Professional Documents
Culture Documents
SADFE18 Paper 10
SADFE18 Paper 10
SADFE18 Paper 10
Abstract—Forensic analysis of executables or binary files Security Threat Report [2], the crypto-ransomware has now
is the common practice of detecting malware characteristics. dominated the ransomware family. Therefore in this work,
Reverse engineering is performed on executables at different we mainly focused on static analysis assisted with reverse
levels such as raw binaries, assembly codes, libraries, and engineering of crypto-ransomware families. Examples
function calls to better analysis and interpret the purpose of of typical crypto-ransomware includes CryptoWall [11],
code segments.
In this work, we apply data-mining techniques to correlate
CryptoLocker [16], and Locky [10], and typical locker
multi-level code components (derived from reverse engineering ransomware includes Winlocker [21]. In comparison, the
process) for finding unique signatures to identify ransomware crypto-ransomware is much more harmful than the locker
families. Such a reverse process and analysis of code structure ransomware, since locker ransomware only locks the victim
may not provide dynamic behavior of executables so we used system, and the victim can still have access to his/her data
combined approach to better unveil hidden intent of the pro- by removing the storage from the infected system to an
gram. Reported results show some correlation among different uninfected machine. Crypto-ransomware uses cryptographic
code components from our analysis. encryption algorithms to encrypt the victim’s data and the
key may be stored in a remote C&C server, rendering it
I. I NTRODUCTION difficult to recover the data without paying the ransom money.
Ransomware attack uses many tricks of Social
Engineering (to get into the system), Virus properties Most of the work on ransomware focus on dynamic
(propagation, triggering and execution), cryptographic analysis using sandbox, a technique for running untrusted
techniques (to lock system), use remote command and control program in safe environment without causing real harm to
channel and crypto-currencies. In addition, ransomware attack the system. Dynamic analysis have several drawbacks such
exploits system weakness such as SMB vulenerabilites (MS- as ransomware may detect the sandbox envirnoment and
17-010) to get into the system.Ransomware generally may not execute in sandboxing environment. In addition,
encrypts the data in victims computer and ask for ransom to we are unaware about the arguments required for some
get the decryption key. Cyber criminals are using ransomware command line malware unless we did a thorough analysis.
attacks frequently because it is very easy to make quick We claim that unless static analysis and reverse engineering
money. Moreover, the monetary transactions performed through understanding of ransomware is not possible.
remained intractable due to the use of crypto-currencies Figure 1 depicts the components of crypto-ransomware.
like bitcoin. Each year new ransomware are released with These components are specific to the ransomware execution
advanced exploit techniques and attack vectors. Recently in sequences. In Section VI We described our methodology
May 2017, a widespread ransomware campaign was launched to discover assembly instructions, libraries, and function
affecting as many as 150 countries including the United calls present in the code using objdump and pe-parser. In
state, United Kingdom, Spain, Russia, France and Japan. addition to these components, there is one very first step is
This latest version of ransomware is named as WannaCry, propagation strategy which is the avenue used to get into
WCry or WannaDecryptor and requested a ransom amount the victim machine. There are different methods being used
of 0.1781 bitcoins roughly $300 US dollars [1]. The another to propagate as shown in Table I shown in next page.
variant of ransomware is named as SamSam and impacted Table I depicts different Ransomware families based
multiple industries including Healthcare, Government and on following attributes: Propagation Strategy, Date Ap-
requested total of roughly $325K US dollars ransom [4]. peared, Cryptographic Techniques, and Command and Con-
Similar to malware, ransomware utilizes all types of means trol Server. These attributes are very crucial and useful to
(e.g., spam emails, mal-advertisements, social engineering) in-place multi-layer defense strategies against Ransomware
to propagate to a victim computing system. Then, it will attacks.
either lock the victim system (i.e., locker ransomware) or
encrypt the data (i.e., crypto-ransomware) in the victim II. R ELATED W ORK
systems. Finally, it will require the victim to pay the ransom
money in order to unlock the system or obtain the key Several works have been done in Malware Structural
for decrypting the data. According to the recent Internet Analysis using Reversing Engineering and Static Analysis.
TABLE I: The list of the ransomware families. different families, propagation strategies, date appeared, cryptographic
techniques used to encrypt date, and command and control (C and C) methods.
FAMILIES Propagation Strategy Date Appeared Cryptographic Techniques C and C Server
R EVETON Accused of illegal activities 2012 RSA and DES Using MoneyPak
G P C ODE Email Attachments 2013 660-bit RSA and AES Tor Network
C RYPTO L OCKER compromised websites and email attachments 2013 2048-bit RSA Tor Network
C RYPTOWALL compromised websites and email attachments 2013 2048-bit RSA Tor Network
F ILE C RYPTO compromised websites and email attachments 2013 2048-bit RSA Tor Network
T ELSAC RYPT compromised websites and email attachments 2013 2048-bit RSA Tor Network
CTB-L OCKER Email Attachments 2014 Elliptic Curve Cryptography Onion Network
C RYPTO M IX Spear-Phising Email 2014 2048-RSA and AES-256 and ROT-13 P-2-P Network
C ERBER compromised websites and email attachments 2013 2048-bit RSA and RC4 Hardcoded IP range
P ETYA Link in an Email purporting to be a job application 2016 Elliptic Curve Cryptography and Salsa Tor Network
S ATANA Email Attachments 2016 256-bit AES in ECB Hardcoded IP Address
J IG S AW Word Document with Javascript 2016 RSA and AES Onion Network
S HADE Spam Email 2015 RSA-3072 and AES-256 Fixed Server as C and C server
WANNAC RY Samba Vulnerability 2017 RSA and AES combination Onion Network
VI. R ESULT AND A NALYSIS Our dataset contains PE files which are the binary file
format used in windows operating system. These PE files
Table I shows different ransomware families based contain different sections as mentioned in Section IV. Our
on following attributes: Propagation Strategy, Date Ap- focus is in the code section of the PE file. We extracted corre-
peared, Cryptographic Techniques, and Command and Con- sponding assembly code from the code sections and calculated
trol Server. These attributes are very crucial and useful to the frequency distribution of instructions. We have leverage
in-place multi-layer defense strategies against ransomware build-in program in Linux: objdump. There are different types
attacks. The propagation strategy is very initial phase of of assembly languages: Intel, ARM, and MIPS. We are using
Intel format for cosine-similarity analysis. Figure 5 shows the etc. The operating system loader is responsible to execute the
similarity measure between ransomware families. The x-axis ransomware binaries and maps the address of DLLs used in
shows the vector elements which are assembly instructions the ransomware binary to memory.
and y-axis shows the cosine value.