Techniques and solutions for addressing ransomware attacks

Kharraz, Amin

doi:10.17760/d20289366

Cited by 5 publications

(5 citation statements)

References 27 publications

(41 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the second approach, which uses dynamic analysis, one method was to capture all the processes performed by the ransomware in a sandbox. One of the most notable actions of crypto-ransomware was the encryption operation, which generated a high repetition of file system activities that can be tracked by the monitoring I/O operation [16][17][18][19].…”

Section: Literature Reviewmentioning

confidence: 99%

Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm

et al. 2019

View full text Add to dashboard Cite

Ransomware is a relatively new type of intrusion attack, and is made with the objective of extorting a ransom from its victim. There are several types of ransomware attacks, but the present paper focuses only upon the crypto-ransomware, because it makes data unrecoverable once the victim’s files have been encrypted. Therefore, in this research, it was proposed that machine learning is used to detect crypto-ransomware before it starts its encryption function, or at the pre-encryption stage. Successful detection at this stage is crucial to enable the attack to be stopped from achieving its objective. Once the victim was aware of the presence of crypto-ransomware, valuable data and files can be backed up to another location, and then an attempt can be made to clean the ransomware with minimum risk. Therefore we proposed a pre-encryption detection algorithm (PEDA) that consisted of two phases. In, PEDA-Phase-I, a Windows application programming interface (API) generated by a suspicious program would be captured and analyzed using the learning algorithm (LA). The LA can determine whether the suspicious program was a crypto-ransomware or not, through API pattern recognition. This approach was used to ensure the most comprehensive detection of both known and unknown crypto-ransomware, but it may have a high false positive rate (FPR). If the prediction was a crypto-ransomware, PEDA would generate a signature of the suspicious program, and store it in the signature repository, which was in Phase-II. In PEDA-Phase-II, the signature repository allows the detection of crypto-ransomware at a much earlier stage, which was at the pre-execution stage through the signature matching method. This method can only detect known crypto-ransomware, and although very rigid, it was accurate and fast. The two phases in PEDA formed two layers of early detection for crypto-ransomware to ensure zero files lost to the user. However in this research, we focused upon Phase-I, which was the LA. Based on our results, the LA had the lowest FPR of 1.56% compared to Naive Bayes (NB), Random Forest (RF), Ensemble (NB and RF) and EldeRan (a machine learning approach to analyze and classify ransomware). Low FPR indicates that LA has a low probability of predicting goodware wrongly.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm

et al. 2019

View full text Add to dashboard Cite

show abstract

“…These includes Eternal Blue, default admin password on web server, and vulnerabilities in restful web service, Modbus serial and TCP, objective C program that speaks NI-PSP and custom VI that interacts with a python script. Eternal Blue: [15,16] This is an exploit that focuses on Microsoft Windows and used for the wannacry ransomware attack in 2017. EternalBlue [17] is vulnerability in server message block (SMB) protocol.…”

Section: Vulnerability Assessment In Wadimentioning

confidence: 99%

Investigation of Cyber Attacks on a Water Distribution System

Adepu¹,

Palleti²,

Mishra³

et al. 2019

Preprint

View full text Add to dashboard Cite

A Cyber Physical System (CPS) consists of cyber components for computation and communication, and physical components such as sensors and actuators for process control. These components are networked and interact in a feedback loop. CPS are found in critical infrastructure such as water distribution, power grid, and mass transportation. Often these systems are vulnerable to attacks as the cyber components such as Supervisory Control and Data Acquisition workstations, Human Machine Interface and Programmable Logic Controllers are potential targets for attackers. In this work, we report a study to investigate the impact of cyber attacks on a water distribution (WADI) system. Attacks were designed to meet attacker objectives and launched on WADI using a specially designed tool. This tool enables the launch of single and multi-point attacks where the latter are designed to specifically hide one or more attacks. The outcome of the experiments led to a better understanding of attack propagation and behavior of WADI in response to the attacks as well as to the design of an attack detection mechanism for water distribution system.

show abstract

“…An investigation of common characteristics of ransomware attacks was done by Kharraz [8] to detail its interaction with the file system. A monitoring tool to capture input/output (I/O) requests was developed to describe how malicious process interacts with file systems.…”

Section: Monitoring Ransomwarementioning

confidence: 99%

A Three-Level Ransomware Detection and Prevention Mechanism

Ren¹,

Liang²,

Hyug³

et al. 2018

EAI Endorsed Transactions on Energy Web

View full text Add to dashboard Cite

Ransomware encrypts victim's files or locks users out of the system. Victims will have to pay the attacker a ransom to decrypt and regain access to the user files. Petya targets individuals and companies through email attachments and download links. NotPetya has worm-like capabilities and exploits EternalBlue and EternalRomance vulnerabilities. Protection methods include vaccination, applying patches, et cetera. Challenges faced to combat ransomware include social engineering, outdated infrastructures, technological advancements, backup issues, and conflicts of standards. Three-Level Security (3LS) is a solution to ransomware that utilizes virtual machines along with browser extensions to perform a scan, on any files that the user wishes to download from the Internet. The downloaded files would be sent over a cloud server relay to a virtual machine by a browser extension. Any changes to the virtual machine after downloading the file would be observed, and if there were a malfunction in the virtual machine, the file would not be retrieved to the user's system.

show abstract

Techniques and solutions for addressing ransomware attacks

Cited by 5 publications

References 27 publications

Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm

Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm

Investigation of Cyber Attacks on a Water Distribution System

A Three-Level Ransomware Detection and Prevention Mechanism

Contact Info

Product

Resources

About