
Ph.D. Thesis Proposal

Techniques and Solutions for Addressing Attacks

Amin Kharraz

College of Computer and Information Science

Northeastern University

Ph.D. Committee

Engin Kirda Advisor, Northeastern University

William Robertson Advisor, Northeastern University

Manuel Egele External Member, Boston University

Long Lu Northeastern University – Stony Brook University

July 2017

Abstract

Ransomware is a form of extortion-based attack that locks the victim's digital resources and demands money to release them. Although the concept of ransomware is not new (such attacks date back at least as far as the 1980s), this type of malware has recently experienced a resurgence in popularity. Over the last few years, a number of high-profile ransomware attacks were reported; very recently, WannaCry infected thousands of vulnerable machines around the world and substantially disrupted critical services such as the British healthcare system. Given the size and variety of the threats we face today, solutions that effectively detect and analyze unknown ransomware attacks are necessary. In this thesis, we argue that it is possible to extend existing defense mechanisms and protect user data from a large number of ransomware attacks with zero data loss. To support this claim, in the first part of the thesis we perform an evolution-based analysis to understand the destructive behavior of ransomware attacks. We show that by monitoring the interaction of malicious processes with the operating system, it is possible to design practical defense mechanisms that can stop even very successful cryptographic ransomware attacks. In the second part, we propose a novel dynamic analysis system, called Unveil, that is designed to analyze ransomware attacks and model their interactions. In the third and last part, we propose an end-point framework, called Redemption, to protect user data from ransomware attacks. We present an operating-system-independent design and provide implementation details showing that such lightweight solutions can be integrated into existing operating systems while achieving zero data loss against a large number of successful ransomware attacks.

Contents

1 Introduction
  1.1 Focus of this Work
  1.2 Related Work

2 An Analysis on Current Ransomware Attacks
  2.1 Ransomware Dataset
  2.2 Developing the Monitoring Tool
  2.3 Characterization and Evolution

3 A Dynamic Analysis Approach to Detecting Ransomware
  3.1 System Design
  3.2 Analysis and Findings
  3.3 Detecting Zero-Day Ransomware

4 Protecting End-Points from Ransomware Attacks
  4.1 System Design
  4.2 Dataset
  4.3 Analysis on Labeled Data

5 Future Work and Timeline
  5.1 Evaluating the Redemption Prototype
  5.2 Timeline

1 Introduction

Malware attacks remain one of the most popular attack vectors in the wild [60, 47]. Among all classes of malware, ransomware has recently become very popular among malware authors [9, 16, 20, 26]. Ransomware is a kind of scareware that locks the victims' computers until they make a payment to regain access to their data. This class of malware is not a new concept (such attacks have been in the wild for more than a decade), but the growing number of high-profile ransomware attacks has raised concerns about how to defend against it. In 2016, several public and private sectors, including the healthcare industry, were impacted by ransomware [13, 10, 66]. Lately, US officials have also expressed their concerns about ransomware [23, 30], and even asked the U.S. government to focus on fighting ransomware under the Cybersecurity National Action Plan [30]. Very recently, WannaCry, the most recent successful ransomware attack, impacted thousands of users around the world by exploiting an SMB vulnerability in Windows with the EternalBlue exploit, encrypting user data, and demanding bitcoin payments in exchange for unlocking files [48]. In response to the increasing number of ransomware attacks, users are often advised to create backups of their critical data. Certainly, a reliable data backup policy minimizes the potential cost of a ransomware infection and is an important part of IT management. However, the growing number of paying victims [11, 51, 24] suggests that technically unsophisticated users, who are the main target of these attacks, do not follow these recommendations and easily become paying victims. Hence, ransomware authors continue to create new attacks and evolve their creations, as evidenced by the emergence of more sophisticated ransomware every day [62, 8, 60, 53].

Unfortunately, many of the recent security reports about ransomware [19, 31, 32, 60, 61, 47] mainly focus on the advancements in ransomware attacks and their level of sophistication, rather than providing insights into effective defense techniques against this threat. Furthermore, the current mechanisms to detect, analyze, and defend against ransomware are not very different from those used against other types of evasive malware. The main assumption here is that this class of malware employs all possible evasion techniques, similar to other classes of malware, to bypass detection tools, reach end users, and successfully launch attacks. While this is a valid assumption, we claim that these mechanisms do not lead to the best defense against ransomware, as evidenced by the increasing number of very successful ransomware attacks in the wild.

1.1 Focus of this Work

In this thesis, we investigate the feasibility of developing solutions to detect and analyze ransomware attacks. The thesis of this dissertation is that, unlike other malware, the nature of ransomware attacks is not very broad, and protecting against a large number of them is possible. We argue that ransomware attacks follow very similar patterns in order to be successful and force victims to pay the ransom. For example, unlike other classes of malware that aim to be stealthy, collecting banking credentials or keystrokes without raising suspicion, ransomware notifies victims that they are infected. Moreover, a successful ransomware attack usually needs to prevent users' access to their own data by performing encryption and/or deletion operations, and it repeats these destructive actions throughout the attack. This thesis aims to show that if we use these insights on the defense side and accurately model these behaviors, we can reliably detect a significant number of ransomware attacks in the wild.

In the first part of this thesis, we perform an evolution-based analysis of ransomware attacks to understand their main characteristics. This work is motivated by our need to study the core functionalities of these attacks from a filesystem perspective. To this end, we created a dataset of ransomware samples that covers the majority of the ransomware families observed in the wild. We designed and implemented a kernel-level module to closely monitor the interaction of user-mode processes with the filesystem. Our analysis shows that different classes of ransomware attacks with multiple levels of sophistication share very similar characteristics from a filesystem perspective due to the nature of these attacks.

In the second part of this thesis, we present a novel dynamic analysis system, called Unveil, that is designed to analyze ransomware attacks and model their behaviors. In our approach, the system automatically creates an artificial but realistic execution environment and monitors how ransomware interacts with that environment. We evaluated Unveil using more than 148,000 distinct samples belonging to different malware families. The evaluation shows that our approach was able to correctly detect 13,637 ransomware samples from multiple ransomware families in a real-world data feed with zero false positives. Our analysis shows that Unveil can significantly enhance current anti-malware solutions with regard to ransomware.

In the third part of the thesis, we investigate the possibility of protecting user data from ransomware attacks at end hosts with zero data loss. To this end, we propose a general framework, called Redemption, to augment the operating system with ransomware protection capabilities. Redemption does not require any significant changes to the semantics of the underlying filesystem functionality, nor modifications to the architecture of the operating system.

1.2 Related Work

Malware attacks are an important problem that has been extensively investigated in security research over the last couple of years. For example, a number of approaches have been proposed to describe program behavior, from analyzing byte patterns [42, 59, 57, 67] to transparently running programs in malware analysis systems [6, 36, 35, 63]. Early steps to analyze and capture the main intent of a program focused on control flow analysis. Kruegel et al. [40] and Bruschi et al. [14] showed that by modeling programs based on their instruction-level control flow, it is possible to bypass some forms of obfuscation. Similarly, Christodorescu et al. [18] used instruction-level control flow to design obfuscation-resilient detection systems. Later work focused on analyzing and detecting malware using higher-level semantic characterizations of their runtime behavior derived from sequences of system call invocations and OS resource accesses [37, 38, 17, 46, 58, 68]. To analyze the malicious behavior of malware samples, dynamic analysis tools have become popular over the last few years. Most of these techniques depend on extracting system call or Windows API call traces using sandboxing techniques. For example, CWSandbox [65] and Norman Sandbox [5] trace API calls, while [12] and Panorama [68] are examples of emulation-based malware analysis systems that can perform data-flow analysis. More recently, BareCloud [36] has been proposed, a bare-metal analysis system to detect evasive malware samples.

A first report on specific ransomware families was made by Gazet, who analyzed three ransomware families including Krotten and Gpcode [25]. The recent resurgence of ransomware attacks has attracted the attention of several researchers once more. Kharraz et al. [34] analyzed 15 ransomware families, including desktop lockers and cryptographic ransomware, and provided an evolution-based study of ransomware attacks. The authors concluded that a significant number of ransomware samples in the wild follow a very similar strategy to attack user files and can be distinguished from benign processes. In another work, Kharraz et al. [33] proposed Unveil, a dynamic analysis system that is specifically designed to assist reverse engineers in analyzing the intrinsic behavior of an arbitrary ransomware sample. Scaife et al. [52] proposed CryptoDrop, which is built upon the premise that the malicious process aggressively encrypts user files. As a limitation of CryptoDrop, the authors state that the tool does not provide any recovery or minimal-data-loss guarantees; their approach detects a ransomware attack after a median of ten file losses. Very recently, Continella et al. [21] and Kolodenker et al. [39] proposed protection schemes to detect ransomware. Continella et al. [21] proposed ShieldFS, which has a goal similar to ours: the authors also look at the filesystem layer to find typical ransomware activity. While ShieldFS is a significant improvement over the status quo, it would be desirable to complement it with a more generic approach that is also resistant to unknown cryptographic functions. Unlike ShieldFS, the approach we propose in Section 4 does not rely on cryptographic primitive identification.

Kolodenker et al. [39] proposed PayBreak, which securely stores cryptographic encryption keys in a vault that is used to decrypt affected files after a ransomware attack. PayBreak intercepts calls to functions that provide cryptographic operations, encrypts the symmetric encryption keys, and stores the results in the key vault. After a ransomware attack, the user can decrypt the key vault with their private key and decrypt the files without making any payment. As mentioned earlier, our proposed solution in Section 4 does not depend on any hooking technique to identify cryptographic functions. Furthermore, the detection accuracy of the framework is not impacted by the type of packer a ransomware family may use to evade common anti-malware systems. This makes our proposed technique a more generic solution to the same problem space. This dissertation proposal consists of the following sections: in Section 2, we provide an overview of current ransomware attacks and the techniques they use. In Section 3, we describe a dynamic analysis system that is specifically designed to detect and analyze ransomware samples. Section 4 describes an end-point solution to protect the consistent state of user data during a ransomware attack. In Section 5, we briefly explain our milestones, the proposed research plan, and the timeline to complete each task.

2 An Analysis on Current Ransomware Attacks

Given the significant growth of ransomware attacks [9, 16, 20, 26], it is very important to understand how ransomware payloads are developed, how they have evolved over time, and how the malicious process attacks user data. Answering these questions allows us to develop models that look for specific behaviors in ransomware attacks. Currently, most of the recent security reports about ransomware [62, 8, 60, 53] rely on ad-hoc procedures rather than a scientific assessment. These reports mainly focus on the advancements in ransomware attacks and their level of sophistication, rather than providing insights into effective defense techniques against this threat. As a first step, we investigate the key functionalities of ransomware attacks to understand how they differ from other malware behaviors, so that we can construct accurate models to detect unknown ransomware attacks.

2.1 Ransomware Dataset

To build the ransomware dataset, we collected malware samples from multiple sources such as Anubis, a public malware analysis system, a set of public malware repositories [4, 2, 1], and by manually browsing security forums [45, 3]. We collected 3,921 ransomware samples from all these sources. However, after removing the samples that did not execute properly in our analysis environment, our dataset contained a total of 1,359 active ransomware samples from 15 ransomware families. To obtain accurate labels for these samples, we cross-checked the malware samples by automatically submitting the list of MD5 hashes to VirusTotal. To be conservative in our ransomware selection, we consider a sample to be ransomware if at least three AV engines recognized it as belonging to this category. Table 1 shows the set of ransomware families we used in our experiments.

Table 1: The list of malware families used in our experiments. The first five columns describe the family; the last four mark the types of attacks observed.

Family          | Samples       | Variants | First Seen | Most Recent | Encrypting Files | Changing MBR | Deleting Files | Stealing Info
----------------|---------------|----------|------------|-------------|------------------|--------------|----------------|--------------
Reveton         | 244 (17.95%)  | 14       | 2012       | 2014        |                  |              | ✓              | ✓
Cryptolocker    | 32 (2.35%)    | 4        | 2013       | 2014        | ✓                |              | ✓              |
CryptoWall      | 11 (0.81%)    | 2        | 2014       | 2014        | ✓                |              |                |
Tobfy           | 122 (8.97%)   | 12       | 2010       | 2014        |                  |              | ✓              |
Seftad          | 23 (1.69%)    | 4        | 2006       | 2010        |                  | ✓            |                |
Winlock         | 308 (22.66%)  | 27       | 2008       | 2013        |                  |              | ✓              |
Loktrom         | 4 (0.29%)     | 2        | 2012       | 2013        |                  |              |                |
Calelk          | 9 (0.66%)     | 2        | 2009       | 2010        |                  |              |                |
Urausy          | 523 (38.48%)  | 16       | 2009       | 2014        |                  |              | ✓              | ✓
Krotten         | 17 (1.25%)    | 3        | 2008       | 2009        |                  |              | ✓              |
BlueScreen      | 4 (0.29%)     | 1        | 2008       | 2009        |                  |              | ✓              |
Kovter          | 8 (0.58%)     | 2        | 2013       | 2013        |                  |              | ✓              |
Filecoder       | 9 (0.66%)     | 3        | 2012       | 2014        | ✓                |              | ✓              |
GPcode          | 21 (1.54%)    | 4        | 2004       | 2008        | ✓                |              |                |
Weelsof         | 24 (1.76%)    | 3        | 2012       | 2013        |                  |              | ✓              |
No. of Samples  | 1,359         | -        | -          | -           | 73 (5.37%)       | 23 (1.69%)   | 484 (35.61%)   | 44 (3.23%)
No. of Variants | -             | 99       | -          | -           | 13 (13.13%)      | 4 (4.04%)    | 29 (29.29%)    | 6 (6.06%)

2.2 Developing the Monitoring Tool

One of our first goals in this project is to describe how a malicious process interacts with the filesystem when a machine is under a ransomware attack. To answer this question, we investigate the common characteristics of ransomware attacks from a filesystem perspective, regardless of the technical differences these attacks might have (such as the infection and key generation techniques). Multiple approaches could be used to monitor filesystem activity. One classic approach is to hook the System Service Descriptor Table (SSDT) [28, 41] to intercept interesting system calls. In our analysis, we developed a minifilter driver [49] to capture all I/O requests that the I/O manager generates on behalf of user-mode processes to access the filesystem. To monitor the I/O requests, we define pre- and post-operation callback routines that precisely record any I/O and transaction activity on files. For each filesystem request, we collect the process name, the process ID, the parent process ID, the pre-operation and post-operation callback times, the IRP type, the arguments, and the result of the operation. Our minifilter driver runs in privileged kernel mode and has access to nearly all objects of the operating system. Furthermore, since we capture the filesystem activity directly from the Windows I/O manager in the kernel, there is little chance that malware authors could bypass our monitor with user-mode code.

2.3 Characterization and Evolution

In this project, the characterization of ransomware attacks was based on 1,359 ransomware samples from 15 families that have emerged over the last few years. Encryption and deletion operations are two important components of most recent ransomware attacks, as they allow the malicious payload to prevent access to digital resources and minimize the chance of regaining access to them. We analyzed these two operations by running malware samples in an isolated environment and monitoring the filesystem activity traces. Our results show that a significant number of ransomware families share very similar characteristics in the core part of the attack, but still lack reliable destructive functions to successfully target victims' files. We also observed that the suspicious filesystem activity of multiple types of destructive ransomware families can be reliably extracted. More specifically, when looking at the execution traces of malware programs, we observed that the way malicious processes generate requests to access the filesystem is significantly different from benign processes. Different classes of ransomware attacks with multiple levels of sophistication share very similar characteristics from a filesystem perspective due to the nature of these attacks. Unlike recent discussions in the security community about ransomware attacks, our analysis suggests that implementing practical defense mechanisms is still possible if we effectively monitor filesystem activity, for example the changes in the Master File Table (MFT) or the types of I/O Request Packets (IRPs) generated on behalf of processes to access the filesystem.

3 A Dynamic Analysis Approach to Detecting Ransomware

Today, an important enabler for behavior-based malware detection is dynamic analysis. These systems execute a captured malware sample in a controlled environment and record its behavior (e.g., system calls, API calls, and network traffic). Unfortunately, malware detection systems that focus on stealthy malware behavior (e.g., suspicious operating system functionality for keylogging) might fail to detect ransomware, because this class of malicious code engages in activity that appears similar to that of benign applications that use encryption or compression. Furthermore, these systems are currently not well suited for detecting the specific behaviors that ransomware engages in, as evidenced by misclassifications of ransomware families by AV scanners [15, 55]. In this section, we propose a novel dynamic analysis system that is designed to analyze ransomware attacks and model their behaviors. In our approach, the system automatically creates a realistic execution environment and monitors how ransomware interacts with that environment. Closely monitoring process interactions with the filesystem allows the system to precisely characterize cryptographic ransomware behavior. In parallel, the system tracks changes to the computer's desktop that indicate ransomware-like behavior. The key insight is that in order to be successful, ransomware will need to access and tamper with a victim's files or desktop. Our automated approach, called Unveil, allows the system to analyze many malware samples at a large scale and to reliably detect and flag those that exhibit ransomware-like behavior. In addition, the system is able to provide insights into how the ransomware operates and how to automatically differentiate between different classes of ransomware.

3.1 System Design

In this section, we describe our techniques for detecting multiple classes of ransomware attacks.

Generating Artificial User Environments: Protecting malware analysis environments against fingerprinting techniques is non-trivial in a real-world deployment. Sophisticated malware authors exploit static features inside analysis systems (e.g., the name of the computer) and launch reconnaissance-based attacks [44] to fingerprint both public and private malware analysis systems. The static features of analysis environments can be viewed as the Achilles' heel of malware analysis systems. One static feature that can have a significant impact on the effectiveness of malware analysis systems is the user data, which can be effectively used to fingerprint the analysis environment. That is, even on bare-metal environments where classic tricks such as virtualization checks are not possible, an unrealistic-looking user environment can be a telltale sign that the code is running in a malware analysis system. Intuitively, a possible approach to address such reconnaissance attacks is to build the user environment in such a way that the user data is valid, realistic, and non-deterministic in each malware run. These automatically generated user environments serve as an "enticing target" that encourages ransomware to attack user data while preventing the possibility of being recognized by adversaries. Before each run, Unveil automatically generates an artificial, yet realistic, user environment for the ransomware.

Filesystem Activity Monitor: The first core component of Unveil is a filesystem monitor, which is used to collect filesystem activity during a cryptographic ransomware attack. The filesystem monitor in Unveil has direct access to the data buffers involved in I/O requests, giving the system full visibility into all filesystem modifications. Figure 1 shows a high-level design of Unveil in the Windows environment. For all of the cryptographic ransomware samples that we studied, we empirically observed that these samples issue I/O traces that exhibit distinctive, repetitive patterns. This is due to the fact that these samples each use a single, specific strategy to deny access to user data. This attack strategy is accurately reflected in the form of I/O access patterns that are repeated for each file when performing the attack. Consequently, these I/O access patterns can be extracted as a distinctive I/O fingerprint for a particular family. We note that our approach mainly considers write and delete requests. We elaborate on extracting I/O access patterns per file below. For every read and write request to a file, Unveil computes the entropy of the corresponding data buffer. Comparing the entropy of read and write requests to and from the same file offset serves as an excellent indicator of cryptographic ransomware behavior, because the common strategy is to read in the original file data, encrypt it, and overwrite the original data with the encrypted version. The system uses Shannon entropy [43] for this computation.

[Figure 1 is a block diagram. User-mode processes (Process 1 ... Process N) issue read, write and delete requests; in kernel mode these pass through the I/O scheduler into the Unveil I/O access monitor, which on I/O monitor ENTER identifies file I/O requests and the issuing process and records the request, and on I/O monitor EXIT calculates the entropy of the file's data buffer per I/O type, before the request continues to the filesystem driver and the physical device.]

Figure 1: Overview of the design of the I/O access monitor in Unveil. The module monitors system-wide filesystem accesses of user-mode processes. This allows Unveil to have full visibility into interactions with user files.

Constructing Access Patterns: For each execution, after Unveil generates I/O access traces for the sample, it sorts the I/O access requests based on file names and request timestamps. This allows the system to extract the I/O access sequence for each file in a given run, and to check which processes accessed each file. The key idea is that after sorting the I/O access requests per file, repetition can be observed in the way I/O requests are generated on behalf of the malicious process. The particular detection criterion used by the system to detect ransomware samples is to identify write and delete operations in the I/O sequences of each malware run. In a successful ransomware attack, the malicious process typically aims to encrypt, overwrite, or delete user files at some point during the attack. In Unveil, these I/O request patterns raise an alarm and are detected as suspicious filesystem activity. We studied different cryptographic ransomware samples across different ransomware families. Our analysis shows that although these attacks can be very different in their attack strategies (e.g., evasion techniques, key generation, key management, connecting to C&C servers), they can be categorized into three main classes of attacks based on their access requests. Figure 2 shows the high-level access patterns for the ransomware families we studied during our experiments. For example, pattern (1) in Figure 2 is indicative of Cryptolocker variants that have varying key lengths and desktop locking techniques; the access pattern nevertheless remains constant across the variants of the family. We observed the same I/O activity for samples in the CryptoWall family as well. While these are identified as two different ransomware families, since they use the same encryption functions to encrypt files (i.e., the Microsoft CryptoAPI), they have similar I/O patterns when they attack user files. As another example, in the FileCoder family, the ransomware first creates a new file, reads data from a victim's file, generates an encrypted version of the original data, writes the encrypted data buffer to the newly generated file, and simply unlinks the original user's file (pattern (2) in Figure 2). In this class of cryptographic ransomware, the malware does not wipe the original file's data from the disk. For attack approaches like this, victims have a high chance of recovering their data without paying the ransom. In the third approach (pattern (3) in Figure 2), however, the ransomware creates a new encrypted file based on the original file's data and then securely deletes the original file's data using either standard Windows APIs or custom overwriting implementations (e.g., the CrypVault family).

[Figure 2 is an I/O sequence diagram; the per-file request sequences it shows are:
(1) overwrite: File x: Open, Read, Write, Close.
(2) read, encrypt, delete: File x: Open, Read, Close; File x.locked: Open, Write, Close; File x: Open, Delete, Close.
(3) read, encrypt, overwrite: File x: Open, Read, Close; File x.locked: Open, Write, Close; File x: Open, Read, Write, Close.]

Figure 2: Strategies differ across ransomware families with respect to I/O access patterns. (1) Attacker overwrites the user's file with an encrypted version; (2) Attacker reads, encrypts and deletes files without wiping them from storage; (3) Attacker reads, creates a new encrypted version, and securely deletes the original files by overwriting the content.
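The trace record of Section 2.2 and the per-file sorting, read/write entropy comparison and three-way strategy classification described above, as an added example. This is not the Unveil code (which is a Windows minifilter plus offline analysis): the trace below is constructed, IoRecord is a hypothetical record type carrying the fields listed in Section 2.2, and ENTROPY_JUMP_BITS and HIGH_ENTROPY_BITS are assumed thresholds, not values from the proposal.

```python
"""Offline analysis of a filesystem I/O trace in the style of the Unveil I/O
monitor.  Added example, not the proposal's own code: the records carry the
fields listed in Section 2.2, the trace is constructed, and ENTROPY_JUMP_BITS
and HIGH_ENTROPY_BITS are assumed thresholds."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IoRecord:
    ts: int            # pre-operation callback time (monotonic, constructed)
    pid: int
    ppid: int
    process: str
    op: str            # IRP type reduced to "read" | "write" | "delete"
    path: str
    offset: int = 0
    data: bytes = b""  # data buffer the minifilter sees; empty for delete


ENTROPY_JUMP_BITS = 2.0   # assumed: a write replacing a read must be this much denser
HIGH_ENTROPY_BITS = 7.0   # assumed: a newly created file this dense is treated as ciphertext


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 when
    every byte value is equally frequent."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def per_file_sequences(trace):
    """Sort the trace by (path, timestamp) and group it per (pid, path): the
    per-file access sequence Unveil inspects for repetition."""
    seqs = defaultdict(list)
    for r in sorted(trace, key=lambda r: (r.path, r.ts)):
        seqs[(r.pid, r.path)].append(r)
    return seqs


def classify_process(trace, pid):
    """Map each file the process read to the Figure 2 strategy it suffered:
    'overwrite' (1), 'encrypt-delete' (2) or 'encrypt-wipe-delete' (3).
    Files showing no destructive pattern are omitted."""
    seqs = per_file_sequences(trace)
    mine = {path: recs for (p, path), recs in seqs.items() if p == pid}
    originals = [p for p, recs in mine.items() if recs[0].op == "read"]
    created = [p for p, recs in mine.items() if recs[0].op == "write"]
    wrote_ciphertext = any(
        shannon_entropy(r.data) >= HIGH_ENTROPY_BITS
        for p in created for r in mine[p] if r.op == "write")
    verdicts = {}
    for path in originals:
        recs = mine[path]
        read_entropy = {r.offset: shannon_entropy(r.data) for r in recs if r.op == "read"}
        # a write at an offset read earlier, with a much denser buffer: in-place encryption
        entropy_jump = any(
            r.op == "write" and r.offset in read_entropy
            and shannon_entropy(r.data) - read_entropy[r.offset] >= ENTROPY_JUMP_BITS
            for r in recs)
        wrote_back = any(r.op == "write" for r in recs)
        deleted = any(r.op == "delete" for r in recs)
        if entropy_jump and not deleted:
            verdicts[path] = "overwrite"
        elif wrote_ciphertext and deleted and not wrote_back:
            verdicts[path] = "encrypt-delete"
        elif wrote_ciphertext and deleted and wrote_back:
            verdicts[path] = "encrypt-wipe-delete"
    return verdicts


def detect(trace):
    """Return {pid: verdicts} for every process that showed a Figure 2 pattern."""
    alerts = {}
    for pid in sorted({r.pid for r in trace}):
        verdicts = classify_process(trace, pid)
        if verdicts:
            alerts[pid] = verdicts
    return alerts


# Constructed buffers: repetitive ASCII (low entropy) and a permutation of all
# 256 byte values standing in for a ciphertext block (exactly 8 bits/byte).
PLAIN = b"Quarterly report: revenue up 4%, costs flat. " * 6
CIPHER = bytes((i * 97 + 13) % 256 for i in range(256))
WIPE = bytes(len(PLAIN))
U = "C:/Users/alice/Documents/"

TRACE = [  # constructed trace; pids, names and paths are invented
    IoRecord(1, 1001, 400, "svchost.exe", "read", U + "doc1.docx", 0, PLAIN),     # pattern (1)
    IoRecord(2, 1001, 400, "svchost.exe", "write", U + "doc1.docx", 0, CIPHER),
    IoRecord(3, 1002, 400, "update.exe", "read", U + "doc2.docx", 0, PLAIN),      # pattern (2)
    IoRecord(4, 1002, 400, "update.exe", "write", U + "doc2.docx.locked", 0, CIPHER),
    IoRecord(5, 1002, 400, "update.exe", "delete", U + "doc2.docx"),
    IoRecord(6, 1003, 400, "vault.exe", "read", U + "doc3.docx", 0, PLAIN),       # pattern (3)
    IoRecord(7, 1003, 400, "vault.exe", "write", U + "doc3.docx.locked", 0, CIPHER),
    IoRecord(8, 1003, 400, "vault.exe", "write", U + "doc3.docx", 0, WIPE),
    IoRecord(9, 1003, 400, "vault.exe", "delete", U + "doc3.docx"),
    IoRecord(10, 2001, 400, "notepad.exe", "read", U + "notes.txt", 0, PLAIN),   # benign editor
    IoRecord(11, 2001, 400, "notepad.exe", "write", U + "notes.txt", 0, PLAIN + b" Edited."),
    IoRecord(12, 2002, 400, "7z.exe", "read", U + "doc4.docx", 0, PLAIN),         # benign archiver
    IoRecord(13, 2002, 400, "7z.exe", "write", U + "doc4.zip", 0, CIPHER),
]

if __name__ == "__main__":
    for pid, verdicts in detect(TRACE).items():
        for path, strategy in verdicts.items():
            print(f"pid {pid}: {strategy:<20} {path}")
```

The two benign processes are the caveat the text raises: an editor that rewrites a file in place produces the same Open/Read/Write/Close sequence as pattern (1) and is separated only by the entropy comparison at the same offset, and an archiver that writes a high-entropy output file is separated from pattern (2) only by the absence of the delete. An editor that saves to a temporary file and then unlinks the original would match pattern (2) structurally and is distinguished here solely by the entropy of the new file.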

Detecting Screen Lockers: The second core component of Unveil is aimed at detecting screen locker ransomware. The key insight behind this component is that the attacker must display a ransom note to the victim in order to receive a payment. In most cases, the message is prominently displayed, covering a significant part, or all, of the display. As this ransom note is a virtual invariant of ransomware attacks, Unveil aims to automatically detect the display of such notes.

The approach adopted by Unveil to detect screen-locking ransomware is to monitor the desktop of the victim machine and to attempt to detect the display of a ransom note. Similar to Grier et al. [27], we take automatic screenshots of the analysis desktop before and after the sample is executed. The screenshots are captured from outside of the dynamic analysis environment to prevent potential tampering by the malware. This series of screenshots is analyzed and compared using image analysis methods to determine whether a large part of the screen has suddenly changed between captures. Smaller changes in the image, such as the location of the mouse pointer, the current date and time, new desktop icons, windows, and visual changes in the task bar, should be rejected as inconsequential. In Unveil, we measure the structural similarity (SSIM) [64] of two screenshots, before and after sample execution, by comparing local patterns of pixel intensities in terms of luminance and contrast as well as the structure of the two images. Extracting structural information is based on the observation that pixels have strong inter-dependencies, especially when they are spatially close. These dependencies carry information about the structure of the objects in the image. After a successful ransomware attack, the display of the ransom note often results in automatically identifiable changes in the structural information of the screenshot (e.g., a large rectangular object covers a large part of the desktop). Therefore, the similarity of the pre- and post-attack images decreases significantly, and this can be used as an indication of ransomware. Unveil also extracts the text within the area where the structure of the image has changed. The system extracts the text inside the selected area and searches for specific keywords that are highly correlated with ransom notes.

Given two screenshots X and Y, we define the overall similarity between them as the arithmetic mean of the local similarities of the image contents. We define a similarity threshold τ_sim such that Unveil considers the sample a potential screen-locking ransomware if the structural similarity score between the two images falls below the threshold. Unveil then extracts the text within the modified area of the image and searches for ransomware-related words. Applying the image similarity test with the best similarity threshold (see Section 3.2) gives us the highest recall with 100% precision for the entire dataset.
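The screen-locker check described above, as an added example that is not the Unveil code: a windowed SSIM over two synthetic grayscale screenshots, the mean taken as the overall similarity, the bounding box of the windows whose structure changed (the area the text extraction would be pointed at), and a keyword scan over that region's text. The screenshots are constructed arrays; the window size, TAU_SIM and RANSOM_KEYWORDS are assumed values, and the OCR step is replaced by passing the region's text in directly.

```python
"""Screen-locker check in the style of Unveil's desktop monitor: block-wise
structural similarity (SSIM) between the pre- and post-execution screenshots,
the bounding box of the blocks whose structure changed, and a keyword scan of
the text found in that region.  Added example, not the proposal's own code:
the screenshots are synthetic grayscale arrays, and TAU_SIM, BLOCK and
RANSOM_KEYWORDS are assumed values."""

W, H, BLOCK = 64, 48, 8                         # synthetic screenshot size and SSIM window
C1, C2 = (0.01 * 255) ** 2, (0.03 * 255) ** 2   # standard SSIM stabilisers for 8-bit pixels
TAU_SIM = 0.8                                   # assumed threshold on the mean similarity
RANSOM_KEYWORDS = ("bitcoin", "decrypt", "your files", "payment")  # assumed vocabulary


def render_desktop():
    """Constructed 'before' screenshot: a deterministic textured desktop."""
    return [[(7 * x + 13 * y) % 256 for x in range(W)] for y in range(H)]


def paste_rect(img, x0, y0, x1, y1, value):
    """Copy of img with the rectangle [x0, x1) x [y0, y1) filled with one value."""
    out = [row[:] for row in img]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = value
    return out


def ssim_window(a, b):
    """SSIM of two equally sized pixel lists: luminance, contrast and structure
    terms combined in the usual closed form."""
    n = len(a)
    mu_a, mu_b = sum(a) / n, sum(b) / n
    var_a = sum((p - mu_a) * (p - mu_a) for p in a) / n
    var_b = sum((q - mu_b) * (q - mu_b) for q in b) / n
    cov = sum((p - mu_a) * (q - mu_b) for p, q in zip(a, b)) / n
    return ((2 * mu_a * mu_b + C1) * (2 * cov + C2)) / (
        (mu_a * mu_a + mu_b * mu_b + C1) * (var_a + var_b + C2))


def block_scores(before, after):
    """(x0, y0, ssim) for every BLOCK x BLOCK window of the two screenshots."""
    scores = []
    for y0 in range(0, H, BLOCK):
        for x0 in range(0, W, BLOCK):
            a = [before[y][x] for y in range(y0, y0 + BLOCK) for x in range(x0, x0 + BLOCK)]
            b = [after[y][x] for y in range(y0, y0 + BLOCK) for x in range(x0, x0 + BLOCK)]
            scores.append((x0, y0, ssim_window(a, b)))
    return scores


def mean_ssim(before, after):
    """Overall similarity: arithmetic mean of the per-window SSIM values."""
    scores = block_scores(before, after)
    return sum(s for _, _, s in scores) / len(scores)


def changed_region(before, after, window_threshold=0.5):
    """Bounding box (x0, y0, x1, y1) of the windows whose structure changed,
    i.e. the area text extraction would run on; None if nothing changed."""
    hit = [(x0, y0) for x0, y0, s in block_scores(before, after) if s < window_threshold]
    if not hit:
        return None
    return (min(x for x, _ in hit), min(y for _, y in hit),
            max(x for x, _ in hit) + BLOCK, max(y for _, y in hit) + BLOCK)


def is_screen_locker(before, after, region_text, tau=TAU_SIM):
    """Decision in the Unveil style: the desktop changed structurally (mean
    SSIM below tau) and the changed area carries ransom vocabulary.
    region_text stands in for the OCR output of changed_region()."""
    sim = mean_ssim(before, after)
    if sim >= tau:
        return False, sim, []
    hits = [k for k in RANSOM_KEYWORDS if k in region_text.lower()]
    return bool(hits), sim, hits


if __name__ == "__main__":
    before = render_desktop()
    locked = paste_rect(before, 8, 8, 56, 40, 30)     # ransom window covers most of the desktop
    cursor = paste_rect(before, 20, 20, 24, 24, 255)  # only the mouse pointer moved
    print(changed_region(before, locked))
    print(is_screen_locker(before, locked, "Your files are encrypted. Pay 2 bitcoin to decrypt them."))
    print(is_screen_locker(before, cursor, ""))
```

The two synthetic "after" images exercise the two cases the text distinguishes: a large uniform rectangle zeroes the contrast and structure terms of every window it covers, so the mean similarity drops far below the threshold and the bounding box of the low-scoring windows is exactly the rectangle, whereas a moved pointer touches a single window and leaves the mean close to 1.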

3.2 Analysis and Findings

We evaluated Unveil's detection accuracy by running two experiments. The goal of the first experiment is to demonstrate that the system can detect known ransomware samples, while the goal of the second experiment is to demonstrate that Unveil can detect previously unknown ransomware samples. The Unveil prototype is built on top of Cuckoo Sandbox [22]. Cuckoo provides basic services such as sample submission, managing multiple VMs, and performing simple human interaction tasks such as simulating user input during an analysis. However, in principle, Unveil could be implemented using any dynamic analysis system (e.g., BitBlaze [7], VxStream Sandbox [54]). As described in Section 3.1, user environments were generated for each run, filesystem I/O traces were recorded, and pre- and post-execution screenshots were captured. After each execution, the VM was rolled back to a clean state to prevent any interference across executions. Each sample was executed in the analysis environment for 20 minutes. All experiments were performed according to well-established experimental guidelines [56] for malware experiments.

Table 2: The list of ransomware families used in the first experiment.

Family        | Type   | Samples
--------------|--------|-------------
Cryptolocker  | crypto | 33 (1.5%)
CryptoWall    | crypto | 42 (2.0%)
CTB-Locker    | crypto | 77 (3.6%)
CrypVault     | crypto | 21 (1.0%)
CoinVault     | crypto | 17 (0.8%)
Filecoder     | crypto | 19 (0.9%)
TeslaCrypt    | crypto | 39 (1.8%)
Tox           | crypto | 71 (3.3%)
VirLock       | locker | 67 (3.2%)
Reveton       | locker | 501 (23.6%)
Tobfy         | locker | 357 (16.8%)
Urausy        | locker | 877 (41.3%)
Total Samples | -      | 2,121

Ground Truth (Labeled) Dataset: In this experiment, we collected ransomware samples from public repositories [1, 4] and online forums that share malware samples [3, 45]. We also received labeled ransomware samples from two well-known anti-malware companies. In total, we collected 3,156 recent samples. In order to make sure that those samples were indeed active ransomware, we ran them in our test environment. We confirmed 2,121 samples to be active ransomware instances. After each run, we checked the filesystem activity of each sample for any signs of attacks on user data. If we did not see any malicious filesystem activity, we checked whether running the sample displayed a ransom note. Table 2 describes the ransomware families we used in this experiment. We note that the dataset covers the majority of the current ransomware families in the wild. In addition to the labeled ransomware dataset, we also created a dataset that consisted of non-ransomware samples. These samples were submitted to the Anubis analysis platform [29], and consisted of a collection of benign as well as malicious samples. We selected 149 benign executables including applications that have ransomware-like behavior such as secure deletion, encryption, and compression. A short list of these applications is provided in Table 3. We also tested 384 non-ransomware malware samples from 36 malware families to evaluate the false positive rate of Unveil.

We performed a precision-recall analysis to find the best similarity threshold τsim for desktop locking detection. The best threshold value to discriminate between similar and dissimilar screenshots should be defined in such a way that Unveil is able to detect screen locker ransomware while maintaining an optimal precision-recall rate. Our empirical analysis shows that with τsim = 0.32 more than 97% of the ransomware samples across both screen locker and cryptographic ransomware samples are detected with 100% precision. In the second experiment, we used this similarity threshold to detect screen locker ransomware in a malware feed unknown to Unveil.

Table 3: The list of benign applications that generate similar I/O access patterns to ransomware.

Application   Main Capability   Version
7-zip         Compression       15.06
Winzip        Compression       19.5
WinRAR        Compression       5.21
DiskCryptor   Encryption        1.1.846.118
AESCrypt      Encryption        —
Eraser        Shredder          6.2.0.2969
SDelete       Shredder          1.61

3.3 Detecting Zero-Day Ransomware

The main goal of the second experiment is to evaluate the accuracy of Unveil when applied to a large dataset of recent real-world malware samples. We then compared our detection results with those reported by AV scanners in VirusTotal. This dataset was acquired from the daily malware feed provided by Anubis [29] to security researchers. The samples were collected from May 18th 2015 until February 12th 2016. The dataset contained 148,223 distinct samples. Each sample was then submitted to Unveil to obtain I/O access traces and pre-/post-execution desktop image dissimilarity scores.

Early Warning: One of the design goals of Unveil is to be able to automatically detect previously unknown (i.e., zero-day) ransomware. In order to run this experiment, we did the following. Once per day over the course of the experiment, we built a malware dataset that was concurrently submitted to Unveil and VirusTotal. If a sample was detected as ransomware by Unveil, we checked the VirusTotal (VT) detection results. In cases where a ransomware sample was not detected by any VT scanner, we reported it as a new detection. In addition, we also measured the lag between a new detection by Unveil and a VT detection. To that end, we created a dataset from the newly detected samples submitted on days {1, 2, ..., n − 1, n} and re-submitted these samples to see whether the detection results changed. We considered the result of all 55 VT scanners in this experiment. Since the number of scanners is relatively high, we defined a VT detection ratio ρ as the ratio of the total number of scanners that identified the sample as ransomware or malware to the total number of scanners checked by VT. ρ is therefore a value on the interval [0,1] where zero means that the sample was not detected by any of the 55 VT scanners, and 1 means that all scanners reported the sample as malware or ransomware. Since there is no standard labeling scheme for malware in the AV industry, a scanner can label a sample using a completely different name from another scanner. Consequently, to avoid biased results, we consider the labeling of a sample using any name as a successful detection. In our experiment, we submitted the detected samples every day to see how the VT detection ratio ρ changes over time. The distribution of ρ for each submission is shown in Figure 3. For the first submission, 72.2% of the ransomware samples detected by Unveil were not detected by any of the 55 VT scanners. After a few subsequent submissions, ρ does not change significantly, but is generally concentrated either towards small or very large ratios. This means that after a few re-submissions, either only a few scanners detected a sample, or almost all the scanners detected the sample. The large scale experiment shows that Unveil outperforms all the public AV scanners in detecting both superficial and technically sophisticated ransomware attacks. Among our findings was also a new ransomware family that no AV scanner, including a modern industrial sandboxing technology, had detected before we submitted it to VirusTotal.

[Figure 3 plot residue: six density panels, Submission #1 to Submission #6; x-axis from 0.0 to 1.0, labelled Pollution Ratio; y-axis labelled Density Distribution.]

Figure 3: Evolution of VT scanner reports after six submissions. 72.2% of the samples detected by Unveil were not detected by any of the AV scanners in the first submission. After a few re-submissions, the detection results do not change significantly. The detection results tend to be concentrated either towards small or very large detection ratios. This means that a sample is either detected by a relatively small number of scanners, or almost all of the scanners.

Table 4: Unveil detection results. 72.2% of the ransomware samples detected by Unveil were not detected by any of the AV scanners in VirusTotal at the time of the first submission. 7,572 (76.7%) of the newly detected samples were destructive file locker ransomware samples.

Evaluation Results
Total Samples         148,223
Detected Ransomware   13,637 (9.2%)
Detection Rate        96.3%
False Positives       0.0%
New Detection         9,872 (72.2%)

4 Protecting End-Points from Ransomware Attacks

In response to the increasing number of ransomware attacks [9, 16, 20, 26], a desirable and complementary defense would be to augment the operating system with transparent techniques that would make the operating system more resistant against ransomware-like behavior. In this project, we introduce the concepts of a general framework, called Redemption, to protect user data from ransomware attacks in a real-time fashion. Our goal is to define a practical solution that can be used as an augmented service to the operating system without changing the semantics of the underlying filesystem functionality. Redemption is based on two main components. First, an abstract characterization of the behavior of a large class of current ransomware attacks is constructed. More precisely, our technique applies the results of a long-term dynamic analysis to binary objects to determine if a process matches the abstract model. A process is labeled as malicious if it exhibits behaviors that match the abstract model. Second, a high-performance, high-integrity mechanism protects and restores all attacked files by utilizing a transparent data buffer to redirect access requests while tracking the write contents.

4.1 System Design

In this section, we introduce the components of Redemption, which are: (1) a lightweight kernel module that intercepts process interactions, and (2) a user-mode daemon, called the behavioral monitor and notification module, that assigns a malice score to a process, and is used to notify the user about the potential malicious behavior of a process. Intercepting Access Requests. In order to implement a reliable dynamic access control mechanism over user data, this part of the system should be implemented in the kernel, and be able to mediate the access to the filesystem. The prototype redirects each write access request to the user files to a protected area without changing the status of the original file. Figure 4 presents an example that illustrates how access requests are processed. The system introduces the following changes. (1) Redemption receives the request A from the application X to access the file F at the time t; (2) if A_t requests access with write or delete privilege to the file F, and the file F resides in a user-defined path, Redemption's monitor is called; (3) Redemption creates a corresponding file in the protected area, called the reflected file, and handles the write requests. These changes are periodically flushed to the storage to ensure that they are physically available on the disk. The meta-data entry of the corresponding file is updated with the offset and length of the data buffer in the I/O request after a successful data write at Step 3. (4) The malice score of the process is updated, and is compared to a pre-configured threshold α. (5) The Redemption monitor sends a notification to the display monitor to alert the user depending on the calculated malice score. (6) A success/failure notification is generated, and is sent to the system service manager. Malice Score Calculation (MSC) Function. The MSC function allows the system to identify the suspicious process and notify the user when the process matches the abstract model.
Given a process X, we assign a malice score S to the process each time it requests privileged access to a user file. If the malice score S exceeds a pre-defined malice threshold α, it means that the process exhibits abnormal behaviors. In Section 4.3, we provide more details on how we selected the malice score for our experiments.

[Figure 4 diagram residue: step labels 1 to 6 around the Redemption Monitor.]

Figure 4: Redemption mediates the access to the filesystem and redirects each write request on the user files to a protected area without changing the status of the original file. Reading the user files, and creating and writing new files, follow the standard 2-step procedure since they do not introduce any risk with regard to ransomware attacks on user data.

Behavioral Detection and Notification Module. We implemented this module as a user-mode service. This was a conscious design choice similar to the design of most anti-malware solutions. Note that Microsoft officially supports the concept of protected services, called Early Launch Anti-Malware (ELAM), to allow anti-malware user-mode services to be launched as protected services. In fact, after the service is launched as a protected service, Windows uses code integrity to only allow trusted code to load into a protected service. Windows also protects these processes from code injection and other attacks from admin processes [50]. If Redemption identifies the existence of a malicious process, it automatically terminates the malicious process.

4.2 Dataset

The ground truth dataset consists of filesystem traces of manually confirmed ransomware samples as well as more than 230 GB of data which contains the interaction of benign processes with the filesystem on multiple machines. We used this dataset to verify the effectiveness of Redemption, and to determine the best threshold value to label a suspicious process.

4.3 Analysis on Labeled Data

The prototype of Redemption supports all Windows platforms. In our experiments, we used Windows 7 by simply attaching Redemption to the filesystem. The remainder of this section discusses how the benign and malicious datasets were collected, and how we will conduct the experiments to evaluate the effectiveness of our approach. One of the design requirements of the system is to produce low false positives, and to minimize the number of unnecessary notifications to end-users. To this end, the system employs a threshold value to determine when an end-user should be notified about the suspicious behavior of a process. We tested a large set of benign as well as ransomware samples on a Redemption enabled machine. As depicted in Table 5 and Table 6, the median score of benign applications is significantly lower than that of ransomware samples. For file encryption programs such as AxCrypt which are specifically designed to protect the privacy of the users, the original file is overwritten with random data once the encrypted version is generated. In this case, Redemption reports the action as being malicious – which, in fact, is a false positive. Unfortunately, such false positive cases are inevitable since these programs are exhibiting the exact behavior that a typical ransomware exhibits. In such cases, Redemption informs the end-user and asks for a manual confirmation. Given these corner cases, we select the malice score as α = 0.12 where the system achieves the best detection and false positive rates (FPs = 0.5% at a TP = 100%). This malice threshold is still significantly lower than the minimum malice score of all the ransomware families in the dataset as provided in Table 6. The table also shows the median file recovery rate. As depicted, Redemption detects a malicious process and successfully recovers encrypted data after observing on average four files. Our experiment on the dataset also showed that 7 GB storage is sufficiently large for the protected area in order to enforce the data consistency policy.

Table 5: A list of benign applications and their malice scores.

Program              Min. Score   Max. Score
Adobe Photoshop      0.032        0.088
AESCrypt             0.37         0.72
AxCrypt              0.31         0.75
Adobe PDF reader     0.0          0.0
Adobe PDF Pro        0.031        0.039
Google Chrome        0.037        0.044
Internet Explorer    0.035        0.045
Matlab               0.038        0.92
MS Word              0.041        0.089
MS PowerPoint        0.025        0.102
MS Excel             0.017        0.019
VLC Player           0.0          0.0
Vera                 0.33         0.71
WinRAR               0.0          0.16
Windows Backup       0.0          0.0
Windows paintit      0.029        0.083
SDelete              0.283        0.638
Skype                0.011        0.013
Spotify              0.01         0.011
Sumatra PDF          0.022        0.041
Zip                  0.0          0.16
Malice Score Median  0.027        0.0885

Table 6: A list of ransomware families and their malice scores.

Family            Samples   Min. Score   Max. Score   Recovery
Cerber            33        0.41         0.73         5
Cryptolocker      50        0.36         0.77         4
CryptoWall3       39        0.4          0.79         6
CryptXXX          46        0.49         0.71         3
CTB-Locker        53        0.38         0.75         7
CrypVault         36        0.53         0.73         3
CoinVault         39        0.42         0.69         4
Filecoder         54        0.52         0.66         5
GpCode            45        0.52         0.76         2
TeslaCrypt        37        0.43         0.79         4
Virlock           29        0.51         0.72         3
SilentCrypt       43        0.31         0.59         9
Samples           504       -            -            -
Score Median      -         0.43         0.73         -
Recovery Median   -         -            -            4

5 Future Work and Timeline

5.1 Evaluating the Redemption Prototype

In Section 4, we proposed an end-point framework that protects user data from ransomware attacks. Designing a reliable end-point solution that guarantees minimal data loss is non-trivial. A successful implementation of the framework should achieve a high true positive rate and a low false positive rate. Furthermore, it should not impose a noticeable performance impact, or require significant changes to the way users interact with standard operating systems. We showed that the system achieves good detection results when using 10-fold cross validation on the labeled dataset. In addition to this experiment, we plan to test the system with ransomware samples that are not used in the model learning process. In this experiment, we plan to evaluate the detection accuracy of the system in a real-world setting where the trained model has not necessarily observed all types of attacks in this specific class of malware. We also plan to measure the potential performance impact of the system when it is deployed on end-user machines. In fact, we plan to test which operations are more expensive when the system is deployed, and whether the incurred overhead makes the system inefficient. The goal of this experiment is to test how the system works under heavy reads and writes. Furthermore, we would like to measure how many files should be maintained in the protected area when Redemption is actively monitoring the filesystem activity.

5.2 Timeline

Table 7 is the proposed timeline to complete our research.

Table 7: The proposed timeline to complete the research

To-do tasks             Completion Date (end of)
Large Scale Evaluation  July 2017
Usability Tests         July 2017
Filesystem Benchmarks   August 2017
Dissertation Defense    August 2017

References

[1] Minotaur Analysis - Malware Repository. minotauranalysis.com.

[2] VX Vault - Online Repository of Malware Samples. vxvault.siri-urz.net.

[3] Malware Tips - Your Security Advisor. http://malwaretips.com/forums/virus-exchange.104/.

[4] MalwareBlackList - Online Repository of Malicious URLs. http://www.malwareblacklist.com.

[5] Norman Sandbox. http://www.norman.com/.

[6] Proof-of-concept Automated Baremetal Malware Analysis Framework. https://code.google.com/p/nvmtrace/.

[7] BitBlaze Malware Analysis Service. http://bitblaze.cs.berkeley.edu/, 2016.

[8] Anand Ajjan. Ransomware: Next-Generation Fake Antivirus. http://www.sophos.com/en-us/medialibrary/PDFs/technicalpapers/SophosRansomwareFakeAntivirus.pdf, 2013.

[9] Alex Hern. Major sites including New York Times and BBC hit by ransomware malvertising. https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising, 2016.

[10] Alex Hern. Ransomware threat on the rise as almost 40 percent of businesses attacked. https://www.theguardian.com/technology/2016/aug/03/ransomware-threat-on-the-rise-as-40-of-businesses-attacked, 2016.

[11] Andrew Dalton. Hospital paid 17K ransom to hackers of its computer network. http://bigstory.ap.org/article/d89e63ffea8b46d98583bfe06cf2c5af/hospital-paid-17k-ransom-hackers-its-computer-network, 2016.

[12] Ulrich Bayer, Christopher Kruegel, and Engin Kirda. TTAnalyze: A Tool for Analyzing Malware. In Proceedings of the European Institute for Computer Antivirus Research Annual Conference, April 2006.

[13] BBC News. University pays 20,000 Dollars to ransomware hackers. http://www.bbc.com/news/technology-36478650, 2016.

[14] Danilo Bruschi, Lorenzo Martignoni, and Mattia Monga. Detecting self-mutating malware using control-flow graph matching. In Detection of Intrusions and Malware & Vulnerability Assessment, pages 129–143. Springer, 2006.

[15] Catalin Cimpanu. Breaking Bad Ransomware Completely Undetected by VirusTotal. http://news.softpedia.com/news/breaking-bad-ransomware-goes-completely-undetected-by-virustotal-493265.shtml, 2015.

[16] Chris Francescani. Ransomware Hackers Blackmail U.S. Police Departments. http://www.cnbc.com/2016/04/26/ransomware-hackers-blackmail-us-police-departments.html, 2016.

[17] Mihai Christodorescu, Somesh Jha, and Christopher Kruegel. Mining specifications of malicious behavior. In Proceedings of the 1st India Software Engineering Conference, pages 5–14. ACM, 2008.

[18] Mihai Christodorescu, Somesh Jha, Sanjit A. Seshia, Dawn Song, and Randal E. Bryant. Semantics-aware malware detection. In 2005 IEEE Symposium on Security and Privacy, pages 32–46. IEEE, 2005.

[19] Cisco, Inc. Ransomware on Steroids: Cryptowall 2.0. http://blogs.cisco.com/security/talos/cryptowall-2, 2015.

[20] Connor Mannion. Three U.S. Hospitals Hit in String of Ransomware Attacks. http://www.nbcnews.com/tech/security/three-u-s-hospitals-hit-string-ransomware-attacks-n544366, 2016.

[21] Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, and Federico Maggi. ShieldFS: a self-healing, ransomware-aware filesystem. In Proceedings of the 32nd Annual Conference on Computer Security Applications, pages 336–347. ACM, 2016.

[22] Cuckoo Foundation. Cuckoo Sandbox: Automated Malware Analysis. www.cuckoosandbox.org, 2015.

[23] Dan Whitcomb. California lawmakers take step toward outlawing ransomware. http://www.reuters.com/article/us-california-ransomware-idUSKCN0X92PA, 2016.

[24] Dell SecureWorks. University of Calgary paid 20K in ransomware attack. http://www.cbc.ca/news/canada/calgary/university-calgary-ransomware-cyberattack-1.3620979, 2016.

[25] Alexandre Gazet. Comparative analysis of various ransomware virii. Journal in Computer Virology, 6(1):77–90, February 2010.

[26] Gregory Wolf. 8 High Profile Ransomware Attacks You May Not Have Heard Of. https://www.linkedin.com/pulse/8-high-profile-ransomware-attacks-you-may-have-heard-gregory-wolf, 2016.

[27] Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrich, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, et al. Manufacturing compromise: the emergence of exploit-as-a-service. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 821–832, 2012.

[28] Greg Hoglund and Jamie Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, 2005.

[29] International Secure System Lab. Anubis - Malware Analysis for Unknown Binaries. https://anubis.iseclab.org/, 2015.

[30] Jerry Zremski. New York Senator Seeks to Combat Ransomware. http://www.govtech.com/security/New-York-Senator-Seeks-to-Combat-Ransomware.html, 2016.

[31] John Miller, Matt Allen, Christopher Glyer, Ian Ahl, and Nick Carr. Petya Ransomware Spreading Via EternalBlue Exploit. https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html, 2017.

[32] Kevin Savage, Peter Coogan, and Hon Lau. The Evolution of Ransomware. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf, 2015.

[33] Amin Kharraz, Sajjad Arshad, Collin Mulliner, William Robertson, and Engin Kirda. UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware. In 25th USENIX Security Symposium, 2016.

[34] Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge, and Engin Kirda. Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks. In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2015.

[35] Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. Barebox: efficient malware analysis on bare-metal. In Proceedings of the 27th Annual Computer Security Applications Conference, pages 403–412. ACM, 2011.

[36] Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. Barecloud: Bare-metal analysis-based evasive malware detection. In 23rd USENIX Security Symposium (USENIX Security 14), pages 287–301. USENIX Association, 2014.

[37] Engin Kirda, Christopher Kruegel, Greg Banks, Giovanni Vigna, and Richard Kemmerer. Behavior-based spyware detection. In USENIX Security Symposium, volume 6, 2006.

[38] Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiao-yong Zhou, and XiaoFeng Wang. Effective and efficient malware detection at the end host. In USENIX Security Symposium, pages 351–366, 2009.

[39] Eugene Kolodenker, William Koch, Gianluca Stringhini, and Manuel Egele. PayBreak: Defense against cryptographic ransomware. In Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS '17, pages 599–611, New York, NY, USA, 2017. ACM.

[40] Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Giovanni Vigna. Polymorphic worm detection using structural information of executables. In Recent Advances in Intrusion Detection, pages 207–226. Springer, 2006.

[41] Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu, and Engin Kirda. AccessMiner: Using system-centric models for malware protection. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, pages 399–412. ACM, 2010.

[42] Wei-Jen Li, Ke Wang, Salvatore J. Stolfo, and Benjamin Herzog. Fileprints: Identifying file types by n-gram analysis. In Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, IAW '05, pages 64–71. IEEE, 2005.

[43] Jianhua Lin. Divergence measures based on the Shannon entropy. IEEE Transactions on Information Theory, 37:145–151, 1991.

[44] Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. Detecting environment-sensitive malware. In Recent Advances in Intrusion Detection, pages 338–357. Springer, 2011.

[45] Malware Don't Need Coffee. Guess who's back again? Cryptowall 3.0. http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html, 2015.

[46] Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, and John C. Mitchell. A layered architecture for detecting malicious behaviors. In Recent Advances in Intrusion Detection, pages 78–97. Springer, 2008.

[47] McAfee Labs. McAfee Labs 2017 Threat Predictions Report. https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf, 2017.

[48] Michael Mimoso. Leaked NSA Exploit Spreading Ransomware Worldwide. https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/, 2017.

[49] Microsoft, Inc. File System Minifilter Drivers. https://msdn.microsoft.com/en-us/library/windows/hardware/ff540402%28v=vs.85%29.aspx, 2014.

[50] Microsoft, Inc. Protecting Anti-Malware Services. https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx, 2016.

[51] Ms. Smith. Kansas Heart Hospital hit with ransomware; attackers demand two ransoms. http://www.networkworld.com/article/3073495/security/kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.html, 2016.

[52] Nolen Scaife, Henry Carter, Patrick Traynor, and Kevin Butler. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. In IEEE International Conference on Distributed Computing Systems (ICDCS), 2016.

[53] Gavin O'Gorman and Geoff McDonald. Ransomware: A Growing Menace. http://www.symantec.com/connect/blogs/ransomware-growing-menace, 2012.

[54] Payload Security Inc. Payload Security. https://www.hybrid-analysis.com, 2016.

[55] REAQTA Inc. HydraCrypt Ransomware. https://reaqta.com/2016/02/hydracrypt-ransomware/, 2016.

[56] Christian Rossow, Christian J. Dietrich, Chris Grier, Christian Kreibich, Vern Paxson, Norbert Pohlmann, Herbert Bos, and Maarten van Steen. Prudent practices for designing malware experiments: Status quo and outlook. In 2012 IEEE Symposium on Security and Privacy (SP), pages 65–79. IEEE, 2012.

[57] Matthew G. Schultz, Eleazar Eskin, Erez Zadok, and Salvatore J. Stolfo. Data mining methods for detection of new malicious executables. In Proceedings of the 2001 IEEE Symposium on Security and Privacy (S&P 2001), pages 38–49. IEEE, 2001.

[58] Elizabeth Stinson and John C. Mitchell. Characterizing bots' remote control behavior. In Detection of Intrusions and Malware, and Vulnerability Assessment, pages 89–108. Springer, 2007.

[59] Andrew H. Sung, Jianyun Xu, Patrick Chavez, and Srinivas Mukkamala. Static analyzer of vicious executables (SAVE). In 20th Annual Computer Security Applications Conference, pages 326–334. IEEE, 2004.

[60] Symantec, Inc. Internet Security Threat Report. http://www.symantec.com/security_response/publications/threatreport.jsp, 2017.

[61] Tom Spring. Second Global Ransomware Outbreak Under Way. https://threatpost.com/second-global-ransomware-outbreak-under-way/126549/, 2017.

[62] TrendLabs. An Onslaught of Online Banking Malware and Ransomware. http://apac.trendmicro.com/cloud-content/apac/pdfs/security-intelligence/reports/rpt-cashing-in-on-digital-information.pdf, 2013.

[63] Amit Vasudevan and Ramesh Yerraballi. Cobra: Fine-grained malware analysis using stealth localized-executions. In 2006 IEEE Symposium on Security and Privacy, 2006.

[64] Zhou Wang, Alan C. Bovik, Hamid R. Sheikh, and Eero P. Simoncelli. Image quality assessment: from error visibility to structural similarity. IEEE Transactions on Image Processing, 13(4):600–612, 2004.

[65] Carsten Willems, Thorsten Holz, and Felix Freiling. Toward automated dynamic malware analysis using CWSandbox. IEEE Security and Privacy, 5(2):32–39, March 2007.

[66] WIRED Magazine. Why Hospitals Are the Perfect Targets for Ransomware. https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/, 2016.

[67] J-Y Xu, Andrew H. Sung, Patrick Chavez, and Srinivas Mukkamala. Polymorphic malicious executable scanner by API sequence analysis. In Fourth International Conference on Hybrid Intelligent Systems (HIS '04), pages 378–383. IEEE, 2004.

[68] Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda. Panorama: capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 116–127. ACM, 2007.