Overinfection in Ransomware

  • Yassine Lemmou
  • El Mamoun Souidi
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 969)


Ransomware, malicious software that prevents users from accessing their data and demands payment of a ransom to restore that access, has become a fast-growing problem among computer users. For this reason, several papers in this field have focused on ways of detecting it or on describing its infection and encryption processes. Our paper examines ransomware from another point of view by describing one of its interesting properties, namely overinfection management: the way multiple infections on the same target are handled. We show that overinfection in ransomware can have four levels: Level 0, to ensure that the ransomware is not executed twice at the same time on the same machine; Level 1, to avoid re-encrypting files it has already encrypted; Level 2, to coordinate between its infections on the same machine; and Level 3, to manage the infection between many target machines in the same computer park.


Keywords: Ransomware, Infection, Overinfection, Self-reproduction, Detection



We thank Dr. Vesselin Bontchev and Dr. Afaf Hamzaoui for their useful remarks and suggestions.



Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. Mohammed V University in Rabat, Faculty of Sciences, Laboratory of Mathematics, Computer Science, Applications and Information Security, Rabat, Morocco
