Ijraset Journal For Research in Applied Science and Engineering Technology
Authors: Atharva Abhijit Kelkar, Palavi Manohar Adhav, Yogesh Madhukar Upare, Pratiksha Sawant
DOI Link: https://doi.org/10.22214/ijraset.2025.67557
Ransomware and mobile malware have rapidly evolved into critical cybersecurity challenges, leveraging encryption, obfuscation, and self-updating techniques to evade detection [1]. Detection methods, such as static and dynamic analysis [2] and machine-learning-based anomaly detection [3], show promise in mitigating threats. Proactive approaches, including behavior-based detection and hybrid cryptography like PayBreak [4], are essential for early threat identification and recovery. AI-driven defenses and situational awareness models [5] can improve detection rates, while socio-technical solutions and NIST recommendations offer enhanced recovery strategies [6]. Future research should focus on automated detection systems and mitigating zero-day threats.
1. Cybersecurity Overview
Cybersecurity refers to protecting digital systems—such as computers, networks, and mobile devices—from cyberattacks. As cyber threats grow more sophisticated, cybersecurity is essential, particularly in high-risk sectors like healthcare, finance, and government. Tools include firewalls, encryption, antivirus software, and intrusion detection systems.
2. What is Ransomware?
Ransomware is a type of malware that encrypts files or locks systems, demanding payment (often in cryptocurrency) to restore access. It commonly spreads through phishing emails, compromised websites, or weak remote access systems.
3. Types of Ransomware
Crypto Ransomware: Encrypts files and demands payment for the decryption key.
Locker Ransomware: Locks users out of their systems without encrypting files.
Ransomware-as-a-Service (RaaS): Commercialized ransomware offered to attackers with minimal technical skill.
4. Notable Examples
WannaCry: A global ransomware attack that affected hospitals and government agencies.
Petya: Locks users out during the boot process.
CryptoLocker: Targeted individuals and small businesses through file encryption.
5. Spread Mechanisms
Phishing Emails
Malicious Websites/Ads
Remote Desktop Protocol (RDP) Exploits
6. Challenges in Combatting Ransomware
Early detection is difficult due to stealth tactics like code obfuscation.
Traditional antivirus tools struggle with modern ransomware.
New variants can bypass signature-based detection.
Many small businesses lack the resources to defend effectively.
7. Applications of Ransomware Research
Improved Detection Tools: Use of AI and behavior-based monitoring.
User Education: Training to avoid phishing/social engineering.
Policy Development: Government and industry security frameworks.
Mobile Security: Enhanced app sandboxing and permissions.
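Sections 6 and 7 contrast signature-based detection with behavior-based monitoring. The following is an added example, not code from the paper: it shows an exact-hash signature missing a one-byte variant while an entropy-based file-write rule still flags the encrypting process. All names, thresholds, PIDs, paths and sample data are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted file content (hash in counter mode)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(size // 32))

def signature_match(binary: bytes, blocklist: set) -> bool:
    """Signature-based check: exact SHA-256 lookup of the binary."""
    return hashlib.sha256(binary).hexdigest() in blocklist

def flag_processes(events, entropy_min=7.5, files_min=3, window=10.0):
    """Behavior-based check: flag PIDs that write high-entropy data to at
    least files_min distinct files within a sliding window (seconds)."""
    hits = defaultdict(list)  # pid -> [(timestamp, path)] of high-entropy writes
    flagged = set()
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < entropy_min:
            continue
        hits[pid] = [(t, p) for t, p in hits[pid] if ts - t <= window]
        hits[pid].append((ts, path))
        if len({p for _, p in hits[pid]}) >= files_min:
            flagged.add(pid)
    return flagged

# Constructed sample data (not real malware, not real telemetry).
KNOWN_SAMPLE = b"constructed-sample-binary-v1"
VARIANT = b"constructed-sample-binary-v2"  # differs in one byte
BLOCKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
TEXT = b"quarterly report draft, revision 3\n" * 120
EVENTS = (
    [(1.0 + i, 4242, f"/home/u/doc{i}.docx", pseudo_ciphertext(f"f{i}"))
     for i in range(4)]                                  # mass rewrite
    + [(2.0 + i, 1001, f"/home/u/note{i}.txt", TEXT) for i in range(3)]
    + [(5.0, 2002, "/home/u/backup.zip", pseudo_ciphertext("zip"))]
)

if __name__ == "__main__":
    print("variant matches signature:", signature_match(VARIANT, BLOCKLIST))
    print("flagged PIDs:", flag_processes(EVENTS))
```

PID 2002 writes a single high-entropy archive and is not flagged, which is the kind of benign activity that produces false positives when the distinct-file threshold is set too low.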
Combined multiple research studies to propose a layered defense model.
Used machine learning, behavior-based anomaly detection, static/dynamic analysis, and memory forensics.
Honeypot environments, virtual machine quarantine, and live-forensic hypervisors were tested.
Simulated phishing scenarios to evaluate user awareness and response.
Used public/private malware datasets to test and refine detection models.
Difficulty detecting zero-day ransomware and encrypted payloads.
Obfuscation and Windows API misuse hinder detection.
Aging infrastructure and low cybersecurity budgets in small organizations.
IoT and mobile devices lack proper defenses.
False positives in detection tools remain problematic.
Global legal enforcement of cybercrime is weak.
Detailed classification of ransomware types and evasion tactics.
Case studies like WannaCry and Petya illustrate real-world impact.
Highlights advanced techniques (e.g., AI, memory forensics).
Suggests future research directions (e.g., automated response systems).
Limited exploration of mobile and IoT ransomware.
General recommendations not always tailored to industry-specific needs.
Some references are outdated.
Lack of technical depth in certain areas (e.g., ML model architecture).
Insufficient coverage of international laws and collaboration frameworks.
Ransomware and mobile malware are still constantly evolving, proving to be formidable challenges to cybersecurity. Although advancements in behavior-based detection, pre-encryption algorithms, and memory forensics have enhanced the detection rate, zero-day ransomware is still hard to tackle [14], [29]. AI-powered models and response automation systems bring promise for enhanced mitigation and threat detection in the future [3], [18]. The proactive measures of tools such as PayBreak reflect encouraging defense measures for file recovery after an attack [4]. Further, extending the application of honeypot technologies can assist in misleading attackers and safeguarding important assets [20]. In order to boost cybersecurity defenses, combining sophisticated detection mechanisms with socio-technical solutions is crucial in mitigating the effects of ransomware [12]. User training and awareness are vital in building resilience against ransomware attacks [5]. User training on phishing, social engineering techniques, and safe behavior can minimize vulnerabilities. Additionally, the necessity for international cooperation and regulation has become more urgent than ever to counter the globalized nature of ransomware attacks [10], [11]. There needs to be more cooperation among private organizations and government organizations for building strong countermeasures [8]. The regulatory guidelines need to address enhancing cross-border cooperation and streamlining responses to ransomware attacks [30]. Subsequent research should focus on augmenting AI-based anomaly detection, incident response systems, and lowering false positive rates for ransomware detection [2], [21]. Organizations can better shield themselves against the continually evolving world of ransomware attacks by using a multi-layered method that encompasses technical and non-technical safeguards [22], [25], [31].
Through ongoing improvement, user training, and international coordination, cybersecurity practitioners can build better defenses against the ongoing threat of ransomware.
[1] Zheng, N. Dellarocca, N. Andronio, S. Zanero, and F. Maggi, “GreatEatlon: Fast, Static Detection of Mobile Ransomware.”
[2] S. Sen, E. Aydogan, and A. I. Aysan, “Coevolution of Mobile Malware and Anti-Malware.”
[3] A. Shabtai, L. Tenenboim-Chekina, D. Mimran, L. Rokach, B. Shapira, and Y. Elovici, “Mobile malware detection through analysis of deviations in application network behavior,” Comput Secur, vol. 43, pp. 1–18, 2014, doi: 10.1016/j.cose.2014.02.009.
[4] E. Kolodenker, W. Koch, G. Stringhini, and M. Egele, “PayBreak: Defense against cryptographic ransomware,” in ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, Association for Computing Machinery, Inc, Apr. 2017, pp. 599–611. doi: 10.1145/3052973.3053035.
[5] J. A. H. Silva, L. I. B. López, Á. L. V. Caraguay, and M. Hernández-álvarez, “A survey on situational awareness of ransomware attacks-detection and prevention parameters,” Remote Sens (Basel), vol. 11, no. 10, May 2019, doi: 10.3390/rs11101168.
[6] D. F. Sittig and H. Singh, “A socio-technical approach to preventing, Mitigating, and recovering from Ransomware attacks,” Appl Clin Inform, vol. 7, no. 2, pp. 624–632, Jun. 2016, doi: 10.4338/ACI-2016-04-SOA-0064.
[7] A. Qamar, A. Karim, and V. Chang, “MOBILE MALWARE ATTACKS: REVIEW, TAXONOMY & FUTURE DIRECTIONS.”
[8] N. Sharma and R. Shanker, “Analysis of Ransomware Attack and Their Countermeasures: A Review,” in Proceedings of the International Conference on Electronics and Renewable Systems, ICEARS 2022, Institute of Electrical and Electronics Engineers Inc., 2022, pp. 1877–1883. doi: 10.1109/ICEARS53579.2022.9751949.
[9] A. K. Muslim, D. Z. Mohd Dzulkifli, M. H. Nadhim, and R. H. Abdellah, “A Study of Ransomware Attacks: Evolution and Prevention,” Journal of Social Transformation and Regional Development, vol. 1, no. 1, Jun. 2019, doi: 10.30880/jstard.2019.01.01.003.
[10] H. Alshaikh, N. Ramadan, and H. A. Hefny, “Ransomware Prevention and Mitigation Techniques General Terms,” 2020.
[11] A. Alqahtani and F. T. Sheldon, “A Survey of Crypto Ransomware Attack Detection Methodologies: An Evolving Outlook,” Mar. 01, 2022, MDPI. doi: 10.3390/s22051837.
[12] M. Ashawa and S. Morris, “Analysis of Mobile Malware: A Systematic Review of Evolution and Infection Strategies,” Journal of Information Security and Cybercrimes Research, vol. 4, no. 2, pp. 103–131, Dec. 2021, doi: 10.26735/krvi8434.
[13] A. L. Y. Ren, C. T. Liang, I. J. Hyug, S. N. Brohi, and N. Z. Jhanjhi, “A three-level ransomware detection and prevention mechanism,” EAI Endorsed Transactions on Energy Web, vol. 7, no. 26, 2020, doi: 10.4108/eai.13-7-2018.162691.
[14] S. H. Kok, A. Abdullah, N. Z. Jhanjhi, and M. Supramaniam, “Prevention of crypto-ransomware using a pre-encryption detection algorithm,” Computers, vol. 8, no. 4, Dec. 2019, doi: 10.3390/computers8040079.
[15] V. Kouliaridis, K. Barmpatsalou, G. Kambourakis, and S. Chen, “A survey on mobile malware detection techniques,” IEICE Trans Inf Syst, vol. E103D, no. 2, pp. 204–211, 2020, doi: 10.1587/transinf.2019INI0003.
[16] F. A. Narudin, A. Feizollah, N. B. Anuar, and A. Gani, “Evaluation of machine learning classifiers for mobile malware detection,” Soft comput, vol. 20, no. 1, pp. 343–357, Jan. 2016, doi: 10.1007/s00500-014-1511-6.
[17] N. Shah and M. Farik, “Ransomware-Threats, Vulnerabilities And Recommendations,” INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH, vol. 6, no. 06, 2017, [Online]. Available: www.ijstr.org
[18] W. Z. A. Zakaria, M. F. Abdollah, O. Abdollah, and S. M. W. M. S.M.M, “Ransomware Behavior on Windows Endpoint: An Analysis,” Journal of Social Science and Humanities, vol. 6, no. 5, pp. 25–31, Oct. 2023, doi: 10.26666/rmp.jssh.2023.5.4.
[19] D. Paul Joseph and J. Norman, “A Review and Analysis of Ransomware Using Memory Forensics and Its Tools,” in Smart Innovation, Systems and Technologies, Springer, 2020, pp. 505–514. doi: 10.1007/978-981-13-9282-5_48.
[20] R. Moussaileb, R. Navas, and N. Cuppens, “Watch Out! Doxware on The Way,” 2020. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2214212620308206
[21] M. Hirano and R. Kobayashi, “Machine Learning-based Ransomware Detection Using Low-level Memory Access Patterns Obtained From Live-forensic Hypervisor,” May 2022, doi: 10.1109/CSR54599.2022.9850340.
[22] F. Teichmann, “Ransomware attacks in the context of generative artificial intelligence—an experimental study,” International Cybersecurity Law Review, vol. 4, no. 4, pp. 399–414, Dec. 2023, doi: 10.1365/s43439-023-00094-x.
[23] T. Yan Lin and M. Fadli, “Study on Prevention and Solution of Ransomware Attack.”
[24] John Oluwafemi Ogun, “Advancements in automated malware analysis: evaluating the efficacy of open-source tools in detecting and mitigating emerging malware threats to US businesses,” International Journal of Science and Research Archive, vol. 12, no. 2, pp. 1958–1964, Aug. 2024, doi: 10.30574/ijsra.2024.12.2.1488.
[25] L. Y. Connolly and D. S. Wall, “The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures,” Comput Secur, vol. 87, Nov. 2019, doi: 10.1016/j.cose.2019.101568.
[26] X. Luo and Q. Liao, “Awareness education as the key to ransomware prevention,” Information Systems Security, vol. 16, no. 4, pp. 195–202, 2007, doi: 10.1080/10658980701576412.
[27] V. Ramteke and N. Gupta, “A study on Defacing Ransomware: Are we aware and ready?,” 2021. [Online]. Available: https://www.researchgate.net/publication/353878947
[28] D. Hinderaker, M. Olsvik, D. Sarjomaa, S. Skylstad, and L. E. Pedersen, “Exploring Destructive Malware: A Practical Approach to Wiper Malware Developing wiper malware to identify weaknesses and improve security in Windows systems Bachelor’s thesis in Digital Infrastructure and Cybersecurity Supervisor: Eigil Obrestad and,” 2024.
[29] A. Arabo, R. Dijoux, T. Poulain, and G. Chevalier, “Detecting ransomware using process behavior analysis,” in Procedia Computer Science, Elsevier B.V., 2020, pp. 289–296. doi: 10.1016/j.procs.2020.02.249.
[30] J. A. Gómez Hernández, P. García Teodoro, R. Magán Carrión, and R. Rodríguez Gómez, “Crypto-Ransomware: A Revision of the State of the Art, Advances and Challenges,” Nov. 01, 2023, Multidisciplinary Digital Publishing Institute (MDPI). doi: 10.3390/electronics12214494.
[31] U. Tariq, I. Ullah, M. Yousuf Uddin, and S. J. Kwon, “An Effective Self-Configurable Ransomware Prevention Technique for IoMT,” Sensors, vol. 22, no. 21, Nov. 2022, doi: 10.3390/s22218516.
[32] M. Alam, S. Sinha, S. Bhattacharya, S. Dutta, D. Mukhopadhyay, and A. Chattopadhyay, “RAPPER: Ransomware Prevention via Performance Counters,” Apr. 2020, [Online]. Available: http://arxiv.org/abs/2004.01712
[33] S. Haque, Z. Eberhart, A. Bansal, and C. McMillan, “Semantic Similarity Metrics for Evaluating Source Code Summarization,” in IEEE International Conference on Program Comprehension, IEEE Computer Society, 2022, pp. 36–47. doi: 10.1145/nnnnnnn.nnnnnnn.
[34] H. Hangaard, H. M. Rånes, M. Staveland, and L. E. Pedersen, “Recovery Solutions for Ransomware and Wiper Attacks in Large, Heterogeneous IT Infrastructures Bachelor’s thesis in Digital Infrastructure and Cyber Security Supervisor: Eigil Obrestad Co-supervisor,” 2024.
[35] M. Conti, A. Gangwal, and S. Ruj, “On the Economic Significance of Ransomware Campaigns: A Bitcoin Transactions Perspective,” Apr. 2018, doi: 10.1016/j.cose.2018.08.008.
[36] Kumari, M. Z. A. Bhuiyan, J. Namdeo, S. Kanaujia, R. Amin, and S. Vollala, “Ransomware Attack Protection: A Cryptographic Approach,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer Verlag, 2019, pp. 15–25. doi: 10.1007/978-3-030-24907-6_2.
[37] C. Seifert, J. W. Stokes, C. Colcernian, J. C. Platt, and L. Lu, “ROBUST SCAREWARE IMAGE DETECTION.”
[38] A. Tandon and A. Nayyar, “A Comprehensive Survey on Ransomware Attack: A Growing Havoc Cyberthreat,” in Advances in Intelligent Systems and Computing, vol. 839, Springer Verlag, 2019, pp. 403–420. doi: 10.1007/978-981-13-1274-8_31.
[39] M. Anghel and A. Racautanu, “A note on different types of ransomware attacks.”
[40] P. O’Kane, S. Sezer, and D. Carlin, “Evolution of ransomware,” IET Networks, vol. 7, no. 5, pp. 321–327, Sep. 2018, doi: 10.1049/iet-net.2017.0207.
Copyright © 2025 Atharva Abhijit Kelkar, Palavi Manohar Adhav, Yogesh Madhukar Upare, Pratiksha Sawant. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Paper Id : IJRASET67557
Publish Date : 2025-03-17
ISSN : 2321-9653
Publisher Name : IJRASET