Erick Galinkin

DOI: https://doi.org/10.48550/arXiv.2107.14578

2021-07-30

Cryptography and Security

Abstract:Ransomware is a growing threat to individuals and enterprises alike, constituting a major factor in cyber insurance and in the security planning of every organization. Although the game theoretic lens often frames the game as a competition between equals -- a profit maximizing attacker and a loss minimizing defender -- the reality of many situations is that ransomware organizations are not playing a non-cooperative game, they are playing a lottery. The wanton behavior of attackers creates a situation where many victims are hit more than once by ransomware operators, sometimes even by the same group. If defenders wish to combat malware, they must then seek to remove the incentives of it. In this work, we construct an expected value model based on data from actual ransomware attacks and identify three variables: the value of payments, the cost of an attack, and the probability of payment. Using this model, we consider the potential to manipulate these variables to reduce the profit motive associated with ransomware attack. Based on the model, we present mitigations to encourage an environment that is hostile to ransomware operators. In particular, we find that off-site backups and government incentives for their adoption are the most fruitful avenue for combating ransomware.

Rui Fang,Maochao Xu,Peng Zhao

DOI: https://doi.org/10.48550/arxiv.2010.06700

2020-01-01

Abstract:Ransomware has emerged as one of the most concerned cyber risks in recent years, which has caused millions of dollars monetary loss over the world. It typically demands a certain amount of ransom payment within a limited timeframe to decrypt the encrypted victim's files. This paper explores whether the ransomware should be paid in a novel game-theoretic model from the perspective of Bayesian game. In particular, the new model analyzes the ransom payment strategies within the framework of incomplete information for both hacker and victim. Our results show that there exist pure and randomized Bayesian Nash equilibria under some mild conditions for the hacker and victim. The sufficient conditions that when the ransom should be paid are presented when an organization is compromised by the ransomware attack. We further study how the costs and probabilities of cracking or recovering affect the expected payoffs of the hacker and the victim in the equilibria. In particular, it is found that the backup option for computer files is not always beneficial, which actually depends on the related cost. Moreover, it is discovered that fake ransomware may be more than expected because of the potential high payoffs. Numerical examples are also presented for illustration.

Julio Hernandez-Castro,Edward Cartwright,Anna Stepanova

DOI: https://doi.org/10.48550/arXiv.1703.06660

2017-03-20

Abstract:We present in this work an economic analysis of ransomware, with relevant data from Cryptolocker, CryptoWall, TeslaCrypt and other major strands. We include a detailed study of the impact that different price discrimination strategies can have on the success of a ransomware family, examining uniform pricing, optimal price discrimination and bargaining strategies and analysing their advantages and limitations. In addition, we present results of a preliminary survey that can helps in estimating an optimal ransom value. We discuss at each stage whether the different schemes we analyse have been encountered already in existing malware, and the likelihood of them being implemented and becoming successful. We hope this work will help to gain some useful insights for predicting how ransomware may evolve in the future and be better prepared to counter its current and future threat.

Cryptography and Security,Computers and Society

Aron Laszka,Sadegh Farhang,Jens Grossklags

DOI: https://doi.org/10.48550/arXiv.1707.06247

2017-08-22

Abstract:While recognized as a theoretical and practical concept for over 20 years, only now ransomware has taken centerstage as one of the most prevalent cybercrimes. Various reports demonstrate the enormous burden placed on companies, which have to grapple with the ongoing attack waves. At the same time, our strategic understanding of the threat and the adversarial interaction between organizations and cybercriminals perpetrating ransomware attacks is lacking. In this paper, we develop, to the best of our knowledge, the first game-theoretic model of the ransomware ecosystem. Our model captures a multi-stage scenario involving organizations from different industry sectors facing a sophisticated ransomware attacker. We place particular emphasis on the decision of companies to invest in backup technologies as part of a contingency plan, and the economic incentives to pay a ransom if impacted by an attack. We further study to which degree comprehensive industry-wide backup investments can serve as a deterrent for ongoing attacks.

Cryptography and Security

Rui Fang,Maochao Xu,Peng Zhao

DOI: https://doi.org/10.1016/j.cose.2022.102685

IF: 5.105

2022-01-01

Computers & Security

Abstract:Ransomware has emerged as one of the most concerned cyber risks in recent years, which has caused millions of dollars monetary loss over the world. It typically demands a certain amount of ransom payment within a limited timeframe to decrypt the encrypted victim’s files. This paper explores whether the ransomware should be paid in a novel game-theoretic model from the perspective of Bayesian game. In particular, the new model analyzes the ransom payment strategies within the framework of incomplete information for both hacker and victim. Our results show that there exist pure and randomized Bayesian Nash equilibria under some mild conditions for the hacker and victim. The sufficient conditions that when the ransom should be paid are presented when an organization is compromised by the ransomware attack. We further study how the costs and probabilities of cracking or recovering affect the expected payoffs of the hacker and the victim in the equilibria. In particular, it is found that the backup option for computer files is not always beneficial, which actually depends on the related cost. Moreover, it is discovered that fake ransomware may be more than expected because of the potential high payoffs. Numerical examples are also presented for illustration.

Zhen Li,Qi Liao

DOI: https://doi.org/10.13052/jcsm2245-1439.1013

2021-03-22

Journal of Cyber Security and Mobility

Abstract:We are experiencing the worst years of ransomware attacks with continuing news reports on high-profile ransomware attacks on organizations such as hospitals, schools, government agencies and private businesses. Recently a few ransomware attackers have gone beyond simply encrypting files and waiting for ransom. They threaten to release the data if the victims refuse their ransom request. In this paper, we propose a hypothetical new revenue model for the ransomware, i.e., selling the stolen data rather than publishing the data for free. Through a game-theoretical analysis between attackers and victims, we contribute a novel model to understand the critical decision variables for the proposed data-selling ransomware (which we refer as "ransomware 2.0") that sells data as well as demands ransom. We compare the role of reputation and the profitability of the data-selling ransomware with traditional ransomware ("ransomware 1.0") that demands ransom only and the data-threat ransomware ("ransomware 1.5") that demands ransom with the threat of releasing data for no compliance. Both theoretical modeling and simulation studies suggest that in general both ransomware 2.0 and 1.5 are more profitable than ransomware 1.0, while ransomware 2.0 is always more profitable than ransomware 1.5. Notably, common defensive measures that may work to eliminate the financial incentives of ransomware 1.0 may not work on ransomware 2.0, in particular the data backup practice and the never-pay-ransom strategy. Our findings also suggest that the uncertainties created by this new revenue model may affect attackers' reputation and users' willingness-to-pay, therefore, ransomware 2.0 may not always increase the profitability of attackers. Another finding of the study suggests that reputation maximization is critical in ransomware 1.0 and 1.5, but not in ransomware 2.0, where attackers could manipulate reputation for profit maximization.

Zhen Li,Qi Liao

DOI: https://doi.org/10.1016/j.cose.2022.102644

2022-05-01

Abstract:Ransomware has risen to be among the top cyber threats in recent years. There is an alarming trend of ransomware stealing data in addition to locking files. Compared to traditional ransomware, this new data-selling ransomware can be more harmful to the victims facing the data leakage threat. Traditional wisdom of defensive measures such as data backup is less effective in preventing the attacker from making money by selling data. We propose two preventive measures designed to defend against the data-selling ransomware, i.e., preventive data encryption and preventive data deception. Users may form a preventive portfolio made up of the two preventive measures. We contribute a novel game theoretical model of the data-selling ransomware to study the equilibrium strategies of the attacker and victims. The equilibrium solution of the portfolio and tradeoff analysis of both data encryption and deception are particularly useful for the users to optimize their system to defend against ransomware attacks. Simulation studies demonstrate the effectiveness of the preventive portfolio, which maximizes user utility while significantly reducing the profit of the attacker.

computer science, information systems

Nandita Pattnaik,Jason R. C. Nurse,Sarah Turner,Gareth Mott,Jamie MacColl,Pia Huesch,James Sullivan

2023-07-06

Abstract:As cyber-attacks continue to increase in frequency and sophistication, organisations must be better prepared to face the reality of an incident. Any organisational plan that intends to be successful at managing security risks must clearly understand the harm (i.e., negative impact) and the various parties affected in the aftermath of an attack. To this end, this article conducts a novel exploration into the multitude of real-world harms that can arise from cyber-attacks, with a particular focus on ransomware incidents given their current prominence. This exploration also leads to the proposal of a new, robust methodology for modelling harms from such incidents. We draw on publicly-available case data on high-profile ransomware incidents to examine the types of harm that emerge at various stages after a ransomware attack and how harms (e.g., an offline enterprise server) may trigger other negative, potentially more substantial impacts for stakeholders (e.g., the inability for a customer to access their social welfare benefits or bank account). Prominent findings from our analysis include the identification of a notable set of social/human harms beyond the business itself (and beyond the financial payment of a ransom) and a complex web of harms that emerge after attacks regardless of the industry sector. We also observed that deciphering the full extent and sequence of harms can be a challenging undertaking because of the lack of complete data available. This paper consequently argues for more transparency on ransomware harms, as it would lead to a better understanding of the realities of these incidents to the benefit of organisations and society more generally.

Cryptography and Security,Computers and Society

Gavin Hull,Henna John,Budi Arief

DOI: https://doi.org/10.1186/s40163-019-0097-9

2019-02-12

Crime Science

Abstract:Ransomware incidents have increased dramatically in the past few years. The number of ransomware variants is also increasing, which means signature and heuristic-based detection techniques are becoming harder to achieve, due to the ever changing pattern of ransomware attack vectors. Therefore, in order to combat ransomware, we need a better understanding on how ransomware is being deployed, its characteristics, as well as how potential victims may react to ransomware incidents. This paper aims to address this challenge by carrying out an investigation on 18 families of ransomware, leading to a model for categorising ransomware behavioural characteristics, which can then be used to improve detection and handling of ransomware incidents. The categorisation was done in respect to the stages of ransomware deployment methods with a predictive model we developed called Randep. The stages are fingerprint, propagate, communicate, map, encrypt, lock, delete and threaten. Analysing the samples gathered for the predictive model provided an insight into the stages and timeline of ransomware execution. Furthermore, we carried out a study on how potential victims (individuals, as well as IT support staff at universities and SMEs) detect that ransomware was being deployed on their machine, what steps they took to investigate the incident, and how they responded to the attack. Both quantitative and qualitative data were collected through questionnaires and in-depth interviews. The results shed an interesting light into the most common attack methods, the most targeted operating systems and the infection symptoms, as well as recommended defence mechanisms. This information can be used in the future to create behavioural patterns for improved ransomware detection and response.

Alex Zarifis,Xusen Cheng,Uchitha Jayawickrama,Simone Corsi

DOI: https://doi.org/10.4018/IJISSS.289219

2024-01-20

Abstract:Ransomware attack effectiveness has increased causing far reaching consequences that are not fully understood. The ability to disrupt core services, the global reach, extended duration, and the repetition has increased their ability to harm organizations. One aspect that needs to be understood better is the effect on the user. The user in the current environment is exposed to new technologies that might be adopted, but there are also habits of using existing systems. The habits have developed over time with trust increasing in the organization in contact directly and the institutions supporting it. This research explores whether the global, extended, and repeated RW attacks reduce the trust and inertia sufficiently to change long-held habits in using information systems. The model tested measures the effect of the RW attack on the e-commerce status quo to evaluate if it is significant enough to overcome the users resistance to change.

Cryptography and Security,Computers and Society

Amir Atapour-Abarghouei,Stephen Bonner,Andrew Stephen McGough

DOI: https://doi.org/10.48550/arXiv.1911.08364

2019-11-19

Abstract:With the recent growth in the number of malicious activities on the internet, cybersecurity research has seen a boost in the past few years. However, as certain variants of malware can provide highly lucrative opportunities for bad actors, significant resources are dedicated to innovations and improvements by vast criminal organisations. Among these forms of malware, ransomware has experienced a significant recent rise as it offers the perpetrators great financial incentive. Ransomware variants operate by removing system access from the user by either locking the system or encrypting some or all of the data, and subsequently demanding payment or ransom in exchange for returning system access or providing a decryption key to the victim. Due to the ubiquity of sensitive data in many aspects of modern life, many victims of such attacks, be they an individual home user or operators of a business, are forced to pay the ransom to regain access to their data, which in many cases does not happen as renormalisation of system operations is never guaranteed. As the problem of ransomware does not seem to be subsiding, it is very important to investigate the underlying forces driving and facilitating such attacks in order to create preventative measures. As such, in this paper, we discuss and provide further insight into variants of ransomware and their victims in order to understand how and why they have been targeted and what can be done to prevent or mitigate the effects of such attacks.

Cryptography and Security

Cheng Wang,Christopher Redino,Ryan Clark,Abdul Rahman,Sal Aguinaga,Sathvik Murli,Dhruv Nandakumar,Roland Rao,Lanxiao Huang,Daniel Radke,Edward Bowen

2024-06-25

Abstract:Ransomware presents a significant and increasing threat to individuals and organizations by encrypting their systems and not releasing them until a large fee has been extracted. To bolster preparedness against potential attacks, organizations commonly conduct red teaming exercises, which involve simulated attacks to assess existing security measures. This paper proposes a novel approach utilizing reinforcement learning (RL) to simulate ransomware attacks. By training an RL agent in a simulated environment mirroring real-world networks, effective attack strategies can be learned quickly, significantly streamlining traditional, manual penetration testing processes. The attack pathways revealed by the RL agent can provide valuable insights to the defense team, helping them identify network weak points and develop more resilient defensive measures. Experimental results on a 152-host example network confirm the effectiveness of the proposed approach, demonstrating the RL agent's capability to discover and orchestrate attacks on high-value targets while evading honeyfiles (decoy files strategically placed to detect unauthorized access).

Cryptography and Security,Artificial Intelligence,Machine Learning

Timothy McIntosh,Teo Susnjak,Tong Liu,Dan Xu,Paul Watters,Dongwei Liu,Yaqi Hao,Alex Ng,Malka Halgamuge

DOI: https://doi.org/10.1145/3691340

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:Ransomware has grown to be a dominant cybersecurity threat by exfiltrating, encrypting, or destroying valuable user data and causing numerous disruptions to victims. The severity of the ransomware endemic has generated research interest from both the academia and the industry. However, many studies held stereotypical assumptions about ransomware, used unverified, outdated, and limited self-collected ransomware samples, and did not consider government strategies, industry guidelines, or cyber intelligence. We observed that ransomware no longer exists simply as an executable file or limits to encrypting files (data loss); data exfiltration (data breach) is the new norm, espionage is an emerging theme, and the industry is shifting focus from technical advancements to cyber governance and resilience. We created a ransomware innovation adoption curve, critically evaluated 212 academic studies published during 2020 and 2023, and cross-verified them against various government strategies, industry reports, and cyber intelligence on ransomware. We concluded that many studies were becoming irrelevant to the contemporary ransomware reality and called for the redirection of ransomware research to align with the continuous ransomware evolution in the industry. We proposed to address data exfiltration as priority over data encryption, to consider ransomware in a business-practical manner, and recommended research collaboration with the industry.

computer science, theory & methods

Akashdeep Bhardwaj,G.V.B. Subrahmanyam,Vinay Avasthi,Hanumat Sastry

DOI: https://doi.org/10.48550/arXiv.1512.01980

2015-12-07

Cryptography and Security

Abstract:This article attempts to discover the surreptitious features of ransomware and to address it in information systems security research. It intends to elicit attention with regard to ransomware, a newly emerged cyber threat using such encryption technology as RSA, and to help both academic researchers and IT practitioners understand the technological characteristics of ransomware, along with its severity analysis. As ransomware infections continue to rise and attacks employing refined algorithm become increasingly sophisticated, data protection faces serious challenges. The article discusses future trends and research directions related to ransomware, and provides prevention strategies for SMEs.

Murat Ozer,Said Varlioglu,Bilal Gonen,Mehmet F. Bastug

DOI: https://doi.org/10.1109/CSCI49370.2019.00032

2020-03-17

Abstract:Over the past three years, especially following WannaCry malware, ransomware has become one of the biggest concerns for private businesses, state, and local government agencies. According to Homeland Security statistics, 1.5 million ransomware attacks have occurred per year since 2016. Cybercriminals often use creative methods to inject their malware into the target machines and use sophisticated cryptographic techniques to hold hostage victims' files and programs unless a certain amount of equivalent Bitcoin is paid. The return to the cybercriminals is so high (estimated \$1 billion in 2019) without any cost because of the advanced anonymity provided by cryptocurrencies, especially Bitcoin \cite{Paquet-Clouston2019}. Given this context, this study first discusses the current state of ransomware, detection, and prevention systems. Second, we propose a global ransomware center to better manage our concerted efforts against cybercriminals. The policy implications of the proposed study are discussed in the conclusion section.

Cryptography and Security

Ian W. Gray,Jack Cable,Benjamin Brown,Vlad Cuiujuclu,Damon McCoy

2023-04-23

Abstract:Ransomware operations have evolved from relatively unsophisticated threat actors into highly coordinated cybercrime syndicates that regularly extort millions of dollars in a single attack. Despite dominating headlines and crippling businesses across the globe, there is relatively little in-depth research into the modern structure and economics of ransomware operations. In this paper, we leverage leaked chat messages to provide an in-depth empirical analysis of Conti, one of the largest ransomware groups. By analyzing these chat messages, we construct a picture of Conti's operations as a highly-profitable business, from profit structures to employee recruitment and roles. We present novel methodologies to trace ransom payments, identifying over $80 million in likely ransom payments to Conti and its predecessor -- over five times as much as in previous public datasets. As part of our work, we publish a dataset of 666 labeled Bitcoin addresses related to Conti and an additional 75 Bitcoin addresses of likely ransom payments. Future work can leverage this case study to more effectively trace -- and ultimately counteract -- ransomware activity.

Cryptography and Security

Ali Mehrban,Shirin Karimi Geransayeh

2024-02-04

Abstract:In recent years, there has been a noticeable increase in cyberattacks using ransomware. Attackers use this malicious software to break into networks and harm computer systems. This has caused significant and lasting damage to various organizations, including government, private companies, and regular users. These attacks often lead to the loss or exposure of sensitive information, disruptions in normal operations, and persistent vulnerabilities. This paper focuses on a method for recognizing and identifying ransomware in computer networks. The approach relies on using machine learning algorithms and analyzing the patterns of network traffic. By collecting and studying this traffic, and then applying machine learning models, we can accurately identify and detect ransomware. The results of implementing this method show that machine learning algorithms can effectively pinpoint ransomware based on network traffic, achieving high levels of precision and accuracy.

Cryptography and Security,Machine Learning

Ali Ahmed Mohammed Ali Alwashali,Noriswadi Ismail,Nor Azlina Abd Rahman

DOI: https://doi.org/10.1109/DeSE54285.2021.9719456

2021-12-07

Abstract:Industries all around the world seek realistic predictions for new threats that might appear in new future that will affect their business and the security of their data. Year 2020 was full of uncertainty due the Covid19 pandemic, entire world had to change the way they do business by shifting to the digital world. The new working methods introduced new threats which will persist, and potential continue to grow in coming few years. Cyber security predictions address challenges and threats caused by the pandemic such as the huge increase of ransomware attacks in the coming year. Almost every organization changed their option to access work and used new software that will allow them to operate from home. Education sector for example uses virtual classes, healthcare sector use web to deliver and communicate with patients and so on. The more individuals and business rely on technology, the more it becomes part of their lives and cannot be replaced. Cyber criminals realized this fact and increased the demand for higher ransom. The goal of this paper is to study the trend and the influence of Ransomware as a service in today era. This paper is proposed steps to reduce the impact of Ransomware attack to individuals and organizations. The discussion on how ransomware as a service work, statistic of ransomware cases, methods of improving operational security of the organizations and technical countermeasures that should be taken by organization and also individuals are included in this research paper.

Business,Computer Science

Aaron Zimba,Mumbi Chishimba,Sipiwe Chihana

DOI: https://doi.org/10.48550/arXiv.2102.10632

2021-02-22

Abstract:Ransomware has emerged as an infamous malware that has not escaped a lot of myths and inaccuracies from media hype. Victims are not sure whether or not to pay a ransom demand without fully understanding the lurking consequences. In this paper, we present a ransomware classification framework based on file-deletion and file-encryption attack structures that provides a deeper comprehension of potential flaws and inadequacies exhibited in ransomware. We formulate a threat and attack model representative of a typical ransomware attack process from which we derive the ransomware categorization framework based on a proposed classification algorithm. The framework classifies the virulence of a ransomware attack to entail the overall effectiveness of potential ways of recovering the attacked data without paying the ransom demand as well as the technical prowess of the underlying attack structures. Results of the categorization, in increasing severity from CAT1 through to CAT5, show that many ransomwares exhibit flaws in their implementation of encryption and deletion attack structures which make data recovery possible without paying the ransom. The most severe categories CAT4 and CAT5 are better mitigated by exploiting encryption essentials while CAT3 can be effectively mitigated via reverse engineering. CAT1 and CAT2 are not common and are easily mitigated without any decryption essentials.

Cryptography and Security

Kai Wang,Michael Tong,Jun Pang,Jitao Wang,Weili Han

DOI: https://doi.org/10.1145/3687487

IF: 3.35

2024-08-29

ACM Transactions on the Web

Abstract:Recently, there is a surge in ransomware activities that encrypt users' sensitive data and demand bitcoins for ransom payments to conceal the criminal's identity. It is crucial for regulatory agencies to identify as many ransomware addresses as possible in order to accurately estimate the impact of these ransomware activities. However, existing methods for detecting ransomware addresses rely primarily on time-consuming data collection and clustering heuristics, and they face two major issues: 1) the features of an address itself are insufficient to accurately represent its activity characteristics, and 2) the number of disclosed ransomware addresses is extremely less than the number of unlabeled addresses. These issues lead to a significant number of ransomware addresses being undetected, resulting in a substantial underestimation of the impact of ransomware activities. To solve the above two issues, we propose an optimized ransomware address detection method based on Bitcoin transaction relationships, named XRAD , to detect more ransomware addresses with high performance. To address the first one, we present a cascade feature extraction method for Bitcoin transactions to aggregate features of related addresses after exploring transaction relationships. To address the second one, we build a classification model based on Positive-Unlabeled learning to detect ransomware addresses with high performance. Extensive experiments demonstrate that XRAD significantly improves average accuracy, recall, and F1 score by 15.07%, 19.71%, and 34.83%, respectively, compared to state-of-the-art methods. In total, XRAD detects 120,335 ransomware activities from 2009 to 2023, revealing a development trend and average ransom payment per year that aligns with three reports by FinCEN, Chainalysis, and Coveware.

computer science, information systems, software engineering