Republic of Iraq

Ministry of Higher Education and Scientific Research

Dijlah University College
Department of Computer Science

Ransom viruses

2nd Course 2019-2020

A Report Submitted to the

Department of Computer Science – Computer
Security Class / Dijlah University College as a Partial
Fulfilment of the Requirement Degree of Report

By
‫زيد أسامة عصام محمد صبري‬
‫ الشعبة – بي‬/ ‫– المرحلة الرابعة‬

Supervised By

‫سالم محمد زكي‬.‫د‬

July, 2020 – Baghdad

 Republic of Iraq
Ministry of Higher Education and Scientific Research
Dijlah University College
Department of Computer Science

1. Introduction
Ransom virus is a form of malware, which infects vulnerable computer
systems, preventing the victims from accessing data on that system and in some
cases threatening to erase data if the victim does not pay a ransom in a
stipulated time frame.

Ransom viruses usually infiltrate a computer when a user opens a malicious e-

mail attachment or cloud-based document received from an unknown source.
Once triggered (by opening such attachments), the ransom virus will access the
computer’s (or connected network’s) files and holds them hostage. It also gives
the attacker (ransomware creator) the ability to view, copy, and delete files on
those infected computers.

One typical example of ransom virus is called 'Ded Cryptor' which locks your
computer and files until you are forced to pay a ransom. The payment that it
demands is two Bitcoins which costs several hundred dollars. [1]

Ransom virus has caused quite an uproar in the cybersecurity world, due, in part,
to the recent WannaCry attack that crippled thousands of businesses. When
ransom virus strikes, the number one priority of most users will be to save their
data and restore their computers. However, for many businesses, recovering
their sensitive corporate data is merely the beginning.[1]
 Republic of Iraq
Ministry of Higher Education and Scientific Research
Dijlah University College
Department of Computer Science

2. Virus transplantation to a victim

Various means of distribution of infection have been seen throughout the en-tire
ransomware phenomenon. One of the easiest and most common way is
viaspam. This includes emails, which contain malicious scripts, or documents,
which download and run the malicious samples. Another way is to create fake
websites(usually which include other phishing techniques) which will trick the
user in to downloading and running the file. Both of these can be combined with
the filelessmalware attack, where a malware sample would be loaded directly
into memory,leaving no physical trace (i.e. on the disk).Another frequent method
is to exploit various security flaws found at soft-ware, operating system or
hardware levels. A famous example is WannaCry ran-somware, which would be
distributed via Eternal Blue exploit. This was based on a vulnerability at the
Samba protocol, which allowed an attacker to inject malicious code remotely.
Another example is the second version of SynAck ran-somware, which uses
Process Doppelg a
̈ nging technique.This involves replacing the memory of a
legitimate process through exploiting some Windows built-in functions (NTFS
transactions – in this case) and how the Windows loader works.Both of them are
based on file less malware attacks.A method of distribution which occurred
especially among the Troldesh ran-somware family (which includes Troldesh,
XTBL, Dharma, Crysis) is brute-forcing the credentials through Remote
Desktop Protocol. Once the attacker obtained access, it would manually
disable any security product and then man-ually run the malicious samples.
This also occurs in various cases of botnets and/or coin-miners. What is
interesting is that only on various occasions any of these techniques are part of
an Advanced Persistent Threat, meaning that the attackers are interested in
making as many victims as possible, without restrict-ing their attack to a specific
zone or victim. A few exceptions have been seen on some ransomwares which
 Republic of Iraq
Ministry of Higher Education and Scientific Research
Dijlah University College
Department of Computer Science

will not infect victims based on geographic location (i.e. Gand Crab excepts
Russia IPs). [2]

3. Types of ransomware
There are two main types of ransomware: crypto ransomware and locker ransomware.

Crypto ransomware encrypts valuable files on a computer so that the user cannot access
them.

Cyber thieves that conduct crypto ransomware attacks make money by demanding that
victims pay a ransom to get their files back.

Locker ransomware does not encrypt files. Rather, it locks the victim out of their device,
preventing them from using it. Once they are locked out, cybercriminals carrying out
locker ransomware attacks will demand a ransom to unlock the device.[3]
 Republic of Iraq
Ministry of Higher Education and Scientific Research
Dijlah University College
Department of Computer Science

4. Ransomware examples
Locky: Locky is a type of ransomware that was first released in a 2016 attack by
an organized group of hackers.

With the ability to encrypt over 160 file types, Locky spreads by tricking victims to
install it via fake emails with infected attachments. This method of transmission is
called phishing, a form of social engineering.

Locky targets a range of file types that are often used by designers, developers,
engineers, and testers.[4]

WannaCry: WannaCry is ransomware attack that spread across 150 countries in 2017.

Designed to exploit a vulnerability in Windows, it was allegedly created by the United

States National Security Agency and leaked by the Shadow Brokers group. WannaCry
affected 230,000 computers globally.

The attack hit a third of hospital trusts in the UK, costing the NHS an estimated £92
million. Users were locked out and a ransom was demanded in the form of Bitcoin. The
attack highlighted the problematic use of outdated systems, leaving the vital health
service vulnerable to attack.

The global financial impact of WannaCry was substantial -the cybercrime caused an
estimated $4 billion in financial losses worldwide. [4]

Bad Rabbit: Bad Rabbit is a 2017 ransomware attack that spread using a
method called a ‘drive-by’ attack, where insecure websites are targeted and used
to carry out an attack.
 Republic of Iraq
Ministry of Higher Education and Scientific Research
Dijlah University College
Department of Computer Science

During a drive-by ransomware attack, a user visits a legitimate website, not

knowing that they have been compromised by a hacker.

Drive-by attacks often require no action from the victim, beyond browsing to the
compromised page. However, in this case, they are infected when they click to
install something that is actually malware in disguise. This element is known as a
malware dropper.

Bad Rabbit used a fake request to install Adobe Flash as a malware dropper to
spread its infection. [4]

Ryuk: Ryuk ransomware, which spread in August 2018, disabled the Windows
System Restore option, making it impossible to restore encrypted files without a
backup.

Ryuk also encrypted network drives.

The effects were crippling, and many organizations targeted in the US paid the
demanded ransoms. August 2018 reports estimated funds raised from the attack
were over $640,000. [4]

Troldesh: The Troldesh ransomware attack happened in 2015 and was spread
via spam emails with infected links or attachments.

Interestingly, the Troldesh attackers communicated with victims directly over

email to demand ransoms. The cybercriminals even negotiated discounts for
victims who they built a rapport with — a rare occurrence indeed.
 Republic of Iraq
Ministry of Higher Education and Scientific Research
Dijlah University College
Department of Computer Science

This tale is definitely the exception, not the rule. It is never a good idea to
negotiate with cybercriminals. Avoid paying the demanded ransom at all costs as
doing so only encourages this form of cybercrime. [4]

Jigsaw: Jigsaw is a ransomware attack that started in 2016. This attack got its
name as it featured an image of the puppet from the Saw film franchise.

Jigsaw gradually deleted more of the victim’s files each hour that the ransom
demand was left unpaid. The use of horror movie imagery in this attack caused
victims additional distress. [4]

CryptoLocker: CryptoLocker is ransomware that was first seen in 2007 and

spread through infected email attachments. Once on your computer, it searched
for valuable files to encrypt and hold to ransom.

Thought to have affected around 500,000 computers, law enforcement and

security companies eventually managed to seize a worldwide network of hijacked
home computers that were being used to spread Cryptolocker.

This allowed them to control part of the criminal network and grab the data as it
was being sent, without the criminals knowing. This action later led to the
development of an online portal where victims could get a key to unlock and
release their data for free without paying the criminals. [4]

5. SAFETY METHOD
 Republic of Iraq
Ministry of Higher Education and Scientific Research
Dijlah University College
Department of Computer Science

To deal with ransomware experts given few suggestions to use before and after
infection as:

Step 1: Back Up.

Step 2: Avoid all spam links if unknown. Use Ad blockers can protect against
malvertising. Turning off Java and JavaScript.

Step 3: Patch and Block.

Figure: Flowchart to deal with ransomware

1. To save a system from ransomware attack first step to update the operating system,
sometimes it requires the patches thus installation of patches is next step.
 Republic of Iraq
Ministry of Higher Education and Scientific Research
Dijlah University College
Department of Computer Science

2. Do not use Operating System that is not supporting.

3. Tasks of step 1 are meaningless if the system does not have any updated antivirus, so
it is a suggestion that system must have a good quality antivirus.

4. Cleaning of spam folder must be the next step after a removal of all
malware/spyware.

5. Java script files and website open option is risky so deactivate it at the end of all
precautions. [5]

6. CONCLUSION FUTURE WORK

This work presents few facts about ransomware with its working and suggestion to save
computers from attack. It shows safety guidelines from ransomware that will be helpful
to researchers as well as society to save data in near future. The review discusses a
picture of the evolution of ransomware with its effects on the system, way of working
and tricks to save our data during the attack. [5]

References

1. https://enterprise.comodo.com/ransom-virus-on-computer.php

2.https://www.researchgate.net/publication/330895043_Trends_in_Design_of_Ransomware_V
iruses_11th_International_Conference_SecITC_2018_Bucharest_Romania_November_8-
9_2018_Revised_Selected_Papers
 Republic of Iraq
Ministry of Higher Education and Scientific Research
Dijlah University College
Department of Computer Science

3. https://www.kaspersky.com/resource-center/threats/ransomware-examples
4. https://www.kaspersky.com/resource-center/threats/ransomware-examples

5.https://www.researchgate.net/publication/325777408_Ransomware_Evolution_Target_and_
Safety_Measures