Modern Ransomware Essay

Document Type: Essay

Subject Area: Computer Science

Evolution of Ransomware

The ransomware service was introduced in May 2015. It helped attackers create ransoms for free through a website hosted on Tor. In September the service released a locker pin component that changes a user's PIN by infecting the Android system. This led to the emergence of a ransomware service called JavaScript, which enables attackers to mount multi-platform attacks covering Mac OS X and Linux. The component that makes hard disks inaccessible once they are infected is called Petya; it overwrites the master boot record (MBR) of the computer. The malware contained in CryptoWall sends the user's IP address and a unique identifier to the C&C server.

If the communication succeeds, a PNG image is sent to the user, who accepts it together with all the data. The process takes time: data is exchanged while the encryption continues, and the user ends up with an encrypted file together with a decryption key. CryptoWall has been improved with strategies that make its detection harder. Ransomware has advanced to mobile users, attacking Android and iOS devices. Android users have been easy prey for the malware because they allow the installation of applications from third-party sources. An unsuspected APK file is distributed and installed, then attempts to hijack all applications, mostly by displaying a blocking message. The file manipulates the user into granting it administrative access so that it gains more access to and control over the device.

iOS users are harder to reach, but the malware has found a way in through the iPhone's Find My system. Virtual machines and the Xen hypervisor were experimented on by running different numbers of active rules. The first experiment measured results for a downloaded test file, the second dealt with a firewall, and the final experiment tested HTTP servers. Observations from the experiments showed a high rate of increase in delay as the number of active rules grew. The impact on network performance was unacceptable only when the results involved more than 1000 rules. This Xen machine had 4 GB of RAM and an Intel i5-2500K processor, running at a speed of 3.

A Domain Generation Algorithm (DGA) is a program seen in many malware families; for example, attackers use command and control (C&C) servers for communication, and the Locky family enabled this by generating large numbers of domain names. Findings indicate that Locky modified these domains every day. The principle of the effective mitigation solution was worth nothing if it stayed the same as for the CryptoWall family. The encryption process required a complete, successful connection to the malicious servers that trigger the start of encryption. Two proof-of-concept SDN-based mitigation methods for ransomware, SDN1 and SDN2, were proposed, designed and evaluated. The infected host never gets the response, because it is discarded in the process.

An alert is always sent to the system administrator when a blacklisted proxy server is detected. This causes complete blockage of the host, as further communication is not possible. SDN2 was developed as an upgrade of SDN1 to improve its performance. The potential disadvantage of SDN1 was the delay it introduced for the infected host and for legitimate DNS traffic. The protocol was also used for forwarding the traffic from all monitored machines. The Python-based POX was used as the controller, on which the functionality of both SDN security applications was implemented (Fahad and Zbigniew, pg. OVS wasn't used as the main switch, to prevent other management traffic from influencing the experimental traffic. The two proposed proof-of-concept SDN applications were subjected to a performance evaluation.

The main reason for the direct impact on network performance of most of the blacklisting currently used for security is associated with two facts; 1. Another requirement is that the HTTP traffic must be deniable before the encryption key is received. During the experiments, DNS response time was measured while the DNS packets were inspected and controlled by the SDN before being sent to the receiving side. The first query, which is directed towards remote DNS servers, was omitted to provide reliable results. The average value presented depends on the number of domains stored in the database; the data shown used 20 queries. The real malicious domains used during the experiment, and included in the database, were provided to the internet community by Bambenek.
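The SDN1 decision described above, as an added illustration that is not code from the paper or from the POX application it used: each DNS response is parsed, the queried name (and each of its parent domains) is checked against a blacklist, a matching response is dropped so the infected host never receives it, and an administrator alert is recorded. The blacklist entries, the `build_response` helper and the `dns_filter`/`parse_qname` names are constructed for this example.

```python
import struct

# Constructed blacklist, standing in for the Bambenek feed used in the experiment.
# A set gives O(1) membership tests, so lookup cost does not grow with the
# number of domains stored, which is the scaling concern the text raises.
BLACKLIST = {"evil-locky-c2.example", "cryptowall-proxy.example"}


def parse_qname(packet: bytes, offset: int = 12):
    """Return (name, next_offset) for the question name in a DNS message.
    The 12-byte header precedes the question section."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:                      # root label terminates the name
            return ".".join(labels).lower(), offset + 1
        if length & 0xC0:                    # compression pointers never appear in questions
            raise ValueError("compressed name in question section")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def dns_filter(packet: bytes, blacklist=BLACKLIST, alerts=None) -> str:
    """Emulate the controller's verdict for one DNS packet: 'forward' or 'drop'.
    Only responses are dropped; a drop appends an administrator alert."""
    txid, flags = struct.unpack("!HH", packet[:4])
    if not flags & 0x8000:                   # QR bit clear: this is a query, let it through
        return "forward"
    qname, _ = parse_qname(packet)
    parts = qname.split(".")
    # Match the exact name and every parent domain, so sub.bad.example hits bad.example.
    candidates = {".".join(parts[i:]) for i in range(len(parts))}
    if candidates & blacklist:
        if alerts is not None:
            alerts.append({"txid": txid, "domain": qname, "action": "drop"})
        return "drop"
    return "forward"


def build_response(qname: str, txid: int = 0x1234, flags: int = 0x8180) -> bytes:
    """Build a minimal DNS message (header + one A/IN question) as constructed test input."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)
```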

This means that the code form used cannot be easily retrieved, and this is achieved through the use of box cryptography. The second property is that the attacker is the only person who can decrypt the victim's computer or device. Lastly, the key used to decrypt a given device cannot be used to decrypt other devices. Ransomware can infect devices through malicious email attachments, compromised software and downloads. Other infection routes are social engineering, malvertisements and direct hacking of the device by the attacker. To fulfil the second property of a successful ransomware attack, the victims must communicate with the attacker through a server known as a command and control (C&C) server.

To fulfil the third property, the author must ensure that every victim's decryption key is unique. Law enforcement agencies are able to easily disable central command and control servers that are static. Attackers keep the malicious payloads inactive because analysis of some ransomware that contacts the C&C has been unsuccessful. Ransom payloads are packed and obfuscated by ransomware authors in a way that prevents detection by antivirus software and escapes analysis tools. Many victims of cybercrime face a difficult challenge in defending themselves but always resolve to paying the ransom demanded. Ad-hoc ransomware mitigation acts as a defence mechanism that targets users who use cryptography incorrectly. Cyber-criminals have developed many approaches to make money in the underworld economy.

Underground enterprises sell kits used to exploit victims through drive-by-download, a method attackers use to infect devices.

Defense against Ransomware

The rising number of ransomware has attracted the attention of security vendors as well as the research community. When using these hybrid cryptosystems, ransomware authors randomly choose a symmetric key for every file that needs encryption and encrypt each file under that key. A symmetric key that is repeatedly used in this way to encrypt messages is called a session key. The symmetric message key is itself encrypted using the hybrid cryptosystem. Therefore the asymmetric cryptographic operation only has to encrypt the small symmetric key, however large the file to be encrypted is. On paying the ransom and receiving the key, the receiver decrypts the files using the private key to reverse the encryption.

An unconditional jump instruction is needed for the hook: it overwrites the first five bytes of the original function, which activates the detour hook and redirects control from the original functionality to the hook. Once the hook is complete, calls to the original function are redirected to the hook function. Ransomware authors link this malware dynamically when using cryptography, by using external libraries that are statically linked.

Ransomware Prevention

With the emergence of malware such as ransomware, the security of information assets is at great risk, as ransomware authors normally break into user files, encrypt them and demand that victims pay a ransom in order to receive the decryption key. The high speed at which new ransomware forms are emerging shows that entrepreneurs in the underworld economy are developing faster than the technology used to create security measures.

This can be done by creating a longer key which appears with each new creation, and this leads to a war between the information security business and malware authors. Ransomware will therefore continue to be a major security threat for service-based businesses.

Recommendations for Anti-ransomware

Historically, those affected by ransomware mostly belonged to the business community, but in recent years attackers have gained access to consumer information because small-scale businesses and individuals working from home neglect activities such as backing up data and keeping up with new security policies. These ransomware attacks have not only led to individuals paying large ransom amounts but also to organizations losing important business data contained in files that are lost when ransoms are not paid. Ransomware may lead to increased malware attacks on organization systems, and this may lead to system failure.

Research shows an example of a large-scale ransomware attack a few years ago against one of the largest companies in the world, Sony. The company was releasing a famous film known as The Interview, which was delayed due to the attack. As described above, ransomware locks the infected host computer, denying the user access by encrypting or overwriting their files. Malware detection has proven to be an ever-growing challenge, as malware has advanced and become harder to detect. Different malware detection proposals, generic ones for example, have been attempted, and none was able to solve the main problem of timely detection. The experiment carried out introduced the malware to the system and recorded its behaviour and how it interacts with the system.

UNVEIL Design

For ransomware to attack a user's computer it needs access to the data, which the user is tricked into giving; for example, on an Android system the ransomware gains access when the user grants permission to install an application that comes disguised as an APK file. The new modern approach, UNVEIL, is designed to scan large files and data so that the system reveals any ransomware behaviour; in the process the system shows the ransomware's operations (Kharrazi, pgs. 2-9). An analysis was carried out to determine UNVEIL's capability by feeding it 148,223 malware samples from all over the world, and UNVEIL managed to detect 13,637 ransomware samples. They target the private and most important files. Without access to the decryption key, the infected host becomes a victim, vulnerable to paying the ransom.

Only the malware can decode the encryption on the desktop, remotely when communicating with the C&C servers or if it already has an encryption key. The cybercriminal gains access to the computer and uses customized functions to delete the user's original main files. The malware has been upgraded to avoid detection and to be able to delete user files. This has been brought about by advances in storage, data collection and processing speed in information technology (IT). Potential users, especially those who have doubts about privacy issues and the data collected in IT, have increased tremendously. The causes of their increase are the threats they may face of being spied on, pharming, phishing and many more, which creates a lot of doubt especially about confidentiality, integrity and the availability of information.

Therefore, cyber security, information regulation and theory have become the number one priority for the IT community. In these modern times IT companies worry not only about the competition but also about the cyber threats they face in day-to-day business. They tend to move from one system to the next via the internet, mostly through emails, as they find IP addresses and send themselves. As for spyware, the virus monitors the victims' activity and their hidden data files and sends the gathered information to a remote machine. The virus appears as a free download that tempts users to download it. Spyware is dangerous because it does not need to be on the web: once in the system, spyware gathers all useful information without the user's knowledge and can only be removed if the user deletes the originally downloaded software.
