Abstract
In this paper, we present the results of a long-term study of ransomware attacks that have been observed in the wild between 2006 and 2014. We also provide a holistic view on how ransomware attacks have evolved during this period by analyzing 1,359 samples that belong to 15 different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim's computer desktop or attempts to encrypt or delete the victim's files using only superficial techniques. Our analysis also suggests that stopping advanced ransomware attacks is not as complex as it has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination of the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.
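As an added illustration of the defense the abstract sketches (example code written for this page, not code from the paper): a toy monitor over a constructed I/O trace that flags a process which reads user files and then overwrites them with high-entropy data or deletes them, and any process writing directly to NTFS metadata files such as $MFT. The trace format, the file-count and entropy thresholds, and the process ids are assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed stand-ins for file content (not real samples): a low-entropy document
# and a high-entropy blob standing in for the ciphertext an encrypting ransomware writes back.
PLAINTEXT = b"Quarterly report: revenue up 3%, costs flat.\n" * 40
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

# NTFS metadata files a user-mode process should never write directly (assumed protected set).
PROTECTED_NTFS_FILES = {"$MFT", "$MFTMirr", "$LogFile"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(requests, min_files=3, entropy_threshold=7.0):
    """Return {pid: [reasons]} for processes whose I/O pattern looks like ransomware.
    requests: iterable of (pid, op, path, data) with op in {"read", "write", "delete"}."""
    seen_read = defaultdict(set)    # pid -> paths the process has read
    destructive = defaultdict(set)  # pid -> read files later overwritten with high-entropy data or deleted
    reasons = defaultdict(list)
    for pid, op, path, data in requests:
        name = path.rsplit("\\", 1)[-1]
        if op == "write" and name in PROTECTED_NTFS_FILES:
            reasons[pid].append(f"direct write to protected NTFS metadata file {name}")
        elif op == "read":
            seen_read[pid].add(path)
        elif op == "write" and path in seen_read[pid] and entropy(data) >= entropy_threshold:
            destructive[pid].add(path)
        elif op == "delete" and path in seen_read[pid]:
            destructive[pid].add(path)
    for pid, paths in destructive.items():
        if len(paths) >= min_files:
            reasons[pid].append(f"read-then-encrypt/delete pattern across {len(paths)} user files")
    return dict(reasons)

# Constructed I/O trace: pid 100 is a normal editor saving one document, pid 200 behaves like
# an encrypting ransomware, pid 300 tampers with the MFT directly.
DOCS = [f"C:\\Users\\alice\\Documents\\file{i}.docx" for i in range(4)]
SAMPLE_TRACE = (
    [(100, "read", DOCS[0], b""), (100, "write", DOCS[0], PLAINTEXT)]
    + [(200, "read", p, b"") for p in DOCS]
    + [(200, "write", p, CIPHERTEXT) for p in DOCS]
    + [(300, "write", "C:\\$MFT", b"\x00" * 512)]
)

def run_sample():
    return detect(SAMPLE_TRACE)
```

A real minifilter-based monitor would see IRP-level requests rather than full buffers, but the read-then-overwrite and MFT-write signals are the same ones the abstract points to.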
Acknowledgements
This work is supported by the National Science Foundation (NSF) under grant CNS-1116777, and Secure Business Austria.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E. (2015). Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science(), vol 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_1
DOI: https://doi.org/10.1007/978-3-319-20550-2_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-20549-6
Online ISBN: 978-3-319-20550-2
eBook Packages: Computer Science (R0)