LockBit 2.0 Ransomware: Analysis of infection, persistence, prevention mechanism

Eliando, Eliando; Purnomo, Yunianto

doi:10.31154/cogito.v8i1.356.232-243

Cited by 10 publications

(11 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…LockBit uses several mechanisms to encrypt files and to evade from detection and other monitoring tools. It has four versions 15 that have different, individual behavior. It encrypts files with random extensions like .d2cE9C214, .kw33XQBp8, etc.…”

Section: Discussion and Surveymentioning

confidence: 99%

Understanding impacts of a ransomware on medical and health facilities by utilizing LockBit as a case study

Khan¹

2023

Security and Privacy

View full text Add to dashboard Cite

All forms of data are meant to be secured. The emergence of a variety of techniques and tactics utilized by malware authors has made recovery difficult. LockBit ransomware has been in the news and the APT behind deployment of this ransomware virus has compromised several organizations. It is important to understand the behavior of such malware, to identify the anti‐analysis stuff it performs and to block it. The APT involved compromised several health and medical facilities including AIIMS in India and Sick Kids Hospital in Canada. Ransomwares are highly impactful family of malware. Impacts may begin from confidential medical information being harvested over a C2 and can go up to rendering medical equipment useless. This article discusses compromised entities and defending strategies that can be used to block LockBit ransomware using any generic SIEM tool. It also explains the need for tools that can survive ransomware encryption, a restart command‐line and can detect the behavioral patterns of such malware. Several samples were collected from various sources; the identities of compromise were collected from strings and behavior of those samples. Several detection mechanisms including YARA, SNORT, and generic HUNT rules have also been discussed.

show abstract

Section: Discussion and Surveymentioning

confidence: 99%

Understanding impacts of a ransomware on medical and health facilities by utilizing LockBit as a case study

Khan¹

2023

Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Malware visualization, automatic feature extraction, and classification were all provided by MalFCS [ 29 ], a malware categorization mechanism. The malware binaries are represented as entropy graphs by the framework, which uses convolutional neural networks with deep layers to extract features.…”

Section: Related Workmentioning

confidence: 99%

“…The use of game theory and multi-tier streaming analytics models has been investigated to enhance the detection of 0-day ransomware attacks using machine learning [ 27 , 28 ]. Likewise, the analysis of ransomware attack behaviors and the development of prevention mechanisms have been crucial in understanding the impact of ransomware, such as the LockBit 2.0 ransomware, and devising strategies to avoid such attacks [ 29 ]. Additionally, the use of predictive analysis and context-aware AI in IoT systems has been proposed to predict and detect ransomware penetration attempts in resource-constrained IoT environments [ 30 ].…”

Section: Introductionmentioning

confidence: 99%

eMIFS: A Normalized Hyperbolic Ransomware Deterrence Model Yielding Greater Accuracy and Overall Performance

Alqahtani,

Sheldon

2024

Sensors

View full text Add to dashboard Cite

Early detection of ransomware attacks is critical for minimizing the potential damage caused by these malicious attacks. Feature selection plays a significant role in the development of an efficient and accurate ransomware early detection model. In this paper, we propose an enhanced Mutual Information Feature Selection (eMIFS) technique that incorporates a normalized hyperbolic function for ransomware early detection models. The normalized hyperbolic function is utilized to address the challenge of perceiving common characteristics among features, particularly when there are insufficient attack patterns contained in the dataset. The Term Frequency–Inverse Document Frequency (TF–IDF) was used to represent the features in numerical form, making it ready for the feature selection and modeling. By integrating the normalized hyperbolic function, we improve the estimation of redundancy coefficients and effectively adapt the MIFS technique for early ransomware detection, i.e., before encryption takes place. Our proposed method, eMIFS, involves evaluating candidate features individually using the hyperbolic tangent function (tanh), which provides a suitable representation of the features’ relevance and redundancy. Our approach enhances the performance of existing MIFS techniques by considering the individual characteristics of features rather than relying solely on their collective properties. The experimental evaluation of the eMIFS method demonstrates its efficacy in detecting ransomware attacks at an early stage, providing a more robust and accurate ransomware detection model compared to traditional MIFS techniques. Moreover, our results indicate that the integration of the normalized hyperbolic function significantly improves the feature selection process and ultimately enhances ransomware early detection performance.

show abstract

“…iv. LockBit [29] is a file-encrypting ransomware that uses a combination of RSA and AES encryption algorithms to encrypt the victim's files. Once the files are encrypted, the ransomware displays a ransom note, demanding payment in exchange for the decryption key.…”

Section: Focused Ransomware Variantsmentioning

confidence: 99%

Securing IoT Devices Running PureOS from Ransomware Attacks: Leveraging Hybrid Machine Learning Techniques

et al. 2023

View full text Add to dashboard Cite

Internet-enabled (IoT) devices are typically small, low-powered devices used for sensing and computing that enable remote monitoring and control of various environments through the Internet. Despite their usefulness in achieving a more connected cyber-physical world, these devices are vulnerable to ransomware attacks due to their limited resources and connectivity. To combat these threats, machine learning (ML) can be leveraged to identify and prevent ransomware attacks on IoT devices before they can cause significant damage. In this research paper, we explore the use of ML techniques to enhance ransomware defense in IoT devices running on the PureOS operating system. We have developed a ransomware detection framework using machine learning, which combines the XGBoost and ElasticNet algorithms in a hybrid approach. The design and implementation of our framework are based on the evaluation of various existing machine learning techniques. Our approach was tested using a dataset of real-world ransomware attacks on IoT devices and achieved high accuracy (90%) and low false-positive rates, demonstrating its effectiveness in detecting and preventing ransomware attacks on IoT devices running PureOS.

show abstract

LockBit 2.0 Ransomware: Analysis of infection, persistence, prevention mechanism

Cited by 10 publications

References 12 publications

Understanding impacts of a ransomware on medical and health facilities by utilizing LockBit as a case study

Understanding impacts of a ransomware on medical and health facilities by utilizing LockBit as a case study

eMIFS: A Normalized Hyperbolic Ransomware Deterrence Model Yielding Greater Accuracy and Overall Performance

Securing IoT Devices Running PureOS from Ransomware Attacks: Leveraging Hybrid Machine Learning Techniques

Contact Info

Product

Resources

About