In-Depth Analysis of Ransom Note Files

Lanet, Jean‐Louis; Souidi, El Mamoun

doi:10.3390/computers10110145

Cited by 3 publications

(3 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some reasons why this rate was not even higher were that some ransomware strains do not create ransom notes, some ransom notes were actual graphics and some ransomware strains changed the desktop background to display the ransom message. This is a promising finding as many ransomware strains create the ransom note prior to the encryption [63] of the data and a successful interception at this point in the attack would be beneficial.…”

Section: Evaluation and Discussionmentioning

confidence: 99%

“…There are normally several characteristics of this Ransom note file that can be used to distinguish it from other files. The file is normally below one KB in size, is plain text and usually contains some specific keywords such as: encrypted, ransom, tor, onion, recover, wallet, bitcoin [63]. In this test, the actual file name is also analysed for typical ransom note file name strings such as:decrypt, readme, restore and helpme.…”

Section: File Content Analysismentioning

confidence: 99%

See 1 more Smart Citation

Majority Voting Ransomware Detection System

Davies¹,

Macfarlane²,

Buchanan³

2023

JIS

View full text Add to dashboard Cite

Crypto-ransomware remains a significant threat to governments and companies alike, with high-profile cyber security incidents regularly making headlines. Many different detection systems have been proposed as solutions to the ever-changing dynamic landscape of ransomware detection. In the majority of cases, these described systems propose a method based on the result of a single test performed on either the executable code, the process under investigation, its behaviour, or its output. In a small subset of ransomware detection systems, the concept of a scorecard is employed where multiple tests are performed on various aspects of a process under investigation and their results are then analysed using machine learning. The purpose of this paper is to propose a new majority voting approach to ransomware detection by developing a method that uses a cumulative score derived from discrete tests based on calculations using algorithmic rather than heuristic techniques. The paper describes 23 candidate tests, as well as 9 Windows API tests which are validated to determine both their accuracy and viability for use within a ransomware detection system. Using a cumulative score calculation approach to ransomware detection has several benefits, such as the immunity to the occasional inaccuracy of individual tests when making its final classification. The system can also leverage multiple tests that can be both comprehensive and complimentary in an attempt to achieve a broader, deeper, and more robust analysis of the program under investigation. Additionally, the use of multiple collaborative tests also significantly hinders ransomware from masking or modifying its behaviour in an attempt to bypass detection. The results achieved by this research demonstrate that many of the proposed tests achieved a high degree of accuracy in differentiating between benign and malicious targets and suggestions are offered as to how these tests, and combinations of tests, could be adapted to further improve the detection accuracy.

show abstract

Section: Evaluation and Discussionmentioning

confidence: 99%

Section: File Content Analysismentioning

confidence: 99%

Majority Voting Ransomware Detection System

Davies¹,

Macfarlane²,

Buchanan³

2023

JIS

View full text Add to dashboard Cite

show abstract

“…Based on an OCR (Optical Character Recognition) process, the message and the payment instructions are recovered. More recently, the authors of reference [222] propose studying files related to ransomware to identify it. For that, LSA (Latent Semantic Analysis), used to seek similarities among files, and ML, used to classify files as benign or malicious, are implemented.…”

Section: Data Sourcementioning

confidence: 99%

Crypto-Ransomware: A Revision of the State of the Art, Advances and Challenges

Gómez Hernández,

García Teodoro,

Magán Carrión

et al. 2023

Electronics

View full text Add to dashboard Cite

According to the premise that the first step to try to solve a problem is to deepen our knowledge of it as much as possible, this work is mainly aimed at diving into and understanding crypto-ransomware, a very present and true-world digital pandemic, from several perspectives. With this aim, this work contributes the following: (a) a review of the fundamentals of this security threat, typologies and families, attack model and involved actors, as well as lifecycle stages; (b) an analysis of the evolution of ransomware in the past years, and the main milestones regarding the development of new variants and real cases that have occurred; (c) a study of the most relevant and current proposals that have appeared to fight against this scourge, as organized in the usual defence lines (prevention, detection, response and recovery); and (d) a discussion of the current trends in ransomware infection and development as well as the main challenges that necessarily need to be dealt with to reduce the impact of crypto-ransomware. All of this will help to better understand the situation and, based on this, will help to develop more adequate defence procedures and effective solutions and tools to defeat attacks.

show abstract