A Cyber-Kill-Chain based taxonomy of crypto-ransomware features

The fast growth in both number and types made ransomware an imminent threat to our digital data [1]. On May 12, 2017, a ransomware called WannaCry (also known as WannaCrypt) attacked thousands of users worldwide, particularly UK National Health Service (NHS), making a chaos in around 48 hospitals in the UK [2]. Ransomware, in general, is a type of malware that removes authorised users’ access to their data and returns it back only after making a payment (so-called ransom) [3]. Ransomware may meet its objective through encrypting victim’s files (crypto-ransomware) or locking the victim machine (locker-ransomware). Either way, ransomware would request the victims to pay the ransom to (possibly) retrieve their access to encrypted files or locked systems.

The first ransomware, named AIDS Trojan, was introduced in 1989. It was encrypting the victim’s files and asking for money to decrypt the files [4]. Afterwards, there were reports of occasional ransomware infections such as scareware, GPCode and Reveton, which were trying to extort money from their victims [4]. However, lack of an untraceable payment method was the main barrier for attackers to anonymously receive ransom payment. Introduction and wide adoption of cryto-currencies was the game changer. Crypto-currency is a peer-to-peer electronic currency, where the transactions are secured using cryptographic algorithms [5]. Bitcoin is the main representative of crypto-currency [6].

Recently, ransomware has been one of the main areas of research and several researchers proposed different ransomware detection methods (such as [7‐13]). Meantime, some researchers briefly discussed ransomware structure, specification of some of the ransomware families and timeline (such as [14‐18]). However, specific features and behaviour of the ransomware is not well-investigated and well-documented yet. Though some phases of a ransomware attack (e.g., delivery) is similar to other malware samples, some other phases (such as its installation, propagation and persistence) are different. We believe that, lack of a systematized and comprehensive reference detailing specific features of ransomware is among important barriers in introduction of effective preventive and detective methods. This is due to the fact that security analysts would be able to detect a ransomware attack in its early stages only if they are aware of the specific features (e.g., weaponization, exploitation or installation methods) of ransomware. A comprehensive taxonomy would help in differentiating between a ransomware and other malware samples, classifying different ransomware families based on their known features and providing dedicated course of actions to each category.

This motivated us to provide, to the best of our knowledge, the first taxonomy of ransomware features. To this end, we provide the reader with detailed information about ransomware lifecycle; enabling researchers to figure out how a criminal delivers a ransomware (considering different families) and infects a victim, how ransomware hides itself, as well as the actions that ransomware performs on the victim’s machine. In order to provide such information in a more understandable and systematized manner, we have adapted the Lockheed Martin Cyber Kill Chain (CKC) [19] model to our ransomware feature taxonomy. CKC is a popular defence model that was originally proposed as Intrusion Kill Chain (IKC) [20] to describe phases of computer network intrusions and later on adapted for defining the steps of a cyber attack. Our motivation behind aligning our proposed taxonomy with CKC model is to provide fine-grained information about each step that the attacker must complete in order to achieve the goal, as otherwise the attack would be failed. Our extracted features in each step would enhance the security analyst’s understanding about the evidences that he needs to look for in order to detect the attack.

In order to provide the reader with a high level overview of a ransomware lifecycle, Fig. 1 shows an example anatomy of a Locky crypto-ransomware attack through a phishing email (we follow the attack phases as explained in [21]). In the first stage, the victim receives a legitimate looking email (e.g., from a tax company, or a billing company), which contains a URL to a legitimate-looking web site which hosts attacker’s malicious payload, i.e., an exploit kit or a weaponised Word document, etc. The attacker payload downloads the ransomware (delivery phase) and either launches the ransomware or scans victim machine for possible vulnerabilities, e.g., an out-dated unpatched software that can be exploited to achieve required privilege to run the ransomware (in the form of an \(\mathtt {.exe}\) file in our example). Upon execution on the victim machine, ransomware deletes the Windows Shadow copies on the victim machine in order to deny user’s access to the system backup files. Ransomware also propagates itself in the file system and searches for files with specific extensions, e.g., \(\mathtt {.jpg}\), \(\mathtt {.mpg}\), \(\mathtt {.zip}\), \(\mathtt {.bak}\), \(\mathtt {.pptx}\), \(\mathtt {.doc}\), \(\mathtt {.pdf}\), \(\mathtt {.xls}\), etc., and starts encrypting files on the victim machine. Once the encryption process is completed successfully, ransomware connects to a Command and Control server (C&C, also named C2)¹ to upload the encryption key and host-specific information and to receive ransom payment instructions. Afterwards, the attacker notifies the victim with the payment information, and in most cases activates a countdown clock. If the victim decides to make the ransom payment, occasionally ransomware continues with downloading the decryption key from the C&C server and decrypts the victim data (although in the absence of follow-up security improvements it is just matter of time that the same or different ransomware infects the machine again). If the victim decides not to pay the ransom, then ransomware deletes the decryption key and makes the recovery of data close to impossible! It is notable that different families of ransomware may offer different features, hence not exactly following all stages described in the above example. This further underlines the need for a systematized taxonomy of the ransomware features.

Contribution In this paper, in order to help researchers and security analysts in understanding the architecture of crypto-ransomware and finding efficient detection mechanisms, we provide a systematized analysis and taxonomy of crypto-ransomware features. It is notable that our focus in this paper is only on the ransomware families that target personal computers. Although, some features of ransomware families targeting mobile phones and IoT devices are different from those that target personal computers, there are some similarities; we leave this discussion as a future work. As a systematization methodology, we consider Lockheed Martin Cyber Kill Chain (CKC) framework [19, 20] and align the behaviour of crypto-ransomware with the offensive steps of a cyber intrusion as described in CKC framework (which we explain in Sect. 2). Our proposed taxonomy could be used by many organizations which are using CKC in their day-by-day cyber defence planning to address risk of ransomware attacks by finding out what are the points of attacks and features of the ransomware that they should look for in their analysis. After obtaining such information about the structure of the intrusion, the reader needs to know how to defend against each phase of the intrusion attempt. In line with Lockheed Martin Course of Action (CoA) matrix [20], we provide required information for the defenders in taking appropriate actions.

It is worth mentioning that the fragmentation of scientific research on ransomware and lack of coherent investigation methodology on ransomware was our main challenge in this research, which led to relying more on the industrial references, along with scientific research papers.

Organization The remaining of the paper is organized as follows: In Sect. 2 we provide the required background knowledge on the CKC framework, which we used as and CoA defence model. We present our taxonomy of crypto-ransomware features in Sect. 3. We provide the ransomware defence overview in Sect. 4 which briefly overviews the existing solutions to prevent/detect the ransomware attacks, as well as show casing course of action for some well-known ransomware families. In Sect. 5, we survey the most related research studies to our work. Finally, Sect. 6 highlights possible future research directions.

Intrusion Kill Chain (IKC), also known as Cyber Kill Chain (CKC), is suggested in 2011 by Lockheed Martin and then widely accepted in the industry for modeling intrusion attempts from attackers prospective [22]. The CKC model is used to develop (threat) intelligence about attackers’ Tactics, Techniques and Procedures (TTPs) and attack attribution [20]. Many researchers have adopted the original CKC model [20] to identify, protect and mitigate against intrusions and malware samples, such as [22]. However, some other researchers [23] adapted the original definition of CKC model to their own requirements and proposed different steps in cyber attack chain model.

CKC devises seven steps for attackers to achieve their objectives (see Fig. 2), namely (1) Reconnaissance, (2) Weaponization, (3) Delivery, (4) Exploitation, (5) Installation, (6) Command and Control, and (7) Actions on Objectives.Based on all the information obtained about the intrusion and the phases that the intrusion undertakes to infect the victim, Courses of Action (CoA) Matrix provides the defenders with a model for intelligent actions against each of these phases [20]. In particular, by mapping each of the seven phases of the CKC to corresponding actions, i.e., detect, deny, disrupt, degrade, deceive and destroy (see Fig. 3), a security analyst can define, in each cell, which security measures should be considered in order to defend against each phase of the CKC.

In this paper, we take advantage of the CKC model and CoA matrix to provide a systematic analysis of ransomware features and possible defence methods. As highlighted in the literature [23, 26], all of the seven steps of the CKC model are not applicable to all attack scenarios, so we adapt only those steps that are applicable to the ransomware context. Specifically reconnaissance is a pre-attack step in which the attacker identifies the victim or possible vulnerabilities, hence, is not applicable to ransomware; we skip this step and start our analysis from weaponization and go through delivery, exploitation, installation, C2 and actions on objectives. In ransomware intrusions, similar to any other attacks, intruders spend significant amount of time on collecting information about their targets (especially in the case of targeted ransomware) to develop an effective ransomware [27]. However, majority of reconnaissance activities are conducted prior to a ransomware release, hence there is not a feature in the ransomware samples corresponding to reconnaissance activities.

This section provides a taxonomy of ransomware features based on the CKC model starting from the weaponization step. Figure 4 shows our proposed taxonomy of ransomware features and the specific methods adopted by attackers in each step of a ransomware attack. We discuss all the details in this section. To further highlight the benefit of having such a taxonomy, we consider 12 well-known families of ransomware (based on the Ransomware Tracker portal³) and provide a mapping between our proposed taxonomy and features of those 12 ransomware families in Table 1.

Even if some ransomware “brands” have built a reputation of maintaining the promise of giving back a decryption key, obviously there is no guarantee that this happens in general. Indeed, FBI [165] reports several cases in which no decryption key was provided even after a payment. Moreover, paying the ransom has a further drawback: as discussed in [165], it fosters more criminals to get involved in such a “business”. Therefore, being aware of possible protection techniques and adopting them in action becomes the first and most important step to confine ransomware attacks. Since there is not a method which protects 100% against ransomware, detection of suspicious activities on the system and then awareness of remedial methods are of importance.

In this section, we provide a mapping between our behavioural taxonomy and existing defensive models, e.g., CoA Matrix [20], to provide a ransomware defence reference for practitioners and security analysts to adopt it in practice. We highlight possible methods for detecting, denying, disrupting, degrading, and deceiving a ransomware attack in each phase of the CKC (rows of the CoA matrix in Table 2). For example, a defender could take several actions, such as using machine learning algorithms or static analysis of the source code, to detect ransomware while considering different weaponization techniques that we explained in the previous section. In order to showcase the mapping of our ransomware features taxonomy with the most suitable countermeasures against ransomware, we provide three CoA matrix for three ransomware families, i.e., Locky, PayCrypt and TeslaCryp, in Tables 3, 4 and 5, respectively. As it can be seen there are many similarities in the type of countermeasure that could be taken for each step. However, in some steps, due to differences in features of each ransomware family (refer to Table 1) different actions could be taken, e.g., degrading weaponization techniques in Locky and PayCrypt could be different from TeslaCrypt.

In the remainder of this section, we provide an overview of the existing prevention, detection and mitigation methods in the literature. In the category of “denying/preventing” ransomware, Luo and Liao [166] conducted one of the first studies on the ransomware attack prevention. Their research study basically consists of awareness and educational information, such as defining policies and guidelines for users, access control and management, as well as system analysis and reports. Similar research studies, e.g., [16, 85, 167], have also highlighted preventive solutions for ransomware that are more or less the same for almost all of the malware samples, e.g., mail security, proper firewall configuration, etc.

Compared to the first category, several research studies in the literature are dedicated to “detecting / deceiving” ransomware, which we briefly survey in the following. As highlighted in [7], due to the increasing number of ransomware families and their various features (as we explained in Sect. 3), it takes some time for signature-based anti-malware/anti-virus products to detect new variants of ransomware. This is because anti-malware vendors need to collect and analyse new families of ransomware continuously and update their products with new signatures correspondingly. Moreover, simply looking for a list of file names, file extensions and file hashes would be of limited use in detection of a ransomware. Therefore, researchers advocate for better methods to detect and disrupt ransomware activities.

Several researchers concentrated on detecting ransomware by monitoring file system activities. In [14], Kharraz et al. suggest monitoring of API calls, monitoring of file system activities, and usage of decoy resources/files in order to detect ransomware attacks. In particular, they proposed to monitor changes in Master File Table (MFT) and type of I/O requests in the NTFS file system to recognize suspicious/known sequence of file system activities that illustrates a ransomware attack. The paper also underlines that recovery of the deleted files or the encryption keys would be possible in some cases. For example, for those families of ransomware that produce encryption keys locally on the victim machine, the key could be extracted by inspecting the memory. Moreover, in some cases it is possible to recover the deleted data by inspecting the MFT content. Similarly, Unveil [7], provides a dynamic analysis solution for Windows systems, which monitors the file system I/O activities and I/O data buffer entropy. Unveil considers several common activities between ransomware samples (e.g., displaying a persistent desktop message, random/selective encryption and deletion of user files), and deploys an artificial, yet realistic, user environment to monitor the interaction of the ransomware with the file system. Moreover, it monitors the user desktop in order to detect ransom note displaying, desktop-locking or other similar ransomware-related behaviours.

In the same line of study, CryptoDrop [8] provides an early-warning detection system by monitoring the changes on the user data. This study proposes a ransomware detection method based on the following file modification indicators: large number of changes in the file type, dissimilarity measure of the same file, high Shannon entropy, high number of file deletion, and the difference between the number of file type a process has read and written. Similarly, [168] provides an early detection framework utilizing behavioural and data-centric analysis. ShieldFs [169] also proposes a Windows kernel module in order to detect the ransomware attack, and degrade the attack effect by recovering the original files. Focus of the ShieldFs is on the I/O operations, and the detection is based on entropy of write operations, frequency of read, write, folder-listing, and renaming operations, dispersion of write operation per-file, and the file-type access statistics. ShieldFs also detects the usage of known cryptographic methods and injected malicious codes into a benign process. The proposed recovery method in ShieldFs is shadowing all the write operations, and reverting this action as soon as detecting a malicious process. Redemption [137], similar to previous approaches, proposes a real-time behavioural analysis of application’s interactions with the file system. Redemption provides an end-point framework as well as a remedial approach (by buffering all the files that have “write” access request). In fact, in order to meet the data consistency requirement of benign applications, it uses two-phase commit method for write operation on the files. The considered detection metrics include file entropy, file overwrite, delete, and renaming operations, folder-listing, and write access request frequency.

Compared to the previous detection methods, [170] monitors network traffic to detect a ransomware attack. In particular the proposed scheme distinguishes those ransomware samples that use DGA for C2 connection. The authors suggest the use of address verification through CA (Certificate Authority) for outgoing connections, as well as whitelisting and blacklisting. Moreover, some researchers adopt artificial intelligence methods in detecting ransomware attack. In [10] the authors utilize sequence pattern mining technique in order to extract ransomware features, which are then fed to several machine learning (ML) classifiers to detect ransomware. This work analyses file system, registry key and \(\mathtt {DLL}\) activities. Similarly, EldeRan [171] provides a dynamic analysis framework using ML algorithms in order to extract ransomware dynamic features. The extracted features (i.e., API calls, registry key operations, file system operations, directory operations, dropped files during installation, and strings embedded to the binary) are used later on for classification of applications in distinguishing between ransomware and benign application. Instead, CloudRps [172] proposes a cloud-based ransomware prevention and detection method relying on several monitoring components (i.e., server, network, and file monitoring). Each of the monitoring components perform static and dynamic analysis considering several behavioural features. Moreover, CloudRps provides an independent cloud-based information backup system to be used for file recovery in case of ransomware attack.

In contrary to the explained ransomware detection methods, some researchers focused on “deceiving” attackers by using Honeypot [173]. Honeypots are decoy resources/files that are deployed by the admin of a system to draw attention of attackers, and are generally used for monitoring and detecting unauthorised access to a network or system. The usage of honeypot could be a complement for regular network monitoring solutions, not a detection method per se.

Finally, some researchers also concentrated on providing solutions to “degrade / mitigate” ransomware attacks’ effect. The first and most important solution for data recovery is having proper backups, i.e., “multiple automatic regular properly protected backups that are not continuously addressable through operating system calls” as reported by ETSI [174]. Other solutions include memory investigation to extract encryption keys [14], MFT content check to extract the unencrypted data [14], and shadowing write operations to undo suspicious write operations [137, 169] as we explained earlier. Furthermore, PayBreak [175] proactively mitigates ransomware attack by securely storing all the symmetric encryption keys in an encrypted vault (using the user’s public key). As soon as detecting a ransomware attack, the victim is able to decrypt the vault with her private key and restore the encrypted files. Such a solution is efficient for those families of ransomware that adopt hybrid encryption methods (see Sect. 3.1.4). In [176], authors proposed the usage of software-defined networking (SDN) to mitigate ransomware attacks. The method basically focuses on those families of ransomware that adopt asymmetric encryption method, and proposes an SDN-based traffic monitoring solution to detect suspicious network traffic and block C2 communications, which leads to interruption in data encryption. This method requires pre-populated list of blaklisted proxy servers. Two other mitigation approaches proposed in [38] for scenarios that ransomware uses specific encryption methods: (i) if ransomware uses a weak chaining mode with the cipher algorithm (i.e., uses a unique key for encrypting all the files, and also encrypts all the newly added files with the same key), the encrypted data could be recovered; (ii) in case ransomware uses the standard CryptoAPI, integration of a patched \(\mathtt {DLL}\) in order to monitor and store the secrets will mitigate ransomware attack.

We recall that our focus in this paper is only on ransomware samples that target personal computers. Several research studies propose ransomware detection methods for mobile devices (such as [44, 177‐181]) and IoT devices (such as [9, 15]) that are out of the scope of this paper.

In this section we provide an overview of the existing survey/taxonomy papers both in the context of ransomware and malware in general.

During the final steps of preparing this paper we found a survey/taxonomy research paper on success factors of ransomware threat [182]. However, the research methodology considered in [182] is completely different from ours in several aspects: (1) we provide a dedicated analysis on crypto-ransomware families attacking personal computers, while [182] provides a general view of all kinds of ransomware families; (2) we provide an in-depth ransomware feature and behaviour taxonomy explaining different phases of a ransomware attack from an intruder point of view (based on the CKC model), while in [182] the authors consider a taxonomy based on severity, platform and target of ransomware attack, which provides a high level overview of the existing ransomware families, but not their malicious features; and (3) our last but not least difference with [182] is that we actually provide a systematized ransomware features taxonomy that was proposed as a future research direction in [182]. Other than that, several ad-hoc industrial security reports (such as [3, 21, 132, 183]) and a few scientific papers (such as [14, 16‐18, 170, 172, 184, 185]) provide ransomware timeline, a brief overview of ransomware structure, specification of some of the ransomware families, and some of the existing preventive/defensive methods.

Khattak et al. [127] present a taxonomy on Botnet behaviour and detection. In the behaviour taxonomy of [127], which is the most related literature study to our proposal, the authors categorised the Botnet behaviour in five categories, i.e., propagation, rallying, C&C, purpose, and evasion. Since the work in [127] is a comprehensive taxonomy in the field of Botnet, and it discusses also related work in the Botnet context, we omit inclusion of related work prior to 2014. Moreover, other survey papers related to Botnet, such as [186, 187], do not provide any feature taxonomy. Several survey papers exist in different domains of malware (excluding ransomware), such as malware interaction with operating systems [188], behavioural detection methods of malware samples [189], behaviours of the banking malware [190], mobile malware detection [191], and so on. While there are some similarities between these related work and our features taxonomy, there are two main differences: (i) as ransomware has specific objective (i.e., gaining money by encrypting/locking the victim data/system), we distinguish and provide features dedicated to ransomware (mostly in the weaponization, exploitation, installation and actions on objectives sections of our taxonomy); and (ii) our taxonomy is systematized based on CKC framework which makes it easier for cyber defenders to use it as a reference for standard defensive and process models, e.g., Courses of Action (CoA) Matrix [20], that are well-known and well-established within the operations of many organizations.

As it can be seen, compared to the state-of-the-art research papers, our proposed taxonomy provides an extensive overview of the crypto-ransomware behavioural aspects (those that are attacking personal computers), such that most of the past, present and (possibly) future ransomware families can be categorised based on this taxonomy.

Ransomware attack is on the rise, and we observe a large amount of data that are encrypted by ransomware everyday. We believe the main barrier in defending against ransomware is unstructured and comprehensive information about attack vectors and vulnerabilities, as well as ransomware behavioural understanding. In order to shed a light on this challenge, we proposed, to the best of our knowledge, the first taxonomy of ransomware features. Our provided taxonomy offers the ability to model ransomware attack methods and allows the assessment of malicious behaviours on as end-point devices. Such modeling could provide the basis for subsequent attack analysis and implementation of intrusion detection solutions and contribute in building and implementing secure systems. Security experts envision Supervisory Control and Data Acquisition (SCADA) infrastructure to be the near future target of the ransomware attackers [192], and suggest to take strict security measure in order to prevent a hazard [193]. Moreover, attacking Internet of Things (IoT) has been already started and there are several samples of ransomware threatening smart IoT devices, such as Flocker that infects smart TVs [194].

We envisage several interesting future research directions, as follows. A valuable future research direction would be adapting our features taxonomy with other ransomware samples, e.g., mobile ransomware or IoT ransomware, that we did not consider in this paper. Though we anticipate that their behavioural features would be more or less similar to what we provide in this work. Moreover, one may try to map the behavioural features that we extracted in this work to different families of ransomware (similar to what we provided in Table 1 in small scale) in order to categorise unseen samples. However, the main challenge will be analysing different versions of the same ransomware family, i.e., several families (such as Locky ransomware) have different versions that are emerging day by day and change their attack methods and features; though we would consider them belonging to the same family!