- Open Access
- Authors : Nagaraja Seshadri, Rubia Fathima
- Paper ID : IJERTCONV8IS15015
- Volume & Issue : NCAIT – 2020 (Volume 8 – Issue 15)
- Published (First Online): 21-09-2020
- ISSN (Online) : 2278-0181
- Publisher Name : IJERT
- License: This work is licensed under a Creative Commons Attribution 4.0 International License
REVA Academy for Corporate Excellence REVA University
REVA Academy for Corporate Excellence REVA University
Abstract – Ransomware is a malware that prevents users from accessing their system or limits their use of the system. It locks the system's screen or the users' files thus preventing them from accessing or using it. Demand for a ransom is made and access is denied unless ransom is paid. Now a days, some modern ransomwares, collectively called as crypto ransomware can encrypt certain file types on infected systems. The users are then forced to pay the ransom through certain online payment methods to get a decryption key.
Ransomware incidents are targeted at various organizations across industries and geographies and have brought a threat of disruptive and destructive attacks.
The purpose of this paper is to examine and raise awareness on ransomware attack, its effects, and some of the preventive measures from both general and technical perspectives.
Keywords – Ransomware; Attack Vectors; MITRE ATT&CK; Malware; Kill Chain; Crypto and Locker
Ransomware is a type of malicious software which encrypts data stored on computer networks with the intention of getting financial gains by selling the targets information.
Ransomware attacks are increasing day by day as also the variety of ransomwares. The number of reported incidents has spiked exponentially as well as the amount that the cyber hackers are extorting from the organizations. Below Fig.1 explains how Ransomware works .
Fig. 1. Ransomware attack
However, the payment of ransom does not guarantee the encrypted files will be released. Similarly, when attackers send back the decrypted files after being paid the ransom that does not mean that the malware was removed from the attacked system.
Ransomware uses robust algorithms for encrypting data efficiently and it is exceedingly difficult to decrypt and restore the files. Ransomware can spread through critical vulnerabilities in the network, which may be through malicious email attachments, by blocking access to important files and a notification of demanding payment. The invention of cryptocurrencies gave the attackers an added advantage of anonymity.
IMPACT OF RANSOMWARE
Fig. 2. Ransomware impact
Ransomware attacks have impacted the industries with loss of sensitive data and loss of hundreds of millions of dollars annually across the globe. Statistics show most of the companies that suffered a major attack filed for bankruptcy later.
RANSOMWARE KILL CHAIN
Fig. 3. Ransomware Kill Chain
Ransomware Kill Chain is depicted in the above Fig.3 .
Fig. 4. Ransomware Kill Chain Details
RANSOMWARE ATTACK VECTORS 
Files and Apps – by shadow-IT, Drop Box shared folder, files and applications can be infected images or infected pirated applications.
Exploit Kits – by means of toolkits to exploit multiple vulnerabilities in operating systems, third-party software, hardware etc.
Malvertising – by ads which are basically pieces of software that perform malicious activities like download and install malwares.
Compromised Websites – by attacking through the malicious website from where malware is downloaded and installed
Phishing – by sending an email message to impersonate an official or familiar sender, urging to click open an attachment or click a link which in turn downloads and runs the malware.
Instant Messaging – by acting as a graphics file to drop a malicious file while bypassing traditional file extension filters through instant messengers like WhatsApp and Facebook Messenger.
Remote Access – by hijacking an RDP connection or brute-force their way into the network through an open RDP connection.
Below Fig.5 shows the Ransomware Attack Vector .
Fig. 5. Ransomeware Attack Vector
RANSOMWARE TYPES 
Crypto ransomware is a type of ransomware attack that finds and encrypts the organizations vital data stored on the network, making the data not usable unless the user gets the decryption key.
Locker ransomware usually lock a victims devices by affecting the operating system and applications and the network from performing usual operations and demanding the user to pay a ransom fee to restore it for use.
RANSOMWARE FAMILY 
Ransomware families dominate with unique characteristics such as the system or device they infect, the kinds of files they target and the ransom amount. Many users, institutions, industries, and organizations have been exposed to ransomware threats, resulting in considerable financial and reputational loss.
Fig. 6. Ransomware family
The Petya Ransomware, a malware that infects a target infrastructure, encrypts the crucial data from the server, and provides a message with a timeline explaining how
they can pay to get their data back. It can self-spread like a worm by attacking computers and spreading using the Eternal Blue exploit.
The WannaCry Ransomware targets Microsofts widely used operating systems by encrypting the crucial data, critical documents, and files. This attack preyed on unsuspicious users by get the most out of on an imperfection in the structure of Microsoft windows operating systems referred to as server message block protocol.
The Bad Rabbit Ransomware, a malware distributed through drive-by downloads on infected websites, are tricked into clicking the malware by falsely alerting them that their adobe flash player requires a vital update.
The Crypto-locker Ransomware, a malware which encrypts files using AES with a random key, which is then encrypted with a 2048-bit RSA public key by entering through a protected network through email, file sharing, and downloads.
The Locky Ransomware, a malware uses RSA-2048 + AES-128 with Electronic Code book mode to encrypt files, infection involves receiving emails that contain a Word document, spreadsheet, PowerPoint, zip file, etc., where the attachment is infected using malicious macros.
The Crypto wall Ransomware, a malware which is a file-encrypting ransomware program that targets earlier versions of windows. crypto-wall encrypts data by checking through its command-and-control server and reporting the IP address of the infected computer by taking control of database.
The Ryuk Ransomware, a malware which identifies and encrypts files along the network, while at the same time deleting the shadow copies stored on the endpoints which includes the process starts with phishing attacks and later branches into network mapping, password scraping, and droppers in different combinations.
MAZE RANSOMWARE ANALYSIS
The Maze ransomware is a malware created to disrupt and steal information by moving across the network to encrypt files in the systems for extortions. Its intrusion method includes creation of malicious crypto currency sites, copying government agency sites and security product companies.
This attack is targeting IT, Banking, Healthcare and other sectors by delivering emails with MACRO attachments that include FALLOUT or SPELEVO exploit kits.
Fallout Exploit kit  takes the users browser profile patterns and distributes malicious content to the ser who is redirected from the original page to the exploit kit landing page URL. Discovered in August 2018, this exploit kit gains access through Adobe Flash Player and Microsoft Windows flaws. The attacker downloads additional malware onto the victims computer during the effective infection.
The Spelevo Exploit Kit  is used to deliver ransomware to internet users via Adobe Flash Player vulnerabilities. It is used to gain access to remote systems via corrupted advertisements, spam emails with fixed scripts, misleading Adobe Flash Updates.
Maze ransomware TA2101 threat actor uses 2048-bit RSA and the ChaCha20 stream cipher to encrypt files, adds different extensions to the files throughout the encryption progression.
The user's desktop wallpaper is changed to a message about the encrypted files and the ransom note filename is dropped. The labels used to specify the computer types are like home computer, standalone server, backup server, primary domain controller, etc. Fig.7 below shows the various stages of attack 
Fig. 7. Maze Ransomware Attack Stages
Fig. 8. Ransomware Note
Above Fig.8 shows a typical Ransomware note . The ransomware amount is based on the device type it detects during the attack.
Preventive Stategy for Ransomware
MITRE ATT&CK MATRIX 
MITRE Corporation, an American non-profit organisation developed ATT&CK as a model to document and track techniques attackers use during the different stages of a cyberattack to intrude the network and breach the data. Below Fig.9 compares MITRE ATT&CK can Cyber Kill Chain .
Fig. 9. MITRE ATT&CK Matrix
ATT&CK  specifies Adversarial Tactics, Techniques, and Common Knowledge. The framework is a pattern of various cyberattack techniques classified by different tactics.
Based on MITRE ATT&CK framework, mitigations can be designed at three levels:
Assessment analysing current configuration and security practices to find security vulnerabilities and holes by testing Weak Passwords, Privileged Accounts, detect misconfigurations, open RDP servers with no NLA, servers with no SMB signing, etc
Detection monitor network traffic and data continuously and detect malicious activity simultaneously. Credentials detection by scanning, dumping domain hashes, creation of fresh privileged accounts, or code execution in the domain controller, etc
Prevention by defining clear custom conditional access policies to block access or trigger MFA based on varying behaviour pattern, this well-defined approach reduces user conflicts when accessing applications and resources.
Fig. 10. MITRE ATT&CK Mitigation Steps
Mitigation steps in the MITRE ATT&CK framework  is shown in the above Fig.10.
PREVENTIVE MEASURES 
Install ad blockers to fight exploit kits that are distributed via malicious advertising.
Protect personal/official devices with licensed Antivirus.
Implement strong email security protection software that detects Word attachments which is possibly implanted with malicious macros.
Lockdown Remote Desktop Protocol.
Deploy effective backup plans including keeping the backup safe at remote location, so that they can be used to recover lost data in the event of breach.
Use legitimate VPN services instead of free services.
Enforce sessions with specific time periods.
Adopt advanced protocols like IPSEC to establish a connection,
Enforce multifactor authentication in advance for every user activity.
Do not plug any unattended external media into the devices.
Validate senders emails IDs before opening an email.
Install a sandbox solution to detect malware not detected by antivirus software.
Perform regular updates of operating systems and application software
CONTAINMENT, RECOVERY AND RESPONSE 
Network traffic analysis: To limit the ransomwares ability to spread and create damage by monitoring network traffic, detect suspicious communications that cannot be detected by signature-based security systems, analyse and block data on end devices.
Malware analysis: To detect paths quickly and efficiently, keep malicious code from becoming fixed in systems while preventing the infrastructure from being re- infected, neutralize threats that have already spread and become deep-rooted.
Forensic analysis: To identify where the compromise originated, how the attackers moved across the network, what tools were used and what vulnerabilities were exploited
It is crucial to recover from the attack and to quickly return to normal IT services and business operations.
The cybersecurity world is advancing at a rapid pace and attackers are targeting the victim with new tactics to attain their goals. Frameworks like MITRE ATT&CK are essential
to developing a stronger cybersecurity program. With proper implementation of ATT&CK framework, security team will be able to measure the efficiency of their security program.
Simple steps like monitoring for weak passwords, limiting account privileges, and enforcing strict authentication steps can reduce most of the risk of being the ransomware victim. It is essential for computer users to follow the general and technical protective procedures to reduce such attacks.
Dealing with Cyber Crime in 2019 by Peter Bowey Computer Solutions. https://www.peterboweycomputerservices.com.au/blog/dealing-with- cyber-crime-in-2019
Combating Ransomware challenge with Cisco Ransomware Defense solution – Cisco Security Newsletter-Issue 7_June 20
Seven Ways Ransomware Infects Your Network https://www.maya-security.com/blog
Ransomware attack what is it and what is it impact https://blog.eccouncil.org/ransomware-attack-what-is-it-and-what-is-it- impact/
Fallout Exploit Kit is Back with New Vulnerabilities and Payloads by Sergiu Gatlan https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-is- back-with-new-vulnerabilities-and-payloads/
Spelevo EK Exploits Flash Player Vulnerability to Deliver Maze Ransomware by David Bisson https://securityintelligence.com/news/spelevo-ek-exploits-flash-player- vulnerability-to-deliver-maze-ransomware/
MAZE Ransomware Campaign spoofs Italian Revenue Agency Correspondence
https://www.infoblox.com/wp-content/uploads/threat-intelligence- report-maze-ransomware-campaign-spoofs-Italian-revenue-agency- correspondence.pdf
MAZE Ransomware NASSCOM-DSCI Advisory https://www.dsci.in/sites/default/files/Maze_Ransomware_Advisory.pdf
MITRE ATT&CK Framework
Getting Started with ATT&CK: Adversary Emulation and Red Teaming by Blake Strom
What is MITRE ATT&CK: An Explainer by Tim Matthews Chief Marketing Officer
Ransomware Uncovered: Attackers Latest Methods https://www.group-ib.com/whitepapers/ransomware-uncovered.html