Classifying Ransomware? A Ransomware Classification Framework Based on File-Deletion and File-Encryption Attack Structures

This paper evaluates the attack methodologies of a ransomware attack: the underlying file-deletion and file-encryption attack structures. In the former, the authors uncover the data recovery-prevention techniques; in the latter, they uncover the associated cryptographic attack models. A deeper comprehension of the potential flaws and inadequacies exhibited in these attack structures forms the basis of the paper’s overall objective. It also provides enough technical information to guide victims before they make a hasty decision to pay a ransom, which might result not only in financial loss but also in loss of access to the attacked files if the attacker is unable to decrypt them.


Content Assessment: Classifying Ransomware? A Ransomware Classification Framework Based on File-Deletion and File-Encryption Attack Structures

Information: 90%
Insight: 90%
Relevance: 85%
Objectivity: 85%
Authority: 90%

Overall: 88% (Good)

A short percentage-based assessment of the qualitative benefit of the published paper on a ransomware classification framework designed to support ransomware response decisions.

Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.


Research Report*

A Ransomware Classification Framework Based on File-Deletion and File-Encryption Attack Structures

Citation: Zimba, A., Chishimba, M. and Chihana, S., 2021. A Ransomware Classification Framework Based on File-Deletion and File-Encryption Attack Structures. [online] arXiv. Available at: <https://arxiv.org/abs/2102.10632> [Accessed 13 September 2021].

Abstract

Ransomware has emerged as an infamous malware that has not escaped a lot of myths and inaccuracies from media hype. Victims are not sure whether or not to pay a ransom demand without fully understanding the lurking consequences. In this paper, we present a ransomware classification framework based on file-deletion and file-encryption attack structures that provides a deeper comprehension of potential flaws and inadequacies exhibited in ransomware. We formulate a threat and attack model representative of a typical ransomware attack process from which we derive the ransomware categorization framework based on a proposed classification algorithm. The framework classifies the virulence of a ransomware attack to entail the overall effectiveness of potential ways of recovering the attacked data without paying the ransom demand as well as the technical prowess of the underlying attack structures. Results of the categorization, in increasing severity from CAT1 through to CAT5, show that many ransomwares exhibit flaws in their implementation of encryption and deletion attack structures which make data recovery possible without paying the ransom. The most severe categories CAT4 and CAT5 are better mitigated by exploiting encryption essentials while CAT3 can be effectively mitigated via reverse engineering. CAT1 and CAT2 are not common and are easily mitigated without any decryption essentials.

Introduction

Since the invention of the Internet, cyber-crime has continued to grow, with attackers employing more innovative ways to attain the proceeds of cyber-crime. Since the motivation behind most cyber-crime is monetary gain (excluding cyber espionage and hacktivism), the challenge has mainly been to seamlessly collect the associated monetary proceeds without a trace. The invention of Bitcoin seems to be a dream come true for cyber criminals due to the anonymity provided by the Bitcoin system. As such, attackers are eschewing data exfiltration attacks for less tedious attacks with a high turnover. One such attack is ransomware, where the attacker takes the victim’s data hostage without the need to exfiltrate it at all. In a ransomware attack, the attacker uses robust and resilient encryption to make the target data inaccessible without the appropriate decryption keys. Furthermore, the attacker demands a ransom in Bitcoins, and usually the victim is left with a binary option of whether to pay or not. The popularity of ransomware is echoed by Interest Over Time (IOT) as shown in Figure 1 (see complete paper).

This has seen some victims part with over a million dollars in a single attack. As such, the ransomware business model is a lucrative multi-billion industry in the cyber-crime landscape, which is growing each day with criminal business concepts such as Ransomware-as-a-Service. Sadly, the myths and inaccuracies around ransomware continue to deepen. This has caused victims to make uninformed decisions upon a ransomware attack. Depending on the underlying attack structures, some ransomware attacks can be mitigated and the data recovered without paying the ransom. Unfortunately, some victims have paid ransom demands when the data could have been recovered without honoring the demand, as was the case with the major ransomware attack of 2017 depicted in Figure 1 (see complete paper). As such, knowledge of a ransomware’s attack structure is vital to its mitigation. In light of the aforesaid, this paper evaluates the attack methodologies of a ransomware attack: the underlying file-deletion and file-encryption attack structures. In the former, we uncover the data recovery-prevention techniques, and in the latter, we uncover the associated cryptographic attack models. The deeper comprehension of potential flaws and inadequacies exhibited in these attack structures forms the basis of the overall objective. This provides enough technical information before a hasty decision is made to pay a ransom, which might result not only in financial loss but also in loss of access to the attacked files if decryption is not possible by the attacker. We present a threat and attack model which is representative of a typical ransomware attack process, from which we derive the ransomware categorization framework based on a proposed classification algorithm. The framework classifies the virulence of a ransomware attack to entail the overall effectiveness of potential ways of recovering the attacked data without paying the ransom demand, as well as the technical prowess of the underlying attack structures.



Complete Report: A Ransomware Classification Framework Based on File-Deletion and File-Encryption Attack Structures (PDF)


*Shared with permission under Creative Commons – Attribution 4.0 International (CC BY 4.0) – license.



Source: ComplexDiscovery
