A Ransomware Classification Framework Based on File-Deletion and File-Encryption Attack Structures
Aaron Zimba, Mumbi Chishimba, Sipiwe Chihana

TL;DR
This paper introduces a classification framework for ransomware based on attack structures, helping to understand their severity and potential for data recovery, which can inform better mitigation strategies.
Contribution
It proposes a novel ransomware categorization framework based on attack structures, aiding in assessing severity and recovery potential.
Findings
Many ransomware families exhibit flaws that allow data recovery without paying the ransom.
Higher-severity categories (CAT4, CAT5) are better mitigated by encryption.
Lower categories (CAT1, CAT2) are easily mitigated without decryption.
Abstract
Ransomware has emerged as an infamous malware that has not escaped a lot of myths and inaccuracies from media hype. Victims are not sure whether or not to pay a ransom demand without fully understanding the lurking consequences. In this paper, we present a ransomware classification framework based on file-deletion and file-encryption attack structures that provides a deeper comprehension of potential flaws and inadequacies exhibited in ransomware. We formulate a threat and attack model representative of a typical ransomware attack process from which we derive the ransomware categorization framework based on a proposed classification algorithm. The framework classifies the virulence of a ransomware attack to entail the overall effectiveness of potential ways of recovering the attacked data without paying the ransom demand as well as the technical prowess of the underlying attack…
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Network Security and Intrusion Detection
