Keywords

Ransomware; Social engineering; Security policies; Payment methods; Law enforcement

Introduction

Ransomware is a type of malware that comes from “ransom” which means payment and “ware” means a type of malware attack. Thus, ransomware is a malicious software that attacks infecting a computer, and then asks for ransom. In other words, the files are encrypted on the computer and the criminals demand a ransom for the private key to decrypt the files [1,2]. The ransomware program displays a message that demands payment to restore functionality. Ransomware can be defined as an extorsion in which paying a ransom could be the only option to recover access to files. In other words, this game involves two players, a criminal and a victim. Throughout recent years, the estimation on the amount of ransom received by the criminals range from $300 to over $1000 per victim (with fluctuations in bitcoin making valuation volatile) [3]. As far as we know, there are many ways of ransomware attacks as social engineering where the victims do not have more choice but to pay a ransom. One of the known operations made by those cybercriminals are the crypto locker which revenue reached approximately 12 million in 2014, and in which victims could only recover 50% of their data [4]. A survey revealed that various industrial sectors in Europe and the United States had been greatly affected and about 40% of these victims paid to attackers. A new report generated by Virus Total (ppen Source statistics service) demonstrated a new sample of approximately 1.3 million of cyber ransomware attacks were submitted by February 16, 2021 in the USA.

Cybercriminals that use ransomware utilize numbers of strategies to avoid detection, propagate, and attack users through social engineering techniques that comes in different known ways of around thirty six families of ransomware attacks among them are: CrytpoWall3.0 that made highlines around the world as a highly profitable ransomware family, causing an estimated $325 millons in damages [5], dirty decrypt, cerber, crypto locker, crypto wall, crysis, ctb locker, goldeneye, torrent, locker, backdoor. Alie, python wall, ransonware as a software, reveton, tesla crypt, wannacry, among others. Criminals encrypt their files or sensitive information in exchange of financial gain finding reliable and untraceable payment methods as bitcoin, premium method, among others [6].

Ransomware is one of the most difficult securities cyber threats to detect and prevent because they are difficult to track, that is why federal government is particularly concerned about the impact of ransomware of the networks at state, local, tribal, territorial governments, municipalities, hospitals, and other critical infrastructure levels. Those ransomware attacks can delay assistance to the police station or fire’s department’s response to an emergency or even prevent a hospital from accessing lifesaving equipment. To combat this threat, the National Cyber Investigate Joint Task Force (NCIJTF) has convened experts to educate the public on many ways to prevent ransomware attacks, to improve law enforcement coordination and response. Many organizations as Cybersecurity and Infrastructure Security Agency (CISA) Essentials and CISA insights are working to assist small and large entities in improving their security policies and protecting effectively from different cyber incidents as ransomware attacks [7]. Due to the negative impact that ransomware is causing around the world, this article provides a better understanding of the strategies and known signatures utilized by ransomware attackers. This article depicts the latest efforts made by researchers to detect ransomware attacks and help to underscore the necessity to secure protocols in any organization, giving insightful recommendations to avoid being a victim.

Research and Literature

As already mentioned, a ransomware is a type of malicious software, or malware that encrypts data on a computer and demands for the key to decrypt that data. In most of the cases, victims are given a set of time, typically 72 hours, to pay a ransom which is generally around $100 to $1000 for individuals, and much more from organizations and firms [8]. There is some pattern of ransomware attacks such as gaining an administrative privilege by simply asking for it or using any social engineering tactics. Some of those cybercriminals try to get access to ask the user to install software or adding any patches on their installation or requesting fake updates or antivirus updates. In most of the cases, ransomware perpetrators ask for app level permissions to perform their tasks.

It is important to be aware of Android ransomware and Windows ransomware. The first one uses a zombie machine or network commonly named bonet, which is sort of backdoor channel open for the attacker to get access to the infected system. These botnets are used for hackers to control systems and lunch a Distributed Denial of Service (DDoS) attacks so the ransomware attacker can steal passwords and banking account details. Thereby, all the permission of victim’s devices and administrative access of the attacker are gathered and sent to Command-and- Control Server (C&Cs), which contains all the stolen information obtained from zombies using encrypted Transport Layer Security mechanism to secure their stolen data [9]. On windows platform, a ransomware attacks the victim through malicious website, by email attachments, any malicious web-link or request one of several payment methods. Subsequently, when the system is infected, it contacts C&C server as an ordinary android application and, at that same time, the C&C server generates symmetric key and then, starts the encryption of data using an asymmetric encryption (RSA) preventing that the key cannot be used for decryption. This asymmetric algorithm uses two different keys, one public key for encryption of data and one private key for decryption [10].

Among the main types of ransomware are the crypto ransomware which obtains a private key from C&Cs to encrypt all the victims’ files and after that the crypto sends the threatening messages asking for a ransom through a Bitcoin payment to exchange the private key to decrypt their data [11]. On the other hands, we have the locker ransomware which works differently compared to crypto, it resets the device PIN using all types of social engineering tactics (explained below) to restrict user access to device and system functionalities and then asks for a ransom. Therefore, a locker of ransomware is considered more detrimental than a crypto ransomware causing inactivation of systems by Denial of Service (DoS) until the victim pays for a ransom [12]. Typical signatures or characteristics of all ransomware families attack is schemed by device locking, data encryption, data deletion, data stealing, and sending threatening messages [13]. Table 1 portrays a list of notable features of some ransomware families are mentioned from column 2 to 11.

According to investigations one of the best techniques used by ransomware attackers is the social engineering tactic which is based on deceiving users or persuading people to perform certain actions by using physical or digital access to an organization’s system information with the goal of encrypting the data and consequently, asking for a ransom [14,15]. concluded that social engineering can be categorized into two groups humanbased social engineering attack and technology-based social engineering attack. In other words, the first group human based social engineering attacks uses person to person sometimes third-party authorization such as: dumpster diving, shoulder surfing, creating a sense of urgency using psychological tricks, lies, bribes, and even extorsion, impersonation. The second group technology based social engineering attack is characterized by using digital technology as basis for email phishing, online scam, pop up advertisement by installing of software and other threats to accomplish cybercrimes (Figure 1).

Henceforth, this article’s also passage aims the variety of attack techniques that social engineering tactics computer technologies use as a to tool to infect systems with ransomware (Table 2).

Table 2: List of ransomware families with their notable features, payments methods, type, and platform.

Email phishing

AWhen the cybercriminals send a spam email that contains malicious file or link, which deploys malware when it is clicked. That is what commonly is known as email spams that uses social engineering themes to trick users into installing a ransomware under the following known themes such as: Mail delivery notification, energy bills, job seeker resume, tax returns and invoices, police traffic offense notifications.

Remote desktop control vulnerabilities

Network protocol that allows individuals to control the resources and data of computer over the internet.

Software vulnerable

Cybercriminals usually take advantage of security weakness in software programs to gain control of victim’s systems and deploy ransomware. For instance, on Android app, there are some special features not only for encrypting files or locking devices but employing capabilities to spread to all contacts within the device’s address book by sending social engineering SMS messages. For instance, Android. Lock droid E is an illegal software that plays pirated videos and as soon as it displays videos on that software, it takes a snap of the victim using the device’s camera and then, the cybercriminal asks for a ransom.

Brute Force passwords

This technique consists in acquiring login credentials for spreading ransomware through an exhaustive number of successive guesses of passwords to break the cipher of the encrypted data keys [16].

Drive-by-Downloads

Many legitimate websites contain malicious code injected in their host to compromise sensitive information by cross-site scripting attacks where most of the time victims cannot spot on their own [17].

Ransomware is a cybercrime business where the payment systems are accessible to make an easy path to the victims to pay. Cybercriminals always keep improving their source of payment by discovering new ways to causes difficulty in tracing the identification of the payments’ receipts. Among the most known methods of payments are:

Bitcoin

Bitcoin is one of the most used payment methods, characterized by its untraceable nature.

Premium method

They ask to send SMS to a particular number to decrypt files using social engineering tactics and requires the least amount of technical background and when it is propagated in a large scale the revenue could be significant.

Other untraceable methods

Some ransomwares instead of asking for bitcoin payments, they ask for iTunes gift cards worth of 200 USD. Other ransomware payments include paypal, ukash cards, moneypak, paysafe card.

Recommendations

A report generated by The Unites States of Department of Justice demonstrates that 4000 ransomware attacks occur daily [18]. Likewise, in the healthcare industry, it has been revealed that approximately 88% percentage of the cybercrimes are generated by ransomware attack as reported by cyber security provider solutions [19]. Thereby, some preventative measures of ransomware attacks are recommended by the United States Office for Civil Rights (OCR), Federal Bureau of Investigation (FBI), and Federal Trade Commission (FTC) such as: There are some solutions for non- technical personnel such as: making sure that all the employees can receive a specialized ransomware training such as: never open an email attachment unless it is a trust sender source. In general, we need to take into consideration to block email messages with the following extensions: *.exe, *.zip, *.rar, *.7z, *.js, *.wsf, *.docm, *.xlsm, *.pptm, *.rtf, *.msi, *.bat, *.com, *.cmd, *.hta, *.scr, *.pif, *.reg, *.vbs, *.cpl, and *.jar from suspicious sources [20]. Furthermore, users are advised to immediately delete any suspicious activity on monitors, scan computer system regularly and Run USB’s only if it is from trustable sources. Likewise, remaining alert of significant increase of renames files on your network could be a symptom that you are being stroked by a ransomware attack.

Another important measure is making a weekly basis on backup and storage data offline are important steps that will help to restore and recover data from a ransomware attack. Maintaining backup offline and unavailable from their networks will reinforce the security against ransomware attackers [21].

On the technical solutions side, avoid staying logged as administrator any longer than needed. Inadequate IT support or lack of security protocols open backdoors to cybercriminals. For instance, a bad placing of anti-virus or anti malware programs can prove an easy prey by ransomware attackers. In addition, it is required to encrypt sensitive data through protection with strong password. In recent years, ransomware attackers are breaching health privacy information, becoming a big threat to the Health Insurance Portability and Accountability Act (HIPAA), which is a health database act that actively encrypted and indecipherable health data can block attempts by ransomware attack if they are properly followed by the organization’s members. To reinforce this breach of HIPPA act, the Civil Rights (OCR’s) ransomware fact sheet has been created to provide guidance against ransomware attacks and establish adequate notification of breaches, in case of attacks [22].

Likewise, ensuring basic technical procedures will help to avoid ransomware attacks such as: enabling automated patches for operating systems and web browsers, complex and strong passwords, pop-up blockers, assuring that the firewalls are duly configured, keeping operating systems updates and maintaining the latest versions of the software, adjusting protection to browsers, and using web-filtering and gateway filter technologies. In addition, installing spam filtering and email filtering services are essential to prevent infected systems; for instance, a good email filter used is Symantec Email Security Cloud to avoid being targeted by hackers as well as stop malicious emails. According to Sophos threat report the breach between highly skilled ransomware operators who target wealthy organizations and the script kiddie attackers who are looking for capturing smaller pretty companies has broadened significantly in the last few years.

The United States government provides resources to protect against the threat of ransomware. For instance, signing up for the OCR’s Security Listener to receive ransomware updates and guidance [23]. Due to the complexity of detection ransomware attacks, various researchers strongly suggest monitoring those attacks with other sophisticated techniques as Machine Learning Algorithms and Artificial Intelligence (AI) systems. Machine Learning (ML) approaches models to recognize ransomware’s behavioral pattern rather than a specific signature in theirs attack. As far as it is known, signature can be changed easily each period of time, but the attacking pattern is more difficult to change. However, choosing the right Machine Learning (ML) algorithm to match with the right data and provide accuracy in its prediction is a dilemma at this time. Indeed, sometimes it is highly recommended to pay the ransom to avoid significant financial loss [24,25].

Results and Discussion

This article portrayed that ransomware malware has become in one of the most dangerous threats over the world. Although, the discovering of the ransomware has thirty years in the cyberspace, it has not been treated with the proper security measurements for many organizations. As a result of this lack of security protocols, ransomware attacks trigger financial loss and cessation of organization’s functionalities with more severity compared to a few years ago. Even, the rise in attack numbers has been reflected tremendously since we are being affected by this pandemic COVID-19 where all the work is being performed remotely.

This whole article depicts basic core concepts of the highest vector of the cyberthreat ransomware, identifying its symptoms and the ransomware families. Combating the several security threats of this attack requires a deep understanding of these techniques and strategies adopted by this malicious malware over the network. New research efforts have been developing new algorithms applied in machine learning and artificial intelligence to achieve early detection of ransomware attacks but unfortunately without much success yet.

Indeed, sometimes it is recommendable to pay for a ransom rather than being locked or to cease organizational operations to mitigate financial loss. Cybersecurity communities and law enforcement are making efforts to hunt these ransomwares attackers in their early stages of attacks.

Conclusion

Although, this ransomware malware has been created and disseminated thirty years ago, it does not alleviate ransomware attacks predicting an expectation of financial loss approximately 6 trillion dollars by the end of 2021. There is a such a concern that many organizations are still using basic security protections against those threats. According to the crowdstrike report (November 2020), approximately 56% in a survey of 2200 organizations in 2020 have been infected by ransomware attacks with an average ransom in the USA of $1.3 million dollars and the estimation of the whole world easily can reach more than billions of dollars and the threats become worse with the COVID-19 situation For that reason, the purpose of this article is mainly to identify symptoms of ransomware attacks, the known ransomware families of attacks and to encourage individuals and businesses to follow the proper recommendations mentioned earlier to avoid becoming a victim. In other words, every company should be actively involved in the security protocols given by law enforcement or any certified cyber security company which needs to be followed by everyone from the simple employee (user) to the IT technical support to mitigate ransomware attacks by executing basic security practices; for simple users, this means handling the phishing menace by labelling emails that come in from external sources or making offline backups; for IT personnel, this means patching software and protect data by encryption. However, this might not be the solution to stop advanced skilled ransomware attackers due to the complexity to trace their dynamic attacks over the network as even sophisticated ML techniques used by cyber threat experts cannot unveil ransomware detections, but it will help to reduce the threats in terms of real time of the ransomware attack execution and stop most of the entry level ransomware attackers that are widening the number of the small companies’ victims.

Acknowledgements

We would also like to thank my brother Dante Daniel Barreto Bermudez who has been such an emotional support for me, and all the academic support received by my professors from the cyber forensics master program from University of Baltimore.

References

1. Hu Y, Zhang X, Sun X, Zhang J, Du J et al (2010) A unified intelligent model for software project risk analysis and planning. In 2010 3rd International conference on information management, innovation management and industrial engineering 4: 110-113.
2. Mansfield-Devine S (2016) Ransomware: taking businesses hostage. Netw Sec 10: 8-17.
3. Kalaimannan E, John SK, DuBose T, Pinto A (2017) Influences on ransomware’s evolution and predictions for the future challenges. J Cyb Sec Technol 1: 23-31.
4. Liao K, Zhao Z, Doupe A, Ahn GJ (2016) Behind closed doors: measurement and analysis of crypto locker ransoms in bitcoin. In 2016 APWG symposium on electronic crime research 1-13.
5. Tuttle H (2018) Only half of ransomware payouts result in data recovery. Risk Manag 65: 52-53.
6.  Luo X, Liao Q (2007) Awareness education as the key to ransomware prevention. Inf Sys Sec 16: 195-202.
7. Kharaz A, Arshad S, Mulliner C, Robertson W, Kirda E (2016) A large-scale, automated approach to detecting ransomware. In 25th security symposium security 21: 757-772.
8. Alliance CT (2015) Lucrative ransomware attacks: analysis of the cryptowall version 3 threat. Retri Nov 3: 201-206.
9. Hernandez-Castro J, Cartwright A, Cartwright E (2020) An economic analysis of ransomware and its welfare consequences. Royal Soc. Open Sci 7: 190023.
10. Aurangzeb S, Aleem M, Iqbal MA, Islam MA (2017) Ransomware: a survey and trends. J Inf Assuran Sec 6: 48-58.
11. Barbulescu M, Stratulat A, Traista-Popescu V, Simion E (2016) Rsa weak public keys available on the internet. In international conference for information technology and communications 12: 92-102.
12. Zavarsky P, Lindskog D (2016) Experimental analysis of ransomware on windows and android platforms: evolution and characterization. Procedia Comput Sci 94: 465-472.
13. Yaqoob I, Ahmed E, ur Rehman MH, Ahmed AI, Al-garadi MA (2017). The rise of ransomware and emerging security challenges in the internet of things. Com Net 129: 444-458.
14. Andronio N (2010) Heldroid: Fast and efficient linguistic-based ransomware detection.
15. Peltier TR (2006) Social engineering: concepts and solutions. Inf Sec J 15: 13-14.
16. Abraham S, Chengalur-Smith I (2010) An overview of social engineering malware: trends, tactics, and implications. Tech Socie 32: 183-96.
17. Raza M, Iqbal M, Sharif M, Haider W (2012) A survey of password attacks and comparative analysis on methods for secure authentication. World Appl Sci J 19: 439-444.
18. Ali A, Murthy R, Kohun F (2016) Recovering from the nightmare of ransomware-how savvy users get hit with viruses and malware: a personal case study. Issues Inf Sys 7: 1-5.
19. Lallie HS, Shepherd LA, Nurse JR, Erola A, Epiphaniou G, Maple C, Bellekens X. Cyber security in the age of covid-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Com Sec 105: 102248-102251.
20. Konnoth C (2016) Governing health information.
21. Sittig DF, Singh H (2016) A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks. App Clin Inf 7: 624-625.
22. Pope J (2016) Ransomware: minimizing the risks. Innov Clin Neurosci 13: 37-38.
23. Hoffman DA (2010) Increasing access to care: telehealth during COVID-19. J Law Biosci 7: 43-44.
24. Aurangzeb S, Aleem M, Iqbal MA, Islam MA (2017) Ransomware: a survey and trends. J Inf Secur 6: 48-58.
25. Cartwright E, Hernandez Castro J, Cartwright A (2019) To pay or not: game theoretic models of ransomware. J Cybersec 5: 9-11.