21 |
A new ransomware detection scheme based on tracking file signature and file entropy
Jethva, Brijesh 26 August 2019
Ransomware is a type of malware that hijacks victims’ computers by encrypting or locking the corresponding files and demanding the payment of a ransom in cryptocurrency for the restoration of the files. The last few years have witnessed a sudden rise in ransomware attack incidents, causing a significant amount of financial loss to individuals, institutions, and businesses. In reaction to that, ransomware detection has become an important topic for research in recent years. Currently, there are three types of ransomware detection techniques available in the wild: static, dynamic and hybrid. Unfortunately, the current static detection techniques can be easily evaded by code-obfuscation and encryption techniques. Furthermore, current dynamic and hybrid techniques have difficulty detecting novel ransomware.
In the current thesis, we present an upgraded dynamic ransomware detection model with two new sets of features: grouped registry key operation, and combined file entropy and file signature. We analyze the new feature model by exploring and comparing 3 different linear machine learning techniques: SVM, Logistic Regression and Random Forest. The proposed approach helps achieve improved detection accuracy and provides the ability to detect novel ransomware. Furthermore, the proposed approach helps differentiate user-triggered encryption from ransomware-triggered encryption, which allows saving as many files as possible during an attack.
To conduct our study, we use a new public ransomware detection dataset collected at the ISOT lab, which consists of 666 ransomware and 103 benign binaries. Our experimental results show that our proposed approach achieves relatively high accuracy in detecting both previously seen and novel ransomware samples. / Graduate
|
22 |
Vad gör att människor faller för Spear-Phishing? / Why do people fall for Spear-Phishing?
Danesten, Jacob January 2016
Not many people are familiar with the term spear-phishing. Spear-phishing is a way of attacking a person via email. Those who carry out this type of attack use social aspects to deceive you. They may say that the message is from a company that you as a person have contact with. It could, for example, be from a bank or the Swedish Tax Agency (Skatteverket). The purpose of the study is to try to understand why people fall for these attacks and how they can prevent other attacks from spreading. The viruses that this type of attack spreads can be, for example, trojans and ransomware.
|
23 |
REACTIONS TO RANSOMWARE VARIANTS AMONG INTERNET USERS: MEASURING PAYMENT EVOCATION
Jason Cameron Bays (6613361) 15 May 2019
Ransomware, a form of malicious software, takes users’ files hostage via encryption and demands payment for their return. Since its inception, ransomware has branched into many different variants, some of which threaten users with scare tactics in order to evoke payment. For this study, four variants of ransomware were examined by presenting vignettes via an anonymous online survey. No actual malware was installed on any devices throughout this study. Their emotional responses were captured as well as their level of familiarity with information security. Responses to the survey after the simulated ransomware vignette were recorded to gauge how users would react to a ransomware attack. Data was analyzed to discover which types of ransomware evoked payment as well as if information security knowledge also had an effect on likelihood to pay. This data is intended to be used to develop better prevention methods and messaging, with an emphasis on promoting training on malware avoidance. The study found most individuals did not choose to pay, and this could be attributed to a distrust of the ransomware threat. Self-reported information security behavior appeared to decrease payment evocation, however, peer information security experience and prior exposure to malware appeared to increase payment evocation.
|
24 |
Obfuskační techniky ransomware / Ransomware Obfuscation Techniques
Jacko, Jerguš January 2019
This master's thesis seeks to design, implement, and point out new techniques for obfuscation of ransomware activity using the entropy principles of data that do not fall within the detection capabilities of known anti-ransomware and anti-virus tools. The proposed techniques are aimed at changing the ransomware activity in the downgrading phase (encryption or obfuscation) of files on the infected system.
|
25 |
Behaviour-based detection of ransomware attacks in the Cloud using machine learning
Popryho, Yaroslav, Popryho, Leonid January 2023
Background: Ransomware attacks are a significant threat to digital information, and with the increasing adoption of cloud storage services, attackers now target cloud environments. The existing literature on ransomware detection has primarily focused on local environments, and there is a limited body of research on applying these approaches to the cloud environment. Objectives: In this thesis, we aim to develop a behavior-based ransomware detection system for cloud environments, specifically focusing on Google Drive, using machine learning techniques. We will create a dedicated Google Workspace and utilize the Google Cloud Platform for developing the anomaly detection classifier. Methods: We will review related work in ransomware detection and machine learning approaches to select suitable techniques for our research. Our anomaly detection classifier will analyze user activities in the cloud, such as file access patterns and permission changes, to detect deviations indicative of ransomware attacks. Results: We will validate our system’s performance by conducting experiments in our Google Workspace, emulating ransomware attacks, and comparing the classifier’s performance against existing techniques. Conclusions: Our thesis aims to contribute a novel, behavior-based detection system for ransomware attacks in cloud environments, advancing the state-of-the-art and providing a scalable solution for various cloud storage providers. Keywords: ransomware detection, cloud environments, behavior-based detection, machine learning, Google Drive.
|
26 |
Patterns of malware and digital attacks : A guideline for the security enthusiast
Güven, Wolf January 2018
Context: In today’s era, many things are dependent on the internet, thus the devices and applications that are using it proliferate. Every day, many devices are getting targeted by malevolent virus authors. To protect the data from malicious factors becomes a preposterous dispute. A ransomware named CryptoLocker has caused many individuals, hospitals, and institutions thousands if not millions of dollars in damage due to encrypting the computer files thus demanding a ransom in return. Once the ransomware strikes a system, the recoverability is almost non-existent if no backup or system restore is present, because the private key which was used to encrypt files is encrypted and sent to the attacker’s database. Without the key, there is no recovery for restoring files. Objective: Exploratory research is conducted to reveal unique methods ransomware and keylogger may use to strike a system. The goal is to disclose protection policies of the Windows systems for the security enthusiasts and computer users. Three main objectives are present: how viruses hide in a system without servicing any rootkits to hide the malware, how ransomware and keylogger can be used together to deliver damage, and how to conceal the CPU usage of the ransomware during the encryption routine. Method: To answer the questions and exploit new features, ransomware, keylogger and a trojan horse are built. Original CryptoLocker architecture has been analyzed, and some methods have been derived. The final application is running on the Windows operating system; Windows 10. Win32 API, C++, and C# are used for the construction of the malware programs. Visual Studio 2017 has been used as an IDE. Results: The testing results reveal that running the encryption routine as a background thread conceals the CPU usage, except that the operation time increases by five times. The experiments show that disguising a malware program among the task manager process list is possible by setting a Win32 API flag within the execution of the program. Changing the malware name, signature, and description of the program further enhances the sustainability rate from the everyday users.
|
27 |
Ransomware Detection Using Windows API Calls and Machine Learning
Karanam, Sanjula 31 May 2023
Ransomware is an ever-growing issue that has been affecting individuals and corporations since its inception, leading to losses of the order of billions each year. This research builds upon the existing body of research pertaining to ransomware detection for Windows-based platforms through behavioral analysis using sandboxing techniques and classification using machine learning (ML), considering the various predefined function calls, known as API (Application Programming Interface) calls, made by ransomware and benign samples as classifying features. The primary aim of this research is to study the effect of the frequency of API calls made by ransomware samples spanning across a large number of ransomware families exhibiting varied behavior, and benign samples on the classification accuracy of various ML algorithms. Conducting an experiment based on this, a quantitative analysis of the ML classification algorithms was performed, for the frequency of API calls based input and binary input based on the existence of an API call, resulting in the conclusion that considering the frequency of API calls marginally improves the ransomware recall rate. The secondary research question posed by this research aims to justify the ML classification of ransomware by conducting behavioral analysis of ransomware and goodware in the context of the API calls that had a major effect on the classification of ransomware. This research was able to provide meaningful insights into the runtime behavior of ransomware and goodware, and how such behavior including API calls and their frequencies were in line with the ML-based classification of ransomware. / Master of Science / Ransomware is an ever-growing issue that has been affecting individuals and corporations since its inception, leading to losses of the order of billions each year.
It infects a user machine, encrypts user files or locks the user out of their machine, or both, demanding ransom in exchange for decrypting or unlocking user data. Analyzing ransomware either statically or behaviorally is a prerequisite for building detection and countering mechanisms. Behavioral analysis of ransomware is the basis for this research, wherein ransomware is analyzed by executing it on a safe sandboxed environment such as a virtual machine to avoid infecting a real-user machine, and its runtime characteristics are extracted for analysis. Among these characteristics, the various predefined function calls, known as API (Application Programming Interface) calls, made to the system by ransomware will serve as the basis for the classification of ransomware and benign software. After analyzing ransomware samples across various families, and benign samples in a sandboxed environment, and considering API calls as features, the curated dataset was fed to a set of ML algorithms that have the capability to extract useful information from the dataset to take classification decisions without human intervention. The research will consider the importance of the frequency of API calls on the classification accuracy and also state the most important APIs for classification along with their potential use in the context of ransomware and goodware to justify ML classification. Zero-Day detection, which refers to testing the accuracy of trained ML models on unknown ransomware samples and families was also performed.
|
28 |
The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures
Connolly, Lena Y., Wall, D.S. 16 June 2020
Yes / Year in and year out the increasing adaptivity of offenders has maintained ransomware's position as a major cybersecurity threat. The cybersecurity industry has responded with a similar degree of adaptiveness, but has focussed more upon technical (science) than ‘non-technical’ (social science) factors. This article explores empirically how organisations and investigators have reacted to the shift in the ransomware landscape from scareware and locker attacks to the almost exclusive use of crypto-ransomware. We outline how, for various reasons, victims and investigators struggle to respond effectively to this form of threat. By drawing upon in-depth interviews with victims and law enforcement officers involved in twenty-six crypto-ransomware attacks between 2014 and 2018 and using an inductive content analysis method, we develop a data-driven taxonomy of crypto-ransomware countermeasures. The findings of the research indicate that responses to crypto-ransomware are made more complex by the nuanced relationship between the technical (malware which encrypts) and the human (social engineering which still instigates most infections) aspects of an attack. As a consequence, there is no simple technological ‘silver bullet’ that will wipe out the crypto-ransomware threat. Rather, a multi-layered approach is needed which consists of socio-technical measures, zealous front-line managers and active support from senior management. / This work was supported by the Engineering and Physical Sciences Research Council and is part of the EMPHASIS (EconoMical, PsycHologicAl and Societal Impact of RanSomware) project [EP/P011721/1].
|
29 |
Ransomware-attacker mot svenska kommuner : En kvalitativ studie kring genomförda ransomware-attackers påverkan / Ransomware Attacks at Swedish Municipalities : A Qualitative Study on the Impact of Executed Ransomware Attacks
Englund, Sofie, Lundquist, Wilma January 2024
Ransomware attacks are increasing not only in number but also in scope and complexity. Moreover, Swedish organizations are considered to be particularly exposed to ransomware attacks, among them municipalities, which have an essential function for society. Executed ransomware attacks rarely go unnoticed and can leave a large impact on those affected. This study addresses the impact that executed ransomware attacks have on Swedish municipalities and how this impact has led to changes in several respects within the municipality. To understand this, the impact is analyzed by taking a theoretical approach from Work System Theory (WST) and by considering the impact on the different work systems that these municipalities consist of. This study highlights that a prominent work system was the social services department, which is considered particularly vulnerable to unexpected disturbances such as ransomware attacks. Furthermore, municipalities are affected when technologies are knocked out, which forces them to apply changed working methods. At the same time, trust in external actors decreases and people's security awareness increases, which is reflected in security work and contributes to an upgrade of security technologies.
|
30 |
Ransomware-attacker : En kvalitativ studie kring informationssäkerhetsarbetet inom mindre svenska kommuner
Järgenstedt, Tindra, Kvernplassen, Nelly January 2023
Ransomware attacks have become an increasing threat with the ongoing digitalization of society. This study investigates what factors are important to prevent ransomware attacks against smaller Swedish municipalities. To accomplish this, semi-structured interviews were conducted with six different respondents. The interviewees all worked in smaller Swedish municipalities and had good insight and knowledge of the municipality's IT and information security work. The material was then analyzed using Protection Motivation Theory (PMT). The study discusses both the municipalities' attitude to information security and notes which security measures stand out as most important. These were protected backups, education and continuity plans linked to IT attacks. The paper then concludes with suggestions for further research.
|