A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

In recent years, ransomware has been one of the most notorious types of malware targeting end users, governments, and business organizations. It has become a very profitable business for cybercriminals, with revenues of millions of dollars, and a very serious threat to organizations, with financial losses of billions of dollars. Numerous studies have been proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study in the literature gives the complete picture of ransomware and ransomware defense research with respect to the diversity of targeted platforms. Ransomware is already prevalent on PCs/workstations/desktops/laptops, is becoming more prevalent on mobile devices, has recently hit IoT/CPS, and will likely grow further in the IoT/CPS domain very soon, so understanding ransomware and analyzing defense mechanisms with respect to target platforms is becoming more imperative. To fill this gap and motivate further research, in this paper we present a comprehensive survey of ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms. Specifically, covering 137 studies over the period of 1990-2020, we give a detailed overview of ransomware evolution, comprehensively analyze the key building blocks of ransomware, present a taxonomy of notable ransomware families, and provide an extensive overview of ransomware defense research (i.e., analysis, detection, and recovery) with respect to the platforms of PCs/workstations, mobile devices, and IoT/CPS. Moreover, we derive an extensive list of open issues for future ransomware research. We believe this survey will motivate further research by giving a complete picture of state-of-the-art ransomware research.
