See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/320346114

Ransomware: Current Trend, Challenges, and Research Directions

Conference Paper · October 2017

CITATIONS READS

7 7,615

6 authors, including:

Segun I. Popoola Faith Sweetwilliams

Manchester Metropolitan University Covenant University Ota Ogun State, Nigeria
117 PUBLICATIONS   985 CITATIONS    2 PUBLICATIONS   9 CITATIONS   

SEE PROFILE SEE PROFILE

Samuel Ndueso John Prof. Aderemi A. Atayero

Nigerian Defence Academy Covenant University Ota Ogun State, Nigeria
48 PUBLICATIONS   189 CITATIONS    251 PUBLICATIONS   1,554 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Massive MIMO for MTC in IoT/dense urban environment View project

Developing an Entrepreneurial Ecosystem View project

All content following this page was uploaded by Segun I. Popoola on 25 October 2017.

The user has requested enhancement of the downloaded file.

Proceedings of the World Congress on Engineering and Computer Science 2017 Vol I
WCECS 2017, October 25-27, 2017, San Francisco, USA

Ransomware: Current Trend, Challenges, and

Research Directions
Segun I. Popoola, Member, IAENG, Ujioghosa B. Iyekekpolo, Samuel O. Ojewande, Faith O.
Sweetwilliams, Samuel N. John, Aderemi A. Atayero, Member, IAENG

 attacks are typically carried out using a Trojan that has a

Abstract—Ransomware attacks have become a global payload disguised as a legitimate file. Although advanced
incidence, with the primary aim of making monetary gains encryption algorithms are useful for effective protection of
through illicit means. The attack started through e-mails and vital enterprise data, they have become tools for malicious
has expanded through spamming and phishing. Ransomware
encrypts targets’ files and display notifications, requesting for
attacks in the hand of cyber-criminals. Data protection is,
payment before the data can be unlocked. Ransom demand is therefore, under serious threat as hackers continue to utilize
usually in form of virtual currency, bitcoin, because it is enhanced algorithms in ransomware attacks.
difficult to track. In this paper, we give a brief overview of the Digital extortion has significantly increased in the last six
current trend, challenges, and research progress in the bid to years as the number of online applications and services, and
finding lasting solutions to the menace of ransomware that smart mobile devices continue to grow exponentially [3].
currently challenge computer and network security, and data
privacy.
The impact of ransomware has become so tremendous to the
point that it is now rated as the biggest cyber scam to hit
Index Terms—ransomware, cyber security, malware, businesses [4]. About 80% of ransomware attacks exploit
cryptography, data encryption vulnerabilities in Flash that firms should have patched.
Destructive ransomware can spread by itself and hold entire
I. INTRODUCTION networks (i.e. companies) hostage.
Ransomware attacks are shifting focus from individuals
R ANSOMWARE is a particular class of malwares that
demands payment in exchange for a stolen
functionality, mostly data. This class of malware has been
to organizations. For instance, the Hollywood Presbyterian
Medical Center in the United States was attacked in
identified as a major threat to computer and network February 2016. The health care organization was forced to
security across the globe [1]. Ransomware installs covertly shut down when it was hit by Crypto Ransomware. The
on a victim's device to either mount the cryptoviral extortion malicious program encrypted the files on their databases,
attack from cryptovirology that holds the victim's data denying medical staff the access to patients’ health records
hostage, or the cryptovirology leakware attack that threatens [5]. In another occasion, the Methodist Hospital in
to publish the victim's data. The real target of this form of Henderson, Kentucky only managed to recover its patient
attack are critical data that are very important to individuals records with backups after surviving a ransomware attack.
and enterprises alike. In fact, the attack has spread to mobile Stolen administrative credentials were used to infect servers
devices and mobile malware detection approaches are not so with ransomware variant dubbed ‘SamSam’. Active
effective because of the subtle nature of the malicious directory credentials were harvested to break into other
programs [2]. Therefore, billions of mobile device users are servers. Overall, nearly half (46%) of firms have
susceptible to this attack. encountered ransomware attacks: 57% of medium-size
Most of the ransomware variants depend on file organizations and; 53% of large organizations. Willingness
encryption as a strategy for extortion. Data stored on to pay is surprisingly high. IBM found that 20% of
victim’s device are encrypted while the hacker demands for executives would be prepared to pay over $40,000 each;
ransom before the files can be decrypted. Ransomware may 25% would shell out $20,000-$40,000 and; 11% would pay
encrypt the Computer's Master File Table (MFT) or entire $10,000-$20,000.
hard drive. It is a denial-of-access attack that prevents Ransomware are now delivered as Word macros and
computer users from accessing files since it is intractable to PowerShell scripts. ‘Petya’ encrypted hard drive master
decrypt the files without the decryption key. Ransomware boot record (MBR), as well as files, rendering computers
completely unusable. The MBR is replaced with the
Manuscript received July 15, 2017; revised August 01, 2017.
malware’s own bootloader so that the ransom note can be
The authors wish to appreciate the Center for Research, Innovation, and displayed. The most common method of delivering
Discovery (CU-CRID) of Covenant University, Ota, Nigeria, for the partial ransomware is the phishing attack and it is not easily
funding of this research. recoverable.
This work was supported in part by the Center for Research, Innovation,
and Discovery (CU-CRID) of Covenant University, Ota, Nigeria. According to the Federal Bureau of Investigation (FBI),
S. I. Popoola, U. B. Iyekekpolo, S. O. Ojewande, F. O. Sweetwilliams, estimated losses of about one billion US dollars ($1 billion)
S. N. John, and A. A. Atayero are with the Department of Electrical and was incurred to ransomware attacks in the year 2016. The
Information Engineering, Covenant University, Ota, Nigeria.
(Corresponding Author: +2348058659008; +2347038049956; e-mail: boom recorded by this crime shows that a good number of
[email protected]; [email protected]). victims eventually pay the ransom to have their data

ISBN: 978-988-14047-5-6 WCECS 2017

ISSN: 2078-0958 (Print); ISSN: 2078-0966 (Online)
Proceedings of the World Congress on Engineering and Computer Science 2017 Vol I
WCECS 2017, October 25-27, 2017, San Francisco, USA

unlocked. Nearly 40 percent of ransomware victims paid the files and communicate with the command and control
ransom. Three out of four ransomware gangs are willing to server. CryptoWall is one of the popular ransomware
negotiate prices for decryption. On average, they will give a variants; about 31% of ransomware attacks were traced to
29% discount on the fee initially demanded. Unfortunately, this malware [13]. However, the encryption of victim’s files
traditional preventive and reactive security measures are not can be frustrated by the disruption of the connection
adequate to handle the effect of ransomware attacks [6]. between the target’s computer and the command and control
In this paper, we provide a brief overview of the current server [14].
trend, challenges, and research progress in the bid to finding In CryptoWall 2.0, multiple propagation of e-mail
lasting solutions to the menace of ransomware that currently attachments, drive-by download, exploit kits, and malicious
challenge computer and network security, and data privacy. portable document formats were added. The Onion Router
(TOR) network was also introduced to guarantee
II. COMMON RANSOMWARE VARIANTS anonymous network communication between the target’s
PC Cyborg was reported as the first ransomware variant computer and the command and control server [15]. Some
[4]. The malware attack was launched in December, 1989. randomized data were introduced into CryptoWall 3.0 and
The victim was deceived with a message display that reads 4.0 to make malware detection more difficult by using
that the user license has expired. However, the encryption exploit kits for privilege escalation and the Invisible Internet
algorithm, symmetric cryptography, was not difficult to Project (I2P) network for achieve anonymous peer-to-peer
decrypt [7]. network.
GpCode [8] also employed the custom symmetric CryptoLocker creates a set of extensions in the
encryption but the malware have been improved upon over administrator’s account which enables it to manipulate the
time. The malware was propagated as job advert through Internet files [11]. Executable files are created in
spam e-mail attachment. In its first attack in May 2005, a localAppData folder and critical files are detected for
static key was generated to encrypt all the non-system files. subsequent encryption. The malware uses the RSA + AES
The original data was deleted as soon as the encryption is algorithm for its encryption process. Its exploit kit is known
completed [9]. However, the key was discovered simply by as Angler [16]. On the other hand, CryptoDefense uses a
comparing the original data to the encrypted data. A new low-level cryptographic API that is available in Windows
variant of GpCode, called GpCode.AG was discovered in operating systems [17].
June 2016. Its encryption was based on 660-bit RSA public Curve Tor Bitcoin (CTB) Locker is also distributed
key. In June 2008, another variant, GpCode.AK, was through exploit kits and e-mail. Here, the command and
identified but it was really difficult to crack owing to the control server is hidden on the Tor network. What is
computational demand. different in CTB Locker is its ability to encrypt victim’s files
Reveton, which is also known as Police Ransomware, is without any connection to the Internet. It uses a combination
commonly spread through pornographic websites [10]. It of AES, SHA256, and Curve25519 for its encryption
changes the extensions in the windows/system32 folder and process. This malware essentially targets WordPress-based
displays a notification page to its victims [11]. websites and it unleashes its terror through a PHP script
Locker Ransomware was identified in 2007 [8]. It does [13].
not tamper with its victims’ data but only locks their TeslaCrypt, a recent variant of ransomware, exploits
devices. Therefore, the data on the device can be transferred vulnerable websites using AnglerINuclear exploit kits. It has
to another location. Similarly, ColdBrother Ransomware a similar distribution scheme as CryptoWall and all shadow
locks victims’ mobile devices, takes photographs with copies are deleted using the vssadmin command [12].
mobile phone cameras, answers and drops incoming calls, Locky had its first attack in February 2016. The malware
and seeks to defraud victims through mobile banking program was spread by attaching a Microsoft Office
applications. document to spam e-mail. The attached document contains a
Crypto Ransomware encrypts critical files on victims’ macro that downloads the malicious program to the target’s
computer as a payload for extortion. Important files are computer. Unlike other ransomware variants, Locky extends
identified and encrypted with ‘hard-to-guess’ keys. The its encryption to external storage devices, all network
choice of encryption keys and coordination of attacks are resources, database files, and wallet.dat. The wallet.dat is
performed by a command and control server [12]. Crypto attacked to put the victim under a more intense pressure to
Wall, Tesla Crypt, CTB Locker, and Lock are all variants of pay [18]. Extra efforts were made to prevent easy shut down
Crypto Ransomware. of the command and control server. This kind of malware
CryptoWall was introduced in November 2013. The employs hardcoded command and control server Internet
malware is distributed by e-mail as an attached zip file. The Protocol (IP) addresses [15].
attachment usually consists of a script file and an exploit kit. Cerber leverages the Dridex spam network to distribute
The malware is injected into explorer.exe and the codes are the malware via large spam campaigns. The notification of
copied into %APPDATA%. This creates a registry value attack is voiced through a text-to-speech module [15].
run key in the local user registry root path. This is done to Devices that run on Windows 10 Enterprise have been
keep the malware in the victim’s computer even after a attacked with more than 200 cases between December 2016
reboot. The malware also ensure that the system cannot be and January 2017 [18].
restored to an earlier point by running processes vssadmin PowerWare was launched through a phishing campaign
and dcbedit. Thereafter, a svchost.exe is initiated to encrypt [11]. The operation of the malicious program is similar to

ISBN: 978-988-14047-5-6 WCECS 2017

ISSN: 2078-0958 (Print); ISSN: 2078-0966 (Online)
Proceedings of the World Congress on Engineering and Computer Science 2017 Vol I
WCECS 2017, October 25-27, 2017, San Francisco, USA

that of Locky but its encryption and hard-coded keys are notorious Locky strain, had weak encryption and hard-
relatively weak. A decryption tool has been published to coded keys. The company published a decryption tool and
evade ransom. AVG created a decryptor for Bart due to the malware's poor
ScareMeNot Ransomware is mainly targeted at Android- encryption algorithm.
based devices and it has attacked over 30,000 devices [19]. D. Chimera Ransomware
TROJ_CRYZIP.A was discovered in 2005 [7]. Files on
The decryption keys of the Chimera ransomware have
victim’s computer are usually zipped and locked, displaying
also been published by a rival ransomware gang known as
a notification of attack on the screen. It employs an Janus. Janus aimed at ensuring there are enough victims
asymmetric cryptography, which is stronger than the available for its own malware, dubbed Mischa, which also
symmetric. On the other hand, KeRanger is targeted at uses some of the Chimera source code. The Chimera
Apple operating system. The malware is spread as a Trojan malware was never especially widespread, being aimed
on the Transmission Bit Torrent client. As the target installs mainly at smaller German businesses. But it was notable for
the program software, a binary file that is covertly the threat from its creators that they would publish victims'
embedded in the package is renamed and stored in the private documents and login credentials if they didn't pay
library directory as ‘Kernel_process’ for subsequent up. Security firms had yet to write a decryptor using the
execution of the malicious program. All the files on the published keys. Victims are advised to keep the encrypted
victim’s computer with a particular file extension are versions of their files safe for later decryption once the
encrypted after three days [20]. relevant tool is available.
Seftad launches its attack on Master Boot Record (MBR),
which contains the executable boot code and partition table IV. CURRENT RESEARCH FINDINGS AND SOLUTIONS
[9]. Replacing the boot code in the active partition with a The vulnerability of targets to Crypto ransomware attacks
robust MBR that displays the attack notification prevents was identified in [23]. Easy recovery of users’ data is
the target computer from loading its boot code. However, prevented after being encrypted by exploiting the tools
payment of ransom can be evaded through reverse available on the victim’s computer. However, victims can
engineering since the key is not usually hard-coded. recover their data after a Crypto ransomware attack by
LowLevel04, also known as Onion Trojan-Ransom, was changing the name of the system tool that performs shadow
spread through the Remote Desktop or Terminal Services copies [23]. Information on the features of CryptoLockers
using brute force attack. Files were encrypted using AES and the prevention measures against attack can be found in
encryption scheme using the RSA algorithm [21]. [24].
Unlike previous variants, SilentCrypt looks out for Ill-preparedness of organizations offers cyber-criminals
specific artifacts and private files to know if the code is the ample opportunity of taking advantage of their targets.
running in an analysis environment or not [22]. DirCrypt Therefore, businesses must engage relevant resources,
uses a hybrid approach to encrypt user’s files. The first 1024 develop strategic plans toward incidence response, educate
bytes are encrypted using RSA while the rest are encrypted their staff, and implement policies and regulations that
using the popular RC4 [17]. guarantee network security, in order to forestall any attempt
of ransomware invasion [25].
III. FAILED RANSOMWARE ATTACKS It has been established that more than 60% of the
ransomware attacks gain access to victim’s computer
A. Hitler Ransomware through drive-by downloads [26]. Currently, drive-by
It claims to have encrypted the victim's files, but in fact downloads are largely controlled by Exploit Kits (EK) and
simply deletes file extensions for anything found in certain the choice of EK is determined by the control panel based
directories. After an hour it crashes the PC and, on reboot, on the vulnerabilities. A framework was proposed in [26] to
deletes the files. The payment demanded is a cash code for detect malicious Rig EK communication and protect users’
E25 Euro Vodafone Card. Text found in the code suggests it data from being encrypted using a combination of Software
originates in Germany.
Defined Networking and Certificate Authority Checker
B. Fake Windows 10 Lock Screen (CAC).
It tells the user that their license has expired, turns out to Two countermeasures that free victims of ransomware
have the decryption key buried in the code. Researchers attacks from paying the cyber-criminals were presented in
from Symantec discovered that, while the criminals had [27]. These were achieved by exploiting the weakness of the
gone to considerable effort to set up fake tech support working operation of the malware, and intercepting calls
websites for the scam, the phone number they gave out for made to Microsoft’s Cryptographic API respectively.
victims to call was never answered and was soon Useful information can be obtained from system API
disconnected. On reverse engineering the code, the packages. These packages can be used to define applications
researchers found the decryption key (8716098676542789) without any prior knowledge of user-defined content. R-
plainly visible. PackDroid was developed in [28] to detect Android-based
C. ‘PowerWare’ and ‘Bart’ ransomware and differentiate it from generic malware using
machine learning approach.
They have been cracked by security researchers who
On data recovery after ransomware attack incidence, a
found flaws in the malware. A team at Palo Alto Networks
found that PowerWare, while trying to emulate the key-backup technique was suggested in [29]. This technique
will store copies of the encryption keys in a secure

ISBN: 978-988-14047-5-6 WCECS 2017

ISSN: 2078-0958 (Print); ISSN: 2078-0966 (Online)
Proceedings of the World Congress on Engineering and Computer Science 2017 Vol I
WCECS 2017, October 25-27, 2017, San Francisco, USA

repository. Relevant data security laws that borders on based on abnormal behavior analysis and detection in cloud
ransomware were discussed in [18]. analysis system. It offers more sophisticated attack
Ganorkar and Kandasamy [30] explained the similarities prevention by monitoring the network, file, and server in
and the differences among ransomware variants. Detailed real time. A cloud system is installed to gather and analyze
knowledge of the working structure of these malwares different data that originate from user’s device.
provides enough information that is needed to develop an
efficient defense scheme against the malicious attacks. V. PRECAUTIONARY MEASURES
Important steps to follow in order to avoid ransomware In order to prevent the user’s data from getting into
attacks are stated in [31]. Ransomware attacks targeted at unrecoverable state, users should have an incremental online
Android devices can be prevented based on the method and offline backups of all the important data and images. In
proposed in [32]. addition, all the in-built defense mechanisms and detection
Ransomware attack is more prevalent in the health sector. tools should be kept up and running all the time. Exposure
An Electronic Health Record (EHR) system can be secured to threats should be minimized, where possible, with
by using a socio-technical method [33]. Computers and common sense, site or IP address blocking and endpoint
networks that connect health IT professionals should be protection. Organizations and individuals should ensure that
properly installed and configured to guarantee data security. their electronic defense is as impenetrable as possible
In addition, system defense strategies adopted by health care through the
organizations should be user-centric. Continuous monitoring use of anti-virus, firewalls, IPS, web and mail filtering.
of computers and applications must be ensured to promptly Policies that prevent penetration should be enforced in
discover security vulnerabilities before they are being organizations by ensuring correct system configuration and
exploited by cyber-criminals. Quick recovery plans must be device ‘hardening’. A robust and incremental back-up
in place in case of any attack. Similarly, proactive actions system of business and personal-critical details should be
must be taken to prevent a repeat of such occurrence. A implemented.
dynamic system, which learns new behavior while under Also, personnel must ensure that offline back-ups remain
attack, was presented in [34]. offline at all times so they are protected. Backups should be
Scaife et al. [35] presented an early-warning detection tested regularly to guarantee protection. Organizations
system, called CryptoDrop, which notifies the target of any should put robust policy and processes and a practical
suspicious activity. This system stops any process that system of educating users on how to best prevent and deal
seems to modify a large amount of data on the target’s with ransomware attacks in place. Users should enforce a
computer based on certain indicators. Technical solutions general information policy pertaining to what websites are
are not sufficient to handle ransomware attacks because the Safe for Work (SFW) and Not Safe for Work (NSFW) and
malicious programs exploit social engineering approach. In educate themselves and their team on the risks and the
view of this, a honeypot folder can be created and methods by which ransomware is activated and attacks are
monitored to detect changes. Either of Microsoft File Server carried out from beginning to end.
Resource Manager characteristics or EventSentry can be Organizations need a system in place that looks for
chosen to modify the Windows security logs [36]. anomalous behavior such as rapid encryption or malicious
The analysis of selected ransomware variants from non-human activity, to avoid falling prey to rapidly
existing ransomware families in Windows and Android evolving and adapting ransomware attacks. The location
environments in [37] established that ransomware variants where data is stored on file systems should be known,
exhibit homogeneous characteristics; their main difference especially in unstructured formats in documents,
is in the payloads that are used. The encryption techniques presentations, and spreadsheets. Access to personal data
employed by these ransomware have significantly should be limited on a need-to-know basis or through role-
improved. However, the malicious programs can be detected based access controls. The goal is to make it difficult for
in Windows by keeping close watch on abnormal file attackers to access important data after hacking an ordinary
system and registry activities. On the other, permission user – say, through a phishing email – and launching
request by any Android application should be carefully ransomware based on that user’s credentials. Organizations
screened before it is granted. should also remove and/or archive outdated or stale personal
Formal methods were applied in [38] to detect data, further reducing the attack surface.
ransomware and discover the malicious instruction set in the Ordinary users whose credentials the ransomware is
malware’s code. Model checking was used in [39] to screen leveraging, do not perform a large-scale scans of crawling a
ransomware automatically with the aim of determining file system, navigating through each directory
whether the characteristics of the program have the same and examining file. Therefore, monitoring software,
pattern as that of the malicious programs. particularly based on User Behaviour Analytics (UBA),
Online processes can be screened for ransomware when should be able to detect the ransomware and limit the
suspected to be accessing a large amount of data based on number of files that are encrypted. Companies should
the method proposed in [40]. The authors used the perform should regularly perform back-ups of their file
Kullback-Liebler divergence to detect a process that systems, especially critical and sensitive data and have
transforms structured input files (i.e. JPEG files) into in place a recovery plan for restoring the data in the case of
unstructured encrypted files. Similarly, the enhanced cyber-attacks.
ransomware prevention system, CloudRPS, in [41] works In order to handling a ransomware attack: systems must

ISBN: 978-988-14047-5-6 WCECS 2017

ISSN: 2078-0958 (Print); ISSN: 2078-0966 (Online)
Proceedings of the World Congress on Engineering and Computer Science 2017 Vol I
WCECS 2017, October 25-27, 2017, San Francisco, USA

be aggressively patched; back-ups must be created and [8] R. Richardson and M. North, "Ransomware: Evolution, Mitigation
and Prevention," International Management Review, vol. 13, p. 10,
protected; an incidence response plan must be developed; 2017.
and user awareness training must be conducted. Detection [9] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda,
"Cutting the gordian knot: A look under the hood of ransomware
VI. CONCLUSION attacks," in International Conference on Detection of Intrusions and
Malware, and Vulnerability Assessment, 2015, pp. 3-24.
Ransomware attacks have become a global incidence, [10] D. P. Pathak and Y. M. Nanded, "A dangerous trend of cybercrime:
with the primary aim of making monetary gains through ransomware growing challenge," International Journal of Advanced
Research in Computer Engineering & Technology (IJARCET)
illicit means. The attack started through e-mails and has Volume, vol. 5, 2016.
expanded through spamming and phishing. Ransomware [11] P. Zavarsky and D. Lindskog, "Experimental Analysis of
encrypts targets’ files and display notifications, requesting Ransomware on Windows and Android Platforms: Evolution and
Characterization," Procedia Computer Science, vol. 94, pp. 465-472,
for payment before the data can be unlocked. Ransom 2016.
demand is usually in form of virtual currency, bitcoin, [12] M. Weckstén, J. Frick, A. Sjöström, and E. Järpe, "A novel method
because it is difficult to track. for recovery from Crypto Ransomware infections," in Computer and
Communications (ICCC), 2016 2nd IEEE International Conference
The variants of ransomware has continue to increase on, 2016, pp. 1354-1358.
because of the profitability of the illicit act. However, there [13] H. Haughey, G. Epiphaniou, and H. M. Al-Khateeb, "Anonymity
is a growing effort to curb the spread of this malware. A networks and the fragile cyber ecosystem," Network Security, vol.
2016, pp. 10-18, 2016.
good understanding of the behavior of ransomware will help
[14] K. Cabaj and W. Mazurczyk, "Using software-defined networking for
individuals and enterprises to tidy up their vulnerabilities to ransomware mitigation: the case of cryptowall," IEEE Network, vol.
this kind of attack. State-of-the-art research findings, 30, pp. 14-20, 2016.
proposed solutions, and precautionary measures are [15] E. Kalaimannan, S. K. John, T. DuBose, and A. Pinto, "Influences on
ransomware’s evolution and predictions for the future challenges,"
provided in this study. With the recent spread of Journal of Cyber Security Technology, vol. 1, pp. 23-31, 2017.
ransomware attacks on Linux and Mac operating systems, [16] K. K. Gagneja, "Knowing the ransomware and building defense
the analysis of ransomware on these platforms is needful. against it-specific to healthcare institutes," in Mobile and Secure
Services (MobiSecServ), 2017 Third International Conference on,
Kaspersky Lab and Intel have joined forces with Interpol 2017, pp. 1-5.
and the Dutch National Police to set up a website [17] B. Herzog and Y. Balmas, "Great Crypto Failures," 2016.
(www.nomoreransom.org) aimed at helping people to avoid [18] A. Green, "Ransomware and the GDPR," Network Security, vol. 2017,
pp. 18-19, 2017.
falling victim to ransomware. The website will host [19] T. C. Back, "Intel’s Core M Chip could let manufacturers build
decryption keys and tools for those ransomware strains that ultraslim laptops."
have been cracked by security researchers. [20] B. Kim, "AN ANALYSIS OF VULNERABILITY EXPLOITATION
To avoid data theft and undue extortion of ransomware, TECHNIQUES USED BY OSX MALWARE AND THEIR
DEFENSES."
individuals and organization needs robust network security [21] M. H. U. Salvi and M. R. V. Kerkar, "Ransomware: A cyber
platform. This topic is an emerging field of study in extortion," Asian Journal of Convergence in Technology, 2016.
academic research. Therefore, more research effort is [22] A. Kharraz, S. Arshad, C. Mulliner, W. K. Robertson, and E. Kirda,
"UNVEIL: A Large-Scale, Automated Approach to Detecting
needed to stop the growing trend of ransomware attacks. Ransomware," in USENIX Security Symposium, 2016, pp. 757-772.
[23] M. Wecksten, J. Frick, A. Sjostrom, and E. Jarpe, "A novel method
for recovery from Crypto Ransomware infections," in 2nd IEEE
International Conference on Computer and Communications, ICCC
ACKNOWLEDGMENT 2016, 2017, pp. 1354-1358.
The authors wish to appreciate the Center for Research, [24] L. Usman, Y. Prayudi, and I. Riadi, "Ransomware analysis based on
the surface, runtime and static code method," Journal of Theoretical
Innovation, and Discovery (CU-CRID) of Covenant and Applied Information Technology, vol. 95, pp. 2426-2433, 2017.
University, Ota, Nigeria, for the partial funding of this [25] M. Simmonds, "How businesses can navigate the growing tide of
research. ransomware attacks," Computer Fraud and Security, vol. 2017, pp. 9-
12, 2017.
[26] P. Raunak and P. Krishnan, "Network detection of ransomware
REFERENCES delivered by exploit kit," ARPN Journal of Engineering and Applied
[1] A. Gazet, "Comparative analysis of various ransomware virii," Sciences, vol. 12, pp. 3885-3889, 2017.
Journal in Computer Virology, vol. 6, pp. 77-90, 2010. [27] A. Palisse, H. Le Bouder, J. L. Lanet, C. Le Guernic, and A. Legay,
[2] N. Andronio, S. Zanero, and F. Maggi, "HELDROID: Dissecting and "Ransomware and the legacy crypto API," in 11th International
detecting mobile ransomware," in 18th International Symposium on Conference on Risks and Security of Internet and Systems, CRISIS
Research in Attacks, Intrusions, and Defenses, RAID 2015 vol. 9404, 2016 vol. 10158 LNCS, N. Cuppens, F. Cuppens, J. L. Lanet, and A.
H. Bos, G. Blanc, and F. Monrose, Eds., ed: Springer Verlag, 2015, Legay, Eds., ed: Springer Verlag, 2017, pp. 11-28.
pp. 382-404. [28] D. Maiorca, F. Mercaldo, G. Giacinto, C. A. Visaggio, and F.
[3] A. Bhardwaj, "Ransomware: A rising threat of new age digital Martinelli, "R-PackDroid: API package-based characterization and
extortion," in Online Banking Security Measures and Data detection of mobile ransomware," in 32nd Annual ACM Symposium
Protection, ed: IGI Global, 2016, pp. 189-221. on Applied Computing, SAC 2017, 2017, pp. 1718-1723.
[4] R. Brewer, "Ransomware attacks: detection, prevention and cure," [29] K. Lee, I. Oh, and K. Yim, "Ransomware-prevention technique using
Network Security, vol. 2016, pp. 5-9, 2016. key backup," in 7th International Conference on Big Data
[5] C. Everett, "Ransomware: To pay or not to pay?," Computer Fraud Technologies and Applications, BDTA 2016 vol. 194 LNICST, J. J.
and Security, vol. 2016, pp. 8-12, 2016. Jung and P. Kim, Eds., ed: Springer Verlag, 2017, pp. 105-114.
[6] A. Continella, A. Guagnelli, G. Zingaro, G. De Pasquale, A. [30] S. S. Ganorkar and K. Kandasamy, "Understanding and defending
Barenghi, S. Zanero, et al., "ShieldFS: A self-healing, ransomware- crypto-ransomware," ARPN Journal of Engineering and Applied
aware file system," in 32nd Annual Computer Security Applications Sciences, vol. 12, pp. 3920-3925, 2017.
Conference, ACSAC 2016, 2016, pp. 336-347. [31] K. K. Gagneja, "Knowing the ransomware and building defense
[7] D. Kansagra, M. Kuhmar, and D. Jha, "Ransomware: A threat to against it-Specific to healthcare institutes," in 3rd Conference on
Cyber-Security," CS Journals, vol. 7, 2016. Mobile and Secure Services, MOBISECSERV 2017, 2017.

ISBN: 978-988-14047-5-6 WCECS 2017

ISSN: 2078-0958 (Print); ISSN: 2078-0966 (Online)
Proceedings of the World Congress on Engineering and Computer Science 2017 Vol I
WCECS 2017, October 25-27, 2017, San Francisco, USA

[32] S. Song, B. Kim, and S. Lee, "The Effective Ransomware Prevention Conference on Mobile Systems and Pervasive Computing, MobiSPC
Technique Using Process Monitoring on Android Platform," Mobile 2016, 2016, pp. 465-472.
Information Systems, vol. 2016, 2016. [38] F. Mercaldo, V. Nardone, A. Santone, and C. A. Visaggio,
[33] D. F. Sittig and H. Singh, "A socio-technical approach to preventing, "Ransomware steals your phone. Formal methods rescue it," in 36th
Mitigating, and recovering from Ransomware attacks," Applied IFIP WG 6.1 International Conference on Formal Techniques for
Clinical Informatics, vol. 7, pp. 624-632, 2016. Distributed Objects, Components, and Systems, FORTE 2016 and
[34] M. Shukla, S. Mondal, and S. Lodha, "POSTER: Locally virtualized Held as Part of the 11th International Federated Conference on
environment for mitigating ransomware threat," in 23rd ACM Distributed Computing Techniques, DisCoTec 2016 vol. 9688, E.
Conference on Computer and Communications Security, CCS 2016, Albert and I. Lanese, Eds., ed: Springer Verlag, 2016, pp. 212-221.
2016, pp. 1784-1786. [39] F. Mercaldo, V. Nardone, and A. Santone, "Ransomware inside out,"
[35] N. Scaife, H. Carter, P. Traynor, and K. R. B. Butler, "CryptoLock in 11th International Conference on Availability, Reliability and
(and Drop It): Stopping Ransomware Attacks on User Data," in 36th Security, ARES 2016, 2016, pp. 628-637.
IEEE International Conference on Distributed Computing Systems, [40] F. Mbol, J. M. Robert, and A. Sadighian, "An efficient approach to
ICDCS 2016, 2016, pp. 303-312. detect torrentlocker ransomware in computer systems," in 15th
[36] C. Moore, "Detecting ransomware with honeypot techniques," in 1st International Conference on Cryptology and Network Security, CANS
Cybersecurity and Cyberforensics Conference, CCC 2016, 2016, pp. 2016 vol. 10052 LNCS, G. Persiano and S. Foresti, Eds., ed: Springer
77-81. Verlag, 2016, pp. 532-541.
[37] Monika, P. Zavarsky, and D. Lindskog, "Experimental Analysis of [41] J. K. Lee, S. Y. Moon, and J. H. Park, "CloudRPS: a cloud analysis
Ransomware on Windows and Android Platforms: Evolution and based enhanced ransomware prevention system," Journal of
Characterization," in 11th International Conference on Future Supercomputing, pp. 1-20, 2016.
Networks and Communications, FNC 2016 / 13th International

ISBN: 978-988-14047-5-6 WCECS 2017

ISSN: 2078-0958 (Print); ISSN: 2078-0966 (Online)
View publication stats