Understanding the Evolution of Ransomware: Paradigm Shifts in Attack Structures

Full Text (PDF, 1689KB), PP.26-39



Aaron Zimba 1,* Mumbi Chishimba 2

1. Mulungushi University/Department of Computer Science & Information Technology, Kabwe, 10101, Zambia

2. National Institute of Public Administration/Information & Communications Technology, Lusaka, 10101, Zambia

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2019.01.03

Received: 23 Nov. 2018 / Revised: 2 Dec. 2018 / Accepted: 14 Dec. 2018 / Published: 8 Jan. 2019

Index Terms

Ransomware, encryption, attack structure, bitcoin, enterprise security


The devastating effects of ransomware have continued to grow over the past two decades, which have seen ransomware shift from opportunistic attacks to carefully orchestrated ones. Individuals and business organizations alike have continued to fall prey to ransomware: victims have been forced to pay cybercriminals up to $1 million in a single attack, whilst others have incurred losses in the hundreds of millions of dollars. Clearly, ransomware is an emerging cyber threat to enterprise systems that can no longer be ignored. In this paper, we address the evolution of ransomware and the associated paradigm shifts in attack structures, narrowing down to the technical and economic impacts. We formulate an attack model applicable to cascaded network design structures common in enterprise systems. We model the security state of the ransomware attack process as transitions of a finite state machine, where state transitions depict breaches of confidentiality, integrity, and availability. We propose a ransomware categorization framework that classifies the virulence of a given ransomware using a proposed classification algorithm based on data deletion and file encryption attack structures. The categories, which increase in severity from CAT1 to CAT5, classify the technical prowess and the overall effectiveness of potential ways of retaining the data without paying the ransom demand. We evaluate our modeling approach with a WannaCry attack use case, suggest mitigation strategies, and recommend best practices based on these models.

Cite This Paper

Aaron Zimba, Mumbi Chishimba, "Understanding the Evolution of Ransomware: Paradigm Shifts in Attack Structures", International Journal of Computer Network and Information Security (IJCNIS), Vol.11, No.1, pp.26-39, 2019. DOI: 10.5815/ijcnis.2019.01.03

