Ransomware Evolution, Growth and Recommendation for Detection

Ransomware is a malicious program that can affect any person or organization. It is a sophisticated attack that aims to lock the victim out of the system or to encrypt the victim's files. To date there is no single method or tool that guarantees protection against ransomware: most available tools detect some ransomware families but fail to detect others. In this paper the author surveys several methods, tools and procedures that can be adopted to reduce the likelihood of a ransomware incident. At present the main methods attackers use to infect a machine are malicious emails and malicious links. After analysing several reports published by anti-virus companies such as Kaspersky and McAfee, together with several research papers on ransomware, the author draws two conclusions. First, educating users, enforcing a strict security policy and procedures, and maintaining a sound backup strategy are the most effective measures for minimising the impact of ransomware. Second, future methods for detecting ransomware will mainly be based on artificial intelligence.


Introduction
Ransomware is a specific type of malware that encrypts user data and thereby restricts the victim's access to his or her own files. The name combines two words, ransom and malware. Malware is an abbreviation of "malicious software": software specifically designed to gain access to, or damage, a victim's machine. Today's malware is created mainly for profit. It can be used to steal information (spyware), to push advertising (adware), or to send spam from compromised machines (zombie computers in a botnet). Ransomware is a very important topic in information technology security, and many methods have been proposed and tested to protect against it (Jesper, 2017; Matthias, 2018). Ransomware is a very damaging attack; for example, the damage caused by CryptoWall 3 is estimated at over 320 million US dollars (Cyber Threat Alliance, 2018).
Because the security measures that individuals put in place are modest compared with those of organizations, individual users are thought to be the most frequent victims of ransomware (KSN Report, 2016; Internet Security Threat Report, 2019). Most users are not specialists in information technology or security, so they do not take adequate steps to protect themselves. Targeting a large organization that has several layers of defense (defense in depth and breadth) such as firewalls, anti-virus and anti-spyware is clearly harder than targeting an individual who has nothing but the built-in Windows 10 firewall (IBM Ransomware, 2016). Some researchers classify ransomware into two types (Jesper, 2017). The first, locker ransomware, aims to lock the user out of the system; the attacker then demands payment to unlock it. The second, crypto ransomware, encrypts some or all of the files on the victim's machine; the attacker then demands payment for the key needed to decrypt them. When the encryption is implemented correctly, the files cannot be recovered without the attacker's key, which is why an offline backup is the most reliable recovery path.
Ransomware spreads mainly through phishing emails carrying malicious content or attachments, downloads of untrusted files, visits to compromised or malicious web sites, and other channels. Nowadays it also spreads through social media and web-based instant messaging.
Attackers with malicious intent have been attacking people for several decades and for many reasons. Once online exploitation took off, many techniques and applications such as anti-virus and anti-spyware products claimed to be able to detect any malicious software; some of these products do detect malware but then demand payment to remove it (Jesper, 2017; Hirra Sultan, 2018). Ransomware has affected all types of operating system, including Windows and Unix-based systems. After infecting the victim's machine, the attackers demand money, and payment is usually requested in Bitcoin.

Monitoring File Activity and Event Tracing
Ransomware can be detected by monitoring file system activity. On Windows, the System Service Descriptor Table (SSDT) is the kernel table that the operating system uses to dispatch system calls to their service routines, including the file system calls that ransomware must make to open, read, write and rename files. By recording these calls together with the calling process name and ID, it is possible to identify suspicious requests. Importantly, if a log of the SSDT calls is kept, the spread of ransomware can be stopped by terminating all related processes (Jesper, 2016; Matthias, 2018; Brandon Lee, 2019). A caveat for practitioners: on 64-bit Windows, Kernel Patch Protection (PatchGuard) prevents third-party code from hooking the SSDT, so production products obtain the same visibility through a file system minifilter driver, which is the supported mechanism for intercepting file I/O. The CyberPoint research team (Ben Lelonek & Nate Rogers, 2016) showed in 2016 that ransomware can be detected with Event Tracing for Windows (ETW). Their approach analyses the events generated by file operations such as reads, writes and changes in file size, and they developed an algorithm for this task. One major drawback of the algorithm is its high number of false positives. The detection compares the size of a file after a write with its original size, but the size of an encrypted file depends on the cipher and mode used, on any padding, and on whether the initialisation vector (IV) or a header is stored alongside the ciphertext, so a change in size is not a reliable indicator on its own. The CyberPoint team nevertheless report that their method detects almost every ransomware family.
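The following is an added example, written for this page rather than taken from the paper or from the CyberPoint study, of the file-activity monitoring described above. It runs two detectors over a constructed event log whose shape (timestamp, process, operation, path, size before and after, entropy of the written data) is an assumption standing in for what an ETW file-I/O provider or a minifilter would deliver: a size-change heuristic like the one the text criticises, and a behavioural rule that combines high-entropy overwrites of many distinct files with renames to extensions outside an assumed allow-list. The process names, paths and thresholds are illustrative, not from any real sample.

```python
import math
from collections import defaultdict

# Constructed sample events (not real telemetry), shaped like what an ETW
# file-I/O provider or a minifilter driver reports:
# (seconds, pid, image, op, path, size_before, size_after, entropy)
# entropy = Shannon entropy in bits/byte of the data written (0.0 .. 8.0).
EVENTS = [
    # A word processor saving one document twice: low entropy, one file.
    (0.0, 4120, "winword.exe", "write", r"C:\Users\a\Docs\report.docx", 24576, 24600, 4.1),
    (3.0, 4120, "winword.exe", "write", r"C:\Users\a\Docs\report.docx", 24600, 24700, 4.2),
    # An archiver writing one large archive: ciphertext-like entropy, single file.
    (1.0, 7788, "7z.exe", "write", r"C:\Users\a\backup.7z", 0, 90_000_000, 7.99),
] + [
    # An updater patching many files: sizes change, entropy stays moderate.
    (2.0 + i * 0.1, 9001, "updater.exe", "write", rf"C:\App\lib{i}.dll",
     50_000 + i, 51_000 + i, 5.6)
    for i in range(8)
] + [
    # Ransomware-like burst: many distinct user files overwritten with
    # near-random data (size grows to a 16-byte boundary, as with CBC padding),
    # each then renamed to an unfamiliar extension.
    ev
    for i in range(6)
    for ev in (
        (5.0 + i * 0.2, 6677, "svch0st.exe", "write",
         rf"C:\Users\a\Docs\f{i}.xlsx", 30_000, 30_016, 7.97),
        (5.1 + i * 0.2, 6677, "svch0st.exe", "rename",
         rf"C:\Users\a\Docs\f{i}.xlsx.locked", 30_016, 30_016, 0.0),
    )
]

KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".dll", ".7z"}  # assumed allow-list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; about 8.0 for ciphertext or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def size_change_detector(events, min_files=5):
    """Size-only heuristic: flag any process that changes the size of at least
    min_files distinct files. Simple, but it also fires on updaters and editors."""
    changed = defaultdict(set)
    for _ts, pid, image, op, path, before, after, _ent in events:
        if op == "write" and before != after:
            changed[(pid, image)].add(path)
    return {proc for proc, paths in changed.items() if len(paths) >= min_files}


def behavioural_detector(events, window=10.0, min_files=5, min_entropy=7.5):
    """Flag a process that, inside any `window`-second span, overwrites at least
    min_files distinct files with near-random data AND renames at least
    min_files files to an extension outside the allow-list."""
    per_proc = defaultdict(list)
    for ev in events:
        per_proc[(ev[1], ev[2])].append(ev)
    flagged = set()
    for proc, evs in per_proc.items():
        evs.sort(key=lambda e: e[0])
        for i, start in enumerate(evs):
            hi_entropy_files, odd_renames = set(), 0
            for ts, _pid, _img, op, path, _before, _after, entropy in evs[i:]:
                if ts - start[0] > window:
                    break
                ext = path[path.rfind("."):].lower() if "." in path else ""
                if op == "write" and entropy >= min_entropy:
                    hi_entropy_files.add(path)
                elif op == "rename" and ext not in KNOWN_EXTS:
                    odd_renames += 1
            if len(hi_entropy_files) >= min_files and odd_renames >= min_files:
                flagged.add(proc)
                break  # one hit per process is enough
    return flagged


if __name__ == "__main__":
    print("size-only heuristic flags:", size_change_detector(EVENTS))
    print("behavioural detector flags:", behavioural_detector(EVENTS))
```

On this log the size-only rule flags both the updater and the ransomware-like process, while the behavioural rule flags only the latter: the archiver's high-entropy output touches a single file, and the updater's many size changes are not high-entropy and involve no renames. In a real deployment the process identity from the event (pid and image) is what allows the response described in the text, terminating the offending process.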

Honeypots
A honeypot is a decoy system, or a set of decoy files, placed on the network to attract attackers and reveal their presence. Applied to ransomware, the idea is to plant decoy (canary) files that no legitimate user or program should touch; when something modifies, renames or deletes them, the monitoring system reacts and knows that an intruder, or an encrypting process, is active. This type of detection is more useful for organizations than for individuals. To many people, detecting ransomware with honeypots may sound strange, but it is a valid security measure.
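As an added example (not code from the paper), the script below plants decoy files, records a baseline of their size and SHA-256, and reports any decoy that was rewritten, renamed or deleted. The decoy names, their contents and the choice of names that sort first and last in a directory listing are assumptions for illustration; `simulate_crypto_ransomware` is a constructed stand-in that overwrites files with random bytes, used only to exercise the monitor.

```python
import hashlib
import os
import tempfile

# Decoy names chosen to sort first and last in a directory listing, on the
# assumption that a process walking the directory in order reaches one of
# them early. Plain-text content makes the files look worth encrypting.
DECOY_NAMES = ["!00_invoices_2019.xlsx", "zz_passwords_backup.docx"]
DECOY_BODY = b"CONFIDENTIAL - finance department - do not distribute\n" * 64


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_decoys(directory, names=DECOY_NAMES):
    """Write the decoy files and return a baseline {path: (size, sha256)}."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(DECOY_BODY)
        baseline[path] = (os.path.getsize(path), _sha256(path))
    return baseline


def check_decoys(baseline):
    """Return [(path, reason)] for every decoy that no longer matches the
    baseline. An empty list means nothing has touched the canaries."""
    alerts = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing: deleted or renamed"))
        elif os.path.getsize(path) != size or _sha256(path) != digest:
            alerts.append((path, "content changed"))
    return alerts


def simulate_crypto_ransomware(directory, rename=True):
    """Constructed stand-in for an encrypting pass, used only to exercise the
    monitor: overwrite every file with random bytes (standing in for
    ciphertext) and optionally append an extension, as many families do."""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        with open(path, "r+b") as f:
            f.write(os.urandom(os.path.getsize(path) + 16))
        if rename:
            os.rename(path, path + ".locked")


def demo():
    """Run the monitor against an untouched directory, an in-place overwrite,
    and an overwrite-plus-rename; return the alerts from each scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_decoys(d)
        results["untouched"] = check_decoys(baseline)
        simulate_crypto_ransomware(d, rename=False)
        results["overwrite"] = check_decoys(baseline)
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_decoys(d)
        simulate_crypto_ransomware(d, rename=True)
        results["rename"] = check_decoys(baseline)
    return results


if __name__ == "__main__":
    for scenario, alerts in demo().items():
        print(scenario, "->", alerts or "no alert")
```

This version polls by recomputing hashes; a production monitor would subscribe to file change notifications instead, and would need the process identity from the file-activity telemetry discussed above to know which process to terminate, since the decoy files alone only reveal that something touched them. Decoys must also be excluded from backup jobs and indexers so that legitimate software does not trip them.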

Educate Users
Most cyber security attacks, including ransomware, succeed through careless employees. Some employees share their password with family and friends, others write it on a piece of paper in the office, and most use easy, predictable passwords. The author believes that many cyber attacks can be prevented by educating and training users on the security policy; users have a critical role in cyber security. Following security guidelines is important in every organization, and every organization should adopt a clear security strategy against malicious software: for example, developing a security policy, training new employees, creating a security-conscious culture, and monitoring the effectiveness of the security policy.

Using Antiviruses
Anti-virus software is the most common technique used to protect against malicious software, and many companies have developed anti-virus products. They work with several techniques, chiefly signature-based detection and heuristic detection (Jesper, 2017). Every anti-virus product has its own database: when a file is examined, its signature (for example a hash or a characteristic byte pattern) is compared with the signature database, and some products additionally analyse the code itself in a heuristic module. Unfortunately, neither malware in general nor ransomware in particular is completely solved by any anti-virus product. Anti-virus detection of ransomware relies on analysing the ransomware's behaviour. Most anti-virus products can detect ransomware, but they cannot stop it once it has taken control of the system. So the answer to the question "can anti-virus stop ransomware?" is yes and no: anti-virus can prevent many types of ransomware, but it cannot stop ransomware once it has taken control.

Machine Learning Methods
Machine learning is a branch of artificial intelligence. Machine learning methods are used in many applications such as pattern recognition, text classification, decision making and spam detection (Adel Hamdan, 2011; Raed Abu-Zitar, 2011; Adel Hamdan, 2016). Detection of ransomware with machine learning methods is therefore clearly feasible.
According to Jaimin Modi (Jaimin Modi, 2014), the features of network traffic can be divided into three categories: connection-based, encryption-based and certificate-based. By analysing these characteristics, Modi builds a model for detecting ransomware from its network traffic.
Machine learning can be adapted to a wide range of problems; the challenge is how to apply it and which algorithms to use. Detecting ransomware requires methods and tools for monitoring network and file activity. The author thinks that machine learning methods based on learning from examples and on common patterns can be adapted to ransomware detection: by analysing the typical behaviour of ransomware, and of benign software, building a tool that predicts ransomware is highly feasible.
Subash Poudyal (Subash Poudyal, 2018) developed a reverse-engineering framework for ransomware detection. The framework performs multi-level analysis of raw binaries, assembly code, and library and function calls. In the experiments, detection accuracy varied between 76% and 97%; the authors of that study used eight machine learning classifiers.
mas.ccsenet.org Vol. 14, No. 3; 2020
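To make the "learning by example" idea above concrete, here is an added example (not the paper's method, and not the classifiers used by Modi or Poudyal) that trains a logistic-regression classifier, written out in plain Python, on per-process behavioural features of the kind the file-activity section discusses. The feature vectors are constructed for illustration, not measurements from real samples, and the four features (writes per second, mean entropy of written data, distinct files written, renames to previously unseen extensions) are an assumed feature set. The point it shows is that a backup tool can legitimately write many high-entropy files, so a learned model has to weigh the combination of features rather than any single one.

```python
import math

# Constructed per-process feature vectors (not measurements from any real
# sample). Each row summarises one process over a fixed observation window:
# [writes per second, mean entropy of written data in bits/byte,
#  distinct files written, renames to an extension not previously seen]
TRAINING_SET = [
    # ransomware-like processes -> label 1
    ([40.0, 7.90, 120, 110], 1),
    ([25.0, 7.80,  80,  75], 1),
    ([60.0, 7.95, 300, 290], 1),
    ([15.0, 7.70,  50,  48], 1),
    ([35.0, 7.85, 150, 140], 1),
    # benign processes -> label 0: word processor, archiver, updater,
    # browser cache, backup tool (high entropy and many files, but no renames)
    ([ 0.3, 4.10,   1,   0], 0),
    ([ 2.0, 7.99,   1,   0], 0),
    ([10.0, 5.60,   8,   0], 0),
    ([ 5.0, 6.50,  30,   0], 0),
    ([ 8.0, 7.90, 200,   0], 0),
]


class RansomwareClassifier:
    """Logistic regression fitted by full-batch gradient descent, written out
    in plain Python so the learning step is visible (no ML library needed)."""

    def __init__(self, learning_rate=0.5, epochs=20000):
        self.learning_rate = learning_rate
        self.epochs = epochs
        self.mean = self.std = self.weights = None
        self.bias = 0.0

    @staticmethod
    def _sigmoid(t):
        t = max(-500.0, min(500.0, t))  # keep math.exp within range
        return 1.0 / (1.0 + math.exp(-t))

    def _standardise(self, x):
        # z-score each feature with the training mean/std so that raw scales
        # (0-8 entropy versus hundreds of files) do not dominate the gradient
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def fit(self, rows):
        xs = [x for x, _ in rows]
        ys = [y for _, y in rows]
        n, d = len(xs), len(xs[0])
        self.mean = [sum(x[j] for x in xs) / n for j in range(d)]
        self.std = [math.sqrt(sum((x[j] - self.mean[j]) ** 2 for x in xs) / n) or 1.0
                    for j in range(d)]
        zs = [self._standardise(x) for x in xs]
        self.weights = [0.0] * d
        for _ in range(self.epochs):
            probs = [self._sigmoid(sum(w * z for w, z in zip(self.weights, zrow)) + self.bias)
                     for zrow in zs]
            errors = [p - y for p, y in zip(probs, ys)]  # dLoss/dlogit per row
            for j in range(d):
                grad = sum(e * zrow[j] for e, zrow in zip(errors, zs)) / n
                self.weights[j] -= self.learning_rate * grad
            self.bias -= self.learning_rate * sum(errors) / n
        return self

    def predict_proba(self, x):
        z = self._standardise(x)
        return self._sigmoid(sum(w * v for w, v in zip(self.weights, z)) + self.bias)

    def predict(self, x, threshold=0.5):
        return 1 if self.predict_proba(x) >= threshold else 0


if __name__ == "__main__":
    clf = RansomwareClassifier().fit(TRAINING_SET)
    for label, x in [("burst + renames", [45.0, 7.90, 130, 120]),
                     ("archiver", [3.0, 7.99, 2, 0]),
                     ("installer", [5.0, 6.00, 10, 0])]:
        print(f"{label:16s} p(ransomware)={clf.predict_proba(x):.3f} -> {clf.predict(x)}")
    print("weights on standardised features:", [round(w, 2) for w in clf.weights])
```

Because the constructed classes are linearly separable, plain gradient descent reaches zero training error; on real telemetry one would hold out samples, measure false positives on benign-but-noisy processes such as backup and update tools, and retrain as new families change their behaviour.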

Conclusion and Future work
In this work the author has discussed one of the main threats that can affect all users and organizations. Ransomware is undoubtedly a very sophisticated malicious program that may affect any device, and this paper has reviewed several studies on ransomware and on protection against it. Nowadays users and organizations use several methods, tools and procedures to reduce the probability of a ransomware attack. According to several anti-virus companies and to current researchers working on ransomware detection, no anti-virus product, method or tool guarantees to detect ransomware: most methods used against ransomware succeed in detecting some types and fail on others, and most researchers and companies agree that there is no single method or tool that guarantees protection. The author therefore concludes that, at this moment, the best thing one can do to protect against ransomware is to adopt a good backup strategy, one that keeps copies offline or otherwise out of reach of an infected machine, since crypto ransomware also encrypts any backup it can write to. Beyond that, the author believes that, given the nature of ransomware, any effective active method of protection will mainly be based on artificial intelligence, so the author's future work will be adapting a machine learning method to detect ransomware.