Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks

  • Amin Kharraz
  • William Robertson
  • Davide Balzarotti
  • Leyla Bilge
  • Engin Kirda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9148)


In this paper, we present the results of a long-term study of ransomware attacks that have been observed in the wild between 2006 and 2014. We also provide a holistic view on how ransomware attacks have evolved during this period by analyzing 1,359 samples that belong to 15 different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim’s computer desktop or attempts to encrypt or delete the victim’s files using only superficial techniques. Our analysis also suggests that stopping advanced ransomware attacks is not as complex as has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination of the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.
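The abstract names two file-system signals a defender can act on: abnormal per-process I/O patterns (a process reading many user files and then overwriting them with high-entropy data or deleting them) and any attempt to write to the NTFS Master File Table. The following is an added illustration of that detection logic run over a constructed I/O request log; it is not the paper's own system, and the log record format, the entropy threshold and the file-count threshold are assumptions made for the example.

```python
"""Toy detector for the file-system signals described in the abstract.

Added example, not the paper's code.  Assumptions: I/O requests arrive as
IoRequest records (one per operation), a write payload with Shannon entropy
>= 7.0 bits/byte is treated as encrypted, and a process that reads and then
encrypts or deletes at least `min_files` distinct files is reported.
"""
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass
class IoRequest:
    pid: int
    op: str            # "read", "write", "delete" or "rename"
    path: str
    data: bytes = b""  # payload for writes, used for the entropy check


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


MFT_MARKER = "$mft"  # NTFS metadata file; no user process should modify it


def analyze(requests, min_files=5, entropy_threshold=7.0):
    """Return {pid: [alert, ...]} for processes showing ransomware-like I/O."""
    alerts = defaultdict(list)
    read_by_pid = defaultdict(set)        # files each process has read
    suspicious_by_pid = defaultdict(set)  # files read, then encrypted/deleted
    for r in requests:
        name = r.path.replace("/", "\\").lower()
        # Signal 1: any modification aimed at the MFT is reported immediately.
        if name.endswith("\\" + MFT_MARKER) and r.op in ("write", "delete", "rename"):
            alerts[r.pid].append(f"MFT tampering: {r.op} on {r.path}")
            continue
        # Signal 2: read -> high-entropy overwrite, or read -> delete/rename.
        if r.op == "read":
            read_by_pid[r.pid].add(name)
        elif r.op == "write":
            if name in read_by_pid[r.pid] and shannon_entropy(r.data) >= entropy_threshold:
                suspicious_by_pid[r.pid].add(name)
        elif r.op in ("delete", "rename"):
            if name in read_by_pid[r.pid]:
                suspicious_by_pid[r.pid].add(name)
    for pid, files in suspicious_by_pid.items():
        if len(files) >= min_files:
            alerts[pid].append(f"mass overwrite/delete after read: {len(files)} files")
    return dict(alerts)


def build_sample_log():
    """Constructed log: a benign editor (pid 100), a process that reads six
    documents and overwrites each with uniform high-entropy bytes (pid 200),
    and a process that writes to the MFT (pid 300)."""
    high_entropy = bytes(range(256)) * 4  # every byte value equally likely
    log = [
        IoRequest(100, "read", r"C:\Users\alice\notes.txt"),
        IoRequest(100, "write", r"C:\Users\alice\notes.txt", b"meeting at noon\n" * 8),
    ]
    for i in range(6):
        path = rf"C:\Users\alice\Documents\report{i}.docx"
        log.append(IoRequest(200, "read", path))
        log.append(IoRequest(200, "write", path, high_entropy))
    log.append(IoRequest(300, "write", r"C:\$MFT", b"\x00" * 64))
    return log


if __name__ == "__main__":
    for pid, found in analyze(build_sample_log()).items():
        for a in found:
            print(f"pid {pid}: {a}")
```

Because the overwrite rule requires the written path to be one the same process already read, an archiver that reads many files and writes a single new archive is not flagged, while a process that reads a document and writes ciphertext back to the same path is. The file-count threshold keeps a single editor save from triggering the alert; the MFT rule needs no threshold because no ordinary process has a reason to touch that file.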


Keywords: Malware, Ransomware, Malicious activities, Underground economy, Bitcoin



This work is supported by the National Science Foundation (NSF) under grant CNS-1116777, and Secure Business Austria.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Amin Kharraz (1)
  • William Robertson (1)
  • Davide Balzarotti (3)
  • Leyla Bilge (4)
  • Engin Kirda (1, 2)
  1. Northeastern University, Boston, USA
  2. Lastline Labs, Santa Barbara, USA
  3. Institut Eurecom, Sophia Antipolis, France
  4. Symantec Research Labs, Sophia Antipolis, France
