An Overview of Social Engineering

Social engineering preys on the fact that humans are the weakest link in information security. This article explains the social engineering model, outlines the two categories of social engineering attacks, and discusses techniques for preventing and mitigating social engineering.

3. Social Engineering Attacks

3.6. Ransomware Attacks

A ransomware attack is yet another threat that targets both individuals and companies. The FBI estimated that losses due to ransomware attacks were about $1 billion in 2016, which indicates the immense financial damage ransomware can do to companies. The ramifications of a ransomware attack can be more expensive than the ransom itself: affected companies may suffer the results for years through loss of business, customers, data, and productivity. Ransomware restricts or blocks access to the victim's data and files by encrypting them. To recover the files, the victim is told to pay a ransom, and some variants additionally threaten to publish the stolen data if the victim does not pay. Payment is typically demanded in Bitcoin, an unregulated digital currency; its public ledger records every transaction, but wallet addresses are pseudonymous, which makes the recipient hard to identify. There are two ways to analyze a ransomware sample: static and dynamic. Static analysis examines the malware without executing it (disassembly, decompilation, extracting strings and embedded keys) and is performed by highly skilled reverse engineers and programming-language specialists, who develop tools to understand the sample in order to stop it or, where its cryptography is flawed or its keys can be recovered, to get the encrypted files back. Dynamic analysis entails executing the sample and observing its behaviour: file writes and renames, registry changes, process creation, and network traffic to its command server. It requires an isolated, instrumented environment (a sandbox or a disposable virtual machine) so that the untrusted program can run without damaging production systems.

A ransomware attack involves six stages: (1) creating the malware; (2) deployment; (3) installation; (4) command and control; (5) destruction; and (6) extortion. Malware creation consists of developing new ransomware or adapting an existing one, and of discovering a vulnerability in the victim's system that can serve as a backdoor. Deployment consists of delivering the ransomware through that backdoor, bypassing the security controls. Installation consists of running the ransomware and infecting the system. In the command and control stage, the ransomware is active when the victim has an internet connection and can communicate with the command center, and passive when the victim is offline. In the destruction stage, the ransomware starts blocking or encrypting data and freezing screens. Extortion consists of contacting the victim and demanding a ransom, with a time-limit warning, in exchange for releasing the blocked files. Getting the files back after the victim pays is not guaranteed. Once a ransomware attack has been launched on a computer, the victim has essentially three choices: (1) paying the ransom in the hope of getting the encrypted files back; (2) restoring the files from backups, if any exist; or (3) refusing to pay and losing the data. A fourth option exists only when the ransomware's encryption is flawed or its keys have been recovered by analysts, in which case a public decryptor may be available.
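The dynamic-analysis approach described above and the destruction stage of the attack can be illustrated together. The following Python script is an added example, not code from the article: it takes a constructed log of file-system events such as a sandbox monitor would record while a sample runs, and scores it for the behaviour of the destruction stage (a burst of near-random writes, files renamed with a new extension appended, and a ransom note dropped). The event format, the `toy_keystream_xor` stand-in for the sample's encryption, the indicator names, the thresholds and both sample sessions are assumptions made for this example.

```python
"""Behavioural ransomware indicators over constructed sandbox file events.

Added illustration for the article; the event shape, thresholds and
sample sessions are assumptions, not a vendor's rule set.
"""
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One file-system event as a sandbox monitor might report it (assumed shape)."""
    t: float            # seconds since the sample started
    op: str             # "write", "rename", "create", "delete"
    path: str
    new_path: str = ""  # target name for renames
    data: bytes = b""   # payload captured for writes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed output sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def toy_keystream_xor(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the sample's encryption: SHA-256 counter keystream XORed
    with the data. Deterministic so the example reproduces; NOT a secure
    cipher, only a source of high-entropy output for the detector to see."""
    out = bytearray()
    for off in range(0, len(plaintext), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(plaintext[off:off + 32], ks))
    return bytes(out)


RANSOM_NOTE_HINTS = ("readme", "decrypt", "recover", "how_to", "restore")


def analyse(events, high_entropy=7.0, min_burst=5):
    """Count destruction-stage indicators and return a verdict.

    - high_entropy_writes: writes whose payload looks like ciphertext
    - ext_renames: "x.docx" -> "x.docx.locked" (original name kept, extension added)
    - note_drops: new files named like a ransom note
    """
    stats = {"high_entropy_writes": 0, "ext_renames": 0, "note_drops": 0,
             "events_per_sec": 0.0}
    for ev in events:
        if ev.op == "write" and shannon_entropy(ev.data) >= high_entropy:
            stats["high_entropy_writes"] += 1
        elif ev.op == "rename":
            old_ext = os.path.splitext(ev.path)[1]
            new_root, new_ext = os.path.splitext(ev.new_path)
            if new_ext and new_ext != old_ext and new_root == ev.path:
                stats["ext_renames"] += 1
        elif ev.op == "create":
            name = os.path.basename(ev.path).lower()
            if any(h in name for h in RANSOM_NOTE_HINTS):
                stats["note_drops"] += 1
    if len(events) > 1:
        span = events[-1].t - events[0].t
        stats["events_per_sec"] = len(events) / span if span > 0 else float("inf")
    burst = stats["high_entropy_writes"] >= min_burst
    stats["verdict"] = burst and (stats["ext_renames"] >= min_burst or stats["note_drops"] > 0)
    return stats


REPORT = b"Quarterly report: revenue up 4%, costs flat.\n" * 80  # constructed plaintext


def benign_session():
    """Constructed log: a user saving documents and renaming one of them."""
    return [
        FileEvent(0.0, "write", "/home/u/docs/q1.txt", data=REPORT),
        FileEvent(1.5, "write", "/home/u/docs/q2.txt", data=REPORT),
        FileEvent(3.0, "rename", "/home/u/docs/q2.txt", new_path="/home/u/docs/q2_final.txt"),
        FileEvent(9.0, "write", "/home/u/docs/notes.txt", data=REPORT[:300]),
    ]


def ransomware_session():
    """Constructed log: a sample in the destruction stage, then the ransom note."""
    key = b"sample-key-0001"  # assumed; in a real sample this comes from the C2 server
    events, t = [], 0.0
    for i in range(8):
        path = f"/home/u/docs/file{i}.docx"
        events.append(FileEvent(t, "write", path, data=toy_keystream_xor(REPORT, key)))
        events.append(FileEvent(t + 0.05, "rename", path, new_path=path + ".locked"))
        t += 0.1
    events.append(FileEvent(t, "create", "/home/u/docs/README_DECRYPT.txt"))
    return events


if __name__ == "__main__":
    for name, session in (("benign", benign_session()), ("sample", ransomware_session())):
        print(name, analyse(session))
```

The entropy check is what makes the detector independent of any particular family: whatever cipher the sample uses, its output is indistinguishable from random bytes, while ordinary documents rarely exceed about 6 bits per byte. The rename rule is deliberately narrow (original name preserved, extension appended) so that a user's own renames are not counted, and the verdict requires the write burst plus a second indicator to keep a single archive or image save from triggering it.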