
A Seminar On

“Ransomware Detection and Mitigation”

For the Partial Fulfilment of the Award of the Degree of Bachelor of
Computer Application of Veer Narmad South Gujarat University, Surat

Bachelor of Computer Application [B.C.A] Semester – VI

By
Ankit Jaiswal
Exam No[]

Guided By
Dr. Priyanka Mehta

DEVIBA INSTITUTE OF COMPUTER APPLICATION, SABARGAM

Year : 2024-2025
AMBABA COMMERCE COLLEGE, MANIBA INSTITUTE OF BUSINESS MANAGEMENT &
DEVIBA INSTITUTE OF COMPUTER APPLICATION, SABARGAM (Self Finance)
At. Sabargam, Po. Niyol, Tal. Choryasi, Surat-394 325.
Managed By Shree Dakshin Gujarat Shikshan Samaj, Kumbharia

Certificate

This is to certify that Ankit Vinod bhai Jaiswal, Exam Seat Number: _ have/has
satisfactorily presented their seminar work entitled “Ransomware Detection and
Mitigation” as a partial fulfillment of requirements for 6th Semester – B.C.A.,
during the academic Year 2024-2025.

Guide Name: Dr. Priyanka Mehta

Dr. Falguni M Thakkar
Principal
Ambaba Commerce College, MIBM &
Deviba Institute of Computer Application, Sabargam
Date :
Place : Sabargam, Surat
Acknowledgement

I would like to express my deepest gratitude to everyone who supported me throughout the
course of this project on ransomware detection and mitigation.
First and foremost, I am thankful to Sabargam College for providing the resources and
facilities required to carry out this research.
I am sincerely grateful to Dr. Priyanka Mehta Ma’am, whose guidance, expertise, and
constructive feedback were invaluable in shaping this work. Their insights into cybersecurity
and ransomware prevention strategies significantly contributed to the depth and quality of
this study.
Finally, I extend my heartfelt appreciation to my family and friends for their unwavering
encouragement and understanding, which gave me the strength to complete this work.
This endeavor would not have been possible without the contributions, advice, and
encouragement from all these individuals and entities.
Thank you all for your invaluable support.

INDEX

Sr No   Description                                        Page no
1       Introduction                                       6
1.1     Motivation of the Study                            7
2       Background                                         8
2.1     How Deadly the Ransomware Is?                      8
2.2     Ransomware Sources                                 9
2.3     Ransomware Types                                   10
2.4     Ransomware Operation                               11
2.5     The Role of Cryptocurrencies                       13
3       State-of-the-Art                                   14
4       The DAM Framework for Ransomware Defense           16
4.1     Detection Techniques                               17
4.2     Ransomware Avoidance Techniques                    20
4.3     Ransomware Mitigation Techniques                   22
5       Future Directions in Ransomware Protection         23
6       Conclusions                                        26
7       References                                         27
Abstract

Ransomware attacks have emerged as a major cyber-security threat wherein user data is
encrypted upon system infection. The latest Ransomware strands, using advanced obfuscation
techniques along with offline C2 server capabilities, are hitting individual users and big
corporations alike. This problem has caused business disruption and, of course, financial loss.
Since there is no consolidated framework that can classify, detect and mitigate
Ransomware attacks in one go, we are motivated to present Detection Avoidance Mitigation
(DAM), a theoretical framework to review and classify techniques, tools, and strategies to
detect, avoid and mitigate Ransomware. We have thoroughly investigated different scenarios
and compared the existing state-of-the-art review research against ours.

Keywords: Ransomware; cryptography; WannaCry; malware; Ransomware detection.

1. Introduction

Increased connectivity and digitization have facilitated cyber-criminals in designing and
launching large-scale cyber-attacks targeting individuals and corporations worldwide.
While individual naivete and lack of awareness enable these attacks to bypass basic
security mechanisms, security vulnerabilities in the IT systems of small and large
corporations are increasingly being exploited to cause business disruptions. The cyber-
attack canvas keeps expanding rapidly as cyber-criminals consistently circumvent
security provisions designed and deployed by organizations. Increasingly, the target of
the attacks is data that is critical to individuals and organizations alike. Threat actors are
cashing in on opportunities that help them seize control of valuable data and demand a
ransom from the data owner. Ransomware is a form of malware that infects a computer or
multiple computers over a network, encrypting files and folders and rendering them unusable.
Users are then prompted for a ransom, typically to be paid in cryptocurrency. Ransomware
is not a new threat, but its use is surging and causing heavy financial losses all over the
world. It is a major challenge for cyber-security analysts and reverse engineers, as
typical Ransomware is not detected by anti-virus software due to its polymorphic nature.
According to one report, almost 51% of the organizations worldwide were hit by highly
sophisticated Ransomware attacks in 2020. These attacks were using advanced command
and control servers, making them challenging to reverse engineer. Among all the
countries studied in the report, India was affected the most by the deadly Ransomware
attacks, with almost eighty-two percent of organizations being hit by Ransomware.
Netwalker is one of the newest and most dangerous Ransomware strands. Its popularity
stems from its method of propagation: phishing emails related to COVID-19 lure the
victim into downloading the attachments, resulting in the execution of the portable binaries
and system infection. In February 2021, the latest Ransomware strand, Zeoticus 2.0, successor
to the infamous strand Zeoticus, was released. Zeoticus 2.0 has raised the stakes since it is
now proving extremely hard to control and mitigate. It can execute completely offline
without requiring any command and control server. For receiving the ransom payment,
Zeoticus uses highly secure and encrypted Proton Mail accounts to evade tracing.
The history of Ransomware dates back to the late 1980s. The first Ransomware, named the
Acquired Immunodeficiency Syndrome (AIDS) Trojan, was released via a floppy disk.
The AIDS Trojan contained a program that would count the number of times a computer
system was started, and once this count reached the number 90, all of the files would be
encrypted. The only way to be able to use them again was to pay a ransom amount of
$189. During the early days, Ransomware authors attacked victims to showcase their
technical prowess. It was not until the early 2000s that cyber-criminals began to exploit
users for financial gains as data gained primacy. In 2004, a Ransomware strand named
GPCode was released. GPCode infected Windows machines via e-mail attachments. It
used a 660-bit RSA key to encrypt files and folders. Since then, Ransomware families
like WannaCry, Cerber, Petya, etc., have evolved and caused monetary damage worth
billions of dollars. Figure 1 depicts a timeline of the prevalence of Ransomware families.

Figure 1. Ransomware timeline and trends.

1.1. Motivation of the Study

The motivation of this study is as follows:
- There is a sudden surge in extremely dangerous Ransomware attacks that have
  crippled businesses and individuals alike. Ransomware poses a high threat
  and needs to be tackled at a global level.
- The existing literature contains solutions for mitigating either specific
  Ransomware or proposes generic solutions. A comprehensive analysis
  encompassing issues in securing individual users and corporations is lacking.
- Ransomware avoidance techniques are the most effective and need specialized
  focus, as mitigation and recovery from Ransomware are increasingly complex.

2. Background

2.1. How Deadly the Ransomware Is?

Ransomware is considered one of the most dangerous variants of malware. This is
primarily because it does not even require much user interaction for privilege escalation.
Even the usage of industry-standard tools and technologies has not been able to contain
the wrath of Ransomware. Once Ransomware infects the device, it becomes impossible
for the victim to access the files. Because the ransom is paid using cryptocurrency,
there is no way to track the perpetrators of the Ransomware attacks. Figure 2 illustrates
the monetary damage caused by Ransomware in the year 2020 as compared to its
predecessors.

Figure 2. Ransomware damage over the recent years.

2.2. Ransomware Sources

Ransomware propagates primarily due to a lack of Cyber-hygiene at the individual level.
Cyber-hygiene refers to all aspects of online safety, including browsing behavior,
availability and consistent updating of antivirus software, installing third-party software,
and user awareness. Cyber-hygiene must be practiced to keep Ransomware and other
strands of malware away. Despite improving security standards and protocols,
Ransomware families have managed to penetrate the defense systems of organizations,
governments, and individual users. Some of the main sources of Ransomware include:

2.2.1. Email Attachments

Email attachments usually contain Portable Document Format (PDF) documents,
voicemails, images, e-invites, etc. These attachments contain embedded malicious files
hidden using various steganographic techniques. Ransomware perpetrators use techniques that
make an email look like it was sent from a trusted and known sender. There are various
tools available through which attackers with no technical knowledge can craft malicious
emails.

2.2.2. Removable Media

Removable media is not considered an entry point for Ransomware by many.
However, Tischer et al. conducted a survey revealing that people are really intrigued by
what might be on a random Universal Serial Bus (USB) drive lying in a public
place. A lot of organizations that did not disable USB ports have been hit by
Ransomware via this mode.

2.2.3. Malvertising

Malvertising is the organized practice of infecting the advertising infrastructure that
websites use for displaying online advertisements. Malvertising has proved to be another
popular technique for infecting systems with Ransomware. It has infected systems even
via browsing trusted sites like British Broadcasting Corporation (BBC) News, America
Online (AOL) and Microsoft Network (MSN). It tricks the browser into downloading
malicious files automatically. Exploit rootkits like Angler, Magnitude and
Nuclear are then able to help the attacker gain access to the victim’s device.

2.2.4. Social Media & SMS

This type of Ransomware propagation falls under the category of social engineering,
where the victim is lured into clicking links that they should not. Attackers use the
technique of Uniform Resource Locator (URL) shortening in order to obscure the
original link. Users with poor Cyber-hygiene are lured into clicking these links.
Sometimes, users also receive SMS messages that convey urgency and push them into
clicking those links.

2.2.5. Ransomware as a Service

Like other hosting services on the Dark Web that offer anonymity, Ransomware-as-a-
Service (RaaS) has emerged as a marketplace exclusively for attackers with insufficient
programming skills to easily propagate Ransomware. The RaaS service providers either
take a cut from the buyer or charge service usage fees.

2.3. Ransomware Types

There are mainly two prevalent types of Ransomware, known as Crypto Ransomware and
Locker Ransomware.

2.3.1. Crypto Ransomware

Crypto Ransomware uses encryption algorithms to encrypt the victims’ data using one of
two approaches. In the case of a symmetric algorithm, there is just one key that is used for
both encryption and decryption. The second approach, which is more prevalent, is the
asymmetric algorithm, through which the data is encrypted using a public key and the
victim can only get their data back when they pay for the decryption key. Over the years,
attackers have made it difficult for reverse engineers trying to decrypt the data without
paying the ransom. Attackers now use a combination of both symmetric and asymmetric
algorithms to make the decryption process more challenging. The victim’s data is encrypted
using a symmetric algorithm due to its speed. Then, the key used is encrypted using the
public key possessed by the malicious actor.

2.3.2. Locker Ransomware

As the name indicates, Locker Ransomware locks the device instead of encrypting
the files and folders. Upon being infected, the victim’s device is prevented from being
accessed. The data inside is untouched. This type of Ransomware is less effective than
Crypto Ransomware, because the data can still be accessed by moving the storage device
to another computer.

2.4. Ransomware Operation

The various phases of Ransomware operation as shown in Figure 4 are detailed below:

2.4.1. Infection

The first stage is the spread of the Ransomware to the victim’s device. As discussed in
the earlier section, there are multiple sources through which Ransomware finds an
infection vector. In this stage, the strategy of the attacker is to get their Ransomware
downloaded on the victim’s machine. This stage is heavily dependent on the victim’s
activities and overall Cyber-hygiene. If the potential victim is cyber-aware, then it is
highly possible that the Ransomware won’t be able to infect the system.

2.4.2. Encryption/Locking

Upon infection, the Ransomware starts performing its programmed sequence of
actions depending on its type. A very strong property of recent Ransomware strands is
that they contact a central command-and-control (C2C) server, which makes automation
of the process simple for the attacker. The C2C server also acts as a repository
through which different victims can download their decryption keys after making the
payment. After the first stage, the cryptographic keys are generated on either the victim’s
Personal Computer (PC) or in the C2C server. The attacker then proceeds to lock the files
and folders, or can straight away alter the master boot record so that the victim is unable to
access their device.

2.4.3. Demand

During the third stage, a message starts getting displayed on the screen, which
demands a ransom amount from the victim so that they can get access back to their
system. The attacker provides a Bitcoin address for the payment of the ransom. This
increases the difficulty for law enforcement agencies to trace the payment back to the
attacker.

2.4.4. Result

After the third stage, it is up to the user whether to pay the ransom amount or not.
There are three outcomes that result at this stage. If the victim decides to pay the ransom,
then they will be provided with a decryption key to unlock access back to their devices.
Another outcome results when the victim has strong technical skills or can take the
help of reverse engineers to reverse the Ransomware operations and get the files back.
The third outcome results from the situation when the victim is unable to pay the ransom.
This results in permanent damage and complete loss of data.

Figure 3. Typical Ransomware sequence of operations.

2.5. The Role of Cryptocurrencies

In the early days of Ransomware, attackers would demand money in the form of
direct bank deposit or via money transfer agencies. These methods of payment could
be traced back to the attacker. Since the emergence of cryptocurrencies, Ransomware
attacks have exploded. This is largely due to the fact that cryptocurrencies introduce
the concept of anonymity. Cryptocurrencies facilitate the creation of strong
Ransomware which, instead of deploying a direct one-to-one payment method, uses a
third-party payment gateway so that the risk of being traced is minimized. The first
ever Ransomware that proved to be really strong in terms of maintaining anonymity
and use of a well-built encryption algorithm was CTB Locker. CTB Locker stood for
Curve, The Onion Routing (TOR) and Bitcoin locker. It used elliptic curve
cryptography to encrypt the data, the TOR protocol for anonymous
communication between the victim and the attacker, and Bitcoin as a payment method
for paying the ransom in a way that the transfer wouldn’t be traced. Usually, when a
cryptocurrency is set up as a payment method, an attacker passively watches the
blockchain, the enabler for cryptocurrencies, to check whether the ransom amount has been
paid or not. Once the payment is made, the process of sending the decryption key to
the victim can be initiated via automation. This puts the theory of anonymity and un-
traceability into practice. Cryptocurrencies also play a very important role in the
distribution of Ransomware via the dark web. Script kiddies make use of platforms
like RaaS to buy customized strands from exploit developers. Evidence suggests that
most of the Ransomware families, such as WannaCry, have been successful because of
the un-traceability provided to cyber-criminals by cryptocurrencies.

3. State-of-the-Art

Researchers, cyber-security firms and government agencies have researched all
aspects of Ransomware propagation and operation and devised effective combat
techniques. Although a few of them were adopted by organizations and governments,
most of the frameworks have not proved successful in practice. This is due to the fact
that security is multi-dimensional, encompassing network security, data security,
application security and finally individual Cyber-hygiene practices. It is therefore
extremely challenging to design blanket security solutions. Several works have
reviewed the impact of Ransomware and summarized techniques to counter its threat.
Since our work is focused on summarizing the existing detection, avoidance and
mitigation techniques while providing insights to improve countermeasures, a
comparative analysis with existing review papers is provided in Table 1.

Table 1. Comparative analysis of the proposed survey with the state-of-the-art surveys on Ransomware detection,
avoidance, and mitigation.

Researcher: Aurangzeb et al.
Contribution: Evaluated attack methodologies for Windows based Ransomware families.
Pros: The authors discussed all possible exploit vectors and kits used in the creation of Windows based Ransomware families.
Cons: They did not specifically propose any technical solutions required to counter Ransomware.

Researcher: Tailor et al.
Contribution: Analyzed different encryption techniques used by modern Ransomware strands so as to develop better detection strategies.
Pros: The authors presented a comprehensive overview of different encryption techniques used by both Locker and Crypto Ransomware families.
Cons: Techniques proposed by the authors could include some implementation based details for effective detection of Ransomware.

Researcher: Tandon et al.
Contribution: Explained the modus operandi and architecture of typical Ransomware attacks.
Pros: The authors gave a detailed view of the MS-017 exploit and how it eventually used DoublePulsar to cause the spread of WannaCry.
Cons: Discussions are presented in the context of a single Ransomware. Broad-based countermeasure strategies are not provided.

Researcher: Genç et al.
Contribution: Discussed the current Ransomware mitigation strategies and evaluated their effectiveness.
Pros: The authors explained the latest ransomware strands which can be generated using rootkits, in addition to Ransomware of things.
Cons: Novel mitigation strategies for obfuscated Ransomware strands are not suggested.

Researcher: Oz et al.
Contribution: The authors summarized all the different Ransomware families based on the exploits that helped them propagate.
Pros: The tables and the summaries presented by the authors can be adopted by researchers to create new mitigation frameworks.
Cons: The authors did not discuss the solutions with respect to the latest families that use offline encryption techniques.

Researcher: Kok et al.
Contribution: The authors’ research was focused on finding out the effectiveness of preexisting detection techniques and thus highlighted the requirement of an ML based solution to create better detection techniques.
Pros: The authors explained the Ransomware lifecycle in a novel manner and mapped it to the different techniques to find out their effectiveness.
Cons: The authors outlined an ML based solution using linear regression but did not technically explain its effectiveness over existing solutions.

Researcher: The proposed survey
Contribution: The authors discuss all possible Ransomware propagation techniques and put forth a Ransomware avoidance Continuum that can be adopted by organizations and individuals alike.
Pros: The authors presented a good overview of the adversary methodologies and performed a case study of one of the recent Ransomware strands, Djvu. Novel suggestions are put forth to contain the spread of Ransomware.
Cons: -

4. The DAM Framework for Ransomware Defense

We propose the DAM framework to classify potential defense techniques, tools and
strategies for countering the menace of Ransomware.

4.1. Detection Techniques

Various Ransomware detection techniques have been proposed by both academic
researchers and industrial security experts. Some of them are currently in use as well.
These techniques mostly work via static or dynamic analysis of the executable suspected
to be Ransomware. Static analysis of an executable is performed through examination of
the code without actually running the executable. Static analysis of a binary consists of
static linking, locating American Standard Code for Information Interchange (ASCII) strings,
packer detection and memory relocation. Dynamic analysis is performed after execution
of the suspected Ransomware. During its execution, the actions and system calls made by
the suspected file are recorded, and based on this information a final report is generated.
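Two of the static checks listed above, locating ASCII strings and packer detection, can be shown in a few dozen lines. The following is an added example written for this seminar, not code from any of the tools the survey discusses: it runs a `strings`-style scan and a per-chunk Shannon entropy check over a constructed byte buffer that stands in for a binary (readable strings followed by a random high-entropy blob). The marker list, the 1024-byte chunk size and the 7.2 bits/byte threshold are assumptions chosen for illustration.

```python
import math
import random
import re
from typing import Dict, List

# Constructed sample "binary" (not a real executable): a few readable
# strings separated by NUL bytes, followed by 4096 pseudo-random bytes that
# stand in for a packed or encrypted section. Seeded so the output is stable.
def constructed_sample() -> bytes:
    rng = random.Random(1234)
    clear = (b"\x00" * 16
             + b"kernel32.dll\x00"
             + b"CryptEncrypt\x00"
             + b"Your files have been encrypted\x00"
             + b"README_FOR_DECRYPT.txt\x00"
             + b"\x00" * 16)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return clear + packed

def extract_ascii_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def high_entropy_chunks(data: bytes, chunk: int = 1024,
                        threshold: float = 7.2) -> List[int]:
    """Offsets of fixed-size chunks whose entropy exceeds the packer threshold.
    Plain code and text sit well below 7 bits/byte; packed or encrypted data
    sits close to 8, so sustained high entropy is the classic packer hint."""
    return [off for off in range(0, len(data), chunk)
            if shannon_entropy(data[off:off + chunk]) > threshold]

# Assumed marker substrings; a real triage list would be far longer.
SUSPICIOUS_MARKERS = ("CryptEncrypt", "encrypted", "DECRYPT")

def static_triage(data: bytes, chunk: int = 1024) -> Dict:
    """Combine the string scan and the entropy scan into one report."""
    strings = extract_ascii_strings(data)
    hits = [s for s in strings if any(m in s for m in SUSPICIOUS_MARKERS)]
    chunks = high_entropy_chunks(data, chunk=chunk)
    return {
        "strings": strings,
        "suspicious_strings": hits,
        "high_entropy_chunks": chunks,
        "overall_entropy": round(shannon_entropy(data), 3),
        # Flag as likely packed when more than half the file is high entropy.
        "likely_packed": len(chunks) * chunk > len(data) / 2,
    }

if __name__ == "__main__":
    report = static_triage(constructed_sample())
    print("suspicious strings:", report["suspicious_strings"])
    print("high-entropy chunk offsets:", report["high_entropy_chunks"])
    print("overall entropy:", report["overall_entropy"],
          "likely packed:", report["likely_packed"])
```

The random blob will also yield a handful of junk "strings" (five printable bytes in a row occur by chance), which is exactly what a real `strings` pass on a packed section looks like; the marker match and the entropy profile are what carry the signal, and a packed sample with no readable markers is the case in which, as the text notes for CRSTATIC, pure static checks start to fail.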

4.1.1. Static Analysis

Subedi et al. proposed a methodology that would utilize static analysis as an
approach to detect Ransomware. The approach followed by the researchers contained a
framework that would first reverse engineer the PE file using assembly language and then
subsequently apply Dynamic-Link Library (DLL) and function call extraction on the
PE file. The framework was developed as a tool called CRSTATIC. They analyzed forty-
three Ransomware samples with CRSTATIC using different parameters. This work was
able to differentiate between Ransomware and normal programs via a cosine similarity
graph based on assembly instructions. Although relatively new, CRSTATIC cannot
detect the latest ransomware families, which deploy signature evasion techniques. Despite
its drawbacks, CRSTATIC used pre-parse, a lightweight parser that could detect
malicious PE files with respect to different parameters like relocations and byte read
operations. CRSTATIC was not able to detect Locker Ransomware families.
Zheng et al. devised a tool called GreatEatlon for detecting Android Ransomware. This
tool was created by combining the features present in Heldroid, APKTool and other open
source analysis tools. GreatEatlon used four stages to identify the presence of
Ransomware on an Android device. The first stage was to follow the code flows of an
executable suspected to be Ransomware. Any Ransomware’s first line of action is to
find the files it wants to encrypt. GreatEatlon was easily able to identify the path of
Ransomware by utilizing an extension of FlowDroid, a state-of-the-art technique used for
analyzing code flows of Android applications. GreatEatlon then passed the executable
through the second stage, in which DeviceAdmin APIs were inspected when the
executable was allowed to run. If the APIs were misused by the executable to escalate its
privileges, then it would be flagged as malicious. The last two stages deployed static and
manual analysis techniques to finally identify the behavior of the suspected executable
file.
Hsiao et al. conducted reverse engineering experiments on the infamous WannaCry
Ransomware to understand how the malicious binary works. The mode of analysis used
by the authors was static analysis. IDA Pro was used for reverse engineering to
understand the inner working of the Ransomware. The PE file which was initially used
for the first stage of Ransomware operation converted itself into different formats in the
subsequent stages. First, the PE file is delivered through the EternalBlue exploit, which
then uses a Windows API to embed itself. In the next phase, two services, mssecsvc.exe
and tasksche.exe, are responsible for further propagation by altering the environment
settings. The third stage is responsible for the overall encryption of the victim’s data, where
tasksche.exe loads the encryption .dll into the device’s memory. The last stage is maintained
by C2C servers for tracing the payments and the course of infection.

4.1.2. Dynamic Analysis

Sgandurra et al. tested 542 different samples of Ransomware families through
EldeRan, a hybrid approach comprising machine learning techniques and dynamic
code analysis. EldeRan tested application samples against a set of parameters that would
be able to identify whether the sample is Ransomware during the infection phase. EldeRan
successfully analyzed Windows API calls, registry key operations, file and directory
operations, dropped files and embedded strings. The next component of EldeRan
involved the machine learning approach, which comprised feature selection that could
distinguish Ransomware from regular software via the mutual information criterion, and
classification that used regularized logistic regression. Overall, EldeRan achieved a great
success rate in detection of new Ransomware families.
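The feature-selection step described for EldeRan, ranking binary behaviour features by their mutual information with the ransomware/benign label, is a short computation worth seeing end to end. The block below is an added example written for this seminar, not EldeRan’s own code: the six sample traces and their feature flags (an API call, a mass-rename file pattern, a registry Run key write, a neutral API) are constructed for illustration, and only the ranking step is shown, not the logistic-regression classifier that EldeRan trains afterwards.

```python
import math
from typing import Dict, List, Tuple

# Constructed behaviour-trace features for six samples (three ransomware,
# three benign). Each key is a binary flag of the kind a dynamic-analysis
# sandbox would record; the values are made up for this example.
SAMPLES: List[Dict[str, int]] = [
    {"api:CryptEncrypt": 1, "file:mass_rename": 1, "api:GetSystemTime": 1, "reg:Run_key_write": 1, "label": 1},
    {"api:CryptEncrypt": 1, "file:mass_rename": 1, "api:GetSystemTime": 0, "reg:Run_key_write": 1, "label": 1},
    {"api:CryptEncrypt": 1, "file:mass_rename": 0, "api:GetSystemTime": 1, "reg:Run_key_write": 1, "label": 1},
    {"api:CryptEncrypt": 0, "file:mass_rename": 0, "api:GetSystemTime": 1, "reg:Run_key_write": 1, "label": 0},
    {"api:CryptEncrypt": 0, "file:mass_rename": 0, "api:GetSystemTime": 0, "reg:Run_key_write": 0, "label": 0},
    {"api:CryptEncrypt": 0, "file:mass_rename": 0, "api:GetSystemTime": 1, "reg:Run_key_write": 1, "label": 0},
]

def mutual_information(xs: List[int], ys: List[int]) -> float:
    """I(X;Y) in bits for two equal-length sequences of 0/1 values:
    sum over (x,y) of p(x,y) * log2( p(x,y) / (p(x) p(y)) )."""
    n = len(xs)
    if n == 0 or n != len(ys):
        raise ValueError("sequences must be non-empty and equal length")
    cx = {v: xs.count(v) for v in (0, 1)}
    cy = {v: ys.count(v) for v in (0, 1)}
    cxy: Dict[Tuple[int, int], int] = {}
    for x, y in zip(xs, ys):
        cxy[(x, y)] = cxy.get((x, y), 0) + 1
    mi = 0.0
    for (x, y), c in cxy.items():
        # p(x,y) / (p(x) p(y)) == c*n / (cx*cy). Doing this in integers keeps
        # an independent feature at exactly ratio 1.0, i.e. zero contribution.
        mi += (c / n) * math.log2((c * n) / (cx[x] * cy[y]))
    return mi

def rank_features(samples: List[Dict[str, int]],
                  label_key: str = "label") -> List[Tuple[str, float]]:
    """Score every feature by MI with the label, highest first."""
    labels = [s[label_key] for s in samples]
    names = [k for k in samples[0] if k != label_key]
    scored = [(name, mutual_information([s[name] for s in samples], labels))
              for name in names]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)

def select_features(samples: List[Dict[str, int]], k: int,
                    label_key: str = "label") -> List[str]:
    """Keep the k most informative features for the downstream classifier."""
    return [name for name, _ in rank_features(samples, label_key)[:k]]

if __name__ == "__main__":
    for name, score in rank_features(SAMPLES):
        print(f"{name:22s} MI = {score:.3f} bits")
    print("selected:", select_features(SAMPLES, 2))
```

With these constructed traces the crypto API call carries one full bit (it separates the classes perfectly), the mass-rename pattern about 0.46 bits, the Run key write about 0.19 bits, and the time query exactly zero, so a top-2 selection drops the two features a classifier would only overfit on. The same arithmetic applies unchanged to thousands of sandbox-derived flags.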
Maimó et al. were the first authors to discuss the impact of Ransomware on clinical
environments. The first ever Ransomware to target the medical industry was WannaCry.
Upon its outbreak, all the NHS operations were put to a halt and most of the appointments
and surgeries were canceled. They devised an ML based technique compatible with the
Integrated Clinical Environment (ICE) architecture that could detect the presence of
Ransomware before it could even start propagating. Their technique was able to detect the
changes in network traffic when the Ransomware was being run. These patterns were
then fed to a probabilistic supervised Ransomware classifier to finally extract complex
features of the sample being run. The solution proposed had four main components. The
first module monitored traffic patterns resulting from a live sample. The next module
required human supervision for generating a suitable dataset that would be fed to the ML
algorithms for detection and classification of Ransomware. The third module identified
the anomalous patterns and labeled them. The last module focused on mitigation
techniques through the aid of rule based ML models.
Kao et al. conducted another reverse engineering experiment on WannaCry
Ransomware through the dynamic mode of analysis. In this case, the WannaCry sample was run
on the system and its interactions with processes, file system, registry and network
activity were recorded. The authors used a tool named YARA to record the signature of
the sample. To carry out behavioral analysis dynamically, the SysInternals Suite and
Wireshark were made use of. WannaCry, being a multi-stage Ransomware, uses a process
to load the tasksche.exe file, which in turn launches different processes. When a
ransomware attack occurs, it is really important to detect it as early as possible because in
this case every second is significant, as early detection results in a lesser degree of
damage.
Morato et al. devised an algorithm called REDFISH which claimed to detect the
presence of ransomware in an organizational setting earlier than all the frameworks to
date, through analysis of network traffic. The authors used around 19 ransomware families
to test their algorithm. This algorithm was designed to tackle ransomware strands that
were created to encrypt files and folders present in shared network drives on Network
Attached Storage. After carefully evaluating all the environments where Ransomware can
persist, the authors found that the existence of SMB in a network indicated a possible
habitat where Ransomware can dwell. They used a network traffic inspection device to
analyse the behaviour of incoming and outgoing traffic. They analysed the usage of SMB
based commands very closely to look for anomalies in the traffic. The authors ran several
tests on the algorithm and reported that REDFISH can detect ransomware within 20 s.
The authors stated that although REDFISH proved to be fast, the strands were still
able to lock 10 to 15 files before being detected. We believe REDFISH is a feasible
algorithm for organizational settings and can be easily deployed because of its minimal
impact on the server resources. Also, the network inspection device used by REDFISH
stays out of the production network, so any malware which also has the ability to launch
reverse shells for an attacker would not be able to deactivate the detection mechanism.
However, in modern scenarios where ransomware is highly stealthy in nature, this
algorithm can fail. Recently, there has been a surge of Ransomware strands that use Microsoft
Word and Excel based documents to deliver themselves onto the victims’ machines. VBA
and Excel macros can obfuscate PowerShell code within their streams so that when they
are passed through antivirus scans, they are deemed to be benign. We strongly believe
that in cases like these, REDFISH will not be able to detect the ransomware strands
within the stipulated time frame.
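The core of a REDFISH-style network detector, watching SMB file-modifying commands from each client and raising an alert when too many distinct files are touched inside a short window, can be demonstrated on a small log. The code below is an added example for this seminar and is not the REDFISH algorithm itself: the SMB operation log is constructed (one client editing a couple of spreadsheets, another rewriting and renaming twelve files within a few seconds), and the 20 s window and the 10-distinct-file threshold are assumptions taken from the figures the text quotes, not parameters of the published tool.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple

# Constructed SMB operation log, one event per line:
#   <ISO-8601 UTC timestamp> <client IP> <SMB2 command> <UNC path>
# Not captured from any real network. Client 10.0.0.7 works normally;
# client 10.0.0.5 writes and renames file00..file11 within ~7 seconds.
SAMPLE_LOG = (
    "2024-03-01T10:00:00.000Z 10.0.0.7 WRITE \\\\fs01\\docs\\budget.xlsx\n"
    "2024-03-01T10:00:05.000Z 10.0.0.7 WRITE \\\\fs01\\docs\\notes.txt\n"
    "2024-03-01T10:00:30.000Z 10.0.0.7 WRITE \\\\fs01\\docs\\budget.xlsx\n"
    "2024-03-01T10:01:00.000Z 10.0.0.7 READ \\\\fs01\\docs\\plan.docx\n"
) + "".join(
    f"2024-03-01T10:01:{10 + i * 0.6:06.3f}Z 10.0.0.5 WRITE \\\\fs01\\docs\\file{i:02d}.docx\n"
    f"2024-03-01T10:01:{10 + i * 0.6 + 0.2:06.3f}Z 10.0.0.5 RENAME \\\\fs01\\docs\\file{i:02d}.docx\n"
    for i in range(12)
)

WINDOW_SECONDS = 20.0          # assumed: the detection budget quoted for REDFISH
DISTINCT_FILE_THRESHOLD = 10   # assumed: around the 10-15 files lost before detection
MODIFYING_OPS = {"WRITE", "RENAME", "DELETE", "SET_INFO"}  # reads never count

def parse_line(line: str) -> Tuple[float, str, str, str]:
    """Split one log line into (epoch seconds, client, command, path)."""
    ts, client, op, path = line.split(" ", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return when.timestamp(), client, op, path

def detect_mass_modification(log_text: str) -> List[Dict]:
    """Per client, keep the modifying events of the last WINDOW_SECONDS and alert
    (once per client) when they touch DISTINCT_FILE_THRESHOLD or more distinct
    files. Distinct paths, not raw event count, is the key: a user saving one
    spreadsheet fifty times is normal; fifty different files in 20 s is not."""
    windows: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    alerts: List[Dict] = []
    already_alerted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, client, op, path = parse_line(line)
        if op not in MODIFYING_OPS:
            continue
        window = windows[client]
        window.append((t, path))
        while window and t - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= DISTINCT_FILE_THRESHOLD and client not in already_alerted:
            already_alerted.add(client)
            alerts.append({
                "client": client,
                "alert_time": t,
                "files_touched": len(distinct),
                # how long the burst ran before the threshold tripped
                "latency_seconds": round(t - window[0][0], 3),
            })
    return alerts

if __name__ == "__main__":
    for a in detect_mass_modification(SAMPLE_LOG):
        print(f"ALERT client={a['client']} files={a['files_touched']} "
              f"after {a['latency_seconds']} s")
```

On the constructed log the alert fires for 10.0.0.5 when its tenth distinct file is written, about 5.4 s into the burst, and never for 10.0.0.7. Lowering the threshold shortens the loss window but raises false positives from bulk copies and backup jobs, which is the trade-off behind the 10 to 15 files the text reports; and, as the text also notes, a detector of this kind only sees what crosses the wire, so a macro-delivered sample that encrypts locally before touching a share is outside its view.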
Chen et al. created an automated early detection tool with a novel feature of pattern
extraction. Their tool was able to capture new strands and samples through the sandbox
and was able to prepare an automated analytic report. The report was able to present the
most unique patterns and behavioural paths followed by different ransomware families.
For experimentation and validation, the authors used seven ransomware families.
Through the results of experimentation, the authors were able to find out the efficiency of
each of the algorithms used for pattern extraction. In order to unsheathe the features of
different ransomware families, they used TF-IDF, ET and LDA to automate the whole
process. The tool developed by the authors can be used in medium to large enterprises, as
it can easily handle large log data and detect ransomware before other industry standard
solutions. The approach used by the authors focused on calculating the time efficiency of
different algorithms, but they did not compare their tool with other frameworks and
algorithms in effect. Also, the algorithms used require training before they can make
intelligent decisions. The algorithms will not work well for the latest strands like
Darkside.
Imtiaz et al. approached the problem of Android Ransomware by using a novel
methodology called DeepAMD. DeepAMD used deep ANNs for detecting ransomware
before it could exploit other applications on the smartphone. DeepAMD used a dataset to
extract features initially for feature selection. The cleansed data resulting from feature
extraction was analysed both statically and dynamically to determine the nature of an
application. Overall, DeepAMD proved to be a novel and effective approach for early
detection of the most advanced ransomware families. This is because of a good rate of
validation of DeepAMD using the latest and updated Android malware dataset. In
addition to detection of Ransomware, DeepAMD can also detect scareware and adware
families. Kok et al. developed a new algorithm called Pre-Encryption Detection
Algorithm (PEDA) that was able to detect Crypto Ransomware, which is the most
dominant type of Ransomware. According to the authors, PEDA could detect almost all
crypto Ransomware strands in their pre-encryption stage. PEDA is a hybrid algorithm
that first examines a suspicious binary via static analysis through checksum comparison
and then dynamically via an algorithm that monitors pre-encryption APIs.
Along with this, PEDA also identified 3 APIs that could locate the presence of
Ransomware. The algorithm’s success held true for most of the Crypto strands. The only
limitation of PEDA is its high dependence on the Windows API. So, if PEDA is deployed as
the only detection mechanism, it might not be able to detect the latest families.
Al-rimy et al. also created a model for early detection of Crypto Ransomware but
through a different approach. The model used two detection modules, one for analysing
the behaviour and the second for estimation of anomalies. Fusion of both the results
would then give a proper decision on whether the binary is malicious or benign. The
authors claimed that this model would certainly be able to detect zero day attacks and
advanced persistent threats. Through the results shown in the work, the model performed
extremely well in detecting the ransomware strands from a dataset of 12,000 applications.
One benefit of using this solution is that it can be used for other ecosystems too because
of the extremely low false positive rate.
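The two ideas above, a behaviour module that watches for pre-encryption API calls (as in PEDA) and an anomaly module that looks at what a process actually writes (as in the fusion model of Al-rimy et al.), can be combined in a small detector. The following is an added example written for this seminar, not code from any of the cited papers. It assumes a constructed trace of (timestamp, pid, API name, written payload) events; the set of "pre-encryption" APIs, the entropy threshold and the fusion weights are assumptions chosen for illustration, since the text does not name the APIs those tools monitor.

```python
import hashlib
import math
from collections import defaultdict

# Assumed set of Windows crypto APIs a crypto ransomware calls before it starts
# encrypting. The text does not name the APIs PEDA watches; this is an assumption.
PRE_ENCRYPTION_APIS = {"CryptAcquireContext", "CryptGenKey", "CryptEncrypt"}
HIGH_ENTROPY = 7.0  # bits per byte; ciphertext sits near 8.0, documents near 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def behaviour_score(events) -> float:
    """Fraction of the pre-encryption API set that one process has touched."""
    seen = {api for _, api, _ in events if api in PRE_ENCRYPTION_APIS}
    return len(seen) / len(PRE_ENCRYPTION_APIS)


def anomaly_score(events) -> float:
    """Fraction of a process's WriteFile payloads that look like ciphertext."""
    writes = [payload for _, api, payload in events if api == "WriteFile"]
    if not writes:
        return 0.0
    return sum(shannon_entropy(p) >= HIGH_ENTROPY for p in writes) / len(writes)


def classify(trace, w_behaviour=0.5, w_anomaly=0.5, threshold=0.6):
    """Fuse both module scores per pid: {pid: (score, 'malicious'|'benign')}."""
    per_pid = defaultdict(list)
    for ts, pid, api, payload in trace:
        per_pid[pid].append((ts, api, payload))
    verdicts = {}
    for pid, events in per_pid.items():
        score = w_behaviour * behaviour_score(events) + w_anomaly * anomaly_score(events)
        verdicts[pid] = (round(score, 3), "malicious" if score >= threshold else "benign")
    return verdicts


def _ciphertext_like(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:size])


# Constructed sample data: pid 100 behaves like a crypto ransomware, pid 200 like
# an ordinary application that happens to use one crypto API legitimately.
PLAINTEXT = b"Quarterly inventory report, warehouse B, pallets counted: 412.\n" * 64
TRACE = [
    (0.00, 100, "CryptAcquireContext", b""),
    (0.02, 100, "CryptGenKey", b""),
    (0.10, 100, "WriteFile", _ciphertext_like(1)),
    (0.12, 100, "CryptEncrypt", b""),
    (0.15, 100, "WriteFile", _ciphertext_like(2)),
    (0.20, 100, "WriteFile", _ciphertext_like(3)),
    (0.00, 200, "CreateFile", b""),
    (0.30, 200, "WriteFile", PLAINTEXT),
    (0.45, 200, "CryptAcquireContext", b""),
    (0.60, 200, "WriteFile", PLAINTEXT),
]

if __name__ == "__main__":
    for pid, (score, verdict) in classify(TRACE).items():
        print(f"pid {pid}: score={score} verdict={verdict}")
```

The fusion is what keeps the false positive rate down: a benign program that calls one crypto API scores low on the behaviour module and zero on the anomaly module, while the ransomware-like process scores high on both.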

4.2. Ransomware Avoidance Techniques
Ransomware attacks have succeeded mostly because of poor cyber-hygiene practices.
The avoidance techniques available to the general public for protecting their devices
from ransomware are few in number and generalized in nature. Researchers have
proposed a few advanced techniques for ransomware avoidance, but they are limited to
specific environments and specific strains of ransomware and hence do not qualify as a
one-size-fits-all solution.
General techniques that users can follow to protect their devices from ransomware
are:

4.2.1. Regular Patches and Updates


When the WannaCry ransomware hit the world in 2017, it created chaos everywhere
and rendered all the ICE computers useless, bringing operations at most hospitals and
clinics in the UK to a halt. WannaCry infected devices by exploiting a vulnerability in
the SMB protocol. SMB is a Windows-based protocol that allows computers on the same
domain to share files. The EternalBlue exploit was used to exploit the vulnerability,
and this is how WannaCry, after entering one device, infected the whole network.
Computing platforms that are regularly patched and updated have an extremely low
chance of being infected with ransomware, as most attackers prey upon vulnerabilities
that have not been patched. Updating and patching is not limited to operating systems:
browsers and other applications that are live on the network should be updated and
patched regularly.

4.2.2. Avoid e-Mails from Unknown Sources and Attachments


Emails from unknown senders should not be opened, as they can carry links and
attachments which, if opened, can install ransomware on the device. Emails meant for
delivering ransomware are usually very compelling and entice the recipient to click on
the links or download the attachments. Organizations should conduct training for
employees to help them identify phishing emails. Attackers can target a specific
department of an organization; for example, the inventory department can receive an
email with a billing attachment from an attacker posing as a legitimate dealer. Email
filters and spam detection extensions should be deployed for all email services.
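The filtering this section recommends can be made concrete as a mail-gateway triage rule. The block below is an added example for this seminar, not code from the original text or from any mail product. It uses only the standard library's email parser, and both messages it inspects are constructed here (the domains, names and attachment are invented); the deny-list of executable extensions and the urgency words are assumptions, not an exhaustive list.

```python
import email
from email.utils import parseaddr

# Assumed deny-list of attachment extensions that execute code when opened.
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat",
                   ".cmd", ".ps1", ".docm", ".xlsm", ".iso", ".lnk")
# Assumed pressure phrases typical of ransomware lures.
URGENCY_WORDS = ("urgent", "immediately", "overdue", "final notice", "action required")


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Return {'findings': [...], 'verdict': 'deliver' | 'flag' | 'quarantine'}."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Executable attachments; double extensions such as Invoice.pdf.exe are
    #    caught too, because only the final suffix is tested.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment: {name}")

    # 2. Reply-To steering replies to a domain other than the sender's.
    from_header = msg.get("From", "")
    from_dom = domain_of(from_header)
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain mismatch: {from_dom} vs {reply_dom}")

    # 3. A display name carrying an address at a different domain, the usual
    #    way a "legitimate dealer" is impersonated.
    display_name = parseaddr(from_header)[0]
    if "@" in display_name and domain_of(display_name) != from_dom:
        findings.append(f"display name impersonates {domain_of(display_name)}")

    # 4. Pressure language in the subject line.
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency language in subject")

    executable = any(f.startswith("executable") for f in findings)
    if executable or len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"findings": findings, "verdict": verdict}


# Constructed lure aimed at an inventory department (all names invented).
PHISHING = """\
From: "billing@trusted-dealer.example" <noreply@mail-sender-9123.example>
Reply-To: payments@other-collect.example
To: inventory@victim-corp.example
Subject: URGENT: overdue invoice #4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice immediately to avoid service suspension.
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""

# Constructed ordinary internal mail for comparison.
BENIGN = """\
From: "Priya Shah" <priya@example.org>
To: inventory@example.org
Subject: Minutes from Monday's stock count
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached are the minutes; nothing urgent.
--b2
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

Stock count reconciled.
--b2--
"""

if __name__ == "__main__":
    print(triage(PHISHING))
    print(triage(BENIGN))
```

Any single executable attachment quarantines the mail outright; the softer signals (reply-to steering, look-alike display name, urgency) only quarantine in combination, which keeps legitimate but hurried mail from being blocked.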

4.2.3. Disable JavaScript and Java for Browsers


Another important technique to prevent the spread of ransomware is to disable
JavaScript and Java in browsers. Malvertising, as discussed in Section 2, tricks the
browser into downloading executable files which can then infect the whole system.
Malvertising uses JavaScript to execute the malicious code, so disabling it helps
prevent ransomware attacks. Disabling scripting also restricts scripting attacks that
can lead to open redirects to ransomware distribution websites.

4.2.4. Controlled Folder Access


This technique works best for organizational environments that deploy Windows-based
devices for work. It allows only trusted applications to access designated folders.
Designated folders are mapped to different applications when Controlled Folder Access
is configured initially. The technique works with a database of trusted applications
that is maintained and updated from time to time. If an application or executable is
not present in the trusted application database, it is barred from modifying the
contents of the designated controlled folders. Controlled Folder Access is an excellent
avoidance measure as it can also protect boot sectors, which are targeted by the latest
ransomware families. Controlled Folder Access also provides an audit mode that can
further act as a honeypot for executables not present in the trusted application
database that try to access protected folders.

4.3. Ransomware Mitigation Techniques
Ever since the advent of ransomware, cyber-defenders have been trying to come up with
advanced security solutions to counteract different ransomware strains. On the other
hand, ransomware designers have exploited new vulnerabilities, preying on the lack of
cyber-security awareness among a vast majority of the population to wreak havoc.
Mitigation of ransomware attacks involves recovering encrypted data, most likely
through reverse engineering, or not allowing the ransomware to complete the encryption
process. However, in the real world, mitigation techniques have had limited success. A
vast majority of individual ransomware victims typically end up paying the ransom
demand or losing their data permanently. Still, several mitigation techniques that
enable efficient removal of ransomware and recovery of devices have been proposed.

Figure 4 sums up the main mitigation methodologies based on the techniques they use.

5. Future Directions in Ransomware Protection

The DAM framework evaluates different combat strategies for preventing ransomware
attacks and widespread financial losses. Of all the combat strategies, avoidance
techniques are the most desirable for protecting users and organizations from
ransomware. However, effective avoidance techniques at an organizational level entail
significant cost, large IT teams, multiple levels of security and some restrictions on
user access privileges. At the individual level, practising cyber-hygiene is the only
effective avoidance strategy. Since complete avoidance is the holy grail of ransomware
security and is rarely achieved in practice, detection and mitigation are the more
viable real-world strategies. Early and fool-proof detection of ransomware attacks is
necessary if effective mitigation strategies are to be implemented. Even though most of
the techniques discussed above detect ransomware within 50 to 60 s of its initial
spread, advanced strains can perform DLL hijacking and UAC bypassing within five to
ten seconds and are able to encrypt files within fifteen seconds. Once the files are
encrypted, it is extremely difficult to reverse engineer the operations performed.
Thus, mitigation techniques can be deployed only if detection is extremely fast, and
that is always a challenge, as early inferencing can lead to false positives.
It is safe to say that current technology does not offer an end-to-end security blanket
protecting individuals and large organizations from the threat of ransomware.
Therefore, organizations need to consistently invest in legal penetration testing
services in addition to purchasing cyber insurance policies. The former leads to
rigorous testing of the defense perimeter and constant upgrading and tuning of
security policies to cater to new security threats. Future directions in the evolution
of ransomware protection are outlined below:

5.1. Browsers as the First Line of Defense


Files downloaded from the internet through the web browser are primarily responsible
for ransomware infection. Little to no research has been conducted so far on detecting
ransomware inside the browser or even on warning users. Ren et al. designed a
three-layer security solution whose first stage used a browser extension that could
identify malicious websites and also kept track of unauthorized downloads that
occurred through these websites. A major downside of this extension is that it can
only block websites that are already on a predefined list. Malvertising is known to
occur through trusted websites as well. It utilizes the JavaScript execution
capabilities of the browser to trick it into downloading the malicious file. That is
why the browser should be equipped with security features so that as soon as an
executable is downloaded, it is moved into a sandbox where its behavior can be
analyzed. Hence, extensive research needs to be carried out on building ransomware
detection and isolation features inside the browser.

5.2. Trusted and Non Trusted Sources


Although this counts as a preventive measure, maintaining a database of trusted and
non-trusted sources through global collaboration or crowdsourcing between credible
entities will help improve alert systems for potentially malicious sites and internet
sources. The database can be created by incorporating Qualys' SSL Labs APIs, which
will help establish the trustworthiness of a website. This database can be similar to
the one created by Alexa that ranks websites based on different parameters. This
database can then be used by web browsers and anti-malware extensions that monitor
the activities of a user and issue an alert when a potentially dangerous website is
browsed.

5.3. Avoiding Privilege Escalation in Windows Based Platforms


Traditionally, Windows-based devices are the most susceptible to ransomware attacks
due to weak authorization and authentication policies that can be abused by malicious
users. One of the techniques used by malicious executables to gain unauthorized access
to systems is privilege escalation. DLL hijacking and bypassing the UAC mechanism are
the two main ways in which Windows privilege escalation is carried out to gain folder
and registry access in order to encrypt them. Despite the existence of avoidance
strategies like Controlled Folder Access and cloud-powered Windows Defender AV,
malicious portable executables can use extremely advanced techniques like
anti-analysis mechanisms, API hooking and process injection to infect the system.
Also, the concept of a secure registry needs to be looked into so as to develop better
prevention strategies. The notion of a hierarchy-based file-system standard needs to be
incorporated into such platforms so that role-based access control and privilege-based
access control can be defined and enforced.

5.4. Adoption of AI Based Chat-Bot Assistants for Ensuring Cyber-Hygiene among Users

When it comes to dangerous attacks like ransomware in cyberspace, prevention is the
best cure. Prevention of ransomware attacks is highly dependent on the behavior of
users on the Internet, which in turn is governed by cyber-hygiene practices. In this
context, AI-based chat-bot assistants that can warn users about the repercussions of
downloading files from untrusted sources can be useful. Such tools would monitor the
web activity of the user and help improve their cyber-hygiene. Educating users and
preventing them from performing actions that lead to cyber-attacks will probably be
one of the most effective avoidance solutions.

5.5. Use of a Sanitized Software Download Service
A repository of sanitized open-source software packages, available for download as a
service, can be designed so that users can download popular software packages without
fear of malware infection. The repository may employ a list of File Lock PEA trusted
keys. For verification, each package can be matched against the stored keys and
checksums.
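The client-side check such a service implies, a package accepted only when its checksum matches a manifest that was itself authenticated under a key the client already trusts, can be written in a few dozen lines. This is an added example for this seminar, not code from File Lock PEA or from any real repository. To stay within the standard library it authenticates the manifest with an HMAC under a shared key; a real service would publish a public key and sign with the matching private key, so the key table, manifest layout and package bytes below are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed trusted-key list. A shared HMAC key stands in for the repository's
# signing key so the example runs on the standard library alone.
TRUSTED_KEYS = {"repo-key-1": b"constructed-example-key-not-for-real-use"}

# Constructed package bodies standing in for real archives.
PACKAGES = {
    "editor-1.4.2.tar.gz": b"constructed bytes standing in for a real archive",
    "shell-tools-0.9.0.zip": b"another constructed archive body",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict, key_id: str) -> dict:
    """What the repository publishes: one checksum per package plus the key id."""
    return {"key_id": key_id,
            "packages": {name: sha256_hex(body) for name, body in packages.items()}}


def canonical(manifest: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str) -> bool:
    """Reject manifests under an unknown key or altered after signing."""
    key = TRUSTED_KEYS.get(manifest.get("key_id"))
    if key is None:
        return False
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_package(name: str, body: bytes, manifest: dict, signature: str):
    """Return (ok, reason). A package is safe to install only if the manifest
    verifies under a trusted key AND the package's checksum matches it."""
    if not verify_manifest(manifest, signature):
        return False, "manifest signature invalid"
    expected = manifest["packages"].get(name)
    if expected is None:
        return False, "not in manifest"
    if not hmac.compare_digest(sha256_hex(body), expected):
        return False, "checksum mismatch"
    return True, "ok"


# The repository side: publish the manifest and its authenticator.
MANIFEST = build_manifest(PACKAGES, "repo-key-1")
SIGNATURE = sign_manifest(MANIFEST, TRUSTED_KEYS["repo-key-1"])

if __name__ == "__main__":
    for name, body in PACKAGES.items():
        print(name, verify_package(name, body, MANIFEST, SIGNATURE))
    print("tampered body:", verify_package("editor-1.4.2.tar.gz", b"trojaned", MANIFEST, SIGNATURE))
```

The order of checks matters: the manifest is authenticated before any checksum in it is trusted, otherwise an attacker who can replace a package can just as easily replace its published checksum.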

5.6. Backup and Restore


It is very common for mobile devices to be backed up completely and for new devices
to be restored with the data and applications from the backed-up image. We believe
that such a service is viable for individual laptops and desktops as well. Users would
be able to quickly recover their data if their system is compromised by reformatting
the hard disk and restoring from the last backup. Microsoft, with its large installed
base, could contemplate offering such a service to users. This backup is different from
a data backup on Google Drive, for instance, as it involves the backup and management
of installed, and possibly licensed, third-party applications as well. In all operating
systems, the backup functionality exists as a recurring process, such as a cron job in
Linux or a scheduled task in Windows. All a user has to do is set up the backup
functionality so that it runs automatically and in a timely manner. Although physical
operating systems do not have the capability of working with snapshots, the concept of
Last Known Good Configurations works here and helps in mitigating the effect of
ransomware.

5.7. CVE Monitoring


Most ransomware attacks succeed because of two major factors: poor cyber-hygiene and
unpatched system vulnerabilities. Ethical penetration testers try to find zero-day
vulnerabilities before malicious actors do, and these vulnerabilities are fed into a
database of Common Vulnerabilities and Exploits (CVE). But most of these
vulnerabilities are not patched by developers in time, leading to highly advanced and
chained attacks. Thus, a server for the latest CVEs can be created which may be used
to retrieve real-time information about patching possible exploits and
vulnerabilities.
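What such a CVE server would do for an organization, and what the patching advice in Section 4.2.1 relies on, is to match published vulnerability records against the versions actually installed so that unpatched hosts can be listed most-severe first. The block below is an added example for this seminar, not code from the DAM framework or from NVD. The CVE ids are obvious placeholders, the feed records and host inventory are constructed, and the field names (`start_including`, `end_excluding`) are assumptions loosely modelled on how NVD expresses affected version ranges.

```python
# Constructed CVE-style feed with placeholder ids (not real CVEs). Ranges are
# start-inclusive and end-exclusive; `end_excluding` is also the fixed version.
FEED = [
    {"id": "CVE-PLACEHOLDER-0001", "product": "smb-server", "severity": "critical",
     "start_including": "1.0.0", "end_excluding": "1.4.3"},
    {"id": "CVE-PLACEHOLDER-0002", "product": "web-browser", "severity": "high",
     "start_including": "118.0", "end_excluding": "120.0.2"},
    {"id": "CVE-PLACEHOLDER-0003", "product": "pdf-reader", "severity": "medium",
     "start_including": "2.0", "end_excluding": "2.5"},
]

# Constructed software inventory, e.g. as collected by an endpoint agent.
INVENTORY = {
    "host-a": {"smb-server": "1.4.1", "web-browser": "120.0.2"},
    "host-b": {"smb-server": "1.4.3", "web-browser": "119.5", "pdf-reader": "2.4.9"},
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> tuple:
    """Dotted version to a comparable tuple: '1.4' == '1.4.0'; non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, record: dict) -> bool:
    """True when `version` lies inside the record's affected range."""
    v = parse_version(version)
    lo = parse_version(record.get("start_including", "0"))
    hi = record.get("end_excluding")
    return lo <= v and (hi is None or v < parse_version(hi))


def unpatched(inventory: dict, feed: list) -> list:
    """(severity, host, product, version, cve_id, fixed_in) for every vulnerable
    install, sorted most severe first so patching can be prioritised."""
    hits = []
    for host, software in inventory.items():
        for product, version in software.items():
            for rec in feed:
                if rec["product"] == product and is_affected(version, rec):
                    hits.append((rec["severity"], host, product, version,
                                 rec["id"], rec.get("end_excluding")))
    hits.sort(key=lambda h: (SEVERITY_ORDER.get(h[0], 9), h[1], h[2]))
    return hits


if __name__ == "__main__":
    for sev, host, product, version, cve, fixed in unpatched(INVENTORY, FEED):
        print(f"[{sev:8}] {host}: {product} {version} affected by {cve}, fixed in {fixed}")
```

Run against the constructed data, host-a's SMB server (1.4.1, below the 1.4.3 fix) comes out first as critical, host-b's browser and PDF reader follow, and host-a's browser at exactly the fixed version is correctly not reported.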

6. Conclusion

Ransomware remains one of the most significant threats in the cybersecurity
landscape, targeting individuals, organizations, and critical infrastructure worldwide.
Effective detection and mitigation of ransomware require a multi-layered approach,
combining advanced technologies, proactive defense mechanisms, and user
education.

Detection techniques, such as machine learning-based anomaly detection, behavioral
analysis, and signature-based methods, play a critical role in identifying ransomware
activities before they cause irreversible damage. However, no detection system is
foolproof, emphasizing the need for robust mitigation strategies. These include
regular data backups, implementation of least-privilege access, timely patch
management, and incident response plans to reduce the impact of an attack.

The fight against ransomware is a continuous process that demands collaboration
between organizations, governments, and cybersecurity professionals. By fostering a
culture of security awareness and leveraging innovative technologies, it is possible to
significantly reduce the risk and impact of ransomware attacks, ensuring a more
resilient and secure digital environment.
