MN502 Potential Threats and Mitigation Tools


Students should be able to demonstrate their achievements in the following unit learning outcomes:

  1. Analyse and discuss common emerging threats, attacks, mitigation and countermeasures in networked information systems

Recommend any two mitigation tools to tackle the ransomware attacks and discuss the effectiveness of these tools

  • Discuss any two mitigation tools
  • Discuss the effectiveness of the selected mitigation tools in terms of response time and resolution time

Answer:

Introduction

This report discusses the impact of ransomware and the tools available to mitigate it. It introduces ransomware and its impact on society, describes five recent ransomware variants, explains how a ransomware attack works, outlines the threats ransomware poses, presents a short case study of the WannaCry attack, recommends two mitigation tools and discusses their effectiveness, and closes with a conclusion.

Ransomware is a subcategory of malware that locks the data on a victim's computer using encryption and demands a large ransom before the data is decrypted and the victim regains access to the system [1]. It infects a computer system and restricts the user's access to it. Many ransomware variants are designed to extort money from victims by means of an on-screen alert [2].


Ransomware and its impacts on society

Ransomware is a type of malware that unauthorised users employ to infect a system, put it in lockdown or gain control of it, and then demand a ransom to restore it. Its main purpose is to extort money from the owner of the system. The attackers force payment by holding the device or system to ransom and by threatening to release or erase the data [3]. The malware is commonly spread through phishing emails carrying malicious attachments or through drive-by downloads. A drive-by download happens when a user unknowingly visits an infected site and the malware is downloaded and installed without the user's knowledge [4]. A ransomware attack can have several impacts on a system:

  1. Proprietary or sensitive information is lost, temporarily or permanently.
  2. Regular operations are disrupted.
  3. Large sums are spent restoring the files and the system.
  4. The reputation of the organisation is damaged [5].

Five variants of ransomware

  1. CryptXXX: this ransomware can lock the files on a victim's system and can also steal Bitcoin. An upgraded version, CryptXXX 3.0, uses stronger encryption that defeats the free decrypter tools available online. A distinctive trait is that it replaces the desktop wallpaper with an image resembling the refurbished Tor payment site [10].
  2. Crysis: this ransomware targets both individuals and organisations. It is spread through malicious emails whose attachments use double file extensions to disguise executables as non-executable files. It has also been distributed as fake installers for legitimate applications such as Microsoft Excel, iExplorer and WinRAR. It can make the infected system unstable.
  3. BlackShades: this ransomware was caught targeting English- and Russian-speaking users and demanded a ransom payable in bitcoin. Its code was obfuscated and therefore hard to analyse, and it contained messages addressed to the analysts examining it. It uses 256-bit encryption to encrypt 195 file types, typically in the folders of drive C: such as Documents, Downloads, Desktop, Music, Videos, Pictures and Public [11].
  4. Apocalypse: this ransomware requires communication between the data kidnapper and the victim. After appending the .encrypted extension to the affected files, the attacker asks the victim to make email contact in order to receive the ransom instructions. It also creates an autorun entry so that the ransomware starts whenever the user logs in.
  5. RAA: this ransomware led many people to believe it had been built in JavaScript, a web-based language, because it is written entirely in a scripting language normally interpreted by browsers. Closer analysis showed the dialect to be JScript, Microsoft's implementation, which runs under the Windows Script Host rather than in a browser.

Working mechanism of ransomware

Ransomware is among the most sinister threats to an organisation because it is one of the most profitable kinds of malware outbreak. The victim is pressured into paying the criminal, since refusal may mean the leakage or loss of sensitive data; once the ransom is paid the criminal may, but is not guaranteed to, decrypt the original files. A ransomware attack works in five phases:

  1. Phase 1: manipulation and infection

Malicious software must first be installed on a computer, either with the user's knowledge or without it. This generally happens through phishing emails or an exploit kit, which takes advantage of security holes in software applications. For CryptoLocker-style malware the Angler Exploit Kit was a common means of gaining access, because of its high success rate in achieving code execution [6].

  2. Phase 2: delivery and execution of the malware

Once initial execution has succeeded, the actual ransomware is delivered to the victim's system within seconds, and after it runs, persistence mechanisms are put in place. Delivery can take place via email, via websites or via files. Email delivery relies on malicious emails sent to victims, who are tricked into opening them and downloading the attachments. Website delivery occurs when a user visits a compromised website that redirects to an exploit kit landing page, which triggers installation of the ransomware payload.

  3. Phase 3: spoliation of backups

In this phase the backups of the files and data on the victim's computer are deleted, to make sure there is no possibility of recovering from the attack without paying. Backup files and folders on the victim's system are targeted for complete deletion; on Windows this typically includes the Volume Shadow Copies. Only some ransomware families perform this step, and many do not bother, but where it is performed the ability to recover is minimal [7].

  4. Phase 4: file encryption

Once the backups have been compromised, the ransomware establishes the encryption keys. Typically a fresh symmetric key is generated for each file, and that key is itself encrypted with a public key belonging to the attacker, so the matching private key, which is needed to unlock the files after the ransom is paid, never resides on the victim's machine. To complete the lock-down of the local system, the ransomware performs a secure key exchange with its command-and-control server.

  5. Phase 5: user notification and cleanup

After the encryption is complete and the organisation's backup capability has been compromised, the attacker demands payment in exchange for the user's files, usually by means of a ransom note displayed to the victim. The exchange of money and files takes place over the following days, during which the user is left without data and files. Sometimes the ransom is demanded more than once for the same files [8].
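The key handling in phase 4 is the reason backups, not decryption, are the recovery path. The following model is an added example written for this report; it is not code from the report or from any real ransomware family. It assumes textbook RSA without padding and a SHA-256 counter-mode keystream as stand-ins for the RSA-OAEP and AES real samples use, with a deliberately small 256-bit modulus so it runs quickly:

```python
"""Model of the phase-4 key handling: a per-file key wrapped under the
attacker's public key. Added example, not code from the report or from any
real ransomware family. Assumptions: textbook RSA with no padding and a
SHA-256 counter-mode keystream stand in for the RSA-OAEP and AES that real
samples use, and the RSA modulus is kept small (256 bits) for speed."""
import hashlib
import os
import random


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 256):
    """Attacker side: generate (public, private). Only the public half is
    ever embedded in the malware or fetched from the C2 server."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode used as a stream cipher (stand-in for AES-CTR).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_file(plaintext: bytes, pub) -> dict:
    """Victim side. A fresh 128-bit key per file; the only copy of that key
    that survives is the RSA-wrapped one, which needs the attacker's private
    key to open. The plain key exists in process memory only while this
    function runs, which is why a memory capture taken during encryption
    is worth more to responders than the encrypted files themselves."""
    e, n = pub
    file_key = os.urandom(16)
    nonce = os.urandom(8)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return {
        "wrapped_key": wrapped,
        "nonce": nonce,
        "ciphertext": keystream_xor(file_key, nonce, plaintext),
    }


def decrypt_file(blob: dict, priv) -> bytes:
    """Attacker side, after payment: unwrap the file key, then decrypt."""
    d, n = priv
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(16, "big")
    return keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


def round_trip(plaintext: bytes) -> tuple:
    """Run both sides once; returns (ciphertext differs, decryption matches)."""
    pub, priv = rsa_keygen()
    blob = encrypt_file(plaintext, pub)
    return blob["ciphertext"] != plaintext, decrypt_file(blob, priv) == plaintext


if __name__ == "__main__":
    print(round_trip(b"Q3 financials: revenue 4.2M, margin 18%"))
```

The point to take from the model is what the victim is left holding: the public key, the wrapped key and the ciphertext. None of those yields the file key without the attacker's private key or a memory capture made while encryption was in progress, which is why phase 3 (destroying backups) matters so much to the attacker.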

Threats posed by ransomware

Ransomware places malicious software on a system, locks the data using encryption and decrypts it only when a ransom is paid. The threats it poses are that it extorts money from victims and that the information on the system can be used for other malicious purposes. The ransomware deletes backup files, which can lead to the loss of sensitive data and large expenditure to retrieve it. A persistent payload guarantees that the malware can be reused in future. System restore functions are disabled, leaving no built-in way to recover from the attack [9].

Case study of WannaCry Ransomware attack

This was a worldwide cyberattack that took place in May 2017 [12], carried out with the WannaCry ransomware cryptoworm. It targeted computers running Microsoft Windows, encrypting their data and demanding ransom payments in Bitcoin. The ransomware propagated using EternalBlue, an exploit for a vulnerability in the SMBv1 protocol of older Windows versions that had been leaked by the Shadow Brokers group. It also installed a backdoor on infected systems, which worked to its advantage. The outbreak was halted by emergency patches released by Microsoft and by a kill switch that stopped the malware from spreading to further computers; it was estimated to have affected around 200,000 computers [13]. Experts suggested that the ransomware originated in North Korea or with agencies working for that country. Because it spreads by itself it is also classed as a network worm: it uses EternalBlue to gain access to a system and then the DoublePulsar tool to execute and copy itself.

The attack came through an exposed, vulnerable SMB port, unlike earlier attacks that relied on phishing emails. The systems most affected were those that had not applied the Microsoft security update of March 2017 (MS17-010), which fixed the SMBv1 vulnerability. According to reports, the majority of infected computers were running Windows 7, while systems running Windows XP were less affected [14]: on Windows XP the exploit tended to crash the machine before the payload could run, which prevented the malware from completing execution and encrypting the files. The initial outbreak was suppressed by the emergency patches Microsoft released, including for otherwise unsupported versions, to mitigate the risk of this ransomware. Once the ransomware had been analysed, a kill switch was identified: the malware checked whether a particular domain name resolved before running, so registering that domain prevented further outbreaks.

Mitigation tools to tackle WannaCry Ransomware attack

  1. Procmon (Process Monitor): a monitoring tool that records file system, registry, process and network activity on the system. Because events arrive continuously, Procmon provides filters so that the analyst is not flooded with information; filters can include or exclude processes with specific names, read or write operations and more. The tool writes the filtered events to a .PML file, its native format, which can later be exported to CSV for analysis [15].
  2. SSDT (System Service Descriptor Table) monitoring: the kernel-level approach described in [16] logs system calls through the SSDT. Once a process responsible for encrypting files has been discovered, the log can be searched to find the origin of the encryption. The search reveals every parent process, every action taken and the location of every file created. This makes it possible to restore the system to its state before the malicious files arrived: any files they created can be deleted and every unauthorised process killed, clearing the entire system of the malicious processes and of their registry and file changes [16].

Both tools are detection and forensic aids rather than preventive controls: they shorten the time to find the encrypting process and its origin, but files already encrypted are recovered only from backups. Note also that on 64-bit Windows, Kernel Patch Protection (PatchGuard) blocks modification of the SSDT, so a production tool of this kind has to rely on supported kernel callbacks or a file-system minifilter driver instead.
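The detection and tracing step that both tools support, run over a Procmon-style event export, is shown below as an added example. It is not code from the report, from Procmon or from the tool in [16]; the event rows are constructed rather than captured, and the column layout assumes Procmon's CSV export with the optional Parent PID column enabled. The detection rule is the classic one for crypto-ransomware: one process renaming many distinct files to a single new extension within a short window. The lineage walk and the Run-key lookup are what the cleanup described above needs.

```python
"""Detection logic over Procmon-style events: flag a process that rewrites
many distinct files and renames them to one new extension within a short
window, then walk parent links to find where it came from, as the log search
in the text describes. Added example, not part of the report or of either
tool. The event rows are constructed, not captured; the column layout follows
Procmon's CSV export with the optional Parent PID column enabled (assumption),
and the Detail field of a rename carries the new name as Procmon writes it."""
import csv
import io
from collections import defaultdict

SAMPLE_CSV = """\
Time of Day,Process Name,PID,Parent PID,Operation,Path,Result,Detail
10:00:00.000,explorer.exe,800,600,Process Create,C:\\Windows\\explorer.exe,SUCCESS,
10:00:01.000,outlook.exe,1200,800,Process Create,C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE,SUCCESS,
10:00:05.000,outlook.exe,1200,800,WriteFile,C:\\Users\\bob\\Downloads\\invoice.zip,SUCCESS,
10:00:07.000,invoice.pdf.exe,3100,1200,Process Create,C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.pdf.exe,SUCCESS,
10:00:07.200,invoice.pdf.exe,3100,1200,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost,SUCCESS,Type: REG_SZ
10:00:08.000,invoice.pdf.exe,3100,1200,WriteFile,C:\\Users\\bob\\Documents\\a.docx,SUCCESS,
10:00:08.010,invoice.pdf.exe,3100,1200,SetRenameInformationFile,C:\\Users\\bob\\Documents\\a.docx,SUCCESS,FileName: C:\\Users\\bob\\Documents\\a.docx.encrypted
10:00:08.100,invoice.pdf.exe,3100,1200,WriteFile,C:\\Users\\bob\\Documents\\b.xlsx,SUCCESS,
10:00:08.110,invoice.pdf.exe,3100,1200,SetRenameInformationFile,C:\\Users\\bob\\Documents\\b.xlsx,SUCCESS,FileName: C:\\Users\\bob\\Documents\\b.xlsx.encrypted
10:00:08.200,invoice.pdf.exe,3100,1200,WriteFile,C:\\Users\\bob\\Pictures\\c.jpg,SUCCESS,
10:00:08.210,invoice.pdf.exe,3100,1200,SetRenameInformationFile,C:\\Users\\bob\\Pictures\\c.jpg,SUCCESS,FileName: C:\\Users\\bob\\Pictures\\c.jpg.encrypted
10:00:08.300,invoice.pdf.exe,3100,1200,WriteFile,C:\\Users\\bob\\Desktop\\d.pdf,SUCCESS,
10:00:08.310,invoice.pdf.exe,3100,1200,SetRenameInformationFile,C:\\Users\\bob\\Desktop\\d.pdf,SUCCESS,FileName: C:\\Users\\bob\\Desktop\\d.pdf.encrypted
10:00:08.400,invoice.pdf.exe,3100,1200,WriteFile,C:\\Users\\bob\\Music\\e.mp3,SUCCESS,
10:00:08.410,invoice.pdf.exe,3100,1200,SetRenameInformationFile,C:\\Users\\bob\\Music\\e.mp3,SUCCESS,FileName: C:\\Users\\bob\\Music\\e.mp3.encrypted
10:00:09.000,winword.exe,2200,800,WriteFile,C:\\Users\\bob\\Documents\\notes.docx,SUCCESS,
10:00:09.010,winword.exe,2200,800,SetRenameInformationFile,C:\\Users\\bob\\Documents\\~WRD0001.tmp,SUCCESS,FileName: C:\\Users\\bob\\Documents\\notes.docx
"""


def _seconds(t: str) -> float:
    """Procmon 'Time of Day' (HH:MM:SS.fff) to seconds since midnight."""
    h, m, s = t.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_events(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def find_encryptors(events, min_files: int = 5, window_s: float = 5.0) -> dict:
    """Return {pid: details} for processes that renamed >= min_files distinct
    files to one common new extension inside any window_s-second window."""
    names = {ev["PID"]: ev["Process Name"] for ev in events}
    renames = defaultdict(list)
    for ev in events:
        if ev["Operation"] == "SetRenameInformationFile" and ev["Detail"].startswith("FileName: "):
            new_name = ev["Detail"][len("FileName: "):]
            ext = new_name.rsplit(".", 1)[1].lower() if "." in new_name else ""
            renames[ev["PID"]].append((_seconds(ev["Time of Day"]), ev["Path"], ext))
    hits = {}
    for pid, rows in renames.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):           # sliding window over rename times
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            files = {path for _, path, _ in window}
            exts = {ext for _, _, ext in window}
            if len(files) >= min_files and len(exts) == 1:
                hits[pid] = {"name": names[pid], "files": len(files),
                             "new_ext": exts.pop(), "first_seen": rows[start][0]}
                break
    return hits


def process_lineage(events, pid: str) -> list:
    """Walk Parent PID links from pid towards the root, like the parent-process
    search in the SSDT log; stops when the parent was never observed."""
    parent = {ev["PID"]: ev["Parent PID"] for ev in events}
    name = {ev["PID"]: ev["Process Name"] for ev in events}
    chain, seen = [], set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        chain.append((pid, name[pid]))
        pid = parent[pid]
    return chain


def persistence_entries(events, pid: str) -> list:
    """Run-key values written by pid: the autorun entries to remove on cleanup."""
    return [ev["Path"] for ev in events
            if ev["PID"] == pid and ev["Operation"] == "RegSetValue"
            and "\\CurrentVersion\\Run" in ev["Path"]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for pid, hit in find_encryptors(evs).items():
        print(pid, hit, process_lineage(evs, pid), persistence_entries(evs, pid))
```

On the constructed sample, `invoice.pdf.exe` (PID 3100) is flagged after five renames to `.encrypted` in under half a second, its lineage runs back through `outlook.exe` to `explorer.exe`, and its Run-key entry is listed for removal; `winword.exe`, which renames a single temp file during a normal save, is not flagged. The threshold and window are the tuning knobs that decide response time against false positives.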

Conclusion

In conclusion, ransomware is malware that locks the data on a victim's computer using encryption and demands a large ransom before the data is decrypted and the victim regains access to the system. Its impacts on society include the temporary or permanent loss of proprietary or sensitive information, disruption of regular operations, large costs to restore files and systems, and damage to an organisation's reputation. Ransomware works in five phases: manipulation and infection, delivery and execution of the malware, spoliation of backups, file encryption, and user notification and cleanup. Recent variants include CryptXXX, RAA, BlackShades, Crysis and Apocalypse. The threats posed by ransomware can be mitigated with tools such as Procmon and SSDT-based monitoring, which shorten the time needed to detect an encrypting process and to trace and remove it, although neither replaces patching and offline backups.

References

  1. Branche, Patrick O. "Ransomware: An Analysis of the Current and Future Threat Ransomware Presents." PhD diss., Utica College, 2017.
  2. Andronio, Nicoló, Stefano Zanero, and Federico Maggi. "Heldroid: Dissecting and detecting mobile ransomware." In International Workshop on Recent Advances in Intrusion Detection, pp. 382-404. Springer, Cham, 2015.
  3. Lee, Jun Hak, and Jaewoong Jeong. "Increase of Awareness of the Importance of Information Security Using Simulation Experiment Technique Model as Ransomware." Advanced Science Letters 23, no. 10 (2017): 10246-10249.
  4. Matsunaka, Takashi, Ayumu Kubota, and Takahiro Kasama. "An approach to detect drive-by download by observing the web page transition behaviors." In Information Security (ASIA JCIS), 2014 Ninth Asia Joint Conference on, pp. 19-25. IEEE, 2014.
  5. Sharma, Prachi, Shubham Zawar, and Suryakant B. Patil. "Ransomware Analysis: Internet of Things (IoT) Security Issues, Challenges and Open Problems in the Context of Worldwide Scenario of Security of Systems and Malware Attacks." J. Innov. Res. Sci. Eng. 2, no. 3 (2016): 177-184.
  6. Weckstén, Mattias, Jan Frick, Andreas Sjöström, and Eric Järpe. "A novel method for recovery from Crypto Ransomware infections." In Computer and Communications (ICCC), 2016 2nd IEEE International Conference on, pp. 1354-1358. IEEE, 2016.
  7. Scaife, Nolen, Patrick Traynor, and Kevin Butler. "Making Sense of the Ransomware Mess (and Planning a Sensible Path Forward)." IEEE Potentials 36, no. 6 (2017): 28-31.
  8. Pathak, P. B., and Yeshwant Mahavidyalaya Nanded. "A dangerous trend of cybercrime: ransomware growing challenge." International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) 5 (2016).
  9. Tuttle, Hilary. "Ransomware attacks pose growing threat." Risk Management 63, no. 4 (2016): 4.
  10. Glet, Michał. "Analysis of cryptographic mechanisms used in ransomware CryptXXX v3." Biuletyn Wojskowej Akademii Technicznej 65, no. 4 (2016): 93-121.
  11. Ahuja, Mridul, and Anuradha Gupta. "Detecting Backdoors in Windows Processes." network6: 2.
  12. Mohurle, Savita, and Manisha Patil. "A brief study of wannacry threat: Ransomware attack 2017." International Journal of Advanced Research in Computer Science8, no. 5 (2017).
  13. Collier, Roger. "NHS ransomware attack spreads worldwide." (2017): E786-E787.
  14. Chen, Qian, and Robert A. Bridges. "Automated Behavioral Analysis of Malware: A Case Study of WannaCry Ransomware." arXiv preprint arXiv:1709.08753 (2017).
  15. Blokhin, Kristina, Josh Saxe, and David Mentis. "Malware similarity identification using call graph based system call subsequence features." In 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops, pp. 6-10. IEEE, 2013.
  16. Christensen, J. B., and Niels Beuschau. "Ransomware detection and mitigation tool." (2017).
