Abstract
Malicious software (malware) has a long history of causing significant problems for users and system developers alike. The development of new malware types is often driven by criminal opportunity. The monetisation of ransomware, coupled with the continuously growing importance of user data, has made ransomware one of the most prominent forms of malware. Detecting and stopping a ransomware attack is challenging because of the large variety of ransomware types and the speed at which new instances are developed. This renders static approaches (e.g. signature-based detection) ineffective at identifying all ransomware instances. This chapter investigates the behavioural characteristics of ransomware, focusing in particular on interaction with the underlying file system. The study identifies that ransomware instances have distinctive behavioural patterns that differ significantly from those of normal user interaction.
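The abstract contrasts ransomware's file-system interaction with that of normal user activity. The following is an added illustration of that idea, not the chapter's own code, feature set or thresholds: it replays a constructed per-process event trace (read, write, rename, delete), derives a few behavioural indicators (proportion of high-entropy writes, extension changes on rename, read-then-overwrite ordering, breadth of directories touched) and scores each process. The event format, the two sample traces, the entropy threshold and the indicator weights are all assumptions chosen for the example; the benign trace deliberately includes one high-entropy write (a zip file) to show why a single indicator is not enough.

```python
"""Added example: scoring file-system event traces for ransomware-like behaviour.

Everything here (event format, sample traces, thresholds, weights) is a constructed
assumption for illustration; it is not the chapter's method.
"""
import hashlib
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 6.5   # assumed: bits/byte above which a write looks encrypted/compressed
SCORE_THRESHOLD = 4       # assumed: indicator score at which a process is flagged


def pseudo_ciphertext(seed: str, blocks: int = 32) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted (or compressed) content."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(blocks))


# --- Constructed sample traces: (pid, op, path, extra) --------------------------
# extra is the written bytes for "write", the new path for "rename", else None.
RANSOMWARE_PID, USER_PID = 4242, 1337
DOCS = [f"/home/alice/Documents/file{i}.docx" for i in range(6)]
PHOTOS = [f"/home/alice/Pictures/img{i}.jpg" for i in range(6)]
PLAINTEXT = b"Quarterly report draft. Revenue grew 4% year over year. " * 40


def ransomware_trace():
    """Read, overwrite with ciphertext, rename to a new extension; then drop a note."""
    ev = []
    for p in DOCS + PHOTOS:
        ev.append((RANSOMWARE_PID, "read", p, None))
        ev.append((RANSOMWARE_PID, "write", p, pseudo_ciphertext(p)))
        ev.append((RANSOMWARE_PID, "rename", p, p + ".locked"))
    ev.append((RANSOMWARE_PID, "write", "/home/alice/Documents/README_DECRYPT.txt",
               b"Your files have been encrypted. Contact us to recover them."))
    return ev


def user_trace():
    """Ordinary editing plus one high-entropy write (a downloaded zip)."""
    return [
        (USER_PID, "read", DOCS[0], None),
        (USER_PID, "write", DOCS[0], PLAINTEXT),
        (USER_PID, "rename", DOCS[0], DOCS[0].replace("file0", "report_final")),
        (USER_PID, "write", "/home/alice/Downloads/archive.zip", pseudo_ciphertext("zip")),
        (USER_PID, "delete", "/home/alice/Downloads/old.tmp", None),
    ]


# --- Feature extraction and scoring ------------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given content (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def extract_features(events):
    """Per-process counters over the whole trace."""
    feats = defaultdict(lambda: dict(reads=0, writes=0, renames=0, deletes=0,
                                     high_entropy_writes=0, ext_changes=0, dirs=set()))
    for pid, op, path, extra in events:
        f = feats[pid]
        f["dirs"].add(path.rsplit("/", 1)[0])
        if op == "read":
            f["reads"] += 1
        elif op == "write":
            f["writes"] += 1
            if shannon_entropy(extra) >= ENTROPY_THRESHOLD:
                f["high_entropy_writes"] += 1
        elif op == "rename":
            f["renames"] += 1
            if extension(path) != extension(extra):
                f["ext_changes"] += 1
        elif op == "delete":
            f["deletes"] += 1
    return feats


def score(f) -> int:
    """Assumed weighted indicators; no single one is decisive on its own."""
    s = 0
    if f["writes"] >= 5 and f["high_entropy_writes"] / f["writes"] >= 0.8:
        s += 2  # bulk of writes look encrypted
    if f["ext_changes"] >= 5:
        s += 2  # mass renaming to a new extension
    if f["reads"] >= 5 and f["writes"] >= f["reads"]:
        s += 1  # read-then-overwrite pattern across many files
    if len(f["dirs"]) >= 2 and f["ext_changes"] >= 5:
        s += 1  # same behaviour repeated across directories
    return s


def classify(events, threshold: int = SCORE_THRESHOLD):
    """Map pid -> 'ransomware-like' or 'benign' for every process in the trace."""
    return {pid: ("ransomware-like" if score(f) >= threshold else "benign")
            for pid, f in extract_features(events).items()}


if __name__ == "__main__":
    for pid, verdict in classify(ransomware_trace() + user_trace()).items():
        print(pid, verdict)
```

In a real deployment the events would come from a file-system monitor (e.g. a minifilter, auditd or fanotify) rather than a constructed list, and the thresholds would need tuning against a corpus of benign activity; the point of the example is only that the combination of indicators separates the two traces while the single high-entropy write in the benign trace does not.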
© 2018 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Grant, L., Parkinson, S. (2018). Identifying File Interaction Patterns in Ransomware Behaviour. In: Parkinson, S., Crampton, A., Hill, R. (eds) Guide to Vulnerability Analysis for Computer Networks and Systems. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-92624-7_14
DOI: https://doi.org/10.1007/978-3-319-92624-7_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-92623-0
Online ISBN: 978-3-319-92624-7
eBook Packages: Computer Science (R0)