2015 | Original Paper | Book Chapter

Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks

Authors: Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge, Engin Kirda

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing


Abstract

In this paper, we present the results of a long-term study of ransomware attacks observed in the wild between 2006 and 2014. We also provide a holistic view of how ransomware attacks have evolved during this period by analyzing 1,359 samples that belong to 15 different ransomware families. Our results show that, despite continuous improvement in the encryption, deletion, and communication techniques of the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim’s computer desktop or attempts to encrypt or delete the victim’s files using only superficial techniques. Our analysis also suggests that stopping advanced ransomware attacks is not as complex as has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination of the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.
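The abstract's defensive claim rests on two observable signals: a burst of destructive I/O requests (writes, deletes, renames) over many distinct files by one process, and any attempt to write to the NTFS Master File Table. The following Python snippet is an added illustration of that idea and is not code from the paper or its authors; the I/O trace format (`<ms> <pid> <op> <path>`), the sample trace itself, the thresholds, and the function names are all constructed for this example.

```python
import re
from collections import defaultdict, deque

# Constructed sample I/O request trace (not data from the paper).
# Process 4120 edits two documents; process 880 reads each picture, writes an
# encrypted copy, deletes the original, and finally tries to write to $MFT.
SAMPLE_TRACE = """\
1000 4120 WRITE C:\\Users\\alice\\Documents\\report.docx
1020 4120 WRITE C:\\Users\\alice\\Documents\\budget.xlsx
1300 880 READ C:\\Users\\alice\\Pictures\\holiday1.jpg
1310 880 WRITE C:\\Users\\alice\\Pictures\\holiday1.jpg.crypt
1315 880 DELETE C:\\Users\\alice\\Pictures\\holiday1.jpg
1320 880 READ C:\\Users\\alice\\Pictures\\holiday2.jpg
1330 880 WRITE C:\\Users\\alice\\Pictures\\holiday2.jpg.crypt
1335 880 DELETE C:\\Users\\alice\\Pictures\\holiday2.jpg
1340 880 READ C:\\Users\\alice\\Pictures\\holiday3.jpg
1350 880 WRITE C:\\Users\\alice\\Pictures\\holiday3.jpg.crypt
1355 880 DELETE C:\\Users\\alice\\Pictures\\holiday3.jpg
1360 880 READ C:\\Users\\alice\\Pictures\\holiday4.jpg
1370 880 WRITE C:\\Users\\alice\\Pictures\\holiday4.jpg.crypt
1375 880 DELETE C:\\Users\\alice\\Pictures\\holiday4.jpg
2400 880 WRITE C:\\$MFT
"""

# One trace line: timestamp in ms, pid, operation, path (hypothetical format).
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(READ|WRITE|DELETE|RENAME)\s+(.+)$")

DESTRUCTIVE_OPS = {"WRITE", "DELETE", "RENAME"}


def parse_trace(text):
    """Parse the constructed trace into (ts_ms, pid, op, path) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, pid, op, path = m.groups()
            events.append((int(ts), int(pid), op, path))
    return events


def detect(events, window_ms=1000, max_distinct_files=5):
    """Return alerts as (pid, reason) in the order they fire.

    - "mft_write": any WRITE/DELETE aimed at the MFT is reported immediately
      (the abstract's "protecting the MFT" point); a real monitor would block it.
    - "mass_modification": a process touched >= max_distinct_files distinct
      paths with destructive operations inside a sliding window of window_ms.
    Thresholds are illustrative and would need tuning against benign workloads.
    """
    alerts = []
    recent = defaultdict(deque)  # pid -> deque of (ts, path) for destructive ops
    flagged = set()              # pids already reported for mass modification
    for ts, pid, op, path in events:
        if op in DESTRUCTIVE_OPS and path.upper().endswith("$MFT"):
            alerts.append((pid, "mft_write"))
            continue
        if op not in DESTRUCTIVE_OPS:
            continue
        q = recent[pid]
        q.append((ts, path))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window_ms:
            q.popleft()
        distinct_paths = {p for _, p in q}
        if len(distinct_paths) >= max_distinct_files and pid not in flagged:
            flagged.add(pid)
            alerts.append((pid, "mass_modification"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(parse_trace(SAMPLE_TRACE)):
        print(f"pid {pid}: {reason}")
```

Running it reports process 880 twice (first for the burst of distinct-file writes and deletes, then for the MFT write) and says nothing about process 4120, whose two writes stay under the threshold. The caveat a practitioner would raise is false positives: backup agents, compilers, and archive extractors also touch many files quickly, so the distinct-file threshold and window need calibration per environment, while the MFT rule can be enforced unconditionally because no ordinary application writes to the MFT directly.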


Metadata
Title
Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks
Authors
Amin Kharraz
William Robertson
Davide Balzarotti
Leyla Bilge
Engin Kirda
Copyright year
2015
DOI
https://doi.org/10.1007/978-3-319-20550-2_1