
Identifying File Interaction Patterns in Ransomware Behaviour

Chapter in: Guide to Vulnerability Analysis for Computer Networks and Systems

Part of the book series: Computer Communications and Networks (CCN)

Abstract

Malicious software (malware) has a rich history of causing significant challenges for users and system developers alike. The development of new malware types is often driven by criminal opportunity. The monetisation of ransomware, coupled with the continuously growing importance of user data, has made ransomware one of the most prominent forms of malware. Detecting and stopping a ransomware attack is challenging because of the large variety of different types, as well as the speed at which new instances are developed. This renders static approaches (e.g. signature-based detection) ineffective at identifying all ransomware instances. This chapter investigates the behavioural characteristics of ransomware, focussing in particular on its interaction with the underlying file system. The study identifies that ransomware instances exhibit distinctive behavioural patterns that differ significantly from those of normal user interaction.



Corresponding author

Correspondence to Liam Grant.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this chapter

Grant, L., Parkinson, S. (2018). Identifying File Interaction Patterns in Ransomware Behaviour. In: Parkinson, S., Crampton, A., Hill, R. (eds) Guide to Vulnerability Analysis for Computer Networks and Systems. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-92624-7_14

  • DOI: https://doi.org/10.1007/978-3-319-92624-7_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-92623-0

  • Online ISBN: 978-3-319-92624-7