The Technical Landscape of Ransomware: Threat Models and Defense Models

Ransomware has become a global problem, striking almost every sector that uses computers, from industry to academia to government. These attacks affect the smallest businesses, the largest corporations, research labs, and have even shut down IT operations at entire universities. While there have been many studies of the threats and risks associated with ransomware, in this document we take a more detailed technical approach. We start with a discussion of the basic attack goals of ransomware and distinguish ransomware from purely malicious vandalism. We present a canonical model of a computing system, representing the key components of the system such as user processes, the file system, and the firmware. We also include representative external components such as database servers, storage servers, and backup systems. This system model then forms the basis of
our discussion on specific attacks.

We then use the system model to methodically discuss ways in which ransomware can attack each component of the system that we identified. For each attack scenario, we describe how the system might be subverted, the ransom act, the impact on operations, difficulty of accomplishing the attack, the cost to recover, the ease of detection of the attack, and frequency in which the attack is found in the wild (if at all). We also describe strategies that could be used to detect these attacks and recover from them.

Our goal is to present the broad landscape of how ransomware can affect a computer system and suggest how the system designer and operator might prepare to recover from such an attack.

Note that in this document, we are focused on detection, recovery, and resilience. As such, we are explicitly not discussing how the ransomware might enter a computer system, nor are we discussing system vulnerabilities as there are extensive bodies of work on these topics. The topic of vulnerabilities that allow the attacker to enter the system is outside the scope of the document. The assumption is that the attacker did enter the system and rendered it inoperative to some extent using an attack based on human engineering, an unpatched known vulnerability, or even a zero-day vulnerability.

Based on our study, we present our major takeaway observations and best practices that can help make a system more resilient to attack and easier to recover after an attack.