Zhen Li,Qi Liao

DOI: https://doi.org/10.13052/jcsm2245-1439.1013

2021-03-22

Journal of Cyber Security and Mobility

Abstract:We are experiencing the worst years of ransomware attacks with continuing news reports on high-profile ransomware attacks on organizations such as hospitals, schools, government agencies and private businesses. Recently a few ransomware attackers have gone beyond simply encrypting files and waiting for ransom. They threaten to release the data if the victims refuse their ransom request. In this paper, we propose a hypothetical new revenue model for the ransomware, i.e., selling the stolen data rather than publishing the data for free. Through a game-theoretical analysis between attackers and victims, we contribute a novel model to understand the critical decision variables for the proposed data-selling ransomware (which we refer as "ransomware 2.0") that sells data as well as demands ransom. We compare the role of reputation and the profitability of the data-selling ransomware with traditional ransomware ("ransomware 1.0") that demands ransom only and the data-threat ransomware ("ransomware 1.5") that demands ransom with the threat of releasing data for no compliance. Both theoretical modeling and simulation studies suggest that in general both ransomware 2.0 and 1.5 are more profitable than ransomware 1.0, while ransomware 2.0 is always more profitable than ransomware 1.5. Notably, common defensive measures that may work to eliminate the financial incentives of ransomware 1.0 may not work on ransomware 2.0, in particular the data backup practice and the never-pay-ransom strategy. Our findings also suggest that the uncertainties created by this new revenue model may affect attackers' reputation and users' willingness-to-pay, therefore, ransomware 2.0 may not always increase the profitability of attackers. Another finding of the study suggests that reputation maximization is critical in ransomware 1.0 and 1.5, but not in ransomware 2.0, where attackers could manipulate reputation for profit maximization.

Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ISECS.2008.147

2008-01-01

Abstract:The purpose of this paper is to resolve information security problem in the mobile electronic commerce industry chain. We analyze information security based on evolutionary game theory. In this paper, we set up the information security game model with penalty parameter, calculate replicator dynamics, and analyze the evolutionary stable strategy of the game model. The result reveals that reducing the investment cost is the key factor to promote information security investment. If this condition can not be satisfied, the regulation of penalty parameter will help to promote the investment. The research method in this paper provides a new thought for the solution of information security in the mobile electronic commerce chain.

Erick Galinkin

DOI: https://doi.org/10.48550/arXiv.2107.14578

2021-07-30

Cryptography and Security

Abstract:Ransomware is a growing threat to individuals and enterprises alike, constituting a major factor in cyber insurance and in the security planning of every organization. Although the game theoretic lens often frames the game as a competition between equals -- a profit maximizing attacker and a loss minimizing defender -- the reality of many situations is that ransomware organizations are not playing a non-cooperative game, they are playing a lottery. The wanton behavior of attackers creates a situation where many victims are hit more than once by ransomware operators, sometimes even by the same group. If defenders wish to combat malware, they must then seek to remove the incentives of it. In this work, we construct an expected value model based on data from actual ransomware attacks and identify three variables: the value of payments, the cost of an attack, and the probability of payment. Using this model, we consider the potential to manipulate these variables to reduce the profit motive associated with ransomware attack. Based on the model, we present mitigations to encourage an environment that is hostile to ransomware operators. In particular, we find that off-site backups and government incentives for their adoption are the most fruitful avenue for combating ransomware.

Julio Hernandez-Castro,Edward Cartwright,Anna Stepanova

DOI: https://doi.org/10.48550/arXiv.1703.06660

2017-03-20

Abstract:We present in this work an economic analysis of ransomware, with relevant data from Cryptolocker, CryptoWall, TeslaCrypt and other major strands. We include a detailed study of the impact that different price discrimination strategies can have on the success of a ransomware family, examining uniform pricing, optimal price discrimination and bargaining strategies and analysing their advantages and limitations. In addition, we present results of a preliminary survey that can helps in estimating an optimal ransom value. We discuss at each stage whether the different schemes we analyse have been encountered already in existing malware, and the likelihood of them being implemented and becoming successful. We hope this work will help to gain some useful insights for predicting how ransomware may evolve in the future and be better prepared to counter its current and future threat.

Cryptography and Security,Computers and Society

Aron Laszka,Sadegh Farhang,Jens Grossklags

DOI: https://doi.org/10.48550/arXiv.1707.06247

2017-08-22

Abstract:While recognized as a theoretical and practical concept for over 20 years, only now ransomware has taken centerstage as one of the most prevalent cybercrimes. Various reports demonstrate the enormous burden placed on companies, which have to grapple with the ongoing attack waves. At the same time, our strategic understanding of the threat and the adversarial interaction between organizations and cybercriminals perpetrating ransomware attacks is lacking. In this paper, we develop, to the best of our knowledge, the first game-theoretic model of the ransomware ecosystem. Our model captures a multi-stage scenario involving organizations from different industry sectors facing a sophisticated ransomware attacker. We place particular emphasis on the decision of companies to invest in backup technologies as part of a contingency plan, and the economic incentives to pay a ransom if impacted by an attack. We further study to which degree comprehensive industry-wide backup investments can serve as a deterrent for ongoing attacks.

Cryptography and Security

Pranjal Sharma

2024-09-15

Abstract:Day by day, the frequency of ransomware attacks on organizations is experiencing a significant surge. High-profile incidents involving major entities like Las Vegas giants MGM Resorts, Caesar Entertainment, and Boeing underscore the profound impact, posing substantial business barriers. When a sudden cyberattack occurs, organizations often find themselves at a loss, with a looming countdown to pay the ransom, leading to a cascade of impromptu and unfavourable decisions. This paper adopts a novel approach, leveraging Prospect Theory, to elucidate the tactics employed by cyber attackers to entice organizations into paying the ransom. Furthermore, it introduces an algorithm based on Prospect Theory and an Attack Recovery Plan, enabling organizations to make informed decisions on whether to consent to the ransom demands or resist. This algorithm Ransomware Risk Analysis and Decision Support (RADS) uses Prospect Theory to re-instantiate the shifted reference manipulated as perceived gains by attackers and adjusts for the framing effect created due to time urgency. Additionally, leveraging application criticality and incorporating Prospect Theory's insights into under/over weighing probabilities, RADS facilitates informed decision-making that transcends the simplistic framework of "consent" or "resistance," enabling organizations to achieve optimal decisions.

Cryptography and Security

Rui Fang,Maochao Xu,Peng Zhao

DOI: https://doi.org/10.48550/arxiv.2010.06700

2020-01-01

Abstract:Ransomware has emerged as one of the most concerned cyber risks in recent years, which has caused millions of dollars monetary loss over the world. It typically demands a certain amount of ransom payment within a limited timeframe to decrypt the encrypted victim's files. This paper explores whether the ransomware should be paid in a novel game-theoretic model from the perspective of Bayesian game. In particular, the new model analyzes the ransom payment strategies within the framework of incomplete information for both hacker and victim. Our results show that there exist pure and randomized Bayesian Nash equilibria under some mild conditions for the hacker and victim. The sufficient conditions that when the ransom should be paid are presented when an organization is compromised by the ransomware attack. We further study how the costs and probabilities of cracking or recovering affect the expected payoffs of the hacker and the victim in the equilibria. In particular, it is found that the backup option for computer files is not always beneficial, which actually depends on the related cost. Moreover, it is discovered that fake ransomware may be more than expected because of the potential high payoffs. Numerical examples are also presented for illustration.

Yiwei Hou,Lihua Guo,Chijin Zhou,Yiwen Xu,Zijing Yin,Shanshan Li,Chengnian Sun,Yu Jiang

DOI: https://doi.org/10.1145/3597503.3639090

2024-01-01

Abstract:The threat of ransomware to the software ecosystem has become increasingly alarming in recent years, raising a demand for large-scale and comprehensive ransomware analysis to help develop more effective countermeasures against unknown attacks. In this paper, we first collect a real-world dataset Maraudermap, consisting of 7,796 active ransomware samples, and analyze their behaviors of disrupting data in victim systems. All samples are executed in iso-lated testbeds to collect all perspectives of six categories of runtime behaviors, such as API calls, I/O accesses, and network traffic. The total logs volume is up to 1.98 TiB. By assessing collected behaviors, we present six critical findings throughout ransomware attacks' data reconnaissance, data tampering, and data exfiltration phases. Based on our findings, we propose three corresponding mitigation strategies to detect ransomware during each phase. Experimental results show that they can enhance the capability of state-of-the-art anti-ransomware tools. We report a preliminary result of a 41%-69% increase in detection rate with no additional false positives, showing that our insights are helpful.

Rui Fang,Maochao Xu,Peng Zhao

DOI: https://doi.org/10.1016/j.cose.2022.102685

IF: 5.105

2022-01-01

Computers & Security

Abstract:Ransomware has emerged as one of the most concerned cyber risks in recent years, which has caused millions of dollars monetary loss over the world. It typically demands a certain amount of ransom payment within a limited timeframe to decrypt the encrypted victim’s files. This paper explores whether the ransomware should be paid in a novel game-theoretic model from the perspective of Bayesian game. In particular, the new model analyzes the ransom payment strategies within the framework of incomplete information for both hacker and victim. Our results show that there exist pure and randomized Bayesian Nash equilibria under some mild conditions for the hacker and victim. The sufficient conditions that when the ransom should be paid are presented when an organization is compromised by the ransomware attack. We further study how the costs and probabilities of cracking or recovering affect the expected payoffs of the hacker and the victim in the equilibria. In particular, it is found that the backup option for computer files is not always beneficial, which actually depends on the related cost. Moreover, it is discovered that fake ransomware may be more than expected because of the potential high payoffs. Numerical examples are also presented for illustration.

Timothy McIntosh,Teo Susnjak,Tong Liu,Dan Xu,Paul Watters,Dongwei Liu,Yaqi Hao,Alex Ng,Malka Halgamuge

DOI: https://doi.org/10.1145/3691340

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:Ransomware has grown to be a dominant cybersecurity threat by exfiltrating, encrypting, or destroying valuable user data and causing numerous disruptions to victims. The severity of the ransomware endemic has generated research interest from both the academia and the industry. However, many studies held stereotypical assumptions about ransomware, used unverified, outdated, and limited self-collected ransomware samples, and did not consider government strategies, industry guidelines, or cyber intelligence. We observed that ransomware no longer exists simply as an executable file or limits to encrypting files (data loss); data exfiltration (data breach) is the new norm, espionage is an emerging theme, and the industry is shifting focus from technical advancements to cyber governance and resilience. We created a ransomware innovation adoption curve, critically evaluated 212 academic studies published during 2020 and 2023, and cross-verified them against various government strategies, industry reports, and cyber intelligence on ransomware. We concluded that many studies were becoming irrelevant to the contemporary ransomware reality and called for the redirection of ransomware research to align with the continuous ransomware evolution in the industry. We proposed to address data exfiltration as priority over data encryption, to consider ransomware in a business-practical manner, and recommended research collaboration with the industry.

computer science, theory & methods

Wenjia Song,Sanjula Karanam,Ya Xiao,Jingyuan Qi,Nathan Dautenhahn,Na Meng,Elena Ferrari,Danfeng

2024-11-19

Abstract:Crypto-ransomware has caused an unprecedented scope of impact in recent years with an evolving level of sophistication. An extensive range of studies have been on defending against ransomware and reviewing the efficacy of various protections. However, for practical defenses, deployability holds equal significance as detection accuracy. Therefore, in this study, we review 117 published ransomware defense works, categorize them by the level they are implemented at, and discuss the deployability. API-based solutions are easy to deploy and most existing works focus on machine learning-based classification. To provide more insights, we quantitively characterize the runtime behaviors of real-world ransomware samples. Based on our experimental findings, we present a possible future detection direction with our consistency analysis and API-contrast-based refinement. Moreover, we experimentally evaluate various commercial defenses and identify the security gaps. Our findings help the field understand the deployability of ransomware defenses and create more effective, practical solutions.

Cryptography and Security

Li Kuang,Yujia Zhu,Shuqi Li,Xuejin Yan,Han Yan,Shuiguang Deng

DOI: https://doi.org/10.1155/2018/3486529

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:With the rapid development of sensor acquisition technology, more and more data are collected, analyzed, and encapsulated into application services. However, most of applications are developed by untrusted third parties. Therefore, it has become an urgent problem to protect users’ privacy in data publication. Since the attacker may identify the user based on the combination of user’s quasi-identifiers and the fewer quasi-identifier fields result in a lower probability of privacy leaks, therefore, in this paper, we aim to investigate an optimal number of quasi-identifier fields under the constraint of trade-offs between service quality and privacy protection. We first propose modelling the service development process as a cooperative game between the data owner and consumers and employing the Stackelberg game model to determine the number of quasi-identifiers that are published to the data development organization. We then propose a way to identify when the new data should be learned, as well, a way to update the parameters involved in the model, so that the new strategy on quasi-identifier fields can be delivered. The experiment first analyses the validity of our proposed model and then compares it with the traditional privacy protection approach, and the experiment shows that the data loss of our model is less than that of the traditional k-anonymity especially when strong privacy protection is applied.

Gavin Hull,Henna John,Budi Arief

DOI: https://doi.org/10.1186/s40163-019-0097-9

2019-02-12

Crime Science

Abstract:Ransomware incidents have increased dramatically in the past few years. The number of ransomware variants is also increasing, which means signature and heuristic-based detection techniques are becoming harder to achieve, due to the ever changing pattern of ransomware attack vectors. Therefore, in order to combat ransomware, we need a better understanding on how ransomware is being deployed, its characteristics, as well as how potential victims may react to ransomware incidents. This paper aims to address this challenge by carrying out an investigation on 18 families of ransomware, leading to a model for categorising ransomware behavioural characteristics, which can then be used to improve detection and handling of ransomware incidents. The categorisation was done in respect to the stages of ransomware deployment methods with a predictive model we developed called Randep. The stages are fingerprint, propagate, communicate, map, encrypt, lock, delete and threaten. Analysing the samples gathered for the predictive model provided an insight into the stages and timeline of ransomware execution. Furthermore, we carried out a study on how potential victims (individuals, as well as IT support staff at universities and SMEs) detect that ransomware was being deployed on their machine, what steps they took to investigate the incident, and how they responded to the attack. Both quantitative and qualitative data were collected through questionnaires and in-depth interviews. The results shed an interesting light into the most common attack methods, the most targeted operating systems and the infection symptoms, as well as recommended defence mechanisms. This information can be used in the future to create behavioural patterns for improved ransomware detection and response.

Aaron Zimba,Mumbi Chishimba,Sipiwe Chihana

DOI: https://doi.org/10.48550/arXiv.2102.10632

2021-02-22

Abstract:Ransomware has emerged as an infamous malware that has not escaped a lot of myths and inaccuracies from media hype. Victims are not sure whether or not to pay a ransom demand without fully understanding the lurking consequences. In this paper, we present a ransomware classification framework based on file-deletion and file-encryption attack structures that provides a deeper comprehension of potential flaws and inadequacies exhibited in ransomware. We formulate a threat and attack model representative of a typical ransomware attack process from which we derive the ransomware categorization framework based on a proposed classification algorithm. The framework classifies the virulence of a ransomware attack to entail the overall effectiveness of potential ways of recovering the attacked data without paying the ransom demand as well as the technical prowess of the underlying attack structures. Results of the categorization, in increasing severity from CAT1 through to CAT5, show that many ransomwares exhibit flaws in their implementation of encryption and deletion attack structures which make data recovery possible without paying the ransom. The most severe categories CAT4 and CAT5 are better mitigated by exploiting encryption essentials while CAT3 can be effectively mitigated via reverse engineering. CAT1 and CAT2 are not common and are easily mitigated without any decryption essentials.

Cryptography and Security

Mingxin Yang,Lei Feng,Xiaoming Zhang

DOI: https://doi.org/10.1177/17483026231157204

2023-03-01

Abstract:Journal of Algorithms &Computational Technology, Volume 17, Issue , January-December 2023. In recent years, data leakage incidents have been frequently exposed, and personal privacy protection has become a major issue. To explore the laws of data leakage and solve practical problems, the reasons for data leakage and the evolution of players' strategy in the game are discussed. After sorting out the interest relationship of data leakage incidents, a three-party evolution model of invaders, operators, and regulators is established to analyze the evolution path from the perspective of a single party. The Lyapunov theory is used to analyze the stability of equilibrium points of the system and then verified by MATLAB simulation. The influence relationship of various parameters on the system is analyzed. Finally, the ideal state is defined and the system is attempted to be modified. The results demonstrate that under the current system, the evolution direction cannot be changed by the initial intention of players. The game result will eventually form a situation with a strong attack from invaders, advanced defense from operators, and extensive management from regulators. The attack level can be reduced by adjusting the controllable parameters, modifying the evolution path, and calculating the parameter range.

Murat Ozer,Said Varlioglu,Bilal Gonen,Mehmet F. Bastug

DOI: https://doi.org/10.1109/CSCI49370.2019.00032

2020-03-17

Abstract:Over the past three years, especially following WannaCry malware, ransomware has become one of the biggest concerns for private businesses, state, and local government agencies. According to Homeland Security statistics, 1.5 million ransomware attacks have occurred per year since 2016. Cybercriminals often use creative methods to inject their malware into the target machines and use sophisticated cryptographic techniques to hold hostage victims' files and programs unless a certain amount of equivalent Bitcoin is paid. The return to the cybercriminals is so high (estimated \$1 billion in 2019) without any cost because of the advanced anonymity provided by cryptocurrencies, especially Bitcoin \cite{Paquet-Clouston2019}. Given this context, this study first discusses the current state of ransomware, detection, and prevention systems. Second, we propose a global ransomware center to better manage our concerted efforts against cybercriminals. The policy implications of the proposed study are discussed in the conclusion section.

Cryptography and Security

Alian Yu,Jian Kang,Joshua Morris,Elisa Bertino,Dan Lin

DOI: https://doi.org/10.1109/tdsc.2024.3364209

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Ransomware attacks have become widespread in the last few years and have affected many critical industries and infrastructures. Unfortunately, there are no recovery tools that can effectively defend against all types of ransomware. Approaches, such as frequent data backups, have several drawbacks. They are expensive in terms of resources and trained technical staff. Therefore, it is much more challenging and cost-consuming for average users and small business owners to survive ransomware attacks. To provide an easy-to-use tool for a broader population of users and businesses, we propose a novel ransomware defense mechanism that can be conveniently deployed in modern Windows systems which have over 76% market share as of 2022. The uniqueness of our approach is to fight malware like malware. We leverage Alternate Data Streams, which are sometimes used by malicious applications, to design and implement a data protection method that misleads the ransomware into attacking only file “shells” instead of the actual file content. We have evaluated our approach against different cryptographic ransomware. The results show that our approach is usable, efficient, and effective.

computer science, information systems, software engineering, hardware & architecture

Jiseok Bang,Jeong Nyeo Kim,Seungkwang Lee

DOI: https://doi.org/10.3390/s24051446

IF: 3.9

2024-02-24

Sensors

Abstract:This study presents a groundbreaking approach to the ever-evolving challenge of ransomware detection. A lot of detection methods predominantly rely on pinpointing high-entropy blocks, which is a hallmark of the encryption techniques commonly employed in ransomware. These blocks, typically difficult to recover, serve as key indicators of malicious activity. So far, many neutralization techniques have been introduced so that ransomware utilizing standard encryption can effectively bypass these entropy-based detection systems. However, these have limited capabilities or require relatively high computational costs. To address these problems, we introduce a new concept entropy sharing. This method can be seamlessly integrated with every type of cryptographic algorithm and is also composed of lightweight operations, masking the high-entropy blocks undetectable. In addition, the proposed method cannot be easily nullified, contrary to simple encoding methods, without knowing the order of shares. Our findings demonstrate that entropy sharing can effectively bypass entropy-based detection systems. Ransomware utilizing such attack methods can cause significant damage, as they are difficult to detect through conventional detection methods.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jeffrey Pawlick,Edward Colbert,Quanyan Zhu

DOI: https://doi.org/10.1145/3337772

IF: 16.6

2020-07-31

ACM Computing Surveys

Abstract:Cyberattacks on both databases and critical infrastructure have threatened public and private sectors. Ubiquitous tracking and wearable computing have infringed upon privacy. Advocates and engineers have recently proposed using defensive deception as a means to leverage the information asymmetry typically enjoyed by attackers as a tool for defenders. The term deception, however, has been employed broadly and with a variety of meanings. In this article, we survey 24 articles from 2008 to 2018 that use game theory to model defensive deception for cybersecurity and privacy. Then, we propose a taxonomy that defines six types of deception: perturbation, moving target defense, obfuscation, mixing, honey-x, and attacker engagement. These types are delineated by their information structures, agents, actions, and duration: precisely concepts captured by game theory. Our aims are to rigorously define types of defensive deception, to capture a snapshot of the state of the literature, to provide a menu of models that can be used for applied research, and to identify promising areas for future work. Our taxonomy provides a systematic foundation for understanding different types of defensive deception commonly encountered in cybersecurity and privacy.

computer science, theory & methods

Hao Hu,Yuling Liu,Chen,Hongqi Zhang,Yi Liu

DOI: https://doi.org/10.1109/tnsm.2020.2995713

2020-01-01

IEEE Transactions on Network and Service Management

Abstract:At present, there are many techniques for cyber security defense such as firewall, intrusion detection and cryptography. Despite decades of studies and experiences on this issue, there still exists a problem that we always pay great attention to technology while overlooking strategy. In the traditional warfare, the level of decision-making and the formulation of optimal strategies have a great effect on the warfare result. Similarly, the timeliness and quality of decision-making in cyber attack-defense also make great significance. Since the attackers and defenders are oppositional, the selection of optimal defense strategy with the maximum payoff is difficult. To solve this problem, the stochastic evolutionary game model is utilized to simulate the dynamic adversary of cyber attack-defense. We add the parameter λ to the Logit Quantal Response Dynamics (LQRD) equation to quantify the cognitive differences of real-world players. By calculating the evolutionary stable equilibrium, the best decision-making approach is proposed, which makes a balance between defense cost and benefit. Cases studies on ransomware indicate that the proposed approach can help the defender predict possible attack action, select the related optimal defense strategy over time, and gain the maximum defense payoff.