Towards Data Resilience: The Analytical Case of Crypto Ransomware Data Recovery Techniques

Full Text (PDF, 1037KB), PP.40-51

Views: 0 Downloads: 0


Aaron Zimba 1,* Zhaoshun Wang 1 Luckson Simukonda 2

1. University of Science and Technology Beijing/Computer Science and Technology, Beijing, 100083, China

2. Gdańsk University of Technology/Electronics, Telecommunications & Informatics, Gdańsk, 80-233, Poland

* Corresponding author.


Received: 8 Oct. 2017 / Revised: 10 Nov. 2017 / Accepted: 17 Nov. 2017 / Published: 8 Jan. 2018

Index Terms

Ransomware, Data Resilience, Recovery, Data Deletion, Attack Structure


Crypto ransomware has earned an infamous reputation in the malware landscape and its sound sends a lot of shivers to many despite being a new entrant. The media has not helped matters even as the myths and inaccuracies surrounding crypto ransomware continue to deepen. It’s been purported that once crypto ransomware attacks, the victim is left with no option but to pay in order to retrieve the encrypted data, and that without a guarantee, or risk losing the data forever. Security researchers are inadvertently thrown into a cat-and-mouse chase to catch up with the latest vices of the aforesaid in order to provide data resilience. In this paper, we debunk the myths surrounding loss of data via a crypto ransomware attack. Using a variety of crypto ransomware samples, we employ reverse engineering and dynamic analysis to evaluate the underlying attack structures and data deletion techniques employed by the ransomware. Further, we expose the data deletion techniques used by ransomware to prevent data recovery and suggest how such could be countered. From the results, we further present observed sandbox evasion techniques employed by ransomware against both static and dynamic analysis in an effort to obfuscate its operations and subsequently prevent data recovery. Our analyses have led us to the conclusion that no matter how devastating a crypto ransomware attack might appear, the key to data recovery options lies in the underlying attack structure and the implemented data deletion methodology.

Cite This Paper

Aaron Zimba, Zhaoshun Wang, Luckson Simukonda, "Towards Data Resilience: The Analytical Case of Crypto Ransomware Data Recovery Techniques", International Journal of Information Technology and Computer Science(IJITCS), Vol.10, No.1, pp.40-51, 2018. DOI:10.5815/ijitcs.2018.01.05


[1]M. Belkadi, R. Aoudjit, M. Daoui, and M. Lalam. "Energy-efficient secure directed diffusion protocol for wireless sensor networks." International Journal of Information Technology and Computer Science (IJITCS) 6, no. 1 (2013): pp.50.

[2]F. Nadeem. "A Taxonomy of Data Management Models in Distributed and Grid Environments." International Journal of Information Technology and Computer Science (IJITCS) 8, no. 3 (2016): pp.19.

[3]C. Sheth and R. Thakker. "Performance evaluation and comparison of network firewalls under DDoS attack." International Journal of Computer Network and Information Security (IJCNIS) Vol.5, Iss. No. 12 (2013): pp.60-67..

[4]Hilarie Orman. "Evil Offspring-Ransomware and Crypto Technology." IEEE Internet Computing 20, no. 5 (2016): pp.89-94.

[5]Symantec Security Response. "An ISTR Special Report: Ransomware and Businesses 2016." [Online] Available:  /ISTR2016_Ransomware_and_Businesses.pdf [Accessed 24th July 2017]

[6]A.L. Young, and M. Yung. "Cryptovirology: The birth, neglect, and explosion of ransomware." Communications of the ACM 60, no. 7 (2017): pp.24-26.

[7]F. Lombardi, and R. Di Pietro. "Heterogeneous Architectures: Malware and Countermeasures." In Secure System Design and Trustable Computing, pp. 421-438. Springer International Publishing, 2016.

[8]M. Carpenter, T. Liston, and E. Skoudis. "Hiding virtualization from attackers and malware." IEEE Security & Privacy 5, no. 3 (2007).

[9]D. Emm. "Cracking the code: The history of Gpcode." Computer Fraud & Security 2008, no. 9 (2008): 15-17.

[10]E. Fujisaki, and T. Okamoto. "Secure integration of asymmetric and symmetric encryption schemes." In Crypto, vol. 99, no. 32, pp. 537-554. 1999.

[11]K. Cabaj, P. Gawkowski, K. Grochowski, and D. Osojca. "Network activity analysis of CryptoWall ransomware." Przeglad Elektrotechniczny 91, no. 11 (2015): 201-204.

[12]"French researchers find way to unlock “WannaCry” without ransom" (2017). Available [Online] Read more at:" [19th May, 2019]

[13]R. Brewer. "Ransomware attacks: detection, prevention and cure." Network Security 2016, no. 9 (2016): 5-9. Elsevier Publishing.

[14]"How to Remove Crypt888 Ransomware" (2016). Available [Online]: [7th December, 2016]

[15]M. Weckstén, J. Frick, A. Sjöström, and E. Järpe. "A novel method for recovery from Crypto Ransomware infections." In Computer and Communications (ICCC), 2016 2nd IEEE International Conference on, pp. 1354-1358. IEEE, 2016.

[16]A. Zimba, Z.Wang, and H. Chen "Reasoning crypto ransomware infection vectors with Bayesian networks." In Intelligence and Security Informatics (ISI), 2017 IEEE International Conference on, pp. 149-151. IEEE, 2017.

[17]C. Rossow et al. "Prudent practices for designing malware experiments: Status quo and outlook." Security and Privacy (SP), 2012 IEEE Symposium on. IEEE, 2012.

[18]"Locky, Cryptowall and Cerber account for '90 per cent of ransomware attacks" (2017). Available [Online]: [22nd February 2017]

[19]"Today's most popular operating systems" (2017). Available [Online]: [9th January, 2017]

[20]"Five Lessons Learned from Recent Cyber Attacks." (2017). IEEE Innovation at Work. Available [Online]: [Accessed 3rd September, 2017]

[21]A. Zimba, L. Simukonda, M. Chishimba. "Demystifying Ransomware Attacks: Reverse Engineering and Dynamic Malware Analysis of WannaCry for Network and Information Security." In Information and Communications Technologies (ICICT), 2017 IEEE International Conference. IEEE, 2017.

[22]D.S. Wall. "Dis-organised crime: Towards a distributed model of the organization of cybercrime." (2015).

[23]MM Ahmadian, HR Shahriari, and SM Ghaffarian. "Connection-monitor & connection-breaker: A novel approach for prevention and detection of high survivable ransomwares." In Information Security and Cryptology (ISCISC), 2015 12th International Iranian Society of Cryptology Conference on, pp. 79-84. IEEE, 2015.

[24]N Scaife,H Carter, P Traynor, and KRB Butler. "Cryptolock (and drop it): stopping ransomware attacks on user data." In Distributed Computing Systems (ICDCS), 2016 IEEE 36th International Conference on, pp. 303-312. IEEE, 2016.

[25]Kirda, E., 2015. Most Ransomware Isn’t As Complex As You Might Think Yes, we should be able to detect most of it. DIMVA.

[26]F Mercaldo,, V Nardone, and A Santone. "Ransomware Inside Out." In Availability, Reliability and Security (ARES), 2016 11th International Conference on, pp. 628-637. IEEE, 2016.

[27]K Cabaj and W Mazurczyk. "Using software-defined networking for ransomware mitigation: the case of cryptowall." IEEE Network 30, no. 6 (2016): 14-20.