{
"namespace": "ransomware",
"expanded": "ransomware types and elements",
"description": "This taxonomy describes ransomware types, the elements that compose or accompany a ransomware infection, and the complexity level of its encryption scheme, which determines how recoverable the victim's files are.",
"version": 1,
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf"
],
"predicates": [
{
"value": "type",
"expanded": "Type",
"description": "Type is used to describe the type of a ransomware and how it works."
},
{
"value": "element",
"expanded": "Element",
"description": "Elements that compose, or are linked to, a ransomware and its execution."
},
{
"value": "complexity-level",
"expanded": "Complexity level",
"description": "Level of complexity of the ransomware, in particular of its encryption and key-management scheme; the entries range from weaknesses that make files trivially recoverable without paying to an encryption model with no known flaw."
}
],
"values": [
{
"predicate": "type",
"entry": [
{
"value": "scareware",
"expanded": "Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software."
},
{
"value": "locker-ransomware",
"expanded": "Locker ransomware, also called computer locker, denies access to the computer or device itself (typically by locking the screen or the boot process) rather than to individual files."
},
{
"value": "crypto-ransomware",
"expanded": "Crypto ransomware, also called data locker, prevents access to files or data. Crypto ransomware does not necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does."
}
]
},
{
"predicate": "element",
"entry": [
{
"value": "ransomnote",
"expanded": "A ransom note is the message left by the attacker to threaten the victim and demand a ransom. It is usually seen as a text file written alongside the affected data or as a picture set as the desktop background."
},
{
"value": "dropper",
"expanded": "A dropper is a means of getting malware onto a machine while bypassing security checks, by carrying the malicious payload embedded inside itself and writing it out at run time."
},
{
"value": "downloader",
"expanded": "A downloader is a means of getting malware onto a machine while bypassing security checks, by fetching the payload from a remote location at run time instead of carrying it inside itself."
}
]
},
{
"predicate": "complexity-level",
"entry": [
{
"value": "no-actual-encryption-fake-scareware",
"expanded": "No actual encryption (fake scareware). The infection merely poses as ransomware by displaying a ransom note while not actually encrypting user files; the data is intact and no decryption is required."
},
{
"value": "display-ransomnote-before-encrypting",
"expanded": "Displaying the ransom note before the encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware: the victim or their antivirus solution can take prompt evasive action (for example isolating or powering off the machine) to prevent the ransomware from commencing encryption."
},
{
"value": "decryption-essentials-extracted-from-binary",
"expanded": "Decryption essentials can be reverse engineered from the ransomware code or from the user's system. For example, if the ransomware uses a hard-coded key, it becomes straightforward for malware analysts to extract the key by disassembling the ransomware binary."
},
{
"value": "derived-encryption-key-predicted",
"expanded": "Another way of reverse engineering the key is demonstrated by the Linux.Encoder.A ransomware, where a timestamp on the system was used as the seed to derive the encryption keys, resulting in easy decryption provided that the timestamp is still accessible."
},
{
"value": "same-key-used-for-each-infection",
"expanded": "The ransomware uses the same key for every victim. If the same key is used to encrypt all victims during a campaign, then a single victim who obtains the key can share it with all the others."
},
{
"value": "encryption-circumvented",
"expanded": "Decryption possible without the key: files can be decrypted without the need for a key because of a poor choice or implementation of the encryption algorithm. Consider the case of desuCrypt, which used the RC4 stream cipher with a reused key. Reusing a stream-cipher keystream lets an analyst XOR two ciphertexts together to cancel the keystream, so a single known plaintext (such as a standard file header) recovers the other plaintexts; this key-reuse vulnerability makes it a poor implementation of the encryption algorithm."
},
{
"value": "file-restoration-possible-using-shadow-volume-copies",
"expanded": "Files can be restored from system backups, e.g. Shadow Volume Copies on the NTFS file system, that the ransomware neglected to delete."
},
{
"value": "key-recovered-from-file-system-or-memory",
"expanded": "Decryption key can be recovered from the file system or from memory, e.g. because the ransomware writes the key to disk or leaves it in process memory after encryption."
},
{
"value": "due-diligence-prevented-ransomware-from-acquiring-key",
"expanded": "Due diligence prevented the ransomware from acquiring its encryption key, e.g. because outbound traffic to the command-and-control server was blocked or the server was unreachable before encryption could start."
},
{
"value": "click-and-run-decryptor-exists",
"expanded": "A click-and-run decryptor exists: a publicly available tool recovers the encrypted files without the victim having to pay the ransom."
},
{
"value": "kill-switch-exists-outside-of-attacker-s-control",
"expanded": "A kill switch exists outside of the attacker's control, e.g. a domain, file or other condition checked by the ransomware that a third party can satisfy to stop the infection or the encryption."
},
{
"value": "decryption-key-recovered-from-a-C&C-server-or-network-communications",
"expanded": "Decryption key can be recovered from a command-and-control (C&C) server or from captured network communications, e.g. because the key is transmitted in clear text or the server can be seized or accessed."
},
{
"value": "custom-encryption-algorithm-used",
"expanded": "A custom (home-grown) encryption algorithm is used instead of a standard, peer-reviewed cipher; such algorithms frequently contain weaknesses that allow cryptanalysis and decryption without the key."
},
{
"value": "decryption-key-recovered-under-specialized-lab-setting",
"expanded": "Decryption key can only be recovered under a specialized lab setting, e.g. through memory forensics or hardware-assisted analysis, so recovery is possible in principle but not practical for most victims."
},
{
"value": "small-subset-of-files-left-unencrypted",
"expanded": "A small subset of files is left unencrypted, e.g. because of file size, extension or path filters in the ransomware, so some data survives the infection."
},
{
"value": "encryption-model-is-seemingly-flawless",
"expanded": "Encryption model is seemingly flawless: no implementation or key-management weakness is known, so files cannot be recovered without the attacker's key."
}
]
}
]
}