Ransomware, also known as Scareware, is over ten years old and has increased by over 500 percent up to 2013. Reports show that 2015-2016 also saw a 300 percent increase.

An understanding of how the attacks are perpetrated is necessary to defend against them. Over one thousand Ransomware samples were examined and grouped into 15 varieties, such as 'Cryptolocker' and 'CryptoWall'. A CryptoWall attack can delete backup files on a system to prevent it from being restored.

Experiments were also set up and analysed, and the system was cleaned of the malware code. The authors showed that Ransomware like 'Cryptolocker' overwrites a legitimate file on a victim's computer and replaces it with an encrypted file containing the malicious code. Once the system files become encrypted, they are nearly impossible to decrypt without the necessary key.

One typical method found was that the Ransomware created a new desktop carrying its message and then locked the desktop.

The paper shows that it is possible to detect or thwart attacks by the following methods:

API (Application Programming Interface) call monitoring

This would require software that could detect any unusual sequences of code and stop them from running. Dormant ransomware files can be left in the system registry and only start working when the system restarts.

Monitoring the file system activity

The research showed a vastly increased number of MFT (Master File Table) requests when Ransomware activity is initiated. The Master File Table can be monitored for unusual file deletion and creation activity, which is still a useful defence tactic.
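The kind of check described above can be sketched as a sliding-window detector over file-system events. This is an added example, not code from the paper: the event format, process names, paths, the `.locked` suffix and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque

def sample_events():
    """Constructed file-system events: (seconds, process, operation, path)."""
    docs = "C:\\Users\\a\\Documents\\"
    events = [(0.0, "winword.exe", "CREATE", docs + "report.docx"),
              (40.0, "winword.exe", "DELETE", docs + "~tmp1.tmp")]
    for i in range(12):  # hypothetical process replacing 12 files in 6 seconds
        t = 100.0 + i * 0.5
        events.append((t, "updater.exe", "CREATE", f"{docs}file{i}.docx.locked"))
        events.append((t + 0.1, "updater.exe", "DELETE", f"{docs}file{i}.docx"))
    return sorted(events)

def replaced_files(window_events):
    """Count deleted paths that have a newly created sibling 'path.<suffix>'."""
    created = {p for _, op, p in window_events if op == "CREATE"}
    deleted = {p for _, op, p in window_events if op == "DELETE"}
    return sum(any(c.startswith(d + ".") for c in created) for d in deleted)

def detect_bursts(events, window=10.0, min_events=20, min_replaced=5):
    """Return {process: first alert time} for create/delete bursts that also
    replace at least `min_replaced` files inside one sliding window."""
    recent = defaultdict(deque)  # process -> events still inside the window
    alerts = {}
    for ts, proc, op, path in events:
        if op not in ("CREATE", "DELETE") or proc in alerts:
            continue
        q = recent[proc]
        q.append((ts, op, path))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= min_events and replaced_files(q) >= min_replaced:
            alerts[proc] = ts
    return alerts

if __name__ == "__main__":
    for proc, ts in detect_bursts(sample_events()).items():
        print(f"ALERT {proc}: create/delete burst at t={ts:.1f}s")
```

Requiring both a high event rate and a count of replaced files keeps ordinary editor activity, such as the two `winword.exe` events in the sample, below the alert threshold.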
