be armed with the necessary knowledge and tools to protect your environment.
- Admin, 2015 The year of the Ransomware, Apps & Tech, News, December 17, 2015 [Online]. Available: [Accessed 20 May 2016].
- L. Abrams, Emsisoft releases Decrypter for the LeChiffre Ransomware, Bleeping Computer, 25 January 2016 [Online].
- Angler exploit kit pushes new variant of ransomware:
- Email Statistics Report, 2015-2019 Executive
- L. Kelion, “Cryptolocker ransomware has ‘infected about 250,000 PCs’,” BBC News techology, 2013. [Online]. Available: [Accessed 2016].  G. O’Gorman and G. McDonald, “Ransomware: a growing menace,” Symantec Corporation, 2012.
- B. N. Giri, N. Jyoti and M. AVERT, “The Emergence of Ransomware,” AVAR, Auckland, 2006.
- J.-L. Richet, “Extortion on the internet: the rise of crypto-ransomware.,” Harvard , 2016.
- A. Bhardwaj, G. Subrahmanyam, V. Avasthi and H. Sastry, “Ransomware: A rising threat of new age digital extortion.,” in arXiv preprint arXiv:1512.01980, 2015.
- X. Luo and Q. Liao, “Awareness education as the key to ransomware prevention.,” Information Systems Security, vol. 16, no. 4, pp. 195-202, 2007.
- A. Gazet, “Comparative analysis of various ransomware virii,” Journal in computer virology, vol. 6, no. 1, pp. 77-90, 2010.
- M. Fossi, G. Egan, K. Haley, E. Johnson, T. Mack, T. Adams, J. Blackbird, M. Low, D. Mazurek
Cite this essay
Deloitte’s Analysis of Ransomware. (2019, Dec 10). Retrieved from https://studymoose.com/deloittes-analysis-of-ransomware-essay