TC 11 Briefing Papers
Article history: Received 8 February 2021; Revised 15 August 2021; Accepted 21 September 2021; Available online 24 September 2021

Keywords: Ransomware; Cybersecurity; Antivirus; Malware; Ransomware prevention; COVID-19; Ransomware detection

Abstract: The COVID-19 pandemic has witnessed a huge surge in the number of ransomware attacks. Institutions in sectors such as healthcare, finance, and government have been targeted. There can be numerous reasons for such a sudden rise in attacks, but it appears that working remotely in home-based environments (which are less secure than traditional institutional networks) could be one of them. Cybercriminals are constantly exploring different approaches, such as social engineering and in particular phishing, to spread ransomware. Hence, in this paper, we explore recent advances in ransomware prevention and detection and highlight future research challenges and directions. We also carried out an analysis of a few popular ransomware samples and developed our own experimental ransomware, AESthetic, which was able to evade detection by eight popular antivirus programs.

© 2021 Elsevier Ltd. All rights reserved.

∗ Corresponding author. E-mail address: [email protected] (S. Hakak).
https://doi.org/10.1016/j.cose.2021.102490
0167-4048/© 2021 Elsevier Ltd. All rights reserved.
2 computers & security 111 (2021) 102490
egy for attackers (Richardson and North, 2017; Wilner et al., 2019). Targets shifted from individuals to companies and organizations in order to fetch larger ransoms (Muslim et al., 2019). The following industries were particularly targeted: transportation, healthcare, financial services, and government (Alshaikh et al., 2020). The number of ransomware attacks has grown exponentially thanks to easily obtainable ransomware toolkits and ransomware-as-a-service (RaaS), which allow novices to launch ransomware attacks (Sharmeen et al., 2020).

Ransomware is a type of malware designed to facilitate different nefarious activities, such as preventing access to personal data unless a ransom is paid (Khammas, 2020; Komatwar and Kokare, 2020; Meland et al., 2020). The ransom is typically demanded in a cryptocurrency like Bitcoin, which makes it difficult to track the recipient of the transaction and is ideal for attackers seeking to evade law enforcement agencies (Kara and Aydos, 2020; Karapapas et al., 2020). There has been a surge in ransomware attacks in the past few years. For example, during the ongoing COVID-19 pandemic, an Android app called CovidLock was distributed as a tool for viewing COVID-19 heat maps and statistics (Saeed, 2020). As soon as it was installed, the application locked users out of their contacts, pictures, videos, and social media accounts. To regain access, users were asked to pay a ransom in Bitcoin; otherwise, their data would be made public (Hakak et al., 2020c). Another notorious example of ransomware is the WannaCry worm, which spread rapidly across many computer networks in May 2017 (Akbanov et al., 2019; Mackenzie, 2019). Within days, it had infected over 200,000 computers across 150 countries (Mattei, 2017). Hospitals across the U.K. were knocked offline (Chen and Bridges, 2017); government systems, railway networks, and private companies were affected as well (Cosic et al., 2019).

Ransomware can be categorized into three main forms, locker, crypto, and scareware (Gomez-Hernandez et al., 2018; Kok et al., 2019a), as shown in Fig. 1. Scareware may use pop-up ads to manipulate users into believing that they are required to download certain software, thereby coercing them into installing malware. In scareware, the criminals exploit fear rather than locking the device or encrypting any data (Andronio et al., 2015). This form of ransomware does not do any harm to the victim's computer. The aim of locker ransomware is to block primary computer functions. Locker ransomware locks the computer screen and/or keyboard (in some cases by encrypting a few files), but it is generally easy to overcome and can often be resolved by rebooting the computer in safe mode or running an on-demand virus scanner (Adamu and Awan, 2019). Locker ransomware may allow limited user access. Crypto ransomware encrypts the user's sensitive files but does not interfere with basic computer functions. Unlike locker ransomware, crypto ransomware is often irreversible: when current encryption algorithms (e.g., AES and RSA) are implemented properly, the ciphertext cannot be recovered without the key (Gomez-Hernandez et al., 2018; Nadir and Bakhshi, 2018). Table 1 presents a few popular ransomware families.

Crypto ransomware can use one of three encryption schemes: symmetric, asymmetric, or hybrid (Cicala and Bertino, 2020). A purely symmetric approach is problematic for the attacker, as the encryption key must be embedded in the ransomware (Dargahi et al., 2019), which makes it recoverable by reverse engineering. The second approach is to use asymmetric encryption. The issue with this approach is that asymmetric encryption is slow compared to symmetric encryption and hence struggles to encrypt larger files (Bajpai et al., 2018).

The most effective approach (i.e., the hardest to decrypt) is hybrid encryption, which uses both symmetric and asymmetric encryption. An overview of the hybrid approach is given in Fig. 2. For hybrid encryption, the first step is to create a random symmetric key. The ransomware usually creates this key by calling a cryptographic API on the user's operating system (Zimba et al., 2019). The symmetric key encrypts the victim's files as the ransomware traverses the file system. Once all files are encrypted, a public-private key pair is generated by a command and control (C&C) server which the ransomware connects to. The public key is sent to the ransomware and is used to encrypt the symmetric key, while the private key is held by the C&C server. The plaintext version of the symmetric key is then deleted to ensure that the victim cannot use it to recover their files. Instructions for how to pay the ransom are left for the victim. If the ransom is paid, then the decryption process will begin. Decryption starts by requesting the private key from the C&C server. Once obtained, the private key is used to decrypt the symmetric key. Finally, the symmetric key is used to recover the victim's files. Generally, a unique public-private key pair is generated for
Fig. 2 – The typical steps used by ransomware to encrypt and decrypt a user's data. This illustrates a hybrid approach where both symmetric and asymmetric cryptography are used.
each new ransomware infection; this prevents victims from sharing private keys with other victims to enable them to recover the symmetric key.

Ransomware attacks can cause significant financial damage, reduce productivity, disrupt normal business operations, and harm the reputations of individuals or companies (Jain and Rani, 2020; Zhang-Kennedy et al., 2018). The global survey 'The State of Ransomware 2021' commissioned by Sophos reported that, among roughly 2000 respondents whose organizations had been hit by a ransomware attack, the average total cost to an organization of rectifying the impacts of the attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc.) was US$1.85 million, more than double the US$761,106 reported in 2020 (ran, 2021). These attacks may also result in a permanent loss of information or files. Paying the
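The hybrid scheme of Fig. 2 in runnable form, as an added example (not code from the paper or from any ransomware family it surveys): AES-256-GCM seals each file under one random session key, RSA-OAEP wraps that key under the per-victim public key, and the plaintext key buffer is zeroed. The file names and contents are constructed; the `newSessionKey` variable stands in for the OS cryptographic API the text mentions, and `installEscrowHook` is an assumption that models the key-escrow countermeasure (copying every key the API hands out) to show why the scheme only holds if the key never leaves the attacker's control.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Constructed "victim files"; names and contents are invented for this example.
var sampleFiles = map[string][]byte{"report.docx": []byte("Q3 revenue up 4%, costs flat."), "notes.txt": []byte("renew passport")}

// newSessionKey stands in for the OS cryptographic API the ransomware calls for a random key; a variable so the hook below can wrap it.
var newSessionKey = func() ([]byte, error) {
	k := make([]byte, 32) // AES-256
	_, err := rand.Read(k)
	return k, err
}

// escrow models the key-escrow countermeasure (an assumption, not the paper's code): every key the API hands out is copied to a vault.
var escrow [][]byte

func installEscrowHook() {
	orig := newSessionKey
	newSessionKey = func() ([]byte, error) {
		k, err := orig()
		if err == nil {
			escrow = append(escrow, append([]byte(nil), k...))
		}
		return k, err
	}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// sealBytes encrypts one file with AES-256-GCM, nonce prefixed to the output.
func sealBytes(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	check(err)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openBytes reverses sealBytes; GCM authentication rejects any wrong key.
func openBytes(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// infection follows Fig. 2: one session key seals every file, RSA-OAEP under the per-victim public key wraps that key, then the plaintext key buffer is zeroed.
func infection(pub *rsa.PublicKey) (enc map[string][]byte, wrapped []byte) {
	key, err := newSessionKey()
	check(err)
	enc = make(map[string][]byte, len(sampleFiles))
	for name, data := range sampleFiles {
		enc[name] = sealBytes(key, data)
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	check(err)
	for i := range key { // "the plaintext version of the symmetric key is then deleted"
		key[i] = 0
	}
	return enc, wrapped
}

// demo plays both endings: paying (the C&C's private key unwraps the session key) and not paying (an escrowed copy of the key opens the files directly).
func demo() (viaPrivateKey, viaEscrow int) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // generated by the C&C in the scheme
	check(err)
	installEscrowHook()
	enc, wrapped := infection(&priv.PublicKey)
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil) // the "payment" path
	check(err)
	for name, blob := range enc {
		if pt, err := openBytes(key, blob); err == nil && string(pt) == string(sampleFiles[name]) {
			viaPrivateKey++
		}
		for _, k := range escrow { // PayBreak-style: try every vaulted key
			if pt, err := openBytes(k, blob); err == nil && string(pt) == string(sampleFiles[name]) {
				viaEscrow++
			}
		}
	}
	return viaPrivateKey, viaEscrow
}
```

The ordering the paper describes (files sealed first, key pair fetched afterwards, plaintext key deleted last) means the session key sits in the clear on the victim's host for the whole encryption run; that window is what the key-escrow and memory-scanning countermeasures surveyed later in the paper exploit, and it is why the hook above recovers every file without the C&C's private key.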
Fig. 3 – An overview of the utilized tools observed in literature for both ransomware prevention/mitigation and detection.
them, including WannaCry, Locky, CryptoLocker, CryptoWall, and NotPetya samples.

Data Backup
Keeping regular backups of the data stored on a computer or network can greatly minimize the impact of ransomware: the damage is then limited to any data created since the last backup. There is overhead in backing up large amounts of data, so choosing how often backups should be taken and how long they will be kept are important decisions. Backups that remain writable from the infected host can themselves be encrypted or deleted, so at least one copy should be kept offline or immutable.

Huang et al. (2017) proposed a solution called FlashGuard that does not rely on host software at all. Instead, it uses the fact that Solid State Drives (SSDs) do not overwrite data right away; a garbage collector does this after a while. The authors modified the SSD firmware so that the garbage collector does not remove data as quickly, and hence lost data can be restored. When tested against ransomware samples, FlashGuard successfully recovered encrypted data with little impact on SSD performance and life span.

Thomas and Galligher (2018) conducted a literature review of the ransomware process, functional backup architecture paradigms, and the ability of backups to address ransomware attacks. They also provided suggestions to improve information security risk assessments to better address ransomware threats, and presented a new tool for conducting backup system evaluations during information security risk assessments that enables auditors to effectively analyze backup systems and improve an organization's ability to combat and recover from a ransomware attack.

Min et al. (2018) proposed Amoeba, an autonomous backup and recovery SSD system to defend against ransomware attacks. Amoeba contains a hardware accelerator to detect the infection of pages by ransomware attacks at high speed, as well as a fine-grained backup control mechanism to minimize the space overhead of backing up the original data. To evaluate their system, the authors extended the Microsoft SSD simulator to implement Amoeba and evaluated it using realistic block-level traces collected while running actual ransomware. Their experiments found that Amoeba had negligible overhead and outperformed the state-of-the-art SSD defense, FlashGuard, in both performance and space efficiency.

Kharraz and Kirda (2017) proposed Redemption, a system that requires minimal modification of the operating system to maintain a transparent buffer for all storage I/O. Redemption monitors the I/O request patterns of applications on a per-process basis for signs of ransomware-
like behavior. If I/O request patterns are observed that indicate possible ransomware activity, the offending processes can be terminated and the data restored. The evaluation of their system showed that Redemption can ensure zero data loss against current ransomware families without detracting from the user experience or inducing alarm fatigue. Additionally, they showed that Redemption incurs modest overhead, averaging 2.6% for realistic workloads.

Key Management
Key management, in this context, refers to recovering the encryption key that was used to encrypt the files and using it to decrypt them without paying the ransom. For some ransomware samples, such as samples that hard-code the key directly into their executable binary, this may be rather straightforward. For hybrid models, this can be more challenging, as the key is only available in plaintext while the files are actively being encrypted.

Bajpai and Enbody (2020a) decompiled eight different .NET ransomware variants and determined that some ransomware samples use poor key generation techniques that call common libraries. This insight can be utilized by ransomware countermeasures that keep a backup of the attacker's symmetric encryption key, which can then be used to recover any encrypted files later on. For example, Lee et al. (2018) observed that many ransomware programs use the CNG (Cryptography API: Next Generation) library of Windows to generate the encryption key. They developed a prevention system that hooks these functions so that when ransomware calls them, the system stores the encryption key. For the evaluation of their system, Lee et al. (2018) implemented a sample ransomware program and a prevention solution that hooks into the encrypting process of the ransomware in order to extract the encryption key. After hooking, the prevention program displays the extracted encryption key whenever the sample ransomware generates a key for encryption. In experiments where the ransomware program attempted encryption 10, 100, 1,000, 10,000, and 100,000 times, the prevention program extracted the encryption key 100% of the time. One limitation of this solution is the assumption that ransomware calls a specific library to obtain the encryption key; if the assumption is invalid, the solution fails.

Some ransomware programs use a symmetric session key for encryption. This key is generated on the victim's computer, which then uses it to encrypt the user's files. Kolodenker et al. (2017) developed a key backup solution called PayBreak which relies on signatures. PayBreak implements a key escrow approach that stores session keys in a vault, including the symmetric key that the attacker uses. When tested, PayBreak successfully recovered all files encrypted with known encryption signatures.

The security of the symmetric encryption key is vital for ransomware developers. Furthermore, a large subset of current ransomware exclusively deploys AES for data encryption. With this in mind, Bajpai and Enbody (2020) developed a side-channel attack on ransomware's key management to extract exposed ransomware keys from system memory during the encryption process. Their attack leverages the fact that the encryption process is a white box on the host system; this approach succeeds regardless of which cryptographic API is being used by the malware and regardless of whether a cryptographic API is being used by the malware at all. Their attack was able to identify exposed AES keys in ransomware process memory with a 100% success rate in preliminary experiments, including against NotPetya, WannaCry, LockCrypt, CryptoRoger, and AutoIT samples.

User Awareness
Chung (2019) looked at preventing ransomware attacks within companies and organizations, arguing that they should help individual employees take precautions against ransomware scams. This is especially important since, as mentioned previously, ransomware attacks are increasingly targeting institutions such as financial or healthcare organizations. The author listed five prevention tips for employees to follow: install antivirus or anti-malware software on every computer and mobile device in use; choose strong and unique passwords for personal and work accounts; regularly back up files to an external hard drive; never open suspicious email attachments; and use mirror shielding technology such as NeuShield as a failsafe data protection measure.

Thomas (2018) also examined how users and employees within organizations can avoid ransomware attacks, but this paper focused on how individuals can avoid falling for phishing attacks, which are a common first step for ransomware. The author surveyed several security professionals and, based on the findings from the survey, proposed several recommendations. The first recommendation was to segment company employees based on factors such as their familiarity with phishing and the impact level of their jobs. After segmentation, the next recommendation was to develop targeted training for each group; this training should include real-life examples highlighting the seriousness and damage caused by phishing, use real case studies, and include actual incidents within the company. Sharing these actual and personal examples will result in a strong realization of the dangerous impact of spear phishing and will evoke a more personal protection response.

2.2.2. Ransomware detection approaches
Researchers have proposed various detection solutions to spot ongoing ransomware attacks. Once ransomware programs have been spotted, they can be stopped and removed. Below is a classification of different detection approaches. A summary of the tools used in the surveyed literature on ransomware detection can be found in Table 4. An overview of the experimental results of the surveyed literature on ransomware detection, including sensitivity and specificity rates, can be found in Table 5.

Analyzing System Information
A few of the surveyed papers used system information, such as log files or changes to the Windows Registry, as a method of detecting ransomware. A brief summary of those works is presented below.

Monika et al. (2016) noted that ransomware samples tend to add and modify many Windows registry values. They suggested that continuous monitoring of Windows registry values, along with file system activity, can be used to detect ransomware attacks. Chen and Bridges (2017) analyzed system log files to detect ransomware
Table 5 (continued). ∗ Entries that contain a dash were not found in the reviewed source.
insight that ransom notes generally cover a significant part, if not all, of the display. UNVEIL monitors the desktop of the victim machine and takes screenshots of the desktop before and after a sample is executed. The series of screenshots is then analyzed and compared with image analysis methods to determine if a large part of the screen has changed substantially between captures. When evaluated against 148,223 samples, UNVEIL achieved a 96.3% detection rate with zero false positives.

File Analysis
Crypto ransomware modifies a file when encrypting it. Large changes made to many files in a computer's file system could indicate that a ransomware attack is underway. There are several metrics that can be used to detect significant changes in files. The three metrics identified from the surveyed literature are entropy, file type, and file differences (i.e., similarity). In addition, several researchers analyzed file I/O operations to detect suspicious activity. These four methods of file analysis are defined below.

• File entropy: This measures the "randomness" of a file. Encrypted and compressed files have high entropy compared to plaintext files (so entropy alone cannot distinguish an encrypted file from a legitimately compressed one, which is why it is combined with the other metrics). Calculating the entropy of a file and comparing the value to previous calculations for the same file can be used to determine whether the file has been infected by ransomware. Scaife et al. (2016) calculated file entropy with Shannon's formula and used it as one feature to detect ransomware. Mehnaz et al. (2018) also used Shannon entropy as a metric for detecting ransomware. Lee et al. (2019) applied machine learning to classify infected files based on file entropy analysis.
• File type: Here, a file's type is taken to be its extension. Ransomware typically changes the extension of any file that it encrypts. In addition to entropy, both Scaife et al. (2016) and Mehnaz et al. (2018) used file type changes as a feature to determine the presence of ransomware. The detection system designed by Ramesh and Menen (2020) monitors for changes such as large numbers of files being created with the same extension or any files with more than one extension.
• Similarity: In comparison with benign file changes, such as modifying parts of a file or adding new text, the contents of a file encrypted by ransomware should be completely dissimilar from the original plaintext content. Hence, measuring the similarity of two versions of the same file can be used to detect whether ransomware is present. Scaife et al. (2016) measured the similarity between two files with the similarity digest sdhash, which outputs a
similarity score from 0 to 100 that describes the confidence that the two files are similar. Comparisons between a previous version of a file and the encrypted version should yield a score close to 0, as the ciphertext should be indistinguishable from random data. Mehnaz et al. (2018) also used sdhash to perform similarity checks between file versions to determine if a file has been encrypted by ransomware.
• File I/O: These operations are used to access the host computer's file system. Examples of I/O operations include open, close, read, and write (fil, 2021). Ransomware typically performs read operations to read user files without the user's permission. It executes write operations either to create encrypted copies of the target files or to overwrite the original files. In the former case, ransomware performs additional operations to delete the original files. Baek et al. (2018) developed a system to detect ransomware in SSDs which learns the behavioural characteristics of ransomware by observing the request headers of the I/O operations it performs on data blocks. These request headers include the logical block address, the type of operation (read/write), and the size of the data. Natanzon et al. (2018) developed a system that generates a ransomware probability by comparing recent I/O activity to historical I/O activity; if the ransomware probability exceeds a specified threshold value, the system takes actions to mitigate the effects of ransomware within the host. The detection system proposed by Kharraz et al. (2016) extracts features from I/O requests during a sample's execution, such as the type of request (e.g., open, read, write). These events are then matched against a set of I/O access pattern signatures as evidence that the sample is in fact ransomware.

Finite State Machines
A finite state machine (FSM) is an abstract mathematical model that can be used to represent the state of a system and track changes. It has been noted that many ransomware samples tend to carry out similar sets of actions once they reach a target system. Also, the changes made by ransomware differ significantly from those made by benign programs. Hence, ransomware can be quickly identified in most cases. FSMs can be used to track those actions by associating system events with transitions between the states of the FSM. The state of the FSM can be monitored, and if certain states are reached, the FSM can signal that a ransomware attack is underway. Monitoring the state changes that occur in the computer system in terms of utilization, persistence, and the lateral movement of resources can detect ransomware (Ramesh and Menen, 2020).

Ramesh and Menen (2020) proposed an FSM with eight states in total. The changes represented in the FSM include: changes in file entropy, as encrypted files have higher levels of entropy; changes in retention state, which occur if a process has been added to the Run registry key or the startup directory; lateral movement, which checks for suspicious file names such as doubled file extensions (e.g., .pdf.exe); and system resources, which looks for processes that modify the system-restore settings or stop a large number of other processes in a short amount of time. If the FSM ever moves into one of its four final states, then the system is considered to be under a ransomware attack. Their method was tested against 475 different ransomware samples and 1500 benign programs. It detected 98.1% of the tested samples and had a 0% false positive rate. The main drawbacks of this approach are its inability to detect locker-type ransomware and its inability to detect ransomware samples that use sophisticated code-obfuscation and incremental unpacking techniques, such as NotPetya.

Honeypots
Honeypots (or honeyfiles) are decoy files set up for the ransomware to attack. Once these files are touched, the attack is detected and stopped. Honeyfiles are easy to set up and require little maintenance. However, there is no guarantee that the attacker will target these decoys, so an attacker may encrypt other files while leaving the honeyfiles untouched (Moore, 2016). Gómez-Hernández et al. (2018) proposed R-Locker, a tool for Unix platforms containing a "trap layer" with a series of honeyfiles. Any process or application that accesses the trap layer is detected and stopped. Unfortunately, R-Locker only protects part of the complete file system, and the tool can be defeated by deleting the central trap file.

Similarly, Kharraz et al. (2016) designed UNVEIL to limit the damage that attackers can do before they are detected with honeyfiles. UNVEIL generates a virtual environment that aims to attract attackers. It then monitors its file system I/O and detects any presence of a screen locker. Their solution detected 96.3% of ransomware samples and had zero false positives.

Shaukat and Ribeiro (2018) proposed RansomWall, a multi-layered defense system that incorporates honeyfiles to protect against crypto-ransomware. When the trap layer suspects that a process is malicious, any files it modifies are backed up until the process is classified as either ransomware or benign by the other layers. When tested, RansomWall had a 98.25% accuracy rate and generated zero false positives. One challenge is that some ransomware samples have limited file system activity.

Network Traffic Analysis
Network traffic analysis intercepts network packets and analyzes communication patterns to detect ongoing malware attacks. For certain ransomware families, the communication between the victim host and the C&C server behaves much differently from normal traffic. This anomalous behavior can be revealed by studying certain traffic features. The four main features of network traffic used by researchers to detect ransomware are discussed below.

• Packet size: The size of messages exchanged may be unusually large if they contain an encryption key or encryption instructions. Cabaj et al. (2018) analyzed CryptoLocker and Locky ransomware samples under execution and extracted the message size from HTTP packet headers to determine the average size of messages exchanged between the infected host and the C&C server, then used these statistics to build an anomaly detection system based on message size. Bekerman et al. (2015) used TCP packet size as a feature in a supervised classifier for detecting ransomware.
• Message frequency: Detecting an uptick in certain kinds of traffic can reveal the presence of a ransomware attack. Almashhadani et al. (2019) observed that Locky ransomware significantly increases the number of HTTP POST request packets in the traffic stream compared to normal traffic. Additionally, they found numerous TCP RST and TCP ACK packets in Locky's traffic, used to terminate the malicious TCP connections abnormally. The authors used these and other features as part of a multi-classifier intrusion detection system. Bekerman et al. (2015) used the number of TCP RST packets, TCP ACK packets, and duplicate ACK packets, as well as the number of sessions in a communication, as features for their supervised ransomware classification model.
• Malicious domains: Communication between the ransomware and the C&C server can be blocked if the server's domain is identified as malicious. Cabaj and Mazurczyk (2016) proposed a software-defined networking solution that relies on dynamic blacklisting of proxy servers to block communication between the infected computer and the C&C server. Their proposal forwards all DNS traffic to a controller that checks the domains against a blacklist database. If a malicious domain is detected, the DNS message is discarded and traffic from the host is blocked.
• DGA detection: Rather than using hardcoded domain names, which are susceptible to domain blacklisting, some types of ransomware employ a Domain Generation Algorithm (DGA) to generate a large number of domain names that can be used as rendezvous points for their C&C servers. Some detection systems, such as those proposed by Chadha and Kumar (2017) and Salehi et al. (2018), work by determining the DGA and subsequently blocking all generated domains.
• Other features: Hundreds of other network features extracted from various OSI layers can also be used for ransomware detection. Many of these are outlined in Bekerman et al. (2015), whose focus was not ransomware detection specifically but general malware detection.

Machine Learning
Many studies proposed machine learning models that detect ransomware by classifying computer programs as either benign or ransomware based on their behaviour. With sufficient training data, these models can spot attacks with a high degree of accuracy. Additionally, they are frequently able to detect ransomware before it has a chance to encrypt any files. However, finding a suitable model requires trial and error, and bias or overfitting may occur if proper measures are not taken (Kok et al., 2019b). What distinguishes the models proposed by different researchers are the classifier algorithms that are applied and the features that are used for training. The features used in the surveyed literature include the following:

• APIs / System calls: API calls are functions that facilitate the exchange of data among applications, while system calls are service requests made by the ransomware to the OS or kernel (api, 2018). Ransomware often uses networking APIs to contact the C&C server and obtain an encryption or decryption key. Other API calls can be made to maintain execution privileges on the host computer, enumerate the list of files to encrypt, and access or modify files. Ransomware and benign programs have specific call patterns or a unique order of calls that can be used to differentiate them. Examples of system calls include create, delete, execute, and terminate (Bajpai and Enbody, 2020b; Qin et al., 2020; api, 2018).
• Log files: Log files can come from a variety of sources and record information that can indicate whether a ransomware attack is underway. For instance, Herrera Silva and Hernández-Alvarez (Silva and Hernandez-Alvarez, 2017) found that both WannaCry and Petya ransomware make use of DNS and NetBIOS and can be spotted by analyzing DNS and NetBIOS logs. I/O request packets are generated for each file operation and contain parameters such as the type of operation and the address and size of the data being read or written. These parameters can be extracted from I/O request packet logs and used as features.
• File I/O: Ransomware typically executes many more read operations than benign programs, since it must read every file it encrypts. Additionally, it executes more write operations on average. File operation metrics such as the number of files written to or read from, the average entropy of file-write operations, the number of file operations performed for each file extension, and the total number of files accessed can be used to gauge whether the file operations being performed are benign or part of a ransomware attack (Continella et al., 2016; Sgandurra et al., 2016).
• HPC values: Hardware Performance Counters (HPCs) are a set of special-purpose registers that count low-level events such as cache misses and branch mispredictions; they have been repurposed to verify the static and dynamic integrity of programs and to detect malicious modifications to them (Alam et al., 2020). The time-series data collected from these counters can be fed into a model to learn the behaviour of a system and detect malicious programs through statistical deviations in the data.
• Network traffic: Network traffic features include average packet size, the number of packets exchanged between the host and other machines, and the source and/or destination IP addresses contained in packet headers. Ransomware frequently displays anomalous communication patterns. For example, Cabaj and Mazurczyk (2016) found that CryptoWall and Locky ransomware samples involve a defined sequence of HTTP packets exchanged between the host and a C&C server to distribute the encryption key; in addition, these packets tend to be larger than average. Machine learning models can learn normal and anomalous traffic features to distinguish normal communication from malicious communication. Chadha and Kumar (2017) analyzed network traffic to obtain the names of benign and malicious domains to use as features for their model, which detects ransomware by predicting whether incoming or outgoing packets transmitted to or from the host contain a malicious domain.
• Opcode/Bytecode sequences: Opcodes ("operation codes") specify the basic processor instructions to be performed by a machine, whereas bytecode is a form of instruction designed to be executed by a program interpreter (e.g., the Java Virtual Machine). These sequences have rich context and semantic information that provide a snapshot of the program's behaviour. This information can be extracted through dynamic analysis and fed into a model to predict if a given program is benign or malicious.
• Process actions: This refers to the sequence of events that occur while a program or application is running. Ransomware will typically cause different events to occur compared to a benign program; these events can be transformed into feature vectors and learned by a model by extracting information such as text and encoding it as numerical values (Homayoun et al., 2019).
• Others: Many other features were used by researchers and extracted from assorted sources. Some of these features are derived from the raw bytes extracted from executable files using static analysis (Khammas, 2020). Other features relate to web domains (e.g., the length of the domain name, the number of days a domain is registered for (Quinkert et al., 2018b)) or DNS (e.g., the number of DNS name errors, the number of meaningless domain names (Almashhadani et al., 2019)). Portable Executable (PE) file headers, which show the structure of a file and contain important information about the nature of the executable file, have components that can be used as features. Other sources for features include the CPU (e.g., power usage), k-mer substrings (e.g., frequencies), volatile memory, and the Windows Registry (Azmoodeh et al., 2018; Cohen and Nissim, 2018; Sgandurra et al., 2016).

A complete list of the works that focused on detecting ransomware using machine learning is highlighted in Table 6.

3. Ransomware implementation and evaluation

In this section, we have highlighted the motivation for implementing existing ransomware samples and testing the effectiveness of existing countermeasures against those ransomware samples. A brief description of our new ransomware is also presented.

from other known ransomware families. Through these experiments, our motive is just to highlight the need for effective countermeasures against known/unknown ransomware samples.

3.2. Experimental setup

Testing was done using a VirtualBox virtual machine running the latest version of Windows 10. VirtualBox Guest Additions were not installed, as some malware samples are known to detect these additions (gue, 2017). Ransomware samples were taken from the work of sam (2021). The samples were in a binary format and had to be extracted from an encrypted ZIP file before use. In most cases, the file extensions were manually added before the execution of the ransomware. To conduct the tests safely on these ransomware samples, a few precautions were taken. This included setting the network adaptor to host-only, ensuring all software was up to date, and removing any shared folders between the guest and the host operating systems. On the host side, data was backed up to an external hard drive and the internet connection was disconnected. The reason for disconnecting the internet was to make sure the ransomware did not escape the environment of the virtual machine. The ransomware samples were all taken from https://github.com/ytisf/theZoo in January of 2021.
Several test folders were placed in different areas of the file system, including the Desktop, Documents, and Pictures folders. Test folders were also placed in protected areas of the file system such as Program Files, Program Files (x86), and Windows. One of the folders was placed in the Recycle Bin to analyze whether the ransomware scans the Recycle Bin or not. The test folders contained four different file formats: rich-text, text, PDF, and image files. All of these files had a non-zero size.

3.3. Testing

Testing consisted of three parts, where in each part various ransomware samples are pitted against various antivirus products. The first test was on well-known ransomware samples. The second test used a RaaS generator. The third and final test used a novel custom-made ransomware sample. All of the antivirus products were the most up-to-date versions as of January 2021.
SVM: Support Vector Machines, ANN: Artificial Neural Networks, KNN: k-nearest neighbors, LDA: Linear discriminant analysis, CART: Classification and regression trees, SGD: Stochastic Gradient Descent, CNN: Convolutional Neural Networks, LSTM: Long short-term memory
Other ransomware samples were also tested, but unfortunately, we were not able to analyze them. As mentioned earlier, some forms of ransomware need to connect via the internet to a C&C server before they can be executed. In our scenario, because the testing was done offline, it was not possible to analyze that category of ransomware.
The same ransomware samples were then tested against eight popular antivirus programs. In all cases, the ransomware samples were rapidly detected and removed before any test files became encrypted. The samples were often removed before they were even clicked on.

3.3.2. RAASNet Testing
The second round of testing was done using a RaaS generator called RAASNet, which can be downloaded from https://github.com/leonv024/RAASNet. RAASNet is a free, cross-platform, open-source software project designed to educate the public about how easy it is to create and use ransomware. It allows custom ransomware to be created and tested. Although RAASNet generates real ransomware, the decryption key can be freely obtained from the author's website.
A control test was performed for two different RAASNet-generated ransomware samples with no antivirus software
Table 7 – Control test results where ransomware samples were tested without any form of protection.

| Location            | WannaCry  | Cerber    | Thanos    | Jigsaw    |
|---------------------|-----------|-----------|-----------|-----------|
| Desktop             | Encrypted | Encrypted | Encrypted | Encrypted |
| Documents           | Encrypted | Encrypted | Encrypted | Encrypted |
| Pictures            | Encrypted | Safe      | Encrypted | Encrypted |
| OneDrive            | Encrypted | Safe      | Encrypted | Encrypted |
| Recycle Bin         | Deleted   | Safe      | Encrypted | Encrypted |
| C:                  | Encrypted | Encrypted | Encrypted | Encrypted |
| Program Files       | Safe      | Safe      | Safe      | Safe      |
| Program Files (x86) | Safe      | Safe      | Safe      | Safe      |
| Windows             | Safe      | Safe      | Safe      | Safe      |

Table 9 – RAASNet test results for different antivirus software. Both Microsoft Defender and Avira failed to stop the sample.

| Antivirus              | Desktop   | Documents | Pictures  | OneDrive  |
|------------------------|-----------|-----------|-----------|-----------|
| Microsoft Defender     | Encrypted | Encrypted | Encrypted | Encrypted |
| Avira Free             | Encrypted | Encrypted | Encrypted | Encrypted |
| MalwareBytes Premium   | Safe      | Safe      | Safe      | Safe      |
| AVG Free               | Safe      | Safe      | Safe      | Safe      |
| Bitdefender Free       | Safe      | Safe      | Safe      | Safe      |
| Avast Free             | Safe      | Safe      | Safe      | Safe      |
| Kaspersky Free         | Safe      | Safe      | Safe      | Safe      |
| Adaware Antivirus Free | Safe      | Safe      | Safe      | Safe      |
rectory that AESthetic traverses through. Once all of the files are encrypted, AESthetic connects to the C&C server to obtain an RSA public key that it uses to encrypt the symmetric key. Once the symmetric key is encrypted, the plaintext version of the symmetric key is deleted. New files are created to store the encrypted data and the original plaintext files are deleted. After ten seconds, it will automatically start to decrypt the encrypted files. To do this, it once again connects to the C&C server to obtain the corresponding RSA private key to decrypt the encrypted AES symmetric key. This sample was tested against eight popular antivirus programs (the same as those listed in Table 9). All of the test files got encrypted by AESthetic. None of the antivirus programs reported any suspicious activity. Both the source code and an executable JAR file were uploaded to VirusTotal.com, and in both cases, this resulted in zero detections. There were zero detections because the malware was made just for this research and its signature has not yet been added to any signature database.

4. Discussion

From the results of our literature review and experiments, we can make several observations on the current trends and limitations of ransomware countermeasure solutions. Most papers preferred to study ransomware using dynamic analysis over static analysis, or used a combination of the two. This is perhaps unsurprising, as static analysis can frequently be evaded through code obfuscation or polymorphic/metamorphic attacks (Shaukat and Ribeiro, 2018). However, some papers found that certain dynamic analysis approaches can be evaded as well. For instance, the virtual environment in UNVEIL (Kharaz et al., 2016) could potentially be detected and avoided by attackers. One limitation of both types of analysis is that the results cannot usually be generalized to all ransomware variants. For example, the key backup technique proposed by Lee et al. (2018) relies on their analysis that ransomware calls specific functions in the CNG library. The HTTP traffic characteristics that Cabaj et al. (2018) used to detect ransomware come from studying two ransomware families: CryptoWall and Locky. Almashhadani et al. (2019) based their detection system on the behavioural analysis of one family, Locky.
Preventative techniques such as access control and key or data backups can reduce the damage that ransomware can inflict on systems and possibly deter future attacks. However, these prevention-based approaches suffer from several shortcomings as well. Firstly, they can have significant overhead. Access control or key backup schemes can incur significant computational costs (Wang et al., 2015). Creating data backups can cause the system to take a significant performance hit, especially under high workloads (Alshaikh et al., 2020).
Machine learning models were the most common technique for detecting ransomware. These models can be trained to recognize the general behaviour patterns of ransomware through suspicious behaviour or specific basic processor instruction patterns. The ability of machine learning to detect the general behaviour of ransomware is important, as ransomware is constantly evolving and can easily change its code signature, but has difficulty changing its attack pattern (Kok et al., 2019b). However, many of these models require an attack to already be underway in order to detect suspicious activity, such as file access or communication to a malicious domain. Khan et al.'s (2020) use of digital DNA sequencing is a promising approach since it is designed to detect ransomware before infection.
Based on the results of our experiments, which were conducted on a number of different ransomware samples, we have learned a few interesting things about ransomware. Our tests using RAASNet have shown how easy it is to acquire and use ransomware through RaaS software. RaaS lets ransomware developers sell or lease their ransomware variants to affiliates, who use these variants to perform attacks; both developers and affiliates get a cut of any profits. As previously mentioned, RaaS enables users without technical expertise to launch ransomware attacks, meaning that ransomware is no longer limited to the developers who create it. For developers, RaaS reduces their risk since they do not launch the attacks themselves. The RaaS model has gained popularity amongst cybercriminals and has caused a dramatic increase in the rate of ransomware attacks in recent years (Al-rimy et al., 2018).
Although antivirus programs were successful against previously known samples, they did not fare quite so well against the lesser-known RAASNet sample and the completely novel AESthetic sample. The novel sample of course is not present in antivirus signature databases and it was completely undetected. This highlights that current antivirus software likely relies too heavily on simple signature-based static analysis detection and hence should invest more into the approaches seen in the literature, especially with regard to dynamic analysis or honeypot approaches. For example, our ransomware AESthetic was designed with many tell-tale ransomware behaviours in mind, such as leaving ransom notes, reading and writing to many files throughout the file system, and using cryptographic libraries. These behaviours could potentially have been used to detect AESthetic as malicious using dynamic analysis. The only tested antivirus countermeasure that successfully repelled all of the tested ransomware samples was ransomware folder protection, such as "Controlled folder access", which is offered by Windows Defender. Such an approach requires the user to manually decide which folders to protect, however, and it is not very user-friendly, as one needs to manually allow benign programs through the protection wall.

5. Research challenges and future research directions

In this section, we have highlighted key research challenges based on the literature review and explored future research directions. The identified research challenges include unawareness among users, lack of open-access ransomware libraries, and inadequate detection and false-positive rates for ransomware. Future research directions include edge and fog-assisted ransomware detection, DeepFake ransomware, remote working vulnerabilities, blockchain-based countermeasures, increases in RaaS attacks, and expansion of AESthetic.
5.1. Research challenges

1. Unawareness among users: Awareness among users is one of the fundamental challenges that needs to be addressed to reduce the impact of ransomware. For example, there is no foolproof automatic system that is able to consistently counter ransomware attacks that propagate through phishing campaigns. Although existing spam filters are efficient, there is always a possibility that some malicious emails will make their way into your inbox. In that scenario, basic knowledge of recognizing spam can save a victim from being infected. There are currently many workshops, programs, and online websites available to educate users about such threats, but based on the statistics of ransomware attacks, it seems more effort is needed.
2. Lack of Open-Access Ransomware Libraries: In order to propose and develop new solutions that can tackle ransomware, there is an emerging need for open ransomware libraries. The availability of such libraries will help researchers to better understand the varying features behind existing ransomware samples, including their working mechanisms. Based on that understanding, researchers can propose better solutions in a shorter time span. As it stands, it is a tedious task to implement a particular ransomware sample and then test out the countermeasure. However, collecting many of the existing ransomware samples is itself a big research challenge that needs international research collaboration, as well as a large amount of funding to obtain the necessary resources.
3. Inadequate Detection and False Positive Rates: Existing ransomware detection systems face a difficult challenge in achieving both a high detection rate and few false alarms. A large number of false alarms is frustrating for administrators, whereas a low detection rate makes the system ineffective (Maimó et al., 2019). Signature-based detection systems may miss attacks if the signature is too specific; conversely, the system may flag too many benign programs as ransomware if the signature is too generic. Anomaly-based detection systems flag behaviour that is sufficiently far from normal (Kathareios et al., 2017). However, not all abnormal behaviour is malicious. Consequently, these systems can generate a high number of false alarms and require a human to manually review each alarm. This manual validation adds to the system workload and reduces the system's practicality. Al-rimy et al. (2018) were able to achieve both high detection and low false-positive rates by combining two behavioural detection methods into a single model. However, their system relies on a time-based threshold. Hence, more research is needed to improve ransomware detection models and to increase their applicability.

5.2. Future research directions

1. Edge and Fog-assisted Ransomware Detection and Prevention using Federated Learning: There have been huge advancements in the area of Edge and Fog-based technologies (Mukherjee et al., 2018; Hakak et al., 2020c; Hakak et al., 2020; Pham et al., 2020). Besides, with the arrival of federated learning (Yang et al., 2019), numerous opportunities in terms of improving state-of-the-art machine-learning-based approaches have emerged. There is a huge possibility of utilizing these concepts to detect and prevent ransomware, based on machine learning approaches (Liu et al., 2020). One of the possibilities arises by training and deploying machine learning-based algorithms on Edge/Fog-based nodes to detect and prevent ransomware. Through federated learning, we can personalize the learning process of each respective node.
2. DeepFake Ransomware: Deepfakes are manipulated digital representations, such as images and videos, in which an attacker tries to mimic a real person (Güera and Delp, 2018). In the future, it could be possible for attackers to create ransomware that will automatically generate DeepFake content of a victim performing some incriminating or intimate action which he/she never did. The victim will be asked to pay the ransom in order to avoid that content being published online. Mitigating such ransomware attacks will be challenging due to the velocity of data and the availability of numerous social media channels to spread the content.
3. Remote Working Vulnerabilities: The recent COVID-19 pandemic made it mandatory for several institutions to initiate work-from-home scenarios or implement bring your own device (BYOD) policies (Palanisamy et al., 2020). As a result, several vulnerabilities (Curran, 2020) were exploited by attackers, resulting in several ransomware attacks. In one of the reports by SkyBox Security, ransomware attacks witnessed 72 percent growth compared to the previous years. Hence, one of the future research directions is to look at mitigating such attacks during remote working scenarios.
4. Blockchain-based Countermeasures: Blockchain is an immutable decentralized ledger that makes tampering difficult (Hakak et al., 2020a) due to its decentralized nature along with its linked hash function, timestamp function and consensus mechanism (Hakak et al., 2020b; Hakak et al., 2020). It seems to have potential, and it is an interesting research direction where blockchain-based solutions can be used to mitigate ransomware-based attacks. The first step in this direction is the work of Delgado-Mohatar et al. (2020), where the authors have highlighted the use of smart contracts for the limited payment of ransoms to get the decryption keys.
5. Increase in Ransomware-as-a-service (RaaS) Attacks: Ransomware as a service, or RaaS, has been gaining popularity over the past few years (Keijzer, 2020). In the RaaS model, an experienced attacker creates ransomware and offers that code to script kiddies or gray-hat hackers for some price (Meland et al., 2020; Puat and Rahman, 2020). The script kiddies or gray-hat hackers then use that code to carry out their own attacks. The Cerber ransomware attack is one example of the RaaS model in action. With emerging technologies and an increasing number of internet users, there is a strong possibility of a surge in these types of attacks. Hence, mitigating such attacks in the future seems to be a potential research direction.
6. AESthetic Ransomware Artifact Development: The source code of the AESthetic ransomware has been posted to GitHub at https://github.com/kregg34/AESthetic and has been made private. As we are still in the initial phases of developing a decryption tool for AESthetic, we aim to create artifacts for the AESthetic ransomware so that researchers can evaluate the efficacy of their solutions against ransomware. Once the decryption tool is finalised, we will release the code of AESthetic.
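The tell-tale behaviours that Section 4 lists for AESthetic (reads and writes spread across the file system, ciphertext replacing the plaintext originals, ransom notes) can be scored directly from a process's file events, which is the "process actions" feature class of Section 2; the archiver case below shows the false-alarm trade-off raised in Section 5.1, since it also writes high-entropy bytes. The following Python script is an added example and is not code from the paper or from AESthetic; the event trace, process names, entropy cut-off, weights and threshold are all constructed here for illustration.

```python
import math
import ntpath
from dataclasses import dataclass, field

HIGH_ENTROPY_BITS = 7.0  # per byte; encrypted or compressed output sits near 8.0

@dataclass
class ProcessProfile:
    name: str
    reads: set = field(default_factory=set)
    high_entropy_writes: int = 0
    dirs_written: set = field(default_factory=set)
    deleted_after_read: int = 0
    ransom_notes: int = 0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_like_ransom_note(path: str, data: bytes) -> bool:
    """Note-like file name plus text telling the victim that files are encrypted."""
    name = ntpath.basename(path).lower()
    text = data.decode("utf-8", errors="ignore").lower()
    return any(m in name for m in ("decrypt", "readme", "how_to", "restore")) and "encrypted" in text

def profile_events(events):
    """Fold a (pid, process, op, path, data) trace into one ProcessProfile per pid."""
    profiles = {}
    for pid, proc, op, path, data in events:
        p = profiles.setdefault(pid, ProcessProfile(proc))
        if op == "read":
            p.reads.add(path.lower())
        elif op == "write":
            p.dirs_written.add(ntpath.dirname(path).lower())
            if shannon_entropy(data) >= HIGH_ENTROPY_BITS:
                p.high_entropy_writes += 1
            if looks_like_ransom_note(path, data):
                p.ransom_notes += 1
        elif op == "delete" and path.lower() in p.reads:
            p.deleted_after_read += 1  # original consumed, then removed
    return profiles

def score(p: ProcessProfile) -> int:
    """Constructed weights: each behaviour alone is weak evidence, together strong."""
    s = 0
    if p.high_entropy_writes >= 3 and p.deleted_after_read >= 3:
        s += 3  # bulk ciphertext output replacing files the process first read
    elif p.high_entropy_writes:
        s += 1  # archivers and backup tools also land here
    if len(p.dirs_written) >= 3:
        s += 2  # traversal across the file system rather than one folder
    if p.ransom_notes:
        s += 3
    return s

def classify(events, threshold=5):
    """Return {pid: (process name, score, verdict)}; the threshold trades alarms for misses."""
    out = {}
    for pid, p in profile_events(events).items():
        s = score(p)
        out[pid] = (p.name, s, "ransomware-like" if s >= threshold else "benign")
    return out

# Constructed trace, not a real capture; the folders mirror the paper's test locations.
CIPHERTEXT = bytes(range(256)) * 4  # every byte value four times: entropy exactly 8.0
PROSE = b"Quarterly report: revenue grew modestly while costs stayed flat. " * 16
NOTE = b"Your files have been encrypted. Contact the address below to decrypt them."
U = r"C:\Users\alice"
TRACE = [
    # pid 4242: read a file per folder, write ciphertext beside it, delete the
    # original, then drop a note: the behaviour pattern discussed in Section 4
    (4242, "sample.exe", "read", U + r"\Documents\report.docx", None),
    (4242, "sample.exe", "write", U + r"\Documents\report.docx.enc", CIPHERTEXT),
    (4242, "sample.exe", "delete", U + r"\Documents\report.docx", None),
    (4242, "sample.exe", "read", U + r"\Pictures\holiday.jpg", None),
    (4242, "sample.exe", "write", U + r"\Pictures\holiday.jpg.enc", CIPHERTEXT),
    (4242, "sample.exe", "delete", U + r"\Pictures\holiday.jpg", None),
    (4242, "sample.exe", "read", U + r"\Desktop\todo.txt", None),
    (4242, "sample.exe", "write", U + r"\Desktop\todo.txt.enc", CIPHERTEXT),
    (4242, "sample.exe", "delete", U + r"\Desktop\todo.txt", None),
    (4242, "sample.exe", "write", U + r"\Desktop\README_DECRYPT.txt", NOTE),
    # pid 7: an archiver also writes high-entropy bytes, but into one folder and
    # without removing its inputs, so the weights keep it below the threshold
    (7, "7z.exe", "read", U + r"\Documents\report.docx", None),
    (7, "7z.exe", "write", U + r"\Documents\backup.7z", CIPHERTEXT),
    # pid 9: a word processor saving plaintext back to the file it opened
    (9, "winword.exe", "read", U + r"\Documents\report.docx", None),
    (9, "winword.exe", "write", U + r"\Documents\report.docx", PROSE),
]

if __name__ == "__main__":
    for pid, (name, s, verdict) in classify(TRACE).items():
        print(pid, name, s, verdict)
```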
Alzahrani A, Alshehri A, Alshahrani H, Alharthi R, Fu H, Liu A, Zhu Y. Randroid: Structural similarity approach for detecting ransomware applications in android platform. In: 2018 IEEE International Conference on Electro/Information Technology (EIT). IEEE; 2018. p. 0892–7.
Ami O, Elovici Y, Hendler D. Ransomware prevention using application authentication-based file access control. In: Proceedings of the 33rd Annual ACM Symposium on Applied Computing; 2018. p. 1610–19.
Andronio N, Zanero S, Maggi F. Heldroid: Dissecting and detecting mobile ransomware. Berlin, Heidelberg: Springer-Verlag; 2015. p. 382–404.
Aslan O, Samet R. A comprehensive review on malware detection approaches. IEEE Access 2020;8:6249–71.
Aurangzeb S, Aleem M, Iqbal M, Islam M, et al. Ransomware: a survey and trends. J. Inf. Assur. Secur 2017;6(2):48–58.
Ayub MA, Continella A, Siraj A. An i/o request packet (irp) driven effective ransomware detection scheme using artificial neural network; 2020. p. 319–24.
Azmoodeh A, Dehghantanha A, Conti M, Choo K-KR. Detecting crypto-ransomware in iot networks based on energy consumption footprint. J Ambient Intell Humaniz Comput 2018;9(4):1141–52.
Bae S, Lee G, Im E. Ransomware detection using machine learning algorithms. Concurrency and Computation: Practice and Experience 2020;32(18):e5422.
Baek S, Jung Y, Mohaisen A, Lee S, Nyang D. Ssd-insider: Internal defense of solid-state drive against ransomware with perfect data recovery. In: 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS). IEEE; 2018. p. 875–84.
Bajpai P, Enbody R. Attacking key management in ransomware. IT Prof 2020;22(2):21–7.
Bajpai P, Enbody R. Dissecting .net ransomware: key generation, encryption and operation. Network Security 2020;2020(2):8–14.
Bajpai P, Enbody R. An empirical study of api calls in ransomware. In: 2020 IEEE International Conference on Electro Information Technology (EIT); 2020. p. 443–8. doi:10.1109/EIT48999.2020.9208284.
Bajpai P, Sood AK, Enbody R. A key-management-based taxonomy for ransomware. In: 2018 APWG Symposium on Electronic Crime Research (eCrime); 2018. p. 1–12. doi:10.1109/ECRIME.2018.8376213.
Baldwin J, Dehghantanha A. Leveraging Support Vector Machine for Opcode Density Based Detection of Crypto-ransomware. In: Cyber Threat Intelligence. Springer; 2018. p. 107–36.
Bekerman D, Shapira B, Rokach L, Bar A. Unknown malware detection using network traffic classification. In: 2015 IEEE Conference on Communications and Network Security (CNS). IEEE; 2015. p. 134–42.
Berrueta Irigoyen E, Morató Osés D, Magaña Lizarrondo E, Izal Azcárate M. A survey on detection techniques for cryptographic ransomware. IEEE Access 2019;7:144925–44.
Brewer R. Ransomware attacks: detection, prevention and cure. Network Security 2016;2016(9):5–9.
Cabaj K, Gregorczyk M, Mazurczyk W. Software-defined networking-based crypto ransomware detection using http traffic characteristics. Computers & Electrical Engineering 2018;66:353–68.
Cabaj K, Mazurczyk W. Using software-defined networking for ransomware mitigation: the case of cryptowall. IEEE Netw 2016;30(6):14–20.
Chadha S, Kumar U. Ransomware: Let's fight back!. In: 2017 International Conference on Computing, Communication and Automation (ICCCA). IEEE; 2017. p. 925–30.
Chen Q, Bridges RA. Automated behavioral analysis of malware: A case study of wannacry ransomware. In: 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA); 2017. p. 454–60. doi:10.1109/ICMLA.2017.0-119.
Chung M. Why employees matter in the fight against ransomware. Computer Fraud & Security 2019;2019(8):8–11.
Cicala F, Bertino E. Analysis of encryption key generation in modern crypto ransomware. IEEE Trans Dependable Secure Comput 2020:1–1. doi:10.1109/TDSC.2020.3005976.
Cohen A, Nissim N. Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. Expert Syst Appl 2018;102:158–78.
Continella A, Guagnelli A, Zingaro G, Pasquale GD, Barenghi A, Zanero S, Maggi F. Shieldfs: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications; 2016. p. 336–47.
Cosic J, Schlehuber C, Morog D. New challenges in forensic analysis in railway domain. In: 2019 IEEE 15th International Scientific Conference on Informatics; 2019. p. 000061–4. doi:10.1109/Informatics47936.2019.9119288.
Creating a simple free malware analysis environment; 2017. https://www.malwaretech.com/2017/11/creating-a-simple-free-malware-analysis-environment.html.
Curran K. Cyber security and the remote workforce. Computer Fraud & Security 2020;2020(6):11–12.
Cusack G, Michel O, Keller E. Machine learning-based detection of ransomware using sdn. In: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization; 2018. p. 1–6.
File i/o; 2021. https://www.pcmag.com/encyclopedia/term/file-io.
Canadian Centre for Cyber Security. Ransomware: How to prevent and recover (itsap.00.099); 2018. https://www.cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099.
Dargahi T, Dehghantanha A, Bahrami PN, Conti M, Bianchi G, Benedetto L. A cyber-kill-chain based taxonomy of crypto-ransomware features. Journal of Computer Virology and Hacking Techniques 2019;15:277–305.
Delgado-Mohatar O, Sierra-Cámara J, Anguiano E. Blockchain-based semi-autonomous ransomware. Future Generation Computer Systems 2020.
Genç Z, Lenzini G, Ryan P. No random, no ransom: a key to stop cryptographic ransomware. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer; 2018. p. 234–55.
Gomez-Hernandez J, Alvarez-Gonzalez L, Garcia-Teodoro P. R-Locker: thwarting ransomware action through a honeyfile-based approach. Computers & Security 2018;73:389–98.
Groenewegen A, Alqabandi M, Elamin M, Paardekooper P. A behavioral analysis of the ransomware strain nefilim; 2020. doi:10.13140/RG.2.2.18301.59360.
Güera D, Delp E. Deepfake video detection using recurrent neural networks. In: 2018 15th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS). IEEE; 2018. p. 1–6.
Hakak S, Khan W, Gilkar G, Assiri B, Alazab M, Bhattacharya S, Reddy G. Recent advances in blockchain technology: a survey on applications and challenges. arXiv preprint arXiv:2009.05718 2020.
Hakak S, Khan W, Gilkar G, Imran M, Guizani N. Securing smart cities through blockchain technology: architecture, requirements, and challenges. IEEE Netw 2020;34(1):8–14.
Hakak S, Khan W, Imran M, Choo K, Shoaib M. Have you been a victim of covid-19-related cyber incidents? survey, taxonomy, and mitigation strategies. IEEE Access 2020;8:124134–44.
Hakak S, Ray S, Khan W, Scheme E. A framework for edge-assisted healthcare data analytics using federated learning; 2020.
Hakak S, Khan WZ, Gilkar GA, Haider N, Imran M, Alkatheiri MS. Industrial wastewater management using blockchain technology: architecture, requirements, and future directions. IEEE Internet of Things Magazine 2020;3(2):38–43.
Hassan N. Ransomware Families. In: Ransomware Revealed. Springer; 2019. p. 47–68.
Homayoun S, Dehghantanha A, Ahmadzadeh M, Hashemi S, Khayami R, Choo K, Newton D. Drthis: deep ransomware threat hunting and intelligence system at the fog layer. Future Generation Computer Systems 2019;90:94–104.
Huang J, Xu J, Xing X, Liu P, Qureshi MK. Flashguard: Leveraging intrinsic flash properties to defend against encryption ransomware. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security; 2017. p. 2231–44.
Hull G, John H, Arief B. Ransomware deployment methods and analysis: views from a predictive model and human responses. Crime Sci 2019;8(1):2.
Jain G, Rani N. Awareness learning analysis of malware and ransomware in bitcoin. Springer Singapore; 2020. p. 765–76.
Javaheri D, Hosseinzadeh M, Rahmani A. Detection and elimination of spyware and ransomware by intercepting kernel-level system routines. IEEE Access 2018;6:78321–32.
Jung S, Won Y. Ransomware detection method based on context-aware entropy analysis. Soft comput 2018;22(20):6731–40.
Kara I, Aydos M. Cyber fraud: Detection and analysis of the crypto-ransomware. In: 2020 11th IEEE Annual Ubiquitous Computing, Electronics Mobile Communication Conference (UEMCON); 2020. p. 0764–9. doi:10.1109/UEMCON51285.2020.9298128.
Karapapas C, Pittaras I, Fotiou N, Polyzos GC. Ransomware as a service using smart contracts and ipfs. In: 2020 IEEE International Conference on Blockchain and Cryptocurrency (ICBC); 2020. p. 1–5. doi:10.1109/ICBC48266.2020.9169451.
Kathareios G, Anghel A, Mate A, Clauberg R, Gusat M. Catch it if you can: real-time network anomaly detection with low false alarm rates. In: 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA); 2017. doi:10.1109/icmla.2017.00-36.
Keijzer N. The new generation of ransomware: an in depth study of Ransomware-as-a-Service. University of Twente; 2020.
Khammas B. Ransomware detection using random forest technique. ICT Express 2020;6(4):325–31.
Khan F, Ncube C, Ramasamy LK, Kadry S, Nam Y. A digital dna sequencing engine for ransomware detection using machine learning. IEEE Access 2020;8:119710–19. doi:10.1109/ACCESS.2020.3003785.
Kharaz A, Arshad S, Mulliner C, Robertson W, Kirda E. UNVEIL: A large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIX Security 16); 2016. p. 757–72.
Kharraz A, Kirda E. Redemption: Real-time protection against ransomware at end-hosts. In: International Symposium on
Kok S, Abdullah A, Jhanjhi N. Early detection of crypto-ransomware using pre-encryption detection algorithm. Journal of King Saud University-Computer and Information Sciences 2020.
Kok S, Abdullah A, Jhanjhi N, Supramaniam M. Prevention of crypto-ransomware using a pre-encryption detection algorithm. Computers 2019;8(4):79.
Kok S, Abdullah A, Jhanjhi N, Supramaniam M. Ransomware, threat and detection techniques: a review. Int. J. Comput. Sci. Netw. Secur 2019;19(2):136.
Kolodenker E, Koch W, Stringhini G, Egele M. Paybreak: Defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security; 2017. p. 599–611.
Komatwar R, Kokare M. A survey on malware detection and classification. Journal of Applied Security Research 2020:1–31.
Lallie H, Shepherd L, Nurse J, Erola A, Epiphaniou G, Maple C, Bellekens X. Cyber security in the age of covid-19: a timeline and analysis of cyber-crime and cyber-attacks during the pandemic. arXiv preprint arXiv:2006.11929 2020.
Lee K, Lee S, Yim K. Machine learning based file entropy analysis for ransomware detection in backup systems. IEEE Access 2019;7:110205–15.
Lee K, Yim K, Seo J. Ransomware prevention technique using key backup. Concurrency and Computation: Practice and Experience 2018;30(3):e4337.
Liu X, Li H, Xu G, Lu R, He M. Adaptive privacy-preserving federated learning. Peer-to-Peer Networking and Applications 2020.
Sophos Ltd. Paying the ransom doubles cost of recovering from a ransomware attack, according to Sophos; 2020. https://www.globenewswire.com/news-release/2020/05/12/2031961/0/en/Paying-the-Ransom-Doubles-Cost-of-Recovering-from-a-Ransomware-Attack-According-to-Sophos.html.
Mackenzie P. Wannacry aftershock. Sophos; 2019. Available online: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf.
Maimó L, Celdran A, Gomez A, Clemente F, Weimer J, Lee I. Intelligent and dynamic ransomware spread detection and mitigation in integrated clinical environments. Sensors 2019;19(5):1114. doi:10.3390/s19051114.
Manavi F, Hamzeh A. A new method for ransomware detection based on pe header using convolutional neural networks. In: 2020 17th International ISC Conference on Information Security and Cryptology (ISCISC); 2020. doi:10.1109/ISCISC51277.2020.9261903.
Mattei T. Privacy, confidentiality, and security of health care information: lessons from the recent wannacry cyberattack. World Neurosurg 2017;104:972–4.
McIntosh T, Watters P, Kayes A, Ng A, Chen Y. Enforcing situation-aware access control to build malware-resilient file systems. Future Generation Computer Systems 2021;115:568–82. doi:10.1016/j.future.2020.09.035.
Mehnaz S, Mudgerikar A, Bertino E. Rwguard: A real-time detection system against cryptographic ransomware. In: International Symposium on Research in Attacks, Intrusions, and Defenses. Springer; 2018. p. 114–36.
Meland P, Bayoumy Y, Sindre G. The ransomware-as-a-service economy within the darknet. Computers & Security 2020:101762.
Research in Attacks, Intrusions, and Defenses. Springer; 2017. Min D, Park D, Ahn J, Walker R, Lee J, Park S, Kim Y. Amoeba: an
p. 98–119. autonomous backup and recovery ssd for ransomware attack
Kim D, Lee J. Blacklist vs. whitelist-based ransomware solutions. defense. IEEE Comput. Archit. Lett. 2018;17(2):245–8.
IEEE Consum. Electron. Mag. 2020;9(3):22–8
doi:10.1109/MCE.2019.2956192.
Monika, Zavarsky P, Lindskog D. Experimental analysis of ransomware on Windows and Android platforms: evolution and characterization. Procedia Comput Sci 2016;94:465–72.
Moore C. Detecting ransomware with honeypot techniques. In: 2016 Cybersecurity and Cyberforensics Conference (CCC). IEEE; 2016. p. 77–81.
Morato D, Berrueta E, Magaña E, Izal M. Ransomware early detection by the analysis of file sharing traffic. Journal of Network and Computer Applications 2018;124:14–32.
Mukherjee M, Shu L, Wang D. Survey of fog computing: fundamental, network applications, and research challenges. IEEE Communications Surveys & Tutorials 2018;20(3):1826–57.
Muslim A, Dzulkifli D, Nadhim MH, Abdellah R. A study of ransomware attacks: evolution and prevention; 2019.
Nadir I, Bakhshi T. Contemporary cybercrime: a taxonomy of ransomware threats & mitigation techniques. In: 2018 International Conference on Computing, Mathematics and Engineering Technologies (iCoMET); 2018. p. 1–7 doi:10.1109/ICOMET.2018.8346329.
Nahmias D, Cohen A, Nissim N, Elovici Y. Deep feature transfer learning for trusted and automated malware signature generation in private cloud environments. Neural Networks 2020;124:243–57.
Naseer A, Mir R, Mir A, Aleem M. Windows-based ransomware: a survey. Journal of Information Assurance & Security 2020;15(3).
Natanzon A, Derbeko P, Stern U, Bakshi M, Manusov Y. Ransomware detection using I/O patterns. US Patent 10,078,459; 2018.
Or-Meir O, Nissim N, Elovici Y, Rokach L. Dynamic malware analysis in the modern era: a state of the art survey. ACM Computing Surveys 2019;52(5):1–48 doi:10.1145/3329786.
Palanisamy R, Norman A, Kiah M. BYOD policy compliance: risks and strategies in organizations. Journal of Computer Information Systems 2020:1–12.
Parkinson S. Use of access control to minimise ransomware impact. Network Security 2017;2017(7):5–8.
Pham Q, Fang F, Ha V, Piran M, Le M, Le L, Hwang W, Ding Z. A survey of multi-access edge computing in 5G and beyond: fundamentals, technology integration, and state-of-the-art. IEEE Access 2020;8:116974–7017.
Poudyal S, Dasgupta D, Akhtar Z, Gupta K. A multi-level ransomware detection framework using natural language processing and machine learning. In: 14th International Conference on Malicious and Unwanted Software (MALCON); 2019.
Poudyal S, Subedi KP, Dasgupta D. A framework for analyzing ransomware using machine learning. In: 2018 IEEE Symposium Series on Computational Intelligence (SSCI). IEEE; 2018. p. 1692–9.
Pranggono B, Arabo A. COVID-19 pandemic cybersecurity issues. Internet Technology Letters 2020 doi:10.1002/itl2.247.
Puat H, Rahman N. Ransomware as a service and public awareness. PalArch's Journal of Archaeology of Egypt/Egyptology 2020;17(7):5277–92.
Qin B, Wang Y, Ma C. API call based ransomware dynamic detection approach using TextCNN. In: 2020 International Conference on Big Data, Artificial Intelligence and Internet of Things Engineering (ICBAIE); 2020. p. 162–6 doi:10.1109/ICBAIE49996.2020.00041.
Quinkert F, Holz T, Hossain K, Ferrara E, Lerman K. RAPTOR: ransomware attack predictor. arXiv preprint arXiv:1803.01598 2018.
Ramesh G, Menen A. Automated dynamic approach for detecting ransomware using finite-state machine. Decis Support Syst 2020;138:113400.
Richardson R, North M. Ransomware: evolution, mitigation and prevention. International Management Review 2017;13(1):10–21.
Saeed M. Malware in computer systems: problems and solutions. IJID (International Journal on Informatics for Development) 2020;9(1):1–8.
Salehi S, Shahriari H, Ahmadian MM, Tazik L. A novel approach for detecting DGA-based ransomwares. In: 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC); 2018. p. 1–7 doi:10.1109/ISCISC.2018.8546941.
Scaife N, Carter H, Traynor P, Butler KRB. CryptoLock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS); 2016. p. 303–12 doi:10.1109/ICDCS.2016.46.
Sgandurra D, Muñoz-González L, Mohsen R, Lupu EC. Automated dynamic analysis of ransomware: benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020 2016.
Sharafaldin I, Lashkari A, Hakak S, Ghorbani A. Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy. In: 2019 International Carnahan Conference on Security Technology (ICCST). IEEE; 2019. p. 1–8.
Sharmeen S, Ahmed YA, Huda S, Koçer BA, Hassan MM. Avoiding future digital extortion through robust protection against ransomware threats using deep learning based adaptive approaches. IEEE Access 2020;8:24522–34 doi:10.1109/ACCESS.2020.2970466.
Shaukat S, Ribeiro V. RansomWall: a layered defense system against cryptographic ransomware attacks using machine learning. In: 2018 10th International Conference on Communication Systems & Networks (COMSNETS). IEEE; 2018. p. 356–63.
Shijo P, Salim A. Integrated static and dynamic analysis for malware detection. Procedia Comput Sci 2015;46:804–11.
Silva J, Hernandez-Alvarez M. Large scale ransomware detection by cognitive security. In: 2017 IEEE Second Ecuador Technical Chapters Meeting (ETCM). IEEE; 2017. p. 1–4.
Srinivasan C. Hobby hackers to billion-dollar industry: the evolution of ransomware. Computer Fraud & Security 2017;2017(11):7–9 doi:10.1016/S1361-3723(17)30081-7.
Tailor J, Patel A. A comprehensive survey: ransomware attacks prevention, monitoring and damage control. International Journal of Research and Scientific Innovation (IJRSI) 2017;4:2321–705.
Takeuchi Y, Sakai K, Fukumoto S. Detecting ransomware using support vector machines. In: Proceedings of the 47th International Conference on Parallel Processing Companion; 2018. p. 1–6.
theZoo. 2021. https://github.com/ytisf/theZoo/tree/master/malwares/Binaries.
Thomas J. Individual cyber security: empowering employees to resist spear phishing to prevent identity theft and ransomware attacks. International Journal of Business Management 2018;12(3):1–23.
Thomas J, Galligher G. Improving backup system evaluations in information security risk assessments to combat ransomware. Computer and Information Science 2018;11(1).
url, 2021. https://www.sophos.com/en-us/press-office/press-releases/2021/04/ransomware-recovery-cost-reaches-nearly-dollar-2-million-more-than-doubling-in-a-year.aspx.
Walker A, Sengupta S. Insights into malware detection via behavioral frequency analysis using machine learning. In: MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). IEEE; 2019. p. 1–6.
Wang Z, Huang D, Zhu Y, Li B, Chung C. Efficient attribute-based comparable data access control. IEEE Trans. Comput. 2015;64(12):3430–43.
What is the difference between API and system call. 2018. https://pediaa.com/what-is-the-difference-between-api-and-system-call.
Wilner A, Jeffery A, Lalor J, Matthews K, Robinson K, Rosolska A, Yorgoro C. On the social science of ransomware: technology, security, and society. Comparative Strategy 2019;38(4):347–70.
Yang Q, Liu Y, Chen T, Tong Y. Federated machine learning: concept and applications. ACM Transactions on Intelligent Systems and Technology (TIST) 2019;10(2):1–19.
Yaqoob I, Ahmed E, ur Rehman M, Ahmed A, Al-garadi M, Imran M, Guizani M. The rise of ransomware and emerging security challenges in the internet of things. Comput. Networks 2017;129:444–58.
Zhang B, Xiao W, Xiao X, Sangaiah A, Zhang W, Zhang J. Ransomware classification using patch-based CNN and self-attention network on embedded n-grams of opcodes. Future Generation Computer Systems 2020;110:708–20.
Zhang-Kennedy L, Assal H, Rocheleau J, Mohamed R, Baig K, Chiasson S. The aftermath of a crypto-ransomware attack at a large academic institution. In: 27th USENIX Security Symposium (USENIX Security 18); 2018. p. 1061–78.
Zimba A, Mulenga M. A dive into the deep: demystifying WannaCry crypto ransomware network attacks via digital forensics. International Journal on Information Technologies and Security 2018;10:57–68.
Zimba A, Wang Z, Chen H, Mulenga M. Recent advances in cryptovirology: state-of-the-art crypto mining and crypto ransomware attacks. KSII Trans. Internet Inf. Syst. 2019;13:3258–79 doi:10.3837/tiis.2019.06.027.

Craig Beaman is a graduate student at the University of New Brunswick, where he is completing a Master of Applied Cybersecurity. Craig received a B.Sc. (Honours) from the University of New Brunswick with a major in physics and minors in mathematics and computer science. His research interests include cryptography, network security, and malware detection and prevention.

Ashley Barkworth is a graduate student at the University of New Brunswick, where she is completing a Master of Applied Cybersecurity. Ashley received a B.Sc. (Honours) from the University of British Columbia with a major in computer science and a minor in mathematics in 2020. Her research interests include information security, cryptography, and data management in centralized systems.

Toluwalope David Akande is a graduate student at the University of New Brunswick, where he is completing a Master of Applied Cybersecurity. He received a B.Sc. (Honours) from Obafemi Awolowo University with a major in Computer Engineering. His research interests include network security, intrusion detection using machine learning, and cloud computing security.

Saqib Hakak is an assistant professor at the Canadian Institute for Cybersecurity (CIC), Faculty of Computer Science, University of New Brunswick (UNB). With more than five years of industrial and academic experience, he has received several gold and silver awards in international innovation competitions and serves as a technical committee member and reviewer for several reputed conference and journal venues. His current research interests include risk management, fake news detection using AI, security and privacy concerns in the IoE, applications of federated learning in the IoT, and blockchain technology.

Muhammad Khurram Khan is currently working as a Professor of Cybersecurity at the Center of Excellence in Information Assurance, King Saud University, Kingdom of Saudi Arabia. He is founder and CEO of the 'Global Foundation for Cyber Studies and Research', an independent and non-partisan cybersecurity think-tank in Washington D.C., USA. He is the Editor-in-Chief of 'Telecommunication Systems', published by Springer-Nature, with a recent impact factor of 2.314 (JCR 2021). He is also the Editor-in-Chief of Cyber Insights Magazine. He is on the editorial board of several journals, including IEEE Communications Surveys & Tutorials, IEEE Communications Magazine, IEEE Internet of Things Journal, IEEE Transactions on Consumer Electronics, Journal of Network & Computer Applications (Elsevier), IEEE Access, IEEE Consumer Electronics Magazine, PLOS ONE, and Electronic Commerce Research. He has published more than 400 papers in journals and conferences of international repute. In addition, he is an inventor on 10 US/PCT patents. He has edited 10 books and proceedings published by Springer-Verlag, Taylor & Francis and IEEE. His research areas of interest are cybersecurity, digital authentication, IoT security, biometrics, multimedia security, cloud computing security, cyber policy, and technological innovation management. He is a fellow of the IET (UK), a fellow of the BCS (UK), and a fellow of the FTRA (Korea). His detailed profile can be visited at http://www.professorkhurram.com.