IEEE - 56998

Ransomware Attack: An Evolving Targeted Threat

Manuj Aggarwal
Ministry of Electronics & IT
Delhi, India
[email protected]

2023 14th International Conference on Computing Communication and Networking Technologies (ICCCNT) | 979-8-3503-3509-5/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICCCNT56998.2023.10308249

Abstract— Ransomware typically locks the system to prevent users from accessing their own system or personal files. Access is regranted to the user only after the attacker receives the ransom demanded; without it, the data is permanently lost or, in some cases, made publicly available. In recent years there has been an exponential rise in the number of ransomware cases. The attackers have evolved their techniques of attack and have become targeted in their attacks. The objective of this paper is to furnish an exhaustive understanding of the ransomware threat, present current trends, discuss the detection techniques currently explored and summarize major ransomware groups active in recent years. Lastly, probable attack vectors, preventive measures and steps to respond in case of a ransomware attack are discussed.

Keywords— Ransomware, RaaS, Threat, Attacker, Ransom, Attack vector

INTRODUCTION

Ransomware is a kind of malware that locks the system, thereby forbidding users from accessing their system or files. A ransom demand is made by the attacker in order to regain access. If the victim doesn't pay the ransom demand within a defined timeframe, the data is lost [1-3]. Extortion by ransomware is not new and has been active since the late 1980s; in initial cases, the payment was demanded via snail mail [4]. Targets can be generalised or specific to individuals, organizations or countries speaking a specific language. Mostly, the ransom is demanded in the form of cryptocurrency. Ransomware can be classified into the following four categories [4]:

Scareware: a pop-up message is received stating that a malware infection has been discovered and that a certain amount needs to be paid to remove it. If no action is taken, the user will continue to be bombarded with pop-ups, but no harm is done to files.

Screen lockers: also known as non-encrypting ransomware. On starting up the system, a full-size window appears with the logo of a government agency, stating that illegal activity has been detected on the device and demanding some amount. The user is not allowed to perform any work, as the screen is locked or the device is flooded with pop-ups.

Encrypting ransomware: also known as crypto-ransomware. Files are encrypted and taken out of the system, and payment is demanded in order to decrypt and redeliver them.

Mobile ransomware: affects mobile devices via malicious apps or drive-by downloads. A message appears that, due to some illegal activity, the device is locked and can be unlocked after paying a penalty. Because automated cloud data backups are commonly available, encrypting the data does not benefit attackers.

Attackers have evolved their demand style over time to extort more money [5-8]. Earlier, attackers encrypted the data found on a system, and a ransom was demanded for decrypting it. This was referred to as single extortion. Attackers became more advanced and first exfiltrated the data to a separate location, then encrypted it. The organization is threatened with losing the data and having it exposed in the public domain if a ransom is not paid. This was referred to as double extortion. In triple extortion attacks, the organisation is also threatened with a Distributed Denial of Service (DDoS) attack. Figure 1 shows the three types of exploitation by ransomware. The different attack vectors by which a ransomware attack can infect a device or network are as follows [4], [5]:

• Phishing emails, spear phishing and other social engineering attacks: cybercriminals often pose as a law enforcement agency, using its logo, in order to scare users into paying them money as a fine for some illegal activity.

• Malvertising and drive-by downloads: on accessing an infected webpage, malicious code attacks the system without the need for any user action. The code scans the browser to identify vulnerabilities that can be exploited to inject ransomware.

• Operating system and software vulnerabilities: unpatched vulnerabilities are used as an attack surface, and ransomware is often distributed under the name of a patch, causing users to download it and infect their device.

• Credential theft: attackers steal or crack authorised users' credentials to log into a device or network and deploy ransomware directly. RDP and Telnet are exploited to gain remote access to a computer.

• Other malware: malware developed for other attacks is also used to deliver ransomware to a device. Conti ransomware was spread by the Trickbot trojan, a malware that steals banking credentials.

In this paper, the ransomware threat is discussed. Current trends in 2022 are presented, and major ransomware groups active in recent years are summarized. The rest of the paper is organised as follows: section II discusses related work in the field of ransomware and section III discusses current trends. In section IV, a summary of ransomware groups is provided. The paper concludes in section V.

RELATED WORK

Research has been done in the field of ransomware, mainly focusing on detection techniques and analysis of samples. Humayun et al. [9] have discussed ransomware threats in IoT devices, while Yaqoob et al. [10] have presented some case studies to make people aware of the vulnerability of IoT devices to ransomware attacks.

Researchers [11] have worked on detection methods for ransomware attacks. Monitoring unusual filesystem and registry entries helps in ransomware detection on Windows systems. In the Android environment, caution while granting access to apps can help in avoiding ransomware attacks.
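As an added illustration of the behavioural detection approach this related work describes (monitoring file-system activity, file-system API calls such as reads, writes and renames, and storage I/O patterns), the following Python example profiles a constructed trace of file-system API events per process and scores each process against a few ransomware indicators. It is not code from the paper or from any of the cited works; the event format, the thresholds and the sample trace are assumptions made for the example.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are illustrative assumptions, not values taken from the paper.
HIGH_ENTROPY_BITS = 7.0   # encrypted or compressed data sits close to 8.0 bits per byte
BULK_THRESHOLD = 5        # the same pattern on this many distinct files is suspicious
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip",
                    ".exe", ".dll", ".sys", ".lnk"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

@dataclass
class ProcessProfile:
    """Per-process counters folded out of the monitored file-system API calls."""
    files_read: set = field(default_factory=set)
    files_overwritten: set = field(default_factory=set)  # read first, then written in place
    writes: int = 0
    high_entropy_writes: int = 0
    renames_to_unknown_ext: int = 0
    deletes: int = 0
    directories: set = field(default_factory=set)

def profile_processes(events):
    """Build one ProcessProfile per pid. Events carry pid, api and path; WriteFile
    adds the written bytes as data, MoveFileEx adds new_path (assumed monitor format)."""
    profiles = defaultdict(ProcessProfile)
    for ev in events:
        p = profiles[ev["pid"]]
        path = ev["path"]
        p.directories.add(path.rsplit("/", 1)[0])
        if ev["api"] == "ReadFile":
            p.files_read.add(path)
        elif ev["api"] == "WriteFile":
            p.writes += 1
            if path in p.files_read:
                p.files_overwritten.add(path)
            if shannon_entropy(ev["data"]) >= HIGH_ENTROPY_BITS:
                p.high_entropy_writes += 1
        elif ev["api"] == "MoveFileEx":
            new_ext = "." + ev["new_path"].rsplit(".", 1)[-1].lower()
            if new_ext not in KNOWN_EXTENSIONS:
                p.renames_to_unknown_ext += 1
        elif ev["api"] == "DeleteFile":
            p.deletes += 1
    return profiles

def ransomware_indicators(p: ProcessProfile) -> list:
    """Names of the behavioural indicators that a process profile triggers."""
    hits = []
    if p.writes and p.high_entropy_writes / p.writes >= 0.8:
        hits.append("high_entropy_writes")           # written data looks like ciphertext
    if len(p.files_overwritten) >= BULK_THRESHOLD:
        hits.append("bulk_in_place_overwrite")       # read-then-rewrite of many user files
    if p.renames_to_unknown_ext >= BULK_THRESHOLD:
        hits.append("mass_rename_unknown_extension")
    if len(p.directories) >= 3 and p.deletes:
        hits.append("cross_directory_deletes")       # e.g. backups removed while encrypting
    return hits

def is_ransomware_like(p: ProcessProfile) -> bool:
    # Requiring three independent indicators keeps single-behaviour tools (an
    # archiver writing one high-entropy file, an editor saving a document) quiet.
    return len(ransomware_indicators(p)) >= 3

def classify(events) -> dict:
    """Map pid -> True when the process behaves like a file encryptor."""
    return {pid: is_ransomware_like(p) for pid, p in profile_processes(events).items()}

def build_sample_events():
    """Constructed trace: an editor (1001), an archiver (2002) and an encryptor (4242)."""
    rng = random.Random(1)
    def ciphertext(n=4096):                  # deterministic stand-in for encrypted output
        return bytes(rng.getrandbits(8) for _ in range(n))
    text = b"Quarterly report: revenue grew 4% year on year.\n" * 64
    events = [
        {"pid": 1001, "api": "ReadFile", "path": "/home/u/docs/report.docx"},
        {"pid": 1001, "api": "WriteFile", "path": "/home/u/docs/report.docx", "data": text},
        {"pid": 2002, "api": "WriteFile", "path": "/home/u/archive.zip", "data": ciphertext()},
    ]
    victims = [f"/home/u/{d}/file{i}.{ext}" for d in ("docs", "pics", "sheets")
               for i, ext in enumerate(("docx", "jpg", "xlsx"))]
    for path in victims:                     # read, overwrite with ciphertext, rename
        events += [
            {"pid": 4242, "api": "ReadFile", "path": path},
            {"pid": 4242, "api": "WriteFile", "path": path, "data": ciphertext()},
            {"pid": 4242, "api": "MoveFileEx", "path": path, "new_path": path + ".locked"},
        ]
    events.append({"pid": 4242, "api": "DeleteFile", "path": "/home/u/docs/backup.bak"})
    return events
```

Calling classify(build_sample_events()) flags only pid 4242; the archiver trips the entropy indicator alone, which is why a single indicator is not enough for a verdict.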

14th ICCCNT IEEE Conference


Authorized licensed use limited to: Ministry of Electronics and Information Technology. Downloaded on January 12,2024 at 12:03:11 UTC from IEEE Xplore. Restrictions apply.
July 6-8, 2023
IIT - Delhi, Delhi, India
IEEE - 56998

Fig. 1. Ransomware attack types (diagram): data encryption with the threat of loss of data (single extortion); data exfiltration with the added threat of posting data to the public domain (double extortion); added threat of a DDoS attack (triple extortion).

Researchers [12–15] have used API calls to detect ransomware. Arabo et al. [12] developed a system which monitors the API calls of each function used by DLLs to detect whether the process is ransomware or not. Other details such as disk usage and thread count are also used in detection. The advantage of their system is that a signature database is not required, and so zero-day ransomware attacks can also be detected. Hampton et al. [13] also used API calls to detect ransomware and claimed that calls to file system APIs and low-level drivers are unusual for processes. The authors supported their claim by presenting an analysis of 14 variants of ransomware. Qin et al. [15] used API calls and Natural Language Processing for ransomware detection. Almousa et al. [14] used API calls and machine learning techniques for the detection of ransomware.

Many researchers [14, 16–19] have used a machine learning approach to detect and analyse ransomware. Sgandurra et al. [16] dynamically analyze and classify ransomware using a machine learning approach. The authors claimed that different ransomware have a set of common features at run-time which helps in the early detection of new variants. Registry entries and API calls are two such classes with the most pertinent characteristics. However, the approach cannot detect ransomware samples that remain dormant for a period of time, wait for user action, or do not perform any action in a sandbox environment. A reverse engineering framework using feature generation engines and supervised machine learning was developed by Poudyal et al. [18] to identify ransomware efficiently. Raw binaries, assembly code, libraries, and function calls are analysed. The authors concluded that static analysis at the ASM level and DLL level distinguishes ransomware from normal binaries in a better way. Aljubory and Khammas [20] presented a method for detecting and classifying ransomware based on machine learning algorithms. Hirano and Kobayashi [17] used a machine learning model on the storage access patterns of ransomware and of a normal application and obtained effective behavioural models of ransomware.

Apart from machine learning, other techniques are also used by researchers. Cabaj and Mazurczyk [21] claimed that software-defined networking could help in avoiding ransomware, while Manavi and Hamzeh [22] used Convolutional Neural Networks for ransomware detection. Poudyal and Dasgupta [23] used an AI-based ransomware detection framework. Moore [24] used a honeypot to detect ransomware activity.

A firmware-based ransomware defence approach has been proposed by Baek et al. [25]. It needs to be embedded into an SSD controller as a form of firmware. Detection is based on the I/O patterns of the host system. The recovery algorithm is triggered on identification of the encryption process, by delaying the deletion feature of the SSD.

CURRENT TRENDS

It is not necessary to develop ransomware in order to perform ransomware attacks. Ransomware-as-a-service (RaaS) is a business model that provides the attacker with an easy entry into ransomware attacks by utilising ransomware developed by some other attacker/group [26-30]. The user purchases already existing ransomware for carrying out attacks on their own and becomes an affiliate of the ransomware group. The ransom payment is shared with the developer. It also helps ransomware developers to focus better on upgrading the software and earn money from their creations without the need to take the time and risk of distributing their threats. Most ransomware groups are providing the RaaS service. Ransomware groups are spending money to attract affiliates with the ultimate aim of increasing their business. Ransomware is also available for sale in the digital market or on the dark web. In October 2020, the REvil group spent USD 1 million on recruiting affiliates [5]. Apart from the RaaS model, there are threat actors who obtain login credentials of organizations and provide or sell them to other actors, referred to as access brokers. In 2022, more than 2,500 access posts were observed, a 112% increase in comparison to 2021, indicating an increase in popularity [8].

Attackers have shifted to using existing tools in the operating system or open-source applications sourced from various code repositories for attacks, as it helps to avoid being caught. Cobalt Strike and Brute Ratel are used for such purposes. Microsoft Sysinternals utilities (PsExec) are used for lateral movement. Non-Sucking Service Manager (NSSM) is used to deploy an executable as a service [3].

Fig. 2. Ransomware attacks count globally for the years 2019-2022 [31] (bar chart; x-axis: Year, 2019 to 2022; y-axis: Number of Ransomware attacks; bar values are not recoverable from the extracted text).

Difficulty in tracing the money trail due to the use of cryptocurrency for ransom; the availability of RaaS and lucrative advertising by ransomware groups; easy development tools to develop ransomware and the use of new techniques of encryption have attracted a large number of attackers, including non-technical attackers, into the ransomware business, thereby resulting in exponential growth in ransomware incidents [26]. Figure 2 presents the number of ransomware attacks that occurred from 2019 to 2022. As can be observed, exponential growth is observed in the number of ransomware cases from 2020 to 2021. However, a slight decrease is observed from 2021 to 2022. The probable cause of the decline is attackers becoming more focused on attacking lucrative organisations rather than attacking any


organisation. Also, organisations have adopted measures for cyber safety.

Figure 3 presents the number of ransomware attacks in the top countries/regions in 2022. On comparing the data, it is observed that in 2022 the top country affected by ransomware was the US, with 1038 posts to extortion sites. Around 50% of the world's ransomware attacks were targeted at the US. The other top affected countries were in western Europe, having developed economies and more resources, which attract attackers with a higher chance of getting a ransom. With the increased economic growth of Asian and South American countries, and due to increased usage of IT, these countries have become the next favourable choice of attackers. Brazil was ahead of India with 55 posts to extortion sites, and India ranked ninth in the top 10 list with 41 posts [1]. In the APAC and Japan region, India is second, following Australia in the list, and is then succeeded by Japan and Taiwan [32].

Fig. 3. Ransomware attacks count in top countries/regions in 2022 [27] (bar chart; x-axis: Country/Region: USA, Western Europe, Canada, Brazil, Australia, India; y-axis: Number of Ransomware attacks, 0 to 1200).

Fig. 4. Percentage increase in the number of ransomware attacks for the years 2020-2022 globally and in the APAC region [1] (bar chart; x-axis: 2020, 2021, 2022; y-axis: % increase, 0 to 40; series: Global, APAC).

In 2022, globally 18% of intrusions involved ransomware, whereas for Asia-Pacific (APAC) countries 32% of intrusions involved ransomware, signifying an increase in ransomware cases in the APAC region [1]. For India, a 53% rise in ransomware incidents was observed in 2022. Figure 4 represents the percentage increase in the number of ransomware attacks for the years 2020-2022 globally and in the APAC group of countries.

Once a ransomware attack has occurred, it is important to detect it, remove it and bring the system back to normal at the earliest. Dwell time for a ransomware attack is defined as the number of days it takes to detect the attacker present in a compromised environment. The lower the dwell time, the more prepared the organization is. Intrusions involving ransomware had a median dwell time of 9 days in 2022, compared to 5 days in 2021 [1]. In India, the dwell time for ransomware attacks is 10 days for large infrastructure networks and 3 days for smaller network infrastructure [3]. Figure 5 presents the dwell time of the APAC region, India and globally for the year 2022.

In the initial days, individual systems were easy targets of ransomware. Later, cybercriminals began attacking organisations and then realized their full potential in making easy money. Due to the impact on production, brand damage and fear of loss of data and revenue, organisations were compelled to pay ransom [4]. Attackers target almost all sectors of organisations, including hospitals, government agencies, and commercial institutions. The critical infrastructure sector is also targeted, to disrupt critical services and compel them to pay a ransom.

Fig. 5. Comparison of dwell time of APAC region, India and globally for the year 2022 [1], [3] (bar chart; x-axis: Country/Region: Global, APAC, India; y-axis: Number of days, 0 to 20).

On the basis of the number of posts to extortion sites, in 2022 the manufacturing sector was the top sector affected by ransomware. 524 posts to extortion sites were observed in the manufacturing sector, while in 2021, 316 ransomware threat notes were observed in the manufacturing sector [1]. These attacks also include attacks on manufacturers' suppliers, as impacting suppliers severely affects the manufacturing sector. For example, Toyota's suppliers were affected in February 2022 and, due to this, Toyota was forced to halt production. In the Indian context, in 2022 IT & IT-enabled Services was the top sector affected by ransomware, followed by Finance and Manufacturing [3].

On the basis of average ransom demand, in 2022 the business sector noted the maximum increase. The average ransom demand rose from $8.4 million in 2021 to $13.2 million in 2022 [33]. On the basis of the average number of records impacted by ransomware attacks on businesses, the count rose from 100,000 in 2021 to almost 900,000 in 2022. On the basis of the number of records impacted by ransomware attacks, in 2022 around 115 million records were impacted, as compared to 49.8 million records in 2021.

Worldwide, 2022 saw many ransomware attacks, some of them being TransUnion South Africa (54 million records affected) and a hack on the AirAsia Group (5 million records affected) [28, 33]. 30 organisations on the Forbes Global 2000 list suffered extortion attempts in 2022 [32]. The top five ransomware attacks in 2022 [6]:

1. Costa Rica Government - In early April, Conti attacked the finance ministry, private import-export businesses, and government services, and later in May, HIVE


affected the Costa Rican social security fund and the healthcare system, which resulted in the declaration of a national emergency.

2. Nvidia - In February, Lapsus$ compromised the world's largest semiconductor chip company, Nvidia, and leaked one terabyte of employee credentials and proprietary information online. The ransom amount demanded was $1 million, including a breach of confidential information.

3. Bernalillo County, New Mexico - On January 5, a ransomware attack hit the security controls in the Metropolitan Detention Center, due to which convicts had to be restricted to their cells. This led to non-compliance with the agreement, and an emergency notice was filed in the federal court.

4. Toyota - During the first quarter of 2022, Toyota suppliers were hacked by LockBit, causing the suspension of operations at all lines at 14 domestic Japanese plants and resulting in a dip in Toyota's overall production capacity.

5. SpiceJet - In May, an attempted ransomware attack on India's SpiceJet airline slowed down SpiceJet flight departures by 6 hours and breached the data of 1.2 million passengers.

As per records, India is the ninth most affected country by ransomware. Recently in India, LockBit 3.0 attacked Fullerton India Credit Ltd., a non-banking financial company, and claimed to have over 600 GB of its sensitive data [27, 29, 34–37]. The group demanded a ransom of around INR 24 crores within a period of 5 days to erase all the exfiltrated data [37]. The top 5 ransomware attacks that occurred in India [38] are:

1. In February, Jawaharlal Nehru Port Container Terminal, which handles half of all the containers in India, was reported to have begun turning away ships after a ransomware attack.

2. In May, Indian airline SpiceJet faced ransomware attacks on the night of Tuesday, 24 May, which slowed the departure of flights the next morning. It left hundreds of passengers stuck at the airport and stranded in several locations in the country.

3. In July, a ransomware attack was carried out on the Water Resources Department in Goa, responsible for flood monitoring systems across all regions of Goa.

4. In October, Tata Power, one of the leading power companies, faced ransomware attacks on 14 October. These attacks impacted their IT infrastructure and systems.

5. In November, India's leading public medical institute experienced a cyber-attack impacting primary healthcare services: discharge, billing, and the patient admission system.

Nothing is safe from ransomware. Apart from Windows, Apple devices have also been affected by ransomware. In 2016, KeRanger ransomware infected an app called Transmission and affected Apple devices until Apple released an update. In 2017, Findzip and MacRansom were discovered, and in 2020 ThiefQuest (aka EvilQuest) exfiltrated data and encrypted files but was unable to contact users to demand a ransom. In early 2023, LockBit was observed to have started targeting Apple devices [39, 40].

Data protection and insurance companies are also now in the picture. In April 2023, data protection providers Rubrik and Zscaler partnered to enable enhanced ransomware protection. The companies integrated Rubrik's Sensitive Data Monitoring & Management SaaS-based data classification, discovery and reporting solutions with the data loss prevention (DLP) technology in Zscaler's data protection offering, which will be available to the two companies' mutual customers [41]. In April 2023, Rubrik, the Zero Trust Data Security Company, doubled its Ransomware Recovery Warranty to $10 million for recovery-related costs [42].

Law enforcement agencies discourage ransom victims from paying the ransom, as it would motivate other attackers to perform ransom attacks. In some cases, it is legally required to report ransomware infections. For example, HIPAA compliance requires reporting any data breach. As per a 2020 advisory from the US Treasury's Office of Foreign Assets Control, legal action would be taken if ransom is paid to attackers from countries under US economic sanctions. However, due to fear of losing data or its disclosure, organisations tend to pay a ransom. In IBM's Cyber Resilient Organization Study 2021, more than 60% of companies which experienced a ransomware attack paid a ransom [5].

RANSOMWARE GROUPS

There are different ransomware groups active in cyberspace. For the year 2022, the top active ransomware groups by posts are LockBit, ALPHV/BlackCat, Conti, Black Basta, Phobos, Hive and Karakurt [30]. Figure 6 shows the contribution of the top 5 ransomware groups in 2022. The Hive ransomware group was reported to be the sixth-most active ransomware group in 2022 according to the volume of its ransomware notes [1]. For the Indian scenario, LockBit, Makop and Djvu/Stop were the top ransomware. LockBit, Hive, ALPHV/BlackCat and Black Basta targeted large organisations, while Makop and Phobos targeted medium and small organisations, and at the individual level Djvu/Stop was prevalent. New entries such as Vice Society, BlueSky etc. were also observed [3]. Table 1 gives a summary of prominent ransomware groups.

From the table, it can be observed that most of the ransomware groups are now providing the RaaS service. Some of the ransomware groups utilise the services of access brokers.

Fig. 6. Top 5 ransomware groups in 2022 [30] (pie chart; segments: LockBit, BlackCat, Conti, Hive, Phobos, Others).


TABLE 1: DIFFERENT RANSOMWARE ACTIVE IN RECENT YEARS
(Columns: Ransomware; Active since year; Country of origin; Attack method; Main features)

ALPHV/BlackCat
  Active since: December 2021
  Country of origin: Russian; considered to be run by former members of the DarkSide and BlackMatter groups
  Attack method:
  - Uses the Rust programming language, providing fast performance and cross-platform capabilities, enabling it to target Apple and Linux as well.
  - Uses PowerShell throughout the victim network to modify Windows Defender security settings.
  Main features:
  - Double extortion.
  - Affiliates get up to 90% of any ransom collected.

Black Basta
  Active since: April 2022
  Country of origin: Russian; seems to be a rebrand of Conti and its affiliates
  Attack method:
  - Uses the ChaCha20 algorithm and RSA-4096 to encrypt files.
  - Uses the Qakbot trojan and the PrintNightmare exploit.
  Main features:
  - Double extortion.
  - Compromises organizations based in English-speaking countries.
  - Targets businesses involved in technology, insurance, manufacturing, and utilities.

Conti
  Active since: 2020
  Country of origin: Russia-based group
  Attack method:
  - Uses customized AES-256 and multithreading, which makes it much faster than most ransomware.
  - Removes Volume Shadow Copies and security checks, and disables real-time monitoring.
  - Encrypts all files except .DLL, .exe, .sys and .lnk files.
  Main features:
  - Mostly affected the manufacturing industry.
  - Managed to obtain more than $50 million.

CryptoLocker
  Active since: September 2013
  Country of origin: Not known
  Attack method:
  - Targeted Windows systems.
  - Used phishing email and the Gameover ZeuS botnet.
  Main features:
  - Ransom of around $3 million was made.

DarkSide
  Active since: August 2020
  Country of origin: Likely to be Russian, but not state-sponsored; code is similar to that of REvil
  Attack method:
  - Uninstalls certain security features and the backup process.
  - Based on a MAC address, a user ID is generated that is appended to each filename.
  - Algorithm: Salsa20.
  - Exploited vulnerabilities of the VMware ESXi hypervisor.
  Main features:
  - Specifically avoids healthcare centres, schools, and non-profit organizations.
  - Checks system language settings and does not attack former Soviet-bloc countries and Syrian Arabic.
  - Attacked the U.S. Colonial Pipeline in May 2021, leading to the shutdown of the pipeline supplying 45% of the U.S. East Coast's fuel.

Djvu/Stop
  Active since: 2018
  Country of origin: Eastern Europe; variant of STOP ransomware
  Attack method:
  - Uses multiple layers of obfuscation to slow verification and analysis.
  - Focuses on Windows operating systems.
  - Gains access to systems through compromised software downloads, whether pirated software or a software crack.
  Main features:
  - Second most detected ransomware.
  - More than 222 ransomware variants.
  - Does not attack CIS countries and terminates itself.

Hive
  Active since: June 2021
  Country of origin: Russian organization
  Attack method:
  - Wide variety of initial access methods depending on the affiliate.
  - Early versions were developed in GoLang.
  - Terminates backups, restores, anti-virus, antispyware, and file copies to avoid anti-malware.
  - To reduce forensic evidence, it creates batch files containing commands to delete Hive's executable, disc backup copies and snapshots.
  Main features:
  - Double extortion.
  - Ransom note contains the login details for the HiveLeaks TOR website, which the victim can use to pay the ransom.
  - Targets healthcare and other Government Facilities, Communications, Critical Manufacturing and IT.

Karakurt
  Active since: 2021
  Country of origin: Not known; indicated that Karakurt and Conti are managed by the same party
  Attack method:
  - Doesn't encrypt data, but steals data.
  - Threatens to sell or post the data on the dark web.
  - Uses extensive harassment campaigns against victims to shame them.
  - Uses access brokers.
  Main features:
  - Prefers small organizations based in the US, the UK, Canada, and Germany.
  - Targets organizations using single-factor Fortigate VPN servers, using legitimate Active Directory credentials.

LockBit
  Active since: September 2019
  Country of origin: Likely to be Russian
  Attack method:
  - Attempts to encrypt data stored at any local or remote device.
  - Ability to self-propagate.
  - Conceals the encrypting executable by hiding it as an image file.
  Main features:
  - Group does not target Russian organizations or former Soviet countries.
  - Targets include organizations in the US, China, India, Indonesia, Ukraine and Western Europe.
  - Attacks large enterprises in the healthcare and financial domains.

Makop
  Active since: 2020
  Country of origin: Not known
  Attack method:
  -  Infects through email attachments (macros), torrent websites and malicious ads.
  - Uses custom-developed and off-the-shelf software tools.
  Main features:
  - Targets companies in Europe and Italy.

Petya and NotPetya
  Active since: March 2016
  Country of origin: Russian government, the Sandworm group
  Attack method:
  - Impacts the system by encrypting the Master File Table of the NTFS file system.
  - Algorithms used: ECDH and Salsa20.
  Main features:
  - In June 2017, a new variant of Petya exploiting EternalBlue appeared, primarily targeting Ukraine.
  - NotPetya was a wiper, with an inability to unlock systems once locked.
  - Damages total nearly $10 billion.

Phobos
  Active since: 2018
  Country of origin: Not known; similar to the Crysis and Dharma virus
  Attack method:
  - Exploits incorrectly configured Remote Desktop Protocol (RDP).
  - Phishing campaigns.
  Main features:
  - Targets smaller organisations and individuals to avoid coming into the eyes of law enforcement agencies.

REvil (also known as Sodin or Sodinokibi)
  Active since: May 2020
  Country of origin: Russian; believed to be an offshoot from GandCrab. DarkSide is an offshoot or a partner of REvil.
  Attack method:
  - Uses double-extortion attacks.
  - Exploited a Kaseya VSA zero-day vulnerability of the server platform.
  - Delivered as a malicious update to the server platform.
  Main features:
  - Attacked a supplier of Apple and stole confidential schematics of their forthcoming products.
  - Group does not target Russian organizations or former Soviet countries.
  - In the 2021 attacks against JBS USA and Kaseya Limited, an $11 million ransom was paid, as its entire U.S. beef processing operation was disrupted and many of its customers observed significant downtime.

Ryuk
  Active since: 2018
  Country of origin: Initially North Korean, but later suspected of being Russian criminal groups
  Attack method:
  - Uses Trickbot or Emotet to install itself after gaining access to a network's servers.
  - Can defeat many anti-malware countermeasures.
  - Can disable backup files when stored on shared servers, and system restore features.
  Main features:
  - Targets large, public-entity Microsoft Windows cybersystems.
  - Ransom demands averaging over $1 million.
  - Reach is global and has affected U.S. hospitals, shutting down access to patient records, and U.S. school systems.

Samsam (also known as MSIL/Samas.A)
  Active since: 2015
  Country of origin: Eastern European hacker group
  Attack method:
  - Exploits Windows servers and employed the JexBoss Exploit Kit for accessing vulnerable JBoss applications.
  - Uses access brokers and propagates through RDP.
  Main features:
  - Mostly targeted critical infrastructure industries, mostly in the US but also internationally.
  - Directs victims to connect via a Tor hidden service site.
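The pre-encryption behaviours Table 1 attributes to several groups (removing Volume Shadow Copies, disabling system restore and real-time monitoring, terminating backups) and the living-off-the-land tools named in the current-trends section (PsExec for lateral movement, NSSM for deploying an executable as a service) leave process-creation records that a defender can watch for before the activation phase starts. The following Python example, added here and not taken from the paper or any product, runs a handful of regex rules over a constructed, Sysmon-like process-creation log and escalates when several distinct precursor behaviours appear close together; the log layout, the rule patterns and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records in an assumed "time|parent|image|command line"
# layout (loosely Sysmon-like; not any real product's format). The last line is a
# benign backup agent that must not alert.
SAMPLE_LOG = r"""
10:01:02|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Users
10:01:05|cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
10:01:06|cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
10:01:09|cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
10:01:15|services.exe|C:\Windows\PSEXESVC.exe|PSEXESVC.exe
10:01:20|cmd.exe|C:\Tools\nssm.exe|nssm.exe install UpdaterSvc C:\Temp\locker.exe
10:02:00|explorer.exe|C:\Program Files\Backup\agent.exe|agent.exe --verify-snapshot
"""

# One rule per precursor behaviour the paper describes; the patterns are this
# example's assumptions about how each behaviour shows up on a command line.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
    ("defender_rt_disabled", re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("psexec_lateral_movement", re.compile(r"\bPSEXESVC\.exe\b", re.I)),
    ("nssm_service_install", re.compile(r"\bnssm(\.exe)?\s+install\b", re.I)),
]

@dataclass
class ProcEvent:
    time: str
    parent: str
    image: str
    cmdline: str

def parse_log(text: str) -> list:
    """Split the pipe-delimited records into ProcEvent objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            time, parent, image, cmdline = line.split("|", 3)
            events.append(ProcEvent(time, parent, image, cmdline))
    return events

def match_rules(ev: ProcEvent) -> list:
    """Rule names whose pattern matches the image path or the command line."""
    haystack = f"{ev.image} {ev.cmdline}"
    return [name for name, rx in RULES if rx.search(haystack)]

def detect(text: str, window: int = 10, min_distinct: int = 2):
    """Return (alerts, escalate).

    alerts lists (event index, time, rule name, command line) for every match.
    escalate is True when at least min_distinct different precursor behaviours
    occur within any window of consecutive events: one shadow-copy deletion may
    be an administrator, several distinct preparations in a row rarely are.
    """
    events = parse_log(text)
    alerts = [(i, ev.time, name, ev.cmdline)
              for i, ev in enumerate(events) for name in match_rules(ev)]
    escalate = any(
        len({n for j, _, n, _ in alerts if i <= j < i + window}) >= min_distinct
        for i, *_ in alerts)
    return alerts, escalate
```

Running detect(SAMPLE_LOG) yields five alerts and escalate=True, while a single shadow-copy deletion on its own produces one alert and no escalation.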
PREVENTIVE MEASURES AND INCIDENT RESPONSE

A ransomware attack starts by gaining access to the system, followed by reconnaissance, in which attackers identify files containing important data and additional credentials to move laterally throughout the network. After this, in the activation phase, the encryption process starts. Deletion of backups and disabling of system restore features is done in this phase. Lastly, a ransom note is left on the system, often via a .txt file or through a pop-up message. It contains information on how to pay the ransom demand.

A. Protective measures to avoid attacks

These include defence-in-depth by using layers of defence; secure email gateways to provide security from targeted attacks; secure web gateways to scan and identify malicious traffic; monitoring tools for servers and the network to detect anomalies; maintaining proper and tested backups of sensitive data and system images on other devices disconnected from the network; applying the latest tested patches; providing regular security awareness training and drills for users; and implementing network protection policies such as least privilege, zero-trust architecture, segmentation of the network, etc.

B. Steps for responding to a ransomware attack

It is reported that 51% of organizations do not have a prescribed ransomware policy [37]. Human error turned out to be the primary cause of data breaches in more than 50% of cases. A tested Business Continuity Plan helps to avoid major operational disruption; without it, it becomes tedious to analyze the harm done to the system and then restore the affected network. The following steps can be taken to minimize damage and quickly return to business as usual in case of a ransomware attack [26].

• Isolate the infected device from the network to contain the infection.

• Disconnect all suspiciously behaving devices from the network to stop the spread of infection.

• Assess the damage by preparing a complete list of all affected systems and devices.

• Prioritize the restoration of systems by restoring the most critical ones first, followed by eradication of the threat from the network.

• If a backup is available, restore the systems from the backup. Otherwise, try the decryption options available online.

• In case of unavailability of backups and a decryption key, start from scratch.

CONCLUSION

Ransomware attackers have evolved their techniques of attack from time to time. A progression from single extortion to triple extortion, and a target shift from individuals to organisations, is observed. Now organisations from which a large quantity of records and more ransom can be obtained are attacked. There is exponential growth in ransomware attacks throughout the world. Although in 2022 a slight decrease is observed in ransomware attacks, due to more focused attacks the amount of data compromised and the ransom demanded have increased. Researchers have proposed different detection techniques, out of which analysis of API calls and the use of machine learning techniques are the most common. Different ransomware groups have been active in recent years, each having different methods of attack and different target organisations. Lastly, only proper user awareness and preventive measures can help in avoiding ransomware attacks.

REFERENCES

[1] Mandiant, "M-Trends", 2023. [Online]. Available: https://www.mandiant.com/m-trends [Accessed May 05, 2023].
[2] Kaspersky, "IT Security Economics 2022 Executive Summary", 2022. [Online]. Available: https://www.kaspersky.com/resource-center/threats/ransomware [Accessed May 05, 2023].
[3] CERT-In, "India Ransomware Report 2022". [Online]. Available: https://www.cert-in.org.in/PDF/RANSOMWARE_Report_2022.pdf [Accessed May 05, 2023].
[4] Malwarebytes, "All about ransomware attacks". [Online]. Available: https://www.malwarebytes.com/ransomware [Accessed May 05, 2023].
[5] IBM, "What is ransomware?". [Online]. Available: https://www.ibm.com/in-en/topics/ransomware [Accessed May 05, 2023].
[6] S. M. Kerner, “Ransomware trends, statistics and facts in 2023.” .
• Identify the entry point by checking for any alerts https://www.techtarget.com/searchsecurity/feature/Ransomware-
from any active monitoring platform and identify the trends-statistics-and-facts [Accessed May 05, 2023].
ransomware by scanning encrypted files and ransom note. [7] A. Gabriella, “2022 Ransomware Statistics & The Biggest
Ransomware Attacks.” https://heimdalsecurity.com/blog/ransomware-
• Reporting the ransomware attack to authorities is statistics/ [Accessed May 05, 2023].
needed as per the rules of law enforcement agencies.

14th ICCCNT IEEE Conference, July 6-8, 2023, IIT - Delhi, Delhi, India (IEEE - 56998)

[8] CrowdStrike, "2023 Global Threat Report." [Online]. Available: https://go.crowdstrike.com/2023-global-threat-report.html [Accessed May 05, 2023].
[9] M. Humayun, N. Z. Jhanjhi, A. Alsayat, and V. Ponnusamy, "Internet of things and ransomware: Evolution, mitigation and prevention," Egyptian Informatics Journal, vol. 22, no. 1, pp. 105–117, Mar. 2021, doi: 10.1016/j.eij.2020.05.003.
[10] I. Yaqoob et al., "The rise of ransomware and emerging security challenges in the Internet of Things," Computer Networks, vol. 129, pp. 444–458, Dec. 2017, doi: 10.1016/j.comnet.2017.09.003.
[11] Monika, P. Zavarsky, and D. Lindskog, "Experimental Analysis of Ransomware on Windows and Android Platforms: Evolution and Characterization," in Procedia Computer Science, vol. 94, 2016, pp. 465–472, doi: 10.1016/j.procs.2016.08.072.
[12] A. Arabo, R. Dijoux, T. Poulain, and G. Chevalier, "Detecting ransomware using process behavior analysis," in Procedia Computer Science, vol. 168, 2020, pp. 289–296, doi: 10.1016/j.procs.2020.02.249.
[13] N. Hampton, Z. Baig, and S. Zeadally, "Ransomware behavioural analysis on Windows platforms," Journal of Information Security and Applications, vol. 40, pp. 44–51, Jun. 2018, doi: 10.1016/j.jisa.2018.02.008.
[14] M. Almousa, S. Basavaraju, and M. Anwar, "API-Based Ransomware Detection Using Machine Learning-Based Threat Detection Models," in 2021 18th International Conference on Privacy, Security and Trust (PST), IEEE, 2021, doi: 10.1109/PST52912.2021.9647816.
[15] B. Qin, Y. Wang, and C. Ma, "API Call Based Ransomware Dynamic Detection Approach Using TextCNN," in Proceedings of the 2020 International Conference on Big Data, Artificial Intelligence and Internet of Things Engineering (ICBAIE 2020), IEEE, Jun. 2020, pp. 162–166, doi: 10.1109/ICBAIE49996.2020.00041.
[16] D. Sgandurra, L. Muñoz-González, R. Mohsen, and E. C. Lupu, "Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection," Sep. 2016. [Online]. Available: http://arxiv.org/abs/1609.03020
[17] M. Hirano and R. Kobayashi, "Machine Learning Based Ransomware Detection Using Storage Access Patterns Obtained From Live-forensic Hypervisor," in Sixth International Conference on Internet of Things: Systems, Management and Security (IoTSMS), Granada, Spain, Oct. 22-25, 2019.
[18] S. Poudyal, K. P. Subedi, and D. Dasgupta, "A Framework for Analyzing Ransomware using Machine Learning," in 2018 IEEE Symposium Series on Computational Intelligence (SSCI), IEEE, 2018, pp. 1692–1699.
[19] G. Usha, P. Madhavan, M. Vimal Cruz, N. A. S. Vinoth, Veena, and M. Nancy, "Enhanced Ransomware Detection Techniques using Machine Learning Algorithms," in Proceedings of the 2021 4th International Conference on Computing and Communications Technologies (ICCCT 2021), IEEE, 2021, pp. 52–58, doi: 10.1109/ICCCT53315.2021.9711906.
[20] N. Aljubory and B. M. Khammas, "Hybrid Evolutionary Approach in Feature Vector for Ransomware Detection," in International Conference on Intelligent Technology, System and Service for Internet of Everything (ITSS-IoE 2021), IEEE, 2021, doi: 10.1109/ITSS-IoE53029.2021.9615344.
[21] K. Cabaj and W. Mazurczyk, "Using software-defined networking for ransomware mitigation: The case of CryptoWall," IEEE Network, vol. 30, no. 6, pp. 14–20, Nov. 2016, doi: 10.1109/MNET.2016.1600110NM.
[22] F. Manavi and A. Hamzeh, "A New Method for Ransomware Detection Based on PE Header Using Convolutional Neural Networks," in Proceedings of the 17th International ISC Conference on Information Security and Cryptology (ISCISC 2020), IEEE, Sep. 2020, pp. 82–87, doi: 10.1109/ISCISC51277.2020.9261903.
[23] S. Poudyal and D. Dasgupta, "AI-Powered Ransomware Detection Framework," in 2020 IEEE Symposium Series on Computational Intelligence (SSCI 2020), IEEE, Dec. 2020, pp. 1154–1161, doi: 10.1109/SSCI47803.2020.9308387.
[24] C. Moore, "Detecting ransomware with honeypot techniques," in Proceedings of the 2016 Cybersecurity and Cyberforensics Conference (CCC 2016), IEEE, Oct. 2016, pp. 77–81, doi: 10.1109/CCC.2016.14.
[25] S. Baek, Y. Jung, D. Mohaisen, S. Lee, and D. H. Nyang, "SSD-Assisted Ransomware Detection and Data Recovery Techniques," IEEE Transactions on Computers, vol. 70, no. 10, pp. 1762–1776, Oct. 2021, doi: 10.1109/TC.2020.3011214.
[26] Trellix, "What Is Ransomware?" [Online]. Available: https://www.trellix.com/en-us/security-awareness/ransomware/what-is-ransomware.html [Accessed May 05, 2023].
[27] Recorded Future, "2022 Annual Report." [Online]. Available: https://www.recordedfuture.com/2022-annual-report [Accessed May 05, 2023].
[28] Thales, "2023 Thales Data Threat Report." [Online]. Available: https://www.thalesgroup.com/en/worldwide/security/press_release/2023-thales-data-threat-report-reveals-increase-ransomware-attacks [Accessed May 05, 2023].
[29] BlackFog, "2022 Ransomware Attack Report," 2023. [Online]. Available: https://www.blackfog.com/2022-ransomware-attack-report [Accessed May 05, 2023].
[30] Sophos, "Sophos 2023 Threat Report." [Online]. Available: https://www.sophos.com/en-us/content/security-threat-report [Accessed May 05, 2023].
[31] Statista, "Annual number of ransomware attacks worldwide from 2017 to 2022." [Online]. Available: https://www.statista.com/statistics/494947/ransomware-attacks-per-year-worldwide/ [Accessed May 05, 2023].
[32] Business Today, "India second most targeted country by ransomware in APAC and Japan region: Report." [Online]. Available: https://www.businesstoday.in/technology/story/india-second-most-targeted-country-by-ransomware-in-apac-and-japan-region-report-374338-2023-03-22 [Accessed May 05, 2023].
[33] SecurityInfoWatch, "Ransomware attacks declined in '22 but more records being compromised." [Online]. Available: https://www.securityinfowatch.com/cybersecurity/article/21292765/ransomware-attacks-declined-in-22-but-more-records-being-compromised [Accessed May 05, 2023].
[34] Proofpoint, "What Is Ransomware?" [Online]. Available: https://www.proofpoint.com/us/threat-reference/ransomware [Accessed May 05, 2023].
[35] NCSC, "Mitigating malware and ransomware attacks." [Online]. Available: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks [Accessed May 05, 2023].
[36] NCSC, "A guide to ransomware." [Online]. Available: https://www.ncsc.gov.uk/ransomware/home [Accessed May 05, 2023].
[37] Times Now, "Update: LockBit 3.0 Ransomware Targets Fullerton India: Company Reverts to Offline Operations as a Precaution." [Online]. Available: https://www.timesnownews.com/technology-science/lockbit-3-0-ransomware-targets-fullerton-india-demand-a-staggering-2400-crores-ransom-in-just-5-days-article-99721253 [Accessed May 05, 2023].
[38] ECS Corp, "Top 5 Ransomware Attacks in India to Watch Out for in 2023." [Online]. Available: https://www.linkedin.com/pulse/top-5-ransomware-attacks-india-watch-out-2023-ecscorp [Accessed May 05, 2023].
[39] N. Ahmed, "Explained: What is LockBit ransomware and why is it targeting macOS?" The Hindu. [Online]. Available: https://www.thehindu.com/sci-tech/technology/explained-lockbit-ransomware-and-why-its-targeting-macos/article66766214.ece [Accessed May 05, 2023].
[40] L. Abrams, "LockBit ransomware encryptors found targeting Mac devices," BleepingComputer. [Online]. Available: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ [Accessed May 05, 2023].
[41] J. Schwartz, "Rubrik, Zscaler Partner to Double Down on Ransomware Protection," Channel Futures. [Online]. Available: https://www.channelfutures.com/security/rubrik-zscaler-ransomware-protection [Accessed May 05, 2023].
[42] Rubrik, "Rubrik Ups the Ante with $10 Million Ransomware Recovery Warranty," GlobeNewswire, Apr. 24, 2023. [Online]. Available: https://www.globenewswire.com/news-release/2023/04/24/2652758/0/en/Rubrik-Ups-the-Ante-with-10-Million-Ransomware-Recovery-Warranty.html [Accessed May 05, 2023].