Page 1 of 10

MN502
Overview of Network Security

Table of Contents
Introduction
Variants of Ransomware
Working Mechanism of Ransomware
Potential Threats
Recent Attack
Mitigation Tools
Summary
References

Introduction

Ransomware is a class of malware that denies victims access to their own data. The files on the
victim's device are encrypted, and the attackers demand a payment in exchange for the key that
decrypts the data and returns access to the attacked user [7]. Much like other types of malware,
the impact of ransomware can be devastating. The infected computer may still be usable after the
attack, but the data on it is at risk of being lost, which directly affects the productivity of a
business. Financial records, as well as personal information such as videos, photos and other
documents, may also be stolen by the attackers, which can do considerable damage to the
reputation of the victims.

This report provides an overview of ransomware, its main variants, the way it works, and the
mitigation tools that may be used to reduce the risks associated with it.

Variants of Ransomware

Quite a few strains of ransomware are notable for having been extremely successful. This report
discusses five of them: CryptoLocker, Cryptowall, Locky, WannaCry and Petya.

[Figure: the five ransomware variants discussed in this report: CryptoLocker, Cryptowall, Locky, WannaCry and Petya]

CryptoLocker: CryptoLocker revolutionised ransomware attacks back in 2013. It was distributed
through the Gameover ZeuS botnet and through malicious email attachments, which let it spread
widely across the web. CryptoLocker infected PCs running the Microsoft Windows OS. It used
2048-bit RSA encryption to lock the data on the victims' devices, and demanded almost $300 in
Bitcoin, a virtual currency, in exchange for the private key the victims needed to decrypt their
files. CryptoLocker operated from September 2013 to May 2014 and affected almost 500,000
people globally [4]. It has been one of the most effective pieces of malware to date and extorted
almost $3 million from the victims of the Trojan. Many modern ransomware trojans, such as
Cryptowall and TorrentLocker, are modified clones of CryptoLocker.

Cryptowall: Cryptowall is modelled on the design of CryptoLocker and works much like it. It is a
trojan horse that encrypts the information on the victim's device and demands a ransom in
exchange for the private key. It typically infects devices through spam email, and also through
exploit kits hosted on compromised websites or delivered via malicious advertisements.
Cryptowall was discovered on June 19, 2014. Like CryptoLocker, it uses 2048-bit RSA keys to
encrypt the information on the victim's computer [8]. It likewise sets a deadline for paying the
ransom; missing the deadline leads to the destruction of the private key needed to decrypt the
information.

Locky: Locky is ransomware used by attackers to scramble the contents of an infected computer
or server, including mapped and unmapped network shares and any type of removable media.
The original file contents are encrypted with a combination of 2048-bit RSA keys and the
AES-128 cipher. Some key features of this ransomware are a Domain Generation Algorithm
(DGA) for locating its command-and-control servers, the deletion of the system's restore points,
and the discovery of mapped and unmapped network shares. Locky reaches victims through spam
emails carrying a macro-enabled MS Office document as an attachment. Once the victim is
tricked into enabling macros, the macro downloads and runs the ransomware. The ransomware
also deletes the system restore points on the device, so the user cannot roll the system back to an
earlier stable state.

WannaCry: The WannaCry ransomware was discovered on May 12, 2017. It affects MS
Windows systems. WannaCry is a worm: it spreads between systems by locating ones that are
vulnerable. It has two fundamental components, a worm module that the ransomware uses to
propagate itself and a ransom module that instructs victims on the payment process. The worm
exploits vulnerabilities in the operating system, namely the Microsoft Windows SMB Server
Remote Code Execution Vulnerabilities CVE-2017-0144 and CVE-2017-0145 [3], both of which
had been fixed by the MS17-010 update before the outbreak. The ransom demanded from the
victims in exchange for the decryption key ranges from $300 to $600 in Bitcoin.

Petya: Much like the other ransomware mentioned above, this trojan infects the victims'
computers and demands a payment of $300 in Bitcoin in exchange for decrypting the files. The
variant that hit many US and Europe based firms in 2017 (discussed below as NotPetya) spreads
extremely swiftly. Systems are infected via the EternalBlue vulnerability in Windows operating
systems. Although Microsoft has released patches for this loophole, it may be assumed that not
every user has installed them. The ransomware also abuses two legitimate Windows
administration tools, PsExec and WMIC, to spread across systems using credentials harvested
from the infected host. It attempts to enter a system through one of these routes and, if that
fails, immediately tries the next. According to cyber experts, its spreading mechanism is
considerably more effective than that of WannaCry.

Working Mechanism of Ransomware

Although the vectors ransomware trojans use to gain access to a system or device vary widely,
the variants share a common way of working. Phishing spam, delivered to victims by email or
through malicious advertisements, is one of the most common entry techniques. The malware
identifies and exploits vulnerable points in the device's operating system. Some ransomware is
self-propagating, while other strains trick the victim into downloading a malicious file. The
trojan then encrypts the user's files with strong cryptography such as 2048-bit RSA [12]. In
practice this is a hybrid scheme: each file is encrypted with a symmetric cipher such as AES
under a freshly generated key, and that key is in turn encrypted with the attacker's RSA public
key, so the private key needed for decryption never exists on the victim's machine. Files
encrypted this way cannot be decrypted without that private key. The attackers demand money in
the form of virtual currency, informing the victims through messages that pop up on their
systems. Because the payments are made in pseudonymous cryptocurrency, the identity and
whereabouts of the attackers remain unknown.
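The hybrid scheme described above, written out as an added illustration for this report (it is not code from any real sample or from the cited papers). To run on the standard library alone it uses textbook RSA with a toy 512-bit modulus and no padding, and a SHA-256 counter-mode keystream in place of AES; the key sizes, the `encrypt_file`/`decrypt_file` names and the sample plaintext are all assumptions. The structure is the point: a fresh symmetric key per file, wrapped with a public key whose private half exists only on the attacker's side.

```python
"""Envelope (hybrid) file encryption of the kind the variants above use.

Toy parameters so it runs offline with the standard library: textbook RSA
(512-bit modulus, no padding; real samples use RSA-2048 with proper
padding) and a SHA-256 keystream standing in for AES.
"""
import hashlib
import os
import random
from typing import Dict, Tuple


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd number of exactly `bits` bits, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)). The private tuple stays on the attacker's server."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def encrypt_file(plaintext: bytes, public_key: Tuple[int, int]) -> Dict[str, object]:
    """Victim side: fresh per-file key, file encrypted with it, key wrapped with RSA."""
    n, e = public_key
    file_key = os.urandom(32)            # 256-bit key, new for every file
    nonce = os.urandom(16)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)  # only d can undo this
    return {"wrapped_key": wrapped, "nonce": nonce,
            "ciphertext": _keystream_xor(file_key, nonce, plaintext)}


def decrypt_file(blob: Dict[str, object], private_key: Tuple[int, int]) -> bytes:
    """Attacker side (or the victim after paying): unwrap the file key, then decrypt."""
    n, d = private_key
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(32, "big")
    return _keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    locked = encrypt_file(b"quarterly figures.xlsx contents", pub)   # constructed sample
    print("ciphertext:", locked["ciphertext"].hex())
    print("recovered :", decrypt_file(locked, priv))
```

Two properties matter for defenders: the same plaintext encrypted twice yields a different wrapped key each time (so a key recovered for one file is useless for the next), and nothing stored on the victim's disk, including the public key, is sufficient to reverse the wrapping.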

Potential Threats

Some ransomware, unlike the variants that scramble the contents of files or encrypt the
information on the victim's device, holds hostage the entire interface of the affected operating
system (so-called locker ransomware). By the nature of these attacks the victims are misled into
thinking that they cannot control any function of the operating system [2]. Messages displayed
on the screen tell the victims how to pay to unlock the system. With the other type, which holds
hostage the victim's access to sensitive information (crypto-ransomware), the files kept on the
system may be corrupted or rendered unreadable, and the restore points the victim created to
bring the device back to a previous state may be deleted, leaving the system locked in its
affected state.

Most ransomware starts with phishing spam sent to the victim. Once the victim clicks the link or
opens the attachment provided by the attackers, the ransomware trojan uses Office macros, or
vulnerabilities in the system, network or drives, to gain access to the device. It then targets files
with specific extensions and, using ciphers such as AES-128 and RSA-2048, begins encrypting the
data on the victim's computer. The ransom component embedded in the ransomware gives the
victim a deadline and displays instructions on how the payment may be made [6]. Missing the
deadline may result in the deletion of the private key the victim would need to decrypt the data.
Some ransomware also deletes the system restore points (on Windows, the volume shadow copies),
which prevents the user from returning the computer to its previous unaffected state.
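The two behaviours above, destruction of restore points and the rapid rewriting of user files, are what a host-based detection looks for. The following is an added example for this report, not from the cited papers or any vendor product. The log format (`ts|event|pid|image|detail`), every sample line, the process name `payload.exe` and the thresholds are constructed for the illustration; the commands in `RECOVERY_INHIBIT` are the real Windows commands ransomware families use to delete shadow copies and disable recovery.

```python
"""Behavioural ransomware detection over constructed endpoint log lines.

Two signals: (1) a process running a command that destroys recovery points,
(2) one process renaming many files to a single new extension in a short
window. Field layout is an assumption; Sysmon/EDR telemetry carries the
same information under other names.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Commands ransomware runs to remove the victim's fallback before or while
# encrypting. Any one of these outside a change window deserves an alert.
RECOVERY_INHIBIT = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

RENAME_THRESHOLD = 5             # files renamed to one new extension...
WINDOW = timedelta(seconds=30)   # ...within this window, by one process

Alert = Tuple[str, int, str, str]   # (kind, pid, image, evidence)


def parse(line: str):
    ts, kind, pid, image, detail = line.rstrip("\n").split("|", 4)
    return datetime.fromisoformat(ts), kind, int(pid), image, detail


def detect(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    renames = defaultdict(list)   # pid -> [(ts, new_ext, image)]
    for line in lines:
        if not line.strip():
            continue
        ts, kind, pid, image, detail = parse(line)
        if kind == "proc":
            if any(p.search(detail) for p in RECOVERY_INHIBIT):
                alerts.append(("recovery-inhibit", pid, image, detail))
        elif kind == "rename":
            src, dst = (s.strip() for s in detail.split("->", 1))
            old_ext = ntpath.splitext(src)[1].lower()
            new_ext = ntpath.splitext(dst)[1].lower()
            if new_ext and new_ext != old_ext:   # an ordinary rename keeps its type
                renames[pid].append((ts, new_ext, image))
    # Sliding window per process: N renames to the same new extension within WINDOW.
    for pid, events in renames.items():
        events.sort()
        for i, (t0, ext, image) in enumerate(events):
            burst = [e for e in events[i:] if e[1] == ext and e[0] - t0 <= WINDOW]
            if len(burst) >= RENAME_THRESHOLD:
                alerts.append(("mass-rename", pid, image, f"{len(burst)} files -> {ext}"))
                break
    return alerts


# Constructed sample: a benign listing and a benign rename, then the pattern
# of an infection (shadow copies deleted, six documents given a new extension).
SAMPLE_LOG = r"""
2017-05-12T10:00:00|proc|3001|cmd.exe|vssadmin list shadows
2017-05-12T10:00:05|rename|3002|explorer.exe|C:\Users\ann\Documents\report.docx -> C:\Users\ann\Documents\report_final.docx
2017-05-12T10:01:02|proc|4412|cmd.exe|vssadmin delete shadows /all /quiet
2017-05-12T10:01:03|rename|4420|payload.exe|C:\Users\ann\Documents\q1.xlsx -> C:\Users\ann\Documents\q1.xlsx.WNCRY
2017-05-12T10:01:04|rename|4420|payload.exe|C:\Users\ann\Documents\q2.xlsx -> C:\Users\ann\Documents\q2.xlsx.WNCRY
2017-05-12T10:01:04|rename|4420|payload.exe|C:\Users\ann\Pictures\holiday.jpg -> C:\Users\ann\Pictures\holiday.jpg.WNCRY
2017-05-12T10:01:05|rename|4420|payload.exe|C:\Users\ann\Documents\thesis.docx -> C:\Users\ann\Documents\thesis.docx.WNCRY
2017-05-12T10:01:06|rename|4420|payload.exe|C:\Users\ann\Documents\notes.txt -> C:\Users\ann\Documents\notes.txt.WNCRY
2017-05-12T10:01:09|rename|4420|payload.exe|C:\Users\ann\Desktop\todo.txt -> C:\Users\ann\Desktop\todo.txt.WNCRY
"""


def run_sample() -> List[Alert]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rename heuristic is deliberately independent of any extension list, since families change extensions between campaigns; the recovery-inhibit check fires on the first matching command, which in practice arrives seconds before encryption starts and is the point at which killing the process still saves most files.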

Recent Attack

NotPetya is one of the most devastating ransomware outbreaks to date; it introduced itself
through a compromised tax-software update. In an extremely short span of time it affected
several thousand devices in almost a hundred nations. As its name suggests, it is a modification
of Petya; however, the exploitation techniques it uses to invade systems are similar to those of
WannaCry. A considerable number of US-based firms suffered major financial damage as a
consequence of the attack. For instance, Merck, a US pharmaceutical giant, lost more than
300 million USD [5].

Mitigation Tools

i) Avast anti-ransomware tools

There is a broad range of ransomware variants, and they work differently. One way to recover a
machine that has been hit is to find a decryptor written for that specific family. Avast offers 21
such decryptor tools free of charge. The tools also scan the affected machine for viruses, and
Avast provides an installation and decryption wizard. The decryptors work by comparing
encrypted files on the user's computer with unencrypted copies of the same files in order to
recover the key [9]. If the user has backups, the tools work faster; if not, Avast suggests locations
where uninfected copies of files may still be found. This known-plaintext approach only succeeds
against families whose encryption is flawed, for example a key reused across files or a leaked
keystream; against correctly implemented RSA-wrapped AES, a file pair yields nothing.
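The key-recovery mechanism just described, as an added example for this report (not Avast's code). The "ransomware cipher" is a constructed repeating-key XOR, chosen because it has exactly the flaw the method exploits: one short key reused for every file. The function names, the sample key and the two sample files are assumptions.

```python
"""Known-plaintext key recovery from one encrypted file and its clean backup.

Works only when the cipher leaks its key (here: a repeating-key XOR reused
across files). With a per-file random key the recovered keystream never
repeats and carries over to no other file.
"""
from typing import Dict, Optional


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The flawed cipher: one short key cycled over every file and position."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> Optional[bytes]:
    """XOR of a ciphertext and its known plaintext is the keystream; return its
    shortest period, requiring at least two full repetitions as evidence."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None   # keystream never repeats: nothing reusable to recover


def decrypt_with_backup(encrypted: Dict[str, bytes], backup_name: str,
                        backup_plain: bytes) -> Dict[str, bytes]:
    """Unlock every file using the key derived from the one file that has a backup."""
    key = recover_key(encrypted[backup_name], backup_plain)
    if key is None:
        return {}
    return {name: xor_repeating(ct, key) for name, ct in encrypted.items()}


# Constructed sample: two victim files locked with the same reused key;
# the user kept a backup of only the first.
SAMPLE_KEY = b"s3cr3t!"
SAMPLE_FILES = {
    "a.txt": b"Quarterly revenue figures for the board meeting",
    "b.txt": b"Customer list, do not share outside the company",
}
ENCRYPTED = {name: xor_repeating(data, SAMPLE_KEY) for name, data in SAMPLE_FILES.items()}


def demo() -> Dict[str, bytes]:
    """Recover the key from a.txt's backup and use it to unlock b.txt as well."""
    return decrypt_with_backup(ENCRYPTED, "a.txt", SAMPLE_FILES["a.txt"])


if __name__ == "__main__":
    for name, data in demo().items():
        print(name, data)
```

The requirement of two full repetitions is what keeps the routine honest: against a file encrypted under a fresh key (as in the hybrid scheme discussed under Working Mechanism) the derived keystream has no period shorter than the file itself, `recover_key` returns `None`, and the only remaining recovery path is a backup.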

ii) Kaspersky anti-ransomware tool

This tool is designed specifically for small and medium businesses. It aims to stop ransomware
before it can gain access to a system. The Kaspersky tool runs continuously in the background
and monitors activity on the system for patterns typical of ransomware. The tool is easy to
navigate and the protection it offers is of high quality [10]. Like Avast, Kaspersky also offers a
number of decryptor tools.

In terms of both response and resolution time, Kaspersky's tool is ahead of Avast's, because its
monitoring program runs in the background for as long as the system is on and can block an
attack before files are encrypted. Avast's decryptors, on the other hand, act only after the fact;
in the absence of backups Avast can merely suggest where uninfected files may be found, which
may not be sufficient to recover the data or to eliminate the malware from the system [11]. The
response time of the Avast decryptors is also slower when no backup files are available.

Summary

To conclude, ransomware poses a serious threat to both private households and businesses,
because sensitive information stored on their computers, drives or servers may be encrypted by
an attack and lost permanently if immediate measures are not taken. With ransomware risk
mitigation tools, however, users may be able not only to remove ransomware from their systems
but also to prevent it from entering them in the first place; and since decryption without the
attacker's key is rarely possible, offline backups remain the most dependable path to recovery.

References

[1]Cabaj, Krzysztof, and Wojciech Mazurczyk. "Using software-defined networking for
ransomware mitigation: the case of cryptowall." IEEE Network 30, no. 6 (2016): 14-20.
[2]Continella, Andrea, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro
Barenghi, Stefano Zanero, and Federico Maggi. "ShieldFS: a self-healing, ransomware-aware
filesystem." In Proceedings of the 32nd Annual Conference on Computer Security Applications,
pp. 336-347. ACM, 2016.
[3]Ehrenfeld, Jesse M. "Wannacry, cybersecurity and health information technology: A time to
act." Journal of medical systems 41, no. 7 (2017): 104.
[4]Liao, Kevin, Ziming Zhao, Adam Doupé, and Gail-Joon Ahn. "Behind closed doors:
measurement and analysis of CryptoLocker ransoms in Bitcoin." In Electronic Crime Research
(eCrime), 2016 APWG Symposium on, pp. 1-13. IEEE, 2016.
[5]Mansfield-Devine, Steve. "Ransomware: taking businesses hostage." Network Security 2016,
no. 10 (2016): 8-17.
[6]Richardson, Ronny, and Max North. "Ransomware: Evolution, mitigation and
prevention." International Management Review 13, no. 1 (2017): 10-21.
[7]Richet, Jean-Loup. "Extortion on the internet: the rise of crypto-
ransomware." Harvard (2016).
[8]Scaife, Nolen, Henry Carter, Patrick Traynor, and Kevin RB Butler. "Cryptolock (and drop
it): stopping ransomware attacks on user data." In Distributed Computing Systems (ICDCS),
2016 IEEE 36th International Conference on, pp. 303-312. IEEE, 2016.
[9]Taddeo, Mariarosaria, and Luciano Floridi. "Regulate artificial intelligence to avert cyber
arms race." Nature 556, no. 7701 (2018): 296-298.
[10]Takeuchi, Yuki, Kazuya Sakai, and Satoshi Fukumoto. "Detecting Ransomware using
Support Vector Machines." In Proceedings of the 47th International Conference on Parallel
Processing Companion, p. 1. ACM, 2018.
[11]Zahra, Asma, and Munam Ali Shah. "IoT based ransomware growth rate evaluation and
detection using command and control blacklisting." In Automation and Computing (ICAC), 2017
23rd International Conference on, pp. 1-6. IEEE, 2017.
[12]Zheng, Chengyu, Nicola Dellarocca, Niccolò Andronio, Stefano Zanero, and Federico
Maggi. "Greateatlon: Fast, static detection of mobile ransomware." In International Conference
on Security and Privacy in Communication Systems, pp. 617-636. Springer, Cham, 2016.