11 |
Assessing Ransomware Mitigation Strategies in Swedish Organizations: A Focus on Phishing Emails
Liedgren, Johan; von Bonsdorff, Felix, January 2023
Ransomware has been a growing threat to today's organizations. With irreparable damages and billions of dollars lost, it is crucial for organizations to implement mitigation strategies that can counter these attacks. With phishing attempts being the primary attack vector, it is evident that organizations need to implement the best practices in order to avoid the consequences. Thus, this study addresses the question “How do the actual ransomware mitigation strategies implemented by Swedish organizations compare to the best practices suggested in literature, with a focus on phishing emails as a common means of ransomware transmission?” The study was conducted using semi-structured interviews with five participants who work or have worked as IT-security consultants; the interviews were then summarized and analyzed with a thematic analysis approach. Seven relevant themes and fifteen sub-themes were introduced and analyzed in order to answer the proposed research question: attack vector, security awareness training, technical solutions, challenges of solutions, frameworks, evolution and keeping yourself updated. All participants were contacted via LinkedIn and the interviews were done virtually via Zoom. The findings of this study show that Swedish organizations utilize a minimal amount of ransomware mitigation strategies due to the lack of resources, care and overall awareness regarding the topic. According to the interviewed participants, basic forms of technical solutions and administrative solutions are mostly implemented; however, they are a lacking form of medium and can generally be bypassed easily. The primary factors that were brought up and introduced were security awareness training and technical solutions. Essentially, it all boils down to employees' incompetence and lack of security awareness. No matter how many technical solutions are implemented within an organization, if an employee is not aware that they shouldn’t click on malicious links, an infection might spread.
|
12 |
Trestněprávní a kriminologické aspekty šíření ransomware / Criminal and criminological aspects of ransomware spreading
Zavadil, Stanislav, January 2019
This diploma thesis deals with issues of ransomware spreading and examines certain criminal and criminological aspects of this cybercrime phenomenon. Ransomware is malware that encrypts, blocks or prevents access to the computer system or data in a computer system. In connection to this, it demands monetary or other ransom. This diploma thesis firstly describes ransomware from the point of view of its function and technical aspects, including its history, categorization of its variations and description of several notable infection examples, namely WannaCry, Petya, DoubleLocker and Vir Policie. The following section describes possible criminal qualifications according to Czech substantive criminal law, including the consideration of specifics of different ransomware variations and potential development of this criminal activity. The final part focuses on criminological aspects of ransomware spreading. It begins with a description of the crime status and dynamics, including further details about latency and trends. Then follows the description of perpetrator and victim in view of certain criminological theories. Finally, the criminological part comprises a chapter about crime control and prevention, which includes practical parts that aim to help...
|
13 |
Local And Network Ransomware Detection Comparison
Ahlgren, Filip, January 2019
Background. Ransomware is a malicious application encrypting important files on a victim's computer. The ransomware will ask the victim for a ransom to be paid through cryptocurrency. After the system is encrypted there is virtually no way to decrypt the files other than using the encryption key that is bought from the attacker. Objectives. In this practical experiment, we will examine how machine learning can be used to detect ransomware on a local and network level. The results will be compared to see which one has a better performance. Methods. Data is collected through malware and goodware databases and then analyzed in a virtual environment to extract system information and network logs. Different machine learning classifiers will be built from the extracted features in order to detect the ransomware. The classifiers will go through a performance evaluation and be compared with each other to find which one has the best performance. Results. According to the tests, local detection was both more accurate and stable than network detection. The local classifiers had an average accuracy of 96% while the best network classifier had an average accuracy of 89.6%. Conclusions. In this case the results show that local detection has better performance than network detection. However, this can be because the network features were not specific enough for a network classifier. The network performance could have been better if the ransomware samples consisted of fewer families so better features could have been selected.
|
14 |
Att hindra en Notpetya- och WannaCry-attack : Redogörelse med förebyggande metoder och tekniker / Preventing a NotPetya and WannaCry attack: An account of preventive methods and techniques
Nilsson, Anton, January 2018
WannaCry and NotPetya are two ransomware programs that use EternalBlue, a leaked penetration tool of the National Security Agency (NSA), to gain operating-system privileges on a Windows system that allows communication with its Service Message Block (SMB) server. WannaCry and NotPetya exploit this by searching all of the system's storage media for user files and then encrypting them with both symmetric and asymmetric encryption algorithms. To obtain the key used to decrypt the files, the victim must pay the perpetrator a specific sum, usually in Bitcoin. There is no guarantee that the files will be recovered after payment, only the perpetrator's word, expressed in a ransom note that first appears after all files have been encrypted. There are several methods and techniques that can be used to build a defense against ransomware infecting or encrypting data. One method of preventing NotPetya and WannaCry from infecting a system is to block all communication with the Windows system's SMB server. Because this prevents all programs from communicating with the system over the SMB protocol, this method is only an option if the system does not depend on features such as file and printer sharing. One method of preventing data loss in the event of an infection is to continuously back up files to external storage media such as CDs, USB sticks and hard drives. This makes it possible to recover data after an infection, so the victim does not need to rely on the perpetrator to get their files back.
|
15 |
Phishing attacks targeting hospitals : A study over phishing knowledge at Blekingesjukhuset
Nordgren, Daniella, January 2018
Context. Phishing emails are a type of computer attack that targets users and tries to trick them into giving out personal information, following shady links or downloading malicious attachments. Phishing is often closely linked to ransomware, which is a type of attack that locks a user's computer and asks for a ransom in order to give access back. Ransomware viruses often contaminate a computer through a phishing email. Hospitals are a growing target for these types of attacks because of their need to be able to access their systems at all times. Objectives. This study intends to research the phishing knowledge among employees at Blekingesjukhuset and whether Blekingesjukhuset is at risk of falling victim to a ransomware attack through a phishing email opened by an employee. Methods. This is researched by reading relevant literature and through a survey sent out to employees at Blekingesjukhuset regarding their phishing knowledge. Results. The results show that the participants of the survey were overall unsure of how to detect phishing emails and thought that knowledge about the subject is necessary. Conclusions. The conclusion was made that the employees did not know what to look for in order to determine whether an email is a phishing email or not. Based on this information the conclusion can be made that there does exist a risk of Blekingesjukhuset falling victim to a ransomware attack through a phishing email unintentionally opened by an employee.
|
16 |
Towards Advanced Malware Classification: A Reused Code Analysis of Mirai Botnet and Ransomware
January 2020
abstract: Due to the increase in computer and database dependency, the damage caused by malicious codes increases. Moreover, the gravity and the magnitude of malicious attacks by hackers grow at an unprecedented rate. A key challenge lies in detecting such malicious attacks and codes in real-time by the use of existing methods, such as a signature-based detection approach. To this end, computer scientists have attempted to classify heterogeneous types of malware on the basis of their observable characteristics. Existing literature focuses on classifying binary codes, due to the greater accessibility of malware binary than source code. Also, for improved speed and scalability, machine learning-based approaches are widely used. Despite such merits, the machine learning-based approach critically lacks interpretability of its outcome, and thus restricts understanding of why a given code belongs to a particular type of malicious malware and, importantly, why some portions of a code are reused very often by hackers. In this light, this study aims to enhance understanding of malware by directly investigating reused codes and uncovering their characteristics.
To examine reused codes in malware, both malware with source code and malware with binary code are considered in this thesis. For malware with source code, reused code chunks in the Mirai botnet. This study lists frequently reused code chunks and analyzes the characteristics and location of the code. For malware with binary code, this study performs reverse engineering on the binary code for human readers to comprehend, visually inspects reused codes in binary ransomware code, and illustrates the functionality of the reused codes on the basis of similar behaviors and tactics.
This study makes a novel contribution to the literature by directly investigating the characteristics of reused code in malware. The findings of the study can help cybersecurity practitioners and scholars increase the performance of malware classification. / Dissertation/Thesis / Masters Thesis Computer Science 2020
|
17 |
Analýza ransomwaru GlobeImposter / Analysis of the GlobeImposter ransomware
Procházka, Ivo, January 2019
The aim of this diploma thesis is to analyze an instance of the GlobeImposter ransomware extracted from an affected device. The first part outlines various types of malware and ransomware and includes a description of encryption mechanisms and key distribution systems. It also discusses possible approaches of static and dynamic analysis of malware samples and requirements for test environments. The practical part describes the source of the malware sample, the physical and virtual test environment and the results of the static and dynamic analysis of the GlobeImposter ransomware. The final part discusses the results and the possibility of implementing a decryptor for the analyzed GlobeImposter ransomware.
|
18 |
Malware: Det moderna hotet mot företag / Malware: The modern threat to companies
Karlsson, Oliver; Magnusson, Erik, January 2021
This thesis examines the most common types of malware, their functions and the consequences that arise from attacks. Consequences refers to damage from theft or destruction of data located on the affected device. The purpose of this thesis is to give an overview of the current greatest malware threats to companies with Windows computers. A literature study was used to establish which types of malware are the most common, how the chosen types of malware are categorized and how they function. The work also includes an experiment to determine more precisely how certain malware operates when it infects an operating system. The information obtained from the experiment was combined with the information from the literature study and has been compiled in this report. The discussion addresses the various consequences in more detail, with examples of how they differ when they affect a company. The information obtained from the experiment is discussed, including which type of malware the samples are defined as and what they changed in the system. The conclusion presents the most common types of malware in a table with regard to both consequences and likelihood. The effects of the software are also discussed and some examples are given.
|
19 |
Essays on Innovation and Dynamic Capabilities: Evidence from Public Sector Operations and Cybersecurity
Miller, Marcus Soren, 16 August 2024
The public sector needs the capacity for continual improvement and innovation. Cybersecurity threats against U.S. federal civilian agencies and national critical infrastructure stand out as a major problem area requiring agile and timely responses. Moreover, curbing ransomware attacks directed towards uniquely vulnerable domains, such as healthcare, education, and local government poses a particularly vexing policy challenge for government leaders. In three discrete essays, this dissertation examines management theories applied to the public sector and cybersecurity. The first two essays investigate a public management approach for improvement and innovation based on dynamic capabilities - that is, the organizational capacity to observe, understand, learn, and react in a transformational manner. The first essay of this dissertation presents a systematic literature review of empirical research on dynamic capabilities in the public sector which indicates clear benefits from the employment of dynamic capabilities through impacts on organizational capabilities, innovation, organizational change, operational performance, and public value. Building upon that literature review, the second essay of this dissertation applies archival data research and first-person interviews to examine the pivotal role played by dynamic capabilities in facilitating the generation and deployment of innovative cybersecurity approaches among the federal civilian agencies. This novel research identified and categorized dynamic capabilities in action and assessed their operational influence, specifically inter- and intra-agency collaboration, strategic planning, governance, and signature processes. The third essay of this dissertation was the first-ever documented system dynamics model of the ransomware ecosystem to understand incident trend patterns and provide insight into policy decisions. 
Simulation showed improvement by mandating incident reporting, reducing reporting delays, and strengthening passive defenses, but unexpectedly not by capping ransom payments. / Doctor of Philosophy / The public sector needs the capacity for continual improvement and innovation. Cybersecurity threats against U.S. federal civilian agencies and national critical infrastructure stand out as a major problem area requiring agile and timely responses. Moreover, curbing ransomware attacks directed towards uniquely vulnerable domains, such as healthcare, education, and local government poses a particularly vexing policy challenge for government leaders. In three discrete essays, this dissertation examines management theories applied to the public sector and cybersecurity. The first two essays investigate a public management approach for improvement and innovation based on dynamic capabilities - that is, the organizational capacity to observe, understand, learn, and react in a transformational manner. This dissertation first presents a review of prior research on dynamic capabilities in the public sector which indicates clear operational benefits. In the following essay, this dissertation examines the pivotal role played by dynamic capabilities in facilitating the generation and deployment of innovative cybersecurity approaches among the federal civilian agencies. The third essay of this dissertation highlights the simulation of the ransomware ecosystem to better understand incident trend patterns and provide insight into policy decisions such as mandatory reporting requirements and defensive measures.
|
20 |
Brister i IT-säkerhet inom svensk sjöfart? : En kvalitativ undersökning om IT-säkerhet på svenska fartyg / Deficiencies in IT security in Swedish shipping? A qualitative study of IT security on Swedish ships
Gustafsson, Daniel; Hamid, Mohammadi, January 2017
Certain types of cyber attacks increased sharply between 2015 and 2016; this is acknowledged both on land and at sea. Given the unique situation of shipping, it is of interest to investigate how shipping companies have chosen to protect themselves from cyberattacks. Four shipping companies have been interviewed regarding the cybersecurity of their vessels. The results of the interviews have since been compared against IMO's guidelines released in 2016 to investigate whether there are deficiencies in cybersecurity on Swedish ships. The results show that there are shortcomings in several of the shipping companies interviewed, primarily in the form of training of personnel. The result also shows that there are clear contrasts between smaller shipping companies and larger shipping companies, where the smaller shipping companies have fewer measures in place while the larger shipping companies have more to prevent or handle a cyberattack.
|