
Overinfection in Ransomware

Conference paper
Security in Computing and Communications (SSCC 2018)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 969)

Abstract

Ransomware, the kind of malicious software that prevents users from accessing their data and demands payment of a ransom in order to give this access back, has become a fast-growing problem among computer users. This is why several papers in this field have focused on ways of detecting it or on describing the infection and encryption processes. Our paper examines ransomware from another point of view by describing an interesting property of it, namely overinfection management, or the way multiple infections of the same target are handled. We show that overinfection in ransomware can have four levels: Level 0 ensures that the ransomware is not executed twice at the same time on the same machine, Level 1 avoids re-encrypting files it has already encrypted, Level 2 coordinates between its infections on the same machine, and Level 3 manages the infection across many target machines in the same computer park.


Notes

  1. In [7] the authors discuss ransomware as a cryptovirus. Generally, ransomware does not perform the viral process as it is defined by Cohen [4]. We prefer to replace the word virus by malware or infection as defined by Adleman [2].

  2. Usually, Level 2 of overinfection is managed by a specific key/value in the registry or by a hidden file in a specified directory, for example the user's profile directory. We discuss later the difference between using such a marker at Level 0 and at Level 2 of overinfection.

  3. After the first infection, the ransomware makes a copy of itself and puts it inside any accessible shared directory of the other machines in this computer park.

  4. The computer park is denoted by its fixed device d mentioned in the previous section.

  5. An infected file/machine moved from another computer park \(d'\) has no effect on the infection process in d.
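The four levels from the abstract, together with the mechanisms sketched in Notes 2 to 5, as an added simulation that is not part of the paper and not the authors' code: Level 0 is modelled with an exclusively created lock file (standing in for the named mutex of [13]), Level 1 with a header marker on each "encrypted" file, Level 2 with a marker file in the profile directory (standing in for the registry value or hidden file of Note 2), and Level 3 with a marker on the park's shared directory that names the park d, so that a marker carried in from another park d' is ignored (Note 5). All names, marker strings, park ids and sample files are constructed for the example, the XOR transform is a toy placeholder for the real cipher, and the code only touches a temporary directory it creates itself.

```python
"""Model of the four overinfection levels from the abstract and Notes 2 to 5.

Added example, not the paper's code. Harmless: it only touches files it creates in a
temporary directory, and the XOR "cipher" is a toy stand-in, not cryptography. Every
name below (MAGIC, the marker file names, the park ids) is a constructed stand-in for
the real artifact: a named mutex (Level 0), an already-encrypted marker (Level 1), a
registry value or hidden profile file (Level 2), a marker on the park's share (Level 3).
"""
import os
import pathlib
import tempfile
from types import SimpleNamespace

MAGIC = b"OVERINF1"          # Level 1: prefix that marks a file as already encrypted
TOY_KEY = 0x5A               # toy XOR key so the example runs offline
RUN_LOCK = ".instance.lock"  # Level 0: plays the role of a named mutex
HOST_MARK = ".infected"      # Level 2: plays the role of a registry value / hidden profile file
PARK_MARK = ".park"          # Level 3: marker left on the shared directory of park d

def make_machine(park, root):
    """One target in park `park` with a profile directory and a data directory."""
    m = SimpleNamespace(park=park, profile=root / "profile", data=root / "data")
    m.profile.mkdir(parents=True)
    m.data.mkdir()
    return m

def acquire_instance_lock(machine):
    """Level 0: create the lock atomically; None means an instance is already running.
    O_EXCL stands in for CreateMutex reporting ERROR_ALREADY_EXISTS."""
    try:
        return os.open(machine.profile / RUN_LOCK, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        return None

def release_instance_lock(machine, fd):
    os.close(fd)
    (machine.profile / RUN_LOCK).unlink()

def encrypt_file(path):
    """Level 1: leave already-marked files alone; True only if the file was encrypted now."""
    data = path.read_bytes()
    if data.startswith(MAGIC):
        return False
    path.write_bytes(MAGIC + bytes(b ^ TOY_KEY for b in data))
    return True

def infect(machine, share):
    """One infection run; the returned report records what each level decided."""
    report = {"level0": "ok", "level1_encrypted": 0, "level1_skipped": 0,
              "level2": "new", "level3": None}
    fd = acquire_instance_lock(machine)
    if fd is None:
        report["level0"] = "blocked"
        return report
    try:
        host_mark = machine.profile / HOST_MARK
        if host_mark.exists():
            report["level2"] = "already infected"
            return report
        park_mark = share / PARK_MARK
        # Note 5: a marker that names another park d' has no effect on the infection in d
        if park_mark.exists() and park_mark.read_text() == machine.park:
            report["level3"] = "joined"
        else:
            park_mark.write_text(machine.park)
            report["level3"] = "new"
        for f in sorted(machine.data.iterdir()):
            report["level1_encrypted" if encrypt_file(f) else "level1_skipped"] += 1
        host_mark.write_text(machine.park)
    finally:
        release_instance_lock(machine, fd)
    return report

def make_park(park, n_machines=2, n_files=3):
    """Constructed sample input: n machines, each with small plaintext files, plus one share."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="overinfection-"))
    share = root / "share"
    share.mkdir()
    machines = []
    for i in range(n_machines):
        m = make_machine(park, root / f"m{i}")
        for j in range(n_files):
            (m.data / f"doc{j}.txt").write_bytes(b"sample document %d" % j)
        machines.append(m)
    return machines, share

def demo():
    """Exercise each level once; returns the six reports plus one encrypted file's bytes."""
    (m0, m1), share = make_park("d")
    first = infect(m0, share)             # fresh machine: every file encrypted
    second = infect(m0, share)            # Level 2 marker stops the rerun outright
    (m0.profile / HOST_MARK).unlink()     # marker cleaned away (profile rebuilt, say)
    third = infect(m0, share)             # Level 1 keeps the files from being encrypted twice
    fd = acquire_instance_lock(m1)        # an instance is already running on m1 ...
    concurrent = infect(m1, share)        # ... so Level 0 refuses the second one
    release_instance_lock(m1, fd)
    peer = infect(m1, share)              # Level 3: joins the infection already known in park d
    (m2,), share2 = make_park("e", 1)
    (share2 / PARK_MARK).write_text("d")  # marker carried over from park d into park e (Note 5)
    foreign = infect(m2, share2)          # ... has no effect: park e starts its own infection
    return first, second, third, concurrent, peer, foreign, (m0.data / "doc0.txt").read_bytes()
```

The order of the checks in infect() is the point of the model: the instance lock is taken before anything else, the per-machine marker decides whether the run continues at all, and the per-file marker is the last line of defence that still holds when the per-machine marker has been removed. Running demo() shows each of those decisions in the returned reports.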

References

  1. Sood, A.K., Enbody, R.: Malware design strategies for circumventing detection and prevention controls. Virus Bulletin (2012)

  2. Adleman, L.M.: An abstract theory of computer viruses. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 354–374. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_28

  3. Cimpanu, C.: Wana Decrypt0r ransomware using NSA exploit leaked by Shadow Brokers is on a rampage. BleepingComputer (2017). https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/

  4. Cohen, F.: Computer viruses. Comput. Secur. 6(1), 22–35 (1987)

  5. Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, Los Angeles, 5–9 December 2016, pp. 336–347 (2016)

  6. Filiol, E.: Formalisation and implementation aspects of k-ary (malicious) codes. J. Comput. Virol. 3(2), 75–86 (2007)

  7. Gazet, A.: Comparative analysis of various ransomware virii. J. Comput. Virol. 6(1), 77–90 (2010)

  8. Kharraz, A., Arshad, S., Mulliner, C., Robertson, W.K., Kirda, E.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium, USENIX Security 16, Austin, 10–12 August 2016, pp. 757–772 (2016)

  9. Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 3–24. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_1

  10. Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: PayBreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2017, Abu Dhabi, 2–6 April 2017, pp. 599–611 (2017)

  11. Lemmou, Y., Souidi, E.M.: PrincessLocker analysis. In: International Conference on Cyber Security and Protection of Digital Services (Cyber Security), pp. 1–10, June 2017

  12. Lemmou, Y., Souidi, E.M.: An overview on Spora ransomware. In: Thampi, S.M., Martínez Pérez, G., Westphall, C.B., Hu, J., Fan, C.I., Gómez Mármol, F. (eds.) SSCC 2017. CCIS, vol. 746, pp. 259–275. Springer, Singapore (2017). https://doi.org/10.1007/978-981-10-6898-0_22

  13. MSDN: CreateMutex function. https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms682411%28v=vs.85%29.aspx

  14. Scaife, N., Carter, H., Traynor, P., Butler, K.R.B.: CryptoLock (and drop it): stopping ransomware attacks on user data. In: 36th IEEE International Conference on Distributed Computing Systems, ICDCS 2016, Nara, 27–30 June 2016, pp. 303–312 (2016)

  15. Shivale, S.A.: Cryptovirology: virus approach. CoRR abs/1108.2482 (2011). http://arxiv.org/abs/1108.2482

  16. Young, A., Yung, M.: Cryptovirology: extortion-based security threats and countermeasures. In: Proceedings 1996 IEEE Symposium on Security and Privacy, pp. 129–140, May 1996

  17. Young, A.L.: Cryptoviral extortion using Microsoft's crypto API. Int. J. Inf. Secur. 5(2), 67–76 (2006)


Acknowledgements

We thank Dr. Vesselin Bontchev and Dr. Afaf Hamzaoui for their useful remarks and suggestions.

Author information

Corresponding author: Yassine Lemmou


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Lemmou, Y., Souidi, E.M. (2019). Overinfection in Ransomware. In: Thampi, S., Madria, S., Wang, G., Rawat, D., Alcaraz Calero, J. (eds) Security in Computing and Communications. SSCC 2018. Communications in Computer and Information Science, vol 969. Springer, Singapore. https://doi.org/10.1007/978-981-13-5826-5_39


  • DOI: https://doi.org/10.1007/978-981-13-5826-5_39
  • Publisher Name: Springer, Singapore
  • Print ISBN: 978-981-13-5825-8
  • Online ISBN: 978-981-13-5826-5
  • eBook Packages: Computer Science (R0)
