Fig 13 - available from: Crime Science
Recovery after ransomware incident

Source publication
Article
Ransomware incidents have increased dramatically in the past few years. The number of ransomware variants is also increasing, which means signature and heuristic-based detection techniques are becoming harder to achieve, due to the ever changing pattern of ransomware attack vectors. Therefore, in order to combat ransomware, we need a better underst...

Context in source publication

Context 1
... 63% of the cases reported in our study, the ransomware did not propagate; infection was limited to only one device within the organisations (Table 1). Nearly 77% of respondents could access their files after the attack. In 69.7% of the cases, the means to recover files was from backup, only one respondent having paid the ransom (Fig. ...

Similar publications

Preprint
Market and Entrepreneurial Orientation contributes in better business performance of Nepalese SMEs.
Article
Based on Resource Based Theory (RBT), the competitiveness of Small and Medium-sized Enterprises (SMEs) depends on the uniqueness of resources used in the production and delivering of goods and services. Moreover, the innovation capability of SMEs is critical in enhancing their uniqueness. Various factors, however, could potentially influence SME in...
Article
The purpose of this article is to determine how effectively Digital-MSME can be implemented with the help of Digital India program and outline recommendations for its successful implementation to support cloud adoption in Indian small and medium enterprises (SMEs). Using case r...
Article
The effect of international ethnic communities on international opportunity exploitation of Wenzhou industrial SMEs is examined. The following hypotheses are tested: the hypothesis on the connection between international ethnic ties and international opportunity exploitation; the hypothesis on the mitigation of “liability of foreignness” effects th...

Citations

... Neural networks were particularly noted for their ability to model non-linear relationships and adapt to new, previously unseen patterns of ransomware behavior, providing a dynamic approach to detection [3,4]. Another significant research theme focused on the use of heuristic-based approaches to identify ransomware through anomaly detection in network activities, which involved predefined rules and patterns that, when matched, indicated potential ransomware presence [5,6]. While heuristic approaches were effective in certain scenarios, they often suffered from high false-positive rates, which could overwhelm security operations and reduce their overall efficacy [7]. ...
Preprint
Ransomware poses a significant threat to cybersecurity, causing extensive financial and operational damage by encrypting critical data and demanding ransom for its release. The proposed novel two-tier machine learning approach significantly enhances ransomware detection through the integration of network and file system activities, providing a comprehensive view of system behaviors and improving detection accuracy. Initial clustering of network activities followed through by a refined analysis of file system data enables the identification of complex ransomware patterns. Extensive experimentation has demonstrated that this approach outperforms existing methods, achieving higher precision, recall, and overall accuracy while maintaining scalability and robustness. The research highlights the importance of leveraging diverse data sources and advanced machine learning techniques to create more resilient and effective cybersecurity defenses. The findings demonstrate the potential for practical applications in real-world scenarios, offering a significant advancement in the fight against ransomware and contributing to the protection of critical organizational assets.
... The next malicious pattern from our observations was unlinking of users' files. This behaviour is normally exhibited by crypto ransomware after the file encryption process has occurred [24,31]. From our analysis, we found consistent occurrences of this pattern in both benign and ransomware samples during our observation phase. ...
Article
Ransomware, particularly crypto ransomware, has emerged as the go-to malware for threat actors aiming to compromise data on Android devices as well as in general. In this paper, we present a ransomware detection technique based on behaviours observed in the system calls performed by the malware. We first describe our repeatable and extensible methodology for extracting the system call log and patterns. We then identify and present some common high-level system call behavioural patterns exhibited by crypto ransomware, and evaluate these patterns. We further describe the implementation of a streaming implementation that utilises regular expressions for modelling malware behaviours and finite state machines for detecting crypto ransomware behaviours in real time. The success of our proof of concept evaluation allows us to envision our proposed technique applied as part of a self-protection system on Android phones against malware.
... As a particular form of malware, ransomware presents a distinct structure that sets it apart from benign files. Typically, its subroutines involve gathering system information, mapping the targeted environment to identify user files, utilizing Application Programming Interfaces (APIs) for file encryption, and connecting to a Command-and-Control (C&C) server [2,6,7]. There are two primary types of analysis for ransomware detection: dynamic and static. ...
Article
This study presents a comprehensive static analysis method that combines multiple structural features extracted from Windows executable files. The method employs an ensemble soft voting model that comprises three machine learning techniques: Logistic Regression (LR), Random Forest (RF), and eXtreme Gradient Boosting (XGB). Our proposed model aims to identify newly emerged ransomware families by analyzing header fields, imported Dynamic-link Libraries (DLLs), function calls, and entropy of sections. To assess the method's efficacy in detecting zero-day ransomware families, we created a dataset consisting of 2675 binary samples. The training set consisted of 1023 samples from 25 relevant ransomware families and 1134 benign applications (goodware) samples. The testing set comprised 385 samples from 15 recent ransomware families and 133 goodware samples. The results for the Detection of New Ransomware Families (DNRF) demonstrated weighted averages of 97.53% accuracy, 96.36% precision, 97.52% recall, and 96.41% F-measure. In addition, the scanning and prediction showed an average of 0.37 s. These results showed the model's adaptability to the ever-changing ransomware landscape while maintaining reasonable testing times, making it applicable as an additional security layer in antivirus protection systems on low-resource hardware devices. Furthermore, we used the SHapley Additive exPlanations (SHAP) interpretation method to establish trust and gain insights into the decision-making process of the proposed model. Our method offers significant advantages and can assist developers of ransomware detection systems in creating more resilient, dependable, and real-time solutions.
... Ransomware, a pernicious form of software specifically designed to block access to computer systems, demanding a monetary ransom for release, has undergone significant evolution over the years [1,2]. Initially, these attacks were primarily centered on the encryption of data, known as crypto-ransomware, where the perpetrators demanded payments for the decryption keys [3]. ...
... In recent years, the landscape of ransomware attacks has undergone a marked transformation, increasingly focusing on the theft of data [2]. This shift has been motivated by attackers seeking to augment their leverage against victims, thereby enhancing the likelihood of ransom payment [16]. ...
... While ransomware has been a topic of extensive research, current studies predominantly focus on technical and theoretical aspects, often overlooking practical business applications [16]. For example, researchers have explored machine learning-based detection systems, which, while effective in identifying patterns, often require extensive datasets and computational resources, limiting their practicality for small and medium-sized businesses [2]. Another area of focus has been on network behavior analysis, which, although useful in detecting anomalies, can be resource-intensive and may not scale well for larger networks [3]. ...
Preprint
Ransomware has rapidly evolved into sophisticated, stealthy threats built to extort payments through data encryption and extraction. This paper presents an innovative methodology for ransomware risk evaluation using the mathematical frameworks of Markov Decision Processes (MDP). By modeling ransomware scenarios as MDPs, overlaying risk equations, and applying our analysis, a quantitative assessment of dynamic risk levels and effectiveness of defensive strategies is enabled. The technique is demonstrated through comparative assessment of prominent ransomware groups, industry-specific impact analysis, and time projections of data theft risk trajectories. Despite limitations in model complexity and real-world validation, the methodology elucidates an interdisciplinary approach blending decision theory, control systems and applied mathematics to enrich cyber risk research.
... Email attachments are the most common propagation mechanism for ransomware, with attackers using social engineering tactics to trick users into downloading and executing the malware. The ransomware, masquerading as authentic MS Office files, may either execute the embedded ransomware code or stealthily download the ransomware in the background through a Trojan delivered by malicious macros embedded within the files [13,14]. ...
Preprint
Ransomware attacks have become a major threat to organizations and individuals, as such an attack can cause significant financial loss and disruption to business operations. Traditional methods of ransomware detection, such as signature-based detection and heuristic-based detection, have proven to be inadequate in dealing with the constantly evolving ransomware variants. Machine learning (ML)-based detection methods have shown promise in detecting ransomware. These methods rely on the extraction of relevant features from the samples and the training of a classifier to distinguish between ransomware and non-ransomware samples. Due to the high dimensionality of the feature space, machine learning algorithms can be employed to identify a crucial subset of features which in turn enhances the detection accuracy. This research presents a novel approach that combines ensemble classifiers with feature selection using the Particle Swarm Optimization (PSO) algorithm. The objective is to improve the detection accuracy and reduce false positives and false negatives in classification tasks. Two separate ensemble models were constructed: one comprising Random Forest (RF) and Support Vector Machine (SVM) classifiers, and the other consisting of Decision Tree (DT) and K-Nearest Neighbors (KNN) classifiers. The PSO algorithm was employed to determine the optimal features and their corresponding weights for each ensemble classifier. Experiments were conducted to evaluate the performance of the proposed approach and the results demonstrated that integrating PSO for feature selection significantly enhanced the overall detection rate compared to using all features with equal weights. By identifying the most relevant features and assigning appropriate weights, the ensemble classifiers achieved higher accuracy and improved the overall classification performance.
... In this case, there was substantial data loss and emotional effects on staff. • Findings of a survey of forty-six ransomware victims in the UK reported that weak defences were a key factor, and that universities are more likely to be attacked than SMEs [Hull et al. 2019]. • [Connolly and Wall 2019] conducted interviews with ransomware victims and law enforcement representatives; ...
Article
Drawing upon direct interviews and secondary sources, this paper presents a qualitative comparative analysis of thirty-nine ransomware attacks, twenty-six of which occurred shortly before the outbreak of the COVID-19 pandemic and thirteen of which took place during the pandemic. The research objective was to gain an understanding of how ransomware attacks changed tactics across this period. Using inductive content analysis, a number of key themes emerged, namely: (1) ransomware attackers have adopted more sinister tactics and now commit multiple crimes to maximise their return, (2) the expanded attack surface caused by employees working from home has greatly aggravated the risk of malicious intrusion, (3) the preferred attack vectors have changed, with phishing and VPN exploits now to the fore, (4) failure to adapt common business processes from off-line to on-line interaction has created vulnerabilities, (5) the ongoing laissez-faire attitude towards cybersecurity and lack of preparedness continues to be a substantial problem, and (6) ransomware attacks now pose potentially severe consequences for individuals, whose personal data has become a central part of the game. Recommendations are proposed to address these issues.
... By proactively adopting these measures, organizations can fortify their systems against potential threats and maintain their resilience in the face of cyber-attacks. From the earliest extensive analyses of ransomware behavior [16,17], scholars have advanced diverse perspectives and multifarious tools and techniques to detect ransomware behavior, including but not limited to filesystem activity monitoring and application programming interface (API) hooking. It is significant to note that while static analysis, particularly signature-based detection, retains its status as a conventional method for detecting malware in general, it is not as widely utilized in the context of ransomware detection. ...
Article
Internet-enabled (IoT) devices are typically small, low-powered devices used for sensing and computing that enable remote monitoring and control of various environments through the Internet. Despite their usefulness in achieving a more connected cyber-physical world, these devices are vulnerable to ransomware attacks due to their limited resources and connectivity. To combat these threats, machine learning (ML) can be leveraged to identify and prevent ransomware attacks on IoT devices before they can cause significant damage. In this research paper, we explore the use of ML techniques to enhance ransomware defense in IoT devices running on the PureOS operating system. We have developed a ransomware detection framework using machine learning, which combines the XGBoost and ElasticNet algorithms in a hybrid approach. The design and implementation of our framework are based on the evaluation of various existing machine learning techniques. Our approach was tested using a dataset of real-world ransomware attacks on IoT devices and achieved high accuracy (90%) and low false-positive rates, demonstrating its effectiveness in detecting and preventing ransomware attacks on IoT devices running PureOS.
... As a specific type of malware, ransomware is structurally different from benign files, with its typical subroutines involving obtaining system information, mapping the victim environment to locate user files, invoking an Application Programming Interface (API) for file encryption, and connecting to a Command-and-Control (C2C) server (Hampton et al., 2018; Hull et al., 2019; Kapoor et al., 2022). There are two main types of analysis for ransomware detection: dynamic and static. ...
Article
All malware are harmful to computer systems; however, crypto-ransomware specifically leads to irreparable data loss and causes substantial economic prejudice. Ransomware attacks increased significantly during the COVID-19 pandemic, and because of its high profitability, this growth will likely persist. To respond to these attacks, we apply static analysis to detect ransomware by converting Portable Executable (PE) header files into color images in a sequential vector pattern and classifying these via Xception Convolutional Neural Network (CNN) model without transfer learning, which we call Xception ColSeq. This approach simplifies feature extraction, reduces processing load, and is more resilient against evasion techniques and ransomware evolution. The proposed method was evaluated using two datasets. The first contains 1000 ransomware and 1000 benign applications, on which the model achieved an accuracy of 93.73%, precision of 92.95%, recall of 94.64%, and F-measure of 93.75%. The second dataset, which we created and have made available, contains 1023 ransomware, grouped in 25 still active and relevant families, and 1134 benign applications, on which the proposed method achieved an accuracy of 98.20%, precision of 97.50%, recall of 98.76%, and F-measure of 98.12%. Furthermore, we refined a testing methodology for a particular case of zero-day ransomware attacks detection—the detection of new ransomware families—by adding an adequate amount of randomly selected benign applications to the test set, providing representative evaluation performance metrics. These results represent an improvement over the performance of the current methods reported in the literature. Our advantageous approach can be applied as a technique for ransomware detection to protect computer systems from cyber threats.
... 1) Code Obfuscation: The utilization of sophisticated code obfuscation and polymorphism is sharply increasing [26]. This technique allows criminals to hide the well-known string of malicious code to bypass the detection system. ...
... 2) File-less Ransomware: In addition to the code obfuscation techniques utilized to evade the detection [26], the shift to fileless ransomware is also increasing in the cyber community. Unlike attacks with files, fileless ransomware is sneakier in its malicious activity into legitimate applications already built into the operating system so that it turns Windows against itself. ...
Article
With advances in social engineering tricks and other technical shortcomings, ransomware attacks have become a severe cybercrime affecting organizations of all shapes and sizes. Although the security teams are making plenty of ransomware detection tools, the ransomware incident report shows they are ineffective in detecting emerging ransomware attacks. This work presents “RTrap,” a systematic framework to detect and contain ransomware efficiently and effectively via machine learning-generated deceptive files. Using a data-driven decoy file selection and generation strategy, RTrap plants deceptive decoy files across the directory to lure the ransomware to access it. RTrap also introduced a lightweight decoy watcher to monitor generated decoy files in real time. As the timing of the ransomware attack is not known to the victim in advance, and the ransomware encryption process is speedy, the proposed decoy-watcher executes an automatic/automated response after the detection promptly. The experiment shows that RTrap can detect ransomware with an average 18 file loss per 10311 legitimate user files.
... $[\log D(x)]$ (3) $[\log(1 - D(G(z)))]$ (4) $[\log D(x)] + [\log(1 - D(G(z)))]$ (5) Discriminator recognizes the real data and fake data by using the functions of equation (3) and (4) respectively. The generator has no access to $\log D(x)$ hence cannot affect it directly; instead it affects the term $\log(1 - D(G(z)))$ by minimizing it or maximizing $\log D(G(z))$. ...
Article
Crypto-ransomware attacks pose a significant cyber threat due to the irreversible effect of encryption employed to deny access to the data on the victim’s device. Existing state-of-the-art solutions are developed based on two assumptions: the availability of sufficient data to perform detection during the pre-encryption phase, and that ransomware behavior is static and does not change over time. However, such assumptions do not hold, as data collected during the pre-encryption phase of the ransomware attack are limited and do not contain sufficient patterns needed to identify the attack. Additionally, evasion techniques like polymorphism and metamorphism used by ransomware lead to behavioral drift that could defeat those solutions. Therefore, this paper addresses these two issues by proposing a weighted Generative Adversarial Networks (wGANs) technique. Firstly, the proposed wGAN was used to generate synthetic data that imitate the behavior of ransomware and simulate the evolution of the attacks. Then, the mutual information was used to estimate the significance of features for different timeframes, thereby helping the detection model to handle the behavioral drift in emerging ransomware variants. Experimental evaluation demonstrates that the proposed wGAN is more robust against behavioral drift compared to the state-of-the-art solutions. The wGAN achieved higher accuracy and lower false alarm rates.