Cryptographic Ransomware Encryption Detection: Survey: Author's Declaration

cover
15 Jun 2024

Authors:

(1) Kenan Begovic, currently a Ph.D. candidate in Computer Science at Qatar University. He received his MS in Information and Computer Security from University of Liverpool;

(2) Abdulaziz Al-Ali ,received the Ph.D. degree in machine learning from the University of Miami, FL, USA, in 2016 and he is currently an Assistant Professor in the Computer Science and Engineering Department, and director of the KINDI Center for Computing Research at Qatar University;

(3) Qutaibah Malluhi, a Professor at the Department of Computer Science and Engineering at Qatar University (QU).

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

CRediT authorship contribution statement

Kenan Begovic: Conceptualization, Methodology, Formal analysis, Resources, Writing – original draft, Writing – review & editing. Abdulaziz Al-Ali: Conceptualization, Validation, Writing – review & editing, Supervision. Qutaibah Malluhi: Conceptualization, Validation, Writing – review & editing, Supervision.

Data availability

No data was used for the research described in the article.

References

Almashhadani, A.O., Kaiiali, M., Sezer, S., O’Kane, P., 2019. A multi-classifier networkbased crypto ransomware detection system: a case study of Locky ransomware. IEEE Access 7, 47053–47067. doi:10.1109/ACCESS.2019.2907485.

A Targeted Campaign Break-Down - Ryuk Ransomware. Check Point Research 2018. https://research.checkpoint.com/2018/ryuk-ransomware-targetedcampaign-break/(accessed December 9, 2021).

Adamov, A., Carlsson, A., Surmacz, T., 2019. An analysis of lockergoga ransomware. In: 2019 IEEE East-West Design & Test Symposium (EWDTS). IEEE, pp. 1–5.

Ahmed, Y.A., Koçer, B., Huda, S., Saleh Al-rimy, B.A., Hassan, M.M., 2020. A system call refinement-based enhanced Minimum Redundancy Maximum Relevance method for ransomware early detection. J. Netw. Comput. Appl. 167, 102753. doi:10.1016/j.jnca.2020.102753.

Aidan, J.S., Verma, H.K., Awasthi, L.K., 2017. Comprehensive survey on petya ransomware attack. In: 2017 International Conference on Next Generation Computing and Information Systems (ICNGCIS). IEEE, pp. 122–125.

Akbanov, M., Vassilakis, V.G., Logothetis, M.D., 2019. Ransomware detection and mitigation using software-defined networking: the case of WannaCry. Comput. Electr. Eng. 76, 111–121. doi:10.1016/j.compeleceng.2019.03.012.

Almomani, I., Qaddoura, R., Habib, M., Alsoghyer, S., Khayer, A.A., Aljarah, I., et al.,2021. Android ransomware detection based on a hybrid evolutionary approach in the context of highly imbalanced data. IEEE Access 9, 57674–57691. doi:10. 1109/ACCESS.2021.3071450.

Almousa, M., Basavaraju, S., Anwar, M., 2021. API-based ransomware detection using machine learning-based threat detection models. In: 2021 18th International Conference on Privacy, Security and Trust (PST), IEEE, pp. 1–7.

Alotaibi, F. M., Vassilakis, V. G. SDN-based detection of self-propagating ransomware: the case of BadRabbit 2021;9:28039–58.

Al-Rimy, B.A.S., Maarof, M.A., Alazab, M., Alsolami, F., Shaid, S.Z.M., Ghaleb, F.A., et al., 2020.

A pseudo feedback-based annotated TF-IDF technique for dynamic crypto-ransomware pre-encryption boundary delineation and features extraction. IEEE Access 8, 140586–140598.

Al-Rimy, B.A.S., Maarof, M.A., Alazab, M., Shaid, S.Z.M., Ghaleb, F.A., Almalawi, A., et al., 2021. Redundancy coefficient gradual up-weighting-based mutual information feature selection technique for crypto-ransomware early detection. Future Gen. Comput. Syst. 115, 641–658.

Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M., 2019. Crypto-ransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection. Future Gen. Comput. Syst. 101, 476–491. doi:10.1016/j.future.2019.06. 005.

Al-rimy, B. A. S., Maarof, M. A., Shaid, S. Z. M. Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions 2018;74:144– 66.

Ameeno, N., Sherry, K., Gagneja, K., 2019. Using machine learning to detect the file compression or encryption. Amity J. Comput. Sci. 3, 6.

Ameer, M., Murtaza, S., Aleem, M., 2018. A study of android-based ransomware: discovery, methods, and impacts. J. Inf. Assurance Security 13.

Analyzing the REvil Ransomware Attack. Qualys Security Blog 2021. https://blog.qualys.com/vulnerabilities-threat-research/2021/07/07/ analyzing-the-revil-ransomware-attack (accessed January 6, 2022).

Arabo, A., Dijoux, R., Poulain, T., Chevalier, G., 2020. Detecting ransomware using process behavior analysis. Procedia Comput. Sci. 168, 289–296. doi:10.1016/j. procs.2020.02.249.

Arntz, P. Explained: domain generating algorithm. malwarebytes labs 2016. https:// blog.malwarebytes.com/security-world/2016/12/explained-domain-generatingalgorithm/ (accessed December 29, 2021).

Azmoodeh, A., Dehghantanha, A., Conti, M., Choo, K.K.R., 2018. Detecting cryptoransomware in IoT networks based on energy consumption footprint. J. Ambient Intell. Human. Comput. 9, 1141–1152. doi:10.1007/s12652-017-0558-5.

Bello, I., Chiroma, H., Abdullahi, U.A., Gital, A.Y., Jauro, F., Khan, A., et al., 2021. Detecting ransomware attacks using intelligent algorithms: recent development and next direction from deep learning and big data perspectives. J. Ambient Intell. Human. Comput. 12, 8699–8717.

Berrueta, E., Morato, D., Magana, E., Izal, M. A Survey on Detection Techniques for Cryptographic Ransomware 2019;7:144925–44.

BlackByte Ransomware – Pt. 1 In-depth Analysis. Trustwave n.d. https: //www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyteransomware-pt-1- in-depth-analysis/ (accessed January 6, 2022).

Blackmailer: the story of Gpcode. n.d. https://securelist.com/blackmailer-the-story-of-gpcode/36089/ (accessed January 4, 2022).

blogs.blackberry.com. Zeppelin: Russian Ransomware Targets High Profile Users in the U.S. and Europe n.d. https://blogs.blackberry.com/en/2019/12/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe (accessed January 5, 2022).

Bold, R., Al-Khateeb, H., Ersotelos, N., 2022. Reducing false negatives in ransomware detection: a critical evaluation of machine learning algorithms. Appl. Sci. 12, 12941.

Dong, C., Lu, Z., Cui, Z., Liu, B., Chen, K., 2021. MBTree: detecting encryption RATs communication using malicious behavior tree. IEEE Trans. Inf. Forensics Secur. 16, 3589–3603. doi:10.1109/TIFS.2021.3071595.

Cabaj, K., Gawkowski, P., Grochowski, K., Osojca, D., 2015. Network activity analysis of CryptoWall ransomware. Przeglad Elektrotechniczny 91, 201–204.

Case Study: AIDS Trojan Ransomware. SDxCentral n.d. https://www.sdxcentral.com/security/definitions/case-study-aids-trojan-ransomware/ (accessed January 4, 2022a).

Case Study: Archievus Ransomware. SDxCentral n.d. https://www.sdxcentral.com/security/definitions/case-study-archievus-ransomware/ (accessed January 4, 2022b).

Chen, Q., Bridges, R.A., 2017. Automated behavioral analysis of malware: a case study of wannacry ransomware. In: 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA), IEEE, pp. 454–460.

CISOMAG. RIplace – A Security Evading Ransomware Technique. CISO MAG | Cyber Security Magazine 2019. https://cisomag.eccouncil.org/ riplace-ransomware-technique/ (accessed January 10, 2022).

Connolly, L. Y., Wall, D. S., Lang, M., Oddson, B. An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability. 2020;6:1–18.

Conti, M., Gangwal, A., Ruj, S., 2018. On the economic significance of ransomware campaigns: a Bitcoin transactions perspective. Comput. Security 79, 162–189.

Conti Ransomware. NHS Digital n.d. https://digital.nhs.uk/cyberalerts/2020/cc-3544 (accessed January 5, 2022).

Continella, A., Guagnelli, A., Zingaro, G., De Pasquale, G., Barenghi, A., Zanero, S., et al. ShieldFS: a self-healing, ransomware-aware filesystem. Proceedings of the 32nd Annual Conference on Computer Security Applications, 2016, p. 336–47.

Crysis Ransomware Gaining Foothold, Sets Sights to Take Over TeslaCrypt - Wiadomosci ´ bezpieczenstwa. ´ n.d. https://www.trendmicro.com/vinfo/pl/ security/news/cybercrime-and-digital-threats/crysis-to-take-over-teslacrypt (accessed February 26, 2022).

Cryzip Ransomware Trojan Analysis. n.d. https://www.secureworks.com/research/cryzip (accessed January 4, 2022).

Dargahi, T., Dehghantanha, A., Bahrami, P.N., Conti, M., Bianchi, G., Benedetto, L., 2019. A Cyber-Kill-Chain based taxonomy of crypto-ransomware features. J. Comput. Virol. Hack Tech. 15, 277–305. doi:10.1007/s11416-019-00338-7.

Dark Web Threat Profile: Grief Ransomware Group. SOCRadar® Cyber Intelligence Inc 2021. https://socradar.io/dark-web-threat-profile-grief-ransomware-group/ (accessed January 6, 2022).

Darktrace for Ransomware. n.d. https://www.darktrace.com/en/ransomware (accessed February 21, 2022).

Dell EMC Cyber Recovery Solution – Cyber and Ransomware Data Recovery. n.d. https://www.dell.com/en-us/dt/data-protection/cyber-recovery-solution.htm (accessed February 21, 2022).

Dimov, D., Tsonev, Y.O., 2020. Measuring and collecting HDD performance metrics on a physical machine during ransomware attack. Inf. Security 47, 317–327.

Dynamic Resolution: Domain Generation Algorithms, Sub-technique T1568.002 - Enterprise | MITRE ATT&CK®. n.d. https://attack.mitre.org/techniques/T1568/ 002/ (accessed December 29, 2021).

Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot. Recorded Future 2020. https://www.recordedfuture.com/ egregor-ransomware-attacks/ (accessed January 5, 2022).

Emm, D., 2008. Cracking the code: the history of Gpcode. Comput. Fraud Security doi:10.1016/S1361-3723(08)70139-8, 2008:15–7.

Endpoint Protection Platform | VMware Carbon Black Endpoint. VMware n.d.https://www.vmware.com/products/carbon-black-cloud-endpoint.html (accessed February 21, 2022).

Enterprise Ransomware Protection & Removal. Trend Micro n.d. https://www.trendmicro.com/en_us/business/capabilities/solutions-for/ransomware.html (accessed February 21, 2022).

Erebus Resurfaces as Linux Ransomware. Trend Micro 2017. https://www.trendmicro.com/en_se/research/17/f/erebus-resurfaces-as-linux-ransomware. html (accessed February 25, 2022).

Eze, K., Akujuobi, C., Sadiku, M., Chhetri, P., 2018. An approach to changing ransomware threat landscape. J. Sci. Eng. Res. 5, 68–74.

Fernández Maimó, L., Huertas Celdrán, A., Perales Gómez, Á.L., García Clemente, F.J., Weimer, J., Lee, I., 2019. Intelligent and dynamic ransomware spread detection and mitigation in integrated clinical environments. Sensors 19 (14248220), 1114.

Fortinet. The 2021 Ransomware Survey Report 2021. GIBON Ransomware. NHS Digital n.d. https://digital.nhs.uk/cyber-alerts/2017/ cc-1791 (accessed January 4, 2022).

GoldSparrow. Revenge Ransomware. Remove Spyware & Malware with SpyHunter - EnigmaSoft Ltd 2017. https://www.enigmasoftware.com/ revengeransomware-removal/ (accessed February 25, 2022).

GoldSparrow. Anubis Ransomware. Remove Spyware & Malware with SpyHunter - EnigmaSoft Ltd 2016. https://www.enigmasoftware.com/ anubisransomware-removal/ (accessed February 25, 2022).

Gómez-Hernández, J.A., Álvarez-González, L., García-Teodoro, P., 2018. R-Locker: Thwarting ransomware action through a honeyfile-based approach. Comput. Security 73, 389–398.

Grossman, J.H., Reid, P.P., Morgan, R.P., 2001. Contributions of academic research to industrial performance in five industry sectors. J. Technol. Transfer 26, 143–152.

Hahn, K. Look for a fix, get malware instead: examining the Cyrat ransomware 2021. https://www.gdatasoftware.com/blog/cyrat-ransomware (accessed January 5, 2022).

Hansberry, A., Lasse, A., Tarrh, A. Cryptolocker: 2013’s most malicious malware. Retrieved February 2014;9:2017.

Herrera Silva, J.A., Barona López, L.I., Valdivieso Caraguay, Á.L., Hernández-Álvarez, M., 2019. A survey on situational awareness of ransomware attacks—detection and prevention parameters. Remote Sens. 11 1168–1168.

Herzog, B., Balmas, Y., 2016. Great crypto failures. Virus Bull. 2016.

Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R., 2020. Know abnormal, find evil: frequent pattern mining for ransomware threat hunting and intelligence. IEEE Trans. Emerg. Top. Comput. 8, 341–351. doi:10.1109/ TETC.2017.2756908.

Hsu, C.M., Yang, C.C., Cheng, H.H., Setiasabda, P.E., Leu, J.S., 2021. Enhancing file entropy analysis to improve machine learning detection rate of ransomware. IEEE Access 9, 138345–138351. doi:10.1109/ACCESS.2021.3114148.

Hu, J.W., Zhang, Y., Cui, Y.P., 2020. Research on Android ransomware protection technology. J. Phys. Conf. Ser. 1584, 012004 IOP Publishing.

Hwang, J., Kim, J., Lee, S., Kim, K., 2020. Two-stage ransomware detection using dynamic analysis and machine learning techniques. Wirel. Personal Commun.: Int. J. 112, 2597–2609. doi:10.1007/s11277-020-07166-9.

Jegede, A., Fadele, A., Onoja, M., Aimufua, G., Mazadu, I.J., 2022. Trends and future directions in automated ransomware detection. J. Comput. Soc. Inform. 1, 17–41.

Jethva, B., Traore, I., Ghaleb, A., Ganame, K., Ahmed, S., 2020. Multilayer ransomware detection using grouped registry key operations, file entropy and file signature monitoring. J. Comput. Security 28, 337–373. doi:10.3233/JCS-191346.

Jiao, J., Zhao, H., Liu, Y., 2021. Analysis and detection of android ransomware for custom encryption. In: 2021 IEEE 4th International Conference on Computer and Communication Engineering Technology (CCET), IEEE, pp. 220–225.

Joshi, Y.S., Mahajan, H., Joshi, S.N., Gupta, K.P., Agarkar, A.A., 2021. Signature-less ransomware detection and mitigation. J. Comput. Virol. Hacking Techn. 17, 299– 306. doi:10.1007/s11416-021-00384-0.

Jung, S., Won, Y., 2018. Ransomware detection method based on context-aware entropy analysis. Soft Comput. 22, 6731–6740. doi:10.1007/s00500-018-3257-z.

Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree SentinelOne. n.d. https://www.sentinelone.com/labs/karma-ransomware-anemerging-threat-with-a-hint-of-nemty-pedigree/ (accessed January 6, 2022).

Kashef, R., Freunek, M., Schwartzentruber, J., Samavi, R., Bulgurcu, B., Khan, A. J., et al. Bridging the bubbles: connecting academia and industry in cybersecurity research. arxiv Preprint arxiv:230213955 2023.

Khammas, B.M., 2020. Ransomware detection using random forest technique. ICT Express 6, 325–331. doi:10.1016/j.icte.2020.11.001.

Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E. {UNVEIL}: a large-scale, automated approach to detecting ransomware. 25th {USENIX} Security Symposium ({USENIX} Security 16), 2016, p. 757–72.

Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again | Mandiant. n.d. https://www.mandiant.com/resources/sabbath-ransomware-affiliate (accessed January 6, 2022).

Kok, S.H., Abdullah, A., Jhanjhi, N.Z., 2020a. Early detection of crypto-ransomware using pre-encryption detection algorithm. J. King Saud Univ.-Comput. Inf. Sci..

Kok, S.H., Azween, A., Jhanjhi, N.Z., 2020b. Evaluation metric for crypto-ransomware detection using machine learning. J. Inf. Security Appl. 55, 102646.

Labs, M. Locky Bart ransomware and backend server analysis. Malwarebytes Labs 2017a. https://blog.malwarebytes.com/threat-analysis/2017/01/ locky-bart-ransomware-and-backend-server-analysis/ (accessed December 9, 2021).

Labs, M., 2017b. Explained: Spora ransomware. Malwarebytes Labs. https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/. accessed February 25, 2022.

Labs, M., 2017c. Explained: Sage ransomware. Malwarebytes Labs. https: //blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/. accessed February 25, 2022.

Lee, K., Lee, S.Y., Yim, K., 2019. Effective ransomware detection using entropy estimation of files for cloud services. In: Esposito, C, Hong, J, Choo, K-KR (Eds.), Pervasive Systems, Algorithms and Networks. Springer International Publishing, Cham, pp. 133–139.

Lee, S., Jho, N., Chung, D., Kang, Y., Kim, M., 2022. Rcryptect: real-time detection of cryptographic function in the user-space filesystem. Comput. Security 112,doi:10.1016/j.cose.2021.102512.

Lemmou, Y., Lanet, J.L., Souidi, E.M., 2021. A behavioural in-depth analysis of ransomware infection. IET Inf. Secur. 15, 38–58. Li, S., Liu, P., 2020. Detection and forensics of encryption behavior of storage file and network transmission data. IEEE Access 8, 145833–145842.

Liao, K., Zhao, Z., Doupe, A., Ahn, G.J., 2016. Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin. In: 2016 APWG Symposium on Electronic Crime Research (eCrime), pp. 1–13. doi:10.1109/ECRIME.2016. 7487938.

Lipovský, R., Štefanko, L., Engineer, D., 2018. Android ransomware: from android defender to Doublelocker. ESET Technol. 6–10.

Loman, M. How ransomware attacks 2019.

LV Ransomware. n.d. https://www.secureworks.com/research/lv-ransomware (accessed January 6, 2022).

Maigida, A.M., Abdulhamid, S.M., Olalere, M., Alhassan, J.K., Chiroma, H., Dada, E.G., 2019. Systematic literature review and metadata analysis of ransomware attacks and detection mechanisms. J. Reliable Intell. Environ. 5, 67–89.

MayArchive.B Description | F-Secure Labs. n.d. https://www.f-secure.com/v-descs/ mayarchive_b.shtml (accessed January 4, 2022).

McIntosh, T., Jang-Jaccard, J., Watters, P., Susnjak, T., 2019. The inadequacy of entropy-based ransomware detection. In: Gedeon, T, Wong, KW, Lee, M (Eds.), Neural Information Processing. Springer International Publishing, Cham, pp. 181–189.

McIntosh, T., Kayes, A.S.M., Chen, Y.P.P., Ng, A., Watters, P., 2021. Dynamic usercentric access control for detection of ransomware attacks. Comput. Security 111, 102461. doi:10.1016/j.cose.2021.102461.

Meet “Tox”: Ransomware for the Rest of Us. McAfee Blog 2015. https://www.mcafee. com/blogs/other-blogs/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us/ (accessed February 24, 2022).

Mehnaz, S., Mudgerikar, A., Bertino, E., 2018. Rwguard: A real-time detection system against cryptographic ransomware. In: International Symposium on Research in Attacks, Intrusions, and Defenses. Springer, pp. 114–136.

Mount Locker Ransomware In The Mix - IBM X-Force Collection. n.d. https://exchange.xforce.ibmcloud.com/collection/Mount-Locker-RansomwareIn-The-Mix-2beadd4d61c2c0c77e1416d7e1b6e0eb (accessed January 5, 2022).

Moussaileb, R., Cuppens, N., Lanet, J. L., Bouder, H. L. A Survey on windows-based ransomware taxonomy and detection mechanisms: case closed? 2021;54:1–36.

Mülders, D. A. C. Network based ransomware detection on the samba protocol. Student thesis: Master. 2017.

N3TW0RM ransomware emerges in wave of cyberattacks in Israel. BleepingComputer n.d. https://www.bleepingcomputer.com/news/security/ n3tw0rm-ransomware-emerges-in-wave-of-cyberattacks-in-israel/ (accessed January 6, 2022).

Naseer, A., Mir, R., Mir, A., Aleem, M. Windows-based Ransomware: A Survey. 2020;15:107–25.

New crypto–ransomware hits macOS. WeLiveSecurity 2017. https://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/ (accessed December 9, 2021).

New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer. Unit42 2016. https://unit42.paloaltonetworks.com/new-os-x-ransomwarekeranger-infected-transmission-bittorrent-client-installer/ (accessed January 6, 2022).

Nicol, D. M., Sanders, W. H., Scherlis, W. L., Williams, L. A. Science of security hard problems: a lablet perspective. Science of Security Virtual Organization Web(Nov 2012) 2012.

Nicol, D. M., Scherlis, W. L., Katz, J., Scherlis, W. L., Dumitras, T., Williams, L. M., et al. Science of security lablets progress on hard problems. Science of Security and Privacy Virtual Organization: http://Cps-vo-Org/Node/21590 Accessed 2015;7:18.

Noberus: Technical analysis shows sophistication of new rust-based ransomware. n.d. https://symantec-enterpriseblogs.security.com/blogs/threat- intelligence/noberus-blackcat-alphv-rust-ransomware (accessed January 6, 2022).

NotPetya Ransomware Attack [Technical Analysis]. CrowdstrikeCom 2017. https://www.crowdstrike.com/blog/petrwrap-ransomware-technicalanalysis-triple-threat-file-encryption-mft-encryption-credential-theft/ (accessed December 9, 2021).

Oz, H., Aris, A., Levi, A., Uluagac, A.S., 2022. A survey on ransomware: evolution, taxonomy, and defense solutions. ACM Comput. Surv. (CSUR) 54, 1–37.

Paik, J.Y., Shin, K., Cho, E.S., 2016. Poster: Self-defensible storage devices based on flash memory against ransomware. In: Proceedings of IEEE Symposium on Security and Privacy.

Park, J., Park, Y., 2020. Symmetric-Key cryptographic routine detection in anti-reverse engineered binaries using hardware tracing. Electronics 9, 957.

Pletinckx, S., Trap, C., Doerr, C., 2018. Malware coordination using the blockchain: an analysis of the cerber ransomware. In: 2018 IEEE conference on communications and network security (CNS), IEEE, pp. 1–9.

PXJ Ransomware Campaign Identified by X-Force IRIS. Security Intelligence 2020. https://securityintelligence.com/posts/pxj-ransomware-campaignidentified-by-x-force- iris/ (accessed January 5, 2022).

Qin, B., Wang, Y., Ma, C., 2020. API call based ransomware dynamic detection approach using TextCNN. In: 2020 International Conference on Big Data, Artificial Intelligence and Internet of Things Engineering (ICBAIE), IEEE, pp. 162–166.

Raheem, A., Raheem, R., Chen, T.M., Alkhayyat, A., 2021. Estimation of ransomware payments in bitcoin ecosystem. In: 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), IEEE, pp. 1667–1674.

RansomEXX Trojan attacks Linux systems. n.d. https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ (accessed January 5, 2022).

Ransomware Detection and Response - Ransomware Solutions | Vectra AI. n.d. https: //www.vectra.ai/solutions/ransomware (accessed February 21, 2022).

Ransomware Maze. McAfee Blogs 2020. https://www.mcafee.com/blogs/other-blogs/ mcafee-labs/ransomware-maze/ (accessed December 29, 2021).

Ransomware Mitigation & Detection Solution - ExtraHop. n.d. https://www. extrahop.com/solutions/security/ransomware-prevention/ (accessed February 21, 2022).

Ransomware Protection: Learn How Veeam Can Protect Your Data. Veeam Software n.d. https://www.veeam.com/ransomware-protection.html?ck=1642616056853 (accessed February 21, 2022).

Ransomware Protection Solution for an Impenetrable Business. Arcserve n.d. https: //www.arcserve.com/ransomware-recovery (accessed February 21, 2022).

Ransomware Protection with Backup for Business - Acronis. n.d. https:// www.acronis.com/en-eu/lp/business/backup/ransomware/ (accessed February 21, 2022).

Ransomware Recap: Patcher Ransomware Targets MacOS - Security News. n.d. https: //www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ ransomware-recap-patcher-ransomware-targets-macos (accessed February 25, 2022a).

Ransomware Recap: Sept. 23, 2016 - Security News - Trend Micro SE. n.d. https: //www.trendmicro.com/vinfo/se/security/news/cybercrime-and-digital-threats/ ransomware-recap-sept-23-2016 (accessed February 25, 2022b).

Ransomware Recovery. Rubrik n.d. https://www.rubrik.com/solutions/ ransomware-recovery (accessed February 21, 2022).

Ransomware Recovery | Reduce Downtime with Rapid Recovery. Cohesity n.d. https: //www.cohesity.com/solutions/ransomware/ (accessed February 21, 2022).

Ransomware Recovery - Commvault. n.d. https://www.commvault.com/ransomware (accessed February 21, 2022).

Rao, S., Simpson, N., Hoeck, M., Rozeman, J. Gartner: Magic Quadrant for Enterprise Backup and Recovery Software Solution 2021.

Reshmi, T.R., 2021. Information security breaches due to ransomware attacks - a systematic literature review. Int. J. Inf. Manage. Data Insights 1, 100013. doi:10. 1016/j.jjimei.2021.100013.

Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit. n.d. https://www.bleepingcomputer.com/news/security/revenge-ransomwarea-cryptomix-variant-being-distributed-by-rig-exploit-kit/ (accessed December 9, 2021).

Roy, K. C., Chen, Q. DeepRan: Attention-based BiLSTM and CRF for Ransomware Early Detection and Classification. 2021;23:299–315.

Russia-based ransomware group Conti issues warning to Kremlin foes | Reuters. n.d. https://www.reuters.com/technology/russia-based-ransomwaregroup-conti-issues-warning-kremlin-foes-2022-02-25/ (accessed February 28, 2022).

Sage 2.0 Ransomware. SANS Internet Storm Center n.d. https://isc.sans.edu/forums/ diary/21959/ (accessed December 9, 2021).

Sala, M. A brief summary of encryption method used in widespread ransomware. Infosec Resources n.d. https://resources.infosecinstitute.com/topic/ a-brief-summary-of-encryption-method-used-in-widespread-ransomware/ (accessed January 7, 2022).

Scala, N.M., Reilly, A.C., Goethals, P.L., Cukier, M., 2019. Risk and the five hard problems of cybersecurity. Risk Anal. 39, 2119–2126.

Scalas, M., Maiorca, D., Mercaldo, F., Visaggio, C.A., Martinelli, F., Giacinto, G., 2019. On the effectiveness of system API-related information for Android ransomware detection. Comput. Security 86, 168–182. doi:10.1016/j.cose.2019.06.004.

Sharma, S., Krishna, C.R., RansomDroid, K.R., 2021. Forensic analysis and detection of Android Ransomware using unsupervised machine learning technique. Forensic Sci. Int.: Dig. Investig. 37, 301168. doi:10.1016/j.fsidi.2021.301168.

Sheen, S., Yadav, A. Ransomware detection by mining API call usage. 2018 International Conference on Advances in Computing, Communications and Informatics (ICACCI), 2018, p. 983–7. doi:10.1109/ICACCI.2018.8554938.

Shevchenko, S., bin Abu Bakar, H. M., Wong, J. Taiwan Heist: Lazarus Tools and Ransomware. Bae Systems Threat Assessment (Baesystemsai Blog Spot Co Nz/2017/10/Taiwan-Heist-Lazarus-Tools Html) 2017.

Sibi Chakkaravarthy, S., Sangeetha, D., Cruz, M.V., Vaidehi, V., Raman, B., 2020. Design of intrusion detection honeypot using social leopard algorithm to detect IoT ransomware attacks. IEEE Access 8, 169944–169956. doi:10.1109/ACCESS.2020. 3023764.

Singleton, C., Wikoff, A., McMillen, D. X-Force Threat Intelligence Index 2021 2021.

SMAUG Ransomware. NHS Digital n.d. https://digital.nhs.uk/cyber-alerts/2020/ cc-3614 (accessed January 5, 2022).

Sophos. The State of Ransomware 2021 2021.

Su, D., Liu, J., Wang, X., Wang, W., 2018. Detecting Android locker-ransomware on Chinese social networks. IEEE Access 7, 20381–20393.

Take a “NetWalk” on the Wild Side. McAfee Blogs 2020. https://www.mcafee.com/ blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/ (accessed January 5, 2022).

Tang, F., Ma, B., Li, J., Zhang, F., Su, J., Ma, J., 2020. RansomSpector: an introspection-based approach to detect crypto ransomware. Comput. Security 97, 101997.

Thanos Ransomware: Destructive variant targeting state-run organizations in the Middle East and North Africa. Unit42 2020. https://unit42.paloaltonetworks. com/thanos-ransomware/ (accessed January 5, 2022).

The rise of TeleBots: Analyzing disruptive KillDisk attacks. WeLiveSecurity 2016. https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzingdisruptive-killdisk-attacks/ (accessed December 9, 2021).

Threat Assessment: Matrix Ransomware. Unit42 2021. https://unit42. paloaltonetworks.com/matrix-ransomware/ (accessed February 25, 2022).

Try2Cry Ransomware - IBM X-Force Collection. n.d. https://exchange.xforce. ibmcloud.com/collection/Try2Cry-Ransomware-ea520c55a8cb033c4196c6a8dd7fcc34 (accessed January 5, 2022).

Umar, R., Riadi, I., Kusuma, R.S., 2021. Network forensics against ryuk ransomware using Trigger, Acquire, Analysis, Report, and Action (TARA) methods. Kinetik: game technology, information system. Comput. Network, Comput., Electron., Control 6, 133–140.

Upadhyaya, R., Jain, A. Cyber ethics and cyber crime: A deep dwelved study into legality, ransomware, underground web and bitcoin wallet. 2016 International Conference on Computing, Communication and Automation (ICCCA), 2016, p. 143–8. doi:10.1109/CCAA.2016.7813706.

Updated, D. S. BlackMatter Ransomware: In-Depth Analysis & Recommendations. Inside Out Security 2021. https://www.varonis.com/blog/blackmatter-ransomware/ (accessed January 6, 2022).

Urooj, U., Al-rimy, B.A.S., Zainal, A., Ghaleb, F.A., Rassam, M.A., 2022. Ransomware detection using the dynamic analysis and machine learning: a survey and research directions. Appl. Sci. 12, 172.

U.S. Department of Health and Human Services Cybersecurity Program. Ransomware Trends 2021 2021.

Usharani, S., Bala, P.M., Mary, M.M.J., 2021. Dynamic analysis on crypto-ransomware by using machine learning: Gandcrab ransomware. J. Phys. Conf. Ser. 1717, 012024 IOP Publishing.

Velasco, L. Exorcist ransomware — from triaging to deep dive. Medium 2020. https://medium.com/@velasco.l.n/exorcist-ransomware-from-triagingto-deep-dive-5b7da4263d81 (accessed January 5, 2022).

Walter, J. Zeoticus 2.0 | Ransomware with No C2 required - SentinelLabs. SentinelOne n.d. https://www.sentinelone.com/labs/zeoticus-2-0-ransomwarewith-no-c2-required/ (accessed January 5, 2022a).

Walter, J. Thanos Ransomware | RIPlace, Bootlocker and More Added to Feature Set - SentinelLabs. SentinelOne n.d. https://www.sentinelone.com/labs/ thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/ (accessed January 10, 2022b).

Walter, J. Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare - SentinelLabs. SentinelOne n.d. https://www.sentinelone.com/labs/ hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/ (accessed January 6, 2022c).

Walter, J. The FONIX RaaS | New Low-Key Threat with Unnecessary Complexities - SentinelLabs. SentinelOne n.d. https://www.sentinelone.com/labs/ the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/ (accessed January 5, 2022d).

Wang, Z., Liu, C., Qiu, J., Tian, Z., Cui, X., Su, S., 2018. Automatically traceback RDP-based targeted ransomware attacks. Wirel. Commun. Mob. Comput. 2018, 1–13.

Weckstén, M., Frick, J., Sjöström, A., Järpe, E., 2016. A novel method for recovery from Crypto Ransomware infections. In: 2016 2nd IEEE International Conference on Computer and Communications (ICCC), IEEE, pp. 1354–1358.

When Viruses Mutate: SunCrypt Ransomware Evolves from QNAPCrypt. Intezer 2021. https://www.intezer.com/blog/malware-analysis/when-viruses-mutatedid-suncrypt-ransomware-evolve-from-qnapcrypt/ (accessed January 5, 2022).

Wood, A.C., Eze, T., 2020. The evolution of ransomware variants. In: Proceedings of the European Conference On Cyber Warfare & Security, pp. 410–420.

Wyke, J., Ajjan, A. The current state of ransomware. SOPHOS A SophosLabs Technical Paper 2015.

Xu, D., Ming, J., Wu, D., 2017. Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping. In: 2017 IEEE Symposium on Security and Privacy (SP), IEEE, pp. 921–937.

Lemmou, Y, Souidi, E.M., 2018. Infection, self-reproduction and overinfection in ransomware: the case of TeslaCrypt. In: 2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), pp. 1–8. doi:10.1109/ CyberSecPODS.2018.8560670.

Yadav, N., Kaur, G., Kaur, S., Vashisth, A., Rohith, C., 2021. A complete study on malware types and detecting ransomware using API calls. In: 2021 9th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions)(ICRITO), IEEE, pp. 1–5.

Yang, H., He, Q., Liu, Z., Zhang, Q. Malicious Encryption Traffic Detection Based on NLP. Security and Communication Networks 2021;2021.

Young, J., Foster, K., Garfinkel, S., Fairbanks, K., 2012. Distinct sector hashes for target file detection. Computer 45, 28–35.

Zavarsky, P., Lindskog, D., 2016. Experimental analysis of ransomware on windows and android platforms: evolution and characterization. Procedia Comput. Sci. 94, 465–472.

Zhang, X. Deep Analysis – The EKING Variant of Phobos Ransomware. Fortinet Blog 2020. https://www.fortinet.com/blog/threat-research/deep-analysis-theeking-variant-of-phobos-ransomware.html (accessed January 5, 2022).

This paper is available on arxiv under CC BY 4.0 DEED license.