
Anatomy of a Ransomware Attack - Part 2


By: AjayRandhawa

March 17, 2017

2. ANATOMY OF RANSOMWARE

How it works: A ransomware attack goes through five stages, from the moment it installs on your computer to the appearance of the ransom warning on your screen.

2.1 Five Stages of Crypto Ransomware

2.1.1 INSTALLATION

After a victim's computer is infected, the crypto-ransomware installs itself and sets auto-start keys in the Windows Registry so that it runs every time the computer boots up. [3]

2.1.2 CONTACTING SERVER

Before crypto-ransomware can attack you, it contacts a command-and-control server operated by the criminal gang that owns it. [3] This ordering is not universal: some later families ship with a public key embedded in the sample so that encryption proceeds even when the server is unreachable, so a blocked connection should not be taken as proof that nothing was encrypted.

2.1.3 HANDSHAKE KEYS

The ransomware client and server identify each other through a carefully arranged "handshake", and the server generates a pair of cryptographic keys. One key (the public key, which can only encrypt) is delivered to your system; the other (the private key, which is needed to decrypt) is stored on the criminals' server. [3] That separation is the whole point of the design: a copy of the infected disk, on its own, holds no key that can reverse the encryption.

2.1.4 ENCRYPTION

With the keys established, the ransomware on your computer starts encrypting every file it finds that has one of dozens of common file extensions, from Microsoft Office documents to .JPG images and more. [3]

2.1.5 EXTORTION

The ransomware displays a screen giving you a time limit to pay before the criminals destroy the key needed to decrypt your files. The typical price, $300 to $500, must be paid in bitcoin or another hard-to-trace electronic payment. [3]
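The encryption stage in 2.1.4 is the one a defender can actually observe on the endpoint: many ordinary files are rewritten in quick succession with near-random content, usually losing their format header and often gaining a new extension. The following Python script, an added example that is not part of the original post or of any product or paper it cites, turns those three observations into a small detector run over constructed write events; the file contents, paths, extension list and thresholds are invented for illustration.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List, NamedTuple

# Extensions the post says crypto-ransomware goes after; an illustrative subset, not a full list.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt"}

# Leading bytes ("magic") of the types above that have a fixed header (.txt has none).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte: ciphertext sits near 8.0, plain documents well below (assumed cutoff)
BURST_THRESHOLD = 3      # suspicious rewrites in one batch before raising an outbreak alert (assumed)


class WriteEvent(NamedTuple):
    """One file write as a monitor (e.g. a filesystem filter) would report it: old/new path, old/new content."""
    old_path: str
    new_path: str
    before: bytes
    after: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def write_indicators(ev: WriteEvent) -> List[str]:
    """Independent signals that a write looks like encryption rather than editing."""
    ext = extension(ev.old_path)
    if ext not in TARGET_EXTENSIONS:
        return []
    indicators = []
    # 1. Content went from structured/plain to near-random in a single write.
    if shannon_entropy(ev.before) < ENTROPY_THRESHOLD <= shannon_entropy(ev.after):
        indicators.append("entropy-jump")
    # 2. The format's fixed header is gone; an editor re-saving the file would keep it.
    magic = MAGIC.get(ext)
    if magic and not ev.after.startswith(magic):
        indicators.append("header-lost")
    # 3. The file was renamed to a different extension (e.g. report.docx -> report.docx.encrypted).
    if ev.new_path != ev.old_path and extension(ev.new_path) != ext:
        indicators.append("renamed")
    return indicators


def is_suspicious(indicators: List[str]) -> bool:
    # Entropy alone is not enough (compressed images are high-entropy too); require corroboration.
    return "entropy-jump" in indicators and len(indicators) >= 2


def detect(events: List[WriteEvent], burst: int = BURST_THRESHOLD) -> Dict[str, object]:
    """Flag individual writes and raise an alert when enough of them land in one batch."""
    flagged: Dict[str, List[str]] = {}
    for ev in events:
        indicators = write_indicators(ev)
        if is_suspicious(indicators):
            flagged[ev.old_path] = indicators
    return {"flagged": flagged, "alert": len(flagged) >= burst}


# --- constructed sample data (not real files and not real ransomware output) ---

def pseudo_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (a SHA-256 chain, not encryption)."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


LETTER = b"Dear customer, your invoice is attached. Regards, Accounts.\n" * 60
DOCX = MAGIC[".docx"] + b"<w:document><w:body><w:p>Q3 numbers</w:p></w:body></w:document>" * 40
PNG = MAGIC[".png"] + pseudo_ciphertext(b"png-idat")  # compressed image data is high-entropy too

SAMPLE_EVENTS = [
    # benign: a text file edited in place
    WriteEvent("C:/Users/a/notes.txt", "C:/Users/a/notes.txt", LETTER, LETTER + b"PS: call back.\n"),
    # benign: an image editor re-saves a PNG; entropy is high before and after, header survives
    WriteEvent("C:/Users/a/photo.png", "C:/Users/a/photo.png", PNG, MAGIC[".png"] + pseudo_ciphertext(b"png-2")),
    # malicious: three documents overwritten with ciphertext, two of them renamed
    WriteEvent("C:/Users/a/invoice.txt", "C:/Users/a/invoice.txt.encrypted", LETTER, pseudo_ciphertext(b"k1")),
    WriteEvent("C:/Users/a/q3.docx", "C:/Users/a/q3.docx.encrypted", DOCX, pseudo_ciphertext(b"k2")),
    WriteEvent("C:/Users/a/plan.pdf", "C:/Users/a/plan.pdf", b"%PDF-1.7\n" + LETTER, pseudo_ciphertext(b"k3")),
]

if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for path, why in result["flagged"].items():
        print(f"{path}: {', '.join(why)}")
    print("ALERT" if result["alert"] else "no alert")
```

The two benign events are there to show the false positives a naive version produces: a re-saved PNG is as high-entropy as ciphertext, which is why the entropy signal must be corroborated by a lost header or a rename, and a burst threshold keeps a single odd write from paging anyone. A real deployment would feed this from a filesystem filter driver or canary files rather than from in-memory byte strings, and would tune the thresholds against the organisation's own file population; a "save as PDF" of a Word document, for instance, changes both header and extension and would need an allow-list of known converters.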
References:

[1] B. Fraga. Swansea police pay $750 "ransom" after computer virus strikes. The Herald News, 2013.
[2] G. O'Gorman and G. McDonald. Ransomware: A growing menace. Technical report, Symantec Corporation, 2012.
[3] Anatomy of a Crypto Ransomware Attack. attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/
[4] E. Arnold. Tennessee sheriff pays ransom to cybercriminals, in bitcoin. 2014.
[5] Common types of Ransomware.
[6] N. Andronio, S. Zanero, and F. Maggi. HelDroid: Dissecting and detecting mobile ransomware. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2015.
[7] A. Viswanathan, K. Tan, and C. Neuman. Deconstructing the assessment of anomaly-based intrusion detectors. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2013.
[8] R. Perdisci, A. Lanzi, and W. Lee. Classification of packed executables for accurate computer virus detection. Pattern Recognition Letters, 29(14), 2008.
[9] V. Roussev. Data fingerprinting with similarity digests. In Advances in Digital Forensics VI, IFIP Advances in Information and Communication Technology. Springer Berlin Heidelberg, 2010.
[10] N. Scaife, H. Carter, and P. Traynor. OnionDNS: A seizure-resistant top-level domain. In IEEE Conference on Communications and Network Security (CNS), 2015.
[11] A. Tang, S. Sethumadhavan, and S. Stolfo. Unsupervised anomaly-based malware detection using hardware features. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2014.