Day 1: Understanding Ransomware and How to Detect It
To start this journey, let's begin with the basics: what ransomware is, what a ransomware
attack means, and how others have detected it so far.
Once we understand these, we will be in a position to analyze any ransomware attack and
devise methods to detect, mitigate and prevent it.
Definition: Ransomware is a type of malicious software from cryptovirology that threatens to
publish the victim's data or perpetually block access to it unless a ransom is paid.
To continue understanding and addressing the threats posed by ransomware, let us dig a
little deeper. As the definition specifies, ransomware is a type of malicious software. Now,
what is malicious software?
Definition: Malware (= Malicious + Software) is software which is specifically designed
to disrupt, damage, or gain unauthorized access to a computer system.
Malware (or simply dangerous content that can corrupt your system) can enter your
system from various sources. 80% of today's malware finds its origin on the Internet.
Pirated websites, ads, downloads, spam emails etc. are a few places from where malware
can enter your PC. There are also a few offline sources, like infected pen drives, CDs etc.
Types of Ransomware
There are various types of ransomware, and it becomes crucial to know how each of
them works to be able to detect and analyze them. Since there are too many types to cover,
I am going to summarize a few famous ones.
- Crypto-malware: This is a type of ransomware that encrypts the user's files, but the victim can still access the PC (just not the encrypted files, of course). The recent and dangerous WannaCry attack is an example of crypto-malware.
- Locker: This is very similar to the previous one but, as the name suggests, the victim is locked out of the computer and cannot access it at all. Petya is one example.
- Doxware: It copies the victim's documents to the attacker. The victim has to pay the ransom to avoid having the confidential documents made public.
- Scareware: Many of us have downloaded anti-virus programs from online sources. Many of the certified ones work, whereas others are just scareware. They claim that malicious content has been found on the PC and that you need to pay to get rid of it. Unless you trust the source completely, do not go ahead, as this is another sort of ransomware attack.
- Popcorn Time Ransomware: This is the type of ransomware the "Joker" (from Batman, of course) would have designed. The attacker infects victim 1's system, then uses victim 1 to infect 2 other systems. If both of the other systems pay the ransom, victim 1's files live to see the light of another day. If even one of the other 2 victims fails to pay, the ransom is extracted from victim 1.
There are many more ransomware types apart from the ones mentioned above. If you are
interested, you could go through this link to find out more:
https://www.digitalshadows.com/blog-and-research/the-five-families-the-most-wanted-ransomware-groups/
Ransomware Attacks
How do they occur, from a more technical standpoint?
Refer to this link for a better understanding:
https://hackernoon.com/cryptography-malware-ransomware-36a8ae9eb0b9
The key concept to concentrate on in the above article is hybrid cryptography: the
combination of symmetric and asymmetric encryption, which ransomware attacks are built
on.
Figure: A diagram to explain how ransomware attack happens
Detecting Ransomware Attacks
The following approaches were taken before the advent of SDNs to detect ransomware.
- Scanning the types of files that travel across the network
- Monitoring the sizes of files that travel across the network
- Abnormal file system activity on the victim host
- Dynamic analysis of software being installed that might be a potential attack
- Detecting ransomware through the connection establishment packets between the victim and the malicious server
- Observing behavioral patterns in HTTP traffic and clustering them
- Observing the HTTP message sequences
- Detecting when the victim contacts a C&C server
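A host-side detector for the "abnormal file system activity" item above, added here as an example (it is not code from the original post or from the cited papers). The event tuple format, the thresholds, the file paths and the sample timeline are all assumptions constructed for the demonstration; the heuristics are a burst of high-entropy writes (files overwritten with ciphertext) and a burst of renames that change the file extension.

```python
import math
import os
from collections import Counter, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, roughly 4-5 for English text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def detect_ransomware_bursts(events, window=10.0, min_high_entropy_writes=5,
                             entropy_threshold=7.0, min_ext_changes=3):
    """Slide a time window over (timestamp, op, path, payload) host file events.
    For "write" the payload is the bytes written; for "rename" it is the new path.
    Alert when a window holds many high-entropy writes (files overwritten with
    ciphertext) or many renames that change the extension. Returns tuples of
    (window_start, window_end, high_entropy_writes, ext_changes)."""
    alerts, win = [], deque()
    for ev in sorted(events, key=lambda e: e[0]):
        win.append(ev)
        while ev[0] - win[0][0] > window:      # drop events older than the window
            win.popleft()
        high = sum(1 for _, op, _, payload in win
                   if op == "write" and shannon_entropy(payload) >= entropy_threshold)
        ext_changes = sum(1 for _, op, path, new in win
                          if op == "rename" and os.path.splitext(path)[1] != os.path.splitext(new)[1])
        if high >= min_high_entropy_writes or ext_changes >= min_ext_changes:
            alerts.append((win[0][0], ev[0], high, ext_changes))
            win.clear()                         # one alert per burst, not per event
    return alerts

# Constructed sample timeline (not captured from a real host): ordinary editing, then a
# burst that overwrites documents with uniformly distributed bytes and renames them.
TEXT = b"Meeting notes: budget review moved to Thursday, bring the Q3 figures."
CIPHERTEXT_LIKE = bytes(range(256)) * 4   # every byte value equally frequent -> 8.0 bits/byte
CONSTRUCTED_EVENTS = [
    (0.0, "write", "C:/Users/ann/notes.txt", TEXT),
    (40.0, "write", "C:/Users/ann/todo.txt", TEXT),
    (95.0, "rename", "C:/Users/ann/draft.docx", "C:/Users/ann/report.docx"),   # same extension
    (300.0, "write", "C:/Users/ann/report.docx", CIPHERTEXT_LIKE),
    (300.5, "write", "C:/Users/ann/budget.xlsx", CIPHERTEXT_LIKE),
    (301.0, "write", "C:/Users/ann/photo.jpg", CIPHERTEXT_LIKE),
    (301.5, "write", "C:/Users/ann/thesis.pdf", CIPHERTEXT_LIKE),
    (302.0, "write", "C:/Users/ann/cv.docx", CIPHERTEXT_LIKE),
    (302.5, "rename", "C:/Users/ann/report.docx", "C:/Users/ann/report.docx.locked"),
    (303.0, "rename", "C:/Users/ann/budget.xlsx", "C:/Users/ann/budget.xlsx.locked"),
    (303.5, "rename", "C:/Users/ann/photo.jpg", "C:/Users/ann/photo.jpg.locked"),
]
```

On the constructed timeline the normal edits and the same-extension rename raise nothing, while the burst yields two alerts: one for the five ciphertext-like writes and one for the three ".locked" renames.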
The following are a few SDN approaches taken to detect ransomware attacks:
- HTTP traffic characteristics, such as the size of HTTP headers.
- Detecting known-malicious, previously blacklisted servers using DNS. The paper link: https://arxiv.org/ftp/arxiv/papers/1608/1608.06673.pdf
- An ML technique using PFEs. The paper link: https://eric-keller.github.io/papers/2018/ransomware_SDN_NFV_Security_2018.pdf
The above papers are summarized as part of our Literature Survey. If you want to have
a look at it, here you go: https://docs.google.com/document/d/18km6eA_VHNL9qBiHXbjvbWFOWoSMeryeXvSD3xOhabk/edit?usp=sharing
Concerns raised:
After going through the above content, we considered the different SDN approaches we could
take to address ransomware attacks, and we felt we needed to concentrate on the details
below, which could be potential pitfalls in the future.
- HTTPS and not HTTP: newer ransomware attacks are carried out over HTTPS rather than HTTP. This introduces new challenges to the problem statement, since we cannot directly go ahead with Deep Packet Inspection on encrypted traffic.
- IDS, IPS and honeypots were one direction we were thinking of heading in, but there are better solutions out there and these have become obsolete. Want to know what the better solutions are? Stay tuned :P
- SDN may not be a perfect fit for every solution. Thus we need to make cautious technological decisions and not be blinkered by SDNs alone.
- It's always better to add to or modify existing, well-performing code than to start from scratch. Since there are open source projects that deal with ransomware attacks, we need to go through them to analyze and adapt a few existing mechanisms.
Future aspects to be looked at in the upcoming week:
- What is SIEM?
- Go through AlienVault and IBM QRadar
- Could concentrate on Android or other device-specific solutions (the concept of virtual phones)
- Possibility of combining SIEM with SDN or NFV
- Get to know The Architecture of Open Source Applications
- Blockchain as one of the solutions
Cite the source of the definition (in case you took it from any source).
Nice summary of the problem description.
One more concern could be whether existing protocols (e.g. OpenFlow) are good enough for communication between network elements and the controller w.r.t. ransomware information, or whether one needs to enhance existing protocols or design new ones.
Ransomware detection and prevention supported by actionable threat intelligence is the best defense against ransomware and other advanced attacks.