Skip to main content

A Brief Description of Ransomware Attacks

· 9 min read

My submission for IE4758 Information Security 2022 Assignment

"It has been reported that the number of ransomware attacks have significantly increased as many people are still working from home and the number of online users has significantly increased. Thus, the purpose of this assignment is to research and highlight how cyber criminals are launching ransomware attacks and how businesses, governments and individuals are developing policies and are using technology for protection."

Ransomware attacks have been on the rise amid the global pandemic. Part of the reason being that more people are online for both work and leisure. The demand for internet services has increased to reflect this change in lifestyle. While the convenience of online services benefits us in carrying out our daily activities, malicious actors are capturing this opportunity to target governments, businesses as well as individuals to profit from the lack of information security. It has been reported that in Singapore, about 1.16 million US dollars have been paid out on average to ransomware attackers in the year of 2021.1 This puts Singapore at the 6^th^ place in the chart of countries with highest average ransom payments. Across the globe, companies have also fallen prey to ransomware attacks. JBS, the world's largest meat packer, halted its operations in North America and Australia due to suspension of cyber systems that were attacked.2 The ramifications of ransomware attacks highlight the importance of prevention and protection against the cyber criminals with effective security policies and best-practices.

Elements of ransomware attacks

Overview

Ransomware is a term to describe ransom malware, which is a type of malware that prevents users from accessing their system or personal files. The attackers then demand ransom payment in exchange for the data. The ransom is typically paid in Bitcoins or other cryptocurrencies to reduce traceability. Despite payment, it is worth noting that there is no guarantee that the hackers will return or decrypt the data.

Types of ransomware

In general, there are three types of ransomwares: Crypto ransomware, Locker ransomware, and Scareware.

Fig1 Types of ransomware3

How cyber criminals are launching ransomware attacks

To launch ransomware attacks, cyber criminals typically perform the following:

Creating ransomware

Besides developing custom and novel ransomware, novice cyber criminals are also able to launch attacks with easily obtainable ransomware toolkits and via RaaS (ransomware as a service). RaaS allows ransomware developers to generate variations of an existing ransomware and sell it for a profit.

Distributing ransomware

Most ransomwares are distributed through phishing via emails or deceptive links on vulnerable websites. The target group unknowingly opens an attachment or clicks on a hyperlink that results in the download of malicious software. Such software then requests for execution permission (or exploits existing vulnerabilities) and proceeds with harmful activities in the computing devices.

Setting up command and control servers

Some ransomware will require external servers that they use to store encryption/decryption keys and look up dynamic pricing according to the IP address of the infected machine.

Receive payment and decryption process

After a ransomware has encrypted files or blocked system functionalities, it typically reveals an instruction to notify the user on the attack and how payment is expected. Such instructions would include steps to purchase Bitcoin and describe how decryption can be done.

Fig2. Hybrid approach to encrypt and decrypt a user's data4

Defence against ransomware attacks

How are governments, businesses, and individuals affected by ransomware

While all parties that are hit by ransomware encounter destruction to their digital information and private data, ransomware criminals have differentiated approaches to deal with different groups of victims. While the criminals demand payment to recover data, businesses and governments are generally required to pay a larger sum due to their ability to pay and the urgency to continue operation. Businesses also have a huge interest in protecting their reputation should the cyber criminals threaten to release the encrypted data online. As for governments, they typically hold more sensitive personal data which may have a wide impact if breached.

Defence against ransomware attacks generally involve a combination of policy and technology. While technical advances in anti-virus and ransomware research can help make machines less vulnerable to ransomware attacks, human actions are often the weak point of the system. In addition to prevention, policies are also important should the event of a ransomware attack happen. A response checklist will be effective when dealing and recovering from a ransomware attack.

Prevention

To prevent ransomware attacks requires both hardware protections and human intervention.

Secure data and devices

Since files are typically under attack by ransomware, it is important to maintain offline, encrypted backups of data. For cloud infrastructures, it may also be useful to maintain an image of critical systems for rebuilding them in the event of compromise. A periodic schedule should be created to patch bugs and known vulnerabilities.5 In addition, anti-virus and network firewalls should be installed and updated to filter out potentially harmful network requests.

Education

By providing training and workshops to share best practices, we will be less likely to fall for phishing attacks and naively bring ransomware into the system. Education about cyber security can also highlight high risk activities such as downloading unverified email attachments and executing malicious macros hidden in Excel spreadsheets. Other measures such as improving password security and understanding configurations and system settings may also go a long way to help keep attackers out of the system.

Drills and insurance

Safety drills may be helpful for governments and businesses to detect potential loopholes in the current defence system, by simulating an attack and analyse the response. In addition, Cyber insurance can provide coverage against ransomware. In the state of ransomware 2022 report6, 89% of those hit by ransomware have cyber insurance.

Response

As it is difficult to prevent ransomware attacks due to resource constraints and human errors, a proper response plan is required to actively react to the attacks. This involves setting up cybersecurity budgets and an incident response plan. The plan may include details such as immediate response by investigating and isolating affected servers and machines to reduce further damage, engaging in negotiation with the cyber criminals, recovering loss of assets from backups and setting up temporary alternatives that are required to maintain business operations.

Recovery

Recovery from ransomware attacks is a continued effort from the active response to prevent future attacks. This means engaging law enforcement and cyber security firms to evaluate, analyse, and rebuild the system to mitigate security risks.7 While paying the cyber criminals could be cost-effective, it is largely an undesirable solution as it funds the cyber criminals further and may not always guarantee the return of the digital assets.

Challenges and advancements

With more information online and the recent advances in blockchain based technology, we may need to caution ourselves against block-chain based ransomware8 schemes that could use smart contracts to automate and attack with a more irreversible effect.

While ransomwares have grown to be a billion-dollar business, research on how to identify and protect against them also improved over the years. Besides a signature-based detection that may be inadequate, machine learning approaches9 have been applied to train and then spot ransomware accurately.

Conclusion

The battle against ransomware attacks is an arduous and relentless one. As humans further integrate their lives into the digital world, the attack vectors continue to increase over the years. Hence, education about information security and vigilance in carrying out measures to safeguard ourselves against attacks will continue to be necessary and important in keeping our information safe and secure.

Citations

  • Andronio, N., Zanero, S., & Maggi, F. (2015, November). Heldroid: Dissecting and detecting mobile ransomware. In international symposium on recent advances in intrusion detection (pp. 382-404). Springer, Cham.

  • Al-rimy, B. A. S., Maarof, M. A., Prasetyo, Y. A., Shaid, S. Z. M., & Ariffin, A. F. M. (2018). Zero-day aware decision fusion-based model for crypto-ransomware early detection. International Journal of Integrated Engineering, 10(6).

  • Alshaikh, H., Ramadan, N., & Hefny, H. A. (2020). Ransomware prevention and mitigation techniques. Int J Comput Appl, 117, 31-39.

  • Aurangzeb, S., Aleem, M., Iqbal, M. A., & Islam, M. A. (2017). Ransomware: a survey and trends. Journal of Information Assurance & Security, 6(2), 48-58.

  • Delgado-Mohatar, O., Sierra-Cámara, J. M., & Anguiano, E. (2020). Blockchain-based semi-autonomous ransomware. Future Generation Computer Systems, 112, 589-603.

  • Low, D. (2022, August 30). Ransomware attacks threaten nations, 137 s'pore firms fell prey in 2021: CSA. The Straits Times. Retrieved September 19, 2022, from https://str.sg/wD9K

  • Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 8(5), 1938-1940.

  • Ransomware guide. CISA. (n.d.). Retrieved September 27, 2022, from https://www.cisa.gov/stopransomware/ransomware-guide

  • Richardson, R., & North, M. M. (2017). Ransomware: Evolution, mitigation and prevention. International Management Review, 13(1), 10.

  • Rosenberg, J. M. (2015, April 8). A Q&A about the malicious software known as ransomware. Retrieved April 8, 2015, from http://www.salon.com/2015/04/08/a_qa_about_the_malicious_software_known_as_ransomware/

  • The state of ransomware 2022 - sophos. (n.d.). Retrieved September 27, 2022, from https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf

  • US says ransomware attack on Meatpacker JBS likely from Russia; Cattle Slaughter resuming. The Straits Times. (2021, June 3). Retrieved September 19, 2022, from https://str.sg/3krC

  • Zetter, K. (2015, September 17). Hacker lexicon: A guide to Ransomware, the scary hack that's on the rise. Retrieved from Security, https://www.wired.com/2015/09/hacker-lexicon-guideransomware-scary-hack-thats-rise/

End

Footnotes

  1. Low, D. (2022, August 30). Ransomware attacks threaten nations, 137 s'pore firms fell prey in 2021: CSA. The Straits Times. Retrieved September 19, 2022, from https://str.sg/wD9K

  2. US says ransomware attack on Meatpacker JBS likely from Russia; Cattle Slaughter resuming. The Straits Times. (2021, June 3). Retrieved September 19, 2022, from https://str.sg/3krC

  3. Andronio, N., Zanero, S., & Maggi, F. (2015, November). Heldroid: Dissecting and detecting mobile ransomware. In international symposium on recent advances in intrusion detection (pp. 382-404). Springer, Cham.

  4. Beaman, C., Barkworth, A., Akande, T. D., Hakak, S., & Khan, M. K. (2021). Ransomware: Recent advances, analysis, challenges and future research directions. Computers & Security, 111, 102490. https://doi.org/10.1016/j.cose.2021.102490

  5. Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 8(5), 1938-1940.

  6. The state of ransomware 2022 - sophos. (n.d.). Retrieved September 27, 2022, from https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf

  7. Richardson, R., & North, M. M. (2017). Ransomware: Evolution, mitigation and prevention. International Management Review, 13(1), 10.

  8. Delgado-Mohatar, O., Sierra-Cámara, J. M., & Anguiano, E. (2020). Blockchain-based semi-autonomous ransomware. Future Generation Computer Systems, 112, 589-603.

  9. Alshaikh, H., Ramadan, N., & Hefny, H. A. (2020). Ransomware prevention and mitigation techniques. Int J Comput Appl, 117, 31-39.

End of University Year 3 Sem 1 (SUSEP)

· 8 min read

Thoughts

For a variety of reasons, I decided to do a partial local exchange from the NUS school of computing (Computer Science) to NTU. Overall, I think the experience was good and refreshing to study in a (slightly) different environment. I ended up taking 1 module at NUS, and 5 modules at NTU. I will be writing a review of the modules below, and more importantly, I want to note down some of the gotchas that I encountered during the process of applying for the exchange. I hope that this will be useful to anyone who is considering doing a partial local exchange. Note that some of the information might be outdated, so please still do your own research.

Application

Singapore Universities Student Exchange Programme (SUSEP) is a program that allows students to take modules at another local university. The exchange is usually for a semester, and it is possible to do a partial exchange(meaning you can still do some modules at your home university). If you are interested, you should look out for the announcement email that will be sent out by the school nearer to the application period, which should be in the semester before the exchange. E.g. for my semester starting in August, the application period was in February. As they mentioned in the email, the quota is limited for NUS SOC so the application could be selective.

Application materials

Things required:

  • submit an application form
  • might require transcript
  • will need a personal statement stating why you want to do the exchange
  • an exchange plan indicating module mappings and the modules you want to take at the other university

I think a good personal statement could be important for the selection as there are only a few slots.

Module mapping

I would say that module mapping is a really troublesome part of the process. You need to do your own research to find out the modules offered and whether they could possibly be mapped back.

Some things to do include:

  • going into Edurec and checking the past module mapping records, which could be found under academics -> global education -> search module mapping
  • search online to see if the modules are still available and offered in the coming semester

Below is a list of approved modules that I requested, so you can use it as a reference. (open the image in a new tab if blurry) mapping

Gotchas

Here's what I painfully learned during the process of module mapping:

  • some modules might not be offered to exchange students.
    • some modules may claim that they don't offer to exchange students but somehow you can bid and get the module ...
  • some modules may be phased out.
  • some modules have separate module codes for a particular faculty, e.g. CZ XXXX for computer science students.
  • module code and content could change from year to year, which means the module mapping may become invalid if it differs from what you requested
  • when filling up the individual module request, you will need to provide module information as well as your pre-requisite module grades. Sometimes it's impossible to find a URL for module details, in those cases you can try to print out the NTU official module search webpage and upload it to dropbox, and then link it. If you can't find the module details e.g the module components, you can just leave it blank (which was what I did).
  • if you are doing a partial exchange, do take note that you may need to submit appeals to NUS to adjust your min workload. This is to prevent the system from disallowing you to drop the extra modules you applied to at your home university. I applied for additional modules at NUS just in case I could not secure the modules that I wanted at NTU, and I had a hard time dropping them after I got the modules I wanted at NTU.
  • Some modules will be preallocated to you before the exchange period, and for the rest, you will have to go through the module bidding process.
  • If you are doing a partial exchange, you will need to be careful about schedule conflicts. Even if the modules don't directly conflict, you may need to take into account the time you need to travel between the two universities. I would say for some of the modules in NTU, it was fine that I did not attend the tutorials and lectures as I could just watch the recordings or read the slides. However, for some modules, there are compulsory labs or you need to be careful with the quiz timings that happen during lecture time.

Below is a sample module mapping request that you will need to fill up. (open the image in a new tab if blurry)

request

CS3219 Software Engineering Principles and Patterns (NUS)

This is an over-subscribed software engineering module that many students want to do. It was worth doing because I got to try and understand not just some of the software principles, but also technologies that support them. A large part of what I learned came from working on individual assignments, which got me into Docker, Kubernetes, Redis, AWS hosting and deployment, kafka, and more. Those experiences were really valuable as I wanted to learn about these technologies for a long time and finally had the chance to do so. The group assignment was also a good way to practice building an application powered by micro-services. Overall, I would say that the practical aspects of the module were really good. Of course, what you learn out of it depends on how much effort you put in, but I would say that the assignments were well structured for you to learn.

One thing that I remembered: my first time implementing a complete authentication system via JWT......pretty cool experience as I discovered some intricacies of JWT and how to use it properly. (I will probably write about it in the future)

SC2005 Operating Systems (NTU)

I took this module to map it back to our NUS core OS module, and surprisingly the quality of this module in NTU was pretty decent. I think that the two profs delivered the course well (lectures were great) and the tutorial was conducted in a way that was very helpful for students to understand the concepts (again, the prof for my tutorial was great). The labs were a little less challenging and the workload overall was very manageable.

CZ4003 Computer Vision (NTU)

This module is an overview of the computer vision space, talking about how digital images can be enhanced, and how computers "see" them (so edge detection, object detection, 3D reconstruction etc). I think it gave me some ideas about what computer vision means and the mechanisms behind things like object detection. My personal opinion is that the module materials were not very easy to understand and perhaps some background knowledge was required in order to understand the concepts better. When going into the technical details such as deriving Fourier transforms, some mathematical maturity certainly helps for topics on linear algebra, calculus, trigonometry, and matrix manipulation. Overall, I think I would not recommend this module.

IE4483 Artificial Intelligence and Data Mining (NTU)

This module is split into 3 parts:

  • traditional AI methods(e.g. search, logic, planning, etc)
  • Machine learning (convolutional neural networks, decision trees, etc)
  • Data mining and more ML (clustering, optimization, PCA etc)

The last two parts were well taught and the topics covered gave me a good introduction to machine learning. The first part was a little less interesting, probably because I already learned those in the introduction to AI in NUS. The assignments were doable. Overall I would say that this module is worth doing if you want to learn more about machine learning.

IE4758 Information Security (NTU)

I think this module is super light and the workload is almost non-existent. The module is about the basics of information security, and the topics covered are pretty much common sense. It's like a general knowledge class where you just come in and listen to the prof talk about the topics. The only technical parts are some calculations that you need to do for cryptography(e.g RSA and Diffie-Hellman key exchange), which is not difficult. Overall this module is pretty simple and recommended if you want to do a near-zero workload module.

CX4153 Blockchain Technology (NTU)

The lectures in this module are all recorded and every week you will need to watch a series of videos. After doing this module, I finally understood some of the concepts in the blockchain world. I think the topics are interesting and I got the fundamental ideas of blockchain after doing this module. And I appreciate why blockchain is so popular because it solves some of the existing problems with such an elegant computational and distributed solution. The assignment also gave me a good idea of how to write a smart contract and connect it to a frontend. Overall, I would say that this module is highly recommended if you are interested in blockchain.

Repository Pattern, Revisited

· 8 min read

Motivation

I first encountered the repository pattern in a Go backend codebase, where there are files/packages named "repo" and those packages are used to supply information from data sources. I was puzzled by such usage because until then, I have always known "repository" as a term related to "Git" and "GitHub". With further research online, I then realized that the repository pattern is a popular abstraction layer between the business logic and the data sources.

A succinct description of the repository pattern by Edward Hieatt and Rob Mee (P of EAA):

Mediates between the domain and data mapping layers using a collection-like interface for accessing domain objects.

UML illustration, source: martinfowler.com

This pattern is often discussed when talking about Domain Driven Design, which is

an approach to software development that centers the development on programming a domain model that has a rich understanding of the processes and rules of a domain. - Martin Fowler DomainDrivenDesign

In this article, I hope to consolidate some of the excellent resources that discuss the repository pattern in-depth and provide my examples and reflections on this pattern.

Uncovering the Repository Pattern

The idea of the repository pattern is to have a layer between a business domain and a data store. This can be done via an interface that defines data store handling logic, which the domain service logic can depend on.

Let's discuss a simplified example in Go, in the context of a URL-shortener application.

1. Create a repository interface in the service layer

The example application provides a URL-shortening service, which essentially takes in any URL and returns a shortened version that redirects visitors to the original address.

Let's assume that the URL-shortener service needs

  • a way to create a mapping of the original URL and the shortened URL
  • a way to query for the original URL for redirection
  • anything else (for simplicity we will only focus on the two above, CR of CRUD)

We mentioned that a repository interface needs to be created, but where?

The short answer is that we can implement it alongside the service layer. This is because the service knows what needs to be done with the data store (it may not need to know how). The repository interface, therefore, specifies the operations required by the service (without underlying details). One possible arrangement in Go is to have the service domain struct contain a reference to the repository interface, which is passed in from the constructor.

For example, we can have the following in a service/urlshortener.go file

package service

// The interface to be implemented by the actual datastore
type URLShortenerRepository interface {
Create(ctx context.Context, url string) (error)
Find(ctx context.Context, url string) (string, error)
}

// Domain struct
type URLShortener struct {
repo URLShortenerRepository
}

func NewURLShortener(repo URLShortenerRepository) *URLShortener {
return &URLShortener{repo: repo}
}

// Illustrations of the wrapping methods on the domain struct
func (u *URLShortener) Create(ctx context.Context, url string) (error) {
err := u.repo.Create(ctx, url)
if err != nil {
fmt.Println(err)
return err
}
return nil
}

func (u *URLShortener) Find(ctx context.Context, url string) (string, error) {
result, err := u.repo.Find(ctx, url)
if err != nil {
fmt.Println(err)
}
return result, err
}

2. Implement the repository interface in the data store layer

So far we have the service layer interacting with the repository interface, and we can now focus on implementing the actual handling logic in the data store layer. This typically involves a persistent database either relational or NoSQL like MongoDB, which we will use in this example.

Now, let's implement the handling logic in a mongoDB/mongo.go file

// Note that in Go, interfaces are implemented implicitly
type MongoDBRepository struct {
connectionString string
}

func NewMongoDBRepository(connectionString string) *MongoDBRepository {
return &MongoDBRepository{connectionString: connectionString}
}

func (m *MongoDBRepository) Create(ctx context.Context, url string) (error) {
// Insert a URL pair into the datastore via some MongoDB specific query
}

func (m *MongoDBRepository) Find(ctx context.Context, url string) (string, error) {
// Find from the datastore via some MongoDB specific query
}

3. Connecting the repository interface with the implementation

The last step in the process is to utilize what we have implemented so far.

We can imagine a central place where the service is initialized along with the data store, perhaps in a main.go file

repo := mongoDB.NewMongoDBRepository("db connection url here")
URLShortenerService := service.NewURLShortener(repo)

// example usage
err := URLShortenerService.Create(context.Background(), "some long url here")
if err != nil {
panic(err)
}

Diagram of the repository pattern Summary of the repository pattern

Analyzing the Repository Pattern

In the above section, we discussed a possible repository pattern implementation. In this part, we will highlight some of the benefits achieved.

Abstraction

The repository interface created separates the contract from implementation. This reduces the complexity at the service layer as only cares about the supporting behaviors of the underlying data store and not how they are actually implemented. It also reduces code duplication as all other services can share a consistent way to access data via the repository interface.

In the article on why you should use the repository pattern by Joe Petrakovich, he uses an analogy of a universal adapter to describe how the repository pattern sits between services and the data so that access or even modifications will less likely to impact the business logic code.

Encapsulation

Closely related to abstraction, encapsulation here means your repository interface helps to control access in a standardized way. This means regardless of the underlying data store, the repository interface exposes only the essential and expected ways to interact with the data store. This means a set of consistent error handling or logging can be performed at this layer and changes to the underlying data store are unlikely to affect the service layer code.

Separation of concern

The separation created by the repository layer reduces coupling as the service layer code does not depend on the data store directly. Similarly, the data store changes can hence be independent of the business requirement.

Facilitate unit testing via dependency injection

A crucial benefit of the repository pattern is that it allows for easy mocking and quicker unit tests. As we can see in our example's main.go file, a mock repository can be implemented and passed into the constructor instead. During testing, a mock repository can remove the need to establish a database connection or query a database, hence isolating the service layer logic.

Diagram of the repository pattern test Testing with the repository pattern

For example:

// Note that in Go, interfaces are implemented implicitly
type MockRepository struct {}

func NewMockRepository() *MockRepository {
return &MockRepository{}
}

func (m *MockRepository) Create(ctx context.Context, url string) (error) {
// Simulate insertion
return nil
}

func (m *MockRepository) Find(ctx context.Context, url string) (string, error) {
// Simulate read
return "https://short.com/url", nil
}

repo := NewMockRepository()
URLShortenerService := service.NewURLShortener(repo)

// example usage
err := URLShortenerService.Create(context.Background(), "some long url here")
if err != nil {
panic(err)
}

To understand dependency injection better, read more here

Drawbacks and Considerations

As with all patterns, there are drawbacks and even proponents who are loudly against the use of the repository pattern. Here are some of my observations and thoughts on the matter.

Is it cost-effective?

When implementing a software design pattern, it typically adds on the number of boilerplate codes to "set it up". Similarly for the repository pattern, implementing it could mean more structural code is added for the sake of "writing more code now so as to not repeat ourselves down the line". If however, the project is small-scale and there's likely no further development given that it is a demo/playground application, the investment in using the repository pattern could go unrealized.

Is another layer of indirection really necessary?

A fairly famous quote in computer science states:

Any problem in computer science can be solved with another layer of indirection. But that usually will create another problem

I am very cautious whenever I need to build a new layer of abstraction, because often than not, abstractions turned out to be "leaky" or "hasty". Such layers of abstractions don't deliver on their promises of simplicity and in very extreme cases, make the code harder to understand for ourselves and more so for future maintainers.

Better or worst testing?

Together with dependency injection, the repository pattern can help speed up unit testing by abstracting away the database. However, it does not remove the need to conduct integration tests because with a mock repository, the responses from the data store layer may not be realistic. To gain confidence in the system, integration tests are still necessary.

Conclusion

Design patterns such as the repository pattern are useful to understand because even if we choose not to use them, we are likely to come across them in existing codebases. As with all design patterns, the key is to plan well and find the right context before moving headlong into implementation. That's all and hope you enjoyed reading this article!

References