Malware-Free Intrusion: A Novel Approach to Ransomware Infection Vectors

Aaron Zimba
Department of Computer Science and Technology
University of Science and Technology Beijing
Beijing 100083, China
azimba@xs.ustb.edu.cn

Abstract— The Internet is so diverse that at any given instant someone is clicking a link, opening a file, downloading an email attachment and so forth. Such seemingly benign actions do not always return the expected outcome, because attackers leverage these actions to spread their malware. Malware today spans a broad spectrum of software with varying characteristics, including Ransomware. Ransomware has come to claim its place in the malware wild due to the philosophy of extortion behind its operations. Ransomware threat actors seek ways to deliver their malware payload that do not generate suspicion through unusual network traffic or system calls, and that require little user input, if any at all. Malware-free intrusions present attack vectors that are highly desirable to Ransomware threat actors in this respect, in that they do not employ extra malicious code which would otherwise be detected by intrusion detection and prevention systems. In this paper we explore the use of malware-free backdoors for Ransomware payload delivery over a network with RDP-based remote access. We further show that leveraging such backdoors does not require user input while providing a high probability of success, thus expanding the available attack surface.

Keywords- Ransomware; Attack Vector; Backdoor; Remote Access;

I. INTRODUCTION

The rise of the Internet has likewise seen the emergence of related cyber-attacks, and the two do not occupy opposite ends of the continuum. The Internet was initially built without security in mind [1], implying that every technology that jumps onto this bandwagon needs to address the associated security concerns in its respective niche; unfortunately, this is not the case.
Due to the vast number of technologies integrated into the Internet today, the variety of attacks is correspondingly wide, mirroring the underlying technologies. Many metrics and parameters are used to classify cyber-attacks, but they can broadly be classified as targeted or non-targeted attacks [2]. Non-targeted attacks usually have no specific target and tend to be the work of novices and script kiddies. Targeted attacks, on the contrary, are the work of highly skilled technical people who may be operating on an individual basis, for organized crime groups, for large corporations or even for governments. This class of attackers employs sophisticated techniques to compromise and victimize their targets, and the use of malicious software in this domain is not uncommon. Attackers use a wide range of malware, including viruses, worms, trojans and rootkits, to achieve their ultimate goal.

One new breed of malware, coined Ransomware [3], employs an altogether new philosophy, that of extortion, as the means to its end. Unlike conventional malware, which usually seeks to replicate, delete files, exfiltrate data or extensively consume system resources, Ransomware imposes some form of denial of service on either the system or system resources such as files until a ransom is paid. One class of Ransomware uses encryption to encrypt victim files and demands a ransom before decryption. This type of malware has targeted critical industries [4], where the victim has had to pay as the only way out because on-demand access to data is vital. Figure 1 below shows the distribution of Ransomware attacks on different sectors of the economy for 2016 [15].

Figure 1. Ransomware Infections by Organization Sector, January 2015 – April 2016 [15]

It is estimated that Ransomware has cost victims millions of dollars [5] while enriching the criminals behind it.
As with all cyber-attacks, attacks via Ransomware span a wide spectrum of attack vectors. These are the ways and means through which Ransomware is spread and delivered to the potential victim. The attacker is therefore tasked with finding optimal ways of infecting victims, and Ransomware is known to use some of the common attack vectors employed by other malware. Some of these attack vectors generate suspicious

International Journal of Computer Science and Information Security (IJCSIS), Vol. 15, No. 2, February 2017 317 https://sites.google.com/site/ijcsis/ ISSN 1947-5500