Research Methods
Contents
Abstract
Introduction
Literature Survey
  Ransomware Evolution
FINANCIAL IMPACT OF RANSOMWARE
DETECTION AND PREVENTION TECHNIQUES
  Machine Learning
  Honeypot
  Statistic
  Monitoring Techniques for Detection
    Monitoring for known file extensions
    Monitoring for an increase in file renames
    Client-based anti-ransomware agents
  Prevention of Ransomware
MITIGATION STRATEGIES AND RECOVERY
  Mitigation Strategies
  Data Recovery
CONCLUSION
References
Abstract
Ransomware is a form of malicious software that locks users out of their computers until they pay a ransom to the criminal. It is exploding all over the globe, posing a serious threat to consumers' and corporations' digital data. Every year, ransomware causes financial damages in the tens of billions of dollars. Experts have found a new form of this disruptive malware every year, and the new releases use new tools to get through defences. Ransomware criminals encrypt records on an infected device and keep the key to unlock them until the user pays a sum of money, the ransom. This study provides a short history of the evolution of ransomware, as well as the best approaches for preventing the infection, detecting it, and recovering from it. Many online users tend to be unaware of ransomware and do not know how to defend themselves; they believe that, since they are ordinary people of cyberspace, they would not be targeted if they use a highly automated platform like the current internet resources.
Introduction:
In the last couple of years, ransomware, also known as a crypto virus, has received a lot of attention from cyber scholars. This malware is used by criminals to steal personal information. The transaction or demand may be in the form of digital currency or orders to purchase items from specific retailers (Luo and Q. Liao 2007). Ransomware is designed to prevent users from accessing their data or even the computer itself. After that, the perpetrators demand payment from the target before the materials or records can be retrieved. Today, ransomware displays a warning on the computer setting out the ransom terms, known as a 'ransom note'.
Some ransomware goes so far as to show pornographic material on the screen while threatening something like the person's life. Criminals use these terrifying tactics to make payment seem the less difficult option (Kharraz, W. Robertson 2015). As is well established, the Web is a two-edged blade: current technology, as well as emerging technology such as cloud storage and virtual money like "Bitcoin and Ethereum", provides the best base for criminals, particularly those who construct ransomware. The sum of money demanded as ransom varies from $300 to $1150 for individuals and from $10K to $17K for businesses (D. Balzarotti, L. Bilge and E. Kirda 2015). According to the analysis of the FBI's "Cyber Crime Complaint Centre", cyber threats cost at least $1.2 billion between April 2014 and June 2015 (P.O'Kane, S.Sezer and D.Carlin 2018).
In some of these cases, the only way to recover the data is to pay the demanded ransom, even though this is not recommended. Under particular reasons[6], two forms of ransomware are discussed: "Locky and Crypto". Crypto Ransomware employs strong encryption that protects backup data against user accounts; this is much more challenging to bypass, and the damage may be irreversible. Crypto Ransomware might be the most widely exploited form of ransomware among malicious hackers. Locky Ransomware, on the other hand, locks the entire computer and prevents its user from accessing it, although it is usually simple to remove. "Scareware" is the third kind of ransomware. Although this third category is not always regarded as a category of ransomware, it is included by some researchers.
Literature Survey
Ransomware Evolution
Ransomware is not really a modern concept; the "PC CYBORG (AIDS) Trojan" was the first ransomware, developed in 1989. In 1989, Joseph Popp created this first encryption software, naming it after the most serious illness of that period. The "AIDS (PC Cyborg)" was viewed and believed to be a Trojan. This Trojan was distributed using floppy discs. After the floppy disc was inserted into the system, the AIDS software encrypted the files on the C: drive and requested $189 to be sent to a Panama PO Box.
The "AIDS Ransomware" has a number of flaws:
1) The encryption process was insecure and vulnerable to decryption.
2) The number of victims that could be reached was very small.
3) The mode of payment was obvious. (R. Richardson and K. North)
4) The timing of the operation was unreliable (floppy discs were used).
As reported in (R. Richardson and K. North), there has been a surge of malware in recent times, which has spread across the world, blindly invading targets and encrypting files, locking employers and employees out of their computers. The number of ransomware variants has increased by 600%, including Cerber, Locky, and CryptoWall, among several others, which illustrates the history of ransomware attacks (2005-2020). The following segment describes the most significant emerging technology-based attacks.
Hackers conducted a symmetric-encryption ransomware attack, termed "Gpcoder", in 2005. About a year later, hackers created a tougher system based on "asymmetric encryption" (S.Kok, A.Abdullah); according to analysts, asymmetric encryption uses a pair of connected keys (public and private). The public key is used to scramble data, and data cannot be decoded with it, so the public key can be exchanged or transmitted without revealing any detail about the private key (N. Jhanjhi and M. Supramaniam). The secret key is only used to decrypt data and is kept hidden until the payment is received. In 2006, RSA encryption (Rivest–Shamir–Adleman) was used in ransomware for the first time (S. Azam, K. Kannoorpatti). "Archievus" employs the Hashing or RSA algorithms for asymmetric encryption. It encrypts the "My Documents" directory, and the victim must purchase an item from various websites to obtain entry to the website.
(Image source: https://digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time)
Around 2010, "WinLock" resurfaced as Locky Ransomware, which prevented access to the infected computer once it had booted (known as a Storage). "WinLock" displays obscene images until the victim sends a $10 premium-rate SMS to receive an unlock code. Another malware operator distributed it by imitating the Computers Item note and giving victims a number to dial, which involved a 6-digit password. Each call would be redirected to a country with high international phone prices, and the caller would be made to wait while the bills accumulated. In 2010, ten people linked to WinLock were caught in Moscow; the group was also idle for around a year and had allegedly made over $16 million from the text-message scheme. "Reveton" reappeared two years later and, as previously mentioned, is now known as "Trojan:W32/Reveton". It seizes hold of the user's computer (M. Jonkman and G. Samy).
It employs the "RSA-2048 algorithm", which is a form of asymmetric encryption, and it opens new instances of applications in order to communicate with the attacker's C&C server (Monika, P. Zavarsky and D. Lindskog 2016). It also encrypts a large number of files and shows a notification on the computer requesting payment of the ransom. The payment alert presents a legal-action warning with screen videos, which gives the impression that the individual has done something wrong and frightens the victim. CryptoLocker was active from Sep 2013 to Sep 2014. A Trojan is used in this intrusion, and it was designed to target PCs running Windows operating systems. Infected email invitations and the already established "Gameover ZeuS botnet" helped it spread. When run, it uses RSA cryptography to encrypt specific kinds of data located on local and mounted file servers, with the secret key being stored mostly on the malware's own network and systems.
The "Samas attacks" were reported in March 2016 and relied on earlier technologies such as TOR C&C, Bitcoin payment, and AES file encryption. The creators of Samas were only interested in targeting organisations; they were uninterested in individual targets or large campaigns. The "Samas" system has a real-time feedback mechanism for criminals to communicate with their victims (J. Scott and D. Spaniel 2016). "Petya" (which was common in 2016) may be a variation on the traditional encryption setup.
It was designed to wreak havoc on the machine's low-level storage structures by maliciously manipulating the boot record and encrypting the master file table (R. Brewer 2016). Upon restart of the infected machine, it accesses the master file table (MFT) and makes the master boot record (MBR) unusable (Bacani, 2014). As a result of trapping the MBR, the infected device becomes inoperable, preventing anyone from accessing data or the system software on the computer, because the MBR is required to recognise the hard drive and the location of such records. Cerber, the first "Ransomware-as-a-Service (RaaS)" attack, was discovered in March 2016.
With "RaaS", a licence for the ransomware is obtained over the web with the assistance of a hacker, who then shares the payment with the intruder. As previously said (L.Abrams), for a 40 percent cut, the programmer could register as a "Cerber co-partner" and get any "Cerber Ransomware" he desires. Because an attacker cannot share the ransom with others, the bulk of malware does not make use of such a function. The benefit of the whole system, as with any alliance, is that the amount of effort required per strike is lower than average (R. Richardson and K. North). "Cerber", like all the other ransomware threats, employs "AES encryption". "Jigsaw" appeared in April 2016 and spread by common methods such as email links and advertisements.
It can affect database files and was the first ransomware to actually erase data during an intrusion in order to force payment; it would remove thousands of files each time the machine was rebooted. Prior attacks, by contrast, only made various fake claims to erase information. It uses the same AES encryption as other ransomware (S. Maniath, P. Poornachandran and V. Sujadevi).
The far more famous infection, "WannaCry", spread across multiple nations from May 2017, infecting nearly 151 nations. The nature of the assault was indiscriminate. It targeted colleges, transportation, health care, and a variety of other institutions (Turkel, D 2016).
(Image Source: https://sbscyber.com/Portals/0/WannaCryArticle.pdf)
The above image presents the worldwide reach of confirmed "WannaCry" activities. The delivery techniques used, known as "infection mechanisms", together with strong encryption with a high level of resiliency, made the spread effective (R. Richardson and K. North).

In the early part of 2017, the "Samsam Malware" emerged. It targeted "Erie County Medical Center (ECMC)", with 6,000 desktop computers as casualties (Monika, P. Zavarsky and D. Lindskog 2016). In contrast to the most popular infection vector, spam email, it depends on components of the system, such as the firewall or router, and exploits any vulnerabilities in them (Á. Valdivieso Caraguay and M. Hernández-Álvarez).
According to research (J. Herrera Silva, L. Barona López), "Samsam" specifically targets and exploits login credentials for cloud servers and loopholes in remote access interfaces. That operation as well as a big largest in North America were seriously weakened with zero individual attacks, because that was the pass of the Silenced Fight (Luo and Q. Liao 2007).
Atlanta isn't the only site of that kind of internet attack, as stated in (J. Herrera Silva, L. Barona López). According to (S.Aurangzeb, M.Aleem, M.Iqbal and M.Islam), this attack cost nearly 900,000 dollars. In 2019, the "REvil Ransomware" was discovered. It encrypts and decrypts on the affected server, but it always erases all shadow copies, making recovery very difficult. It started its strikes against the "Oracle WebLogic framework", as well as users of major VPN providers such as "Pulse and Fortinet" (M.Kiru and A.Jantan 2019). Sodinokibi, REvil's other name, has received almost $6 million in ransom payments, according to the bullying website. In mid-2020, a major cyber-attack was confirmed.
According to many studies, it spreads via emails, just like prior ransomware (S. Fayi 2018). It is designed to attack a wide range of configuration files, and it attaches the "hALioS" file extension to files on the victim's computer after it gains access. This modern approach is taken up by identity thieves and is a new challenge to most businesses, people, and governments. The malware continues to be developed by building on the new model and introducing additional techniques to give it more stability. On the other hand, large decryption software developed by anti-virus companies such as "McAfee and Kaspersky" has been used to lower the harm caused by malware. There are over 60 of them (S. Fayi 2018), made possible by bad coding, weak randomisation, and many other errors, even in large families of such malware. Ransomware has evolved into a powerful encryption application with a secret command and control centre.
FINANCIAL IMPACT OF RANSOMWARE
Individual users were historically the far more likely targets of malware strikes. However, in 2016, there was a significant shift to businesses, with "Symantec" reporting and blocking 42 percent of all ransomware attacks (R. Richardson and K. North). This is linked to a variety of factors, one of which is the spread of ransomware across several machines connected to the same corporate network and the demand for a payoff for each particular infection (Turkel, D 2016).
The number of strikes against "individual users" has significantly declined in recent times. At the other extreme, Symantec (R. Richardson and K. North) documented an unprecedented number of ransomware infections affecting organisations and businesses between 2016 and 2020. This is due to a variety of factors, including pervasive malware inside businesses (Turkel, D 2016). The ransom demand is increased based on a variety of factors, including the worth of the encrypted documents, the attackers' willingness to keep their promise, and the victim's desire to pay. The damages incurred through malware that were disclosed to the FBI between 2012 and 2019 are depicted in the following graph.
(Image source: https://www.mygreatlearning.com/blog/ransomware-facts-figures-and-statistics/#:~:text=Losses%20due%20to%20ransomware%20attack,by%20the%20end%20of%202021.)
These are the direct costs, not the losses incurred as a result of companies losing operations, jobs, files, or other assets. ZDNet, a business information news organisation, looked at "Cryptolocker ransom payments" made to four Bitcoin wallets at the end of 2013.
Its findings point to about 40 thousand transfers to those accounts between 15th October and 18th December, equating to "27 million" [3,44]. The FBI's Cyber Crimes Reporting Center reported substantial rises in ransomware attacks during that timeframe. The FBI estimated the size of the malware market to be around $200 million a year, according to (R. Richardson and K. North). A total of 1000 attacks were attributed to CryptoWall (R. Richardson and K. North). The cumulative damages caused by CryptoWall are projected to be $18 million. The variation in cash payments was exacerbated by fluctuations in the value of Bitcoin (R. Richardson and K. North). The ransom amount in "CryptoWall" depended on the target as well as the nation in which the target resided (S.Aurangzeb, M.Aleem, M.Iqbal and M.Islam).
The ransomware "Popcorn" allowed victims to decrypt their data for free if they infected 2 more victims with it as well (Turkel, D 2016). This malware has a high profit margin. When it comes to the nature of the victim, it has some flexibility. Ransom demands were uniform at the start, with set prices for everyone. However, this did not satisfy the attackers. The new ransomware families came with new, clever demands, charging depending on the victims' financial willingness to pay (R. Richardson and K. North).
DETECTION AND PREVENTION TECHNIQUES
Machine Learning
ML, or "Machine Learning", is simply a method of using numerical computations to forecast outcomes or make decisions in response to an event (Á. Valdivieso Caraguay and M. Hernández-Álvarez). The most crucial thing in this technology is to identify the cleanest data points that can be combined with the right algorithm to provide the best possible outcome. Like everything else in the environment, ML has two aspects. On the one hand, by using the right algorithm, its result can be determined clearly; on the other hand, this technique cannot become stupid. That being said, it is possible to fall into a loop of mistakes when trying to discover the solution or algorithm. Furthermore, it is important to exercise caution in order to avoid fitting problems (D.Balzarotti, L.Bilge and E.Kirda 2015).
Honeypot
Trap files are used to lure the malware into the honeypot (L. Constantin 2015). The malware can be identified once the trap files have been infected. The benefit of this strategy is that it doesn't need computing power or server upkeep; however, it relies on the ransomware targeting the trap files, and there is no guarantee that it will, so an understanding of malware behaviour is needed (L. Constantin 2015).
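A minimal sketch of the trap-file idea, added here as an example and not taken from the cited work: decoy files are planted, their hashes recorded, and any later change or disappearance is reported. The decoy names, their contents and the simulated tampering are all constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical decoy names. "!" sorts first and "~" last in ASCII order, an
# assumed way to raise the chance that a process walking the folder in order
# touches a decoy early, whichever end it starts from.
DECOY_NAMES = ("!000_accounts.docx", "payroll_backup.xlsx", "~zzz_archive.pdf")


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(directory):
    """Write the decoy files and return {path: sha256} as the baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        path = Path(directory) / name
        path.write_bytes(f"decoy content for {name}\n".encode() * 64)
        baseline[path] = _sha256(path)
    return baseline


def check_decoys(baseline):
    """Return {decoy name: "missing" | "modified"} for every decoy that changed."""
    findings = {}
    for path, digest in baseline.items():
        if not path.exists():
            # Renaming a file (for example appending an extension) also lands here.
            findings[path.name] = "missing"
        elif _sha256(path) != digest:
            findings[path.name] = "modified"
    return findings


def demo():
    """Plant decoys in a temporary folder, then simulate two kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(tmp)
        clean = check_decoys(baseline)
        paths = list(baseline)
        # Constructed tampering: one decoy overwritten in place ...
        paths[0].write_bytes(bytes(range(256)) * 8)
        # ... and one renamed with an appended extension.
        paths[2].rename(paths[2].with_name(paths[2].name + ".hALioS"))
        tampered = check_decoys(baseline)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

An untouched decoy produces no finding, which is the limitation noted above: the check only fires if the trap files are actually hit.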
Statistic
This "statistic" can be used to examine the characteristics of any entity (L. Constantin 2015). Using this intrusion detection method is a time-consuming process. In fact, the method entails evaluating the ransomware by inspecting the application without even running it (J. Herrera Silva, L. Barona López). On the other hand, dimensional research involves experimentation, but only in a safe area to avoid penetration from the outside.
Monitoring Techniques for Detection
Monitoring for known file extensions:
According to (S. Azam, K. Kannoorpatti 2016), this is a valuable tool for identifying malicious activity: file activity is tracked, and both current and historic information is recorded for common network shares. Even though there are so many file extensions these days, these methods can still be useful.
Monitoring for an increase in file renames:
This strategy is not widely used; whenever ransomware strikes, it can change a large number of file names while encrypting data (S. Azam, K. Kannoorpatti 2016).
Client-based anti-ransomware agents:
The "Anti-ransomware" software searches the System files for text files associated with malware (S. Azam, K. Kannoorpatti 2016). These criminals operate in the shadows to prevent encryption from securing information (S. Azam, K. Kannoorpatti 2016).
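The first two monitoring techniques above, run over a constructed stream of file events, as an added example that is not part of the original paper. The event format, the watch list (only ".hALioS" comes from this paper), the 10-second window and the threshold of 5 renames are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed watch list: ".halios" is the extension named in this paper; the
# other entries are illustrative stand-ins for a maintained list.
WATCHED_EXTENSIONS = {".halios", ".locky", ".cerber"}
RENAME_WINDOW_S = 10.0   # assumed sliding-window length in seconds
RENAME_THRESHOLD = 5     # assumed number of renames per window that counts as a burst


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds since the start of the capture
    user: str
    op: str              # "create", "write" or "rename"
    path: str
    new_path: str = ""   # only set for renames


def detect(events):
    """Return alerts as (ts, user, kind, detail) tuples, in time order."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of renames inside the window
    in_burst = set()              # users already alerted for the current burst
    for ev in sorted(events, key=lambda e: e.ts):
        target = ev.new_path if ev.op == "rename" else ev.path
        # Technique 1: a file appears under a known ransomware extension.
        if ev.op in ("create", "rename"):
            if PurePosixPath(target).suffix.lower() in WATCHED_EXTENSIONS:
                alerts.append((ev.ts, ev.user, "known_extension", target))
        # Technique 2: the rename rate of one user rises sharply.
        if ev.op == "rename":
            window = recent[ev.user]
            window.append(ev.ts)
            while ev.ts - window[0] > RENAME_WINDOW_S:
                window.popleft()
            if len(window) < RENAME_THRESHOLD:
                in_burst.discard(ev.user)
            elif ev.user not in in_burst:
                in_burst.add(ev.user)   # one alert per burst, not one per file
                detail = f"{len(window)} renames in {RENAME_WINDOW_S:.0f}s"
                alerts.append((ev.ts, ev.user, "rename_burst", detail))
    return alerts


def sample_events():
    """Constructed events: normal use, one watched extension, one rename burst."""
    events = [
        FileEvent(0.0, "alice", "rename", "/share/docs/draft.docx", "/share/docs/final.docx"),
        FileEvent(60.0, "alice", "rename", "/share/docs/a.txt", "/share/docs/b.txt"),
        FileEvent(5.0, "carol", "create", "/share/tmp/report.pdf.hALioS"),
    ]
    # The burst uses an extension that is not on the watch list, so only
    # the rename-rate check can catch it.
    events += [
        FileEvent(100.0 + 0.5 * i, "bob", "rename",
                  f"/share/hr/file{i}.xlsx", f"/share/hr/file{i}.xlsx.x7q2")
        for i in range(6)
    ]
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The two checks cover each other's gaps: the extension list misses the unlisted ".x7q2" burst, and the rename counter misses carol's single file.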
Prevention of Ransomware:
This segment lists several useful ways to stop a ransomware attack and reduce the chance of compromised computers. The majority of them are defence fundamentals against any threat, not only malware.
1. Exercise caution when opening unsolicited invitations.
2. Back up sensitive files on a constant and secure basis, and always keep a copy offline. It is important to "encrypt/protect" backed-up data so that only approved users can recover it.
3. Don't stay logged in as administrator for any longer than is absolutely necessary (S.Kok, A.Abdullah).
4. Verify that the "firewall" is appropriately installed on the device.
5. Cyber-criminals hack identities and send out false links to as many users as possible in order to launch cyberattacks (Bacani, 2014).
6. Mail screening is a must in order to prevent infection. Symantec offers a cyber cloud (S. Sharma, R. Kumar and C. Krishna 2019) that aids in blocking fraudulent emails before they reach their intended recipients.
MITIGATION STRATEGIES AND RECOVERY
Mitigation Strategies:
Since modern malware emerges alongside new technologies or as a new family, there will be a first time it targets a user. In this case, the majority of anti-malware programs or utilities will fail to restore the encrypted data. Mitigation techniques, on the other hand, are capable of making a difference. Even if the device is corrupted, as long as the backup is not harmed, the records can be restored within hours (M.Kiru and A.Jantan 2019). Since ransomware authors are aware of this recovery route, they introduced a new version which executes "vssadmin.exe" and deletes the owner's path backups. As a result, backups must be protected using several layers of authentication (M.Kiru and A.Jantan 2019). For any changes to the storage database server, reference validation is needed.
The significance of this strategy arises from the infeasibility of a constant backup of all records. Simply put, it is more economical to protect information which can be updated without difficulty. However, if the data associated with the outcome is encrypted, the entire process must be relaunched (J. Herrera Silva, L. Barona López). If something unexpected happens to those records, it will have a huge impact on the whole system. Under various policies, categorisation can be done functionally or logically (Turkel, D 2016).
Data Recovery
Cyber threats focused on ransom have seen major and clear growth over the last 5 years, and these threats persist to this very day, particularly during the COVID-19 pandemic (D.Balzarotti, L.Bilge and E.Kirda 2015). Do not pay the ransom if such an attack happens; this is the first piece of advice to follow even if other options to retrieve the data have failed, because negotiating with criminals makes it difficult to retrieve the data. "Social engineering" strategies are used to deal with criminals in order to retrieve all data needed (R. Richardson and K. North). Some decryption software and services are available. When intruders create their ransomware, they take this into account and use a robust encryption algorithm. The data cannot be recovered if the victim does not have a backup.
The keys used to decrypt data and defeat the malware have been discovered in several operations. Through collaboration with other security vendors and enforcement agencies, companies like "McAfee and Kaspersky" created a platform named "Shade Ransomware Decryption", which has had considerable success in combating Shade malware. A few other businesses provide decryption solutions; however, these service providers rely upon publicly accessible keys. "AVG" also offers free decryption software for specific ransomware forms (D.Balzarotti, L.Bilge and E.Kirda 2015).
CONCLUSION
Year after year, ransomware becomes more extreme and more risky. Following a thorough examination of over 30 ransomware groups, we reached the conclusion that ransomware costs countries huge sums of money per year. It employs sophisticated data encryption. This has a wide range of applications for a variety of approaches at various stages. Cybercriminals now rely on it as their primary source of revenue. In Germany, the first ransomware-related death occurred in 2020, due to the destruction of hospital records. Any company or individual with an Internet connection is a potential victim of a ransomware attack, from big corporations to a child who simply tries to get free skins for computer games and is duped by some webpage. To recap, there are two primary methods for avoiding this phenomenon. The first is to become well aware of scams and malware campaigns. The other is keeping offline copies of the computer's important and relevant data.
References
A. S. Aurangzeb, M. Aleem, M. Iqbal and M. Islam, "Ransomware: A Survey and Trends", vol. Available at: https://www.researchgate.net/profile/Muhammad_Aleem1 1/publication/317380115_Ransomware_A_Survey_and_Trends/links/5e19a33ea6fdcc283769077c/Ransomware-ASurvey-and-Trends.pdf.
B. Hern. A: New nasty ransomware encourages victims to attack other computers ‘, The Guardian (2017).
Available at https://www.theguardian.com/technology/2016/dec/12/newransomware-victimspopcorn-time-malware
C. Luo and Q. Liao, "Awareness Education as the Key to Ransomware Prevention", Information Systems Security, 195-202, 2007.
Available: 10.1080/10658980701576412
D. M. Garnaeva, Gostev, R. Unuchek, D. Makrushin and A. Ivanov, "IT THREAT EVOLUTION IN Q1 2016", Criminals Continue to Defraud and Extort from Victims Using Cryptowall Ransomware Schemes (June 23, 2015),
available at https://www.ic3.gov/media//2015/150623.aspx
E. M. Supramaniam,S. Kook, A. Abdullah, N. Jhanjhi, "Ransomware, Threat and Detection Techniques: A Review", IJCSNS International Journal of Computer Science and Security.
Available at: http:/paper.ijcsns.org/07_book/201902/201902317.pdf
F. D. Balzarotti, L. Bilge and E. Kirda, Kharraz, W. Robertson, "Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks", Cutting the Gordian Knot: Detection of Intrusions and Malware, and Vulnerability Assessment, 2015.
Available: 10.1007/978-63- 319-20550-2_1
G. Monika, P. Zavarsky and D. Lindskog, "Experimental Analysis of Ransomware on Windows and Android Platforms: Evolution and Characterization", Procedia Computer Science, vol.2016.
Available at: 10.1016/j.procs.2016.08.072
H. Mansfield-Devine. S, "Ransomware: make businesses hostage", Network Security, vol. 2016
Available at: 10.1016/s1353-4858(16)30096-4
I. S. Sharma, R. Kumar and C. Krishna, "Ransom Analysis: The Evolution and Investigation of Android Ransomware", Proceedings of International Conference on IoT Inclusive Life (ICIIL 2019), 2020.
Available at: 10.1007/978-981-15- 3020-3_4
J. T. Hayajneh and Gonzalez, "Detection and prevention of crypto ransomware", 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication2017.
Available: 10.1109/uemcon.2017.8249052
K. L. Constantin, "Widespread exploit kit, ransomware program, and password stealer mixed into dangerous malware cocktail", PCWorld, 2015. [Online].
Available at: https://www.pcworld.com/article/3012112/widespreadexploit-kit-password-stealer-and-ransomware-programmixed-into-dangerous-cocktail.html.
L. N. Scaife, H. Carter, P. Traynor and K. Butler, "CryptoLock (and Drop It
International Conference on Distributed Computing Systems (ICDCS), 2016.
Available at: 10.1109/icdcs.2016.46
M. Networks P.Y, "Protecting Your Networks Ransomware", U.S Government interagency information officers and chief at critical infrastructure entities, 2016. Tripwire, "30 Ransomware Prevention Tips | The State of Security", The State of Security, 2020. [Online].
Available at: https://www.tripwire.com/state-of-security/security-dataprotection/cyber-security/22-ransomware-prevention-tips/.
N. Turkel, D, Victims paid more than $24 million ransomware criminals in 2015 and that's just the beginning.
Available at http://uk.businessinsider.com/doj-and-dh -2016-4, 2016,
O. FBI: Criminals continue to defraud and funds from victims using CryptoWall ransomware schemes ‘, (23 June 2015),
Available at: https://www.ic3.gov /2015/150623.aspx, 2015,
P. D. Spaniel, R. Brewer, and J. Scott, "The ICIT Ransomware Report", 2016. "Ransomware, prevention and cure", Network Security, 2016.
Available: 10.1016/s1353-4858(16)30086-1
Q. Richardson and K. North, "Ransomware: Evolution and Prevention", International Management Review 10-20, 2017. Bacani, 2014. [Online].
Available: https://blog.trendmicro.com/trendlabs /reveton-ransomware-spreads-with-old-tacticsnew -method/.
R. Barona López, J. Herrera Silva, LÁ. Valdivieso Caraguay and M. Hernández-Álvarez, "A Survey on Situational Awareness of Ransomware Attacks—Detection and Prevention Parameters", Remote Sensing, 2019.
Available: 10.3390/rs11101168
S. Yaqoaob et al., "The rise of ransomware and emerging challenges in Internet Things", 2017.
Available at: 10.1016/j.comnet.2017.059.003
T. M. Aleem, M. Iqbal and M. Islam, S. Aurangzeb, "Ransomware: A Survey and Trends"- 1010, 2020.
Available at: https://www.researchgate.net/profile/Muhammad_Aleem1 1/publication/317380115_Ransomware_A_Survey_and_T rends/links/5e19a33dcc283769077c/Ransomware-ASurvey-and-Trends.pdf.
U. Abrams.L., "New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption Key". [Online].
V. S. Fayi, "What Petya/NotPetya Ransomware Is and What Its Remidiations Are", Advances in Intelligent Systems and Computing, 2018.
Available: 10.1007/978-3319-77028-4_15
W. Muñoz-González, Sgandurra, L. R. Mohsen and E Lupu, "Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection”.
Available: https://arxiv.org/as/1609.03020v1.
X. P. Poornachandran, S. Maniath,"Survey on Prevention, Mitigation of Ransomware Attacks", Communications in Computer2019.
Available: 10.1007/978-91-13-5826-5_34