*3.1. Ransomware Analysis*

To recover from a ransomware attack and mitigate its impacts, we should understand how Ransomware is staged and, in the process, analyze what takes place. One way to do this is to examine the structure and behavior of Ransomware by reverse engineering multiple samples. The authors of [26] used reverse engineering to study ransomware samples in terms of code quality, functionality, and cryptographic primitives, if any. They concluded that the code is relatively basic for the most part, with high-level languages used in most instances. Both symmetric and asymmetric cryptography were employed. The analyzed samples were mainly aimed at the general public, with no specific targets. While reverse engineering provides an in-depth look at the structure of Ransomware, reverse engineering every ransomware sample in order to find a way to prevent attacks is not considered cost-effective, given the complications and overheads involved.

The work in [27] performed a long-term analysis of ransomware attacks and reports the results of examining over 1300 samples collected between 2006 and 2014, belonging to 15 separate Ransomware families. They show that monitoring activity in the file system would help with Ransomware detection. They concluded that Ransomware families share very similar features in their core part, though their implementations differ. The author of [28] conducted their study on malware samples, and it applies readily to Ransomware. They proposed TTAnalyze, which analyzes the behavior of malware delivered as a Windows executable by running the process on a virtual processor in an isolated environment. Other researchers studied the behavior of ransomware families on the network rather than on the local machine. The authors of [29], in particular, analyzed the network behavior of the CryptoWall Ransomware family. Here, they used honeypot technology, based on dynamic analysis concepts and an automated run-time malware analysis system. They concluded that they could identify infected machines in a dedicated environment and understand the network behavior of ransomware samples. Malicious parties commonly pair Ransomware with a particular type of server, the Command and Control (C&C) server. These are used to control Ransomware automatically and to instruct it anonymously on what to do to infect other machines on the network. An approach is presented in [30] to detect communication between infected hosts and Command and Control servers by finding communication aggregates from multiple internal hosts that share common characteristics. The authors concluded that three aggregation functions, based on the hosts' destination, payload, and platform, could detect such communication.
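The file-system monitoring idea attributed to [27] above is easier to see in code. The following is an added example, not code from [27] or any of the surveyed papers: a minimal detector that reads file-system event records and flags a process that, within a short window, rewrites many files spread across several directories and gives them a new extension. The record layout (`ts|pid|op|old_path|new_path`), the sample events, and the thresholds are all constructed for illustration; the benign backup job is included to show why a single-directory bulk write should not trip the heuristic on its own.

```python
"""Added example: a window-based file-system activity heuristic in the spirit
of the file-system monitoring reported in [27]. Event format, sample data and
thresholds are constructed for this illustration; nothing here is taken from
a real sample or from the surveyed papers."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
import ntpath


@dataclass
class Event:
    ts: float                 # seconds since monitoring started (constructed)
    pid: int                  # process that performed the operation
    op: str                   # "write" or "rename"
    old_path: Optional[str]   # path before a rename, None for writes
    new_path: str             # path after the operation


def parse_event(line: str) -> Event:
    """Parse one constructed 'ts|pid|op|old_path|new_path' record."""
    ts, pid, op, old, new = line.strip().split("|")
    return Event(float(ts), int(pid), op, old or None, new)


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def flag_processes(lines: Iterable[str], window: float = 10.0,
                   min_files: int = 8, min_dirs: int = 3) -> Dict[int, dict]:
    """Return {pid: stats} for processes whose activity inside any `window`
    seconds touches >= min_files distinct files in >= min_dirs directories
    and changes the extension on at least min_files of them."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_pid[ev.pid].append(ev)

    flagged: Dict[int, dict] = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            files, dirs, ext_changes = set(), set(), 0
            for ev in evs[i:]:
                if ev.ts - start.ts > window:
                    break
                files.add(ev.new_path.lower())
                dirs.add(ntpath.dirname(ev.new_path).lower())
                if (ev.op == "rename" and ev.old_path
                        and _ext(ev.old_path) != _ext(ev.new_path)):
                    ext_changes += 1
            if (len(files) >= min_files and len(dirs) >= min_dirs
                    and ext_changes >= min_files):
                flagged[pid] = {"files": len(files), "dirs": len(dirs),
                                "ext_changes": ext_changes}
                break
    return flagged


# Constructed sample events: a text editor, a backup job, and a burst of
# renames to a new extension across several user folders.
_FOLDERS = ["Documents", "Pictures", "Desktop", "Music"] * 3
SAMPLE_EVENTS = [
    "100.0|1001|write||C:\\Users\\a\\Documents\\notes.txt",
    "104.5|1001|write||C:\\Users\\a\\Documents\\notes.txt",
] + [
    f"200.{i}|2002|write||C:\\Backup\\daily\\file{i}.docx" for i in range(10)
] + [
    f"300.{i}|4242|rename|C:\\Users\\a\\{_FOLDERS[i]}\\doc{i}.docx"
    f"|C:\\Users\\a\\{_FOLDERS[i]}\\doc{i}.docx.locked"
    for i in range(10)
]


if __name__ == "__main__":
    print(flag_processes(SAMPLE_EVENTS))
```

Running the block reports only pid 4242: the backup job writes ten files but stays in one directory and keeps the original extensions, and the editor touches a single file. In a real deployment the thresholds would be tuned against the organisation's own baseline of file activity.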

Another research effort, in [31], studied how Command and Control servers operate. Instead of detecting communication to these servers, the authors proposed a way to construct automata that reveal the hidden specification of closed-type protocols. Their solution does not require any information upfront, such as source code or implementation specifications, and was shown to successfully derive automata from FTP traces. The same principle could be applied to C&C servers, which are closed-type protocol automata that send replies to ransomware requests. The work in [32] presents an analysis of 14 strains of ransomware families that infect Windows platforms. This study compares a baseline of normal operating-system behavior against the Windows Application Programming Interface (API) calls made by Ransomware processes. It reports notable features of Ransomware, indicated by the frequency of API calls rather than by code signatures within the ransomware code, to give a better understanding of what a particular Ransomware does to the system in terms of API calls. The work in [33] applies data-mining techniques to link components of multi-level code, obtained through static or dynamic reverse engineering, and find unique association rules for classifying ransomware families. The authors carried out this study on 450 ransomware samples and identified strong connections between the different code components that emerged from the experiments.
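The frequency-of-API-calls comparison attributed to [32] can be illustrated with a small profiler. This is an added example and not code from [32]: it builds a baseline profile from constructed benign call traces, then reports which calls in a new trace occur far more often than the baseline would predict, without any code signature. The call names follow Win32 naming for readability, but the traces are constructed and do not come from real samples; the smoothing floor and ratio threshold are assumptions.

```python
"""Added example: API-call frequency profiling in the spirit of [32].
All traces below are constructed; the Win32-style call names are used only
so the output reads naturally. Floor and ratio values are assumptions."""

from collections import Counter
from typing import Dict, List


def call_frequencies(trace: List[str]) -> Dict[str, float]:
    """Relative frequency of each API call name in one process trace."""
    counts = Counter(trace)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def build_baseline(traces: List[List[str]]) -> Dict[str, float]:
    """Average the per-trace relative frequencies over benign traces."""
    agg: Counter = Counter()
    for trace in traces:
        for name, f in call_frequencies(trace).items():
            agg[name] += f
    return {name: v / len(traces) for name, v in agg.items()}


def notable_calls(trace: List[str], baseline: Dict[str, float],
                  floor: float = 1e-3, min_ratio: float = 5.0) -> Dict[str, float]:
    """Calls whose frequency in `trace` exceeds the baseline by >= min_ratio.
    Calls never seen in the baseline are compared against `floor` so that
    an entirely new call family (e.g. the crypto API) stands out strongly."""
    notable = {}
    for name, f in call_frequencies(trace).items():
        ratio = f / baseline.get(name, floor)
        if ratio >= min_ratio:
            notable[name] = round(ratio, 1)
    return dict(sorted(notable.items(), key=lambda kv: -kv[1]))


# Constructed benign traces: a document editor and a small config reader.
BENIGN_TRACES = [
    ["CreateFileW", "ReadFile", "ReadFile", "CloseHandle", "RegOpenKeyExW",
     "RegQueryValueExW", "RegCloseKey", "WriteFile", "CloseHandle",
     "GetSystemTimeAsFileTime"],
    ["CreateFileW", "ReadFile", "CloseHandle", "CreateFileW", "WriteFile",
     "CloseHandle", "GetSystemTimeAsFileTime", "RegOpenKeyExW",
     "RegCloseKey", "ReadFile"],
]

# Constructed trace of a process that enumerates files, generates a key,
# and rewrites five files through the crypto API before deleting originals.
SAMPLE_TRACE = (
    ["FindFirstFileW"] + ["FindNextFileW"] * 4
    + ["CryptAcquireContextW", "CryptGenKey"]
    + ["CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile",
       "MoveFileExW", "CloseHandle"] * 5
    + ["DeleteFileW"] * 2
)


def profile_sample() -> Dict[str, float]:
    """Score the constructed sample trace against the benign baseline."""
    return notable_calls(SAMPLE_TRACE, build_baseline(BENIGN_TRACES))


if __name__ == "__main__":
    for name, ratio in profile_sample().items():
        print(f"{name:24s} {ratio:8.1f}x baseline")
```

The output ranks `CryptEncrypt` and `MoveFileExW` highest, followed by `FindNextFileW` and `DeleteFileW`, while the ordinary file I/O calls shared with the editor (`ReadFile`, `WriteFile`, `CloseHandle`) stay below the threshold. Scoring one of the benign traces against the same baseline yields nothing notable, which is the property a baseline comparison needs before it is useful as a detection feature.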

In [34], the authors examined ransomware attacks in a healthcare setting, the duties involved, and the costs of such infections as they affect the healthcare business in general. They also discussed mitigation of risk impacts, suggesting that healthcare facilities should have a disaster plan with appropriate data backups and recovery plans, and should raise employee awareness.
