Overinfection in Ransomware
Ransomware is malicious software that prevents users from accessing their data and demands payment of a ransom to restore that access; it has become a fast-growing problem for computer users. For this reason, several papers in this field have focused on ways of detecting it or on describing its infection and encryption processes. Our paper examines ransomware from another point of view by describing an interesting property of it, namely overinfection management, that is, the way a sample handles multiple infections of the same target. We show that overinfection management in ransomware can operate at four levels: Level 0 ensures that the ransomware is not executed twice at the same time on the same machine; Level 1 avoids re-encrypting files it has already encrypted; Level 2 coordinates between its successive infections of the same machine; and Level 3 manages the infection across many target machines in the same fleet (for example, a corporate network).
Keywords: Ransomware, Infection, Overinfection, Self-reproduction, Detection
We thank Dr. Vesselin Bontchev and Dr. Afaf Hamzaoui for their useful remarks and suggestions.
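The following is an added illustration, not code from the paper, of what the Level 0 and Level 1 checks described in the abstract look like in practice and of how an analyst can turn them against a sample. The marker header, marker extension and lock name are constructed for this example and belong to no real family; the lock file stands in for the named mutex (CreateMutex with a fixed name, bail out on ERROR_ALREADY_EXISTS) that Windows samples typically use for Level 0, so that the example runs on any OS.

```python
"""Added example: Level 0 (single instance) and Level 1 (skip already-encrypted
files) overinfection checks, plus the defensive "vaccination" trick of
pre-creating the Level 0 artefact. All indicators below are constructed."""
import os
import tempfile

# Constructed values for a hypothetical family (assumptions, not real indicators).
MARKER_HEADER = b"EXAMPLE-LOCKED!"   # header the hypothetical sample prepends to encrypted files
MARKER_EXT = ".exlocked"             # extension it appends to encrypted files
INSTANCE_LOCK_NAME = "example_overinfection.lock"  # stands in for a named Windows mutex


def already_encrypted(path: str) -> bool:
    """Level 1 check: was this file already processed by the same family?
    Accept either the appended extension or the in-file header, so a file whose
    name a user restored by hand still counts as encrypted and is not touched twice."""
    if path.endswith(MARKER_EXT):
        return True
    try:
        with open(path, "rb") as f:
            return f.read(len(MARKER_HEADER)) == MARKER_HEADER
    except OSError:
        return False


class InstanceLock:
    """Level 0 check: refuse to run a second copy concurrently.
    A lock file created with O_EXCL plays the role of the named mutex; creation
    fails if another instance (or a defender) already created it."""

    def __init__(self, directory: str):
        self.path = os.path.join(directory, INSTANCE_LOCK_NAME)
        self.fd = None

    def acquire(self) -> bool:
        try:
            self.fd = os.open(self.path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
            return True
        except FileExistsError:
            return False

    def release(self) -> None:
        if self.fd is not None:
            os.close(self.fd)
            os.unlink(self.path)
            self.fd = None


def triage(directory: str) -> dict:
    """Analyst view: walk a tree and count files the Level 1 check would skip
    versus files the sample would still target."""
    counts = {"encrypted": 0, "untouched": 0}
    for root, _, files in os.walk(directory):
        for name in files:
            if name == INSTANCE_LOCK_NAME:
                continue
            p = os.path.join(root, name)
            counts["encrypted" if already_encrypted(p) else "untouched"] += 1
    return counts


def vaccinate(directory: str) -> str:
    """Defensive use of the Level 0 check: create the artefact in advance so a
    sample that performs this check concludes another instance is running and
    exits. Returns the path created; it must stay in place to keep working."""
    path = os.path.join(directory, INSTANCE_LOCK_NAME)
    with open(path, "ab"):
        pass
    return path


def demo() -> dict:
    """Build a constructed sample tree, run the checks and return what was observed."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.docx"), "wb") as f:
            f.write(b"PK\x03\x04 plain document")                  # untouched file
        with open(os.path.join(d, "photo.jpg" + MARKER_EXT), "wb") as f:
            f.write(MARKER_HEADER + b"\x00" * 16)                 # marked by extension and header
        with open(os.path.join(d, "renamed_back.pdf"), "wb") as f:
            f.write(MARKER_HEADER + b"\x00" * 16)                 # extension removed, header remains
        counts = triage(d)
        lock = InstanceLock(d)
        first = lock.acquire()                 # first instance runs
        second = InstanceLock(d).acquire()     # concurrent second instance is refused
        lock.release()
        vaccinate(d)
        after_vaccine = InstanceLock(d).acquire()  # sample refused although nothing is running
        return {"counts": counts, "first": first, "second": second,
                "after_vaccine": after_vaccine}


if __name__ == "__main__":
    print(demo())
```

The header check matters because extension-only Level 1 logic is fragile in both directions: a user who renames files back would get them encrypted a second time (and, with a fresh key, lose any chance of recovering with the first key), while a defender who only knows the extension cannot reliably inventory what was hit. The vaccination call shows the flip side of Level 0: whatever artefact the sample uses to detect itself can be planted ahead of time, which is why a sample that silently exits on a pre-existing mutex or marker is a detection and containment opportunity rather than only an evasion feature.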