
Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks

  • Conference paper
  • In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2015)

Abstract

In this paper, we present the results of a long-term study of ransomware attacks that have been observed in the wild between 2006 and 2014. We also provide a holistic view of how ransomware attacks have evolved during this period by analyzing 1,359 samples that belong to 15 different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim’s computer desktop or attempts to encrypt or delete the victim’s files using only superficial techniques. Our analysis also suggests that stopping advanced ransomware attacks is not as complex as has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination of the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.
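As an added illustration of the abstract's proposal (not code from the paper or its authors), the following Python scores a per-process trace of file-system I/O requests the way a minifilter-backed monitor might: it counts files a process overwrites with encrypted-looking (high-entropy) data, counts deletes or renames of files that process already touched, and treats any user-mode write to the NTFS MFT as immediately suspicious. The record format, thresholds, process names, paths and the sample trace are constructed assumptions.

```python
import math
from collections import defaultdict

HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data sits close to 8.0 (assumed threshold)
MIN_FILES = 3        # distinct files overwritten with high-entropy data before we care (assumed)
MFT_PATHS = {"\\$MFT", "\\$MFTMirr"}   # NTFS metadata files no ordinary process should write

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def score_trace(trace):
    """Per-process summary of (process, op, path, data) I/O records; op is read/write/delete/rename."""
    enc_files = defaultdict(set)   # process -> files it overwrote with high-entropy data
    touched = defaultdict(set)     # process -> files it has read or written
    destroyed = defaultdict(int)   # process -> deletes/renames of files it previously touched
    mft_write = defaultdict(bool)  # process -> wrote to the MFT directly
    for proc, op, path, data in trace:
        if op == "write" and path in MFT_PATHS:
            mft_write[proc] = True
        elif op == "write":
            touched[proc].add(path)
            if shannon_entropy(data) >= HIGH_ENTROPY:
                enc_files[proc].add(path)
        elif op == "read":
            touched[proc].add(path)
        elif op in ("delete", "rename") and path in touched[proc]:
            destroyed[proc] += 1   # read-or-write followed by removal of the original
    verdicts = {}
    for p in set(touched) | set(mft_write):
        verdicts[p] = {"encrypted_files": len(enc_files[p]), "destroyed": destroyed[p],
                       "mft_write": mft_write[p],
                       "suspicious": mft_write[p] or (len(enc_files[p]) >= MIN_FILES and destroyed[p] > 0)}
    return verdicts

def suspicious_processes(trace):
    return {p for p, v in score_trace(trace).items() if v["suspicious"]}

# Constructed sample trace: a benign editor, and a process that reads each document,
# writes an encrypted-looking copy and deletes the original (the encrypt-then-delete pattern).
PLAIN = b"Quarterly report, draft 3: revenue grew 4% quarter over quarter.\n" * 4
CIPHER = bytes(range(256))   # uniform bytes, entropy exactly 8.0, stands in for ciphertext
SAMPLE_TRACE = [("notepad.exe", "read", "C:\\Users\\a\\notes.txt", b""),
                ("notepad.exe", "write", "C:\\Users\\a\\notes.txt", PLAIN)]
for doc in ("report.docx", "budget.xlsx", "photo.jpg", "thesis.pdf"):
    p = "C:\\Users\\a\\Documents\\" + doc
    SAMPLE_TRACE += [("crypt.exe", "read", p, b""), ("crypt.exe", "write", p + ".locked", CIPHER),
                     ("crypt.exe", "delete", p, b"")]
```

Running `suspicious_processes(SAMPLE_TRACE)` flags only `crypt.exe`; a real monitor would gather these records from a file-system minifilter rather than an in-memory list.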



Acknowledgements

This work is supported by the National Science Foundation (NSF) under grant CNS-1116777, and Secure Business Austria.

Author information

Corresponding author: Amin Kharraz.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E. (2015). Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science, vol 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_1

  • DOI: https://doi.org/10.1007/978-3-319-20550-2_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-20549-6

  • Online ISBN: 978-3-319-20550-2