Petya Virus Security analysis Conclusions solutions for mail server

THE RANSOMWARE DETECTION AND PREVENTION TOOL DESIGN BY USING SIGNATURE AND ANOMALY BASED DETECTION METHODS

İSTANBUL TECHNICAL UNIVERSITY, 2018

Ransomware, which constantly improves by updating itself and spreading across the network and computing environment, has recently become the most common type of malware used by attackers. Ransomware demands a ransom from the user in return for decrypting the encrypted files. Once the demanded ransom is paid, the files can be opened with the decryption key delivered to the user. Various antivirus products that use the signature-based detection method fail to detect such malware because they perform analysis against hash signature samples held in their databases. Because hash signature samples of zero-day attacks are not recorded in antivirus databases, detecting ransomware with the anomaly-based detection method is more effective. The most important factor for the anomaly-based detection method is the ability to analyze enough data to determine the capabilities and behavior of the ransomware. This method consists of two phases: the "training/learning" phase and the "monitoring/detecting" phase. In the training phase, many academic publications, reports on ransomware from international cyber security vendors, and interviews with cyber security experts were examined and used in producing this study; as a result, the attack vectors of ransomware, its core features, the identification methods and its behavior on Windows operating systems were established. That is, machine learning techniques were not used, and all of this material was instead evaluated as input to the design of our tool. In our study, after presenting the behavior of ransomware in detail, we explain, for the monitoring/detecting phase, how a ransomware detection and prevention tool should be built to detect and prevent ransomware on Windows operating systems.
It is also evident that a tool with a hybrid structure, using the signature-based detection method alongside the anomaly-based detection method, will be even more successful in detecting and preventing ransomware with a minimal false-positive rate and minimal file loss. We consider that this gives users, software developers and security administrators a better perspective on the key features of a ransomware detection and prevention tool that can serve as a solution against ransomware without the high fees of commercial software, and that measures against ransomware can thereby be taken more easily. The Python code of the ransomware detection and prevention tool proposed in our study is also presented in the Appendices. This code, which is open to further development, is intended as an example of how a commercial ransomware detection and prevention tool could be designed and may serve as a guide for future academic studies on ransomware and other malicious software.

Improving Backup System Evaluations in Information Security Risk Assessments to Combat Ransomware

Computer and Information Science, 2018

Ransomware is the fastest growing malware threat and accounts for the majority of extortion-based malware threats, causing billions of dollars in losses for organizations around the world. Ransomware is a global epidemic that afflicts all types of organizations that use computing infrastructure. Once systems are infected and storage is encrypted, victims have little choice but to pay the ransom and hope their data is released, or to start over and rebuild their systems. Either remedy can be costly and time consuming. However, backups can be used to restore data and systems to a known good state prior to the ransomware infection. This makes backups the last line of defense and the most effective remedy in combatting ransomware. Accordingly, information security risk assessments should evaluate backup systems and their ability to address ransomware threats. Yet NIST SP 800-30 does not list ransomware as a specific threat. This study reviews the ransomware process and the functional backup architecture paradigms, assesses their ability to address ransomware attacks, and provides suggestions to improve the guidance in NIST SP 800-30 and in information security risk assessments so that they better address ransomware threats.

Malware-Free Intrusion: A Novel Approach to Ransomware Infection Vectors

The Internet is so diverse that at any given instant someone is clicking a link, opening a file, downloading an email attachment and so forth. Such seemingly benign actions do not always return the expected outcome, because attackers leverage these actions to spread their malware. And malware today spans a broad spectrum of software with varying characteristics, among which is ransomware. Ransomware has come to claim its place in the malware wild because of the philosophy of extortion behind its operations. Ransomware threat actors are seeking ways to deliver their malware payload that do not generate suspicion through unusual network traffic and system calls, by requiring less user input, if any at all. Malware-free intrusions present attack vectors that are so desirable to ransomware threat actors in this respect because they do not employ extra malicious code that would otherwise be detected by intrusion detection and prevention systems. In this paper we explore the use of malware-free backdoors for ransomware payload delivery over a network with RDP-based remote access. We further show that leveraging such backdoors does not require user input while providing a high probability of success, thus adding to the expansion of the available attack surface.

Cyber Security Guidelines for Healthcare Providers Threats and Defense from Ransomware

This paper evaluates the threat vector, the risk assessment and the remediation plan for a specific situation in the healthcare industry. The scope of this paper is the "WannaCry" ransomware event from the perspective of the UK National Health Service (NHS), and it reflects on our awareness of, and ability to respond to, such situations.

Keywords: NHS