A Cyber-Kill-Chain based taxonomy of crypto-ransomware features

Despite being only a few years old, ransomware is quickly becoming a serious threat to our digital infrastructures, data and services. The majority of ransomware families request a ransom payment to restore the custodian's access or to decrypt data that the ransomware encrypted earlier. Although the ransomware attack strategy seems simple, security specialists rank ransomware as a sophisticated attack vector with many variations and families. The wide range of features available in different families and versions of ransomware further complicates their detection and analysis. Though the existing body of research provides significant discussion of ransomware details and capabilities, that body of research is fragmented. Therefore, a ransomware feature taxonomy would advance cyber defenders' understanding of the risks associated with ransomware. In this paper we provide, to the best of our knowledge, the first scientific taxonomy of ransomware features, aligned with the Lockheed Martin Cyber Kill Chain (CKC) model. CKC is a well-established model in industry that describes the stages of cyber intrusion attempts. To ease the challenge of applying our taxonomy in the real world, we also provide the corresponding ransomware defence taxonomy aligned with the Courses of Action matrix (an intelligence-driven defence model). We believe that this research study is of high value for the cyber security research community, as it provides researchers with a means of assessing the vulnerabilities and attack vectors towards the intended victims.


Introduction
The fast growth in both number and types has made ransomware an imminent threat to our digital data [1]. On May 12, 2017, a ransomware called WannaCry (also known as WannaCrypt) attacked thousands of users worldwide, particularly the UK National Health Service (NHS), causing chaos in around 48 hospitals in the UK [2]. Ransomware, in general, is a type of malware that removes authorised users' access to their data and returns it only after a payment (the so-called ransom) is made [3]. Ransomware may meet its objective by encrypting the victim's files (crypto-ransomware) or by locking the victim's machine (locker-ransomware). Either way, the ransomware requests that the victims pay the ransom to (possibly) regain access to the encrypted files or locked systems.
The first ransomware, named AIDS Trojan, was introduced in 1989. It encrypted the victim's files and asked for money to decrypt them [4]. Afterwards, there were reports of occasional ransomware infections such as scareware, GPCode and Reveton, which tried to extort money from their victims [4]. However, the lack of an untraceable payment method was the main barrier preventing attackers from anonymously receiving ransom payments. The introduction and wide adoption of crypto-currencies was the game changer. A cryptocurrency is a peer-to-peer electronic currency in which transactions are secured using cryptographic algorithms [5]. Bitcoin is the main representative of crypto-currency [6].
In 2013, CryptoLocker was probably the first family of ransomware that efficiently leveraged a crypto-currency (Bitcoin in this case) to receive ransom payments, and it became a role model for future ransomware families. Having an anonymous, untraceable payment system and a proven working business model flooded the digital world with a large number of different ransomware families. Each of these families adopts a variety of infection methods and payment techniques. Recently, ransomware has been one of the main areas of research, and several researchers have proposed different ransomware detection methods (such as [7][8][9][10][11][12][13]). Meanwhile, some researchers have briefly discussed ransomware structure, the specification of some ransomware families and their timeline (such as [14][15][16][17][18]). However, the specific features and behaviour of ransomware are not yet well investigated or well documented. Though some phases of a ransomware attack (e.g., delivery) are similar to those of other malware samples, other phases (such as installation, propagation and persistence) are different. We believe that the lack of a systematized and comprehensive reference detailing the specific features of ransomware is among the important barriers to the introduction of effective preventive and detective methods. This is because security analysts would be able to detect a ransomware attack in its early stages only if they are aware of the specific features (e.g., weaponization, exploitation or installation methods) of ransomware. A comprehensive taxonomy would help in differentiating between ransomware and other malware samples, classifying different ransomware families based on their known features, and providing a dedicated course of action for each category.
This motivated us to provide, to the best of our knowledge, the first taxonomy of ransomware features. To this end, we provide the reader with detailed information about the ransomware lifecycle, enabling researchers to work out how a criminal delivers ransomware (considering different families) and infects a victim, how ransomware hides itself, and the actions that ransomware performs on the victim's machine. In order to provide such information in a more understandable and systematized manner, we have adapted the Lockheed Martin Cyber Kill Chain (CKC) [19] model to our ransomware feature taxonomy. CKC is a popular defence model that was originally proposed as the Intrusion Kill Chain (IKC) [20] to describe the phases of computer network intrusions and was later adapted to define the steps of a cyber attack. Our motivation for aligning our proposed taxonomy with the CKC model is to provide fine-grained information about each step that the attacker must complete in order to achieve the goal, since otherwise the attack would fail. The features we extract for each step enhance the security analyst's understanding of the evidence to look for in order to detect the attack.
In order to provide the reader with a high-level overview of a ransomware lifecycle, Fig. 1 shows an example anatomy of a Locky crypto-ransomware attack through a phishing email (we follow the attack phases as explained in [21]).

Contribution
In this paper, in order to help researchers and security analysts understand the architecture of crypto-ransomware and find efficient detection mechanisms, we provide a systematized analysis and taxonomy of crypto-ransomware features. Note that our focus in this paper is only on ransomware families that target personal computers. Although some features of ransomware families targeting mobile phones and IoT devices differ from those targeting personal computers, there are also similarities; we leave this discussion as future work. As a systematization methodology, we consider the Lockheed Martin Cyber Kill Chain (CKC) framework [19,20] and align the behaviour of crypto-ransomware with the offensive steps of a cyber intrusion as described in the CKC framework (which we explain in Sect. 2). Our proposed taxonomy could be used by the many organizations that use CKC in their day-to-day cyber defence planning to address the risk of ransomware attacks, by identifying the points of attack and the ransomware features they should look for in their analysis. After obtaining such information about the structure of the intrusion, the reader needs to know how to defend against each phase of the intrusion attempt. In line with the Lockheed Martin Course of Action (CoA) matrix [20], we provide the information defenders require in order to take appropriate actions.
It is worth mentioning that the fragmentation of scientific research on ransomware and the lack of a coherent investigation methodology for ransomware were our main challenges in this research, which led us to rely more on industrial references alongside scientific research papers.

Organization
The remainder of the paper is organized as follows. In Sect. 2 we provide the required background on the CKC framework and the CoA defence model, which we use throughout. We present our taxonomy of crypto-ransomware features in Sect. 3. In Sect. 4 we provide a ransomware defence overview, which briefly reviews the existing solutions to prevent or detect ransomware attacks and showcases courses of action for some well-known ransomware families. In Sect. 5, we survey the research studies most related to our work. Finally, Sect. 6 highlights possible future research directions.

Background on Cyber Kill Chain and Courses of Actions Matrix
The Intrusion Kill Chain (IKC), also known as the Cyber Kill Chain (CKC), was proposed in 2011 by Lockheed Martin and has since been widely accepted in industry for modelling intrusion attempts from the attacker's perspective [22]. The CKC model is used to develop (threat) intelligence about attackers' Tactics, Techniques and Procedures (TTPs) and for attack attribution [20]. Many researchers have adopted the original CKC model [20] to identify, protect against and mitigate intrusions and malware samples, such as [22]. However, other researchers [23] have adapted the original definition of the CKC model to their own requirements and proposed different steps in the cyber attack chain model. CKC devises seven steps for attackers to achieve their objectives (see Fig. 2), namely (1) Reconnaissance, (2) Weaponization, (3) Delivery, (4) Exploitation, (5) Installation, (6) Command and Control, and (7) Actions on Objectives.
1. Reconnaissance: In this step attackers try to collect as much information as possible about their targets to devise a robust attack. During reconnaissance, attackers may
6. Command and Control (C&C, or C2): After being installed on the victim machine(s), it is time for attackers to get their (virtual) hands on the target keyboards by setting up a remote Command and Control (C&C, also known as C2) channel. The C2 channels can be used to deliver the attackers' commands to the malware or to exfiltrate data from the target environment.
7. Actions on Objectives: Finally, after successful installation and C&C establishment, it is time to perform the desired action(s) to meet the attack objectives. Attackers may have different objectives, from merely accessing and exfiltrating private information to encrypting files and denying custodians access to their data [20].
Footnote 2: A 0-day vulnerability, also known as a zero-day vulnerability, refers to a security vulnerability in software that is still unpatched by the software vendor and can be exploited by criminals in order to gain access to the target system [24].
Based on all the information obtained about the intrusion and the phases that the intrusion undertakes to infect the victim, the Courses of Action (CoA) matrix provides defenders with a model for intelligent actions against each of these phases [20]. In particular, by mapping each of the seven phases of the CKC to the corresponding actions, i.e., detect, deny, disrupt, degrade, deceive and destroy (see Fig. 3), a security analyst can define, in each cell, which security measures should be considered in order to defend against each phase of the CKC.
In this paper, we take advantage of the CKC model and the CoA matrix to provide a systematic analysis of ransomware features and possible defence methods. As highlighted in the literature [23,26], not all seven steps of the CKC model are applicable to every attack scenario, so we adapt only those steps that apply to the ransomware context. Specifically, reconnaissance is a pre-attack step in which the attacker identifies the victim or possible vulnerabilities and hence is not applicable to ransomware; we skip this step and start our analysis from weaponization, then go through delivery, exploitation, installation, C2 and actions on objectives. In ransomware intrusions, as in any other attack, intruders spend a significant amount of time collecting information about their targets (especially in the case of targeted ransomware) to develop effective ransomware [27]. However, the majority of reconnaissance activities are conducted prior to a ransomware release, hence there is no feature in the ransomware samples that corresponds to reconnaissance activities.

Ransomware features taxonomy
This section provides a taxonomy of ransomware features based on the CKC model, starting from the weaponization step. Figure 4 shows our proposed taxonomy of ransomware features and the specific methods adopted by attackers in each step of a ransomware attack. We discuss all the details in this section. To further highlight the benefit of having such a taxonomy, we consider 12 well-known families of ransomware (based on the Ransomware Tracker portal, https://ransomwaretracker.abuse.ch/tracker) and provide a mapping between our proposed taxonomy and the features of those 12 ransomware families in Table 1.

Weaponization
Ransomware developers employ a variety of techniques to weaponize their samples and evade memory-based, file-based and network-based cyber defence mechanisms. We extracted five main weaponization techniques, i.e., embedding commands within a script, delivery payload diversification, file access pattern diversification, encryption method diversification, and the use of different evasion techniques (time-based, data-based, code-based, and network-based). We detail all these techniques in the following.

Script-based ransomware
Script-based ransomware encrypts the victim's data by executing commands embedded within a script. Script-based ransomware usually removes the original script file upon completing the encryption process, so the malware opcodes reside only in memory. These kinds of malware samples are also known as file-less or in-memory-only malware [28]. The fewer residual traces of script-based malware make it a stealthier option for attackers targeting high-profile victims [29,30]. Moreover, as script-based ransomware samples do not require installation, it is easier for them to bypass host-level controls and infect users with limited privileges. The majority of script-based ransomware samples are written in JavaScript (JS), PHP, PowerShell, and Python [31]. As listed in

Delivery payload diversification
With the increasing deployment of web-based anti-malware solutions and users' growing security awareness, it is becoming very difficult for malicious actors to successfully infect a victim by directly sending an executable file. Most malicious files now embed themselves within benign-looking payloads, such as MS Word or video files, to fool anti-malware products. Ransomware leverages a variety of delivery payloads to bypass anti-malware protections and convince users to run the malicious code. For example, CryptoWall [32] ransomware samples use SVG (Scalable Vector Graphics) files as their delivery payload, Marlboro [33] uses Microsoft Word files, Spora uses a ZIP file containing HTA (HTML Application) files [34], and Cerber v6 uses SFX (self-extracting archive) files as the deliverable, containing VBS and DLL (Dynamic Link Library) files [35]. More interestingly, different versions of Locky use a variety of delivery payloads, ranging from weaponized Microsoft Word files to nested Word documents that are dropped by opening a PDF, DLL or HTA file [36]. The diversified delivery payloads used in Locky samples made Locky one of the most successful ransomware families.

Diversifying file access patterns
Various ransomware families have a very similar pattern of interaction with the file system. They usually open a file and load its content first, then start encrypting. Such a predictable pattern has been used by different anti-malware solutions to thwart ransomware attacks. Therefore, ransomware developers have tried to diversify their file access and file system interaction patterns. The CryptoLocker and CryptoWall ransomware families directly overwrite the encrypted data in the same data buffer [14], whereas the Reveton, GPCode, Urausy, and Filecoder ransomware families delete the original files by removing their entries from the MFT (Master File Table). Some Locky samples change file extensions to .locky, while CryptoWall changes the file extension to .crypt, and TeslaCrypt changes the encrypted file extension to .ecc, .ezz, .exx, .xyz or .zzz. As listed in Table 1, TeslaCrypt, CryptoWall, TorrentLocker, PadCrypt, Locky, CTB-Locker, FAKBEN, PayCrypt, Sage and GlobeImposter use this weaponization method.

Diversifying data encryption methods
Ransomware families use either a standard encryption module or their own customized encryption method to encrypt the victim's data. The majority of those ransomware samples that use standard encryption algorithms utilise built-in operating system features or an API (Application Programming Interface) for encryption [7]. For example, Cerber v6 takes advantage of the Windows CryptoAPI, while Petya uses the CryptGenRandom API to generate the data encryption key [37]. The standard encryption modules used by ransomware families can be divided into the following three categories [4,7]:
- Asymmetric Encryption: Some ransomware families use public/private key cryptography to encrypt the victim's data, such as CryptoWall, which uses RSA [38]. In these families, the encryption keys are either generated directly on the victim's machine, as in WannaCry, delivered through the C&C channel, as in Locky, or embedded in the binary, as in TeslaCrypt [38].
- Symmetric Encryption: This method is mostly used with the encryption key embedded in the malware. Different families of ransomware adopt different symmetric encryption methods as well as patterns, e.g., UIWIX first encrypts data with AES-256 in Cipher Block Chaining (CBC) mode followed by RC4 encryption [39], and the Bucbi ransomware uses a less well-known cipher named GOST [40].
- Hybrid Techniques: Such methods first use a symmetric key algorithm, e.g., AES-256 in CBC mode, to encrypt the victim's files/system. Then they use an asymmetric encryption method, e.g., RSA-1024, RSA-2048, or ECC, to encrypt the symmetric key. These techniques are used by several ransomware families such as CryptoLocker and Spora [34]. In hybrid techniques, the criminals usually embed the RSA public key inside the malicious binary payload, so they do not need to communicate with the C2 server in order to retrieve an encryption key. Therefore, when the victim pays the ransom, the criminals use the corresponding RSA private key in order to decrypt the user's files/system.
The use of standard cryptographic algorithms and APIs is a convenient way for attackers to encrypt the victim's data; however, executing a large number of API calls over a large amount of data requires admin privileges, which are not always available in a ransomware attack. This limits the number of machines/files that a ransomware could target. Moreover, it is trivial for anti-malware systems to monitor or limit privileged users' access to the crypto APIs, which leads to the failure of ransomware execution. Therefore, some families of ransomware use a customized encryption mechanism. For example, Mischa uses a randomly generated key as the seed for an XOR operation to encrypt the victim's data [37]. Diversifying encryption techniques and limiting the use of standard cryptographic APIs can be considered an evasion technique against anti-malware products that rely on detecting standard crypto API activity.
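A defence that does not depend on recognising a particular crypto API call is to look at what is written to disk: ciphertext has near-maximal byte entropy regardless of whether the cipher was AES, RC4, GOST or a custom XOR stream keyed from a random seed. The Python below is an added example (not code from the paper) of such an entropy check over write buffers; the threshold of 7.2 bits per byte and the sample buffers are constructed for the example, and the compressed sample is included because legitimate archives and media are the classic false positive of this check.

```python
import math
import os
import random
import zlib
from collections import Counter

# Assumed tuning value for this example, not a figure from the paper.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the buffer's byte entropy is in the range typical of ciphertext."""
    return shannon_entropy(data) >= threshold


def classify_writes(writes: dict) -> dict:
    """Map each path to (entropy rounded to 2 dp, flagged) for a batch of write buffers."""
    return {path: (round(shannon_entropy(buf), 2), looks_encrypted(buf))
            for path, buf in writes.items()}


# Constructed sample buffers standing in for what a file-system monitor would see.
_rng = random.Random(7)
_WORDS = ["revenue", "region", "quarter", "forecast", "customer", "invoice",
          "delivery", "report", "summary", "growth", "margin", "total"]
PLAINTEXT = " ".join(_rng.choices(_WORDS, k=6000)).encode()   # an ordinary document
CIPHERTEXT = os.urandom(4096)                                  # stands in for cipher output
COMPRESSED = zlib.compress(PLAINTEXT, 9)                       # a legitimate archive

SAMPLE_WRITES = {
    "report.docx": PLAINTEXT,
    "report.docx.locky": CIPHERTEXT,
    "archive.zip": COMPRESSED,
}

if __name__ == "__main__":
    for path, (entropy, flagged) in classify_writes(SAMPLE_WRITES).items():
        print(f"{path:20s} entropy={entropy:.2f} flagged={flagged}")
```

The archive is flagged alongside the ciphertext, which is the point of including it: entropy separates plaintext from "random-looking" data but not compression from encryption, so in practice this signal is combined with others (extension changes, write rate per process, magic-byte checks on the new content) rather than used alone.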

Evasion techniques
Evasion techniques enable a malicious program to bypass security controls such as network border defence mechanisms and host-level protections. We consider evasion techniques under the weaponization category as they extend the offensive capabilities of malicious programs. The evasion techniques commonly adopted by ransomware can be divided into four categories: (a) timing-based evasion techniques, (b) data evasion techniques, (c) code evasion techniques, and (d) network evasion techniques. In what follows, we first explain the main idea behind each of these categories and then discuss how they have been used by different families of ransomware.

1-Timing-based Evasion Techniques
One of the most common evasion techniques used by malware samples to evade detection is timing-based evasion, which refers to running only at a specific time/date. Some malware samples also measure the time it takes to run their code, which helps them determine whether they are running inside a debugger [41]. Like other malware samples, some ransomware families also adopt timing-based evasion techniques [42]. We divide the techniques used by ransomware into two categories as follows.
- Delayed Execution: Several researchers have extensively considered a "continuous profile of conducting a malicious activity" as a method for malware detection [43]. In the case of ransomware, the fact that almost all ransomware applications encrypt users' data can be considered a behavioural factor for detecting their execution [9]. The majority of ransomware families, such as Locky, CryptoWall, TeslaCrypt, TorrentLocker, and CTB-Locker, encrypt the intended contents in one go. Therefore, researchers have considered continuous file encryption activity on user data as an element for detecting and stopping ransomware attacks [44]. However, several ransomware families such as KeRanger, Reveton, CryptXXX, or Cerber include delays of a few minutes to even a few days between their encryption attempts in order to evade detection [45,46].
- Event-based Execution: Some ransomware families remain dormant on the system, waiting for the most vulnerable moment (e.g., the system being idle for a long time) or for a specific event on the system (e.g., an admin user logon or a system reboot) to start their attack. For example, versions of the KeRanger ransomware are triggered upon execution of an OS X Time Machine backup in an attempt to encrypt the backup data as well [47].
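The file-access-pattern section above and the delayed-execution item here describe the same detection problem from two sides: a rate rule over file renames catches families that encrypt in one go, and a throttled family defeats it. The following Python is an added example (not code from the paper) of a detector run over a constructed file-event log; it applies a sliding-window burst rule per process and, alongside it, a cumulative count that does not reset, so that a process renaming one file every ten minutes is still caught eventually. The extension list is the one the paper gives for Locky, CryptoWall and TeslaCrypt; the window size, thresholds and process ids are assumptions for the example.

```python
from collections import defaultdict, deque

# Extensions the paper lists for Locky (.locky), CryptoWall (.crypt) and TeslaCrypt.
SUSPICIOUS_EXTS = {".locky", ".crypt", ".ecc", ".ezz", ".exx", ".xyz", ".zzz"}

# Assumed tuning values for this example, not figures from the paper.
WINDOW_SECONDS = 60        # sliding window for the burst rule
BURST_THRESHOLD = 20       # suspicious renames inside one window
CUMULATIVE_THRESHOLD = 50  # suspicious renames over the whole observation period


def is_suspicious_rename(path: str) -> bool:
    """A rename whose new name ends in a known ransomware extension."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in SUSPICIOUS_EXTS


def detect(events, window=WINDOW_SECONDS, burst=BURST_THRESHOLD,
           cumulative=CUMULATIVE_THRESHOLD):
    """events: iterable of (timestamp_seconds, pid, op, new_path), sorted by time.

    Returns {pid: set_of_reasons}. "burst" is the rate rule that one-go
    encryptors trip; "cumulative" is the count rule that throttled encryptors
    cannot wait out.
    """
    recent = defaultdict(deque)   # pid -> timestamps inside the current window
    totals = defaultdict(int)     # pid -> suspicious renames seen so far
    alerts = defaultdict(set)
    for ts, pid, op, path in events:
        if op != "rename" or not is_suspicious_rename(path):
            continue
        totals[pid] += 1
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= burst:
            alerts[pid].add("burst")
        if totals[pid] >= cumulative:
            alerts[pid].add("cumulative")
    return dict(alerts)


def build_sample_events():
    """Constructed event log: a one-go encryptor, a throttled encryptor and a benign process."""
    events = []
    # pid 4242 behaves like Locky: 100 renames in about 30 seconds.
    events += [(i * 0.3, 4242, "rename", f"C:/Users/a/Docs/f{i}.docx.locky") for i in range(100)]
    # pid 5151 behaves like a delayed-execution family: one file every 10 minutes.
    events += [(i * 600.0, 5151, "rename", f"C:/Users/a/Pics/p{i}.jpg.crypt") for i in range(60)]
    # pid 777 is a backup tool: a handful of ordinary renames and writes.
    events += [(i * 5.0, 777, "rename", f"C:/Users/a/Docs/f{i}.docx.bak") for i in range(5)]
    events += [(i * 5.0 + 1, 777, "write", f"C:/Users/a/Docs/f{i}.docx") for i in range(5)]
    return sorted(events, key=lambda e: e[0])


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {sorted(reasons)}")
```

With the count rule disabled, pid 5151 produces no alert at all, which is exactly the gap the delayed-execution families exploit; the price of the cumulative rule is that it fires late, after many files have already been renamed, so in a real deployment it is paired with per-file content checks (such as write entropy) and with backups that the process cannot reach.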

2-Data Evasion Techniques
Basically, malware data evasion techniques focus on removing the remnants of malicious activities, hence making it more difficult to trace a malware or detect its presence on a machine. Different ransomware families use a variety of data evasion techniques, of which we explain the representative ones in the following.
- Self-deleting/Self-destruction: Some malware samples are armored with self-deleting features to delete their traces on an infected machine [48]. By removing the traces of its existence, a malware evades detection by anti-malware products and further complicates forensic investigation tasks. Some ransomware families such as Cerber v6, Locky, CryptoWall, and TeslaCrypt are equipped with self-deleting features and remove the malicious executable files from infected machines [46].
- Anti-dump Techniques: Generally, malware code is weaponized (e.g., packed) in such a way that makes it difficult for security analysts to reverse the compiled code. Even the most armored code must be decrypted/unpacked in memory so that the instructions (opcodes) can be executed by the CPU [49]. One method to analyse armored malware is to dump the process from memory and then analyse the malware code [48,50]. To mislead such analysis, cybercriminals usually utilize anti-dump techniques such as modifying/erasing the PE (Portable Executable) header, or loading different parts of a binary at different memory locations (a technique called "stolen bytes") [50]. It might even be possible to find the decryption key of a ransomware by dumping its process memory, as reported in [51] for the Chimera ransomware investigation. Hence, several families of ransomware such as TeslaCrypt and CTB-Locker are weaponized with anti-dump features to evade any forensic attempt.
- Creating Alternate Data Streams: Alternate Data Streams (ADS) were introduced into the NTFS of Windows XP SP2 in order to provide compatibility between the Mac and Windows file systems. Basically, an ADS provides information for the operating system about the attributes of a file and how the data associated with the ADS should be used [52,53]. However, several malware authors have used ADS in order to associate a hidden malicious executable with a legitimate file, infecting a target system while evading detection by anti-malware products and analysts [52,53]. For example, a .txt file can be associated with a malicious .exe ADS, which can be executed directly without the need for a starter code in the main data stream [54]. Some ransomware families such as TeslaCrypt [55] have used ADS in order to bypass detection.
- Deleting the Zone Identifier: The "zone identifier" is a special ADS for files stored on an NTFS partition that specifies the origin of a file [56]. For example, Windows Internet Explorer uses the Zone.Identifier values "local intranet", "trusted sites", "Internet", "restricted sites", or "local machine" as zone identifiers [57,58]. This Zone.Identifier information helps malware analysts speculate about the origin of a malware. Therefore, malware developers commonly change the Zone.Identifier allocated to their files, e.g., from "Internet" to "trusted", to further complicate malware tracing activities [58]. Similarly, some ransomware families, such as TeslaCrypt [59] and Locky [60], delete the Zone.Identifier to make it more difficult for an analyst to determine the origin of the ransomware.
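As an added, analyst-side example (not code from the paper), the following Python parses the contents of a file's Zone.Identifier stream into a triage verdict, and treats a missing stream as a finding in its own right, since both locally created files and files whose mark was removed (as the paper reports for TeslaCrypt and Locky) lack it. The stream texts are constructed samples; on Windows the real stream is read with open(path + ':Zone.Identifier'). The ZoneId numbering (0 local machine to 4 restricted sites) is Windows' standard URL security zone numbering; the verdict wording is my own.

```python
from typing import Optional

# Standard Windows URL security zone ids carried in the ZoneId= field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> Optional[dict]:
    """Parse the INI-style [ZoneTransfer] block of a Zone.Identifier stream.

    Returns a dict with zone_id, zone name, referrer and host, or None when the
    text carries no usable ZoneId (malformed or foreign content).
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        return None
    try:
        zone_id = int(fields["ZoneId"])
    except ValueError:
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": fields.get("ReferrerUrl"),
        "host": fields.get("HostUrl"),
    }


def triage(samples: dict) -> dict:
    """samples: {filename: stream text, or None when the file has no such stream}.

    Returns {filename: verdict}. A missing stream on a file that arrived from
    outside is the signal the paper describes: the mark was never set, or was deleted.
    """
    verdicts = {}
    for name, stream in samples.items():
        if stream is None:
            verdicts[name] = "no Zone.Identifier stream (created locally, or the mark was removed)"
            continue
        info = parse_zone_identifier(stream)
        if info is None:
            verdicts[name] = "malformed Zone.Identifier stream"
        elif info["zone_id"] >= 3:
            origin = f" via {info['host']}" if info["host"] else ""
            verdicts[name] = f"downloaded from zone {info['zone']}{origin}"
        else:
            verdicts[name] = f"origin zone {info['zone']}"
    return verdicts


# Constructed stream contents for five hypothetical files on an NTFS volume.
SAMPLE_STREAMS = {
    "invoice.docm": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.test/\r\n"
                    "HostUrl=https://files.example.test/invoice.docm\r\n",
    "setup.exe": "[ZoneTransfer]\r\nZoneId=2\r\n",
    "notes.txt": None,
    "odd.bin": "not an ini file",
    "strange.exe": "[ZoneTransfer]\r\nZoneId=9\r\n",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_STREAMS).items():
        print(f"{name:14s} {verdict}")
```

Because the mark is just another stream on the file, its absence proves nothing on its own; it is the combination of "no mark" with other evidence of external arrival (a mail client's download record, a browser history entry, a matching HostUrl on a sibling file) that makes the deletion itself the indicator.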

3-Code Evasion Techniques
Cybercriminals adopt several techniques to armor their malicious code against reverse engineering and further complicate the malware analysis task [48]. In what follows, we explain the different code evasion techniques used by ransomware families.
- Anti-debugging Techniques: A debugger is a tool or program that inspects other programs' interactions with the CPU while they are loaded in memory and executed. There are several anti-debugging techniques (e.g., using heap flags, or the Windows API [61]) that ransomware commonly uses to detect whether a debugger is attached or injected into its code [62,63]. Moreover, the mere detection of a running known debugger, such as OllyDbg [64], or of a debugging-related process (such as procexp.exe, regedit, or msconfig) may cause some ransomware samples to avoid execution or to kill the debugging process prior to launching their malicious binary payload [65]. The majority of ransomware families, such as JIGSAW [66], TeslaCrypt, CTB-Locker, Locky, CryptoWall, and TorrentLocker, leverage anti-debugging techniques.
- Anti-disassembly Techniques: One of the malware analysis methods is reverse engineering the malware code by loading it into a disassembler [48]. Malware authors adopt several anti-disassembly methods (such as junk/dead code insertion or payload obfuscation and encryption) in order to defeat reverse engineers [48,67]. In a method called "dead code insertion", several simple or complex code sequences and branches with no execution effect are included in several parts of the code [68]. Moreover, packing a malware by encrypting or obfuscating its executable payload may significantly increase its analysis time [69,70]. Ransomware authors use anti-disassembly techniques to complicate static analysis and reversing tasks. For example, CryptoWall v3, CrypVault, Cerber, and Petya insert junk code in between the real code stream in order to make reverse engineering difficult [37,55,71,72 [79]. In contrast, in the artifact-based techniques, a malware recognizes whether it is running in a virtual environment by checking the MAC address of the host machine in the registry, or by checking the processes running on the host machine [67].
- Polymorphism and Metamorphism: Malware authors utilize these two features to evade signature-based malware detection by making small and interim changes to the characteristics of the malware (usually within a specific malware family). The "polymorphic" behaviour is the capability of self-mutation through the use of encryption (i.e., in each execution of the file, the malware mutates its static binary code using a different encryption key), leading to a variety of signatures for the same malware [69]. The "metamorphic" behaviour refers to the continuous reprogramming of the malware in every execution iteration/distribution in order to change the malware signature [69,80]. Several families of ransomware, such as Reveton, Winlock, and Urausy, adopt polymorphic techniques to evade detection [14].

4-Network Evasion Techniques
techniques are quite effective at detecting known attacks but incapable of detecting unseen attacks. Anomaly-based detection techniques have a very high false-positive rate, although they may be able to detect unforeseen attacks as well [82]. Ransomware developers utilize different techniques to deceive network-based defence mechanisms [83], as we discuss in the following.
- Network Traffic Encryption: Encrypting network traffic blinds the majority of network defence solutions and allows communication between the victim device and the C&C server to remain undetected. Several families of ransomware adopt such methods to evade detection, for example CryptoWall (which encrypts its communication with the RC4 algorithm) [55] and Locky [60].
- Utilizing Traffic Anonymizers: Traffic anonymizers, such as Tor, encrypt the communication between two endpoints and forward the traffic through several relay nodes in order to defeat attempts to detect the origin of an attack. Some families of ransomware, such as CTB-Locker and Onion ransomware, communicate with the C2 server through the Tor anonymity network [84,85]. The CryptoWall v3 ransomware uses I2P network proxies to communicate with the C2 server and uses the Tor network for ransom payments [86], while Locky uses Tor for the payment [60].
- Domain Shadowing: Cybercriminals may steal the credentials of legitimately registered domains (e.g., GoDaddy accounts) in order to create a large number of sub-domains that are mapped to their malicious server(s) [87]. Domain shadowing evades detection by rotating the sub-domains associated with a malicious server hosting the attackers' content [87]. In particular, ransomware families delivered through exploit kits (EKs) utilize the domain shadowing technique, e.g., CryptoWall v3 and TeslaCrypt v2, which are delivered by the Angler EK [88].
- Fast Flux: In this evasion method, the IP address associated with a single domain, or the DNS record mapped to the domain, rotates through a list of IP addresses to prevent detection of the live malicious IP tied to a specific malware campaign at a given time [87]. This technique evades IP blacklisting defence mechanisms and has been utilized in several ransomware campaigns, such as versions of the WannaCry ransomware hosted on Avalanche's infrastructure [89].
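Domain shadowing and fast flux both leave a footprint in passive DNS data that a defender can score without any knowledge of the payload: a fluxing name rotates through many addresses in unrelated networks with short TTLs, and a shadowed registered domain sprouts many throwaway sub-domains that resolve away from the apex's own address. The Python below is an added example (not code from the paper) of both heuristics run over a constructed resolution log. The thresholds are assumptions; the "registrable domain" helper uses the last two labels, which is a simplification a real deployment would replace with the Public Suffix List; all names and addresses are made up, using reserved documentation ranges.

```python
from collections import defaultdict
from ipaddress import ip_address

# Assumed tuning values for this example, not figures from the paper.
FLUX_MIN_DISTINCT_IPS = 5   # a fluxing name rotates through many addresses...
FLUX_MIN_PREFIXES = 3       # ...spread over unrelated /24 networks...
FLUX_MAX_AVG_TTL = 300      # ...with short TTLs so the rotation takes effect quickly
SHADOW_MIN_SUBDOMAINS = 6   # many throwaway sub-domains under one registered domain


def registrable_domain(qname: str) -> str:
    """Last two labels of a name. Simplification: real deployments use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_fast_flux(records, min_ips=FLUX_MIN_DISTINCT_IPS, min_prefixes=FLUX_MIN_PREFIXES,
                   max_avg_ttl=FLUX_MAX_AVG_TTL):
    """records: iterable of (timestamp, qname, ip, ttl). Returns {qname: stats} for fluxing names."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for _, qname, ip, ttl in records:
        name = qname.rstrip(".").lower()
        ips[name].add(ip)
        ttls[name].append(ttl)
    flagged = {}
    for name, addrs in ips.items():
        prefixes = {int(ip_address(a)) >> 8 for a in addrs}   # distinct /24 networks
        avg_ttl = sum(ttls[name]) / len(ttls[name])
        if len(addrs) >= min_ips and len(prefixes) >= min_prefixes and avg_ttl <= max_avg_ttl:
            flagged[name] = {"distinct_ips": len(addrs), "prefixes": len(prefixes), "avg_ttl": avg_ttl}
    return flagged


def find_domain_shadowing(records, min_subdomains=SHADOW_MIN_SUBDOMAINS):
    """Flag registered domains whose many sub-domains resolve away from the apex's own address."""
    apex_ips = defaultdict(set)
    sub_ips = defaultdict(lambda: defaultdict(set))   # apex -> sub-domain -> addresses
    for _, qname, ip, _ in records:
        name = qname.rstrip(".").lower()
        apex = registrable_domain(name)
        if name == apex or name == "www." + apex:
            apex_ips[apex].add(ip)
        else:
            sub_ips[apex][name].add(ip)
    flagged = {}
    for apex, subs in sub_ips.items():
        elsewhere = {s for s, addrs in subs.items() if not addrs & apex_ips[apex]}
        if len(elsewhere) >= min_subdomains:
            flagged[apex] = {"subdomains": len(elsewhere), "apex_ips": sorted(apex_ips[apex])}
    return flagged


def build_sample_records():
    """Constructed passive-DNS log: a CDN host, a fluxing host and a shadowed domain."""
    recs = []
    # A CDN host: several addresses inside one /24 with a short TTL is ordinary load balancing.
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]):
        recs.append((i * 60, "cdn.example.net", ip, 60))
    # A fast-flux host: addresses scattered over unrelated networks, short TTL.
    flux = ["192.0.2.1", "198.51.100.1", "203.0.113.1", "192.0.2.2",
            "198.51.100.2", "203.0.113.2", "192.0.2.3", "198.51.100.3"]
    for i, ip in enumerate(flux):
        recs.append((i * 120, "pay.fluxy-example.org", ip, 120))
    # A shadowed domain: a legitimate apex plus throwaway sub-domains pointing elsewhere.
    recs.append((0, "goodshop-example.com", "203.0.113.50", 3600))
    recs.append((0, "www.goodshop-example.com", "203.0.113.50", 3600))
    for i in range(8):
        recs.append((i * 300, f"x{i}kq.goodshop-example.com", "198.51.100.77", 300))
    return recs


SAMPLE_RECORDS = build_sample_records()

if __name__ == "__main__":
    print("fast flux:", find_fast_flux(SAMPLE_RECORDS))
    print("domain shadowing:", find_domain_shadowing(SAMPLE_RECORDS))
```

The CDN host is deliberately close to the flux pattern (several addresses, short TTL) and is kept out only by the prefix-spread condition, which is why a single-feature rule such as "many IPs" or "low TTL" alone is a poor fast-flux detector; likewise, a shadowed domain's apex keeps resolving normally, so blocking must be done at the sub-domain level rather than against the registered domain that the legitimate owner still uses.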

Delivery
Even the best-weaponised malware must find a way to be delivered to its intended targets. Ransomware uses a variety of delivery techniques, as we discuss in this section.

Social engineering
Social engineering is a technique used by attackers to persuade a human being to trust the attacker and take the attacker's desired actions, such as clicking on a link or revealing sensitive information. Though there are several definitions of social engineering [90][91][92], all of them more or less express the same message: attackers adopt different psychological (e.g., impersonation or friendship) or physical (e.g., workplace, phone, or on-line) tricks to obtain sensitive information (e.g., passwords) [90]. Social engineering is one of the most common delivery methods used by malware samples and is well adopted by ransomware as well. Ransomware attackers adopt different methods of social engineering in order to deliver the malware to the victim and conduct the planned malicious actions, as described in the following [4].
Phishing: Phishing, in general, is an attempt to convince victims to share their sensitive information, such as a user name and password, or credit card information. Phishing can be performed in several ways, such as spam emails, instant messaging, or even phone calls [93,94]. Phishing messages claim to be from a trusted organization, such as a bank or a shipping company, and are not targeted at a specific group of people. Several families of ransomware use phishing methods in order to encourage victims to visit an infected website or download an attachment, through which a malicious payload containing the ransomware is delivered to the victim's device.
Trend Micro [36] reported that around 71% of ransomware families are delivered to victims through spam emails. The criminals use a variety of email subjects in order to convince the victim to open the email, such as banking notifications, invoices, item delivery and so on [36]. An example of ransomware delivered through phishing is Locky. This ransomware was sending phishing emails pretending to come from government tax agencies, such as the British HMRC, the French Impots, and the Australian MyGov [95]. Other examples of ransomware delivered by phishing include, but are not limited to, SamSam, Cryptolocker, TeslaCrypt, Cerber, and Marlboro [33, 96-99].
Spear-phishing
Compared to the phishing method, spear-phishing is a targeted phishing attack by which the cybercriminals attempt to gain access to the sensitive information of a specific group of users, e.g., the employees of a critical organization [94]. In order to perform a successful spear-phishing attack, the attacker generally performs careful reconnaissance and gathers as much information as possible about the victim, for example through social networks (e.g., Facebook, LinkedIn, etc.) [100].
The most popular ransomware delivery method is spear-phishing, where a criminal: (i) uses emails to send ransomware as an attachment (e.g., Spora [34]), (ii) posts web links to infected websites hosting the ransomware (e.g., TeslaCrypt [38]), or (iii) uses links to cloud storage hosting the ransomware, e.g., "Dropbox" links used to deliver Petya [101] and Cerber [102], and the "1fichier" cloud storage used to deliver JIGSAW [66]. When the user downloads the attachment or clicks on the link, the ransomware drops itself onto the machine; usually either the surrounding story crafted as part of the spear-phishing encourages the user to open the attachment, or the attackers' reconnaissance knowledge already provides a means to auto-start the ransomware in the background.

Malvertisement
In this method, criminals run an advertisement campaign on a (legitimate) website; clicking on the advert link redirects users to attacker-owned domains, where the ransomware is dropped onto the victim machine. Malvertisement campaigns have infected many famous websites, including the New York Times and the BBC [103]. In the case of ransomware, upon clicking, the victim is redirected to an infected website hosting the ransomware or an exploit kit that finds vulnerabilities in the victim system and installs the ransomware. For example, the Cerber malvertisement campaign redirects users to the Magnitude, Rig, Neutrino, and Sundown exploit kits [46].

Traffic distribution system
A Traffic Distribution System (TDS) redirects the web traffic of a legitimate web site to a malicious web site that is hosting the attackers' content (an exploit kit, malware, or ransomware) [104]. In this method of delivery, instead of infecting a web site or purchasing an infected web server, an attacker buys redirected traffic of a legitimate web site (which usually hosts adult content, video streaming or gaming services) from a TDS vendor and redirects it to his malicious web sites [105]. This web site usually hosts a drive-by-download ransomware that is delivered to the victim machine later on [105]. Several ransomware campaigns deliver their malicious payload using a TDS, e.g., Locky, which is distributed through the Nuclear exploit kit [106]. In this example, when the victim visits a compromised website, he/she is redirected to a TDS, which in turn redirects the user to the attacker's exploit kit landing page.

Exploitation
After the malicious payload has been delivered, the ransomware needs to find a way to launch itself on the victim machine. This usually happens through exploiting a vulnerability in the target environment, either by utilizing an exploit kit or by launching a targeted exploit.

Exploit kits
An Exploit Kit (EK) is a hacking software toolkit that cybercriminals use in order to scan a target machine for possible vulnerabilities (e.g., unpatched software) and exploit those vulnerabilities in order to launch malware and infect the victim machine [107]. Attackers lure or redirect victims to domains that host their EKs, where the victim machine's existing vulnerabilities (e.g., unpatched Adobe Flash) are detected and exploited to provide a foothold on the compromised machine. The gained foothold can be used to launch the intended malicious payload [108]. The growing trend of providing exploit-as-a-service on the black market enables criminals to easily purchase an EK and equip it with their desired ransomware payload [3,109].
Exploit kits are among the most common methods for launching ransomware on victim machines. The Angler EK, which exploits unpatched Adobe Flash and Microsoft Silverlight, has been used by several ransomware families such as CrypWall, TeslaCrypt, Crilock, and Waltrix [107,109]. The Neutrino and Magnitude EKs, which target unpatched Adobe Flash, are used to execute CrypWall and Cerber [107]. The Rig and Sundown EKs, which target vulnerable Microsoft Silverlight versions, are used to launch TeslaCrypt, Cerber, and CryptoShocker [107]. The Nuclear EK, which compromises vulnerable installations of Adobe Flash, is used to drop and run TeslaCrypt, Locky, CRYPCTB, and CRYPSHED [107,109]. The Blackhole EK, which targets vulnerabilities in Adobe Reader, Adobe Flash and Java, is leveraged to deliver CryptoLocker and Reveton [107,110,111].

Targeted exploitation
While EKs mainly target mass users, many successful ransomware attacks are based on the attackers' previous reconnaissance of the victim environment and the development of a customized targeted exploit that runs on the intended victims' machines and launches the ransomware. Targeted ransomware attacks are rising very quickly and have become an imminent threat to enterprises [27]. The SamSam ransomware was probably the most widely known targeted ransomware [112]. More recently, Petya (later announced to be a wiper) also targeted specific vulnerabilities on its initial launch [113].

Installation
After being successfully launched on the victim machine during the "exploitation" step, the next phase in the life-cycle of a ransomware attack is the installation of the malicious binary payload in the victim environment. As part of installation, some families of ransomware connect to the C2 server and receive encryption instructions (such as CryptoWall), while others may start encryption without a C2 connection (such as SamSam). Moreover, some families of ransomware, such as WannaCry, may act as a worm and start distributing themselves to the other nodes available on the local network. Hence, the installation of a ransomware can be divided into two phases, which may be performed concurrently: (1) installation on the infected host, and (2) installation on the target network.

Installation on the infected host
In this phase, the ransomware launches its malicious binary payload on the infected host; it not only encrypts the files residing on the victim machine but also reaches any accessible backup versions and encrypts them as well.
Making Files Unavailable
Different ransomware samples take different approaches to making users' files unavailable. Some ransomware families only encrypt the user's data and deny the user's access to his/her files. Encryption could be limited to specific files on the target, to specific file types (such as images, videos, Office files, or PDF files), or even to files with specific properties (e.g., a specific size or creation date) [7]. Other ransomware families, such as Bart, may just archive the user's files into a password-protected repository during installation [114]. However, in all the aforementioned cases the victim is still able to use the infected machine, e.g., for paying the ransom. On the other side, some ransomware families, such as HDDCryptor [115], Mamba [116], Santa [117] and Petya [101], take a more intrusive approach and encrypt the whole hard disk of the victim machine, making the system completely unavailable. As these ransomware families encrypt the Master Boot Record (MBR), they are also known as "boot lockers".

Encryption of Backup or Recovery Data
During installation, the majority of ransomware families try to infect any accessible backup storage (e.g., USB drives, external hard drives and cloud storage [97]), remove available restore files and delete all the Volume Shadow Copies (VSCs). For example, CryptoLocker, Locky, and PadCrypt adopt this method [118]. Some other variants of ransomware, such as Spora, disable Windows Startup Repair and change the Boot Status Policy [34]. In fact, the criminals behind ransomware try to maximize their gain while reducing the user's opportunities to recover the data without making a payment.
Most families of ransomware, such as Cerber, delete all the backup files on the victim machine [35].
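As an added illustration of how a defender can surface this installation-phase behaviour (example code written for this page, not from the paper), the following Python detector scans constructed process-creation log lines for commands that delete shadow copies, resize shadow storage, delete the backup catalog, disable Startup Repair or change the boot status policy, and correlates them per parent process; the log layout and the rule set are assumptions.

```python
"""Flag process-creation events that tamper with backup and recovery data.

Added example (not from the paper). It scans a constructed process-creation
log for the installation-phase behaviours described above: deleting Volume
Shadow Copies, disabling Startup Repair, changing the boot status policy and
deleting the backup catalog. Log layout and rule set are assumptions.
"""
import re
from collections import defaultdict

# Rule name -> regex applied to the lower-cased command line. The patterns
# reflect publicly documented Windows utilities and are not exhaustive.
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_storage_resize_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("boot_status_policy_change",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b")),
    ("startup_repair_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\b(no|off)\b")),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]

# Assumed log line layout (one event per line, constructed for this example).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Constructed sample telemetry: one parent (pid 3988 on WS-17) spawns the
# typical recovery-tampering sequence; the remaining lines are benign noise.
SAMPLE_LOG = """\
2017-05-12T10:00:41Z host=WS-17 pid=3988 ppid=1204 image=C:\\Users\\u\\Downloads\\invoice.exe cmd="invoice.exe"
2017-05-12T10:01:03Z host=WS-17 pid=4120 ppid=3988 image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"
2017-05-12T10:01:04Z host=WS-17 pid=4131 ppid=3988 image=C:\\Windows\\System32\\wbem\\wmic.exe cmd="wmic shadowcopy delete"
2017-05-12T10:01:05Z host=WS-17 pid=4140 ppid=3988 image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
2017-05-12T10:01:05Z host=WS-17 pid=4141 ppid=3988 image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
2017-05-12T10:02:10Z host=WS-09 pid=2210 ppid=880 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"
2017-05-12T10:03:00Z host=WS-09 pid=2250 ppid=880 image=C:\\Backup\\agent.exe cmd="agent.exe --schedule nightly"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd):
    """Return the names of all rules that match a command line."""
    lowered = cmd.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def detect(log_text):
    """Scan a log and return (alerts, parents).

    alerts:  one dict per (event, rule) match.
    parents: {(host, ppid): set of rule names}, so that a single parent
             process issuing several distinct tampering commands stands out.
    """
    alerts = []
    parents = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        for rule in match_rules(ev["cmd"]):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "pid": ev["pid"],
                           "ppid": ev["ppid"], "rule": rule, "cmd": ev["cmd"]})
            parents[(ev["host"], ev["ppid"])].add(rule)
    return alerts, dict(parents)


def severity(parents, high_threshold=2):
    """'high' when one parent triggered >= high_threshold distinct rules, else 'medium'."""
    return {key: ("high" if len(rules) >= high_threshold else "medium")
            for key, rules in parents.items()}


if __name__ == "__main__":
    found, by_parent = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]} pid={a["pid"]} ppid={a["ppid"]} {a["rule"]}: {a["cmd"]}')
    for (host, ppid), sev in severity(by_parent).items():
        print(f"{host} parent pid {ppid}: {sev} ({len(by_parent[(host, ppid)])} distinct rules)")
```

A single shadow-copy deletion is also issued by legitimate administration, which is why the per-parent correlation, not the individual match, carries the high severity here.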

Installation on the infected network
Some ransomware families not only infect the single host on which they are delivered, but also distribute themselves to all the connected drives and across the target network, in order to infect as many machines as possible. In particular, some ransomware families have worm-like behaviour, i.e., once dropped on a system they are able to move laterally in the network and propagate themselves to other systems without user intervention, e.g., through file transfer protocols, network shares, etc. [119]. There are two main methods that ransomware families adopt in order to spread through a network, as we explain in the following.
Using Remote Desktop - Terminal Service
Remote Desktop Protocol (RDP) is often used for host-to-host communication over a network [120]. However, RDP is known to suffer from many vulnerabilities (such as MS15-067 and MS15-030), which are widely misused by attackers for remote code execution and malicious binary payload distribution [121]. Some ransomware samples, such as Crysis, are known for their capability of exploiting RDP vulnerabilities to install themselves on the target network [122]. Another example is Bucbi ransomware, which spreads through brute-force attacks on RDP [40].

Using Server Message Block (SMB) Protocol
The SMB protocol is a client-server protocol used by the Windows operating system in order to share files, printers, and serial ports. Attackers have reportedly misused SMB vulnerabilities to remotely execute their malicious code and spread their malware across the network [123]. The SMB protocol has been exploited by ransomware developers as well. For example, HDDCryptor targets all the network shares (e.g., files and serial ports) using SMB [115]. The WannaCry ransomware exploited the "EternalBlue" SMB vulnerability to compromise Windows machines [124]. Moreover, Petya-based ransomware (also called NotPetya) exploits two SMB vulnerabilities, i.e., "EternalBlue" and "EternalRomance", to infect the target network (while it also extracts the victim's credentials from memory or the file system in order to spread via Windows network shares) [125].

Command and Control (C2)
Communication with the C2 server to receive the encryption key or ransom payment details is a vital stage of the ransomware lifecycle. In spite of the differences between ransomware families in accessing their C2 server, the following two phases are distinguishable: (1) C2 connection before starting the encryption, in order to receive the encryption key; (2) C2 connection after performing the encryption, in order to receive the ransom payment information which should be shown to the victim.
The first phase of C2 communication is crucial for those ransomware samples that use "asymmetric encryption" and require the C2 server to generate the public and private key pair and transfer the public key back to the victim machine for encryption [4]. For example, the first message that CryptoWall v3 receives from the C2 server contains: (i) the payment information uniquely generated for the victim, and (ii) a unique public key for encrypting the victim's files [55]. However, some ransomware families, such as Petya and Mischa [37], Spora [34], and SamSam [85], locally generate symmetric encryption keys on the infected host without communicating with their C2 server, and use public keys hard-coded in the malicious binary payload.
Ransomware samples leverage a variety of techniques to find the address of the C2 server that they need to connect to. These techniques include:
1. Hard-coded C2 IP Addresses [55]:
Some ransomware families, such as Locky [60], have a list of C2 IP addresses hard-coded within the ransomware binary file. These ransomware samples are able to find and bind themselves to their C2 servers without performing any domain search or sending DNS queries. While hard-coding C2 IP addresses makes these ransomware samples less noisy in terms of generated network traffic (and so makes it easier for them to evade network-based ransomware detection methods), it is trivial for a reverse engineer to reverse the code, find the C2 IP addresses and block them on the network gateway.

2. Using Domain Generation Algorithm (DGA):
Basically, domain generation algorithms periodically and (usually) randomly generate domain names. They use a variety of randomization algorithms, such as pseudo-random number generators [126]. Several ransomware families, such as Locky and GPCode, use DGAs to generate random domain names associated with a live ransomware C2 at a given time [4]. Periodic generation of random domain names makes it difficult for defenders to trace the domains and blacklist them in a timely manner. However, observation of random-looking and previously unseen DNS requests can be evidence of a compromised host.
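To make the last observation concrete, here is an added Python example (not from the paper) that scores the names in a DNS query log for DGA-like structure and correlates the hits per client, so that a host issuing a burst of random-looking, mostly non-resolving lookups stands out; the log format, the thresholds and the single-label-TLD assumption are constructed for this example.

```python
"""Score DNS queries for DGA-like domain names and correlate per client.

Added example (not from the paper). The log format, the thresholds and the
assumption that every queried name ends in a single-label TLD are
constructed for this example; the heuristics (character entropy, vowel
ratio, length, NXDOMAIN clustering) are standard DGA indicators.
"""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Entropy in bits per character of the string's character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def vowel_ratio(label):
    """Fraction of vowels among the characters of a label."""
    return sum(ch in VOWELS for ch in label) / len(label) if label else 0.0


def registered_label(qname):
    """Return the label directly left of the TLD (assumes single-label TLDs)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(label, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated.

    Entropy alone is not enough: the legitimate label 'microsoftonline' has
    entropy of about 3.32 (above the threshold) but a vowel ratio of 0.47.
    """
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def analyze(log_text):
    """Per-client summary: DGA-like queries and NXDOMAIN answers to them."""
    report = defaultdict(lambda: {"dga_queries": [], "nxdomain": 0, "total": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing
        _ts, client, qname, rcode = fields
        entry = report[client]
        entry["total"] += 1
        if is_dga_like(registered_label(qname)):
            entry["dga_queries"].append(qname)
            if rcode == "NXDOMAIN":
                entry["nxdomain"] += 1
    return dict(report)


def flag_clients(report, min_dga_queries=3):
    """Clients with at least min_dga_queries DGA-like lookups deserve a look."""
    return sorted(c for c, e in report.items()
                  if len(e["dga_queries"]) >= min_dga_queries)


# Constructed sample log: "<timestamp> <client> <qname> <rcode>". The four
# random-looking names were made up for this example.
SAMPLE_LOG = """\
2017-02-01T09:00:01Z 10.0.0.21 www.example.com NOERROR
2017-02-01T09:00:02Z 10.0.0.21 login.microsoftonline.com NOERROR
2017-02-01T09:00:05Z 10.0.0.21 en.wikipedia.org NOERROR
2017-02-01T09:01:10Z 10.0.0.34 qkxwvbtrzpdhmsn.info NXDOMAIN
2017-02-01T09:01:11Z 10.0.0.34 a9f3kz7wq2pl4rt.net NXDOMAIN
2017-02-01T09:01:12Z 10.0.0.34 xjqzvbpwlfhgtmdk.com NXDOMAIN
2017-02-01T09:01:13Z 10.0.0.34 uyplxqzwvbrtnmkd.org NOERROR
2017-02-01T09:02:00Z 10.0.0.21 mail.google.com NOERROR
"""

if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for client in flag_clients(summary):
        e = summary[client]
        print(f"{client}: {len(e['dga_queries'])} DGA-like of {e['total']} queries, "
              f"{e['nxdomain']} NXDOMAIN -> {', '.join(e['dga_queries'])}")
```

The NXDOMAIN count matters because a DGA registers only a few of the names it generates, so most lookups from an infected host fail; a client whose random-looking names all resolve deserves a different explanation.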

3. Using Existing Botnets:
A botnet is a network of compromised machines (i.e., bots) that are controlled remotely by a C2 server [127]. Cybercriminals take advantage of botnets in order to perform different malicious activities, such as information theft, malware (including ransomware) spreading, and phishing [127,128]. The C2 server of some families of ransomware is placed on known botnets. For example, Locky and Jaff are delivered through the Necurs botnet [129,130], and Troldesh is distributed through the Kelihos botnet [131].

Actions on objectives
As might be obvious, the main objective of ransomware attacks is to receive a ransom payment from the victim. Usually, upon successfully encrypting the victim's data, the ransomware shows a message on the victim machine's screen announcing the infection and providing guidelines to the victim on how to complete the payment in order to recover the data. However, some ransomware families, such as CryptXXX [45], steal users' credentials in addition to encrypting data. The very first versions of ransomware demanded the ransom payment through traditional money transfer methods. For example, GPCode asked for payment via egold and Liberty Reserve accounts [132], the Trj/SMSlock.A ransomware demanded a premium SMS contact [133], and TeslaCrypt (in some cases) requested ransom payment through PayPal or My Cash cards [134]. By contrast, almost all newer families of ransomware ask for ransom payments in Bitcoin. Some ransomware families provide facilities for the victims to pay the ransom and help the victim through the payment procedure. For example, PadCrypt provides the victims with live support [118], Locky and Bart urge users to perform the ransom payment through a "payment portal" [114], and Spora provides the victim with a professional "decryption portal" (a TOR site), in which victims need to provide the unique infection ID that is shown in the ransomware payment note on the screen [34].
The majority of ransomware campaigns try to keep their promise and restore the data upon receiving the ransom payment, for the sake of a good reputation. However, there were cases, such as boneidleware [135] or NotPetya, where the attackers failed to restore the users' access even after the victim made the ransom payment. In order to get paid faster, different samples of ransomware adopt various methods. For example, JIGSAW not only increases the ransom amount exponentially as time passes, but also permanently deletes users' files, increasing the number of unrecoverable files exponentially [66]. As another example, French Locker permanently deletes one encrypted file every 10 minutes until the victim settles the ransom payment [136].
We believe that the ransomware feature taxonomy provided in this section offers valuable information for researchers and developers in understanding the lifecycle of ransomware from an intruder's point of view and, correspondingly, in proposing new defensive mechanisms against this obtrusive malware.

Ransomware defence overview
Even if some ransomware "brands" have built a reputation for keeping the promise of giving back a decryption key, there is obviously no guarantee that this happens in general. Indeed, the FBI [165] reports several cases in which no decryption key was provided even after a payment. Moreover, paying the ransom has a further drawback: as discussed in [165], it encourages more criminals to get involved in such a "business". Therefore, being aware of possible protection techniques and putting them into action becomes the first and most important step to confine ransomware attacks. Since there is no method that protects 100% against ransomware, detection of suspicious activities on the system, followed by awareness of remedial methods, is of importance.
In this section, we provide a mapping between our behavioural taxonomy and existing defensive models, e.g., the CoA Matrix [20], to provide a ransomware defence reference for practitioners and security analysts to adopt in practice. We highlight possible methods for detecting, denying, disrupting, degrading, and deceiving a ransomware attack in each phase of the CKC (rows of the CoA matrix in Table 2). For example, a defender could take several actions, such as using machine learning algorithms or static analysis of the source code, to detect ransomware while considering the different weaponization techniques that we explained in the previous section. In order to showcase the mapping of our ransomware feature taxonomy to the most suitable countermeasures against ransomware, we provide three CoA matrices for three ransomware families, i.e., Locky, PayCrypt and TeslaCrypt, in Tables 3, 4 and 5, respectively. As can be seen, there are many similarities in the type of countermeasure that could be taken for each step. However, in some steps, due to differences in the features of each ransomware family (refer to Table 1), different actions could be taken, e.g., degrading the weaponization techniques of Locky and PayCrypt could be different from TeslaCrypt.
In the remainder of this section, we provide an overview of the existing prevention, detection and mitigation methods in the literature. In the category of "denying/preventing" ransomware, Luo and Liao [166] conducted one of the first studies on ransomware attack prevention. Their study basically consists of awareness and educational information, such as defining policies and guidelines for users, access control and management, as well as system analysis and reports. Similar studies, e.g., [16,85,167], have also highlighted preventive solutions for ransomware that are more or less the same as for almost all malware, e.g., mail security, proper firewall configuration, etc.
Compared to the first category, several studies in the literature are dedicated to "detecting/deceiving" ransomware, which we briefly survey in the following. As highlighted in [7], due to the increasing number of ransomware families and their various features (as we explained in Sect. 3), it takes some time for signature-based anti-malware/anti-virus products to detect new variants of ransomware. This is because anti-malware vendors need to continuously collect and analyse new families of ransomware and update their products with new signatures correspondingly. Moreover, simply looking for a list of file names, file extensions and file hashes would be of limited use in detecting ransomware. Therefore, researchers advocate better methods to detect and disrupt ransomware activities.
Several researchers have concentrated on detecting ransomware by monitoring file system activities. In [14], Kharraz et al. suggest monitoring API calls, monitoring file system activities, and using decoy resources/files in order to detect ransomware attacks. In particular, they propose to monitor changes in the Master File Table (MFT) and the type of I/O requests in the NTFS file system to recognize suspicious/known sequences of file system activities that indicate a ransomware attack. The paper also underlines that recovery of the deleted files or of the encryption keys would be possible in some cases. For example, for those families of ransomware that produce encryption keys locally on the victim machine, the key could be extracted by inspecting the memory. Moreover, in some cases it is possible to recover the deleted data by inspecting the MFT content. Similarly, Unveil [7] provides a dynamic analysis solution for Windows systems, which monitors the file system I/O activities and the entropy of I/O data buffers. Unveil considers several activities common to ransomware samples (e.g., displaying a persistent desktop message, random/selective encryption and deletion of user files), and deploys an artificial, yet realistic, user environment to monitor the interaction of the ransomware with the file system. Moreover, it monitors the user desktop in order to detect ransom note display, desktop locking or other similar ransomware-related behaviours.
In the same line of study, CryptoDrop [8] provides an early-warning detection system by monitoring the changes to the user data. This study proposes a ransomware detection method based on the following file modification indicators: a large number of changes in file type, the dissimilarity measure of the same file, high Shannon entropy, a high number of file deletions, and the difference between the number of file types a process has read and written. Similarly, [168] provides an early detection framework utilizing behavioural and data-centric analysis. ShieldFs [169] also proposes a Windows kernel module in order to detect the ransomware attack and degrade the attack's effect by recovering the original files. The focus of ShieldFs is on the I/O operations, and the detection is based on the entropy of write operations, the frequency of read, write, folder-listing, and renaming operations, the dispersion of write operations per file, and the file-type access statistics. ShieldFs also detects the usage of known cryptographic methods and malicious code injected into a benign process. The recovery method proposed in ShieldFs is shadowing all the write operations and reverting them as soon as a malicious process is detected. Redemption [137], similar to previous approaches, proposes a real-time behavioural analysis of applications' interactions with the file system. Redemption provides an end-point framework as well as a remedial approach (by buffering all the files that have a "write" access request). In fact, in order to meet the data consistency requirement of benign applications, it uses a two-phase commit method for write operations on the files. The considered detection metrics include file entropy, file overwrite, delete, and renaming operations, folder listing, and write access request frequency. Compared to the previous detection methods, [170] monitors network traffic to detect a ransomware attack. In particular, the proposed scheme distinguishes those ransomware samples that use a DGA for the C2 connection. The authors suggest the use of address verification through a CA (Certificate Authority) for outgoing connections, as well as whitelisting and blacklisting. Moreover, some researchers adopt artificial intelligence methods in detecting ransomware attacks. In [10] the authors utilize a sequence pattern mining technique in order to extract ransomware features, which are then fed to several machine learning (ML) classifiers to detect ransomware. This work analyses file system, registry key and DLL activities. Similarly, EldeRan [171] provides a dynamic analysis framework using ML algorithms in order to extract dynamic ransomware features. The extracted features (i.e., API calls, registry key operations, file system operations, directory operations, dropped files during installation, and strings embedded in the binary) are later used for classifying applications as ransomware or benign. Instead, CloudRps [172] proposes a cloud-based ransomware prevention and detection method relying on several monitoring components (i.e., server, network, and file monitoring). Each of the monitoring components performs static and dynamic analysis considering several behavioural features. Moreover, CloudRps provides an independent cloud-based information backup system to be used for file recovery in case of a ransomware attack.

Footnotes to the CoA matrices (Tables 3-5): + MFT content check to extract the data [137]; ++ Securely storing all the symmetric keys used in the system for any encryption operation [39]; +++ Instruction Trace Pattern Matching (ITPM) [4]; ^ Encrypted Traffic Analytics (ETA) [4].
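The following added Python example (not from the paper, nor from the CryptoDrop, ShieldFs or Redemption projects) replays a constructed stream of file-system events and computes several of the indicators these systems rely on: write-buffer Shannon entropy, mismatch between a file's extension and the bytes written to it, extension-changing renames and deletions, aggregated per process; the event layout, magic-byte table and thresholds are assumptions.

```python
"""Profile per-process file-system activity with ransomware indicators.

Added example (not from the paper, nor from CryptoDrop, ShieldFs or
Redemption). It replays a constructed stream of file events and computes
some of the indicators those systems use: write-buffer entropy, mismatch
between a file's extension and the magic bytes written to it,
extension-changing renames and deletions. Event layout, magic table and
thresholds are assumptions made for this example.
"""
import math
import ntpath
from collections import Counter, defaultdict

# Extension -> expected leading bytes (a small, assumed table).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF",
}
HIGH_ENTROPY = 7.0  # bits per byte; ciphertext and compressed data sit near 8


def shannon_entropy(data):
    """Entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension(path):
    """Lower-cased extension of a Windows-style path (works on any host OS)."""
    return ntpath.splitext(path)[1].lower()


def magic_mismatch(path, data):
    """True when the extension has a known signature that the data lacks."""
    expected = MAGIC.get(extension(path))
    return expected is not None and not data.startswith(expected)


def profile(events):
    """Aggregate indicators per pid from (pid, op, path, arg) events.

    op is 'write' (arg = bytes), 'rename' (arg = new path) or 'delete' (arg None).
    """
    stats = defaultdict(lambda: {"writes": 0, "high_entropy_writes": 0,
                                 "type_mismatch": 0, "ext_changing_renames": 0,
                                 "deletes": 0, "written_exts": set()})
    for pid, op, path, arg in events:
        s = stats[pid]
        if op == "write":
            s["writes"] += 1
            s["written_exts"].add(extension(path))
            if shannon_entropy(arg) >= HIGH_ENTROPY:
                s["high_entropy_writes"] += 1
            if magic_mismatch(path, arg):
                s["type_mismatch"] += 1
        elif op == "rename":
            if extension(arg) != extension(path):
                s["ext_changing_renames"] += 1
        elif op == "delete":
            s["deletes"] += 1
    return dict(stats)


def flag_processes(stats, min_high_entropy=2):
    """Suspicious: repeated high-entropy writes combined with either
    overwriting typed files with foreign content or renaming extensions."""
    flagged = []
    for pid, s in stats.items():
        if s["high_entropy_writes"] >= min_high_entropy and (
                s["type_mismatch"] >= 1 or s["ext_changing_renames"] >= 2):
            flagged.append(pid)
    return sorted(flagged)


# Constructed sample data. CIPHERTEXT is a stand-in for encrypted output:
# every byte value twice, i.e. exactly 8 bits/byte of entropy.
CIPHERTEXT = bytes(range(256)) * 2
DOCX_BYTES = b"PK\x03\x04" + b"word/document.xml" + b"\x00" * 300
TEXT_BYTES = b"Dear all,\nPlease find the minutes attached.\n" * 10
D = "C:\\Users\\u\\Documents\\"
EVENTS = [
    (2210, "write", D + "report.docx", DOCX_BYTES),  # benign office save
    (2210, "write", D + "notes.txt", TEXT_BYTES),
    (4120, "write", D + "report.docx", CIPHERTEXT),  # overwrite with ciphertext
    (4120, "rename", D + "report.docx", D + "report.docx.locked"),
    (4120, "write", D + "photo.jpg", CIPHERTEXT),
    (4120, "rename", D + "photo.jpg", D + "photo.jpg.locked"),
    (4120, "write", D + "notes.txt.locked", CIPHERTEXT),
    (4120, "delete", D + "notes.txt", None),
]

if __name__ == "__main__":
    stats = profile(EVENTS)
    for pid in flag_processes(stats):
        s = stats[pid]
        print(f"pid {pid}: {s['high_entropy_writes']} high-entropy writes, "
              f"{s['type_mismatch']} type mismatches, {s['ext_changing_renames']} "
              f"extension renames, {s['deletes']} deletes")
```

Compression tools and archivers also write high-entropy data, which is why the flag requires the entropy signal to coincide with a type mismatch or extension churn rather than standing alone.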
In contrast to the ransomware detection methods explained so far, some researchers have focused on "deceiving" attackers by using honeypots [173]. Honeypots are decoy resources/files that are deployed by the administrator of a system to draw the attention of attackers, and are generally used for monitoring and detecting unauthorised access to a network or system. The usage of honeypots can complement regular network monitoring solutions; it is not a detection method per se.
Finally, some researchers have also concentrated on providing solutions to "degrade/mitigate" the effect of ransomware attacks. The first and most important solution for data recovery is having proper backups, i.e., "multiple automatic regular properly protected backups that are not continuously addressable through operating system calls", as reported by ETSI [174]. Other solutions include memory investigation to extract encryption keys [14], MFT content checks to extract the unencrypted data [14], and shadowing write operations to undo suspicious writes [137,169], as we explained earlier. Furthermore, PayBreak [175] proactively mitigates ransomware attacks by securely storing all the symmetric encryption keys in an encrypted vault (using the user's public key). As soon as a ransomware attack is detected, the victim is able to decrypt the vault with her private key and restore the encrypted files. Such a solution is effective for those families of ransomware that adopt hybrid encryption methods (see Sect. 3.1.4). In [176], the authors propose the usage of software-defined networking (SDN) to mitigate ransomware attacks. The method basically focuses on those families of ransomware that adopt asymmetric encryption, and proposes an SDN-based traffic monitoring solution to detect suspicious network traffic and block C2 communications, which interrupts the data encryption. This method requires a pre-populated list of blacklisted proxy servers. Two other mitigation approaches are proposed in [38] for scenarios in which the ransomware uses specific encryption methods: (i) if the ransomware uses a weak chaining mode with the cipher algorithm (i.e., uses a single key for encrypting all the files, and also encrypts all newly added files with the same key), the encrypted data could be recovered; (ii) in case the ransomware uses the standard CryptoAPI, integrating a patched DLL in order to monitor and store the secrets will mitigate the attack.
We recall that our focus in this paper is only on ransomware samples that target personal computers. Several research studies propose ransomware detection methods for mobile devices (such as [44, 177-181]) and IoT devices (such as [9,15]) that are out of the scope of this paper.

Related work
In this section we provide an overview of the existing survey/taxonomy papers, both in the context of ransomware and of malware in general.
During the final steps of preparing this paper we found a survey/taxonomy paper on the success factors of the ransomware threat [182]. However, the research methodology of [182] is completely different from ours in several aspects: (1) we provide a dedicated analysis of crypto-ransomware families attacking personal computers, while [182] provides a general view of all kinds of ransomware families; (2) we provide an in-depth ransomware feature and behaviour taxonomy explaining the different phases of a ransomware attack from an intruder's point of view (based on the CKC model), while in [182] the authors consider a taxonomy based on the severity, platform and target of the ransomware attack, which provides a high-level overview of the existing ransomware families but not of their malicious features; and (3) last but not least, we actually provide a systematized ransomware feature taxonomy, which was proposed as a future research direction in [182]. Other than that, several ad-hoc industrial security reports (such as [3,21,132,183]) and a few scientific papers (such as [14, 16-18, 170, 172, 184, 185]) provide a ransomware timeline, a brief overview of ransomware structure, specifications of some ransomware families, and some of the existing preventive/defensive methods.
Khattak et al. [127] present a taxonomy of botnet behaviour and detection. In the behaviour taxonomy of [127], which is the literature study most related to our proposal, the authors categorise botnet behaviour into five categories, i.e., propagation, rallying, C&C, purpose, and evasion. Since the work in [127] is a comprehensive taxonomy in the field of botnets, and it also discusses related work in the botnet context, we omit related work prior to 2014. Moreover, other survey papers related to botnets, such as [186,187], do not provide any feature taxonomy. Several survey papers exist in different domains of malware (excluding ransomware), such as malware interaction with operating systems [188], behavioural detection methods for malware samples [189], behaviours of banking malware [190], mobile malware detection [191], and so on. While there are some similarities between these related works and our feature taxonomy, there are two main differences: (i) as ransomware has a specific objective (i.e., gaining money by encrypting/locking the victim's data/system), we distinguish and provide features dedicated to ransomware (mostly in the weaponization, exploitation, installation and actions-on-objectives sections of our taxonomy); and (ii) our taxonomy is systematized based on the CKC framework, which makes it easier for cyber defenders to use it as a reference for standard defensive and process models, e.g., the Courses of Action (CoA) Matrix [20], that are well known and well established within the operations of many organizations.
As can be seen, compared to the state-of-the-art research papers, our proposed taxonomy provides an extensive overview of the behavioural aspects of crypto-ransomware (those attacking personal computers), such that most of the past, present and (possibly) future ransomware families can be categorised based on this taxonomy.

Conclusion and future work
Ransomware attacks are on the rise, and we observe a large amount of data being encrypted by ransomware every day. We believe the main barrier in defending against ransomware is the lack of structured and comprehensive information about attack vectors and vulnerabilities, as well as of an understanding of ransomware behaviour. In order to shed light on this challenge, we proposed, to the best of our knowledge, the first taxonomy of ransomware features. Our taxonomy offers the ability to model ransomware attack methods and allows the assessment of malicious behaviours on end-point devices. Such modelling could provide the basis for subsequent attack analysis and the implementation of intrusion detection solutions, and contribute to building and implementing secure systems. Security experts envision Supervisory Control and Data Acquisition (SCADA) infrastructure to be the near-future target of ransomware attackers [192], and suggest taking strict security measures in order to prevent a hazard [193]. Moreover, attacks on the Internet of Things (IoT) have already started, and there are several samples of ransomware threatening smart IoT devices, such as Flocker, which infects smart TVs [194].
We envisage several interesting future research directions, as follows.A valuable future research direction would be adapting our features taxonomy with other ransomware samples, e.g., mobile ransomware or IoT ransomware, that we did not consider in this paper.Though we anticipate that their behavioural features would be more or less similar to what we provide in this work.Moreover, one may try to map the behavioural features that we extracted in this work to different families of ransomware (similar to what we provided in Table 1 in small scale) in order to categorise unseen samples.However, the main challenge will be analysing different versions of the same ransomware family, i.e., several families (such as Locky ransomware) have different versions that are emerging day by day and change their attack methods and features; though we would consider them belonging to the same family!Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecomm ons.org/licenses/by/4.0/),which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Fig. 2 Lockheed Martin Cyber Kill Chain (CKC) [22] seven steps. The part marked with the red rectangle highlights the six steps that we considered in our ransomware feature taxonomy

Fig. 3 Lockheed Martin Courses of Action matrix [22]. The rows specify the seven CKC steps, while the columns specify the corresponding defensive actions

Fig. 4 Our proposed CKC-based taxonomy diagram of the ransomware features

Network defence tools, such as Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), rely on either signature-based or anomaly-based techniques to detect malicious programs [81]. Signature-based detection techniques rely on predefined patterns (signatures) of known attack traffic, while anomaly-based detection techniques look for out-of-norm network traffic to detect malicious activities. Signature-based detection
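As an added illustration of the two detection approaches described above (example code written for this edition, not part of the paper or of any IDS product), the following Python runs a signature-based detector and a robust anomaly-based detector over constructed outbound flow records; every destination name and the signature feed are placeholders, not real indicators.

```python
"""Signature-based vs anomaly-based detection over constructed flow records."""
import statistics

# Constructed outbound connection records (not from the paper):
# (host, destination, destination_port, bytes_out). All destinations are placeholders.
FLOWS = [
    ("pc-01", "update.example-vendor.test", 443, 1200),
    ("pc-01", "mail.example-corp.test", 993, 800),
    ("pc-01", "cdn.example-vendor.test", 443, 1500),
    ("pc-01", "KNOWN-BAD-C2.placeholder", 443, 900),  # known indicator, normal volume
    ("pc-02", "update.example-vendor.test", 443, 1100),
    ("pc-02", "mail.example-corp.test", 993, 700),
    ("pc-02", "novel-c2.placeholder", 8443, 250000),  # no signature, abnormal upload
]

# Predefined patterns of known-bad destinations (hypothetical feed, placeholder values).
SIGNATURES = {"KNOWN-BAD-C2.placeholder"}


def signature_alerts(flows, signatures=SIGNATURES):
    """Signature-based: flag flows whose destination matches a known pattern."""
    return [f for f in flows if f[1] in signatures]


def anomaly_alerts(flows, threshold=3.5):
    """Anomaly-based: flag flows whose outbound volume deviates from the norm.

    The baseline is the median and median absolute deviation (MAD) of all flow
    sizes, so a single huge flow does not drag the baseline towards itself.
    """
    sizes = [f[3] for f in flows]
    median = statistics.median(sizes)
    mad = statistics.median(abs(s - median) for s in sizes) or 1.0
    # 1.4826 scales the MAD to the standard deviation of a normal distribution.
    robust_z = lambda s: (s - median) / (1.4826 * mad)
    return [f for f in flows if robust_z(f[3]) > threshold]


def detect(flows):
    """Run both detectors and return the destinations each one flags."""
    return {
        "signature": sorted({f[1] for f in signature_alerts(flows)}),
        "anomaly": sorted({f[1] for f in anomaly_alerts(flows)}),
    }


if __name__ == "__main__":
    for method, hits in detect(FLOWS).items():
        print(f"{method:>9}: {hits}")
```

On this sample the signature detector only finds the destination already in its feed, while the anomaly detector flags the previously unseen destination purely from its out-of-norm volume, which is the complementary coverage the paragraph describes.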

Table 1 Mapping between the collected ransomware features and the proposed taxonomy

Table 2 An example Courses of Action matrix (row header: CKC Phases)

Table 3 CoA matrix for the Locky ransomware (row header: CKC Phases)