WIXLIB

2.2 RansomwareAny program or process that is made to affect operations of a computer, its operating system and hosted software, or to steal sensitive data is defined as Malwareor malicious software. Cyberattacks with malware that possess the intent of extorting user data, decrypt the user computer or holding it for ransom is categorized asransomware (6).Ransomware is an attack upon the files and data of organizations and individuals.This threat is a malicious program that encrypts a user’s hard drive and blocks accessto user’s files. The attacker who organizes the ransomware, holds the key to decryptinfected files until the victim will pay a ransom (7).Ransomware and locking user’s devices through malware is traceable to 1989.The PC CYBORG Trojan released on floppy disks, but this type of cyberattack hasincreased since 2007. The ransom is oftenly requested to be paid in electronic currency, cryptocurrency. The such as Bitcoin, to make it harder to track the attacker.Bitcoin is an electronic currency with little tracking capabilities. The nature of its existence solely in cyberspace make it difficult or even impossible to trace the attacker. Ithas the ability to anonymize the transactions (7). According to the computer securityfirm Symantec, the ransomware attack made hundreds of millions dollar from victimseach year (7). Cryptocurrency and advances in payment techniques and strong dataencryption techniques are some of the major factors leading to increased amount ofransomware (6). Ransomware attacks can be described in five stages:Infection - When a user open an attachment from a spam message or accessing acompromised website, the device will be infected by the ransomware software. Themalware needs to execute on a computer and it is necessary for an attack to be successful.Back-up spoliation When the malware is executed, the malware starts to removeand destroy the back-up files and folders from the system to prevent restoring frombackup stores. This is unique to ransomware. Other types of cyberattacks don’tbother to delete the back-up files (8).Data encryption - During this stage, the ransomware creates its encryption key. Itcan either be from contacting a command and control server (c2), or some of ransomware are able to create their own key (9). The ransomware begins to searchacross all folders on the computer, encrypting as many files as possible. Usuallythe malware will perform a secure key exchange with the command and control (C2)server, establishing those encryption keys that will be used on the local system. Notevery type of ransomware needs to contact a C2 server. The SamSam malware doesall the encryption locally without reaching out to the internet (8).Demand - A message displays on victim’s device demanding that a certain amountto be paid to release the encrypted device’s data and files.Outcome - The dependence on a victim’s action during a ransomware attack leadsthe following outcomes: a) The ransomware is eliminated from the victim’s devicewithout paying the ransom amount and the device is unlocked or the data/files are recovered from back-up. b) Ransom payouts are made through anonymous electronic7

channels such as Bitcoin or DarkCoin. c) Data/files are destroyed because paymentis not made, and the ransomware is not eliminated, without any backup in place thefiles/data are lost permanently .2.2.1 Ransomware TypesRansomware attacks use different type of methodology for corrupting the user dataand files. The goal is to create fear of the device becoming inaccessible. Differences in each type of ransomware can be due to the algorithms for encrypting dataor blocking access of to the device. The three main variants of Ransomware areRansomware-Crypto, Ransomware-Locker and Master Boot Record(MBR)-Ransomware.Ransomware-crypto is the most common ransomware. It encrypts files and dataon the target’s computer or mobile phone. This kind of ransomware search silentlyfor the victim’s files and data after being injected to user’s system. The victim’s device continues to work as usual until the malware start targeting the critical operatingsystem files and applications. The malware finds the end user data and files it willencrypt and make them unusable for the user and demand a ransom (10). The cryptoransomware encrypts the files and data on the victim’s device. If the malware is removed from the victim’s device, the data is not accessible. The attacker will typicallyrequire money to decrypt the data.Ransomware-locker is another type of ransomware that impacts the computingdevices such as end user computer systems or mobile devices. Ransomware-lockercan also lock the input interface like keyboard and mouse and deny access for theuser. It would allow limited functionality for the user, such as moving the mouse orkeeping the numbers button on the keyboard enabled, for the user to be able to paythe ransom. Unlike the ransomware-crypto, this malware keeps the data and filesuntouched. This means the data can be recovered by moving the storage device toanother computer (10).Master boot record-ransomware this type of ransomware encrypts the MBR tablethat holds the information on how the logical partitions, containing file systems, areorganized. Encrypting the MBR table will lead to not finding the files by operating system on the hard disk. MBR-ransoware encrypts the MBR table and not the files/data.This means that the data and files are actually safe and are not encrypted. In this typeof attack the key for the MBR is also encrypted. That makes the MBR ransomwarea dual encryption both for the MBR table and also for the key. The tandem formattedattack with dual encryption makes it very difficult for decryption without any access tothe key (11).The threat level of each type of ransomware depends on the type of encryption andthe mythology attackers use. Their methods to either encrypt the data or make thedevice inaccessible for the victim.8

2.2.2 Major Ransomware AttacksThe timeline shows some major ransomware attacks during past years.1989 AIDS Trojan or PC Cyborg— The first ransomware virus created by JosephL.Popp at the World Health Organization’s International Aids conference (7).2007 It was a locker attack that began to appear, this ransomware attack startedfrom Russia and displayed a pornographic image on the machine. Attackers requiredmoney to remove the picture. Locker-ransomware-attacks soon spread to Europe andthe US (7).2013 In this year the CryptoLocker released, this ransomware used private and publiccryptographic keys to encrypt the victims’ files. Attacker required two Bitcoin or 100at that time (7).2016 The Xbot ransomware was found to be targeting Android devices in Australiaand Russia (7).2017 A ransomware called WannaCry debuted. It launched in 2017 and infected,200000 devices in 150 countries. The attack encrypting victims’ files and the attackersrequired victims an amount from 300 to 600 to decrypt the infected files (12).2.3 PhishingThe cyberattack that most commonly target individuals is the Phishing cyberattack.Phishing cyberattack is a process of luring people into visiting fraudulent websitesand requests to enter personal information. Information such as username, passwords, social security numbers, addresses, personal identification numbers (PINs) orother identifying information. Phishing is defined as “a social engineering attack thatuses e-mail, social network webpages, and other media to communicate messagesintended to persuade potential victims to perform certain actions [e.g., entering login credentials in a cloned webpage, downloading an attachment embedded with amalware or opening an infected hyperlink] or divulge confidential information for theattacker’s benefit in the context of cybersecurity” (13).This type of attack sends emails to a target’s computer or phone to gain sensitiveprivate information. The emails are sent to victims with an appearance as originatingfrom a trusted brand, an official institution or a bank (14). These emails contains aURL link that directs victims to a modified or fake website. Victims are asked to enterpersonal information such as credit card number or password and this information willforward to the attacker. When the identity information of a user is forwarded to anattacker, it can be used to empty their bank account, launder money, run fraudulentactions, take out loans in the victim’s name or apply for credit cards (15).Unlike the ransomware attack, that target the victim’s device and encrypt the filesor block the whole device, the targets of phishing attack are the users. Regardlessof how high system security is or how many firewalls, encryption software and twofactor authentication mechanisms the system has, individuals can still fall for a phish.Anyone who is unsuspecting can be the target for an attacker (14). Phishing attacksaim to steal personal information, but it can also install a malware to the victim’s9

device. Sometimes the aim of the phishing attack is to gather login information ofan employee for a company. The target is deficiencies within the company. Manyransomware attacks start with phishing (16). This type of attack grows daily, and beyond spreading via emails, it is also spreading during SMS, instant messaging, socialmedia sites such as Facebook and even massively multiplayer games (14). Humaninteraction with the internet is one of the important aspect in this type’s attack. Thismeans that the attacker will use psychological tricks to making victims agree to interactions otherwise outside their normal patterns (17). According to (13) a studyfrom 2020, more than 91% of cyberattacks, from 2012 onwards, were inundated withphishing attacks. Training and knowledge is the most useful and crucial layer of protection against phishing (13). The study revealed users of cyberspace need to betrained and educated for heightened suspicions in regards to unsolicited emails andlinks. A scrupulous cyber interaction has to be questioned and assessed to minimizethe risk of being hacked by a phisher (13).The phishing attack typically include three key components:The lure An attacker or also called a phisher, will spam many users by sending emailsthat appears to be from an official and legitimate institution or a bank. The email willembed a link to a designated website . The format encourages the user to follow adirect URL to to a phishing website or download.The hook Phishers want to gather the personal information by making a legitimatewebsite appear similar to the original website from the original institution. The purpose of the hook is to disclose the identity information of the user to the site.The catch is the last stage of a phishing attack. The attacker will use the collectedinformation for financial gains, resource mining, or sell the data (18).2.3.1 Types of PhishingThere are different types of phishing attacks. In total, there are eleven types of phishing attacks (19). Each phishing attack uses various methodology for their implementation.A brief description of each type of phishing attack:Similar spoofing - the phisher develops a very similar website to a legitimate websiteto lure victims. The URL of the phishing site and the authentic site will look similar.The messages to users prompt me to change their password, validate security questions, or give business information. The tactic is to make it impossible to appear onthe surface as a feasible connection.Deceptive - this type of phishing attack is similar to instant spam phishing, because itasks for user information. Instead of asking outright for passwords, the attackers willmessage victim’s for verifying account information.Malware based - this is a phishing technique that installs and run malware on user’smachine. The malware will be scanning all the emails associated with the victim. Themalware will compile online account information.10

Key and screen logger - the attacker aims to get user information through keyboardinput in this type of phishing attack. The attacker is able to record all strokes of thekeyboard. The vulnerability can easily steal personal information either by recordingthe keyboard inputs or recording the screen.Web Trojan - the attacker places a time bomb that will explode during a normal operation such as opening a file or a link etc. The Trojan will record the local records ofthe user and thus transmit them to a phisher.Host file poisoning attack - the attacker has to intercept an actively queried URL before normal communication is established in a host file poisoning attack. The “hosts”file, in Microsoft Windows operating system, is analysed before resolving the DomainName System (DNS). The phisher is “poisoning” the host file to direct the victim to thephishing website. The counter direction to a fake site for theft of personal information.Content-injection - the phisher change the whole or part of a legitimate and a genuine website with fake content. This technique will misguide the user to voluntarilygive their personal information. This can be done by inserting a malware code touser’s PC or into the operating network for gathering information.Man-in-the-middle - the phishers places themselves between the user and a genuine website. Then recording of the information entered by the user is recorded, butnot the interface. It will not affect the normal user transaction. The information can beused, or the attacker will sell them when the user is not active anymore.Search engine - attackers build attractive websites and often include offers such assales pormotions. These website and offers are legitimately listed on search engines.The sites commonly ask for personal information and credit card numbers.Email/Spam based - sends a lot of emails to many people and asking them to entertheir personal information or updating the previous information.Web-based delivery - attackers detect all information and details that are transferredduring a transaction between a legal and genuine website and the user. The detailscan be gathered by the attacker as the user continues to pass information.Link manipulation - the phisher forwards a link to a malicious website in this type ofattack. By clicking on the link, it will open the phisher s website instead of the websitementioned in the link (20).11

2.4 Expert InterviewsThe aim of this study is to investigate the public’s conception about two cyberattacks, Ransomware and Phishing, the interview with experts and researchers is animportant part of the project. Varied types of information about each cyberattackis discussed and an idea about public impact was addressed. Interviews with experts, professionals and the literature review help us to have an understanding aboutthe subject, collect more data and have a good references to compare the realitywith understanding of these cyberattacks. The interview with field experts was asemi-structured interview. Experts could give us more information about the subject during the interview with firsthand experience. Three experts from the industryand one researcher were interviewed. The experts are Martin Bergling - coordinator for innovation node, Nils Daniels - Security coordinator for universities at SNIC(Swedish national infrastructure for computing), Fredrik Stengård - Security coordinator at Sveaskog and Sotirios Katsikeas- PhD student, researching cybersecuritymodelling and attack simulation.2.4.1 Phishing, a cheap and easy method for attackersAccording to Martin Bergling who is the coordinator for innovation node, using thePhishing method to target individuals are cheap and easy. ”Sending emails is cheap.To create a fake website looks legitimate is very easy, and this leads to an easyway to read a user’s password and username.” Furthermore Nils Daniels, a securitycoordinator for universities at SNIC (Swedish national infrastructure for computing)confirm that the Phishing method is cheap and easy for the attackers. “It is easy tomake legitimate emails that looks like an original.” “if we look at the extreme volumeof sending emails and other platforms it is enough for the attackers if a small percentof the people be the victim”2.4.2 Anyone Can Be a TargetExperts says that anybody can be a victim of this types av attack but to be a victimdepends on awareness and knowledge of these attacks. Martin Bergling says: “I personally get a Phishing mail yesterday, and I realize that it was a Phishing mail andof course I didn’t click on it”. “Anybody can receive these types of try to attack, butnot everybody can be a victim, and it depends on your knowledge about these typesof attack”. Additionally, Sotirios Katsikeas a phd student, researching cybersecuritymodelling and attack simulation says that Phishing attacks is very wide and can targetanybody. ””Phishing attacks are all over the places. It does not matter if you are anindividual or an employee of a big company. It will be equally probable that you are avictim of a Phishing attack. I think inexperienced people who actively use the internetare the most targeted group of these types of attack.” Fredrik Stengård, responsiblefor information security and taking care of IT security incidents – also active in education to protected employees against different types of cyberattack, explain that it is12

enough to have a email address to send a Phishing email. ”It is very probable thatyou receive a Phishing email. But if you are hacked by a Phishing mail, it dependson how educated and aware you are about Phishing emails. Anybody can be a targetby Phishing. As long as I have your email address, then you can receive a Phishingmail.”2.4.3 Spear PhishingResearchers and experts says that the Spear Phishing targets specific individuals isbecoming more popular. Marting Bergling says: “Spear phishing, which is targetedtowards specific individuals, for example leaders at a company, and usually attackershave found out more about the targeted people, so the design of the Phishing maillooks legitimate”. Furthermore Nils Daniels explain that spear Phishing is difficult todiffer from the original one. “Spear Phishing that directly aims at different people ina company with different role. So it seems very reliable because it is very personal.”“These types of Phishing are very difficult to differ from an original one” “In addition,the Phishing attacks become more directed, for example the attacker will use betterSwedish and differing from the original emails will be harder.”2.4.4 Ransomware InfectionsSotirios Katsikeas says that the Ransomware attack can spread itself to other computers. ”There are simple type of Ransomware that infect a single computer butalso more advanced one such as Wanna Cry Ransomware that has the ability to bespread to other computers connected to the same network for example by exploitingthe ability of operating system.” Nils Daniels explain aslo that there is a risk that manycomputers get infected by a Ransomware attack. ”If the network and a segment isshared by different types of groups, there is a risk that when a user is infected byRansomware, others can also get infected.But the goal is to prevent this by dividingthe network to different group and segment in an organization.”2.4.5 Ransomware CommonalityThe majoroty of the experts says that the Ransomware attack is not as probable asthe Phsishing attack. ”In the other hand, the Ransomware attack is not so probablebecause the Ransomware typically do not attack individuals, they target companiesand other organizations. It is more probable that it happen to companies and organizations where the attacker can cause some monetary impact by locking the data.” NilsDaniels says: ”Ransomware is not so common to target individuals and personal computer, but it is more common on companies and authorities”. ”But the spear Phishingattack tries to discover how the targeted organization is structured and informationabout the employees. These types of attack take more time, but it is very common.”13

2.4.6 Ransomware and Phishing MethodsSotirios Katsikeas says: ”Ransomware either sends an email or a USB-stick or somesort of communication that contains data. After clicking and running the file, thesoftware startup in your co

The offering of services in person to cyberspace is known as digitization. Digitization has had positive effects on efficacy. . Data stores are controlled, managed and exploited in the widely shared space (2). Any attacks in cyberspace would impact individuals both . firm Symantec, the ransomware attack made hundreds of millions dollar from .