Artículos
Publicado 2020-05-29
Palabras clave
- cifrado,
- controles,
- malware,
- ransomware
Cómo citar
Osorio-Sierra, A. F., Mateus-Hernández, M. J., & Vargas-Montoya, H. F. (2020). Proceso para la identificación, clasificación y control del comportamiento de familias Ransomware. Revista UIS Ingenierías, 19(3), 131–142. https://doi.org/10.18273/revuin.v19n3-2020013
Derechos de autor 2020 Revista UIS Ingenierías
Esta obra está bajo una licencia internacional Creative Commons Atribución-SinDerivadas 4.0.
Resumen
Desde mayo del 2017, en donde se registraron diferentes ataques de Ransomware a escala mundial que afectaron a varias empresas de Europa a causa del WannaCry, ha habido un aumento progresivo entre los años 2018 y 2019 de ataques informáticos que cifran y secuestran los datos, para luego solicitar un rescate por parte de los ciberdelincuentes.
Este articulo contiene un análisis de los diferentes métodos para la detección y prevención de malware tipo Ransomware, que afectan principalmente al sistema operativo Windows. Para esto se inició con una caracterización de los diferentes tipos de ransonware, se obtuvieron diversos métodos para la detección y prevención de posibles infecciones y finalmente se crearon familias de controles de acuerdo con el comportamiento del malware, estos controles permiten la reducción de los riesgos de exposición, generando con ello, las recomendaciones pertinentes que pueden ser aplicadas en las organizaciones. En ese sentido, se entrega una introducción alrededor de los conceptos de malware y su ciclo de vida, así mismo, se establece un proceso de medición del impacto con base en la metodología internacional CVSS para la clasificación de las vulnerabilidades, se crea una metodología que permite la clasificación de malware de acuerdo a su nivel de daño, filtrando aquellas con impacto medio y alto, se caracterizaron los métodos de prevención y control, se generaron recomendaciones de controles con base en el impacto de los diferentes tipos de malware y finalmente se entregan las conclusiones.
Descargas
Los datos de descargas todavía no están disponibles.
Referencias
[1] “Ministerio TIC - Paraguay. Cómo recuperar ficheros afectados por WannaCry. Telefónica WannaCry File Restorer”, 2019. [En línea]. Disponible en: https://www.cert.gov.py/index.php/noticias/como-recuperar-ficheros-afectados-por-wannacry-telefonica-wannacry-file-restorer
[2] “TrendMicro Corp. SMS Ransomware Tricks Russian Users”, 2011. [En línea]. Disponible en: https://blog.trendmicro.com/trendlabs-security-intelligence/sms-ransomware-tricks-russian-users/.
[3] M. Á. Mendoza, “El impacto del ransomware en Latinoamérica durante 2017”, 2018. [En línea]. Disponible en: https://www.welivesecurity.com/la-es/2018/03/01/impacto-ransomware-latinoamerica-2017/
[4] “Ministerio TIC de Colombia. Ransomware sigue creciendo en América Latina”, 2017. [En línea]. Disponible: https://www.enticconfio.gov.co/ransomware-crece-america-latina
[5] “CBSNews. Ransomware attacks on the rise — and small towns are in the crosshairs”, 2019.
[En línea]. Disponible en: https://www.cbsnews.com/news/ransomware-attacks-on-the-rise-and-governments-are-in-the-crosshairs/
[6] R. Brewer, “Ransomware attacks: detection, prevention and cure”, Netw. Secur., no. 9, pp. 5–9, Sep. 2016, doi: 10.1016/S1353-4858(16)30086-1.
[7] “IBM Incident Response Services. Ransomware Response Guide”, 2017. [En línea]. Disponible en: https://cdn2.hubspot.net/hubfs/233484/Open%20Systems%20Specialists/Content/Ransomware%20Response%20Guide.pdf?t=1507156230392
[8] J. A. Gómez-Hernández, L. Álvarez-González, P. García-Teodoro, “R-Locker: Thwarting ransomware action through a honeyfile-based approach,” Comput. Secur., vol. 73, pp. 389–398, 2018, doi: 10.1016/j.cose.2017.11.019
[9] “IBM News room. IBM Study: Businesses More likely to Pay Ransomware than Consumers - United States”, 2016. [En línea]. Disponible en: https://www-03.ibm.com/press/us/en/pressrelease/51230.wss
[10] P. Gaviria, “Aplicación de Metodología de Malware para el Análisis de la amenaza avanzada persistente (APT),” trabajo fin de master, Universidad Nacional de la Rioja, 2016.
[11] S. Alsoghyer, I. Almomani, “Ransomware Detection System for Android Applications,” Electronics, vol., 8, no. 8, 2019, doi: 10.3390/electronics8080868
[12] C. Hosmer, J. Bartolomie, R. Pelli. Chet Hosmer. “The Impact of Windows Command Line Investigations,” en Executing Windows Command Line Investigations. Cambridge, MA, USA: ScienceDirect, 2016, pp. 1-9.
[13] M. U Salvi, K. Kerkar, “Ransomware: A Cyber Extortion,” Asian journal for convergence in technology (ajct), vol. 2, no. 3, pp. 2, 2016.
[14] A. Sanatinia, G. Noubir, “OnionBots: Subverting Privacy Infrastructure for Cyber Attacks,” en 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2015, pp. 69–80, doi: 10.1109/DSN.2015.40
[15] L. Bridges, “The changing face of malware,” Netw. Secur., vol. 2008, no. 1, pp. 17–20, 2008, doi: 10.1016/S1353-4858(08)70010-2
[16] V. Kotov, F. Massacci, “Anatomy of Exploit Kits,” en Engineering Secure Software and Systems. ESSoS 2013, vol 7781, pp. 181–196, doi: 10.1007/978-3-642-36563-8_13
[17] S. M. Aziz, “Ransomware in High-Risk Environments” trabajo de investigación independiente, Valparaiso University, 2016.
[18] J. Zorabedian, “Anatomy of a ransomware attack: CryptoLocker, CryptoWall, and how to stay safe (Infographic),” 2015. [En línea]. Disponible en: https://news.sophos.com/en-us/2015/03/03/anatomy-of-a-ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/
[19] “Malc0de. Información de malware”, 2019. [En línea]. Disponible en: http://malc0de.com/dashboard/
[20] “Github. A repository of LIVE malwares”, 2019. [En línea]. Disponible en: https://github.com/ytisf/theZoo.
[21] “NoVirusThanks™ project. Malicious Domains Database”, 2019. [En línea]. Disponible en: http://www.threatlog.com/
[22] “Malekal. Malware and Virus”, 2019. [En línea]. Disponible en: https://www.malekal.com/
[23] “Any.Run. Interactive malware hunting service”. 2019. [En línea]. Disponible en: https://any.run/
[24] “Intezer Analyze Corp. Automate your Security Operations and Incident Response with Genetic Malware Analysis”, 2019. [En línea]. Disponible en: https://analyze.intezer.com/#/.
[25] Spiceworks Corp., “Prevent ransomware by using FSRM”, 2016. [En línea]. Disponible en: https://community.spiceworks.com/how_to/128744-prevent-ransomware-by-using-fsrm
[26] “VMRAY. X-ray vision for malware”, 2019. [En línea]. Disponible en: https://www.vmray.com/
[27] “ESET Latam. RANSOMWARE: Cómo proteger a su empresa del malware de extorsión”, 2018. [En línea]. Disponible en: http://www.eset-la.com/pdf/ransomware-prevention/ransomware-como-proteger-a-su-empresa-del-malware-de-extorsion.pdf.
[28] “TrendMicro. SMS Ransomware Tricks Russian Users - TrendLabs Security Intelligence Blog”, 2011. [En línea]. Disponible en: https://blog.trendmicro.com/trendlabs-security-intelligence/sms-ransomware-tricks-russian-users/
[29] M. Nicolett, A. Williams, “Improve IT Security With Vulnerability Management” Gartner Research, 2005. [En línea]. Disponible en: https://www.gartner.com/doc/480703/improve-it-security-vulnerability-management
[30] Z. Xiyang, C. Chuanqing, “Research on VLAN Technology in L3 Switch. 2009,” en IEEE Third International Symposium on Intelligent Information Technology Application, 2009, vol. 3, pp. 722-725, doi: 10.1109/IITA.2009.498
[31] Z. Trabelsi, V. Molvizadah, “Edu-firewall device: An advanced firewall hardware device for information security education,” en 13th IEEE Annual Consumer Communications Networking Conference (CCNC), 2016, pp. 278-279, doi: 10.1109/CCNC.2016.7444779
[32] S. Vasanthi, S. Chandrasekar, “A study on network intrusion detection and prevention system current status and challenging issues,” en IEEE 3rd International Conference on Advances in Recent Technologies in Communication and Computing (ARTCom 2011), pp. 181-183, doi: 10.1049/ic.2011.0075
[33] C. Krasznay, B. P. Hámornik, “Analysis of Cyberattack Patterns by User Behavior Analytics,” AARMS – Academic and Applied Research in Military Science. vol. 17, no. 3, pp. 101-114, 2018.
[34] M. Christodorescu, S. Jha, S. A. Seshia, D. Song, y R. E. Bryant, “Semantics-Aware Malware Detection,” en Semantics-Aware Malware Detection. Proceedings - IEEE Symposium on Security and Privacy, pp. 32- 46, doi:10.1109/SP.2005.20
[35] D. Delaney, “5 Methods For Detecting Ransomware Activity”. 2016. [En línea]. Disponible en: https://www.netfort.com/blog/methods-for-detecting-ransomware-activity/.
[36] C. Moore, “Detecting Ransomware with Honeypot Techniques,” en Cybersecurity and Cyberforensics Conference (CCC), 2016, pp. 77-81, doi: 10.1109/CCC.2016.14
[37] C. Frenz, C. Diaz, “OWASP Anti-Ransomware Guide Project – OWASP”, 2018. [En línea]. Disponible en: https://www.owasp.org/index.php/OWASP_Anti-Ransomware_Guide_Project
[38] D. Nieuwenhuizen. “Based approach to ransomware detection”, F-Secure Labs, 2017.
[39] H. V. Nath, B. M. Mehtre, “Static Malware Analysis Using Machine Learning Methods,” en Recent Trends in Computer Networks and Distributed Systems Security, 2014, pp. 440-450, doi: 10.1007/978-3-642-54525-2_39
[40] “Symantec Corp. Email Gateway Security - Messaging Gateway”, 2018. [En línea]. Disponible en: https://www.symantec.com/products/messaging-gateway
[41] “Segu-Info. Cómo evitar infectarse con archivos JS adjuntos y ransomware”, 2016. [En línea]. Disponible en: https://blog.segu-info.com.ar/2016/03/como-evitar-infectarse-con-archivos-js.html.
[42] “T. Buntrock. How to Block Viruses and Ransomware Using Software Restriction Policies. Windows OS Hub,” 2017. [En línea]. Disponible en: http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/.
[43] “Tripwire. 22 Ransomware Prevention Tips, The State of Security”, 2016. [En línea]. Disponible en: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/22-ransomware-prevention-tips/
[44] G. Krunal, P. Viral, “Survey on Ransomware: A New Era of Cyber Attack,” Int. J. Comput. Appl., vol. 168, pp. 38-41, 2017, doi: 10.5120/ijca2017914446
[45] “Trisha Corp. OfficeMalScanner : Scan Office Documents for Macros Before Opening”, 2015. [En línea]. Disponible en: https://www.trishtech.com/2015/12/officemalscanner-scan-office-documents-for-macros-before-opening/
[46] “N. Lord. What are Indicators of Compromise?”, 2017. Digital Guardian. [En línea]. Disponible en: https://digitalguardian.com/blog/what-are-indicators-compromise
[47] “Firt and MITRE Corp. Common Vulnerability Scoring System Version 3.0 Calculator”, 2019. [En línea]. Disponible en: https://www.first.org/cvss/calculator/3.0.
[2] “TrendMicro Corp. SMS Ransomware Tricks Russian Users”, 2011. [En línea]. Disponible en: https://blog.trendmicro.com/trendlabs-security-intelligence/sms-ransomware-tricks-russian-users/.
[3] M. Á. Mendoza, “El impacto del ransomware en Latinoamérica durante 2017”, 2018. [En línea]. Disponible en: https://www.welivesecurity.com/la-es/2018/03/01/impacto-ransomware-latinoamerica-2017/
[4] “Ministerio TIC de Colombia. Ransomware sigue creciendo en América Latina”, 2017. [En línea]. Disponible: https://www.enticconfio.gov.co/ransomware-crece-america-latina
[5] “CBSNews. Ransomware attacks on the rise — and small towns are in the crosshairs”, 2019.
[En línea]. Disponible en: https://www.cbsnews.com/news/ransomware-attacks-on-the-rise-and-governments-are-in-the-crosshairs/
[6] R. Brewer, “Ransomware attacks: detection, prevention and cure”, Netw. Secur., no. 9, pp. 5–9, Sep. 2016, doi: 10.1016/S1353-4858(16)30086-1.
[7] “IBM Incident Response Services. Ransomware Response Guide”, 2017. [En línea]. Disponible en: https://cdn2.hubspot.net/hubfs/233484/Open%20Systems%20Specialists/Content/Ransomware%20Response%20Guide.pdf?t=1507156230392
[8] J. A. Gómez-Hernández, L. Álvarez-González, P. García-Teodoro, “R-Locker: Thwarting ransomware action through a honeyfile-based approach,” Comput. Secur., vol. 73, pp. 389–398, 2018, doi: 10.1016/j.cose.2017.11.019
[9] “IBM News room. IBM Study: Businesses More likely to Pay Ransomware than Consumers - United States”, 2016. [En línea]. Disponible en: https://www-03.ibm.com/press/us/en/pressrelease/51230.wss
[10] P. Gaviria, “Aplicación de Metodología de Malware para el Análisis de la amenaza avanzada persistente (APT),” trabajo fin de master, Universidad Nacional de la Rioja, 2016.
[11] S. Alsoghyer, I. Almomani, “Ransomware Detection System for Android Applications,” Electronics, vol., 8, no. 8, 2019, doi: 10.3390/electronics8080868
[12] C. Hosmer, J. Bartolomie, R. Pelli. Chet Hosmer. “The Impact of Windows Command Line Investigations,” en Executing Windows Command Line Investigations. Cambridge, MA, USA: ScienceDirect, 2016, pp. 1-9.
[13] M. U Salvi, K. Kerkar, “Ransomware: A Cyber Extortion,” Asian journal for convergence in technology (ajct), vol. 2, no. 3, pp. 2, 2016.
[14] A. Sanatinia, G. Noubir, “OnionBots: Subverting Privacy Infrastructure for Cyber Attacks,” en 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2015, pp. 69–80, doi: 10.1109/DSN.2015.40
[15] L. Bridges, “The changing face of malware,” Netw. Secur., vol. 2008, no. 1, pp. 17–20, 2008, doi: 10.1016/S1353-4858(08)70010-2
[16] V. Kotov, F. Massacci, “Anatomy of Exploit Kits,” en Engineering Secure Software and Systems. ESSoS 2013, vol 7781, pp. 181–196, doi: 10.1007/978-3-642-36563-8_13
[17] S. M. Aziz, “Ransomware in High-Risk Environments” trabajo de investigación independiente, Valparaiso University, 2016.
[18] J. Zorabedian, “Anatomy of a ransomware attack: CryptoLocker, CryptoWall, and how to stay safe (Infographic),” 2015. [En línea]. Disponible en: https://news.sophos.com/en-us/2015/03/03/anatomy-of-a-ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/
[19] “Malc0de. Información de malware”, 2019. [En línea]. Disponible en: http://malc0de.com/dashboard/
[20] “Github. A repository of LIVE malwares”, 2019. [En línea]. Disponible en: https://github.com/ytisf/theZoo.
[21] “NoVirusThanks™ project. Malicious Domains Database”, 2019. [En línea]. Disponible en: http://www.threatlog.com/
[22] “Malekal. Malware and Virus”, 2019. [En línea]. Disponible en: https://www.malekal.com/
[23] “Any.Run. Interactive malware hunting service”. 2019. [En línea]. Disponible en: https://any.run/
[24] “Intezer Analyze Corp. Automate your Security Operations and Incident Response with Genetic Malware Analysis”, 2019. [En línea]. Disponible en: https://analyze.intezer.com/#/.
[25] Spiceworks Corp., “Prevent ransomware by using FSRM”, 2016. [En línea]. Disponible en: https://community.spiceworks.com/how_to/128744-prevent-ransomware-by-using-fsrm
[26] “VMRAY. X-ray vision for malware”, 2019. [En línea]. Disponible en: https://www.vmray.com/
[27] “ESET Latam. RANSOMWARE: Cómo proteger a su empresa del malware de extorsión”, 2018. [En línea]. Disponible en: http://www.eset-la.com/pdf/ransomware-prevention/ransomware-como-proteger-a-su-empresa-del-malware-de-extorsion.pdf.
[28] “TrendMicro. SMS Ransomware Tricks Russian Users - TrendLabs Security Intelligence Blog”, 2011. [En línea]. Disponible en: https://blog.trendmicro.com/trendlabs-security-intelligence/sms-ransomware-tricks-russian-users/
[29] M. Nicolett, A. Williams, “Improve IT Security With Vulnerability Management” Gartner Research, 2005. [En línea]. Disponible en: https://www.gartner.com/doc/480703/improve-it-security-vulnerability-management
[30] Z. Xiyang, C. Chuanqing, “Research on VLAN Technology in L3 Switch. 2009,” en IEEE Third International Symposium on Intelligent Information Technology Application, 2009, vol. 3, pp. 722-725, doi: 10.1109/IITA.2009.498
[31] Z. Trabelsi, V. Molvizadah, “Edu-firewall device: An advanced firewall hardware device for information security education,” en 13th IEEE Annual Consumer Communications Networking Conference (CCNC), 2016, pp. 278-279, doi: 10.1109/CCNC.2016.7444779
[32] S. Vasanthi, S. Chandrasekar, “A study on network intrusion detection and prevention system current status and challenging issues,” en IEEE 3rd International Conference on Advances in Recent Technologies in Communication and Computing (ARTCom 2011), pp. 181-183, doi: 10.1049/ic.2011.0075
[33] C. Krasznay, B. P. Hámornik, “Analysis of Cyberattack Patterns by User Behavior Analytics,” AARMS – Academic and Applied Research in Military Science. vol. 17, no. 3, pp. 101-114, 2018.
[34] M. Christodorescu, S. Jha, S. A. Seshia, D. Song, y R. E. Bryant, “Semantics-Aware Malware Detection,” en Semantics-Aware Malware Detection. Proceedings - IEEE Symposium on Security and Privacy, pp. 32- 46, doi:10.1109/SP.2005.20
[35] D. Delaney, “5 Methods For Detecting Ransomware Activity”. 2016. [En línea]. Disponible en: https://www.netfort.com/blog/methods-for-detecting-ransomware-activity/.
[36] C. Moore, “Detecting Ransomware with Honeypot Techniques,” en Cybersecurity and Cyberforensics Conference (CCC), 2016, pp. 77-81, doi: 10.1109/CCC.2016.14
[37] C. Frenz, C. Diaz, “OWASP Anti-Ransomware Guide Project – OWASP”, 2018. [En línea]. Disponible en: https://www.owasp.org/index.php/OWASP_Anti-Ransomware_Guide_Project
[38] D. Nieuwenhuizen. “Based approach to ransomware detection”, F-Secure Labs, 2017.
[39] H. V. Nath, B. M. Mehtre, “Static Malware Analysis Using Machine Learning Methods,” en Recent Trends in Computer Networks and Distributed Systems Security, 2014, pp. 440-450, doi: 10.1007/978-3-642-54525-2_39
[40] “Symantec Corp. Email Gateway Security - Messaging Gateway”, 2018. [En línea]. Disponible en: https://www.symantec.com/products/messaging-gateway
[41] “Segu-Info. Cómo evitar infectarse con archivos JS adjuntos y ransomware”, 2016. [En línea]. Disponible en: https://blog.segu-info.com.ar/2016/03/como-evitar-infectarse-con-archivos-js.html.
[42] “T. Buntrock. How to Block Viruses and Ransomware Using Software Restriction Policies. Windows OS Hub,” 2017. [En línea]. Disponible en: http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/.
[43] “Tripwire. 22 Ransomware Prevention Tips, The State of Security”, 2016. [En línea]. Disponible en: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/22-ransomware-prevention-tips/
[44] G. Krunal, P. Viral, “Survey on Ransomware: A New Era of Cyber Attack,” Int. J. Comput. Appl., vol. 168, pp. 38-41, 2017, doi: 10.5120/ijca2017914446
[45] “Trisha Corp. OfficeMalScanner : Scan Office Documents for Macros Before Opening”, 2015. [En línea]. Disponible en: https://www.trishtech.com/2015/12/officemalscanner-scan-office-documents-for-macros-before-opening/
[46] “N. Lord. What are Indicators of Compromise?”, 2017. Digital Guardian. [En línea]. Disponible en: https://digitalguardian.com/blog/what-are-indicators-compromise
[47] “Firt and MITRE Corp. Common Vulnerability Scoring System Version 3.0 Calculator”, 2019. [En línea]. Disponible en: https://www.first.org/cvss/calculator/3.0.