An Empirical Study of Ransomware Vulnerabilities Descriptions

Claudia Lanza
2024-01-01

Abstract

Cyber threat awareness requires building accurate knowledge and analysis of the vulnerabilities used by attackers and of their respective attack toolkits. Ransomware programs are today one of the most significant threats faced by information systems, and their number continues to grow. They are a type of malware that targets an information system by locking its equipment and users' data and demanding a ransom for their release. They have become more and more sophisticated and rely mainly on software vulnerabilities to access and lock the system data. In this paper we carry out an empirical analysis of the Common Vulnerabilities Enumeration (CVE) exploited by known ransomware, using a semantic annotation technique, in order to create the conditions from which to start building a knowledge base of ransomware behaviour processes. The main focus of this paper is the way vulnerabilities are commonly exploited by ransomware, their sharing ratio, and the definition of their common causes and impacts. We have built a database, by scraping multiple publicly available security reports, which associates each known ransomware with the vulnerability it uses, as contained in the CVE. We have applied a semantic annotation methodology which encompasses a semantic analysis of the CVE dataset through a pattern recognition process. The latter has enabled the extraction, for each CVE, of its key features, i.e., the cause, the performed exploit action and effect, as well as its impact. On the resulting collected and extracted knowledge we present a twofold analysis, statistical and semantic, of the CVE descriptions and their extracted features.
2024
978-989-758-683-5
Threat Analysis, Ransomware, Vulnerabilities, Security Knowledge Management.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.11770/363502