Ransomware is a dangerous type of malware which causes high financial losses for organisations. It is usually installed using a form of privilege escalation attack, after which it encrypts data and demands a ransom. In this paper, we analyse the ransomware life cycle and answer the question of how to arrange your information security defences to combat a ransomware outbreak.
Information is an important asset for individuals, organisations, and governments. Stealing confidential information such as credit card numbers or intellectual property can cause financial loss or reputational damage. For example, organisations invest in research that creates intellectual property in order to secure their future earnings and pursue innovation. Because of that, Rao & Nayak (2014) state that intellectual property is a valuable asset that needs to be protected from theft or unauthorised access, as its loss mainly costs a severe financial loss. Chai et al. (2016) state that individuals might be subjected to electronic bullying and harassment through internet social media like Facebook and Twitter. In most cases, customers' information is protected by law, which means that the theft of customers' sensitive information such as personally identifiable information (PII) and protected health information (PHI) will cause organisations to pay fines that also count as a financial loss and reputational damage. In the healthcare industry, unauthorised modification of medical records can cause loss of human life.
Hammondl (2013) states that effective information security addresses the security triad (Confidentiality, Integrity & Availability). Confidentiality guarantees that sensitive information (e.g. PHI, PII, credit card data, etc.) is accessed only by those who have the authority to access it. Integrity, on the other hand, is making sure that data is protected against unauthorised modifications, whether malicious or unintentional (Hammondl, 2013). Finally, availability guarantees that information is available to the right person when it is needed and access has been granted.
BBC (2017) reported on 12 May an example that shows how important information security is to our lives. Information security was violated by a massive cyber-attack that hit NHS services across England and Scotland, disrupting hospital operations and GP appointments and forcing staff to use pen and paper.
Table of Contents
Part 1:
A. The Importance of Information Security
B. What is ransomware, its history and how does it work?
C. In-depth discussion of the vulnerability of the system which led to the WannaCry ransomware attack
D. The impact of this type of attack on confidentiality, integrity and availability of data and resources being attacked
Part 2:
Discussion of basic guidelines and security safeguard measures that can be applied to this scenario to mitigate the chances of future attack
Research Objectives and Topics
This report examines the conceptual foundations of information security and provides a detailed analysis of ransomware, specifically focusing on the mechanisms, vulnerabilities, and impact of the WannaCry attack, while proposing mitigation strategies through a defense-in-depth approach.
- Fundamental principles of the CIA security triad (Confidentiality, Integrity, Availability).
- Historical evolution and operational phases of ransomware attacks.
- Technical analysis of the SMBv1 vulnerability and the EternalBlue exploit.
- Security measures, including sandboxing, patching, and network perimeter controls.
Excerpt from the Book
C. In-depth discussion of the vulnerability of the system which led to the WannaCry ransomware attack
In April 2017, gigabytes of software exploit tools were leaked from the National Security Agency (NSA) by the Shadow Brokers. Among these tools, one called EternalBlue was used to exploit a vulnerability found in Server Message Block version 1 (SMBv1) which enables uploading code to a writable share, loading it into memory and executing it (Goodin, 2017). The EternalBlue toolkit was used by the WannaCry ransomware authors to exploit this vulnerability so that the malware replicates itself across the network like a worm (Sophos KB, 2017). EternalBlue runs along with EternalRocks in a multistage process: it starts by communicating with a command and control server through the TOR service to download and install an additional exploit pack; following that, it scans the local area network and the internet for an open port 445 and then repeats this process on the other machines found during the scan (Heller, 2017). In fact, Microsoft announced this vulnerability on March 14, 2017 under the number MS17-010 and released a critical security update that patches the different versions of Windows against it by changing how SMBv1 handles specially crafted requests (Microsoft, 2017). According to this announcement, the vulnerability allows remote code execution and information disclosure, and Microsoft recommended disabling SMBv1 and relying on SMBv2 and SMBv3.
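The propagation pattern described in the excerpt, one infected host sweeping its neighbours for an open port 445, is something a defender can look for in internal or perimeter firewall logs. The following Python is an added example and not code from the paper; it assumes a constructed, generic log line format (timestamp, src, dst, dport, action) and flags any source that contacts an unusually large number of distinct hosts on TCP/445 within a short window. Both allowed and denied connections are counted, since a blocked probe is still evidence of scanning.

```python
"""Detect worm-like SMB fan-out: one source contacting many distinct hosts on TCP/445.

Added example for illustration; the log format is a constructed, generic
"timestamp src= dst= dport= action=" line and is not any vendor's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Host 10.0.0.5 probes eight
# neighbours on port 445 within a few seconds, the pattern the excerpt
# describes; 10.0.0.20 shows ordinary repeated use of one file server.
SAMPLE_LOG = """\
2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.0.10 dport=445 action=allow
2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.0.11 dport=445 action=deny
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.0.12 dport=445 action=deny
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.0.13 dport=445 action=allow
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.14 dport=445 action=deny
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.15 dport=445 action=deny
2017-05-12T10:00:04 src=10.0.0.5 dst=10.0.0.16 dport=445 action=allow
2017-05-12T10:00:04 src=10.0.0.5 dst=10.0.0.17 dport=445 action=deny
2017-05-12T10:00:05 src=10.0.0.20 dst=10.0.0.50 dport=445 action=allow
2017-05-12T10:01:10 src=10.0.0.20 dst=10.0.0.50 dport=445 action=allow
2017-05-12T10:02:30 src=10.0.0.20 dst=10.0.0.50 dport=445 action=allow
2017-05-12T10:02:31 src=10.0.0.21 dst=10.0.0.50 dport=443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_smb_fanout(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {source: max distinct port-445 targets seen inside any `window`}
    for every source that reached `threshold` or more distinct targets.

    Denied connections count too: a worm's probe that the firewall blocks is
    still a scan attempt worth alerting on.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines())
              if e is not None and e["dport"] == 445]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        # Sliding window over this source's time-ordered events.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, count in find_smb_fanout(SAMPLE_LOG).items():
        print(f"possible SMB worm activity: {src} reached {count} distinct hosts on 445")
```

The window and threshold are assumptions to be tuned per environment: file servers, backup systems and authorised vulnerability scanners legitimately talk to many hosts on 445 and belong on an allow-list. Detection of this kind complements, and does not replace, the mitigations the excerpt names: applying the MS17-010 update and disabling SMBv1 where SMBv2 and SMBv3 suffice.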
Summary of Chapters
Part 1: Provides a theoretical overview of information security, a detailed history of ransomware, an investigation into the technical vulnerabilities exploited by WannaCry, and an analysis of the consequences for data confidentiality, integrity, and availability.
Part 2: Discusses practical security safeguard measures and a defense-in-depth architecture aimed at mitigating future ransomware threats.
Keywords
Ransomware, WannaCry, Information Security, CIA Triad, EternalBlue, SMBv1, Vulnerability, Cyber-attack, Defense-in-depth, Encryption, Network Security, Malware, Phishing, Patch Management, Sandboxing
Frequently Asked Questions
What is the core focus of this publication?
The paper provides a comprehensive study on the management of information security with a specific focus on understanding and defending against ransomware attacks, using the 2017 WannaCry incident as a primary case study.
What are the primary themes discussed in the text?
The main themes include the security triad (Confidentiality, Integrity, and Availability), the lifecycle of ransomware attacks, vulnerability management, and the implementation of robust defense-in-depth strategies.
What is the ultimate objective of this research?
The objective is to analyze how ransomware exploits system vulnerabilities and to propose effective mitigation strategies that organizations can implement to prevent future infections.
Which methodologies are referenced for security?
The text relies on industry-standard concepts such as the defense-in-depth architecture, which includes the integration of firewalls, IDS/IPS, patch management, and endpoint security solutions.
What topics are covered in the main body?
The main body covers the importance of information security, the history and mechanics of ransomware, the technical details of the EternalBlue/SMBv1 exploit, and the impact of these attacks on business operations.
Which keywords define this document?
The document is best characterized by terms such as Ransomware, WannaCry, CIA Triad, EternalBlue, and Defense-in-depth.
How does the WannaCry attack utilize the SMBv1 vulnerability?
WannaCry utilizes the EternalBlue toolkit to exploit the SMBv1 vulnerability, allowing the malware to execute remote code and replicate itself automatically across unpatched networks like a worm.
What role does the 'Defense-in-depth' approach play in mitigation?
Defense-in-depth provides multiple layers of security, such as network firewalls and sandboxing, ensuring that if one control fails, others are in place to detect or block malicious activities during the different stages of an attack.
Why is the CIA triad significant in this context?
The CIA triad serves as a framework to measure the severity of the damage caused by ransomware, specifically showing how such attacks violate data confidentiality, integrity, and availability.
- Citation of the text
- Haitham Ismail (Author), 2017, Ransomware life cycle and how to combat it, Munich, GRIN Verlag, https://www.grin.com/document/455229