Top

Published in:

2018 | OriginalPaper | Chapter

Identifying File Interaction Patterns in Ransomware Behaviour

Authors : Liam Grant, Simon Parkinson

Published in: Guide to Vulnerability Analysis for Computer Networks and Systems

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Malicious software (malware) has a rich history of causing significant challenges for both users and system developers alike. The development of different malware types is often resulting from criminal opportunity. The monetisation of ransomware, coupled with the continuous growing importance of user data, is resulting in ransomware becoming one of the most prominent forms of malware. Detecting and stopping a ransomware attack is challenging due to the large verity of different types, as well as the speed of new instances being developed. This results in static approaches (e.g. signature-based detection) ineffective at identifying all ransomware instances. This chapter investigates the behavioural characteristics of ransomware, and in particular focusses on interaction with the underlying file system. This study identifies that ransomware instances have unique behavioural patterns, which are significantly different from those of normal user interaction.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Masquerade Detection on Mobile Devices

next chapter A Framework for the Visualisation of Cyber Security Requirements and Its Application in BPMN

Moir, R (2003) Defining malware: FAQ. https://technet.microsoft.com/en-us/library/dd632948.aspx

Kharraz A, Robertson W, Balzarotti D, Bilge L, Kirda E (2015) Cutting the gordian knot: a look under the hood of ransomware attacks. In: International conference on detection of intrusions and malware, and vulnerability assessment. Springer, Berlin, pp 3–24

Richardson, R., North, M.: Ransomware: evolution, mitigation and prevention. Int Manag Rev 13(1), 10 (2017)

Brenner, B (2017) InfoSec 2017: a look at the family album of ransomware. https://nakedsecurity.sophos.com/2017/06/06/infosec-2017-a-look-at-the-family-album-of-ransomware/

Beek, C (2017) McAfee Labs 2017 Threats Predictions. www.mcafee.com/uk/resources/reports/rp-threats-predictions-2017.pdf

MalwareBytes: cybercrime tactics and techniques (2017). https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf

Symantec: internet security threat report (2017). https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf

FBI IC3: internet crime report (2016). https://pdf.ic3.gov/2016_IC3Report.pdf

US Department of Justice: How to protect your networks from ransomware. Technical report (2016). https://www.justice.gov/criminal-ccips/file/872771/download

10.

Savage, K., Coogan, P., Lau, H.: The evolution of ransomware. Symantec, Mountain View (2015)

11.

Upadhyaya R, Jain A (2016) Cyber ethics and cyber crime: A deep dwelved study into legality, ransomware, underground web and bitcoin wallet. In: International conference on computing, communication and automation (ICCCA). IEEE, pp 143–148

12.

Fischer, T (2014) Private and public key cryptography and ransomware. Technical report

13.

Trend Micro: Command-and-control (C&C) server (2017). https://www.trendmicro.com/vinfo/us/security/definition/command-and-control-(c-c)-serve

14.

Sophos: Ransomware: How an attack works (2016). https://community.sophos.com/kb/en-us/124699

15.

Beek C, Frosst D, Greve P, Gund Y, Moreno F, Peterson E, Schmugar C, Simon R, Sommer D, Sun B, et al. (2017) Mcafee labs threats report [internet]. McAfee Lab (April 2017). https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2017,pdf, p 49

16.

Symantec: ISTR ransomware (2017). https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-ransomware-2017-en.pdf

17.

Liao K, Zhao Z, Doupé A, Ahn G-J (2016) Behind closed doors: measurement and analysis of cryptolocker ransoms in bitcoin. In: APWG symposium on electronic crime research (eCrime). IEEE, pp 1–13

18.

Panda Security: cryptolocker: what is and how to avoid it. Panda Security (2015). https://www.pandasecurity.com/mediacenter/malware/cryptolocker/

19.

McGoogan C, Titcomb J, Krol C (2017) What is WannaCry and how does ransomware work?. http://www.telegraph.co.uk/technology/0/ransomware-does-work/

20.

Symantec threat intelligence: what you need to know about the Wannacry ransomware (2017). https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack

21.

Joven, R, Yick Low, C (2017) MacRansom: offered as ransomware as a servive. https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service

22.

Barkly: Ransomware-as-a-service is booming (2017). https://blog.barkly.com/how-ransomware-as-a-service-works

23.

Conner, B (2017) Ransomware-As-A-Service: the next great cyber threat?. https://www.forbes.com/sites/forbestechcouncil/2017/03/17/ransomware-as-a-service-the-next-great-cyber-threat/#648c45d34123

24.

Europol: no more ransom: law enforcement and IT security companies join forces to fight ransomware (2016). https://www.europol.europa.eu/newsroom/news/no-more-ransom-law-enforcement-and-it-security-companies-join-forces-to-fight-ransomware

25.

No more ransom: about the project (2016). https://www.nomoreransom.org/en/about-the-project.html

26.

Osbourne, C. (2017) No more ransom project helps thousands of ransomware victims. http://www.zdnet.com/article/no-more-ransom-project-unlocks-over-28000-devices/

27.

KasperSky: no more ransom: a very productive year (2017). https://www.kaspersky.com/blog/no-more-ransom-first-anniversary/17791/

28.

Cloonan, J (2017) Advanced malware detection - signatures versus behavior analysis (2017). https://www.infosecurity-magazine.com/opinions/malware-detection-signatures/

29.

Nieuwenhuizen D (2017) A behavioural-based approach to ransomware detection. Retrieved from https://labs.mwrinfosecurity.com/assets/resourceFiles/mwri-behavioural-ransomware -detection-2017-04-5.pdf

30.

Ask, K (2006) Automatic malware signature generation. 2006-10-16]. http://citeseerx.ist.psu.edu/viewdoc/download

31.

Hanel, A (2011) An intro to creating anti-virus signatures. http://hooked-on-mnemonics.blogspot.co.uk/2011/01/intro-to-creating-anti-virus-signatures.html

32.

Shosha, AF, Liu, C-C, Gladyshev, P, Matten, M (2012) Evasion-resistant malware signature based on profiling kernel data structure objects. In: 7th international conference on Risk and security of internet and systems (CRiSIS), IEEE, pp 1–8

33.

Kaspersky: Heuristic analysis in Kaspersky Anti-Virus 2012 (2012). https://support.kaspersky.co.uk/6668

34.

Ahmadi, M., Sami, A., Rahimi, H., Yadegari, B.: Malware detection by behavioural sequential patterns. Comput Fraud Secur 2013(8), 11–19 (2013)CrossRef

35.

Naval S, Laxmi V, Gaur MS, Raja S, Rajarajan M, Conti M (2015) Environment–reactive malware behavior: detection and categorization. In: Data privacy management, autonomous spontaneous security, and security assurance. Springer, Berlin, pp 167–182

36.

Gazet, A.: Comparative analysis of various ransomware virii. J Comput Virol 6(1), 77–90 (2010)

37.

Scaife N, Carter H, Traynor P, Butler KR (2016) Cryptolock (and drop it): stopping ransomware attacks on user data. In: IEEE 36th international conference on distributed computing systems (ICDCS). IEEE, pp 303–312

38.

Sorokin, I.: Comparing files using structural entropy. J Comput Virol 7(4), 259–265 (2011)MathSciNetCrossRef

Title: Identifying File Interaction Patterns in Ransomware Behaviour
Authors: Liam Grant
Simon Parkinson
Publisher: Springer International Publishing
Book: Guide to Vulnerability Analysis for Computer Networks and Systems
Print ISBN: 978-3-319-92623-0

Electronic ISBN: 978-3-319-92624-7

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-92624-7_14

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner