Ransomware Detection, Avoidance, and Mitigation Scheme: A Review and Future Directions

Abstract: Ransomware attacks have emerged as a major cyber-security threat wherein user data is encrypted upon system infection. The latest Ransomware strands, using advanced obfuscation techniques along with offline C2 server capabilities, are hitting individual users and big corporations alike. This problem has caused business disruption and, of course, financial loss. Since there is no consolidated framework that can classify, detect and mitigate Ransomware attacks in one go, we are motivated to present Detection Avoidance Mitigation (DAM), a theoretical framework to review and classify techniques, tools, and strategies to detect, avoid and mitigate Ransomware. We have thoroughly investigated different scenarios and compared existing state-of-the-art review research against ours. The case study of the infamous Djvu Ransomware is incorporated to illustrate the modus operandi of the latest Ransomware strands, including some suggestions to contain its spread.


Introduction
Increased connectivity and digitization have facilitated cyber-criminals in designing and launching large-scale cyber-attacks targeting individuals and corporations worldwide. While individual naivete and lack of awareness enable these attacks to bypass basic security mechanisms, security vulnerabilities in the IT systems of small and large corporations are increasingly being exploited to cause business disruptions. The cyber-attack canvas keeps expanding rapidly as cyber-criminals consistently circumvent security provisions designed and deployed by organizations. Increasingly, the target of the attacks is data that is critical to individuals and organizations alike. Threat actors are cashing in on opportunities that can help them seize control of valuable data to demand a ransom from the data owner. Ransomware is a form of malware that infects a computer or multiple computers over a network, encrypting files and folders, rendering them unusable. Users are then prompted for a ransom typically to be paid in cryptocurrency. Ransomware is not a new threat, but its use is surging and causing heavy financial losses all over the world [1]. It is a major challenge for cyber-security analysts and Reverse Engineers as typical Ransomware is not detected by anti-virus software due to its polymorphic nature.
According to [2], almost 51% of the organizations worldwide were hit by highly sophisticated Ransomware attacks in 2020. These attacks were using advanced command and control servers, making them challenging to reverse engineer. Among all the countries studied in the report, India was affected the most by the deadly Ransomware attacks, with almost eighty-two percent of organizations being hit by Ransomware. Netwalker is

Motivation of the Study
The motivation of this study is as follows:
• There is a sudden surge in extremely dangerous Ransomware attacks that have crippled most businesses and individuals alike. Ransomware poses a high threat and needs to be tackled at a global level.
• The existing literature either contains solutions for mitigating specific Ransomware or proposes generic solutions. A comprehensive analysis encompassing the issues in securing both individual users and corporations is lacking.
• Ransomware avoidance techniques are the most effective and need specialized focus, as mitigation and recovery from Ransomware are increasingly complex.

Research Contributions
In this article, we make the following contributions:
• We present DAM, a theoretical framework to review and classify the tools, techniques, and strategies to detect, avoid and mitigate Ransomware.
• We put forward a continuum for the avoidance of Ransomware. This continuum can be adopted by different organizations, ranging from critical deployments to small-scale organizations.
• Finally, we present a case study on one of the recent Ransomware strands, Djvu, where we discuss the technical aspects related to Djvu and then apply the DAM framework to consider potential containment/response strategies.
Table 1 maps the contributions to the sections in which they are discussed.

Paper Organization
The research article is organized as follows: Section 2 presents the background. Section 3 discusses the state-of-the-art technologies and presents a comparative analysis of different survey articles with ours. Section 4 presents the DAM framework for the classification and analysis of defense techniques against Ransomware. Section 5 provides some ideas for avoiding Ransomware infection and mitigating its impact. Section 6 presents a comprehensive case study of Djvu, while Section 7 concludes the paper. The complete structure of the paper is explained by Figure 2, while Table 2 defines all the acronyms used throughout the article.

Background
Ransomware is considered one of the most dangerous variants of malware. This is primarily because it does not even require much user interaction for privilege escalation. Even the usage of industry-standard tools and technologies has not been able to contain the wrath of Ransomware. Once Ransomware infects a device, it becomes impossible for the victim to access the files. Because the ransom is paid using cryptocurrency, there is no way to track the perpetrators of Ransomware attacks. Figure 3 illustrates the monetary damage caused by Ransomware in the year 2020 as compared to its predecessors [7,8].

Ransomware Sources
Ransomware propagates primarily due to a lack of Cyber-hygiene at the individual level. Cyber-hygiene refers to all aspects of online safety [9], including browsing behavior, the availability and consistent updating of antivirus software, the installation of third-party software, and user awareness. Cyber-hygiene must be practiced to keep Ransomware and other strands of malware away. Despite improving security standards and protocols, Ransomware families have managed to penetrate the defense systems of organizations, governments, and individual users. Some of the main sources of Ransomware include:

Email Attachments
Email attachments usually contain Portable Document Format (PDF) documents, voicemails, images, e-invites, etc. These attachments can contain embedded malicious files hidden using various steganographic techniques. Ransomware perpetrators use techniques that make an email look like it was sent from a trusted and known sender. Various tools are available through which attackers with no technical knowledge can craft malicious emails.

Removable Media
Removable media is not considered an entry portal for Ransomware by many. However, Tischer et al. [10] conducted a survey revealing that people are really intrigued by what might be on a random Universal Serial Bus (USB) drive lying in a public place. Many organizations that did not disable USB ports have been hit by Ransomware via this mode [11].

Malvertising
Malvertising [12] is the organized practice of infecting the advertising infrastructure that websites use for displaying online advertisements. Malvertising has proved to be another popular technique for infecting systems with Ransomware. It has infected systems even via browsing trusted sites like British Broadcasting Corporation (BBC) News, America Online (AOL) and Microsoft Network (MSN) [13]. It tricks the browser into downloading malicious file extensions automatically. Exploit rootkits like Angler, Magnitude and Nuclear are then able to help the attacker gain access to the victim's device [14,15].

Social Media & SMS
This type of Ransomware propagation falls under the category of Social Engineering, where the victim is lured into clicking links that they should not. Attackers use the technique of Uniform Resource Locator (URL) shortening in order to add obscurity to the original link. Users with poor Cyber-hygiene are lured into clicking these links. Sometimes, users also receive SMS messages that depict urgency and force them into clicking those links [16].

Ransomware as a Service
Like other hosting services on the Dark Web that offer anonymity, Ransomware-as-a-Service (RaaS) has emerged as a marketplace exclusively for attackers with insufficient programming skills to easily propagate Ransomware. The RaaS service providers either take a cut from the buyer or charge service usage fees.

Ransomware Types
There are mainly two prevalent types of Ransomware, known as Crypto Ransomware and Locker Ransomware.

Crypto Ransomware
Crypto Ransomware uses encryption algorithms to encrypt the victims' data, following one of two approaches. In the case of a symmetric algorithm, there is just one key that is used for both encryption and decryption. The second approach, which is more prevalent, is the asymmetric algorithm, through which the data is encrypted using a public key and the victim can only get their data back when they pay for the decryption key [17]. Over the years, attackers have made it difficult for reverse engineers trying to decrypt the data without paying the ransom. Attackers now use a combination of both symmetric and asymmetric algorithms to make the decryption process more challenging. The victim's data is encrypted using a symmetric algorithm due to its speed [18,19]. Then, the key used is encrypted using the public key possessed by the malicious actor [20].

Locker Ransomware
As the name indicates, Locker Ransomware locks the device instead of encrypting the files and folders. Upon infection, the victim's device is prevented from being accessed, while the data inside is untouched. This type of Ransomware is less effective than Crypto Ransomware, because the data can still be accessed by moving the storage device to another computer [21].

Ransomware Operation
The various phases of Ransomware operation as shown in Figure 4 are detailed below:

Infection
The first stage is the spread of the Ransomware to the victim's device. As discussed in the earlier section, there are multiple sources through which Ransomware finds an infection vector. In this stage, the attacker's strategy is to get their Ransomware downloaded onto the victim's machine. This stage is heavily dependent on the victim's activities and overall Cyber-hygiene. If the potential victim is cyber-aware [22], then it is quite likely that the Ransomware will not be able to infect the system.

Encryption/Locking
Upon infection, the Ransomware starts performing its programmed sequence of actions depending on its type. A very strong property of recent Ransomware strands is that they contact a central command-and-control (C2C) server, which simplifies automation for the attacker. The C2C server also acts as a repository from which different victims can download their decryption keys after making the payment. After the first stage, the cryptographic keys are generated either on the victim's Personal Computer (PC) or on the C2C server. The attacker then proceeds to lock the files and folders, or can straight away alter the master boot record so that the victim is unable to access their device.

Demand
During the third stage, a message is displayed on the screen demanding a ransom amount from the victim so that they can regain access to their system. The attacker provides a Bitcoin address for the payment of the ransom. This increases the difficulty for law enforcement agencies to trace the payment back to the attacker.

Result
After the third stage, it is up to the user whether to pay the ransom amount or not. Three outcomes are possible at this stage. If the victim decides to pay the ransom, then they will be provided with a decryption key to unlock access to their devices. Another outcome can result when the victim has strong technical skills or can take the help of reverse engineers to reverse the Ransomware operations and get the files back. The third outcome results when the victim is unable to pay the ransom, which results in permanent damage and complete loss of data.

The Role of Cryptocurrencies
In the early days of Ransomware, attackers would demand money in the form of direct bank deposits or via money transfer agencies. These methods of payment could be traced back to the attacker. Since the emergence of cryptocurrencies, Ransomware attacks have exploded. This is largely because cryptocurrencies introduce the concept of anonymity. Cryptocurrencies facilitate the creation of strong Ransomware which, instead of deploying a direct one-to-one payment method, uses a third-party payment gateway so that the risk of being traced is minimized. The first ever Ransomware that proved to be really strong in terms of maintaining anonymity and use of a well-built encryption algorithm was CTB Locker. CTB Locker stood for Curve, The Onion Routing (TOR) and Bitcoin locker. It used elliptic curve cryptography to encrypt the data, the TOR protocol for anonymous communication between the victim and the attacker, and Bitcoin as a payment method for paying the ransom in a way that the transfer would not be traced [23]. Usually, when a cryptocurrency is set up as a payment method, an attacker passively watches the blockchain, the enabler of cryptocurrencies, to check whether the ransom amount has been paid. Once the payment is made, the process of sending the decryption key to the victim can be initiated via automation. This puts the theory of anonymity and untraceability into practice. Cryptocurrencies also play a very important role in the distribution of Ransomware via the dark web. Script kiddies make use of platforms like RaaS to buy customized strands from exploit developers. Evidence suggests that most Ransomware families, such as WannaCry, have been successful because of the untraceability provided to cyber-criminals by cryptocurrencies.

State-of-the-Art
Researchers, cyber-security firms and government agencies have researched all aspects of Ransomware propagation and operation and have devised combat techniques. Although a few of them were adopted by organizations and governments, most of the frameworks have not proved successful in practice. This is because security is multi-dimensional, encompassing network security, data security, application security and finally individual Cyber-hygiene practices [24]. It is therefore extremely challenging to design blanket security solutions. Several works have reviewed the impact of Ransomware and summarized techniques to counter its threat. Since our work is focused on summarizing the existing detection, avoidance and mitigation techniques while providing insights to improve countermeasures, a comparative analysis with existing review papers is provided in Table 3.

Table 3. Comparative analysis of the proposed survey with the state-of-the-art surveys on Ransomware detection, avoidance, and mitigation.

Aurangzeb et al. [25]
  Contribution: Evaluated attack methodologies for Windows-based Ransomware families.
  Pros: The authors discussed all possible exploit vectors and kits used in the creation of Windows-based Ransomware families.
  Cons: They did not specifically propose any technical solutions required to counter Ransomware.

Tailor et al. [26]
  Contribution: Analyzed different encryption techniques used by modern Ransomware strands so as to develop better detection strategies.
  Pros: The authors presented a comprehensive overview of different encryption techniques used by both Locker and Crypto Ransomware families.
  Cons: The techniques proposed by the authors could include some implementation-based details for effective detection of Ransomware.

Tandon et al. [27]
  Contribution: Explained the modus operandi and architecture of typical Ransomware attacks.
  Pros: The authors gave a detailed view of the MS-017 exploit and how it eventually used DoublePulsar to cause the spread of WannaCry.
  Cons: Discussions are presented in the context of a single Ransomware; broad-based countermeasure strategies are not provided.

Genç et al. [28]
  Contribution: Discussed the current Ransomware mitigation strategies and evaluated their effectiveness.
  Pros: The authors explained the latest Ransomware strands, which can be generated using rootkits, in addition to Ransomware of Things.
  Cons: Novel mitigation strategies for obfuscated Ransomware strands are not suggested.

Oz et al. [29]
  Contribution: Summarized all the different Ransomware families based on the exploits that helped them propagate.
  Pros: The tables and summaries presented by the authors can be adopted by researchers to create new mitigation frameworks.
  Cons: The authors did not discuss solutions with respect to the latest families that use offline encryption techniques.

Kok et al. [30]
  Contribution: The authors' research focused on finding out the effectiveness of pre-existing detection techniques and thus highlighted the need for an ML-based solution to create better detection techniques.
  Pros: The authors explained the Ransomware lifecycle in a novel manner and mapped it to the different techniques to find out their effectiveness.
  Cons: The authors outlined an ML-based solution using linear regression but did not technically explain its effectiveness over existing solutions.

The proposed survey
  Contribution: The authors discuss all possible Ransomware propagation techniques and put forth a Ransomware avoidance continuum that can be adopted by organizations and individuals alike.
  Pros: The authors present a good overview of the adversary methodologies and perform a case study of one of the recent Ransomware strands, Djvu. Novel suggestions are put forth to contain the spread of Ransomware.
  Cons: -

The DAM Framework for Ransomware Defense
We propose the DAM framework to classify potential defense techniques, tools and strategies for countering the menace of Ransomware.

Detection Techniques
Various Ransomware detection techniques have been proposed by both academic researchers and industrial security experts, and some of them are currently in use. These techniques mostly work via static or dynamic analysis of the executable suspected to be Ransomware. Static analysis of an executable is performed by examining the code without actually running the executable. Static analysis of a binary consists of examining static linking, locating American Standard Code for Information Interchange (ASCII) strings, packer detection and memory relocation. Dynamic analysis is performed by executing the suspected Ransomware. During its execution, the actions and system calls made by the suspected file are recorded, and based on this information a final report is generated.
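As an added illustration of the static indicators just listed (this is not code from the paper or from any tool it reviews), the following Python computes a per-chunk entropy profile as a packer heuristic and pulls printable ASCII strings from a constructed byte blob that stands in for a suspicious binary; the sample bytes, the chunk size and the 7.0 bits/byte threshold are assumptions made for the demonstration.

```python
import math
import re
from typing import List

# Constructed stand-in for a suspicious binary (example data, not a real
# executable): a header, a few API names and a ransom-note phrase in a mostly
# zero-filled region, followed by a byte-scrambled region that mimics a packed
# or encrypted section.
PLAIN_REGION = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"CryptEncrypt\x00CryptGenKey\x00kernel32.dll\x00"
    + b"Your files have been encrypted\x00" + b"\x00" * 120
)
PACKED_REGION = bytes((i * 239 + 13) % 256 for i in range(512))
SAMPLE = PLAIN_REGION + PACKED_REGION


def extract_ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, chunk_size: int = 256) -> List[float]:
    """Entropy of each consecutive chunk; packed or encrypted regions stand out as high values."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def packer_suspected(data: bytes, chunk_size: int = 256, threshold: float = 7.0) -> bool:
    """Packer heuristic (assumed threshold): plain code and text rarely exceed ~6.5 bits/byte,
    while compressed or encrypted payloads approach 8.0."""
    return any(e >= threshold for e in entropy_profile(data, chunk_size))


def suspicious_indicators(data: bytes) -> List[str]:
    """Strings a triage analyst would flag: CryptoAPI names and ransom-note phrasing."""
    markers = ("crypt", "encrypt", "your files")
    return [s for s in extract_ascii_strings(data) if any(m in s.lower() for m in markers)]
```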

Static Analysis
Subedi et al. [31] proposed a methodology that utilizes static analysis to detect Ransomware. The approach followed by the researchers contained a framework that would first reverse engineer the PE file using assembly language and then subsequently apply Dynamic Link Library (DLL) and function call extraction on the PE file. The framework was developed as a tool called CRSTATIC. They analyzed forty-three Ransomware samples with CRSTATIC using different parameters. This work was able to differentiate between Ransomware and normal programs via a cosine similarity graph based on assembly instructions. Although relatively new, CRSTATIC cannot detect the latest Ransomware families, which deploy signature evasion techniques. Despite its drawbacks, CRSTATIC used pre-parse, a lightweight parser that could detect malicious PE files with respect to different parameters like relocations and byte read operations. CRSTATIC was not able to detect Locker Ransomware families.
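The cosine-similarity comparison of assembly instructions that CRSTATIC relies on, as an added example (not CRSTATIC's own code): constructed disassembly excerpts are reduced to mnemonic histograms and compared, and direct call targets are extracted as a stand-in for the function-call extraction step; the listings and the API names in them are constructed for the demonstration.

```python
import math
import re
from collections import Counter
from typing import Set

# Constructed disassembly excerpts (example data, not listings from real samples).
# SAMPLE_A and SAMPLE_B share the "acquire crypto provider, generate key, walk
# files, encrypt, write" skeleton; BENIGN is an ordinary command-line routine.
SAMPLE_A = """
push ebp
mov ebp, esp
sub esp, 0x40
call CryptAcquireContextW
test eax, eax
jz short loc_fail
call CryptGenKey
mov [ebp-4], eax
loop_top:
call FindNextFileW
test eax, eax
jz short done
call CryptEncrypt
call WriteFile
jmp loop_top
"""
SAMPLE_B = """
push ebp
mov ebp, esp
sub esp, 0x60
call CryptAcquireContextW
call CryptGenKey
mov [ebp-8], eax
scan:
call FindFirstFileW
test eax, eax
jz short finish
call ReadFile
call CryptEncrypt
call WriteFile
call FindNextFileW
test eax, eax
jnz scan
"""
BENIGN = """
push ebp
mov ebp, esp
mov eax, [ebp+8]
cmp eax, 0
jne short has_arg
lea ecx, [usage_msg]
push ecx
call printf
add esp, 4
xor eax, eax
pop ebp
ret
has_arg:
push eax
call strlen
add esp, 4
pop ebp
ret
"""

CALL_RE = re.compile(r"^\s*call\s+([A-Za-z_][A-Za-z0-9_]*)\s*$", re.IGNORECASE)


def mnemonic_histogram(listing: str) -> Counter:
    """Count instruction mnemonics, skipping blank lines and labels."""
    hist: Counter = Counter()
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        hist[line.split()[0].lower()] += 1
    return hist


def cosine_similarity(a: Counter, b: Counter) -> float:
    """1.0 for identical instruction mixes, 0.0 for disjoint ones."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def called_functions(listing: str) -> Set[str]:
    """Direct call targets by name: a stand-in for DLL/function-call extraction."""
    return {m.group(1) for m in map(CALL_RE.match, listing.splitlines()) if m}


def listing_similarity(x: str, y: str) -> float:
    return cosine_similarity(mnemonic_histogram(x), mnemonic_histogram(y))
```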
Zheng et al. [32] devised a tool called GreatEatlon for detecting Android Ransomware. This tool was created by combining the features present in Heldroid [33], APKTool and other open-source analysis tools. GreatEatlon used four stages to identify the presence of Ransomware on an Android device. The first stage was to follow the code flows of an executable suspected to be Ransomware. Any Ransomware's first line of action is to find the files it wants to encrypt. GreatEatlon was easily able to identify the path of the Ransomware by utilizing an extension of FlowDroid [34], a state-of-the-art technique for analyzing the code flows of Android applications. GreatEatlon then passed the executable through the second stage, in which DeviceAdmin APIs were inspected when the executable was allowed to run. If the APIs were misused by the executable to escalate its privileges, then it would be flagged as malicious. The last two stages deployed static and manual analysis techniques to finally identify the behavior of the suspected executable file.
Hsiao et al. [35] conducted reverse engineering experiments on the infamous WannaCry Ransomware to understand how the malicious binary works. The mode of analysis used by the authors was static analysis. IDA Pro [36] was used for reverse engineering to understand the inner workings of the Ransomware. The PE file which was initially used for the first stage of Ransomware operation converted itself into different formats in the subsequent stages. First, the PE file is delivered through the Eternal Blue exploit [37], which then uses a Windows API to embed itself. In the next phase, two services, mssecsvc.exe and tasksche.exe, are responsible for further propagation by altering the environment settings. The third stage is responsible for the overall encryption of the victim's data, where tasksche.exe loads the encryption .dll into the device's memory. The last stage is maintained by C2C servers for tracing the payments and the course of infection.

Dynamic Analysis
Sgandurra et al. [38] tested 542 different samples of Ransomware families with EldeRan, a hybrid approach comprising machine learning techniques and dynamic code analysis. EldeRan tested application samples against a set of parameters that can identify whether a sample is Ransomware during the infection phase. EldeRan successfully analyzed Windows API calls, registry key operations, file and directory operations, dropped files and embedded strings. The next component of EldeRan involved the machine learning approach, comprising feature selection that could distinguish Ransomware from regular software via the mutual information criterion [39], and classification using regularized logistic regression. Overall, EldeRan achieved a great success rate in the detection of new Ransomware families.
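An added example of EldeRan's two machine-learning steps on a constructed feature matrix (this is not EldeRan's code or data): mutual information ranks the features, and an L2-regularized logistic regression is fitted on the top-ranked ones to score a new sample; the feature names, rows, regularization strength and learning rate are assumptions chosen to illustrate the ranking.

```python
import math
from collections import Counter
from typing import List, Sequence, Tuple

# Constructed feature matrix in the spirit of EldeRan's inputs (API calls,
# registry and file operations, embedded strings), one row per sandboxed
# sample; label 1 = ransomware, 0 = benign. Example data, not EldeRan's dataset.
FEATURES = [
    "api:CryptEncrypt", "api:CryptGenKey", "reg:Run-key write",
    "file:mass rename", "str:YOUR FILES", "api:CreateWindowExW", "api:GetSystemTime",
]
DATASET: List[Tuple[Tuple[int, ...], int]] = [
    ((1, 1, 1, 1, 1, 0, 1), 1),
    ((1, 1, 0, 1, 1, 1, 1), 1),
    ((1, 0, 1, 0, 1, 0, 0), 1),
    ((1, 1, 1, 1, 0, 1, 1), 1),
    ((1, 1, 0, 1, 0, 0, 1), 1),
    ((0, 0, 1, 0, 0, 1, 1), 0),
    ((0, 1, 0, 0, 0, 1, 0), 0),
    ((0, 0, 0, 0, 0, 1, 1), 0),
    ((0, 0, 1, 0, 0, 0, 1), 0),
    ((0, 0, 0, 0, 0, 1, 0), 0),
]


def mutual_information(values: Sequence[int], labels: Sequence[int]) -> float:
    """I(X;Y) in bits for two discrete variables, estimated from their empirical distribution."""
    n = len(values)
    joint = Counter(zip(values, labels))
    px, py = Counter(values), Counter(labels)
    return sum((c / n) * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
               for (x, y), c in joint.items())


def rank_features(dataset=DATASET, names=FEATURES) -> List[Tuple[str, float]]:
    """Features ordered by how much knowing them reduces uncertainty about the label."""
    labels = [y for _, y in dataset]
    scored = [(name, mutual_information([x[j] for x, _ in dataset], labels))
              for j, name in enumerate(names)]
    return sorted(scored, key=lambda s: s[1], reverse=True)


def select_features(k: int, dataset=DATASET, names=FEATURES) -> List[str]:
    return [name for name, _ in rank_features(dataset, names)[:k]]


def _sigmoid(z: float) -> float:
    # Two branches avoid overflow in exp() for large |z|.
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def train_logistic(rows: Sequence[Sequence[float]], labels: Sequence[int],
                   l2: float = 0.01, lr: float = 0.5, epochs: int = 500):
    """L2-regularised logistic regression by plain gradient descent (no numpy needed)."""
    d, n = len(rows[0]), len(rows)
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(rows, labels):
            err = _sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b) - y
            for j in range(d):
                gw[j] += err * x[j]
            gb += err
        w = [wj - lr * (gj / n + l2 * wj) for wj, gj in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def ransomware_probability(sample: Sequence[int], k: int = 2) -> float:
    """Select the k most informative features, fit on DATASET, and score one new sample."""
    idx = [FEATURES.index(name) for name in select_features(k)]
    rows = [[x[j] for j in idx] for x, _ in DATASET]
    w, b = train_logistic(rows, [y for _, y in DATASET])
    return _sigmoid(sum(wj * sample[j] for wj, j in zip(w, idx)) + b)
```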
Maimó et al. [40] were the first authors to discuss the impact of Ransomware on clinical environments. The first ever Ransomware to target the medical industry was WannaCry; upon its outbreak, all NHS operations were put to a halt and most appointments and surgeries were canceled. They devised an ML-based technique compatible with the Integrated Clinical Environment (ICE) architecture that could detect the presence of Ransomware before it could even start propagating. Their technique was able to detect the changes in network traffic when the Ransomware was being run. These patterns were then fed to a probabilistic supervised Ransomware classifier to finally extract complex features of the sample being run. The proposed solution had four main components. The first module monitored traffic patterns resulting from a live sample. The next module required human supervision for generating a suitable dataset that would be fed to the ML algorithms for detection and classification of Ransomware. The third module identified the anomalous patterns and labeled them. The last module focused on mitigation techniques through the aid of rule-based ML models.
Kao et al. [41] conducted another reverse engineering experiment on the WannaCry Ransomware through dynamic analysis. In this case, a WannaCry sample was run on the system and its interactions with processes, the file system, the registry and network activity were recorded. The authors used a tool named YARA to record the signature of the sample. To carry out behavioral analysis dynamically, the Sysinternals Suite and Wireshark were used. WannaCry, being a multi-stage Ransomware, uses a process to load the tasksche.exe file, which in turn launches different processes.
When a ransomware attack occurs, it is really important to detect it as early as possible, because every second is significant and early detection results in a lesser degree of damage. Morato et al. [42] devised an algorithm called REDFISH which claimed to detect the presence of ransomware in an organizational setting earlier than any framework to date, through analysis of network traffic. The authors used around 19 ransomware families to test their algorithm. This algorithm was designed to tackle ransomware strands created to encrypt files and folders present on shared network drives in Network Attached Storage. After carefully evaluating all the environments where Ransomware can persist, the authors found that the existence of SMB in a network indicated a possible habitat in which Ransomware can dwell. They used a network traffic inspection device to analyse the behaviour of incoming and outgoing traffic, and examined the usage of SMB-based commands very closely to look for anomalies in the traffic. The authors ran several tests on the algorithm and reported that REDFISH can detect ransomware within 20 s. The authors stated that although REDFISH proved to be fast, the strands were still able to lock 10 to 15 files before being detected. We believe REDFISH is a feasible algorithm for organizational settings and can be easily deployed because of its minimal impact on server resources. Also, the network inspection device used by REDFISH stays out of the production network, so even malware that can launch reverse shells for an attacker would not be able to deactivate the detection mechanism [43]. However, in modern scenarios where ransomware is highly stealthy in nature, this algorithm can fail. Recently, there has been a surge of Ransomware strands that use Microsoft Word and Excel documents to deliver themselves onto victims' machines. VBA and Excel macros can obfuscate PowerShell code within their streams so that, when they are passed through antivirus scans, they are deemed benign. We strongly believe that in cases like these, REDFISH will not be able to detect the ransomware strands within the stipulated time frame.
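An added example of REDFISH-style network-side detection (not the authors' algorithm): a constructed SMB operation trace, in the form a traffic inspection device might log it, is scanned for a client that reads and then removes many files on a share within a short window, and each alert records how many files were hit before it fired, which is the delay the paragraph discusses; the trace format, the 20 s window and the 10-file threshold are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed SMB operation trace (example data, not a real capture), one
# operation per line: <seconds> <client IP> <operation> <path on the share>
BENIGN_TRACE = r"""
0.0  10.0.0.5 READ   \\nas\finance\q1.xlsx
0.4  10.0.0.5 WRITE  \\nas\finance\q1.xlsx
3.0  10.0.0.5 READ   \\nas\finance\old_draft.docx
3.2  10.0.0.5 DELETE \\nas\finance\old_draft.docx
5.0  10.0.0.7 CREATE \\nas\hr\new_policy.pdf
5.1  10.0.0.7 WRITE  \\nas\hr\new_policy.pdf
14.0 10.0.0.5 RENAME \\nas\finance\q1.xlsx
"""


def encryption_burst(client: str, start: float, files: int) -> str:
    """Constructed pattern of crypto-ransomware working through a share: read each
    file, write an encrypted copy under a new extension, remove the original."""
    lines = []
    for i in range(files):
        t = start + 0.3 * i
        lines.append(rf"{t:.1f} {client} READ   \\nas\docs\file{i:02d}.docx")
        lines.append(rf"{t + 0.1:.1f} {client} WRITE  \\nas\docs\file{i:02d}.docx.locked")
        lines.append(rf"{t + 0.2:.1f} {client} DELETE \\nas\docs\file{i:02d}.docx")
    return "\n".join(lines)


TRACE = BENIGN_TRACE + "\n" + encryption_burst("10.0.0.9", 10.0, 20)

Event = Tuple[float, str, str, str]


def parse_trace(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # blank or malformed line
        t, client, op, path = parts
        events.append((float(t), client, op.upper(), path.strip()))
    return sorted(events, key=lambda e: e[0])


def detect_encryption_bursts(events: List[Event], window: float = 20.0,
                             threshold: int = 10) -> List[Tuple[str, float, int]]:
    """Flag a client that removes (DELETE/RENAME) at least `threshold` files it read
    within the last `window` seconds. Returns (client, alert time, files hit before alert)."""
    last_read: Dict[Tuple[str, str], float] = {}
    removals: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: List[Tuple[str, float, int]] = []
    alerted = set()
    for t, client, op, path in events:
        if op == "READ":
            last_read[(client, path)] = t
            continue
        if op not in ("DELETE", "RENAME"):
            continue
        read_at = last_read.get((client, path))
        if read_at is None or t - read_at > window:
            continue  # removing a file the client did not just read: ordinary housekeeping
        q = removals[client]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append((client, t, len(q)))
    return alerts
```

The alert's third field is the number of files already replaced when the detector fires, so tuning `threshold` trades false positives against the 10 to 15 files the text reports as lost before REDFISH reacts.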
Chen et al. [44] created an automated early detection tool with a novel feature of pattern extraction. Their tool was able to capture new strands and samples through a sandbox and prepare an automated analytic report. The report presented the most unique patterns and behavioural paths followed by different ransomware families. For experimentation and validation, the authors used seven ransomware families. Through the experimental results, the authors were able to determine the efficiency of each of the algorithms used for pattern extraction. In order to extract the features of different ransomware families, they used TF-IDF, ET and LDA to automate the whole process. The tool developed by the authors can be used in medium to large enterprises, as it can easily handle large log data and detect ransomware before other industry-standard solutions. The authors' approach focused on calculating the time efficiency of different algorithms, but they did not compare their tool with other frameworks and algorithms in use. Also, the algorithms used require training before they can make intelligent decisions, and will not work well for the latest strands like Darkside [45].
Imtiaz et al. [46] approached the problem of Android Ransomware using a novel methodology called DeepAMD. DeepAMD used deep ANNs to detect ransomware before it could exploit other applications on the smartphone. DeepAMD initially used a dataset to extract features [44] for feature selection. The cleansed data resulting from feature extraction was analysed both statically and dynamically to determine the nature of an application. Overall, DeepAMD proved to be a novel and effective approach for early detection of the most advanced ransomware families, owing to its good validation rate on the latest and updated Android Malware dataset [47]. In addition to detecting Ransomware, DeepAMD can also detect scareware [48] and adware [49] families.
Kok et al. [50] developed a new algorithm called Pre-Encryption Detection Algorithm (PEDA) that was able to detect Crypto Ransomware, the most dominant type of Ransomware. According to the authors, PEDA could detect almost all Crypto Ransomware strands in their pre-encryption stage [51]. PEDA is a hybrid algorithm that first examines a suspicious binary via static analysis through checksum comparison, and then dynamically via an algorithm that monitors pre-encryption [52] APIs. Along with this, PEDA also identified three APIs that could reveal the presence of Ransomware. The algorithm's success held true for most of the Crypto strands. The only limitation of PEDA is its high dependence on the Windows API, so if PEDA is deployed as the only detection mechanism, it might not be able to detect the latest families.
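An added illustration of PEDA's two-stage idea (not PEDA's code; the page does not name its three APIs, so the CryptoAPI pattern below is an assumption): a checksum comparison against a constructed known-good inventory, followed by an ordered pre-encryption API pattern checked against constructed call traces, including one that avoids CryptoAPI altogether to show the Windows-API dependence the text notes.

```python
import hashlib
from typing import Optional, Sequence, Tuple

# Stage 1 (static): checksum comparison against an inventory of approved binaries.
# Constructed inventory: digests of two example byte strings standing in for
# approved executables (not hashes of any real software).
KNOWN_GOOD = {
    hashlib.sha256(b"example-approved-binary-1").hexdigest(),
    hashlib.sha256(b"example-approved-binary-2").hexdigest(),
}


def checksum_is_known_good(binary: bytes) -> bool:
    return hashlib.sha256(binary).hexdigest() in KNOWN_GOOD


# Stage 2 (dynamic): watch the API trace for the set-up that precedes encryption.
# Assumed pattern (the page does not name PEDA's APIs): a crypto provider is
# acquired, a key is generated or imported, then the file system is enumerated,
# all before the first CryptEncrypt.
PROVIDER = {"CryptAcquireContextW", "CryptAcquireContextA"}
KEY_READY = {"CryptGenKey", "CryptImportKey", "CryptDeriveKey"}
FILE_WALK = {"FindFirstFileW", "FindNextFileW", "FindFirstFileA", "FindNextFileA"}
ENCRYPT = {"CryptEncrypt"}


def pre_encryption_index(calls: Sequence[str]) -> Optional[int]:
    """Index of the call that completes the pre-encryption pattern, or None when the
    trace never shows it or reaches CryptEncrypt first (detection would be too late)."""
    have_provider = have_key = False
    for i, api in enumerate(calls):
        if api in ENCRYPT:
            return None
        if api in PROVIDER:
            have_provider = True
        elif api in KEY_READY and have_provider:
            have_key = True
        elif api in FILE_WALK and have_key:
            return i
    return None


def triage(binary: bytes, api_trace: Sequence[str]) -> Tuple[str, Optional[int]]:
    """Static check first; unknown binaries are judged on their API trace.
    Returns ("allow", None), ("block", index) or ("monitor", None)."""
    if checksum_is_known_good(binary):
        return ("allow", None)
    hit = pre_encryption_index(api_trace)
    return ("block", hit) if hit is not None else ("monitor", None)


# Constructed traces (not recorded from real samples).
RANSOM_TRACE = ["GetModuleHandleW", "CryptAcquireContextW", "CryptGenKey", "CryptExportKey",
                "FindFirstFileW", "CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile"]
EDITOR_TRACE = ["GetModuleHandleW", "CreateFileW", "ReadFile", "WriteFile", "CloseHandle"]
# A strand that handles keys and ciphering in its own code never touches CryptoAPI,
# so only the file walk is visible and the pattern never completes: this is the
# Windows-API dependence the text describes as PEDA's limitation.
CUSTOM_CIPHER_TRACE = ["GetModuleHandleW", "FindFirstFileW", "CreateFileW", "ReadFile", "WriteFile"]
```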
Al-rimy et al. [53] also created a model for early detection of Crypto Ransomware, but through a different approach. The model used two detection modules, one for analysing behaviour and the second for estimating anomalies. Fusion of both results would then give a proper decision on whether the binary is malicious or benign. The authors claimed that this model would certainly be able to detect zero-day attacks and advanced persistent threats. According to the results shown in the work, the model performed extremely well in detecting the ransomware strands from a dataset of 12,000 applications. One benefit of this solution is that it can be used for other ecosystems too, because of its extremely low false positive rate. Figure 5 illustrates the main analysis techniques for detection along with their sub-types. Table 4 sums up the popular detection techniques used by the researchers along with the mode of analysis used and the samples analyzed.
Ransomware detection techniques have matured in their combat effectiveness against major ransomware attacks. Detection techniques are now hybrid in nature, and most of them deploy AI-based strategies for improving detection effectiveness. Despite the advancement in detection techniques, the latest Ransomware families continue to evade them, as these techniques are not designed to contain all of the Ransomware strands at once. Detection solutions are created mostly to detect a single strand or a single type of Ransomware, so generic solutions do not exist, as they are extremely challenging to develop. Some are even designed to detect only one version of a particular Ransomware. So, it is evident that the current state of detection techniques is reactive in nature, developed in response to new ransomware releases.

Table 4 (only one row survives in this extract): CryptoLocker; UNVEIL [59]; Dynamic analysis; Generation of an artificial sandboxing environment which interacts with binaries to determine their behaviour; Limitation: the artificial sandboxing environment cannot always detect DLL hijacking.

Ransomware Avoidance Techniques
Ransomware attacks have been successful mostly because of poor Cyber-hygiene practices. The avoidance techniques available to the masses to protect their devices from the deadly Ransomware are very few in number and generalized in nature. Researchers have proposed a few advanced techniques for Ransomware avoidance, but they are limited to specific environments and specific strands of Ransomware and hence do not qualify as a one-for-all solution.
General techniques that can be followed by users to protect their devices from Ransomware are:

Regular Patches and Updates
When the WannaCry Ransomware hit the world in 2017, it created chaos everywhere and rendered all the ICE computers useless, bringing operations at most hospitals and clinics in the UK to a halt. WannaCry infected devices by exploiting a vulnerability in the SMB protocol. SMB is a Windows-based protocol that allows computers to share files when they are on the same domain. An exploit kit named Eternal Blue was used to exploit the vulnerability, and this is how WannaCry, after entering one device, infected the whole network. Computing platforms which are regularly patched and updated have an extremely low chance of being infected with Ransomware, as most attackers prey upon vulnerabilities that have not been patched. Updating and patching is not just limited to operating systems: browsers and other applications that are live on the network should be updated and patched regularly.

Avoid e-Mails from Unknown Sources and Attachments
Emails from unknown senders should not be opened, as they can carry links and attachments which, if opened, can install Ransomware on the device. Emails meant for delivering Ransomware are usually very compelling and entice the recipient to click on the links or download the attachments. Organizations should conduct training for employees to help them identify phishing emails. Attackers can target a specific department of the organization. For example, the Inventory Department can receive an email with a billing attachment from an attacker posing as a legitimate dealer [60]. Email filters and spam detection extensions should be deployed for all email services.

Disable JavaScript and Java for Browsers
Another important technique to prevent Ransomware spread is to disable JavaScript and Java in browsers. Malvertising, as discussed in Section 2, tricks browsers into downloading executable files which can then infect the whole system. Malvertising uses JavaScript to execute the malicious code, so disabling it proves beneficial in preventing Ransomware attacks. Disabling it also restricts scripting attacks that can lead to open redirects to Ransomware distribution websites.

Controlled Folder Access
This technique works best for organizational environments that deploy Windows-based devices for work purposes. It enables only trusted applications to access the designated folders. Designated folders are mapped to different applications when Controlled Folder Access is configured initially. This technique works with a database of trusted applications that is maintained over time. If an application or an executable is not present in the trusted application database, it is barred from modifying the contents of the designated controlled folders. Controlled Folder Access is an excellent avoidance measure as it can protect boot sectors as well, which are targeted by the latest Ransomware families. Controlled Folder Access also offers an audit mode that can further act as a honeypot for executables not present in the trusted application database that try to access protected folders.
As seen above, the Ransomware avoidance techniques are fairly generic in nature, and Cyber-hygiene is the best policy to be followed, especially for individual users. Figure 6 depicts a Ransomware avoidance continuum for different organization types. Further, software updates can be controlled and distributed by the central IT team, and individual users do not have root privileges to make system-level changes. Level 2, which applies to mid-sized entities, allows users to download files from the open internet but routes the traffic through a Unified Threat Management (UTM) device for detecting malware and dropping traffic from suspicious sources. Level 1 applies to small organizations which do not have the necessary IT infrastructure or security policies in place [61]. Here, apart from individual anti-virus software, there is not much by way of security policies. These organizations are the most susceptible to Ransomware attacks, and user education and awareness are the most effective strategies for avoiding Ransomware attacks.
Thus, Ransomware avoidance is typically a trade-off between the freedom of digital access and fool-proof security. The greater the degree of freedom given to end users in downloading and installing third-party software applications, the more difficult and complex the task of Ransomware avoidance becomes.

Ransomware Mitigation Techniques
Ever since the advent of Ransomware, cyber-defenders have been trying to come up with advanced security solutions that would counteract different Ransomware strands. On the other hand, Ransomware designers have exploited new vulnerabilities, preying on the lack of cyber-security awareness of a vast majority of the population to wreak havoc. Mitigation of Ransomware attacks involves recovering encrypted data, most likely through reverse engineering, or not allowing the Ransomware to complete the encryption process. However, in the real world, mitigation techniques have had limited success. A vast majority of individual victims of Ransomware typically end up paying the ransom demand or losing their data permanently. Still, several mitigation techniques that can enable removal of Ransomware and recovery of devices in an efficient manner have been proposed. Figure 7 sums up the main mitigation methodologies based on the techniques they use. Cabaj et al. [62] devised a mitigation technique that made use of Software Defined Networking (SDN) to counteract Ransomware. This method was applied to the CryptoWall Ransomware but is applicable to almost all types of crypto Ransomware. The technique used dynamic blacklisting of C&C servers while the sample was being run. Without the C&C server, the infected machine cannot obtain the public key that will be used to encrypt it. This technique, however, could not identify any servers that had not previously been used as C&C servers. The blacklisting technique worked with a list of available proxy servers. The implementation of such a mitigation system was made possible through two SDN-based applications, SDN1 and SDN2. SDN1 evaluated DNS responses from the inbound traffic and checked whether the domain was already present in the database of illicit proxies. SDN2 enhanced the functionality of SDN1 by reconfiguring the whole network infrastructure to block the Ransomware activity. SDN2 utilized the OpenFlow protocol to block the traffic associated with a malicious sample.
Zimba et al. [63] made use of reverse engineering to uncover the actual operation followed by different strands of Ransomware. The authors stated that an option for data recovery exists inside the attack structure and the underlying code of the Ransomware, however complex the Ransomware looks. Their approach comprised two modules. The first module used reverse engineering to find the functions for data deletion and recovery in the source code of the malware. Through the first module, the authors were able to identify various properties of a Ransomware sample by running scans such as virus scans, obfuscation checks and meta-data extraction. The second module used sandboxing to analyze the behavior of the Ransomware. This module comprised a server-side environment and a client-side environment. In the server-side environment, a Cuckoo server [64] and Volatility were run. Cuckoo was responsible for delivering the Ransomware. In the client-side environment, various virtual machines ran Windows 7 Desktop Edition. Through Volatility, the Ransomware was analyzed dynamically. Various behavioral features of the sample were collected through the second module. The authors then discussed the file hiding techniques used by the attackers. They found that the attackers do not use secure file deletion techniques, which would make file recovery impossible [65]. Through their experiment, they were able to recover data because of the weak deletion methods used by the Ransomware. Almost all of the samples analyzed by the authors deleted the volume shadow copies, but a timely offline backup of those copies allowed them to restore the victim's device. Even in the cases where the Ransomware was able to evade sandboxes, the authors were able to restore captive data by generating the public key pairs on the victim's device.
Baykara et al. [66] developed an application called Safe Zone in which a single file kept all the files of a user by compressing them. The file created by the authors was named safezone.safe and was kept in a non-stop write mode so that no other source could modify it. The application made use of a logging system called File Watcher that logged all events in the Safe Zone and tracked the modifications made in the parent folders of the files added to the Safe Zone. Another feature of the application checked the integrity of safezone.safe. The application had an interface that even a non-technical user would be able to understand easily. In case of a Ransomware attack, victims can safely go back to the last backup logged in Safe Zone and recover the system to its previous state.
Akbanov et al. [67] made use of Software Defined Networking to mitigate the WannaCry Ransomware in a network. The authors deployed two Windows 7 virtual machines along with REMnux to simulate the propagation of WannaCry via the EternalBlue exploit in a test-bed network. In their experiment, the authors restricted the spread of the Ransomware to only one device. Thus, in order to combat further expansion, they devised an SDN-based technique which dynamically inspected DNS traffic for anomalies. Since the EternalBlue exploit results from flaws in the SMB server, SMB traffic is also examined very carefully so as to detect the presence of any botnet activity. Initially, all the malicious traffic is sent to the controller, which then parses all the packets and matches the malicious ones against a blacklisting database. It then checks for WannaCry indicators like the dropper and the C2C server file. TCP port 445 is monitored by the controller, and as soon as any traffic from this port or TCP port 139 arrives, it is restricted by the controller so that the Ransomware cannot propagate further from the infected host. It is, however, not able to detect the newer versions of WannaCry that use advanced exploits like EternalRomance and EternalIce because of the evasion mechanisms deployed by them.
Sophos developed an endpoint mitigation tool called Intercept X that claims to eliminate zero-day APT families. Intercept X uses behavioral analysis to prevent Ransomware families from modifying the registry. According to Endpoint Security's Testing Guide [68], Intercept X has a success rate of 99.7% in detection and mitigation, with just one false alarm in the real-world test. Intercept X also deploys exploit prevention techniques that help in finding extremely advanced adversary shell-coding patterns and blocking them before they are able to gain access to the registry. Along with these features, Intercept X brings a new feature called CryptoGuard that can recover encrypted files. Despite the extremely high efficiency, further research needs to be conducted into how and whether it can detect and mitigate the latest families that deploy anti-analysis techniques.
Microsoft released two products called Defender for Endpoint and Defender for Identity for extensive protection against Ransomware attacks. They have been thoroughly tested against the largest malware database in the world, AV-TEST. Both of them scored a 100% protection level in the October 2020 test. This test included 12,316 new malware samples along with 339 zero-day strands. However, the rate of introduction of new strains of Ransomware makes it virtually impossible to build fool-proof solutions. McAfee LLC [69] patented a framework that was able to identify whether any unauthorized executable was trying to modify the local files on the system and create a security event for it. The framework used entropy values to distinguish between files and their modified form. Any value above the threshold would denote a security breach, and the framework would create a security event accordingly. The security event would then be monitored, and if the entropy value was far too high, the system would be taken back to the last snapshot in order to mitigate the Ransomware attack. System baselining, checkpointing and rollbacks impose significant storage requirements.
Dell EMC [70] invented a framework that replicated all the appends and writes from a server to two different copies, a local and a remote one. The local copy resided in a local production site, whereas the remote copy was kept in a remote disaster-recovery site. A sliding time window was used to measure the deduplication ratio over an arbitrarily chosen length of data. If this ratio rose past the threshold, the framework claimed to have detected Ransomware. In order to mitigate the attack, the framework would stop any pending appends and writes designated for the remote site. While such schemes work well for data files, retrieving licensed applications and ensuring complete system recovery has not been attempted by existing mitigation techniques and mechanisms.
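The entropy-threshold check behind the McAfee framework and the deduplication-ratio window behind the Dell EMC framework can be sketched together. The following is an added example written for this review, not code from either vendor; its thresholds, chunk sizes, the unique-chunk definition of the deduplication ratio and the two sample streams are constructed for the demo.

```python
"""Two storage-side heuristics for catching bulk encryption while it happens (added example
for this review, not McAfee's or Dell EMC's code): (1) an entropy jump on an unauthorized
file rewrite raises a security event and, when the new content is near-random, a rollback
hint; (2) a sliding-window deduplication ratio over appended chunks, which reaches
"no duplicates" as ciphertext is written. Thresholds, chunk sizes and sample streams are
constructed for the demo."""
import hashlib
import math
import random
from collections import Counter, deque

EVENT_ENTROPY = 7.0      # bits/byte above which a rewrite looks like ciphertext
ROLLBACK_ENTROPY = 7.9   # "far too high": recommend rolling back to the last snapshot
MIN_JUMP = 2.0           # required rise over the file's previous entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text and logs, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_event(path: str, before: bytes, after: bytes):
    """Compare a file before and after an unauthorized write. Returns a security event
    (with the recommended action) or None when the change does not look like encryption."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    if e_after < EVENT_ENTROPY or e_after - e_before < MIN_JUMP:
        return None
    action = "rollback_to_snapshot" if e_after >= ROLLBACK_ENTROPY else "monitor"
    return {"path": path, "entropy_before": round(e_before, 2),
            "entropy_after": round(e_after, 2), "action": action}


class DedupWindow:
    """Sliding window over the last `window_chunks` fixed-size chunks appended to a replica.
    unique_ratio() is defined here as the share of chunks that have no duplicate inside the
    window: repetitive documents and logs stay low, a ciphertext stream drives it to 1.0."""

    def __init__(self, chunk_size: int = 64, window_chunks: int = 256):
        self.chunk_size = chunk_size
        self.window_chunks = window_chunks
        self.chunks = deque()        # chunk digests in arrival order
        self.counts = Counter()      # digest -> occurrences inside the window

    def feed(self, data: bytes) -> None:
        usable = len(data) - len(data) % self.chunk_size
        for i in range(0, usable, self.chunk_size):
            digest = hashlib.sha256(data[i:i + self.chunk_size]).digest()
            self.chunks.append(digest)
            self.counts[digest] += 1
            if len(self.chunks) > self.window_chunks:
                old = self.chunks.popleft()
                self.counts[old] -= 1
                if self.counts[old] == 0:
                    del self.counts[old]

    def unique_ratio(self) -> float:
        if not self.chunks:
            return 0.0
        return sum(1 for c in self.counts.values() if c == 1) / len(self.chunks)


def sample_streams(n_bytes: int = 16384) -> dict:
    """Constructed inputs: a repetitive application log (64-byte lines, one per dedup chunk)
    and a seeded pseudo-random stream standing in for the ciphertext a Ransomware writes."""
    rng = random.Random(1)
    templates = [b"2021-03-01 12:00:00 INFO order-service request ok",
                 b"2021-03-01 12:00:00 WARN order-service slow reply",
                 b"2021-03-01 12:00:01 INFO inventory sync complete",
                 b"2021-03-01 12:00:01 ERROR inventory sync timeout"]
    lines = [t.ljust(63) + b"\n" for t in templates]
    log = b"".join(rng.choice(lines) for _ in range(n_bytes // 64))
    cipher = bytes(rng.getrandbits(8) for _ in range(n_bytes))
    return {"log": log, "cipher": cipher}


if __name__ == "__main__":
    streams = sample_streams()
    print(entropy_event("/data/report.docx", streams["log"], streams["cipher"]))
    for name, data in streams.items():
        window = DedupWindow()
        window.feed(data)
        print(f"{name}: unique chunk ratio in window = {window.unique_ratio():.2f}")
```

The two signals are complementary: the entropy check needs the previous version of the file, while the deduplication window only needs the stream of appends reaching the replica.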
While some mitigation strategies have proved effective against existing strains of Ransomware, their effectiveness has been demonstrated in controlled lab environments. In real-world scenarios, Ransomware spreads because of unpredictable human responses and actions and a divergence of security policies, devices and deployments across vendors. This is due to the lack of standardization efforts in devising security mechanisms and of large-scale collaborative efforts involving governments, security organizations and researchers.

The Notorious Djvu Ransomware: A Case Study
Recently, a lot of individual users have been subjected to one of the most widespread ransomware strands, Djvu. Djvu, alternatively known as STOP, is a huge ransomware family with almost 250 variants, updated on a weekly basis. It was released in the last quarter of 2018 and its initial success led to development of different sub-strands. The widespread nature of Djvu is due to multiple distribution sources. The most common sources include e-mail attachments, cracks and keygens for bootlegged software. Ransomware authors of Djvu place the encryption source code in the crack packages and distribute them via torrent websites.

The Djvu Modus Operandi
Djvu variants use different encryption techniques. The earlier variants used AES, a symmetric encryption algorithm. Since AES uses a single key for both encryption and decryption, researchers were able to extract the key from victims and contain the virus. Later variants used RSA for encryption. A novel aspect of Djvu's RSA variant is that it encrypts only the initial portion of the files, say 2 to 5 MB of each file, so that file carving becomes challenging. Another reason for this approach is that RSA is computationally intensive, which makes it difficult for reverse engineers to create a decryption tool. Djvu details are summarized in Table 5. In the infection phase, once the strand is delivered to the victim's device, the next sub-phase is where the encryption file is dropped from the skeleton program. As soon as the deliverable is executed by the potential victim, Djvu gets activated and starts manipulating various files. Figure 8 depicts the sequence of operations followed by Djvu. In order to prevent carving attempts, Djvu deletes the OS's shadow volume and renders important Windows registry entries unusable. In the typical encryption scenario, Djvu encrypts the common files and folders, appending extensions like .djvu, .udjvu, .djvur, etc. to them. As soon as the encryption process is complete, which takes around forty-five seconds to one minute after the execution of the deliverable, a ransom note in the form of a .txt file is stored on the desktop; it contains a message regarding the encryption of the victim's files. The message also contains the email addresses of the Ransomware authors, which need to be contacted in order to get the files decrypted. If the victim pays the ransom within 72 h of encryption of the files, the authors promise a 50% discount on the ransom amount.
Upon contacting the email addresses provided in the ransom note, a cryptocurrency wallet is provided by the authors to which the payment is to be made. As stated in the previous section, the authors can passively watch the blockchain to track the payment; this technique promises them anonymity.
With the previous versions, since AES was being used, a single decryption tool could be created and replicated to help other victims. It is interesting to note that Djvu strands using AES create victim IDs with t1 appended to the end. These IDs are used for making payments. Thus, for victim IDs ending in t1, it is possible to use decryption tools available on the internet. This is due to the lack of any C2C activity in the Ransomware. However, the authors learnt from these drawbacks and started using asymmetric cryptographic techniques along with C2C server activity.

Tackling Djvu
Currently there are only a few detection strategies that can detect the presence of Djvu. We suggest that reverse engineers use both static and dynamic analysis techniques. Using static analysis, we can identify Indicators of Compromise (IOC) such as varied checksums and email addresses. Along with this, malicious strings, if any, can be examined. Djvu can also be analyzed using dynamic techniques where, using Wireshark, its network activity or any interactions with a C2C server can be observed. Tools like Process Hacker can give us very important information like the local API calls Djvu makes for DLL hijacking and API hooking. The Ghidra tool [71] can help us reverse engineer a strand as well as find the language it is written in.
One main reason for Djvu's success is poor Cyber-hygiene practiced by end users. A lot of users still use cracked software to avoid paying for the licenses. Plus, recovery is never guaranteed if you are hit by a Ransomware attack. Since Djvu resides in malicious email attachments as well as cracked software present on Peer-to-Peer (P2P) websites, basic security awareness among users goes a long way in preventing such attacks. An AI-based prevention tool/browser extension that advises/warns users and helps them practice better Cyber-hygiene would be a good start in this direction. A further extension to the tool can be envisaged to download any file to a sandbox, transfer the downloaded file to industry-standard Ransomware analysis tools like ANY.RUN, get the analysis results and allow or prevent the users from installing the downloaded software.
As discussed in the previous section, most Ransomware attacks are extremely hard to mitigate because of the absence of strand-specific solutions. Also, it is hard to decide between network-level and host-level mitigation strategies for effective removal of Ransomware. In the case of the earlier versions of Djvu that use the Advanced Encryption Standard (AES), host-level solutions need to be looked into, whereas for RSA-based Djvu, network-level strategies come into play. Further, backup and restore options, similar to the ones on smartphones, need to be explored for individual systems to truly mitigate the impact of Ransomware. Table 6 presents a summary of potential detect, avoid and mitigate strategies for Djvu.
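The Djvu facts given in the case study (the listed extensions, the encryption of only the head of each file, the ransom note contents, and the t1 suffix that marks offline-key victims for whom decryptors exist) translate into a first-response triage script that also applies the host-level versus network-level decision above. The following is an added example for this review, not a published tool; its note wording, e-mail addresses, victim ID and file contents are constructed, and a 4 KB head stands in for the 2 to 5 MB head the case study reports.

```python
"""Triage helper for a host hit by a Djvu (STOP) style infection, written as an added example
for this review (not a published tool): it inventories files carrying the extensions the case
study names, extracts contact e-mails and the victim ID from the ransom note, checks that only
the head of each file is encrypted, and picks the host-level or network-level path depending on
whether the ID marks an offline ('t1') key. All sample data below is constructed."""
import math
import os
import random
import re
import tempfile
from collections import Counter

DJVU_EXTENSIONS = {".djvu", ".udjvu", ".djvur"}   # extensions listed in the case study
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ID_RE = re.compile(r"personal id[:\s]+([A-Za-z0-9]+)", re.IGNORECASE)  # assumed note layout
HEAD_BYTES = 4096                                  # scaled down from the 2-5 MB encrypted head
SAMPLE_NOTE = ("ATTENTION! All your files are encrypted.\n"                # constructed note
               "To decrypt them write to support@example.com or backup@example.com\n"
               "Price is 50% less if you contact us within 72 hours.\n"
               "Personal ID: 0123456789abcdeft1\n")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_partially_encrypted(path: str) -> bool:
    """High-entropy head over a low-entropy tail: the mark of a strand that encrypts
    only the beginning of each file."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
        f.seek(max(size - HEAD_BYTES, 0))
        tail = f.read(HEAD_BYTES)
    return shannon_entropy(head) > 7.0 and shannon_entropy(tail) < 6.0


def find_encrypted_files(root: str) -> list:
    hits = []
    for dirpath, _, names in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in names
                 if os.path.splitext(n)[1].lower() in DJVU_EXTENSIONS]
    return sorted(hits)


def parse_ransom_note(text: str) -> dict:
    """IDs ending in 't1' come from the AES-era strands without C2C activity, for
    which public decryption tools exist."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    match = ID_RE.search(text)
    victim_id = match.group(1) if match else None
    return {"emails": emails, "victim_id": victim_id,
            "offline_key": bool(victim_id and victim_id.endswith("t1"))}


def triage(root: str) -> dict:
    note = {"emails": [], "victim_id": None, "offline_key": False}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(".txt")):
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as f:
                text = f.read()
            if EMAIL_RE.search(text) and "decrypt" in text.lower():   # heuristic note match
                note = parse_ransom_note(text)
    encrypted = find_encrypted_files(root)
    action = ("host-level: run a public offline-key decryptor against copies of the files"
              if note["offline_key"] else
              "network-level: isolate the host, block C2C traffic, keep files for a future decryptor")
    return {"encrypted_files": encrypted,
            "partially_encrypted": [p for p in encrypted if looks_partially_encrypted(p)],
            **note, "action": action}


def build_sample_incident(root: str) -> None:
    """Constructed incident: two partially encrypted files plus the ransom note."""
    rng = random.Random(2021)
    plaintext_tail = b"Quarterly inventory report: 40 pallets received, 12 pending review.\n" * 64
    for name in ("report.docx.djvu", os.path.join("photos", "holiday.jpg.udjvu")):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(HEAD_BYTES)))  # encrypted head stand-in
            f.write(plaintext_tail)                                          # untouched remainder
    with open(os.path.join(root, "ransom_note.txt"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_NOTE)


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_sample_incident(root)
        return triage(root)
```

Run on a real host, `triage` is pointed at the user profile and the file heads are sized to the strand's actual encrypted prefix; the offline-key branch works on copies so that originals stay intact for a future decryptor.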

Future Directions in Ransomware Protection
The DAM framework evaluates different combat strategies for preventing ransomware attacks and widespread financial losses. Out of all the combat strategies, avoidance techniques are the most desirable in protecting users and organizations from ransomware. However, effective avoidance techniques at an organizational level entail significant cost, large IT teams, multiple levels of security and some restricted user access privileges. At the individual level, practicing Cyber-hygiene is the only effective avoidance strategy. Since avoidance is the holy grail of ransomware security, detection and mitigation are the more viable real-world strategies. Early and fool-proof detection of ransomware attacks is desirable if effective mitigation strategies are to be implemented. Even though most of the techniques discussed above detect ransomware within a timeframe of 50 to 60 s of its initial spread, advanced strands can perform DLL hijacking and UAC bypassing within five to ten seconds and are able to encrypt the files within fifteen seconds. Once the files are encrypted, it is extremely difficult to reverse engineer the operations performed. Thus, mitigation techniques can be deployed only if detection is extremely fast, and that is always a challenge, as early inferencing can lead to false positives.
It is safe to say that current technology does not offer an end-to-end security blanket protecting individuals and large organizations from the threat of ransomware. Therefore, organizations need to consistently invest in legal penetration testing services in addition to purchase of cyber insurance policies. The former leads to rigorously testing the defense perimeter and constantly upgrading and tuning the security policies to cater to new security threats. Future directions in the evolution of ransomware protection are outlined below:

Browsers as the First Line of Defense
Files downloaded from the internet through the web browser are primarily responsible for ransomware infection. Little to no research has been conducted so far on detecting ransomware inside the browser, or even on warning the users. Ren et al. [72] designed a three-layer security solution whose first stage used a browser extension that could identify malicious websites and also kept track of unauthorized downloads that occurred through these websites. A major downside of this extension is that it can only block websites that already reside in a predefined list. Malvertising is known to occur through trusted websites as well. It utilizes the JavaScript execution capabilities of the browser to trick it into downloading the malicious file. That is why the browser should be equipped with security features so that as soon as an executable is downloaded, it is moved into a sandbox where its behavior can be analyzed. Hence, extensive research needs to be carried out on building ransomware detection and isolation features inside the browser.

Trusted and Non Trusted Sources
Although this counts as a preventive measure, maintaining a database of trusted and non-trusted sources through global collaboration/crowdsourcing between credible entities will help in improving alert systems for potentially malicious sites and internet sources. The database can be created by incorporating Qualys' SSL Labs APIs [73], which will ensure the trustworthiness of a website. This database can be similar to the one created by Alexa [74], which ranks websites based on different parameters. This database can then be used by web browsers and anti-malware extensions that monitor the activities of a user and issue an alert when a potentially dangerous website is browsed.

Avoiding Privilege Escalation in Windows Based Platforms
Traditionally Windows based devices are the most susceptible to ransomware attacks due to weak authorization and authentication policies which can be abused by malicious users. One of the techniques used by malicious executables to gain unauthorized access into the systems is privilege escalation. DLL Hijacking and bypassing UAC mechanism are the two main ways by which Windows Privilege Escalation is carried out to gain folder and registry access in order to encrypt them.
Despite the existence of avoidance strategies like Controlled Folder Access and the cloud-powered Windows Defender AV [75], malicious portable executables can use extremely advanced techniques like anti-analysis mechanisms, API hooking and process injection to infect the system. Also, the concept of a secure registry needs to be looked into so as to develop better prevention strategies. The notion of a hierarchy-based file-system standard needs to be incorporated into such platforms so that role-based access control and privilege-based access control can be defined and enforced.

Adoption of AI Based Chat-Bot Assistants for Ensuring Cyber-Hygiene among Users
When it comes to dangerous attacks like Ransomware in cyberspace, prevention is the best cure. Prevention of Ransomware attacks is highly dependent on the behavior of users on the Internet. This, in turn, is governed by Cyber-hygiene practices. In this context, AI-based chat-bot assistants that can warn users against the repercussions of downloading files from untrusted sources can be useful. Such tools will be able to monitor the web activity of the user and help improve their Cyber-hygiene. Educating users and preventing them from performing actions leading to cyber-attacks will probably be one of the most effective avoidance solutions.

Use of a Sanitized Software Download Service
A repository of sanitized open-source software packages available for download as a service can be designed which users can use to download popular software packages without the fear of malware infection. The repository may employ a list of File Lock PEA trusted keys. For verification purposes, each package can be matched against the stored keys and checksums.

Backup and Restore
It is very common for mobile devices to be backed up completely and for new devices to be restored with the data and applications from the backed-up image. We believe that such a service is viable for individual laptops/desktops as well. Users would be able to quickly recover their data, in case their system is compromised, by reformatting the hard disk and performing a restore from the last backup. Microsoft, with its large installed base, could contemplate offering such a service to users. This backup differs from a data backup on Google Drive, for instance, as it involves the backup and management of installed, and possibly licensed, third-party applications as well. In all operating systems, the backup functionality is present as a recurring process, such as a cron job in Linux or a scheduled task in Windows. All a user has to do is set up the backup functionality so that it is automated and occurs in a timely manner. Although physical operating systems do not have the capability of working with snapshots, the concept of Last Known Good Configuration applies here and helps in mitigating the effect of Ransomware.

CVE Monitoring
Most Ransomware attacks are successful because of two major factors: poor Cyber-hygiene and unpatched system vulnerabilities. Ethically, penetration testers try to find zero-day vulnerabilities before the malicious actors do, and these vulnerabilities are fed into a database of Common Vulnerabilities and Exploits (CVE). But most of these vulnerabilities are not patched by developers, leading to highly advanced and chained attacks. Thus, a server for the latest CVEs can be created which may be used to retrieve real-time information regarding the patching of possible exploits and vulnerabilities.

Conclusions
In this article, we presented the DAM framework for analyzing Ransomware combat strategies. Different strategies, their modus operandi and their limitations were also discussed. Ransomware is rapidly increasing in complexity, adversity and multiplicity. Ready-to-go RaaS has even equipped unskilled attackers to launch effective attacks. Detection and mitigation techniques have not kept pace with the increasing sophistication of Ransomware and remain both cost and resource intensive, making it feasible only for large organizations to adopt them. For small organizations and individuals, simpler interventions like trusted sources for software downloads, sanitized downloads, assistants to improve Cyber-hygiene, automated backup and restore, and use of screening services such as ANY.RUN, Cloudflare, etc. are the only feasible protection options for now. Future work will focus on the creation of an Artificial Intelligence based browser extension that will be used for monitoring the Cyber-hygiene of individuals and organizations alike.
Author Contributions: Conceptualization: A.K., A.G. and S.T.; writing-original draft preparation: A.K. and R.G. methodology: R.G. and G.S.; writing-review and editing: A.G., S.T. and I.E.D. All authors have read and agreed to the published version of the manuscript.