See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/339326833

Ransomware Prevention and Mitigation Techniques

Article in International Journal of Computer Applications · February 2020
DOI: 10.5120/ijca2020919899

3 authors: Hesham Alshaikh (Faculty of Graduate Studies for Statistical Research (FGSSR)), Nagy Ramadan (Cairo University), Hesham A. Hefny (Faculty of Graduate Studies for Statistical Research (FGSSR)).

All content following this page was uploaded by Hesham Alshaikh on 03 October 2023.


International Journal of Computer Applications (0975 – 8887)
Volume 177 – No. 40, February 2020

Ransomware Prevention and Mitigation Techniques

Hesham Alshaikh, Sadat Academy for Management Sciences, Egypt
Nagy Ramadan, Department of Information Systems and Technology, Faculty of Graduate Studies for Statistical Research, Cairo University, Egypt
Hesham Ahmed Hefny, Department of Computer Science, Faculty of Graduate Studies for Statistical Research, Cairo University, Egypt

ABSTRACT
Ransomware is a malware family that uses security techniques such as cryptography to hijack user files and associated resources, and then demands cryptocurrency in exchange for the locked data. There is no limit to who can be targeted by ransomware, since it can be transmitted over the internet. Like traditional malware, ransomware may enter the system through "social engineering, malware advertising, spam emails, taking advantage of vulnerabilities, drive-by downloads, open ports or back doors". But in contrast to traditional malware, even after removal the effect of ransomware is irreparable, and its impact is hard to alleviate without the assistance of its creator. This kind of attack has a straightforward financial implication, and it is fueled by encryption technology and cyber currency. Ransomware has therefore turned into a profitable business that has gained rising popularity among attackers. As stated by "Cybersecurity Ventures", ransomware is the fastest-growing type of cybercrime: global ransomware damage costs are predicted to hit $20 billion in 2021, up from just $325 million in 2015, which is 57X more in 2021. In this paper, a brief review of recent research on the prevention of ransomware attacks and of the best practices for mitigating the attack impact is presented.

General Terms
Ransomware prevention technique, ransomware mitigation technique, signature-based, behavior-based.

Keywords
Ransomware, Cryptography, Cryptocurrency, Cybercrime, Malware, Cybersecurity, Vulnerability, Cyberattacks.

1. INTRODUCTION
Cybercriminal attackers understand that data, files, networks and all digital resources are the key factors for the regular operation and growth of any business [1]. These digital assets are so precious to the business that the quickest and most attractive way to earn a great deal of money is to hold all these resources to ransom. This gave rise to ransomware, a malware that commonly encrypts all files and demands a payment in bitcoin before giving the victim the decryption key [2].

As stated by the "Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac", cybercriminal activity is considered one of the major challenges that mankind will confront in the following two decades. Cyberattacks are the fastest-growing crime globally, and they are growing in size, sophistication and cost.

They also predict that cybercrime losses will cost the world $6 trillion annually by 2021, and that more than 70% of all cryptocurrency transactions yearly will be for illegitimate activity.

Advances in technology are the main driver of economic growth, but they have also led to a higher incidence of cyberattacks. The 10 major data breaches of the last two decades, with the number of hacked accounts and the year in which each occurred, as reported by Quartz, are: Yahoo, three billion (2013); Marriott, half a billion (2014-2018); Adult FriendFinder, 412 million (2016); MySpace, 360 million (2016); Under Armour, 150 million (2018); Equifax, 145.5 million (2017); eBay, 145 million (2014); Target, 110 million (2013); Heartland Payment Systems, 100+ million (2018); LinkedIn, 100 million (2012).

Moreover, other research from "Cybersecurity Ventures" estimates that 111 billion lines of new software code are generated yearly, which brings in the possibility of an enormous number of exploitable vulnerabilities. Zero-day attacks alone are forecast to occur once a day by 2021, up from once a week in 2015 [3]. This attack technique makes the prevention task very difficult, even for giant firms with a generous cybersecurity budget [4].

The 5 most cyber-attacked industries over the previous 5 years are transportation, healthcare, financial services, manufacturing and government. "Cybersecurity Ventures" forecasts that media and entertainment, retail, petrol and natural gas, education (kindergarten to 12th grade and higher education) and legal will be among the top 10 industries for 2019 to 2022.

Hacking tools and equipment for identity theft, cyberattacks, malware, ransomware and other nefarious purposes have been obtainable in online markets for many years at prices as low as $1, which makes it nearly free to enter the life of cybercrime.

The worldwide cybersecurity market was worth $3.5 billion in 2004, while its value was more than $120 billion in 2017; the cybersecurity marketplace grew by about 35X during that period. The 2019 U.S. president's budget includes $15 billion for cybersecurity, and the Department of Defense (DoD) was the largest recipient, with $8.5 billion in cybersecurity funding in 2019 [3].

Ransomware is a malware family that uses security techniques such as cryptography to hijack user files and associated resources, then demands cryptocurrency in exchange for the locked data [5]. Some ransomware gets into the system through social engineering, malicious advertisements, spam and drive-by downloads, while other strains try to discover vulnerabilities to exploit, using open ports or a backdoor to get inside [1]. Consequently, vulnerability testing must be performed and security loopholes must be identified, and people must be made aware of these kinds of exploiting

mechanisms [6].

Ransomware as a service (RaaS) is a service that grants easy attainment of ransomware code, without any special programming skills, for a monetary price. The price could be an explicit purchase, or a profit-sharing scheme could be employed. This shows that collaboration exists between criminals [7]. One side oversees the creation of a custom ransomware binary, while the other side simply downloads the customized binary and organizes the dissemination of the contagion, or the attack campaign, usually through botnet email; both parties enjoy the profit from a successful attack [8].

Therefore, ransomware has become a profitable profession that has gained growing popularity among attackers [5]. The publicity around ransomware has given rise to an extraordinary ecosystem of cybercriminals. The ransomware attack has a direct financial implication, which is fueled by encryption technology and cyber currency. Encryption is effective and almost unbreakable. Anonymous cyber currency can obviate traceability. Easily attainable ransomware code permits easy entry to the cybercrime world. The combination of these provides an attractive avenue for cybercriminals, producing specialist cybercriminals [7,9].

The U.S. Department of Justice (DOJ) has described ransomware as a new business model for cybercrime and a global phenomenon. Global ransomware damage costs are forecast to hit $20 billion in 2021, up from just $325 million in 2015, as stated by "Cybersecurity Ventures", which is 57X more in 2021. That makes ransomware the fastest-growing type of cybercrime. "Cybersecurity Ventures" anticipates that businesses will fall prey to a ransomware attack every 11 seconds by 2021, up from every 40 seconds in 2016. Hence, global spending on security awareness training for employees, one of the fastest-growing categories in the cybersecurity industry, is predicted to reach $10 billion by 2027, up from about $1 billion in 2014, since training operators on how to recognize and deal with ransomware is a critical challenge [3].

Ransomware is the biggest threat to businesses, and it is the main cause of enormous damage, such as, first, business deadlock and massive losses to the economy [1]. In May 2019, the city of Baltimore discovered that it was the victim of a ransomware attack, in which crucial files were encrypted remotely until a ransom was paid. The city instantly took systems offline to hinder the ransomware from propagating, but unfortunately only after it had taken down the parking fines database, email, voice mail, the water billing system, property taxes and vehicle citations [10].

Second, the production shutdown at the Renault and Nissan motor manufacturing plants in the UK after the ransomware infected some of their systems. Spain's Telefónica, FedEx and Deutsche Bahn were hit by the WannaCry ransomware infection as well in 2017.

Third, life-threatening damage. National Health Service hospitals in England and Scotland, and up to 70,000 devices, including computers, MRI digital scanners, operating room equipment and blood storage fridges, were infected with WannaCry [11].

In this survey, a comprehensive review of ransomware recovery, mitigation and prevention techniques is performed to facilitate future research, study and analysis, to further the understanding of ransomware, and to assist researchers and developers in their efforts to find adequate solutions. The obtained results may hopefully be used to form a base for designing and developing more effective defense solutions against ransomware attacks.

This survey is organized into five sections, the first being the present introduction, in which the relevant background information on cybercrime in general, and on ransomware in particular, is presented to provide an insight into how a ransomware attack is achieved. Section 2 then gives an updated review of research in the area of ransomware and the techniques employed for detection, mitigation and prevention of ransomware attacks. Section 3 discusses the present research directions in ransomware and summarizes their pros and cons. The concluding remarks are presented in section 4. Finally, section 5 discusses potential future directions. Tables (1) and (2) show a summary of the related work.

2. RELATED WORK
Many research efforts have been made to prevent ransomware attacks, employing different approaches to identify the presence of ransomware, such as:

2.1 Signature-based Approach:
The signature approach focuses on detecting patterns unique to ransomware, such as a distinctive sequence of bytes in the ransomware code, the order of function calls and the content of the ransom demand message. Such sequences are saved in a database, and during scanning the anti-malware software tries to detect these patterns in executable files.

Signature-based malware detection techniques have conventionally been strongly preferred because they have a low false positive ratio: an alarm is triggered only if a certain well-known pattern is observed. However, Goyal et al. [12] emphasize that the signature-based approach is unable to cope with the obfuscated code in ransomware and cannot detect new strains until they have been analyzed by an analyst [13].

2.2 Behavior-based Approach:
In this approach, the researchers create an artificial but realistic execution environment and monitor how ransomware interacts with it. Behavior-based detection is the notion of observing the characteristics of how the malware operates. Hence, it relies on studying typical ransomware behavior such as file access, file system activity and network activity.

2.2.1 File Access and File System Activity:
Grant and Parkinson [13] investigated the behavioral characteristics of ransomware, focusing on its interaction with the underlying file system. They implemented a file monitoring application that uses Windows core functionality to monitor all interactions with files in a delimited directory. This study identifies that each ransomware instance has a unique behavioral pattern regarding file system activity, which is remarkably dissimilar to that of normal user interactions. Furthermore, it shows that ransomware may be identified using individual or shared patterns.

Furthermore, Kok et al. [14] proposed a pre-encryption algorithm composed of two phases. The first is a machine learning algorithm, based on API pattern recognition, used to detect the ransomware before it encrypts user files; it uses the Cuckoo sandbox to capture the API calls generated by the suspicious program and analyzes them, but it may have a high false positive rate. The second phase is a signature repository that stores the generated signatures of suspicious programs and is used to detect crypto ransomware in the pre-execution stage using signature

matching; however, it can only detect known crypto ransomware. Therefore, the two phases complement each other and provide an efficient method to protect users from crypto ransomware.

Scaife et al. [15] presented an early warning system called CryptoDrop, which generates a notification at the time of suspicious file activity and allows users to make the final decision on whether the activity is desired or not. Using a set of behavior indicators, CryptoDrop can terminate any process that seems to be manipulating an enormous amount of user data. The authors claim this system prevents ransomware from executing with a median loss of only 10 files; it does not inspect files outside of the user documents directory. However, Wolf [16] questioned the efficiency of CryptoDrop, claiming that 40 files on average could be fully encrypted before it can detect suspicious activity.

Continella et al. [17] proposed a technique called ShieldFS that copies files when they are altered, saving the copy in a protected area, permitting any alterations to be made to the original file while keeping track of the changes made to it. The detection system is based on the integrated analysis of the entropy of write operations, the frequency of read, write and folder listing operations, the fraction of files renamed, and file type usage statistics. Subsequently, if ShieldFS determines that the process is benign, the saved file can be discarded from the protected area, since the original file has not been encrypted by ransomware. However, if ShieldFS decides that a process is harmful, the offending process is suspended and the saved copies can be restored, replacing the altered (encrypted) versions.

Likewise, Kharraz and Kirda [18] proposed a similar approach to ShieldFS called Redemption, where file operations are redirected to a dummy copy. This technique creates a copy of each file about to be modified by the ransomware, and then redirects the file system operations (requested by the ransomware to encrypt the target files) to the copies, hence leaving the original files undamaged. Redemption uses the Windows kernel development framework to reflect the write requests from the target files to the preserved files in a transparent data buffer. However, rewrite and create operations can experience slowdowns ranging from 7% to 9% when dealing with many small files. Creating the reflected files and redirecting the write requests to the restricted area are the main reasons for this performance hit under high workloads.

A different perspective was adopted by Winter et al. [19], who emphasize that technology is not improving as fast as the complexity of threats. They created a cyber-autoimmune disease in which an antivirus system is responsible for destroying the computer's operating system after they infected system files with malicious code, in order to draw attention to flaws in protection systems which allow attackers to reach their targets more easily, causing serious damage.

However, Lika et al. [20] concluded that no actual solution could be used to decrypt the hard disks that have been encrypted by the NotPetya ransomware. While crucial answers are lacking, a vaccine has been found: the existence of a particular local file prevents NotPetya from executing. Hence, the authors intended to educate users to increase their awareness reactively through gamification.

2.2.2 Network behavior:
Some research works were interested in determining the network behavior of ransomware. Zimba et al. [21] studied the emerging cyber threat to critical infrastructure and emphasized the network segmentation approach, prioritizing the security of production network devices and limiting ransomware propagation. By applying reverse engineering to the WannaCry ransomware and performing source code analysis, they uncovered the techniques it employs to discover vulnerable nodes.

Similarly, Zimba and Mulenga [22] employed reverse engineering on the underlying malware program logic, using dynamic analysis to capture the corresponding network actions associated with that logic and unmask the network interactions of the WannaCry ransomware. The source code analysis shows that the ransomware fetches the network adapter properties to determine whether it is residing in a private or public subnet, in order to effectuate substantial network propagation and subsequent damage. Nonetheless, the network techniques identified are specific to the WannaCry ransomware only.

Furthermore, Almashhadani et al. [23] established a thorough behavioral analysis of crypto ransomware network interactions, taking Locky, one of the most dangerous ransomware families, as the subject. A dedicated testbed was constructed, and a set of valuable and informative network characteristics were extracted and categorized into multiple types. A network-based intrusion detection system was implemented, utilizing two separate classifiers working side by side at the packet and flow levels. The authors assume that most ransomware families try to contact command and control servers before the harmful payload is executed, which is not the case for all ransomware families. Also, monitoring outbound connections can be simply evaded by connection encryption.

Moreover, Akbanov et al. [24] performed extensive dynamic analysis of the WannaCry ransomware and found that its mechanism is based on two different components. The first enables WannaCry to disseminate through network devices like a worm, by generating a list of local and global IP addresses and scanning both internal and external networks for Microsoft's MS17-010 vulnerability, sending packets via port 445 to infect unpatched systems. The second is the encryption process, since it has embedded RSA keys used for decrypting the required malicious DLL representing the encryption component. They also revealed that WannaCry communicates with its command and control server through embedded .onion addresses via a secure channel on port 443 and the common Tor ports 900, 9050, to download the "Tor-browser" installation software. The outcome of this research may help to accomplish an efficient mitigation mechanism against WannaCry and any ransomware family that has the same behavior.

2.3 Contemporary Prevention Methods
2.3.1 Categorizing Ransomware Characteristics:
To facilitate ransomware detection operations, Rajput [6] studied the different types of ransomware families, focusing on their evolution and characteristics. The result of this analysis shows that many ransomware families exhibit similar characteristics.

Therefore, the main contribution of Hull et al. [25] is a predictive model for categorizing ransomware behavioral characteristics, which can then be used to improve the detection and handling of ransomware incidents. The categorization was done with respect to the deployment stages

of ransomware, by establishing a predictive model called "Randep". The stages are fingerprinting, propagate, communicate, map, encrypt, lock, delete and intimidation. This model was derived from a study of 18 ransomware families, by observing Windows Application Programming Interface (API) function calls throughout each ransomware execution, to comprehend what actions a ransomware strain might perform. Nevertheless, not all ransomware families go through all these deployment stages.

Moreover, Chen and Bridges [26] established an automated method to extract distinguishing features of malware from host logs, which contain many non-malicious events. They utilized behavior logs from analysis reports created by the Cuckoo sandbox under several scenarios of ordinary and malware interactions.

Likewise, Verma et al. [27] focused on the indicators of compromise (IOCs) for ransomware using the Cuckoo sandbox, which will be used to set the base for analyzing and classifying new ransomware based on its behavior, using supervised machine learning classifiers to classify the ransomware samples into the 7 respective families that they worked on.

Popli and Girdhar [1] ran ransomware in a simulated environment using Cuckoo to analyze its attack process, then predicted future ransomware, its expected impact, and how difficult it will be to detect if polymorphic, metamorphic and other obfuscation techniques are used by the ransomware. Even though these methods reveal how ransomware interacts with the environment, they cannot be used to reveal a ransomware infection immediately.

2.3.2 Access Control:
Another prevention technique is to adopt an authentication-based access control mechanism under the name of "AntiBotics", presented by Ami et al. [28]. "AntiBotics" has three components. The first component is the Policy Enforcement Driver, which acts as an initial gate that records and halts any file modification attempts, such as renames or deletions. To modify a file, a challenge is created, such as a CAPTCHA or biometric authentication, to authenticate the user's actions. The next component is the Policy Specification Interface, which is a GUI program that allows administrators to configure the system policies. The last component is the Challenge-Response Generator, which controls the generated challenges, i.e. the time-out rate, and mechanisms to prevent the generation of large numbers of challenges. Since humans are always the weakest link in any defense system, users may grant access to a process which is infected with malicious code.

Christopher and Kumar [29] also presented a preventive technique based on ransomware behavior, targeting three Indicators of Compromise (IOC): file changes within a time interval, file entropy and manipulation of canary files. A file system watcher filter is used to monitor two artificial network drives, and methods that alter the Access Control Lists (ACL) of files and folders are used to revoke write privileges when a compromise is confirmed. Nevertheless, the system will suffer from a lot of strain when the monitoring is done on physical drives instead of artificial drives.

2.3.3 Recovery After Infection:
This is a different technique, which aims at recovering from the ransomware attack without paying the ransom. To accomplish this, Zimba and Chishimba [9] suggested following mitigation strategies and recommended best practices based on clarifying the core components of successful ransomware attack campaigns, such as securing email, since emails are a major source of ransomware, and applying security patches regularly to fix vulnerabilities and avoid ransomware. Results show that the lack of offline backups and poorly implemented offline backup strategies end up costing businesses more than the ransom demand itself. Nonetheless, systems may still be vulnerable to zero-day attacks.

Likewise, Lee et al. [30] provided a new technique to recover from a ransomware attack using key backup. They assumed that the ransomware uses the Windows operating system CNG cryptography library to encrypt user files. Therefore, they seek to capture the keys when the ransomware generates them inside the host or receives them from the server, and then use them for file recovery after the ransomware infects the system and encrypts the files. Despite this, some ransomware uses libraries other than CNG, such as Cryptolocker, which uses the CAPI cryptography library, and others implement their own cryptography library. Furthermore, a few ransomware families don't obtain a key from the server, such as Ordinypt and Petya; instead, they encrypt files with randomly generated keys, which leads to data loss. Moreover, monitoring the outbound communication can be simply bypassed by encrypting these connections.

Zimba et al. [31] used a ransomware categorization framework to classify the maliciousness of ransomware attacks based on their data deletion and file encryption attack structures. The categories classify the technical skill and the overall effectiveness of potential ways of retaining the data without paying the ransom demand. This framework helps to understand potential inadequacies and glitches that can be utilized for data retrieval via system volume shadow copies or third-party software.

Furthermore, Zimba et al. [32] employed reverse engineering and dynamic analysis to assess the underlying attack structures and data deletion techniques that ransomware uses, and concluded that no matter how destructive a crypto ransomware attack might seem, the key to data recovery options lies in the underlying attack design and the implemented data deletion methodology. Other ransomware, though, has an irreversible impact; for example, no actual solution could be used to decrypt the hard disks that have been encrypted by NotPetya.

2.3.4 Trapping Attacker:
Lately, some authors have developed further prevention methods. Gómez-Hernández et al. [33] proposed a general methodology called R-Locker to thwart crypto ransomware actions. It is based on the deployment of honey files designed for the Linux system, to block the ransomware when it accesses a canary file, thus allowing the rest of the data to be preserved. In addition, this approach can automatically launch steps to resolve the infection. Nevertheless, this solution has some limitations, such as that just a part of the complete file system (the part corresponding to the user that installs R-Locker) is protected; also, a poor distribution of the traps can reduce the efficiency of the actual protection of the data. At the same time, this defense can be bypassed by the removal of the central trap file. Moreover, it can be partially bypassed when the ransomware accesses the files of a given folder in random order, where all files in the folder may be encrypted before the sample can be blocked.

Wang et al. [34] utilized an advanced defense scheme to protect important hosts under targeted ransomware attacks, employing cyber deception technology to block attackers via a network deception environment that helps protect crucial systems through attack guidance, by drawing attackers away from these protected systems. To this end, they deliberately set weak passwords for the administrator privileges of the deception environment and leave common vulnerabilities in the environment, such as EternalBlue, to attract attackers. Furthermore, they developed an automatic analysis system that applies natural language processing and machine learning techniques to crypto ransomware to trace back Remote Desktop Protocol (RDP)-based ransomware attacks and identify the original attack sources. Accordingly, this approach is only for hindering RDP-based ransomware attacks.

Furthermore, the work of Shaukat and Ribeiro [35] is based on analyzing an extensive dataset of ransomware families, and presents RansomWall, a layered defense system for protection against cryptographic ransomware. It follows a hybrid approach combining static and dynamic analysis to generate a compact set of features that characterizes the ransomware behavior. It uses a trap layer to help in early detection, and supervised machine learning algorithms for unearthing zero-day intrusions. When the preliminary layers of RansomWall tag a process for suspicious ransomware behavior, files altered by this process are copied into a protected place to preserve user data until the process is classified as "ransomware or benign" by the machine learning layer. Nevertheless, user critical files may be attacked earlier than the honey files.

3. DISCUSSION
It is significant to note that the research community has paid attention to detection, prevention and even recovery techniques to prevent ransomware infections and mitigate their impact, in order to avoid data loss and large economic losses. The main contribution of this paper is to summarize the presented literature, which employs different mechanisms to protect the business from ransomware attacks, and to reveal its strengths and weaknesses, as well as the related challenges confronted in dealing with this kind of attack. Therefore, this work may be used as a starting point for future research. The pros and cons of the related work are summarized in tables (1) and (2).
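The file-activity indicators reviewed in sections 2.2.1, 2.3.2 and 2.3.4 (entropy of written data as in ShieldFS [17] and Christopher and Kumar [29], a burst of file modifications within a time interval as in CryptoDrop [15] and [29], and access to a canary file as in R-Locker [33] and [29]) can be combined into one process-scoring rule. The following Python script is an added example, not code from this survey or from any of the cited systems; its thresholds, paths and event stream are assumptions constructed for the demo, and it goes one step beyond the text by including an archiver process to show the false-positive risk the survey notes for [14] and [15].

```python
"""Behavior-based scoring of one process's file activity.

Added example, not code from the survey or from any cited paper. It combines
three indicator families: entropy of written data, a burst of distinct files
modified inside a time window, and any write or rename of a canary file.
Thresholds, paths and the sample events below are assumed/constructed.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass

# Assumed tunables; a real deployment calibrates them against a benign baseline.
WINDOW_SECONDS = 10.0        # sliding window for the modification-burst indicator
BURST_THRESHOLD = 20         # distinct files modified inside one window
HIGH_ENTROPY_BITS = 7.0      # bits/byte; plaintext documents sit well below this
HIGH_ENTROPY_FRACTION = 0.8  # share of a process's writes that must look encrypted
CANARY_PATHS = frozenset({"/home/alice/Documents/~$canary_0000.docx"})  # assumed trap


@dataclass
class FileEvent:
    ts: float            # seconds since the monitor started
    pid: int
    op: str              # "read", "write" or "rename"
    path: str            # file the operation targets (for rename: the old name)
    data: bytes = b""    # payload, write operations only


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the ceiling, reached only by uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_distinct_files_in_window(events, window=WINDOW_SECONDS) -> int:
    """Largest number of distinct paths modified inside any interval of `window` s."""
    mods = sorted((e.ts, e.path) for e in events if e.op in ("write", "rename"))
    best, start = 0, 0
    for end in range(len(mods)):
        while mods[end][0] - mods[start][0] > window:
            start += 1
        best = max(best, len({p for _, p in mods[start:end + 1]}))
    return best


def assess_process(events, pid) -> dict:
    """Compute the indicators for one pid and combine them into a verdict."""
    evs = [e for e in events if e.pid == pid]
    writes = [e for e in evs if e.op == "write"]
    renames = [e for e in evs if e.op == "rename"]
    high = sum(1 for w in writes if shannon_entropy(w.data) >= HIGH_ENTROPY_BITS)
    high_fraction = high / len(writes) if writes else 0.0
    burst = max_distinct_files_in_window(evs)
    canary_hit = any(e.op != "read" and e.path in CANARY_PATHS for e in evs)
    rename_fraction = len(renames) / (len(writes) + len(renames) or 1)
    # A canary touch is decisive on its own. Otherwise require BOTH a burst and
    # encrypted-looking content, so a user saving many plaintext files stays
    # benign; an archiver writing compressed data can still trip the rule.
    suspicious = canary_hit or (burst >= BURST_THRESHOLD
                                and high_fraction >= HIGH_ENTROPY_FRACTION)
    return {"pid": pid, "writes": len(writes), "max_burst": burst,
            "high_entropy_fraction": round(high_fraction, 3),
            "rename_fraction": round(rename_fraction, 3),
            "canary_hit": canary_hit,
            "verdict": "suspicious" if suspicious else "benign"}


def constructed_events():
    """Constructed stream: an editor (pid 4242), a ransomware-like process
    (pid 6666) and an archiver writing compressed-looking data (pid 7777)."""
    rng = random.Random(7)  # seeded so the entropy figures are reproducible
    text = b"Quarterly figures, draft 3. Revenue up 4% on last period.\n" * 16
    evs = []
    for i in range(3):  # editor: three slow, low-entropy saves plus a read
        evs.append(FileEvent(1.0 + 30.0 * i, 4242, "write",
                             f"/home/alice/Documents/report{i}.txt", text))
    evs.append(FileEvent(95.0, 4242, "read", "/home/alice/Documents/report0.txt"))
    for i in range(25):  # ransomware-like: 25 files overwritten and renamed in ~5 s
        path = f"/home/alice/Documents/photo{i:02d}.jpg"
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        evs.append(FileEvent(100.0 + 0.2 * i, 6666, "write", path, blob))
        evs.append(FileEvent(100.1 + 0.2 * i, 6666, "rename", path))
    evs.append(FileEvent(105.5, 6666, "write",
                         "/home/alice/Documents/~$canary_0000.docx", b"\x00" * 64))
    for i in range(22):  # archiver: many high-entropy writes, no canary, no renames
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        evs.append(FileEvent(200.0 + 0.3 * i, 7777, "write",
                             f"/home/alice/backup/chunk{i:03d}.gz", blob))
    return evs


if __name__ == "__main__":
    for pid in (4242, 6666, 7777):
        print(assess_process(constructed_events(), pid))
```

The archiver is flagged alongside the ransomware-like process, which is why systems such as CryptoDrop defer the final decision to the user and why the canary indicator, which the archiver never trips, is the more reliable of the three.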
Table (1) Related Work Summary (columns: No., Researcher(s), Contribution, Pros, Cons)

1. Popli and Girdhar [1], 2018
   Contribution: Ran recent ransomware in a simulated environment and analyzed their attack process.
   Pros: Makes a prediction of future ransomware, its expected impact and how difficult it would be to detect if polymorphic or metamorphic techniques are used.
   Cons: They did not suggest a specific solution to prevent or detect ransomware infection.

2. Rajput [6], 2017
   Contribution: Studied the characteristics of ransomware families and their evolution.
   Pros: Shows that many ransomware families exhibit similar characteristics.
   Cons: Did not suggest a specific solution to prevent ransomware infection.

3. Zimba and Chishimba [9], 2019
   Contribution: Suggested mitigation strategies utilizing the recommended best practices, based on successful ransomware attack campaigns.
   Pros: Availability of an offline backup will mitigate the impact of a ransomware infection.
   Cons: The system is still vulnerable to a zero-day attack, which can break the system.

4. Goyal et al. [12], 2020
   Contribution: Detected crypto-ransomware using a classification model.
   Pros: Demonstrates the limitation of signature-based detection methods and emphasizes the capability of behavior-based detection to detect crypto-ransomware.
   Cons: Misclassification may happen due to decision boundary errors.

5. Grant and Parkinson [13], 2018
   Contribution: Proposed a file monitoring application.
   Pros: Identifies the ransomware behavioral pattern.
   Cons: It only monitors interaction with files in a "specific directory", not all user data.

6. Kok et al. [14], 2019
   Contribution: Proposed a pre-encryption detection algorithm utilizing only API calls.
   Pros: The proposed LA algorithm accomplished prediction from the collected data to detect crypto-ransomware.
   Cons: The LA can only be implemented using a new dataset with API calls from the pre-encryption stage.

7. Scaife et al. [15], 2016
   Contribution: Proposed "CryptoDrop", an early-warning detection system.
   Pros: It can halt a suspicious process.
   Cons: Does not inspect files outside of the user documents directory; needs user interaction; 40 files could be encrypted before it can detect suspicious activity.

8. Continella et al. [17], 2016
   Contribution: Proposed the "ShieldFS" detection system.

9. Kharraz and Kirda [18], 2017
   Contribution: Proposed the "Redemption" detection system.
   Pros (8 and 9): No file is encrypted by the ransomware.
   Cons (8 and 9): Creating the reflected files and redirecting the write requests to the protected area are the main reasons for the performance hit under high workloads.

10. Winter et al. [19], 2018
   Contribution: Introduced the notion of a "cyber autoimmune disease".
   Pros: Emphasizes that technology is not evolving as fast as the complexity of threats.
   Cons: No specific solution is proposed other than requesting that anti-virus companies update their inefficient methods and techniques.

11. Lika et al. [20], 2018
   Contribution: Proposed cyberattack prevention through awareness via gamification.
   Pros: Educates users to increase their awareness in an interactive manner.
   Cons: They did not suggest a specific solution to prevent or detect ransomware infection; they only confirmed the efficiency of using the "perfc" file to avoid the "NotPetya" ransomware.

12. Zimba et al. [21], 2018
   Contribution: Studied the emerging cyber threat to critical infrastructure.
   Pros: Uncovered the techniques WannaCry employed to discover vulnerable nodes.

13. Zimba and Mulenga [22], 2018
   Contribution: Employed reverse engineering on the underlying malware program logic.
   Pros: Unmasked the WannaCry ransomware network interactions.
   Cons (12 and 13): The discovered network interactions are adopted only by the WannaCry ransomware.
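The host-based detectors in Table 1 (CryptoDrop [15], the file-monitoring approach of [13]) watch file-system activity for indicators of encryption, and the cons listed for them follow from how such scoring works: files are lost until the per-process threshold is reached, and a sample that stays below it is never halted. The following is an added example, not code from any of the surveyed papers, that scores per-process indicators (Shannon entropy of written data, renames, deletes) over a constructed event stream and halts a process once its score crosses a threshold. The entropy and score thresholds, the process ids and the paths are assumptions made for the example.

```python
"""Behaviour-based ransomware indicators over a stream of file events.

Added example, not code from any of the surveyed papers. It scores the
indicators the host-based detectors in Table 1 rely on (high Shannon entropy of
written data, mass renames and deletes, a per-process count threshold) and halts
a process once the score crosses the threshold. The event stream, the process
ids and the thresholds are constructed for illustration.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds (constructed for the example, not taken from the papers).
ENTROPY_THRESHOLD = 7.0   # bits per byte; plaintext documents sit well below this
SCORE_THRESHOLD = 5       # suspicious operations per process before it is halted


def shannon_entropy(data):
    """Shannon entropy in bits per byte, 0.0 to 8.0; ciphertext is close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class ProcessState:
    high_entropy_writes: int = 0
    renames: int = 0
    deletes: int = 0
    touched: set = field(default_factory=set)   # distinct user files affected

    def score(self):
        return self.high_entropy_writes + self.renames + self.deletes


class BehaviourMonitor:
    """Per-process indicator scoring; observe() returns the pid to halt, if any."""

    def __init__(self, score_threshold=SCORE_THRESHOLD):
        self.state = defaultdict(ProcessState)
        self.halted = {}          # pid -> files touched at the moment of halting
        self.score_threshold = score_threshold

    def observe(self, event):
        pid = event["pid"]
        if pid in self.halted:    # already killed: later events never happen
            return None
        st = self.state[pid]
        st.touched.add(event["path"])
        op = event["op"]
        if op == "write" and shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD:
            st.high_entropy_writes += 1
        elif op == "rename":
            st.renames += 1
        elif op == "delete":
            st.deletes += 1
        if st.score() >= self.score_threshold:
            self.halted[pid] = len(st.touched)
            return pid
        return None

    def undetected(self):
        """Processes that wrote ciphertext-like data but never reached the threshold."""
        return {pid: st.high_entropy_writes for pid, st in self.state.items()
                if st.high_entropy_writes and pid not in self.halted}


HIGH_ENTROPY = bytes(range(256)) * 16                             # 4 KiB, 8.0 bits/byte
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 90  # about 4.3 bits/byte


def constructed_events():
    """Constructed event stream: one editor, one ransomware, one low-activity sample."""
    events = []
    for i in range(8):   # pid 100: an editor saving ordinary text files
        events.append({"pid": 100, "op": "write", "path": f"docs/note{i}.txt", "data": PLAINTEXT})
    for i in range(8):   # pid 200: crypto-ransomware overwriting and renaming documents
        path = f"docs/report{i}.docx"
        events.append({"pid": 200, "op": "write", "path": path, "data": HIGH_ENTROPY})
        events.append({"pid": 200, "op": "rename", "path": path, "to": path + ".locked"})
    for i in range(3):   # pid 300: a sample that encrypts three files and stops
        events.append({"pid": 300, "op": "write", "path": f"docs/key{i}.xlsx", "data": HIGH_ENTROPY})
    return events


def run(events, score_threshold=SCORE_THRESHOLD):
    """Returns ({halted pid: files touched before halt}, {undetected pid: encrypted files})."""
    mon = BehaviourMonitor(score_threshold)
    for ev in events:
        mon.observe(ev)
    return dict(mon.halted), mon.undetected()


if __name__ == "__main__":
    halted, missed = run(constructed_events())
    print("halted:", halted)        # {200: 3}: three documents lost before the kill
    print("undetected:", missed)    # {300: 3}: stayed below the score threshold
```

Lowering SCORE_THRESHOLD to 3 halts pid 300 as well, but only by moving the decision boundary closer to legitimate tools that write compressed or encrypted output (backup agents, archivers), which is the misclassification risk the tables attribute to [12], [27] and [35]; the entropy test alone cannot tell a ZIP archive from ciphertext.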

Table (2) Related Work Summary (columns: No., Researcher(s), Contribution, Pros, Cons)

1. Almashhadani et al. [23], 2019
   Contribution: Proposed a multi-classifier network-based ransomware detection.
   Pros: Implemented a network-based intrusion detection system.
   Cons: The extracted network traffic is specific to the "Locky" ransomware; not all ransomware families connect to command-and-control servers ("win-locker", for example).

2. Akbanov et al. [24], 2019
   Contribution: Accomplished extensive dynamic analysis of the WannaCry ransomware.
   Pros: The results of this research can help to build an efficient mitigation mechanism against WannaCry.
   Cons: The uncovered network behavior is used by the WannaCry ransomware only.

3. Hull et al. [25], 2019
   Contribution: Proposed Randep, a predictive model for categorizing ransomware according to its behavioral characteristics.
   Pros: It can be used to improve the detection and handling of ransomware incidents.
   Cons: Not all ransomware families go through all of these deployment stages.

4. Chen and Bridges [26], 2018
   Contribution: Presented a method to automatically extract distinguishing features of malware from host logs.
   Pros: It can be used to improve ransomware detection and make it more robust to polymorphism.
   Cons: They did not suggest a specific solution to prevent or detect ransomware infection.

5. Verma et al. [27], 2018
   Contribution: Implemented an automated system using supervised machine learning classifiers to classify ransomware samples.
   Pros: Classifies ransomware variants in a real-time environment.
   Cons: Misclassification due to decision boundary errors; some ransomware has limited file system activity, so a few user files may be encrypted before detection.

6. Ami et al. [28], 2019
   Contribution: Adopted an authentication-based access control mechanism.
   Pros: It can halt file modification attempts such as renames or deletions.
   Cons: Users may grant access to a process which is infected with malicious code.

7. Chew and Kumar [29], 2019
   Contribution: Presented a preventative technique based on ransomware behavior.
   Pros: Alters the access control levels of files and folders to revoke ACL write privileges once a compromise is confirmed.
   Cons: The system will suffer a lot of strain when the monitoring is done on physical drives instead of artificial drives.

8. Lee et al. [30], 2017
   Contribution: Provided a new technique to recover from a ransomware attack using key backup.
   Pros: The recovered key is used for file recovery after the ransomware infects the system and encrypts user files.
   Cons: Not all ransomware uses the CNG library ("Cryptolocker", for example); not all ransomware obtains the key from a server ("Ordinypt" and "Petya", for example); monitoring the outbound communication can easily be avoided by encrypting these connections.

9. Zimba et al. [31], 2019
   Contribution: Categorized ransomware based on data deletion and file encryption attack structures.
   Pros: This framework helps to uncover ransomware design flaws in order to exploit them for data recovery, via system volume shadow copies or third-party software, without paying the ransom.

10. Zimba et al. [32], 2018
   Contribution: Evaluated the underlying ransomware attack structures and data deletion techniques.
   Pros: Concluded that the key to data recovery options lies in uncovering the underlying attack structure and the implemented data deletion methodology.
   Cons (9 and 10): Some ransomware has an irreversible impact; for example, no actual solution could be used to decrypt the hard disks encrypted by NotPetya.

11. Gómez-Hernández et al. [33], 2018
   Contribution: Proposed a general methodology called R-Locker to thwart crypto-ransomware actions.
   Pros: The proposed methodology eliminates the ransomware when it accesses a trap file, thus preserving the rest of the data.
   Cons: Only a part of the complete file system is protected; a poor distribution of the traps can reduce the efficiency of data protection; the defense can be bypassed by removing the central trap file; it can be partially bypassed by a sample that accesses the files of a given folder in random order, where all files in the folder may be encrypted before the sample can be blocked.

12. Wang et al. [34], 2018
   Contribution: Utilized cyber deception technology by trapping attackers.
   Pros: This approach helps to protect important hosts under targeted ransomware attacks; it utilizes NLP and machine learning to trace back RDP-based ransomware attacks and identify the original attack sources.
   Cons: This approach only hinders RDP-based ransomware attacks.

13. Shaukat and Ribeiro [35], 2018
   Contribution: Presented "RansomWall", a layered defense system for protection against cryptographic ransomware.
   Pros: When the trap layer suspects a process as malicious, the modified files are backed up until the process is classified as ransomware or benign by the "machine learning layer".
   Cons: Critical user files may be attacked earlier than the honey files; some ransomware has limited file system activity, so a few user files may be encrypted before detection; another misclassification risk is due to decision boundary errors.
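Both honey-file approaches in Table 2 (R-Locker [33] and the trap layer of RansomWall [35]) share the weaknesses listed there: only part of the file system is covered, a poorly distributed trap set is reached late, and a sample that visits files in random order may encrypt a folder before it touches a decoy. The following is an added example, not the code of either paper: it plants decoys in every directory of a constructed tree, detects tampering by content hash, and measures how many real files are lost before the first trap is hit under sorted and random traversal. The decoy names, the tree layout and the overwrite that stands in for encryption are assumptions made for the example.

```python
"""Honey-file ("trap") layer for crypto-ransomware detection.

Added example, not the R-Locker [33] or RansomWall [35] code. It plants decoy
files in every directory, detects when a decoy is modified, renamed or deleted,
and measures how many real files a sample encrypts before it trips a trap,
under sequential (sorted) and random traversal. Directory layout, decoy names
and the "encryption" (an overwrite with fixed bytes) are constructed here.
"""
import hashlib
import os
import random
import shutil
import tempfile

# Assumed decoy names: one sorts before, one after, every ordinary file name,
# so a sample that walks a directory in sorted order meets a trap first or last.
TRAP_NAMES = ("!!_invoice.docx", "~~_archive.docx")
TRAP_CONTENT = b"decoy document - never opened by a legitimate user\n"
FAKE_CIPHERTEXT = bytes(range(256)) * 4   # stands in for encrypted output


def plant_traps(root):
    """Create the decoys in every directory under root; return {path: sha256}."""
    registry = {}
    for dirpath, _, _ in os.walk(root):
        for name in TRAP_NAMES:
            path = os.path.join(dirpath, name)
            with open(path, "wb") as f:
                f.write(TRAP_CONTENT)
            registry[path] = hashlib.sha256(TRAP_CONTENT).hexdigest()
    return registry


def tampered_traps(registry):
    """Decoys whose content changed, or that were renamed/deleted, since planting."""
    hits = []
    for path, digest in registry.items():
        try:
            with open(path, "rb") as f:
                if hashlib.sha256(f.read()).hexdigest() != digest:
                    hits.append(path)
        except FileNotFoundError:          # renamed or deleted: also a hit
            hits.append(path)
    return hits


def simulate_encryption(root, registry, rng=None):
    """Overwrite files under root one by one (sorted order, or shuffled with rng),
    checking the traps after every write as a watcher would. Returns
    (real files encrypted before the first trap hit, whether a trap was hit)."""
    files = sorted(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
    if rng is not None:
        rng.shuffle(files)
    lost = 0
    for path in files:
        with open(path, "wb") as f:
            f.write(FAKE_CIPHERTEXT)
        if tampered_traps(registry):       # the watcher would kill the process here
            return lost, True
        lost += 1
    return lost, False


def expected_loss_random_order(n_real, n_traps, trials=4000, seed=0):
    """Mean number of real files hit before the first trap under random order.
    Analytically this is n_real / (n_traps + 1); the function estimates it."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        order = ["R"] * n_real + ["T"] * n_traps
        rng.shuffle(order)
        total += order.index("T")
    return total / trials


def build_tree(n_dirs=2, files_per_dir=10):
    """Constructed user tree: n_dirs folders of plain-text documents."""
    root = tempfile.mkdtemp(prefix="honey_")
    for d in range(n_dirs):
        sub = os.path.join(root, f"project{d}")
        os.makedirs(sub)
        for i in range(files_per_dir):
            with open(os.path.join(sub, f"report{i:02d}.txt"), "w") as f:
                f.write("quarterly figures\n" * 20)
    return root


def demo(seed=7):
    """Run the sorted and the random traversal against fresh trees."""
    results = {}
    for label, rng in (("sorted", None), ("random", random.Random(seed))):
        root = build_tree()
        registry = plant_traps(root)
        results[label + "_initial_tampered"] = len(tampered_traps(registry))
        lost, stopped = simulate_encryption(root, registry, rng)
        results[label + "_lost"] = lost
        results[label + "_stopped"] = stopped
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
    print("expected loss, 20 files / 2 traps, random order:",
          round(expected_loss_random_order(20, 2), 2))
```

A deleted or renamed decoy is reported as a hit by the FileNotFoundError branch, so removing the trap file, the bypass listed for R-Locker, raises an alert rather than silently defeating the layer. The expected_loss_random_order function quantifies the random-order weakness: with n real files and t traps in a folder, on average n/(t+1) real files are encrypted before the first trap is touched, so trap density per folder, not trap placement, is the only lever against a sample that shuffles its file list.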

37
International Journal of Computer Applications (0975 – 8887)
Volume 177 – No. 40, February 2020

4. CONCLUSION
With the existence of ransomware as a service (RaaS), which facilitates obtaining ransomware code easily, and the availability of free development kits such as "Torlocker, TOX and Hidden-Tear" to unskilled individuals, the entry barrier to the remunerative ransomware business is greatly reduced. Its activities are only expected to rise, and users should brace themselves against such attacks.

The more critical the data, the more likely the victim is to pay the ransom. Reversing ransomware encryption is quite difficult and consumes time and resources. Even so, employing techniques such as reverse engineering and cryptanalysis will contribute considerably to a decline in ransomware attacks, since they make it possible for victims to regain access to their files without paying the ransom.

Moreover, approaches to prevent ransomware and protect devices are necessary. But ransomware developers will soon adapt to the current detection tools, and new families with different behavior will spread.

5. FUTURE WORK
In the future, this work will be extended by establishing an efficient hybrid approach that combines two or more techniques to prevent ransomware and make user data more resistant to it. The work can also serve as the foundation for proposing a ransomware prevention model.

6. REFERENCES
[1] Popli N, Girdhar A. Behavioural Analysis of Recent Ransomware and Prediction of Future Attacks by Polymorphic and Metamorphic Ransomware. In: Verma NK, Ghosh AK (eds) Computational Intelligence: Theories, Applications, and Future Directions - Volume II, ICCI-2017. Springer, Singapore. 2018;799(4):65-80.
[2] Caporusso N, Chea S, Abukhaled R. A game-theoretical model of ransomware. In: Proceedings - International Conference on Applied Human Factors and Ergonomics, 21 July 2018 (pp. 69-78). Springer, Cham.
[3] Morgan S. "Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics." Cybercrime Magazine, Cisco and Cybersecurity Ventures. 2019. https://www.cybersecurityventures.com/cybersecurity-almanac-2019
[4] Maccari M, Polzonetti A, Sagratella M. Detection: Definition of New Model to Reveal Advanced Persistent Threat. In: Proceedings of the Future Technologies Conference, 15 November 2018 (pp. 305-323). Springer, Cham.
[5] Al-rimy B, Maarof M, Shaid S. Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions. Computers and Security. 2018;74:144-166.
[6] Rajput T. Evolving Threat Agents: Ransomware and their Variants. International Journal of Computer Applications. 2017 April;164(7):28-34.
[7] Kok S, Abdullah A, Jhanjhi N, Supramaniam M. Ransomware, Threat and Detection Techniques: A Review. IJCSNS International Journal of Computer Science and Network Security. 2019;19(2):136-146.
[8] Tandon A, Nayyar A. A Comprehensive Survey on Ransomware Attack: A Growing Havoc Cyberthreat. In: Data Management, Analytics and Innovation 2019 (pp. 403-420). Springer, Singapore.
[9] Zimba A, Chishimba M. On the Economic Impact of Crypto-ransomware Attacks: The State of the Art on Enterprise Systems. European Journal for Security Research. 2019 January;4(1):3-31.
[10] BBC News 2019, Baltimore ransomware attack: NSA faces questions, BBC News, viewed 28 December 2019, https://www.bbc.com/news/technology-48423954/
[11] Wikipedia 2019, WannaCry ransomware attack, Wikipedia, viewed 28 December 2019, https://en.wikipedia.org/wiki/WannaCry_ransomware_attack/
[12] Goyal P, Kakkar A, Vinod G, Joseph G. Crypto-Ransomware Detection Using Behavioral Analysis. In: Reliability, Safety and Hazard Assessment for Risk-Based Technologies. Springer. 2020:239-251.
[13] Grant L, Parkinson S. Identifying File Interaction Patterns in Ransomware Behavior. In: Parkinson S, Crampton A, Hill R (eds) Guide to Vulnerability Analysis for Computer Networks and Systems. Springer, Cham. 2018;14:317-335.
[14] Kok SH, Abdullah A, JhanJhi NZ, Supramaniam M. Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm. Computers. 2019 Dec;8(4):79.
[15] Scaife N, Carter H, Traynor P, Butler K. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. In: Proceedings - International Conference on Distributed Computing Systems. 2016 August;2016:303-312.
[16] Wolf J. "Ransomware Detection." Friedrich-Alexander-University Erlangen-Nuremberg. 2018.
[17] Continella A, Guagnelli A, Zingaro G, Pasquale G, Barenghi A, Zanero S, Maggi F. ShieldFS: A Self-healing, Ransomware-aware Filesystem. In: Proceedings - Annual Computer Security Applications Conference (ACSAC). 2016 December:336-347.
[18] Kharraz A, Kirda E. Redemption: Real-Time Protection Against Ransomware at End-Hosts. In: Dacier M, Bailey M, Polychronakis M, Antonakakis M (eds) Research in Attacks, Intrusions, and Defenses. Springer. 2017;10453:98-119.
[19] Winter R, Ruiz R, Army B, Archer R. Cyber Autoimmune Disease When the Virtual Life Imitates the Real Life. International Journal of Cyber-Security and Digital Forensics (IJCSDF). 2018;7(1):21-30.
[20] Lika R, Murugiah D, Brohi S, Ramasamy D. NotPetya: Cyber Attack Prevention through Awareness via Gamification. In: International Conference on Smart Computing and Electronic Enterprise (ICSCEE). 2018:1-6.
[21] Zimba A, Wang Z, Chen H. Multi-stage crypto ransomware attacks: A new emerging cyber threat to critical infrastructure and industrial control systems. ICT Express. 2018;4(1):14-18.
[22] Zimba A, Mulenga M. A Dive Into the Deep: Demystifying Wannacry Crypto-Ransomware Network Attacks Via Digital Forensics. International Journal on Information Technologies & Security. 2018;10:57-69.
[23] Almashhadani A, Kaiiali M, Sezer S, O'Kane P. A Multi-Classifier Network-Based Crypto-Ransomware Detection System: A Case Study of Locky Ransomware. IEEE Access. 2019;7:47053-47067.
[24] Akbanov M, Vassilakis VG, Logothetis MD. WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention, and Propagation Mechanisms. Journal of Telecommunications & Information Technology. 2019 March;(1).
[25] Hull G, John H, Arief B. Ransomware deployment methods and analysis: views from a predictive model and human responses. Crime Science. 2019 February;8(1):1-22.
[26] Chen Q, Bridges R. Automated behavioral analysis of malware: A Case Study of Wannacry Ransomware. In: Proceedings - 16th IEEE International Conference on Machine Learning and Applications (ICMLA) 2017. 2018 January:454-460.
[27] Verma M, Kumarguru D, Deb S, Gupta A. Analyzing indicator of compromises for ransomware: Leveraging IOCs with machine learning techniques. In: IEEE International Conference on Intelligence and Security Informatics (ISI). 2018:154-159.
[28] Ami O, Elovici Y, Hendler D. Ransomware prevention using application authentication-based file access control. In: The 33rd ACM/SIGAPP Symposium on Applied Computing. Pau, France. 2018 April:1610-1619.
[29] Chew C, Kumar V. Behavior Based Ransomware Detection. In: Proceedings - 34th International Conference on Computers and Their Applications. 2019;58:127-116.
[30] Lee K, Oh I, Yim K. Ransomware-prevention technique using key backup. Lecture Notes of the Institute for Computer Sciences, Social-Informatics, and Telecommunications Engineering (LNICST). 2017 August;194:105-114.
[31] Zimba A, Wang Z, Chishimba M. Addressing Crypto-Ransomware Attacks: Before You Decide whether To-Pay or Not-To. Journal of Computer Information Systems. 2019 January;4417:1-11.
[32] Zimba A, Wang Z, Simukonda L. Towards Data Resilience: The Analytical Case of Crypto-Ransomware Data Recovery Techniques. International Journal of Information Technology and Computer Science. 2018 January;10(1):40-51.
[33] Gómez-Hernández J, Álvarez-González L, García-Teodoro P. R-Locker: Thwarting ransomware action through a honey-file-based approach. Computers & Security. 2018;73:389-398.
[34] Wang Z, Cui X, Su S, Qiu J, Liu C, Tian Z. Automatically Traceback RDP-Based Targeted Ransomware Attacks. Wireless Communications and Mobile Computing. 2018;2018:1-13.
[35] Shaukat S, Ribeiro V. RansomWall: A Layered Defense System against Cryptographic Ransomware Attacks using Machine Learning. In: Proceedings - 10th International Conference on Communication Systems & Networks (COMSNETS). 2018:356-363.