Cybercrime and Ransomware: Literature Analysis

Criminal justice and the processes it involves form one of the most multi-layered, controversial, and ever-topical areas of legal procedure. Discussing trends and significant threats in this field remains a challenge, since the classification of cybercrimes is itself still contested. This paper aims to discuss the problem of cybercrime as a major threat to the modern criminal justice system. It then highlights one of the biggest cybercrime trends, ransomware, and delivers a literature review of it. Later sections explore potential solutions to the ransomware problem, as well as the criticism of those solutions.

Cybercrime: A Problem Description and Classification

This section briefly discusses the existing contradictions around the precise definition, or lack thereof, of ‘cybercrime.’ Since the ongoing digital transformation has irreversibly affected the entire microcosm of criminal offenses, this topic remains current and significant. Many specialists have argued over the precise definition of the term, unsuccessfully so far, so this essay instead takes a classification-based approach. This part serves to frame the definitional method taken in this study. After defining the problem and briefly going over the established classifications of cybercrimes, the section concludes with a statement on the focus trend.

At the moment, legal systems worldwide lack a globally accepted definition of the term “cybercrime,” as there is no agreement on what kinds of offenses may be classified as such. The word itself is frequently used to refer to a variety of illegal actions that make use of information and communication technologies (further referred to as ICTs). Terms used interchangeably as synonyms include ‘virtual crime,’ ‘internet crime,’ ‘high-tech crime,’ and ‘computer crime.’ This lack of clarity can be puzzling and unpleasant, especially when it adds to the complexity of the criminal justice system. Because of this uncertainty, some people have taken to labeling any offense that involves a computer or a part of one as a cybercrime. To address this, the European Commission appointees recommend that instead of focusing on the crime itself, one should analyze how ICT transforms it (European Commission, 2019). The council suggests using an elimination test, which requires process participants to imagine that the ICT-based material is not present in the process.

Based on these notions, two popular classifications of cybercrime exist, both dividing it into three groups. The first classification distinguishes conventional, hybrid, and true cybercrime. The first group comprises “behaviors commonly referred to as cybercrimes,” which are “conventional” crimes that involve the use of a computer. The second category is “hybrid cybercrime,” which includes typical crimes for which network technology has opened up totally new worldwide opportunities, such as international fraud. The third, true cybercrime, covers spam, phishing, and other types of social engineering, which are crimes that exist exclusively due to the specifics and opportunities of the Internet space. The alternative classification follows similar lines, conditionally distinguishing between truly cyber-specific criminal offenses and traditional ones in a new, digitally enabled form. The alternative classification can be presented as follows:

  1. common crimes that were moved to and enabled by the digital environment, such as online child pornography, content piracy, or intellectual property theft (plagiarism), and identity fraud
  2. coordinated attacks on databases and computer networks (i.e. hacking)
  3. traditional criminal cases supported by digital evidence, such as kidnapping, blackmail, or drug trafficking

The definition-related arguments tie into one of the most significant and most dangerous trends in the modern cybercrime environment: the prevalence and pervasiveness of cybercrime, which has risen continuously every year over the last two decades. Cybercrime’s prevalence in modern times is generally linked to an enabling environment created by the changing and expanding attack surface brought on by the rise of ICTs and new technologies. According to most of the policy literature, increasing individual and national reliance on digital technologies generates additional opportunities for malicious behavior (European Commission, 2017). Academic studies as far back as the beginning of 2011 indicated that wealthier countries with higher numbers of active Internet users have greater levels of cybercrime. And, above all other forms, ransomware remains the most prevalent example of cybercrime and the one most frequently encountered by law enforcement.

Ransomware, a Literature Review

Ransomware is a kind of malware that encrypts or locks the affected files and demands payment for restoring access to them. The existing ransomware strains are numerous but tend to fall under two main types: crypto-ransomware and locker ransomware. Crypto-ransomware restructures the code in the files, often altering the programming language they were written with. Locker ransomware, as follows from the title, prevents the user from accessing their files (Al-rimy et al., 2018). Whatever the strain, ransomware is a criminal money-making scheme that relies on social engineering tactics, such as tricking users into clicking deceptive links, or on the exploitation of vulnerabilities. In certain strains, the files are also marked for permanent removal. The perpetrators then require ransom payments for the private key required to decrypt the files, usually in untraceable cryptocurrencies like Bitcoin.

Ransomware remains the key malware threat in both law enforcement and industry accounts, despite law enforcement agency (LEA) reports of a decrease in its rate (European Commission, 2019). Cybersecurity vendors describe ransomware as a “cybercriminal business model” and “one of the true threats to the NextGen,” since technologically it has been supported by a number of attack tools and techniques as well as anonymization. These technologies include cryptocurrencies and mesh networks (Tor/I2P) that have “triggered higher use of ransomware” (Kaspersky Lab, 2018). Both law enforcement agencies and businesses find that ransomware continues unabated, becoming the key tool for attacking computer users. Ransomware is created and then distributed, in exchange for a share of the ransom payment, by cybercriminals who spread the malware as ‘affiliates.’ This model is supported by a broad range of affiliate programs (Al-rimy et al., 2018). Furthermore, professional ransomware criminals market their criminal activities as a form of business service, partnering with knowledgeable data engineers who are able to unlock or decrypt the damaged files.

Various factors govern the categorization of ransomware, such as severity, extortion methods, victims, and affected systems. By severity, ransomware falls into two groups: the first tries to lead victims to pay over fake warnings, whereas the second constitutes a real threat. The real threat is further divided into a simple attack and a different-encryption-key attack. In a different approach, researchers have divided ransomware into cryptographic and non-cryptographic systems based on extortion methods, i.e., whether or not user data are encrypted. Yet another division into three types of ransomware, namely scareware, locker ransomware, and cryptography-based ransomware, was proposed in 2016. Locker and cryptographic ransomware use technical mechanisms against victims’ data, while scareware deceives the victim into paying over false threats.

As established above, ransomware as a technological system relies on a set of enablers to deliver its harmful effects to computer users. The existing body of literature dedicates considerable attention to these enablers, as understanding them is crucial for outlining and understanding potential solutions to the issue. Some of the most frequently identified and discussed enabling factors are examined below:

Key-to-Use Cryptography Techniques

Given the many encryption approaches available, such as symmetric-key, asymmetric-key, and unkeyed primitives, crypto-ransomware authors have many alternatives for carrying out their attacks by creating distinct ransomware strains with varying degrees of severity. Many ransomware attacks are successful because they use a single encryption/decryption key, public/private key pairs, or a combination of the two. As a result of these tactics, attackers have been pushed to create ransomware that is both strong and unbreakable.

Untraceable Payment Methods

Due to the existence of anonymous, P2P, and decentralized cybercurrencies such as Bitcoin, ransomware developers are encouraged to perform broad attacks without anxiety and to be paid without being traced by the authorities. In particular, cybercurrency offers a reasonable degree of anonymity, which makes it valuable for attackers. Virtual currency is not the only method adversaries use to ransom victims. In some cases, the victim is called upon to buy products from certain online shops that are difficult to trace or to call premium numbers.

Availability of Ransomware Development Kits

Motivated by large and easily obtained financial benefits, various development kits have been created for ransomware. These off-the-shelf tools allow unqualified individuals to construct their own ransomware versions. Torlocker, TOX, and Hidden Tear are examples of such free and easy-to-use ransomware packages. Ransomware-as-a-Service (RaaS) has recently developed as a cloud-based ransomware development platform that offers criminals a development and distribution environment. The success of RaaS is predicted to boost the rate at which new ransomware families and ransomware attacks are generated.

Potential Solutions

The existing and potential solutions to the ransomware issue can be categorized into prevention techniques, detection techniques, and prediction techniques. These three approaches differ in their priorities and methodologies used, as well as the rates of success in combating ransomware in cybercrime. This section is dedicated to a detailed analysis of each of these solution groups, as well as the potential improvements that can be undertaken by the cybersecurity systems in relation to these groups.

Prevention

One of the ways used to combat the problem of ransomware is attack prevention. Prevention, as the name implies, tries to safeguard potential victims from ransomware attacks by preventing the damage from occurring in the first place. Several research projects have advocated various methods and regulations to safeguard consumers from being targeted by ransomware and blackmailed. These procedures are of two sorts: proactive and reactive.

Several preventive steps, such as restricting and monitoring access to cryptographic tools, have been suggested to reduce the likelihood of ransomware infection. The proposed solutions, however, will not be able to stop advanced ransomware strains that rely on cryptographic primitives incorporated in their own payload (Al-rimy et al., 2018). In order to find effective countermeasures to ransomware attacks, researchers have used non-interactive zero-knowledge (NIZK) proofs, which require the coexistence of private and public keys before encryption can take place.

Furthermore, experts recommended that public keys be obtained from reputable sources such as a public Certificate Authority (CA). As a result, the system is able to block any encryption operations that do not meet these requirements. However, as previously indicated, ransomware can include its own encryption code within its payload rather than relying on the OS’s native cryptography APIs. The criticisms of this approach are discussed in greater detail in a later section, but they generally concern the ease with which advanced ransomware can bypass these preventive measures.

The PayBreak program, which proactively safeguards users from ransomware attacks, is based on the fact that ransomware requires an encryption key in order to carry out its attack against victims’ files. The system keeps track of the symmetric session keys used on the victims’ devices (Kolodenker et al., 2017). These keys are kept in a unit called Valve, and the user can use them to decrypt files if ransomware has encrypted them. PayBreak, however, fails when the ransomware uses advanced packers and obfuscation techniques, because it relies on evaluating the statically and dynamically linked libraries in the malware’s payload, according to the authors.
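As an added example that is not PayBreak’s own code or part of the original paper, the escrow idea described above can be sketched in Python: a hooked key-generation routine copies every session key into a sealed vault, and recovery simply tries the escrowed keys against an encrypted file. The stream cipher, the symmetric seal under a user-held recovery secret (PayBreak seals with the user’s public key), and the sample file are assumptions of this example; the second scenario reproduces the limitation noted above, where ransomware that carries its own cryptographic code never touches the hook.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode, chosen so the example
    # runs on the standard library alone (illustration, not a production cipher).
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag, so a wrong key is detectable."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyVault:
    """Escrow in the spirit of PayBreak: each session key minted through the hooked
    key-generation API is stored sealed under a user-held recovery secret (a
    symmetric seal is the stand-in here for PayBreak's public-key seal)."""

    def __init__(self, recovery_secret: bytes) -> None:
        self._seal_key = hashlib.sha256(b"vault-seal|" + recovery_secret).digest()
        self._sealed_keys = []

    def hooked_generate_key(self) -> bytes:
        # The hook: mint the key, escrow a sealed copy, hand the key back unchanged.
        key = os.urandom(32)
        self._sealed_keys.append(encrypt(self._seal_key, key))
        return key

    def recover(self, blob: bytes):
        # Try every escrowed key; the authentication tag identifies the right one.
        for sealed in self._sealed_keys:
            key = decrypt(self._seal_key, sealed)
            plaintext = decrypt(key, blob) if key is not None else None
            if plaintext is not None:
                return plaintext
        return None


USER_FILE = b"quarterly report: constructed sample content"  # constructed sample


def recovery_when_hooked(vault: KeyVault):
    # Simulated ransomware that obtains its key through the hooked library API.
    key = vault.hooked_generate_key()
    hostage = encrypt(key, USER_FILE)
    del key  # the attacker never discloses it; only the escrowed copy remains
    return vault.recover(hostage)


def recovery_when_statically_linked(vault: KeyVault):
    # The limitation the text describes: ransomware carrying its own crypto code
    # never calls the hooked API, so nothing is escrowed and recovery fails.
    key = os.urandom(32)
    return vault.recover(encrypt(key, USER_FILE))
```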

Detection

While ransomware analysis is concerned with known malware samples, detection is concerned with both harmful and benign software samples and focuses on how to distinguish between them. Currently, there are two methods for detecting ransomware: structural and behavioral. Furthermore, numerous research studies combine both methodologies to attain the highest efficiency feasible (Mbol et al., 2016). The combined approach allows researchers to capitalize on the strengths of each method while compensating for the weak points of the individual approaches.

Structural-based detection relies on digital software and structural signatures developed within a static analysis framework. Because it does not require the malicious application to be executed or emulated, it is safer and more efficient. In 2015, this method was used to detect, within the ransomware payload, the Domain Generation Algorithm (DGA) string used to generate domain names (Al-rimy et al., 2018). Later, the same static technique was used to detect the threatening text within the ransomware payload, i.e., the ransom claim. However, because the ransom claim text may be received from the ransomware’s C&C server, it is not necessarily included within the ransomware’s payload. To identify Android ransomware, a research team used static analysis to extract API packages and constructed R-PackDroid. This methodology is not reliant on prior knowledge about the ransomware’s encryption capabilities. Furthermore, it is a lightweight solution that is compatible with mobile devices.

Because it monitors what malware does rather than what it looks like, the behavioral method is more effective at detecting the true goal of a program and more resistant to evasion. Behavioral detection is based on the idea that programs from the same family with different syntax may exhibit similar behavior that can be captured as behavioral signatures. Rather than representing individual members of a malware family, a behavioral signature may therefore be comparatively generic, which makes behavioral signature detection more resistant to changes than structural signature-based detection (Kolodenker et al., 2017). Furthermore, the dynamic technique aids in the detection of previously undiscovered variants based on the ransomware family’s overall behavioral profile. In behavioral-based detection, the malicious program is run in a controlled environment so that its genuine behavior and its interactions with the underlying system can be observed.

Prediction

Early detection, also known as early prediction, focuses solely on data retrieved during the malware’s early phases of execution. A prevalent flaw of existing detection approaches is their inadequacy in dealing with the irreversible nature of ransomware attacks. That is, these tactics rely on information gathered during the ransomware attack. As a result, the detection occurs after the event, i.e., after the encryption, and thus this form of detection is ineffective against ransomware (Sgandurra et al., 2016). What is truly needed to effectively identify ransomware is early prediction, which allows for timely preventive interventions.

Several research projects have offered early detection and containment strategies so that ransomware can be recognized before it encrypts files or causes significant damage. By focusing on user files, Kharraz et al. (2016) and Scaife et al. (2016) were able to detect modifications to user files and alert the user before more files were attacked. Kharraz et al. (2016) used entropy measurement to create the UNVEIL system, which looks at the entropy differential between input and output buffers. The system is activated when user files are accessed. If the difference is significant, the file has most likely been encrypted.
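As an added example, not code from UNVEIL or from the original paper, the entropy-differential idea can be shown in Python over constructed file-access events: each read buffer is compared with the buffer written back to the same file, and a write is flagged only when its entropy is both high and sharply above what was read. The event list, the thresholds and the pseudo-random filler standing in for ciphertext are assumptions of this example; the delta condition also covers the already-compressed-file edge case (a re-saved photo) that a plain high-entropy check would misflag.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, up to 8.0 for uniform random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def is_suspicious_write(read_buf: bytes, write_buf: bytes,
                        min_len: int = 256, min_delta: float = 2.0, high: float = 7.0) -> bool:
    """UNVEIL-style check on one read->write pair for the same file.

    A write is flagged only when (a) the buffer is large enough for the entropy
    estimate to mean anything, (b) the written data is close to random, and
    (c) it is sharply more random than what was read. Condition (c) keeps
    already-compressed or encrypted inputs (JPEG, ZIP, .gpg) from being flagged,
    since their output entropy is high but barely different from their input.
    """
    if len(write_buf) < min_len:
        return False
    e_out = shannon_entropy(write_buf)
    return e_out >= high and (e_out - shannon_entropy(read_buf)) >= min_delta


def score_process(events, max_hits: int = 3):
    """Walk a process's file-access events (path, read_buf, write_buf) and return
    (flagged_paths, verdict); the verdict turns True once max_hits user files
    have been overwritten with high-entropy data."""
    flagged = [path for path, r, w in events if is_suspicious_write(r, w)]
    return flagged, len(flagged) >= max_hits


def pseudo_random(seed: bytes, length: int) -> bytes:
    # Deterministic high-entropy filler (chained SHA-256) standing in for
    # ciphertext or compressed data, so the sample behaves identically everywhere.
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed sample events: a text document, a spreadsheet and a thesis are
# overwritten with ciphertext; a photo (already high entropy) is re-saved; a
# note is edited in place.
TEXT = b"Meeting notes: review the quarterly budget and the hiring plan.\n" * 20
SAMPLE_EVENTS = [
    ("~/Documents/notes.txt", TEXT, pseudo_random(b"ct-1", len(TEXT))),
    ("~/Documents/budget.csv", TEXT, pseudo_random(b"ct-2", len(TEXT))),
    ("~/Pictures/holiday.jpg", pseudo_random(b"jpg", 4096), pseudo_random(b"jpg-2", 4096)),
    ("~/Documents/todo.txt", TEXT, TEXT.replace(b"hiring", b"travel")),
    ("~/Documents/thesis.docx", TEXT, pseudo_random(b"ct-3", len(TEXT))),
]


def analyze_sample():
    return score_process(SAMPLE_EVENTS)
```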

Criticism and Implications

All of the aforementioned groups have attracted criticism based on their imperfect efficiency, which often results in comparative unpredictability of the measures involved. Ransomware remains a persistent threat in the cybercrime landscape, implying that the currently established solutions are not enough to guarantee public security in this area. Furthermore, many of the outlined measures have the capacity to easily damage the files themselves. This double-edged character of protective software has resulted in an understandable user backlash, with the implication that preventive measures are oftentimes the source of the very harm they are trying to combat. These criticisms should primarily be answered by further research into detection, prediction, and prevention techniques, which is ongoing in the relevant scientific field. As of 2021, researchers have dedicated a significant portion of their attention to the combined approach, hoping it will balance out the individual strengths and weaknesses.

Conclusion

In conclusion, ransomware persists as one of the largest threats to digital security and one of the most topical concerns for the criminal justice system. Since this form of cybercrime affects all sorts of personal data files, the blackmail and fraud involved have the capacity to affect some of the most sensitive information that private individuals possess. As is typical with sensitive subjects in criminal offenses, this factor further complicates investigation and prosecution, simultaneously serving as a source of leverage for the offender. However, it is important to remember that the yearly spike in ransomware crimes began to slow down in 2018. Although this type of offense remains incredibly dangerous and topical, this shift in dynamics speaks in favor of the efficiency of the outlined techniques. As digital technology and software applications continue to evolve, so do the data protection methods. And since data privacy and sensitive personal and corporate information are on the line, further improvements in ransomware-combating tactics will never struggle to obtain the necessary resources.

References

Al-rimy, B. A. S., Maarof, M. A., & Shaid, S. Z. M. (2018). Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions. Computers & Security, 74, 144-166.

European Commission. (2017). Joint Communication to the European Parliament and the Council – Resilience, Deterrence and Defence: Building strong cybersecurity for the EU. Brussels.

European Commission. (2019). E-evidence – cross-border access to electronic evidence: Improving cross-border access to electronic evidence. European Commission Council.

Kaspersky Lab. (2018). Reality vs Delusion: A Guide to the Modern Threat Landscape. Web.

Kharraz, A., Arshad, S., Mulliner, C., Robertson, W., & Kirda, E. (2016). UNVEIL: A large-scale, automated approach to detecting ransomware. In 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER) (pp. 1-1). IEEE Computer Society.

Kolodenker, E., Koch, W., Stringhini, G., & Egele, M. (2017). PayBreak: Defense against cryptographic ransomware. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (pp. 599-611). ACM Digital Library.

Mbol, F., Robert, J.-M., & Sadighian, A. (2016). An efficient approach to detect TorrentLocker ransomware in computer systems. In S. Foresti & G. Persiano (Eds.), Cryptology and Network Security: 15th International Conference, CANS 2016, Milan, Italy, November 14-16, 2016, Proceedings (pp. 532-541). Springer International Publishing.

Scaife, N., Carter, H., Traynor, P., & Butler, K. (2016). CryptoLock (and Drop It): Stopping ransomware attacks on user data. 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS). Web.

Sgandurra, D., Muñoz-González, L., Mohsen, R., & Lupu, E. C. (2016). Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. ArXiv Preprint, Cornell University.

Reference

StudyCorgi. (2023, January 12). Cybercrime and Ransomware: Literature Analysis. https://studycorgi.com/cybercrime-and-ransomware-literature-analysis/