Resurgence of Ransomware Attacks

Introduction

Ransomware attacks have recently seen a resurgence in popularity because of their ability to inflict damage on organizations that is costly to resolve. Pascariu et al. (2017) defined ransomware attacks as “a kind of scareware that locks the victims’ computers until they make a payment to regain access to their data.” The authors identify ransomware attacks as the most common malware attacks, among others including Locky, Crysis, Jaff, NotPetya and WannaCry. The increasing number of reported ransomware attacks has prompted many companies to develop a preventative regimen against such attacks. This work sets out the typical characteristics of ransomware attacks and the attack vectors used for this type of attack. It also proposes a strategy for preventing, mitigating the effects of, and responding to successful ransomware attacks, using the Facebook Company as the case study. Ransomware attacks are different from denial-of-service attacks on the premise that they permanently erase or delete data, although some malware presented as ransomware can destroy data or make systems inoperable (Wolf and Goff, 2018). For instance, the most-reported and highly costly 2017 outbreak of malware known as NotPetya (Diskcoder.C) is usually combined with WannaCryptor (WannaCry) in discussions of ransomware. However, NotPetya was a combination of brickware and wiperware, without the capacity to decrypt files, and it also modified the MBR code in such a manner that recovery would not be possible (Ganor, 2018).

The Evolution of Ransomware Malware

Given the increase in ransomware and malware intrusions, it is vital to understand how ransomware payloads are developed and how the malware attacks the user’s data. The concept of malware attacks dates back many years. Ransomware attacks have been in existence for about one and a half decades now. Lau et al. (2018) note that such attacks were prevalent in 2017, with hundreds of thousands of cases reported. Previously, ransomware attackers used the same key for encryption and decryption. Reverse engineers would develop a decryption tool for every variant, so encrypted files were easy to restore in a short period. The ransomware authors learned from these mistakes and adopted asymmetric-key cryptography, in which information is encrypted using one key whereas decryption is done using a different key that is not readily available to the victim (Piper, 2018). In addition, information is encrypted using a symmetric key, which is itself encrypted by an asymmetric key. Restoring the files then requires paying for the decryption key. This has made ransomware attacks more effective for cybercriminals, leaving the victims unable to access their valuable data (Richardson and North, 2017). Moreover, where the cybercriminals use symmetric keys and security analysts are able to identify the decryption key and release it, the cybercriminal can swiftly release an updated version that uses a unique decryption key.

Recovering from a ransomware attack consumes a great deal of time and money. Sittig and Singh (2016) recommend that it is better to avoid the attack than to resolve it after it has happened. The best way to escape a ransomware attack is first to understand how the malware operates. Malware authors and cybercriminals aim to introduce their destructive code into the computers or other devices of likely target companies or persons, and they use different vectors to accomplish this. These vectors are discussed below.

Kolodenker et al. (2017) maintained in their research that spam has been an internet problem for a long time, yet ransomware authors have used it as one of their attack vectors of choice for introducing malicious code. According to Kharaz et al. (2016), there have been inadequate innovations spelling out how ransomware authors seek to get ransomware-containing files opened. Ransomware authors use email subjects that are compelling and likely to entice the victims into opening them. Such email subjects mostly relate to unpaid invoices, account suspensions and undelivered packages, all of which are intended to grab the victim’s attention. Furthermore, the authors of some ransomware strains target victims by geography. For instance, the TorrentLocker ransomware has been targeting European countries and Australia in the relevant language, and the spam emails usually appear to be sent from local companies (Zimba and Chishimba, 2019).

It is characteristic of ransomware spam email to be persuasive and relevant to matters concerning the intended victim (Richardson and North, 2017). In the context of the Facebook Company, this means that users can receive a message purportedly from a particular company stakeholder. Besides, the email may go on to warn of penalty charges that will accrue if a parcel is not collected within one month, to motivate the recipient to click on the shipment confirmation link. The authors also make sure to use language appropriate to the intended victims, and ensure that the email addresses they send the spam to are legitimate, rather than sending to randomized usernames in the hope of catching some victims (Van Heerden et al., 2018).

Commonly Used Attack Vectors

According to Gupta (2008), ransomware authors are careful when sending their malicious emails, paying particular attention to the time at which the emails are sent. The timeslots in which the malicious emails are sent usually coincide with business or working hours in the destination states. For instance, CryptoWall ransomware email is sent between 5 a.m. and 9 a.m. EST, whereas TorrentLocker emails go out between 1 p.m. and 7 p.m. EST. The developers of such ransomware also tend to spread the emails across these timeslots so that a relatively low volume is sent at once, making it difficult for spam filters to detect them.

Compromised Websites

A compromised website is another vector through which ransomware authors seek victims. Cybercriminals compromise legitimate websites by embedding malicious code in them. When the victim opens such a compromised website, it directs them to a landing site which launches the ransomware payload (Shukla, Mondal, and Lodha, 2016). It is also a suitable avenue for coaxing users to click on malicious links found in emails. The use of compromised websites as an attack vector is characteristic of ransomware authors.

This approach is advantageous to the attackers because it does not need social engineering or any other effort to lure users into clicking on a malicious URL. Instead, the online user visits the website of their own volition, especially websites they visit regularly. The frequently visited page can belong to a well-established and renowned company, or be a popular blog running on vulnerable blogging software. In this scenario, a probable ransomware victim can visit their preferred blog and be automatically redirected to pages asking them to update an application they are using. The user is then prompted to download or run some software which, upon execution, activates the ransomware (Tuttle, 2016).

Malvertising

Malvertising is another typical way by which online users are infected with ransomware (Pope, 2016). In this scenario, a probable victim visits a legitimate website displaying advertisements served by a third-party advertising network. When any of the displayed advertisements is malicious, it will seek to exploit an unpatched vulnerability in the victim’s browser, or attempt to run a zero-day exploit for which there is no matching patch, in order to download ransomware. According to Kao and Hsiao (2018), cybercriminals use web advertisements (such as banner content) provided through legitimate ad services to disseminate ransomware and malicious code. The ad services attempt to stop any malicious ads, but the attackers are skillful at evading such detection. The malvertising vector has a low chance of producing a successful ransomware attack, since it depends on the user having an unpatched vulnerability in his/her browser; but, in contrast to malicious email attachments, no action is required of a vulnerable victim for the attack to take effect.

Exploit Kits

Fernandes et al. (2014) define exploit kits as sophisticated pieces of software which are placed on compromised or malicious websites. The kits scan any computer which visits the website for various predetermined vulnerabilities, exploiting any vulnerability found on the computer. The exploit kits are rented or sold to other cybercriminals, who use them to compromise computers and apply them for whatever purposes they prefer.

Infected File Downloads

Infected file downloads constitute another vector through which cybercriminals propagate ransomware to users. Unsuspecting and unvigilant users are the most likely victims of this vector. A ransomware strain can be embedded in movie or music content which is then made available on an illegal file-sharing website. There have been reported cases whereby hackers compromised a website’s legitimate application, turning the file which visitors download to install the app into a malicious folder containing ransomware (Spence et al., 2018).

Mobile Application Download

Contaminated file downloads in the form of applications are capable of delivering ransomware to mobile devices. Despite Google’s and Apple’s periodic policing of their app stores for malware files, these efforts do not fully guarantee protection. Besides, any Android device and any jailbroken iOS device can be configured to download applications from sources outside the control of Google and Apple. The simplest form of Android ransomware involves a malicious application which uses a reset password API to change the victim’s device password to a new value, effectively locking the victim out of their device. In Android Nougat, the reset password API was changed to make it harder for malware to alter the password if one already exists (Sgandurra et al., 2016).

Messaging Apps

Cybercriminals at times also deliver ransomware to victims by sending messages over a messaging service to large numbers of users. The transmitted messages contain a file in the Scalable Vector Graphics (SVG) format with embedded malicious JavaScript. Upon opening the image, the user is directed to a video on a spoofed YouTube site which asks the victim to install a codec (a malicious Chrome extension) in order to view the video. After the extension is installed, a Nemucod malware downloader runs, which infects the computer with different strains of malware such as Locky ransomware (Liao, 2008).

Mitigation Measures of Ransomware Attacks on Compromised Websites

Ransomware is a rapidly growing security threat which needs to be halted by all means possible. The internet is exposed to various perils, which the section above examined with respect to ransomware. There are various steps which organizations can put in place to avoid ransomware attacks. In this regard, the Facebook Company can apply the following strategies. Creating awareness about ransomware attacks, by educating staff members about the perils of clicking on attachments or links sent via email, is vital in the present and future contexts where ransomware threats are increasing. Training should be carried out periodically to inform employees of new ransomware dynamics, since the day-to-day evolution of technology drives the development of new ransomware trends (Luo and Liao, 2007). Besides raising employee awareness, the use of an efficient spam filter can contribute to the basket of ransomware prevention measures. Here, Everett (2016) argues that cybercriminals send many malicious untargeted emails to different organizations, but an efficient spam filter which is continuously updated from a cloud-based threat company can stop more than 99% of these emails from reaching employees’ computer systems.

Additionally, desktops and other employee computers should be configured to display file extensions, and employees trained not to open executable files with an “.exe” extension. Cabaj and Mazurczyk (2016) observed that Windows conceals file extensions by default, which allows a malicious executable like "evil.doc.exe" to look like a Word document named "evil.doc". Making sure that extensions are always displayed can help to counter this sort of threat. Another approach which the Facebook Company can apply to counter ransomware attacks is blocking executables in emails. Filtering files with an .exe extension arriving by email is likely to prevent particular malicious files from reaching employees, even though this cannot be a foolproof intervention, because malicious emails can instruct employees to rename files, and ransomware is also being delivered as JavaScript files (Scaife et al., 2016). Additionally, ransomware attacks can be prevented through prompt patching of software. All computer software should be periodically updated with the latest security patches. In their research, Schirrmacher, Ondrus, and Tan (2018) found that 44% of successful ransomware attacks in 2017 were the result of software which had not been patched for between 2 and 4 years. In 2017, the WannaCry ransomware strain took advantage of an unpatched Microsoft Windows vulnerability.
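One way to implement the attachment filtering described above, as an added example that is not part of the original essay: a Python mail screen that flags attachments by executable or script extension and by the "evil.doc.exe" double-extension pattern. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative (not exhaustive) extensions that run code when opened on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk"}
# Document-like extensions a user expects to be harmless ("evil.doc.exe").
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_filename(name):
    """Return the reasons an attachment name is risky (empty list = pass)."""
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as a.exe.
    cleaned = name.strip().rstrip(". ").lower()
    exts = ["." + part for part in cleaned.split(".")[1:]]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double extension: looks like " + exts[-2]
                           + " when extensions are hidden")
    return reasons


def screen_message(raw_bytes):
    """Parse a raw message; return {attachment name: reasons} for risky parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        reasons = classify_filename(name)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed test message: one benign and two risky attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Unpaid invoice"
    msg.set_content("Please see the attached invoice.")
    for fname in ("report.pdf", "evil.doc.exe", "invoice.js"):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    # Name-based checks only: a renamed or archived payload passes this filter,
    # which is why the text calls extension blocking useful but not foolproof.
    for name, reasons in screen_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```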

According to Brewer (2016), enterprise security systems are well placed to play a crucial role in preventing ransomware attacks. Security software helps to prevent users from opening or visiting a vulnerable web page. Such security systems ought to unmask URLs so that users can know which page they are visiting and retrieve a risk rating and a preview of the intended page. Identified malicious websites can consequently be blocked. Preventing ransomware processes, blocking ransomware files, detecting unusual behavior, preventing suspicious activity and monitoring for mass modifications are significant capabilities which software developers can provide to companies to safeguard them against ransomware. The company should thus endeavor to apply anti-ransomware software, especially PhishMe and Wombat Security, to combat the frequency of ransomware attacks. According to Azmoodeh et al. (2017), backup and patching are the two significant aspects of administering and operating systems which play a critical role in defending against ransomware attacks. Patching of systems helps to close off probable avenues of attack and can stop ransomware from entering the company, or lower the impact it can have. For instance, firms which promptly patched the Windows File and Printer Sharing service (SMB) following Microsoft Security Bulletin MS17-010 were safeguarded from the EternalBlue exploit used to propagate WannaCryptor and NotPetya in organizations.
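The "monitoring for mass modifications" capability named above can be illustrated with a sliding-window detector over file-event logs. This is an added example, not taken from the essay or from any product it names; the log format, window length, threshold and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # assumed look-back window
THRESHOLD = 5                   # assumed: distinct files changed per process in the window


def parse_event(line):
    """Parse '<ISO time> pid=<n> op=<WRITE|RENAME|READ> path=<path>' (constructed format)."""
    stamp, rest = line.split(" ", 1)
    fields = dict(item.split("=", 1) for item in rest.split(" ", 2))
    return datetime.fromisoformat(stamp), int(fields["pid"]), fields["op"], fields["path"]


def detect_mass_modification(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {pid: time of first alert} for processes changing many distinct files fast."""
    recent = defaultdict(deque)  # pid -> (time, path) events still inside the window
    alerts = {}
    for line in lines:
        when, pid, op, path = parse_event(line)
        if op not in ("WRITE", "RENAME"):
            continue  # reads alone are not counted as modifications
        events = recent[pid]
        events.append((when, path))
        while when - events[0][0] > window:
            events.popleft()
        # Count distinct paths so an editor re-saving one file never trips the alert.
        if pid not in alerts and len({p for _, p in events}) >= threshold:
            alerts[pid] = when
    return alerts


def sample_log():
    """Constructed events: an editor, a slow backup job and a burst of file changes."""
    start = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    for i in range(8):   # pid 4120 saves the same document eight times
        t = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} pid=4120 op=WRITE path=C:\\Users\\a\\draft.docx")
    for i in range(6):   # pid 900 touches one new file every 15 seconds
        t = (start + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{t} pid=900 op=WRITE path=D:\\backup\\part{i}.bak")
    for i in range(6):   # pid 7788 changes six different files in five seconds
        t = (start + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{t} pid=7788 op=RENAME path=C:\\Users\\a\\file{i}.xlsx")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for pid, when in detect_mass_modification(sample_log()).items():
        print(f"pid {pid}: mass modification at {when.isoformat()}")
```

The window and threshold trade false positives against detection delay, so they need tuning against a host's normal workload before the alert is wired to an automated response.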

Conclusion

For a long time, many organizations have strived to alleviate the damage of ransomware attacks, which are engineered by money-oriented cybercriminals, agenda-driven activists, ethically challenged government agents, and some hoodie-wearing code junkies who, as Andre (2017) describes, “have not adequately thought things through.” The above work has set out various vectors through which ransomware attacks are carried out. An in-depth understanding of the vectors provides a basis for a permanent solution to the challenges. Ransomware attacks can be very costly and can paralyze company operations, especially when the files ransomed are crucial for the daily running of the company. There is, therefore, a need for constant vigilance to ensure the attacks are counteracted.

References

Azmoodeh, A., Dehghantanha, A., Conti, M. and Choo, K.K.R., 2017. Detecting crypto-ransomware in IoT networks based on energy consumption footprint. Journal of Ambient Intelligence and Humanized Computing, pp.1-12.

Cabaj, K. and Mazurczyk, W., 2016. Using software-defined networking for ransomware mitigation: the case of cryptowall. IEEE Network, 30(6), pp.14-20.

Fernandes, D.A., Soares, L.F., Gomes, J.V., Freire, M.M. and Inácio, P.R., 2014. A quick perspective on the current state in cybersecurity. In Emerging Trends in ICT Security (pp. 423-442). Morgan Kaufmann.

Ganor, I., 2018. Enterprise cyber security risk management and resource planning. U.S. Patent Application 16/015,524.

Kao, D.Y. and Hsiao, S.C., 2018, February. The dynamic analysis of WannaCry ransomware. In 2018 20th International Conference on Advanced Communication Technology (ICACT) (pp. 159-166). IEEE.

Kharaz, A., Arshad, S., Mulliner, C., Robertson, W. and Kirda, E., 2016. UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware. In 25th USENIX Security Symposium (USENIX Security 16) (pp. 757-772).

Kolodenker, E., Koch, W., Stringhini, G. and Egele, M., 2017, April. PayBreak: defense against cryptographic ransomware. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (pp. 599-611). ACM.

Lau, N., Pastel, R., Chapman, M.R., Minarik, J., Petit, J. and Hale, D., 2018, September. Human Factors in Cybersecurity–Perspectives from Industries. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting (Vol. 62, No. 1, pp. 139-143). Sage CA: Los Angeles, CA: SAGE Publications.

Liao, Q., 2008. Ransomware: a growing threat to SMEs. In Conference Southwest Decision Science Institutes. Awareness education as the key to ransomware prevention. Information Systems Security, 16(4), pp.195-202.

Pascariu, C., BARBU, I.D. and Bacivarov, I.C., 2017. Investigative Analysis and Technical Overview of Ransomware Based Attacks. Case Study: WannaCry. International Journal of Information Security and Cybercrime, 6(1), pp.57-62.

Piper, A., 2018. HELD HOSTAGE: Victim organizations are paying a high price for ransomware attacks. Internal Auditor, 75(4), pp.28-34.

Richardson, R. and North, M.M., 2017. Ransomware: Evolution, mitigation and prevention. International Management Review, 13(1), p.10.

Scaife, N., Carter, H., Traynor, P. and Butler, K.R., 2016, June. Cryptolock (and drop it): stopping ransomware attacks on user data. In 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS) (pp. 303-312). IEEE.

Sgandurra, D., Muñoz-González, L., Mohsen, R. and Lupu, E.C., 2016. Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020.

Shukla, M., Mondal, S. and Lodha, S., 2016, October. Poster: Locally virtualized environment for mitigating ransomware threat. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1784-1786). ACM.

Spence, N., Niharika Bhardwaj MBBS, M.S. and Paul III, D.P., 2018. Ransomware in Healthcare Facilities: A Harbinger of the Future?. Perspectives in Health Information Management, pp.1-22.

Sittig, D.F. and Singh, H., 2016. A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks. Applied clinical informatics, 7(02), pp.624-632.

Van Heerden, R., Von Solms, S. and Vorster, J., 2018, May. Major security incidents since 2014: an African perspective. In 2018 IST-Africa Week Conference (IST-Africa) (pp. Page-1). IEEE.

Wolf, D.G. and Goff, D.L., 2018, April. A ransomware research framework: poster. In Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security (p. 26). ACM.

Zimba, A. and Chishimba, M., 2019. On the Economic Impact of Crypto-ransomware Attacks: The State of the Art on Enterprise Systems. European Journal for Security Research, pp.1-29.
