Vol. 19 No. 3 (2020): Revista UIS Ingenierías

Process for the identification, classification and control of the behavior of Ransomware families

Andres Felipe Osorio-Sierra
Instituto Tecnológico Metropolitano
Milton Javier Mateus-Hernández
Instituto Tecnológico Metropolitano
Héctor Fernando Vargas-Montoya
Instituto Tecnológico Metropolitano

Published 2020-05-29

Keywords

  • controls,
  • encryption,
  • malware,
  • ransomware

How to Cite

Osorio-Sierra, A. F., Mateus-Hernández, M. J., & Vargas-Montoya, H. F. (2020). Process for the identification, classification and control of the behavior of Ransomware families. Revista UIS Ingenierías, 19(3), 131–142. https://doi.org/10.18273/revuin.v19n3-2020013

Abstract

Since May 2017, when WannaCry ransomware attacks were recorded worldwide and affected several companies in Europe, there has been a progressive increase between 2018 and 2019 in computer attacks that encrypt and hijack data, after which the cyber criminals demand a ransom. This article contains an analysis of the different methods to detect and prevent ransomware-type malware, which mainly affects the Windows operating system. To this end, the work began with a characterization of the different types of ransomware; several methods for the detection and prevention of possible infections were then obtained; and finally families of controls were created according to the behavior of the malware. These controls allow the risks of exposure to be reduced and lead to pertinent recommendations that can be applied in organizations. In that sense, an introduction to the concepts of malware and its life cycle is provided, and an impact measurement process is established based on the international CVSS methodology for the classification of vulnerabilities. A methodology is created that allows malware to be classified according to its damage level; medium- and high-impact filters were characterized; prevention and control methods were characterized; control recommendations based on the impact of the different types of malware were generated; and finally the conclusions are presented.

