
The Cipher, the Random and the Ransom: A Survey on Current and Future

Ziya Alper Genç, Gabriele Lenzini, and Peter Y.A. Ryan
University of Luxembourg, Interdisciplinary Centre for Security, Reliability and Trust

CECC , November , Ljubljana, Slovenia

ABSTRACT

Although conceptually not new, ransomware has recently regained attention in the cybersecurity community: notorious attacks have caused serious damage, proving their disruptive effect. This is likely just the beginning of a new era. According to a recent intelligence report by Cybersecurity Ventures, the total cost due to ransomware attacks is predicted to exceed $ billion in . How can this disruptive threat be contained? Current anti-ransomware solutions are effective only against existing threats, and the worst is yet to come. Cyber criminals will design and deploy more sophisticated strategies, overcoming current defenses, and, as commonly happens in security, defenders and attackers will engage in a competition that will never end. In this arms race, anticipating how current ransomware will evolve may at least help in being prepared for some future damage. In this paper, we describe existing techniques to mitigate ransomware and discuss their limitations. Discussing how current ransomware could become even more disruptive and elusive is crucial to conceive more solid defenses and systems that can mitigate zero-day ransomware, yielding higher security levels for information systems, including critical infrastructures such as intelligent transportation networks and health institutions.

KEYWORDS

ransomware threat, ransomware mitigation, , cybersecurity, survey

INTRODUCTION

When installed on a system, a ransomware encrypts files or blocks functionalities and, when the job is done, asks for a ransom. The victim is left with the choice between paying up to regain access to the files and functionalities or never being able to use the system again. The ransom is usually paid in cryptocurrencies, like Bitcoin [], leaving the ominous transactions untraceable by the authorities. No risk of being seized, together with low development effort, has made ransomware a very popular weapon in the arsenal of cyber criminals. Kaspersky reports that every 40 seconds a business is attacked by ransomware, and that the frequency is fourfold for individuals []. A ransomware is therefore a type of malware, but the nature of ransomware attacks differs significantly from that of conventional malware in terms of economical damage and recoverability. When a system is infected by a crypto-ransomware variant, the victim's files are encrypted using strong cryptography [] and recovery may not be possible. Given this situation, even the Federal Bureau of Investigation (FBI) reportedly advises victims to simply pay the ransom []. However, paying the ransom may not guarantee that the decryption keys are obtained and the files recovered [].

While the Windows platform continues to be the major target of the ransomware threat [], recently a Korean hosting firm was hit by a ransomware and had to pay $ million []. Ransomware is therefore cross-platform, targeting indiscriminately private citizens and companies, and able to hit many countries at once. The infamous WannaCry ransomware recently attacked more than 200 000 computers in 150 countries []. Attacks do not seem likely to slow down in the near future. According to a recent intelligence report by Cybersecurity Ventures, the total cost due to ransomware attacks is predicted to exceed $ billion in  []. The ransomware threat is likely to have more than just economical consequences, e.g., denial of services, downgrade in service quality, loss of social trust or loss of trust in Information and Communications Technology (ICT). Ransomware attacks may even cause problems of civil liability and culminate in lawsuits against victim companies and institutions from customers, e.g., by patients whose care is delayed or hindered. All these circumstances have drawn the attention of the community, and there have been several proposals to mitigate ransomware.

In this paper we review current defense techniques for ransomware, discussing their strong and weak points. Then, we discuss what potential strategies ransomware designers could implement to bypass current countermeasures and continue causing damage for an extended period: we introduce original ransomware variants that employ rootkit techniques and white-box cryptography, and, inspired by cybersecurity incidents that occurred in real-world applications, we point out new possible ransomware targets and attack types.

BACKGROUND

Ransomware aims to extort money by preventing access to data or functionality on the victim's system. Cryptographic ransomware accomplishes this goal by encrypting files using strong cryptography [] while withholding the decryption keys, so that victims are forced to pay the ransom to obtain those keys and regain access to their files. Another variant, the locker ransomware, reaches this aim by taking control of the victim's system and denying functionality. In this case, user data are untouched but the infected system becomes unusable.

Defense Systems

Current Mitigations. Existing anti-ransomware applications, excluding the inefficient and ineffective practice of backing up and restoring files, can be grouped into three main families. The first includes defences which monitor an application's activity in real time in search of patterns that justify blocking a potential ransomware from working (behavioral analysis). The second contains defences that create the conditions to nullify or reverse the effect of a ransomware (key escrow strategies). The last one includes defences that isolate the binary of applications and analyze their code in search of calls to cryptographic operations, which would reveal, at least potentially, the presence of a malicious intention (detection of cryptographic primitives). In detail:

• Behavioral analysis: In this approach, ransomware defense systems examine the behavior of an application and its interactions with the environment, e.g., file system activity, network connections and modifications of operating system (OS) components. There are various proposals in the literature that use the behavioral analysis approach. One of them, Unveil [], generates an artificial user environment and monitors desktop lockers, file access patterns and I/O data entropy. Another one, CryptoDrop [], observes file type changes and measures file modifications using similarity-preserving hash functions and Shannon entropy to recognize ransomware. Moreover, ShieldFS [] monitors low-level file system activities and collects the following features: folder listing, file read/write/rename, file type and write entropy. A ransomware is detected by comparing these characteristics with those of benign applications. Unlike the previous two, ShieldFS can recover files which were already encrypted before detection, though this capability comes with a significant performance overhead.

• Key escrow: In this approach, cryptographic materials generated by ransomware on the victim's system are obtained and held in escrow for later use in recovery. For instance, PayBreak [] is a key escrow based mitigation system and works by intercepting cryptographic Application Programming Interface (API) calls, extracting the passed parameters and storing them in a secure key vault. In the case of infection, the defense system tries to decrypt the encrypted files using the stored keys and parameters. However, this approach can succeed only if the cryptographic functions employed by the ransomware are correctly recognized and the parameters passed to the API are logged. While this is feasible for built-in cryptographic functions on the host system, ransomware that utilizes third-party libraries can bypass detection through obfuscation [], as we will discuss in Section .

• Detection of cryptographic primitives: In this approach, binary programs are analyzed to identify cryptographic operations in their executable code. To this goal, [ ] traces the execution of applications and monitors I/O relationships in the program flow. Based on the occurrences of bitwise arithmetic instructions and loops, and the relationships between the inputs and outputs of the program routines, heuristics are applied to recognize the cryptographic algorithms. On the other hand, [] uses static analysis and Data Flow Graph (DFG) isomorphisms to identify cryptographic algorithms in binary programs. Basically, this technique works as follows: First, the DFG of the binary program is built. Next, the DFG in hand is normalized using rewrite rules in order to remove the variations due to compiler optimizations. Finally, subgraphs which are isomorphic to graph signatures of cryptographic algorithms are searched for in the DFG. A match directly flags that the corresponding algorithm exists in the analyzed program.

Other Methods. The main shortcoming of the behavioral analysis approach for ransomware prevention is the potential for false results due to the lack of an accurate decision mechanism. In order to increase the accuracy of detection, anti-ransomware systems aim to consider more indicators which distinguish ransomware from benign applications. As the number of rules increases, simple decision techniques become inadequate. For this purpose, Machine Learning (ML) algorithms are used to analyze benign applications and known ransomware samples to extract feature vectors, build models and classify them. Recently, an ML based ransomware defense system has been made commercially available []. Meanwhile, the debate over the security of ML based malware defense systems continues. For instance, Hu and Tan proposed an algorithm to generate adversarial examples which cause ML based malware detection systems to misclassify applications []. Beside technical solutions, Luo and Liao suggest improving user awareness to help mitigate ransomware []. Security education for end users would effectively prevent ransomware attacks originating from or spam . However, the attack surface that ransomware can exploit is far larger. As the recent WannaCry attack demonstrates, ransomware evolution has enabled it to spread over the network. Especially, zero-day attacks can amplify the damage of ransomware, and user education cannot help in this case.

POTENTIAL NEW THREATS

We start by giving high-level descriptions of advanced techniques that ransomware may utilize to defeat the defense systems characterized in the previous section. Next, we point out new areas that ransomware may exploit and extend the attack surface that next generation ransomware may target. In each discussion, our observations are supported by real world incidents.

Rootkit-based Ransomware

A rootkit is a type of malware that has the ability to conceal its activities on the target computer system, e.g., code execution, file I/O, network and connections []. The capability of hiding malicious operations is achieved by hooking the operating system's APIs in order to filter and remove the rootkit's traces, as depicted in Figure . Since a rootkit clears its footprints from the APIs that inspect file and memory access, rootkits are harder to detect than other types of malware.

[Figure : Interception of read calls by a kernel mode rootkit in order to hide its trace. Labels in the figure: Application ReadFile() → kernel.dll → ntdll.dll NtReadFile() → SYSENTER (x) or SYSCALL (x) → user mode / kernel mode boundary → ntoskrnl.exe NtReadFile() → I/O Manager → Rootkit → Driver Stack.]

Hooking system APIs can be accomplished in several ways, including changing the function addresses in the Import Address Table (IAT), patching the System Service Dispatch Table (SSDT) at kernel level, and injecting code into applications (DLL injection) [ ]. Starting from Windows Server , x-based versions of the Windows platform introduced Kernel Patch Protection (KPP), which forces kernel mode drivers to be digitally signed and hence prevents unknown modification of code or critical structures in the Windows kernel []. Nevertheless, cybercriminals have frequently used stolen certificates to sign malware in order to penetrate this defense [ , ]. Ransomware authors also seem to have this capability. A recent VirusTotal report shows that a sample of Razy ransomware has a valid signature [].

Implementations of current ransomware defense approaches deeply rely on the security guarantees of the host OSes. While raising the bar for cybercriminals, state-of-the-art ransomware defense systems utilize user mode hooks or kernel mode drivers to monitor the behavior of applications and stop ransomware [, , , ]. Although there is currently no known ransomware which utilizes the advanced techniques of rootkits, the aforementioned defense systems may not detect a rootkit-based ransomware.

Obfuscation

Obfuscation is the practice of making a software implementation incomprehensible through a sequence of transformations while preserving the program semantics []. Originally, legitimate vendors utilized obfuscation to protect intellectual property in software implementations. However, malware authors also take advantage of obfuscation to conceal malicious executable code in binary programs. Concordantly, obfuscated malware can evade signature based detection techniques, which is one of the oldest approaches in the battle with malware.

Figure : Two code fragments that are semantically equivalent and multiply the integers 1 and 2. Left, the original function. Right, the transformed function obtained by adding ineffective instructions, shown inside red boxes in the original figure (the instructions absent from the original function are marked below with "; inserted"). Note that the code's appearance is changed while keeping its behavior the same.

Left, original function:

    push rbp
    mov rbp, rsp
    mov WORD PTR[rbp-2],1
    mov WORD PTR[rbp-4],2
    movzx eax, WORD PTR[rbp-2]
    movzx edx, WORD PTR[rbp-4]
    imul eax, edx
    mov WORD PTR[rbp-6], ax
    movsx eax, WORD PTR[rbp-6]
    pop rbp
    ret

Right, transformed function:

    push rbp
    mov rbp, rsp
    mov WORD PTR[rbp-2],1
    mov WORD PTR[rbp-4],2
    movzx eax, WORD PTR[rbp-2]     ; inserted
    add eax,1                      ; inserted
    mov WORD PTR[rbp-2], ax        ; inserted
    and WORD PTR[rbp-2], 32767     ; inserted
    movzx eax, WORD PTR[rbp-2]
    sub eax,1                      ; inserted
    mov WORD PTR[rbp-2], ax        ; inserted
    and WORD PTR[rbp-4], 32767     ; inserted
    movzx edx, WORD PTR[rbp-4]
    movzx eax, WORD PTR[rbp-2]     ; inserted
    imul eax, edx
    mov WORD PTR[rbp-6], ax
    movsx eax, WORD PTR[rbp-6]
    pop rbp
    ret

Obfuscating malware can be categorized into four types: encrypting, oligomorphic, polymorphic and metamorphic malware []. The members of the first type encrypt the malicious code segment in the binary program and decrypt it at runtime. This involves a decryptor function embedded in the malware body to decrypt and execute the malicious code. Anti-malware systems, though, would still recognize the decryptor function and identify malicious . Thus, the second type, oligomorphic malware, carries a set of encrypted decryptors in the data segment of the binary and changes the decryptor in each generation. However, the number of decryptors is limited, and therefore all of them eventually get identified by anti-malware systems. On the other hand, polymorphic malware mutates its decryption engine randomly, hence evading signature based detection. The means of mutation include dead code insertion, register reassignment, subroutine reordering, instruction substitution, code transposition and integration. For instance, dead code insertion is the practice of adding code that has no effect on the functionality of the software, and is shown in Figure . For the details of other techniques, we refer the reader to []. Anti-malware vendors developed the sandboxing approach to help detection, which works by observing the program's behavior in a safe environment. Once the polymorphic malware is executed in the sandbox and the constant malicious part is decrypted in memory, signature based detection can be applied. The race between cybercriminals and anti-malware vendors resulted in the appearance of metamorphic malware, which actively recognizes, parses and mutates its whole body. As it does not contain a constant body, and thus cannot be detected via signature analysis [], metamorphic malware has been considered to be the most dangerous type.

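The following Python is an added example, not code from the paper or from Unveil, CryptoDrop or ShieldFS: it computes three of the behavioral indicators listed in the Defense Systems section above (Shannon entropy of written data, file type change by magic bytes, loss of similarity to the old content, plus an extension change) over a constructed stream of file-write events, and flags a process only when several of its files show several indicators at once. The byte-histogram cosine similarity stands in for a real similarity-preserving hash, and all thresholds are assumptions.

```python
"""Behavioral indicators of ransomware-like file writes (constructed sample)."""
import math
import random
from collections import defaultdict

# Constructed subset of file magic bytes; a real detector uses a full table.
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip"}

# Assumed thresholds (not taken from the paper or the cited systems).
ENTROPY_HIGH = 7.0         # bits/byte; encrypted or compressed data sits near 8.0
ENTROPY_JUMP = 2.0         # minimum rise from old to new content
SIMILARITY_LOW = 0.5       # below this the new content no longer resembles the old
MIN_SUSPICIOUS_FILES = 3   # files with >= 2 indicators before a process is flagged


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_type(data):
    """File type from magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def histogram_similarity(a, b):
    """Cosine similarity of byte histograms: a simplified stand-in for the
    similarity-preserving hashes (e.g. sdhash) that CryptoDrop compares."""
    ha, hb = [0] * 256, [0] * 256
    for x in a:
        ha[x] += 1
    for x in b:
        hb[x] += 1
    dot = sum(p * q for p, q in zip(ha, hb))
    na = math.sqrt(sum(p * p for p in ha))
    nb = math.sqrt(sum(q * q for q in hb))
    return dot / (na * nb) if na and nb else 0.0


def write_indicators(old, new, old_path, new_path):
    """Indicators that a single rewrite of a file looks like encryption."""
    found = []
    e_old, e_new = shannon_entropy(old), shannon_entropy(new)
    if e_new >= ENTROPY_HIGH and e_new - e_old >= ENTROPY_JUMP:
        found.append("entropy")
    if file_type(old) != "unknown" and file_type(new) == "unknown":
        found.append("type_change")
    if histogram_similarity(old, new) < SIMILARITY_LOW:
        found.append("dissimilar")
    if old_path.rsplit(".", 1)[-1] != new_path.rsplit(".", 1)[-1]:
        found.append("extension")
    return found


def flag_processes(events):
    """events: iterable of (pid, old_path, new_path, old_bytes, new_bytes).
    Returns {pid: suspicious_file_count} for processes over the threshold."""
    per_pid = defaultdict(int)
    for pid, old_path, new_path, old, new in events:
        if len(write_indicators(old, new, old_path, new_path)) >= 2:
            per_pid[pid] += 1
    return {pid: n for pid, n in per_pid.items() if n >= MIN_SUSPICIOUS_FILES}


# --- constructed workload: one benign editor, one process encrypting files ---
_rng = random.Random(1234)


def _random_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


def _pdf_like(text):
    return b"%PDF-1.4\n" + text.encode() * 40 + b"\n%%EOF\n"


def sample_events():
    docs = {"/home/u/doc%d.pdf" % i: _pdf_like("invoice %d line item " % i)
            for i in range(4)}
    events = []
    old = docs["/home/u/doc0.pdf"]
    # pid 100: an editor saves a small change; same type, same extension.
    events.append((100, "/home/u/doc0.pdf", "/home/u/doc0.pdf",
                   old, old.replace(b"invoice 0", b"invoice 9")))
    # pid 200: overwrites every document with high-entropy bytes, new extension.
    for path, content in docs.items():
        events.append((200, path, path + ".locked", content,
                       _random_bytes(len(content))))
    return events


if __name__ == "__main__":
    print(flag_processes(sample_events()))  # {200: 4}
```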
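A second added example (mine, not the paper's or the cited tools' code) for the dynamic approach described under detection of cryptographic primitives above: per function in a constructed disassembly listing it counts bitwise instructions and backward branches (loops) and reports the functions whose bitwise ratio and loop count exceed assumed thresholds. The instruction set, the listing format and the thresholds are all assumptions for the sake of the demonstration.

```python
"""Heuristic spotting of cryptographic routines in a disassembly listing."""
import re

# Assumed sets and thresholds, not taken from the cited work.
BITWISE = {"xor", "and", "or", "not", "rol", "ror", "shl", "shr", "sar"}
MIN_BITWISE_RATIO = 0.3   # share of bitwise instructions in the function
MIN_LOOPS = 1             # backward branches inside the function

_LABEL = re.compile(r"^<(\w+)>:$")
_INSN = re.compile(r"^([0-9a-fA-F]+):\s+(\w+)(?:\s+(.*))?$")


def parse_functions(listing):
    """Group a textual listing into {name: [(addr, mnemonic, operands), ...]}."""
    funcs, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LABEL.match(line)
        if m:
            current = m.group(1)
            funcs[current] = []
            continue
        m = _INSN.match(line)
        if m and current is not None:
            addr, mnem = int(m.group(1), 16), m.group(2).lower()
            funcs[current].append((addr, mnem, (m.group(3) or "").strip()))
    return funcs


def _is_backward_branch(addr, mnem, ops, start):
    """A jump whose direct target lies before it (and inside the function)."""
    if not (mnem.startswith("j") or mnem == "loop"):
        return False
    target = ops.split(",")[0].strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", target):
        return False          # indirect or symbolic target: ignored here
    return start <= int(target, 16) < addr


def analyze_functions(listing):
    """Per-function counts used by the heuristic."""
    report = {}
    for name, insns in parse_functions(listing).items():
        if not insns:
            continue
        start = insns[0][0]
        bitwise = sum(1 for _, m, _ in insns if m in BITWISE)
        loops = sum(1 for a, m, o in insns if _is_backward_branch(a, m, o, start))
        report[name] = {"instructions": len(insns), "bitwise": bitwise,
                        "loops": loops, "ratio": bitwise / len(insns)}
    return report


def find_crypto_candidates(listing, min_ratio=MIN_BITWISE_RATIO, min_loops=MIN_LOOPS):
    """Names of functions that combine heavy bitwise arithmetic with a loop."""
    rep = analyze_functions(listing)
    return sorted(n for n, r in rep.items()
                  if r["ratio"] >= min_ratio and r["loops"] >= min_loops)


# Constructed listing: an ARX-style round loop, a plain string-copy loop,
# and a short bit-flipping helper without any loop.
SAMPLE_DISASM = """
<crypt_round>:
401000: mov ecx, 32
401005: mov eax, [rdi]
401007: mov edx, [rsi]
401009: rol eax, 5
40100c: xor eax, edx
40100e: add eax, 0x9e3779b9
401013: shr edx, 3
401016: xor edx, eax
401018: and edx, 0xffff
40101e: ror edx, 7
401021: sub ecx, 1
401024: jnz 401009
401026: mov [rdi], eax
401028: ret
<copy_str>:
401030: mov al, [rsi]
401032: mov [rdi], al
401034: inc rsi
401037: inc rdi
40103a: test al, al
40103c: jnz 401030
40103e: ret
<flip_bits>:
401040: not eax
401042: xor eax, 0x55
401045: ret
"""

if __name__ == "__main__":
    print(find_crypto_candidates(SAMPLE_DISASM))  # ['crypt_round']
```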
On the ransomware side, the situation seems to be safe for now. As of today, there is no known instance of ransomware obfuscated through the aforementioned techniques. Contemporary ransomware utilizes binary packers, e.g., UPX, ASPack or PEtite, which are used to compress the compiled code in order to make the size of the executable even smaller. However, malware authors do not confine themselves to well-known packers; they often write their own obfuscator routines and utilize combined packers []. This multi-layer protection may hinder defense systems based on API monitoring (if third party crypto libraries are statically linked) and sandboxing. In the unlucky event of an infection, such a ransomware can be devastating.

White-Box Cryptography

White-box cryptography is the concept of protecting the sensitive data hard-coded in a software implementation [, ]. In particular, the main focus of this domain is to embed secret keys into the implementation in such a way that it is hard to extract them from the compiled binary. An example of a Feistel network based block cipher and its fixed-key white-box implementation are illustrated in Figure . Although white-box cryptography is not a new idea (it was first introduced in ), no secure white-box implementation of the block cipher AES exists yet; for instance, previous proposals have been found to be open to key extraction and table-decomposition attacks []. Nevertheless, white-box cryptography still continues to be an active field of research [, , ].

[Figure : Left, a block cipher algorithm based on the Feistel network structure (inputs: key and plaintext; output: ciphertext). Right, a white-box implementation of that block cipher where a key is hard-coded into the algorithm (input: plaintext only; output: ciphertext).]

Currently, ransomware implementations cannot protect the secret keys in memory during the encryption process. Using this weakness, defense systems can extract these keys using various techniques. For instance, a key escrow like approach monitors calls to known cryptographic APIs (either built in or third party) and stores the parameters of the functions in a vault []. In virtual environments, a point-in-time snapshot of memory would also reveal those keys, and recovery could be possible. Furthermore, some ransomware families encrypt the victim's files using a key which is hard-coded in the ransomware body [ ]. In this case, binary analysis can be utilized to search for static encryption keys in the compiled code. In other words, one can interact with the ransomware and propose solutions if the encryption keys reside unprotected in memory. That being said, key extraction from securely implemented white-box algorithms is meant to be hard. Therefore, the introduction of secure white-box implementations of block ciphers can tip the balance in favor of ransomware authors.

Ransomware of Things

The Internet of Things (IoT) refers to the interconnected network of physical devices that can communicate over the Internet []. An IoT device can be equipped with electronic components, firmware, software, various types of sensors to collect information, and actuators that allow it to interact with the physical environment. Besides electronic devices like televisions, mobile phones and surveillance systems, in today's world cars, planes, buildings, kitchen gadgets and even toys are also connected to the web.

IoT devices have been a part of our daily lives for a long time and can be seen virtually everywhere. However, IoT devices are inherently resource-constrained (CPU with low clock rate, small memory size). As such, the available options for cryptographic algorithms are limited when designing a secure communication protocol [ ]. The security issues with IoT have always been a concern in the information community [], most importantly access control problems. Given the vulnerabilities in IoT devices and the high motivation of cyber criminals, several alarming and threatening ransomware incidents have already occurred, as follows. A ransomware took control of ticket machines of San Francisco's public transportation network and a ransom was claimed []. Furthermore, in Austria, a hotel had to pay a ransom after a ransomware infected its management system and blocked the generation of new cards []. Researchers demonstrated a proof-of-concept that the control of an Internet-enabled thermostat can be taken by a ransomware, allowing them to change the heating settings []. Similarly, a recent security report states that cybercriminals launched a Permanent Denial of Service (PDoS) attack on IoT devices which wipes all data on the device and destroys its firmware and/or basic functions, causing permanent corruption [].

By extending the attack surface, together with the lack of adequate security, IoT has the potential of opening doors to novel ransomware attacks. For example, researchers demonstrated that it is possible to take control of a car and remotely stop it []. Also, another group of researchers showed that 75% of bluetooth

smart door locks can be wirelessly hacked []. Given these facts, it is reasonable to ask the following questions: Consider that your car was remotely stopped in a rural area. Would you pay the ransom to re-activate the car's engine? Likewise, you return home in the middle of the night and see that your door is locked. Would you pay the ransom to get into your home? The picture may become worse for enterprises, as the ransom amounts can be set higher, and this makes enterprises a more plausible target for cyber criminals. But the negative effects of a ransomware attack go beyond the money: the damage to reputation and the work loss should also be counted. Taking into account that the security flaws in IoT devices do not seem to be fixed soon, or even fixable [], ransomware attacks may gravitate towards IoT in the near future.

Socio Technical Attacks

The ultimate goal of cyber-criminals is to obtain as much money as possible. To achieve this, they can become very creative and employ novel marketing strategies. In one of these, a ransomware variant called Popcorn Time offers an option to victims who want to get the decryption keys without paying. The condition is that the first victim infects two other ones and these two victims pay the ransom. Then, the first victim obtains the keys. The initial samples of the Popcorn Time ransomware have an encryption key embedded in the malware body []. Although the key can be extracted from the current sample of Popcorn Time and files can be recovered for now, the previous evolution of ransomware suggests that future samples of Popcorn Time may become more effective.

To this day, the vast majority of famous ransomware families share the same principle. Extortion by holding decryption keys can be expected to succeed when it is vital for victims to regain access to their data. However, on the other side of the medallion, there is another fact. Some data may need to be kept private, such that when leaked, the data owner may lose advantage and/or suffer economical damage. Thus, another way to extort victims can be to exfiltrate sensitive data and ask for a ransom not to make it public. These data types may include trade secrets, financial records, medical history, government documents, details of high-tech projects, blueprints of critical infrastructures, and internal/private communications. For example, the disclosure of data breaches reduced the purchase price of Yahoo by $ million when it was acquired by Verizon []. It comes to mind that, instead of selling the leaked data in the underground market, hackers can try to claim a ransom to get a higher revenue. In another attack, which hit Sony Pictures, hackers compromised the computers and released sensitive data including the company's financial records and e-mail messages of executives []. The contents of the breach put the company in a difficult situation, so that one may ask the question: Would Sony Pictures pay a ransom if attackers demanded it?

Lastly, we would like to point out an important difference between extortion via encryption and extortion via data exfiltration. In the former case, the instance of the threat comes to an end when the victims regain access to their files. In contrast, in the latter case no one can guarantee that anything could restrain cyber-criminals from asking for a ransom again. In this situation, it would be safe to expect that extortion via stealing sensitive information may be an increasing trend in the near future, and to prepare the network infrastructures against this threat.

CONCLUSION

Ransomware is a class of malware whose goal is to extort money, a goal that is facilitated by current anonymous currencies, which guarantee cyber-criminals that they are paid without being traced. Hence we need solid defense systems against what can easily degenerate into a pandemic of digital crimes. However, unlike conventional anti-malware systems, ransomware mitigation does not tolerate mistakes. If the ransomware is implemented properly and the attack succeeds, then the damage taken may be irreversible.

Existing ransomware mitigation systems are built upon the analysis of collected samples, but a better strategy is to anticipate the future and be prepared for the ransomware that will come. In this respect, we described possible threats that ransomware may pose by relying on novel techniques, like rootkits, obfuscation, and white-box cryptography, not yet adopted in real attacks, as well as by targeting critical domains, such as the Internet of Things and socio-technical systems, which will worrisomely amplify the effectiveness of ransomware attacks. Our research is timely, since it is known that we must design products keeping security in mind, not integrating it afterwards, whereas network infrastructures must be carefully configured and fully in order to prevent ransomware attacks through data exfiltration. We hope that our observations help in developing and building more robust defense systems against the ransomware threat.

Acknowledgements. This work is supported by a partnership between "pEp Security SA" and the Interdisciplinary Centre for Security, Reliability and Trust.

Footnotes (packers named in the Obfuscation section):
Ultimate Packer for eXecutables, https://upx.github.io/
ASPack, http://www.aspack.com/aspack.html
PEtite, http://www.unseen.com/petite/

REFERENCES

[] Luigi Atzori, Antonio Iera, and Giacomo Morabito. The Internet of Things: A survey. Computer Networks.
[] Arini Balakrishnan and Chloe Schulze. Code obfuscation literature survey.
[] Marc Beunardeau, Aisling Connolly, Remi Geraud, and David Naccache. White-box cryptography: Security in an insecure environment. IEEE Security & Privacy.
[] Dan Bilefsky. Hackers Use New Tactic at Austrian Hotel: Locking the Doors. (Jan.). Retrieved June from https://www.nytimes.com////world/europe/hotel-austria-bitcoin-ransom.html
[] Andrey Bogdanov and Takanori Isobe. White-Box Cryptography Revisited: Space-Hard Ciphers. In Proc. ACM Conf. Comput. and Commun. Security (CCS).
[] Andrey Bogdanov, Takanori Isobe, and Elmar Tischhauser. Towards Practical Whitebox Cryptography: Optimizing Efficiency and Space Hardness. In Proc. Int. Conf. Theory and Application of Cryptology and Inform. Security (ASIACRYPT).
[] Jean-Marie Borello and Ludovic Mé. Code obfuscation techniques for metamorphic viruses. Journal in Computer Virology.
[] Bromium. Understanding Crypto-Ransomware. Retrieved June from https://www.bromium.com/sites/default/files/rpt-bromium-crypto-ransomware-us-en.pdf
[ ] Thomas M. Chen and Saeed Abu-Nimeh. Lessons from . Computer.
[] Stanley Chow, Philip Eisen, Harold Johnson, and Paul C. Van Oorschot. White-Box Cryptography and an AES Implementation. In Proc. Int. Workshop Select. Areas in Cryptography (SAC).
[] Stanley Chow, Phil Eisen, Harold Johnson, and Paul C. van Oorschot. A White-Box DES Implementation for DRM Applications. In Proc. ACM Workshop on Digital Rights Manage. (DRM).
[] Christian Collberg, Clark Thomborson, and Douglas Low. Manufacturing Cheap, Resilient, and Stealthy Opaque Constructs. In Proc. ACM Symp. Principles of Programming Languages (POPL).
[] Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, and Federico Maggi. ShieldFS: A Self-healing, Ransomware-aware Filesystem. In Proc. Annu. Conf. Comput. Security Applicat. (ACSAC).
[] Paul Ducklin. Popcorn Time ransomware lets you off if you infect two other people. (Dec.). Retrieved July from https://nakedsecurity.sophos.com////popcorn-time-ransomware-lets-you-off-if-you-infect-two-other-people/
[] Shona Ghosh. The massive global cyberattack affecting , victims will cause more chaos on Monday. (May). Retrieved June from http://uk.businessinsider.com/europol-said-there-are--cyberattack-victims-and-the-number-will-go-up--
[] Vindu Goel. Verizon Will Pay $ Million Less for Yahoo. (Feb.). Retrieved July from https://www.nytimes.com////technology/verizon-will-pay--million-less-for-yahoo.html
[] Dan Goodin. Web host agrees to pay $m after it's hit by Linux-targeting ransomware. (June). Retrieved June from https://arstechnica.com/security///web-host-agrees-to-pay-m-after-its-hit-by-linux-targeting-ransomware/
[] Andy Greenberg. Hackers Remotely Kill a Jeep on the Highway—With Me in It. (July). Retrieved June from https://www.wired.com///hackers-remotely-kill-jeep-highway/
[ ] Felix Gröbert, Carsten Willems, and Thorsten Holz. Automated Identification of Cryptographic Primitives in Binary Programs. In Proc. Int. Conf. Recent Advances in Intrusion Detection (RAID).
[] Jayavardhana Gubbi, Rajkumar Buyya, Slaven Marusic, and Marimuthu Palaniswami. Internet of Things (IoT): A vision, architectural elements, and future directions. Future Generation Computer Systems.
[] Peter Hale. Acronis True Image : Artificial Intelligence Meets Intelligent Backup. (Aug.). Retrieved October from https://www.acronis.com/en-us/blog/posts/acronis-true-image--artificial-intelligence-meets-intelligent-backup
[] Greg Hoglund and James Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional.
[] Amanda Holpuch. Sony hack: what we've learned about greed, racism and sexism. (Dec.). Retrieved July from https://www.theguardian.com/technology//dec//sony-pictures-email-hack-greed-racism-sexism
[] Weiwei Hu and Ying Tan. Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN. https://arxiv.org/abs/.
[] Yin Jia, TingTing Lin, and Xuejia Lai. A generic attack against white box implementation of block ciphers. In Proc. Int. Conf. Comput. Inform. and Telecommun. Systems (CITS).
[] Kaspersky. Security Bulletin . (Dec.). Retrieved June from https://securelist.com/files///KSB_Story_of_the_Year_ENG.pdf
[] Amin Kharaz, Sajjad Arshad, Collin Mulliner, William Robertson, and Engin Kirda. UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware. In Proc. USENIX Security Symp. (USENIX Security).
[] Eugene Kolodenker, William Koch, Gianluca Stringhini, and Manuel Egele. PayBreak: Defense Against Cryptographic Ransomware. In Proc. ACM Asia Conf. Comput. and Commun. Security (ASIACCS).
[ ] Ondrej Kubovič. Ransomware is everywhere, but even black hats make mistakes. (April). Retrieved June from https://www.welivesecurity.com////ransomware-is-everywhere-but-even-black-hats-make-mistakes/
[] Security Ledger. FBI's Advice on Ransomware? Just Pay The Ransom. (Oct.). Retrieved June from https://securityledger.com///fbis-advice-on-cryptolocker-just-pay-the-ransom/
[] Pierre Lestringant, Frédéric Guihéry, and Pierre-Alain Fouque. Automated Identification of Cryptographic Primitives in Binary Code with Data Flow Graph Isomorphism. In Proc. ACM Symp. Information Comput. and Commun. Security (ASIACCS).
[] Xin Luo and Qinyu Liao. Awareness Education as the Key to Ransomware Prevention. Information Systems Security.
[] Trend Micro. Kansas Hospital Hit by Ransomware, Extorted Twice. (May). Retrieved June from https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kansas-hospital-hit-by-ransomware-extorted-twice
[] Microsoft. : frequently asked questions. (Jan.). Retrieved June from https://msdn.microsoft.com/en-us/library/windows/hardware/Dn(v=vs.).aspx
[] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf
[] Radware. "BrickerBot" Results In PDoS Attack. (May). Retrieved June from https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/
[] Nolen Scaife, Henry Carter, Patrick Traynor, and Kevin R.B. Butler. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. In Proc. Int. Conf. Distributed Computing Syst. (ICDCS).
[] Bruce Schneier. The Internet of Things Is Wildly Insecure – And Often Unpatchable. (Jan.). Retrieved June from https://www.wired.com///theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/
[ ] Spencer Smith and John Harrison. Rootkits. Retrieved June from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/rootkits.pdf
[] Symantec. An ISTR Special Report: Ransomware and Businesses. (July). Retrieved June from https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR_Ransomware_and_Businesses.pdf
[] Peter Szor. Duqu – Threat Research and Analysis. (Nov.). Retrieved June from https://securingtomorrow.mcafee.com/wp-content/uploads///Duqu.pdf
[] Andrew Tierney. Thermostat Ransomware: a lesson in IoT security. (Aug.). Retrieved June from https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/
[] Xabier Ugarte-Pedrero, Davide Balzarotti, Igor Santos, and Pablo G. Bringas. SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers. In Proc. IEEE Symp. on Security and Privacy (S&P).
[] Cybersecurity Ventures. Ransomware Damage Report. (May). Retrieved June from http://cybersecurityventures.com/ransomware-damage-report---billion/
[] VirusTotal. Scan report. (June). Retrieved July from https://virustotal.com/en/file/fdbffddaefbbeaddacdfcbfbcea/analysis/
[] Paul Wagenseil.  Percent of Bluetooth Smart Locks Can Be Hacked. (Aug.). Retrieved June from http://www.tomsguide.com/us/bluetooth-lock-hacks-defcon,news-.html
[] Elizabeth Weise. Ransomware attack hit San Francisco train system. (Nov.). Retrieved June from https://www.usatoday.com/story/tech/news////san-francisco-metro-hack-meant-free-rides-saturday//
[] Ilsun You and Kangbin Yim. Malware Obfuscation Techniques: A Brief Survey. In Proc. Int. Conf. Broadband, Wireless Computing, Commun. and Applicat. (BWCCA).
[ ] Kai Zhao and Lina Ge. A Survey on the Internet of Things Security. In Proc. Int. Conf. Computational Intelligence and Security (CIS).
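Added example for the White-Box Cryptography section and the key escrow family of defenses (my code, not the paper's, and a toy 16-bit Feistel cipher rather than AES): a fixed-key, table-only implementation of the kind sketched in the section's figure, a stand-in for a PayBreak-style hook on the cipher API showing that the table-only path passes no key through the API, and the key extraction that still works against such naive tables, which is why the section stresses that only a secure white-box design would shift the balance. The S-box, key and plaintext blocks are constructed.

```python
"""Toy Feistel cipher, a fixed-key table version of it, and what a
key-escrow hook on the cipher API sees in each case (constructed example)."""
import random

ROUNDS = 8
# Constructed S-box: a fixed pseudo-random permutation of 0..255.
SBOX = list(range(256))
random.Random(7).shuffle(SBOX)
SBOX_INV = [0] * 256
for _i, _v in enumerate(SBOX):
    SBOX_INV[_v] = _i


def F(x, k):
    """Round function: keyed S-box lookup on an 8-bit half block."""
    return SBOX[x ^ k]


def encrypt_block(block, key):
    """16-bit Feistel cipher; key is 8 bytes, one 8-bit round key per round."""
    assert len(key) == ROUNDS
    L, R = block >> 8, block & 0xFF
    for k in key:
        L, R = R, L ^ F(R, k)
    return (R << 8) | L          # undo the final swap


def decrypt_block(block, key):
    """Feistel decryption is encryption with the round keys reversed."""
    return encrypt_block(block, bytes(reversed(key)))


def make_tables(key):
    """White-box form: one 256-entry table per round with the key folded in.
    Code that uses these tables never touches the key itself."""
    return [[F(x, k) for x in range(256)] for k in key]


def whitebox_encrypt_block(block, tables):
    L, R = block >> 8, block & 0xFF
    for table in tables:
        L, R = R, L ^ table[R]
    return (R << 8) | L


def extract_key(tables):
    """Key extraction against these naive tables: T_i[0] = SBOX[0 ^ k_i],
    so k_i = SBOX_INV[T_i[0]]. A secure white-box design must prevent this."""
    return bytes(SBOX_INV[t[0]] for t in tables)


class EscrowHook:
    """Stand-in for a PayBreak-style interceptor on the cipher's API: every
    key passed to the API is copied into a vault before the call proceeds."""
    def __init__(self):
        self.vault = []

    def encrypt_block(self, block, key):
        if bytes(key) not in self.vault:
            self.vault.append(bytes(key))
        return encrypt_block(block, key)


def recover_with_vault(cipher_blocks, vault, expected_first_block):
    """Try each escrowed key; accept the one that yields the known header."""
    for key in vault:
        plain = [decrypt_block(c, key) for c in cipher_blocks]
        if plain[0] == expected_first_block:
            return plain
    return None


KEY = bytes([0x3A, 0x91, 0x7C, 0x05, 0xE2, 0x48, 0xB7, 0x1F])   # constructed
PLAINTEXT = [0x2550, 0x4446, 0x2D31]   # the bytes "%PDF-1", a known file header


def demo():
    hook = EscrowHook()
    # Case 1: the key goes through the hooked API, so escrow recovery works.
    ct1 = [hook.encrypt_block(b, KEY) for b in PLAINTEXT]
    recovered = recover_with_vault(ct1, hook.vault, PLAINTEXT[0])
    # Case 2: table-only code encrypts without calling the keyed API; the hook
    # sees nothing, but the naive tables still give the key away.
    hook2 = EscrowHook()
    tables = make_tables(KEY)
    ct2 = [whitebox_encrypt_block(b, tables) for b in PLAINTEXT]
    return {
        "escrow_recovered": recovered,
        "same_ciphertext": ct1 == ct2,
        "whitebox_vault_size": len(hook2.vault),
        "whitebox_escrow_recovered": recover_with_vault(ct2, hook2.vault, PLAINTEXT[0]),
        "key_from_tables": extract_key(tables),
    }


if __name__ == "__main__":
    print(demo())
```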