
Master thesis

Master's Programme (60 credits) in Network Forensics

Investigation of Ransomware in Digital Forensic Tools

Thesis in Network Forensics, 15 Credits

Halmstad 2023-01-24

Stibu Stephen
Abstract
The term digital forensics was first coined as a synonym for computer forensics. Since then, it has
expanded to cover the investigation of any device capable of storing digital data. Although the first
computer crime was reported in 1978, followed by the Florida Computer Act, it did not become an
accepted term until the 1990s. National policies on digital forensics emerged only in the early 21st
century.

The growth of digital technology has both positive and negative effects. Virus attacks and cyber crimes
are increasing with the advancement of computer technology. This thesis considers the term digital
forensics and its relation to malware and ransomware. Digital forensics is a branch of forensic science
that focuses on the recovery and investigation of material found on digital devices related to cyber
crime. Every day, malware spreads through networks like wildfire. We also know that all processes
performed in a digital system must at some point operate in memory.

Memory analysis techniques retrieve artifacts to analyze inappropriate behaviors. Collecting, analyzing
and presenting data from various devices for each crime takes a long time, as the number of devices and
the amount of data are constantly growing, adding to the backlog of devices to test and analyze. This
malware research and analysis may help prevent further infections and improve system security.

Acknowledgments

Our profound gratitude goes to Mark Dougherty for his supervision and guidance throughout this
thesis work. My thanks also go to Eric Jarpe for his role as the examiner and to our program
director, Olga Torstensson, for the excellent learning opportunity. Additionally, we are grateful for
the support of God, our families, and friends.

Table of Contents
Abstract
Acknowledgments
1. Introduction
   Preface
   Project Aims and Scope
   Project Limitation
2. Background and Literature review
   Analysis and Detection of Ransomware
      Crypto-ransomware behavior and functionality
   Analysis and Detection of Ransomware
Proposed Approach
   Analysis of zCrypt
      Infection vector for zCrypt
      zCrypt's installation process
      Stabilizing
      Propagation of zCrypt
      Encryption
      Static analysis
3. Design of the proposed approach
   Enumeration of drives
   Enumeration of processes
   Placing files to monitor changes
   Transferring files to VirusTotal
   Global API hook
   Evaluation of Proposed Approach
      Detection of known sample hashes
      Sample hashes are found by looking for the sum of the virus.
      Detection of worm-based propagation
      Performance of basic monitoring
      Detecting unknown samples using file monitoring
4. Result
   Table 2 compares several ransomware detection techniques
5. Discussion
   Pragmatics of the Proposed Approach
   Evaluation of NoCrypt against other approaches
5. Conclusions
   Future Work
References

1. Introduction
Preface

Generally, a banking trojan causes temporary financial loss; ransomware, however, can cause
irretrievable, catastrophic loss of the victim's data. The rapid development of technology has helped
law enforcement agencies and forensic investigators solve new crimes more efficiently. Digital
forensics is used for the analysis of data such as audio, video and images, and it assists in the legal
process after data from electronic devices has been analyzed. The use of advanced technology is
increasing rapidly, and electronic devices come in many forms, such as tablets, flash memory, memory
cards and SD cards. Data must be kept secure while forensic analysis is performed. Additionally,
obtaining evidence from individual devices requires a lengthy data extraction process before analysis
can begin, and each tool requires specific knowledge and skills.

Ransomware can be considered a major type of malware that victimizes users of computer systems by
locking the system's screen or locking the victim's data and files unless an extortion payment (ransom)
is made [2]. Ransomware is often highly automated, and the inherent ubiquity of modern computing
systems enables criminals to target not only individuals, but also industries and government agencies,
causing them significant economic losses. Therefore, modern computer systems need a comprehensive
method to detect ransomware activity and prevent infection, thus significantly limiting the loss of data
within an organization [1].

Furthermore, law enforcement authorities take twelve months to analyze, prepare and present
evidence in court due to a lack of resources and knowledge and a high workload [4]. These delays and
inefficiencies create a huge backlog spanning twelve months. Many organizations and researchers
are focusing on eliminating such backlogs to streamline the process.

Project Aims and Scope
Detecting ransomware is a very challenging process [5], and failure to detect and identify
ransomware activity can lead to catastrophic loss of data. For corporate and enterprise
victims, this means a significant loss in revenue and a significant loss in consumer
confidence. For the individual user, this can result in years of lost personal memories and
personal data.

Current detection methods are signature-based detection and anomaly-based detection.
Anomaly-based detection focuses on known malware infection processes, which may lead to
false positives [6][7].

How can sensible and valuable artifacts be found in extracted compromised memory images?

• This objective helps to identify malicious operations in a given memory image. The
activities or artifacts extracted at this stage form the data set for training and modeling
machine learning algorithms.

1. Hybrid cryptosystem ransomware – uses a dynamically generated symmetric key to
encrypt the victim's data and files, and a preloaded public key to encrypt the symmetric key
itself.
2. Symmetric cryptosystem ransomware – uses the same key, generated on the infected
computer, both to encrypt the victim's data and files with a symmetric encryption algorithm
and to decrypt them. Typically, file-encrypting ransomware uses a 256-bit long AES (Advanced
Encryption Standard) key or DES (Data Encryption Standard) key. In this case, even the victim
may be able to recover the secret key by applying reverse engineering or memory scanning
techniques.

The scope of this project is to create a tool to classify memory artifacts and output results as
evidence of how to apply a machine learning model approach to memory forensics
investigation and analysis.

Project Limitation

The project requires standardized physical forensics that analyzes computers and peripherals
to maintain confidentiality, availability, and integrity.

- A checksum is computed at the beginning and end of each operation, maintaining integrity
during the process.
- Due to time constraints, the project focuses on producing results rather than creating
attractive interfaces.

2. Background and Literature review

Digital forensics covers a wide range of areas, starting from the assessment of digital crimes.
Technology also provides opportunities for criminals; therefore, digital forensics is considered in all
types of investigations [8]. By comparison, ransomware is a second-generation malware that targets a
set of files, Manley said, looking for system vulnerabilities that its predecessors might have caused. It
makes the system inaccessible to the victim by encrypting the files and locking the system [9].
Ransomware attacks vary depending on the method used to corrupt the victim's data files. One early
example replaces the computer's autoexec.bat file and counts the number of system reboots. If the
count is greater than 90, it hides directories and encrypts all filenames in the system root
directory [10].

This chapter explores an overview of technical concepts, background, literature study, and related
works. It covers architecture, acquisition, analysis methods and related frameworks.

Types of Ransomware

Ransomware can be classified into several groups based on the techniques used to prevent victims
from interacting with their computers and the actions it performs on devices [10]:
• Master Boot Record (MBR) Ransomware: attacks the part of the hard disk where the operating
system boot code is located and changes the boot state, displaying a different kind of message.
• Screen Lock Ransomware: a Trojan that locks the computer screen by executing a continuous loop
of constantly generated messages using APIs (Application Program Interfaces) from the OS
(Operating System). It demands a ransom, but the data and files on the computer are not encrypted.
• Browser Lock Ransomware/Web Server: attacks web servers and encrypts their files. Sometimes,
however, the ransomware is not actually an executable, so only a ransom message page pops up,
with images and HTML code and JavaScript running background threads and applications.
• Mobile Phone Ransomware: recently, ransomware has expanded not only to target computer
systems, but also into insecure areas such as mobiles and M2M (machine-to-machine
communication). It is usually embedded in downloaded applications.

After the development of this first ransomware, PC Cyborg, different aspects and features were
added so that ransomware could exploit more vulnerabilities related to cybercrime in computer
systems, as shown in Table 1.

Table 1. Timeline of Representative Ransomware [13]

Name                      Year        Notable Features
WinLock                   2010        Blocks PCs by displaying a ransom message
Reveton                   2012        Warning purportedly from a law enforcement agency
DirtyDecrypt              Summ. 2013  Encrypts eight different file formats
CryptoLocker              Sept. 2013  Fetches a public key from the C&C
CryptoWall                Nov. 2013   Requires TOR browser to make payments
Android Defender          2013        First Android locker-ransomware
TorDroid                  2014        First Android crypto-ransomware
Critroni                  July 2014   Similar to CryptoWall
TorrentLocker             Aug. 2014   Stealthiness: indistinguishable from SSH connections
CTB-Locker                Dec. 2014   Uses Elliptic Curve Cryptography, TOR and Bitcoins
CryptoWall 3.0            Jan. 2015   Uses exclusively TOR for payment
TeslaCrypt                Feb. 2015   Adds the option to pay with PayPal My Cash Cards
Linux.Encoder.1           Nov. 2015   Encrypts Linux's home and website directories
DMA-Locker                Jan. 2016   Comes with a decrypting feature built-in
PadCrypt                  Feb. 2016   Live chat support
Locky Ransomware          Feb. 2016   Installed using a malicious macro in a Word document
CTB-Locker for WebSites   Feb. 2016   Targets WordPress
KeRanger                  Mar. 2016   First ransomware for Apple's Mac computers
Cerber                    Mar. 2016   Offered as RaaS (and a quote in Latin)
Samas                     Mar. 2016   Pentesting on JBOSS servers
Petya                     Apr. 2016   Overwrites MBR with its own loader and encrypts MFT
CryptXXX                  May 2016    Monitors mouse activities and evades sandboxed environments
Mischa                    May 2016    Installed when PETYA fails to gain administrative privileges
RAA                       June 2016   Entirely written in JavaScript
Satana                    June 2016   Combines the features of PETYA and MISCHA
Stampado                  July 2016   Promoted through aggressive advertising campaigns on the Dark web
Fantom                    Aug. 2016   Uses a rogue Windows update screen
Cerber3                   Aug. 2016   Third iteration of the Cerber ransomware

Some of the major crypto ransomware families considered very dangerous [11], [12] include
CryptoWall, CTB Locker, CryptoLocker, Locky, WannaCry, Petya and zCrypt.
• CTB Locker – CTB stands for Curve Tor Bitcoin, where Curve stands for Elliptic Curve
Cryptography. It uses the TOR network, which hides users' identities and their online activities from
network traffic analysis. It can initially process the victim without an internet connection. Along with
encryption, it also disables the Volume Shadow Copy feature in Windows.
• CryptoLocker – This is still a threat and was used by Operation Tovar in 2014.
• Petya – Petya ransomware has a small payload and therefore a low detection rate by anti-virus
engines.
• Locky – This type of ransomware is distributed through spam emails. These emails contain a
Microsoft Office document as an attachment. When the file is downloaded, the macro written in it
creates the ransomware. It can delete shadow volume copies and encrypt external hard drives and
database files.
• WannaCry – This (also known as WCry or WanaCryptor) is one of the most dangerous types of
ransomware. It spread across 200,000 systems in the UK and worldwide. It first uses CVE-2017-0199,
then exploits vulnerabilities in Microsoft Office on Windows machines, and finally spreads via
EternalBlue.
• zCrypt – This type of ransomware behaves like a virus. It focuses on a general propagation method
and does not rely on malicious emails to find victims; it also spreads via USB sticks. Unlike other
ransomware, zCrypt does not attack all files; instead it finds key directories it can change and
destroys them.

Moreover, crypto-ransomware can encrypt any file located on mapped and unmapped network
drives in addition to the files on the victim's computer. The most deadly and aggressive types are
crypto ransomware, which encrypts the victim's data, and locker ransomware, which completely locks
the victim's computer, preventing users from accessing the system or input devices. Often crypto
ransomware does not encrypt the entire hard disk, but only searches for specific extensions. For
example, files containing text documents, presentations, and images (with extensions such as .doc,
.jpg, and .pdf) usually contain valuable information about a user [13].

Analysis and Detection of Ransomware

Ransomware detection is a very challenging process [5], and failure to detect and identify
ransomware activity can lead to catastrophic loss of data. This section reviews the existing
techniques used for the analysis and detection of ransomware. First, the nature and operation of
ransomware are briefly introduced. Second, existing techniques used to detect ransomware are
classified, reviewed, and briefly discussed.

Crypto-ransomware behavior and functionality


The most notable feature of crypto-ransomware is that it silently encrypts the actual data and files
on the victim's device using strong cryptography. After encrypting the data and files, the malware
informs the user that the data and files have been encrypted and demands a ransom to decrypt and
release the original data and files.
In addition, some kind of timer or deadline warning is shown to the user. If the user does not
settle the ransom within the given interval, the data and files can no longer be recovered with the
recovery key. Therefore, a victim can retrieve the data only by making an anonymous payment
(e.g., in Bitcoin [14][15]). Crypto-ransomware activity is divided into three types based on the
cryptosystem used: symmetric cryptosystem ransomware, asymmetric cryptosystem ransomware,
and hybrid cryptosystem ransomware.
Analysis and Detection of Ransomware
Ransomware is usually analyzed using two main methods: (i) static analysis and (ii) dynamic
analysis.
Static Analysis – Study of malicious files without executing them. Packers and obfuscation
make this type of analysis difficult.
Dynamic Analysis – Study of malicious files by executing them in a controlled environment
such as a sandbox or virtual machine. Anti-debugging and anti-virtual-machine techniques can
make dynamic analysis harder to complete.

Basically, the techniques used to classify ransomware activities fall into three
categories [16].
1. Local Static Information – Information is extracted from the malware before the program is
executed.
2. Dynamic Information – Extracts information based on the activity of the ransomware taken on
the affected computer while the program is running.
3. Information Extracted from Network Traffic – This is information obtained from the network
traffic generated by the operating ransomware.

Proposed Approach

Analysis of zCrypt

zCrypt was analyzed mainly to find a method of identifying crypto-worm behavior. A 32-bit
Windows 7 malware lab VM was used for the analysis. The analyzed samples were distributed as
infected email attachments, the common infection vector. zCrypt tries to hide itself and spread as
much as possible. It applies hidden attributes to dropped files. It uses PKI (Public Key
Infrastructure), which means decryption is very difficult. Unlike some other ransomware variants
where the key is hardcoded into the program, it generates a unique key for each victim.

Infection vector for zCrypt

In general, ransomware may infect a victim using various methods such as vulnerability
exploitation, social engineering, infected email attachments, and infected external media.
zCrypt is interesting because it can be downloaded from the Internet via spam emails, macro
malware and fake Flash Player installers, or propagated using removable drives. Then, zCrypt
tries to confuse the user by displaying a popup while encrypting files; the macro-based malware
acts as a distraction to the user.

zCrypt's installation process

Normally, zCrypt puts a copy of itself and its support files into the following locations, with hidden
attributes:
• C:\Users\Lab\AppData\Roaming\zcrypt.exe
• C:\Users\Lab\AppData\Roaming\btc.addr
• C:\Users\Lab\AppData\Roaming\cid.ztxt
• C:\Users\Lab\AppData\Roaming\public.key
• C:\Users\Lab\AppData\Roaming\private.key
The computer's personal identifier or Computer ID (CID) in the "cid.ztxt" file is used by the
cybercriminals to uniquely identify the victim machine. This CID is found embedded in the contact
URL and is retrieved from the client machine.
During analysis of the public/private key encryption process, the strings were examined and four
references were found, as shown in Figure 1: RSA routines used for encryption, Diffie-Hellman
routines used for key exchange, SSL routines forming the secure socket layer, and the random
number generator, which is often used as the seed for the key generator.

Fig. 1. Indicators of Key Exchange and Encryption

Stabilizing
Once zCrypt is successfully installed on the victim's computer, it takes precautionary measures to
ensure a full and complete infection. zCrypt adds a registry entry so that it starts automatically
when the system reboots. Along with this entry, several registry entries are created for smooth
propagation of zCrypt. A file named "system" with hidden attributes is also dropped; it was found
to contain the same strings as zCrypt. The start-up folder also contains a shortcut link to
zcrypt.exe to ensure execution after system reboot.

Propagation of zCrypt

After enumerating all connected drives using the Windows API GetDriveTypeA, zCrypt copies itself
to all removable drives with hidden attributes, e.g. F:\system.exe. This shows that zCrypt
enumerates the drives in order to map out other available drives, which can be observed by hooking
the GetDriveTypeA API. If a removable drive is present, an "autorun.inf" file is dropped. When
this autorun.inf file is created, its attributes are changed to hidden, so it is not visible to the
user. This process was further confirmed using OllyDbg, as shown in Figure 2.

Figure 2. Setting hidden attributes to "Autorun.inf".

BinText, as shown in Figure 3, was used to analyze the strings found in the "system" application
dropped on removable media. The strings showed payment instructions equivalent to those found
within the original zCrypt sample. URL strings demanding ransom, such as http[.]//qwertyuiop[.]gp,
were also found. This domain name differs from the contact domain used for key exchange.

Figure 3. Strings showing instructions similar to the zCrypt sample

Encryption
zCrypt attempts to download an RSA public key from the C2 server. If this fails, the scheme has a
contingency that allows offline execution: if it cannot connect to the C2 server, zCrypt uses the
hidden public key in the AppData folder. The ransomware is statically linked to OpenSSL, which can
be tested by generating a public/private key pair with OpenSSL and replacing the dropped public key
in the AppData folder. zCrypt terminates if the user's files cannot be encrypted. Files are encrypted
slowly as a result of using RSA. Once encryption is complete, zCrypt checks whether the private key
has been released, indicating that payment has been made.

Static analysis

DIE is an IDA Python plugin that enriches IDA's static analysis with dynamic data. DIE was used
to check whether the samples were packed. The sample was not packed, but was found to use
explicit compression/encryption.

3. Design of the proposed approach
NoCrypt uses the analysis of zCrypt to detect and identify known ransomware samples as well as
to detect unknown variants. It is primarily designed to counter crypto-worm variants that use drive
enumeration to propagate to removable media and network shares. The program was written in
C/C++ using Microsoft Visual Studio 2015. It is designed to run in a Windows 7 32-bit VM lab
environment with 4 GB RAM, 4 processors, 60 GB of pre-allocated storage, and NAT networking.
NoCrypt starts by enumerating the drives to determine which drives need protection. To
demonstrate the main features of the program, the currently logged-in user's directory is used as
the protected directory. Once the baseline has been taken, files are placed in the protected
directory for future reference by NoCrypt.

Figure 4. Flow control of the NoCrypt program

A global hook is used to monitor API calls to GetDriveType using NoCrypt.dll. After the program
is terminated at a user's request, all implant files are deleted from the protected directory to
prevent the accumulation of unused files over time.

Enumeration of drives
The first task the NoCrypt program performs is to enumerate the drives on the client machine.
This creates a complete list of associated drives, which the program uses to show which drives the
files are mounted on. Here, the GetLogicalDriveStrings function is used to fill a buffer with
strings specifying any valid drives in the system [17]. The function's return value is passed to the
GetDriveType function, which identifies whether a disk drive is removable, fixed, CD-ROM,
RAM disk, or network drive [18].

Enumeration of processes

The program enumerates all processes currently running on the client machine to identify
processes that are already whitelisted and to check for new processes. This is essentially how the
whitelist is populated. However, since processes vary from system to system and are created at an
exponential rate, hardcoding known processes will not work. The number of process identifiers
(PIDs) used by Microsoft is counted and used as the maximum value in a 'for' loop [19]. No
processes are filtered out at this point; each process is passed to processpathfinder() and
hash_process().

A handle to the process is obtained to acquire control of it, and the open process is queried using
GetModuleFileNameEx to retrieve the full path name of the file containing the specified
module [20]. This process enumeration is used to generate the SHA256 hashes that identify trusted
processes. Any processes found to be untrusted are further investigated by querying VirusTotal
using a public API key or by monitoring file activity for suspicious increases in file renaming. If
any of the enumerated processes modifies the implanted files, it is immediately considered
malicious.

Placing files to monitor changes

One of the main features of this program is the placement of files throughout the system. These
files are used to detect ransomware activity by identifying file name changes. The
ListDirectoryContents() function lists the contents of the directory given as its path argument
iteratively. For this program, the directory is the root directory of the drive. The FindFirstFile
function searches for a file or subdirectory with a specific name and attributes [21]. The function
relies on the fact that the current directory always has "." and ".." as its first entries. If these
entries exist, the file path is constructed using the parent directory in the name. A check is
performed to see whether the entity is a file or a folder; FILE_ATTRIBUTE_DIRECTORY is used to
determine whether an entity is a folder.
The use of recursion ensures that files are dispersed throughout the subtree into child folders. This
prevents ransomware from traversing directories in a way that avoids detection. The gen_random()
function solves the problem of generating files with the same name as user files. The create_file
function creates an implanted file with a randomly generated file extension. The final step of this
function addresses how to minimize the impact of implanted files on user activity: the
GetFileAttributes function retrieves the file's attributes, and the SetFileAttributes function sets
the file's attributes to hidden [22]. If the user tries to open any of these files, the attempt will fail,
as the files do not contain any information.
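The implant-and-check scheme described above, written out as an added Python example that is not NoCrypt's own code: gen_random(), create_file() and the hidden attribute follow the text, while os.walk standing in for the FindFirstFile recursion, the SHA256 baseline and the renamed-successor scan are assumptions of this example.

```python
import hashlib
import os
import secrets
import sys

# Constructed example modelled on NoCrypt's implanted-file design; not the
# thesis's code. Function names follow the text where the text names them.

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit passed to SetFileAttributesW


def gen_random(nbytes=6):
    """Random hex string so an implant never shares a name with a user file."""
    return secrets.token_hex(nbytes)


def create_file(directory):
    """Create one empty, hidden implant with a random name and extension.

    A leading dot hides the file on POSIX systems; on Windows the hidden
    attribute is set with SetFileAttributesW as the text describes.
    """
    path = os.path.join(directory, "." + gen_random() + "." + gen_random(2))
    with open(path, "wb"):
        pass  # deliberately empty: the file carries no user information
    if sys.platform == "win32":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_HIDDEN)
    return path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def implant(root):
    """Walk the subtree recursively and place one implant in every directory.

    Returns the baseline {implant_path: sha256} that check() compares against.
    """
    baseline = {}
    for dirpath, _dirs, _files in os.walk(root):
        path = create_file(dirpath)
        baseline[path] = sha256_of(path)
    return baseline


def check(baseline):
    """Compare every implant against the baseline.

    Returns a list of (event, path) tuples:
      renamed   implant gone, but a file whose name is the implant's name plus
                an appended extension exists (the renaming the text looks for)
      missing   implant gone with no renamed successor
      modified  implant still present but its content changed
    An empty list means no implant was touched.
    """
    events = []
    for path, digest in baseline.items():
        if os.path.exists(path):
            if sha256_of(path) != digest:
                events.append(("modified", path))
            continue
        directory, name = os.path.split(path)
        entries = os.listdir(directory) if os.path.isdir(directory) else []
        successors = [n for n in entries if n.startswith(name) and n != name]
        if successors:
            events.append(("renamed", os.path.join(directory, successors[0])))
        else:
            events.append(("missing", path))
    return events


def cleanup(baseline):
    """Remove implants when monitoring stops so they do not accumulate."""
    for path in baseline:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as demo:     # constructed sample tree
        os.mkdir(os.path.join(demo, "Documents"))
        base = implant(demo)
        victim = next(iter(base))
        os.rename(victim, victim + ".locked")       # constructed renaming
        print(check(base))
        cleanup(base)
```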

Transferring files to VirusTotal

This program section uses a modified version of the program "check_first" written by Adam
Kramer, licensed under the GNU General Public License version 3, dated June 29, 2007; the
source code was modified for use in this program [23]. VirusTotal.com provides a public API that
allows files to be uploaded and scanned and the information generated by VirusTotal to be
retrieved. The API uses HTTP POST requests with JSON responses. Public API requests are
limited to 4 per minute, and misuse of the key results in a ban from the VirusTotal public
API [24].
File size matters because VirusTotal imposes file size limits on its public API. The program
checks whether the file to be uploaded is larger than 32 MB and displays a warning if the file is
too large.
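An added Python example, not NoCrypt's or check_first's code, tying the process triage from the Enumeration of processes section to the VirusTotal limits above: hash_process() follows the text, while the whitelist and blacklist sets, the injectable clock and the return labels are assumptions of this example.

```python
import collections
import hashlib
import os

# Constructed example: each process image is hashed with SHA256 and compared
# with a whitelist and a blacklist; unknown images are submitted to VirusTotal
# only within the public-API quota (4 requests per minute) and upload limit
# (32 MB) given in the text, otherwise they fall back to file monitoring.

VT_MAX_REQUESTS = 4                   # public API quota per window
VT_WINDOW_SECONDS = 60.0
VT_MAX_UPLOAD_BYTES = 32 * 1024 * 1024


def hash_process(image_path):
    """SHA256 of the executable backing a process (the text's hash_process())."""
    with open(image_path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


class RateLimiter:
    """Sliding-window limiter; the clock is injectable so the logic is testable."""

    def __init__(self, max_calls, window, clock):
        self.max_calls, self.window, self.clock = max_calls, window, clock
        self.calls = collections.deque()   # timestamps of recent requests

    def try_acquire(self):
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()           # drop requests outside the window
        if len(self.calls) >= self.max_calls:
            return False
        self.calls.append(now)
        return True


def triage(image_path, whitelist, blacklist, limiter):
    """Classify one process image and return the action NoCrypt-style logic takes.

      "trusted"    hash on the whitelist, nothing more to do
      "malicious"  hash on the blacklist: terminate the process and warn the user
      "query_vt"   unknown, within size and quota limits: submit to VirusTotal
      "monitor"    unknown, but the submission cannot happen now (over 32 MB or
                   quota exhausted): rely on implanted-file monitoring instead
    """
    digest = hash_process(image_path)
    if digest in whitelist:
        return "trusted"
    if digest in blacklist:
        return "malicious"
    if os.path.getsize(image_path) > VT_MAX_UPLOAD_BYTES:
        return "monitor"
    return "query_vt" if limiter.try_acquire() else "monitor"
```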

Global API hook

A global or system-wide API hook is used to intercept specific function calls from running
processes [25]. First, the registry values AppInit_DLLs and LoadAppInit_DLLs need to be
changed. The RegSetValueEx function is called to set the LoadAppInit_DLLs value to the data
specified by the on variable [26]. An extra character is added to the strlen parameter for the NULL
terminator. When the program executes, the AppInit_DLLs infrastructure is used to load a custom
DLL containing the hook into all user-mode processes that link User32.dll.
There are four distinct steps when using a hook [27]: initialize the hook, hook the API, unhook the
API, and remove the hook. A data structure in the header file manages the API hooks. When a
hook is initialized, it monitors the entire system for a specific function call. Once the hook
function has executed, execution resumes at the original function address, which is known as
trampolining. The data structure stores the addresses of the original function and the hook
function, as well as an array holding the first six bytes of the original function's opcodes. Once the
hook function has completed its execution, the UnhookAPIHook function is employed to return
the flow of execution to the first 5 bytes of the original function. This leads to the normal
execution of the previously hooked function. The final step in the hooking process is to remove
the hook using the RemoveAPIHook function.

Evaluation of Proposed Approach

Checking the global API hook

The global API hook check determines whether all processes have loaded the NoCrypt DLL file.
Notifications of successful injection into processes are output to DebugView, which helps
monitor the hooking process. DebugView was used to confirm that newly created processes were
also hooked, as shown in Figure 5. When a process terminates, the ExitProcess hook is executed,
and the hook is released after writing to DebugView.

Figure 5. Debug view showing hooked processes

Detection of known sample hashes


Each of these samples was tested for detection rates using VirusTotal's 60 AV (antivirus) vendors.
NoCrypt detects these samples and identifies the family they belong to. NoCrypt warns the user in
each instance to confirm the detection of known Ransomware hashes. When a sample is found to
be malicious, the process is immediately terminated and the user is warned.

Sample hashes are obtained by computing a checksum of the sample file.
As each process is hooked, NoCrypt checks the whitelist and blacklist for a match and, if the hash is
still unknown, passes it to VirusTotal. Testing was performed to confirm NoCrypt's
performance in querying VirusTotal. Task Manager was monitored to make sure the sample was
running. The NoCrypt DLL is injected into the "invoice-order.x" sample. Line 28 of DebugView's
output shows that the sample calls the GetDriveType function. If a VirusTotal match is found, the
results page is opened in Google Chrome. This allows the user to identify the malicious file, as
shown in Figure 6, with an indication at the top right of the page of whether other users have
flagged the process as malicious or legitimate.
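The triage order described above (whitelist, then blacklist, then a VirusTotal hash query) together with the two public-API limits the thesis mentions (32 MB upload limit and, from the Future Work section, 4 queries per minute), as an added example that is not NoCrypt's own code. The `vt_report` callable, the sliding-window limiter and all sample hashes are assumptions constructed for the demonstration.

```python
import hashlib
from collections import deque

# Limits the thesis cites for VirusTotal's public API (example code, not NoCrypt's own).
VT_MAX_UPLOAD_BYTES = 32 * 1024 * 1024
VT_PUBLIC_QUERIES_PER_MIN = 4

class VtRateLimiter:
    """Sliding 60-second window; refuses a query instead of blocking the hooked process."""
    def __init__(self, per_minute=VT_PUBLIC_QUERIES_PER_MIN):
        self.per_minute, self.sent = per_minute, deque()

    def allow(self, now):
        while self.sent and now - self.sent[0] >= 60.0:
            self.sent.popleft()
        if len(self.sent) >= self.per_minute:
            return False
        self.sent.append(now)
        return True

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def triage(digest, size, whitelist, blacklist, vt_report, limiter, now):
    """Check order from the thesis: whitelist, blacklist, then VirusTotal by hash.
    vt_report(digest) is a hypothetical stand-in for the API: detection count or None."""
    if digest in whitelist:
        return "trusted"
    if digest in blacklist:
        return "known:" + blacklist[digest]        # family name; caller warns and terminates
    if not limiter.allow(now):
        return "deferred"                            # retry later; file monitoring still covers it
    positives = vt_report(digest)
    if positives is None:
        # Unknown to VirusTotal: only files within the upload limit can be submitted.
        return "upload" if size <= VT_MAX_UPLOAD_BYTES else "too-large"
    return "vt-flagged" if positives > 0 else "vt-clean"

def demo():
    """Constructed sample set; hashes are of made-up contents, not real ransomware hashes."""
    trusted = sha256_hex(b"constructed trusted binary")
    zcrypt = sha256_hex(b"constructed zCrypt sample")
    unknown = [sha256_hex(b"constructed sample %d" % i) for i in range(5)]
    vt_db = {unknown[0]: 45, unknown[1]: 0}      # constructed VirusTotal answers
    args = ({trusted}, {zcrypt: "zCrypt"}, vt_db.get, VtRateLimiter())
    results = [triage(trusted, 10, *args, 0.0), triage(zcrypt, 10, *args, 0.0)]
    results += [triage(h, 10, *args, 0.0) for h in unknown[:4]]
    big = VT_MAX_UPLOAD_BYTES + 1
    results.append(triage(unknown[4], big, *args, 0.0))   # 5th query inside one minute
    results.append(triage(unknown[4], big, *args, 61.0))  # window has slid, query allowed
    return results
```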

Figure 6. VirusTotal's results page

Detection of worm-based propagation


Detecting a GetDriveType call is not by itself an indicator of ransomware activity, since crypto
worms use the same system calls as legitimate programs. The global hook detects this function
call. In all three cases, the GetDriveType function call was detected and the user was warned.
Detecting the function call causes NoCrypt to monitor file activity further to ensure there are
no false positives.

Performance of basic monitoring


Windows Resource Monitor was used to assess NoCrypt's impact on system resources while
monitoring primary file activity. CPU usage was first viewed before running NoCrypt as a
reference. NoCrypt uses an average of 4% of the system's CPU capacity. This is the result
of hashing all running processes while files are implanted into protected directories. After
the implanted files have been checked, CPU usage returns to normal.
The baseline is set at four file changes per second. CPU usage was found to be acceptable, with
little impact on normal user activity. However, if many files are deleted or renamed, the implanted
files are checked.
Detecting unknown samples using file monitoring

File monitoring is the third line of defense against ransomware activity. A check was performed to
ensure that changes made to the implanted files were detected. While testing the
watch_directory function, one of the implanted files was changed, and the number of file changes crossed
the baseline for a forced check. The implanted files were checked using the check_implants
function, and verbose output on the console showed that file number 352 had changed.

Figure 7. Demonstration of the hash change of the implanted file

An anonymous sample of "CryptoHasYou" was used to further test the performance of the
baseline monitoring. When the ransomware sample is run, VirusTotal does not recognise it, but
NoCrypt still works. This test confirmed that baseline monitoring successfully detects encrypted files. When a
change is detected in the implanted files, all non-essential processes are terminated and the file is
replaced.
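The implanted-file monitoring described above (reference hashes of decoy files, a forced check once file changes exceed the four-per-second baseline, and check_implants reporting which decoy changed), as an added example that is not NoCrypt's own code. The implant count, file names and simulated encryption are constructed; terminating processes and restoring the file are left out.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption (added example, not NoCrypt's code): the thesis sets the forced-check
# baseline at four file changes per second.
BASELINE_CHANGES_PER_SEC = 4

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def implant_files(directory, count=8):
    """Write decoy files into a protected directory and keep their reference hashes."""
    refs = {}
    for i in range(count):
        p = Path(directory) / f"implant_{i:03d}.txt"
        p.write_bytes(f"NoCrypt implant {i}\n".encode())
        refs[p] = sha256_file(p)
    return refs

def check_implants(refs):
    """Return implants whose hash differs from the reference (a missing file counts too)."""
    return [p for p, ref in refs.items() if not p.exists() or sha256_file(p) != ref]

class ChangeRateTracker:
    """Sliding one-second window over file-change events; True means force a check."""
    def __init__(self, baseline=BASELINE_CHANGES_PER_SEC):
        self.baseline, self.events = baseline, []

    def record(self, now):
        self.events = [t for t in self.events if now - t < 1.0] + [now]
        return len(self.events) > self.baseline

def demo():
    """Constructed scenario: one decoy is overwritten in place, then a burst of changes."""
    with tempfile.TemporaryDirectory() as d:
        refs = implant_files(d)
        clean = check_implants(refs)                     # nothing touched yet
        victim = Path(d) / "implant_003.txt"
        victim.write_bytes(os.urandom(64))               # simulated encryption of one decoy
        changed = [p.name for p in check_implants(refs)]
        tracker = ChangeRateTracker()
        forced = [tracker.record(0.1 * i) for i in range(6)]  # six events inside one second
        return len(clean), changed, forced
```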
Sample Output Screens

Behavioral analysis

4. Result
Table 2 compares several ransomware detection techniques.

Sample          Detection method                                          Encrypted files   Remarks
                (sample hash detection / VirusTotal detection /
                 file monitoring)
zCrypt          ✓                                                         0
Cloudsword      ✓                                                                           Over 5 min
BTCWare         ✓                                                         0
Z2              ✓                                                         0
CryptoHasYou    ✓                                                         0
GoldForYou      ✓                                                         40
Dcry            ✓                                                         15
Nemesis         ✓                                                         1                 Admin

Heldroid uses machine learning to detect ransomware using threatening text detectors, encryption
detectors, and locking detectors. Due to the system's reliance on linguistics, our tests failed to
detect 19 of the 375 ransomware samples. Such systems can be fooled by using another language, whereas
NoCrypt uses file activity as an indicator of malicious behavior. NoCrypt deals only
with ransomware, so it is not a replacement for AV software. CryptoDrop is a program that checks for
file encryption using a similar file monitoring method. In our tests with 492 samples, an
average of 10 files was lost per sample run. This performance outperforms NoCrypt, which suffers from
high file loss due to time lags in VirusTotal's public API. However, CryptoDrop does not use
known hashes to detect or identify ransomware.

The development and testing of NoCrypt has brought to light the advantages of a hybrid
system that combines signature-based and anomaly-based detection. Signature-based detection
quickly identifies known threats but is ineffective against new ones. On the other hand,
anomaly-based detection has the disadvantage of causing false positives. NoCrypt tries to take
advantage of both techniques.
Comparing detection rates for ransomware samples from AV vendors shows the drawbacks of
using signature-based detection alone. Worm-like propagation is detected and prevented using
global API hooks. This anti-proliferation method is successful because processes calling drive
enumeration APIs that are deemed malicious are terminated and users are warned if they attempt
to enumerate a drive.

5. Discussion

Pragmatics of the Proposed Approach


NoCrypt can be used as an analytical tool for the immediate identification of known samples and
monitoring of unknown samples. This can be used to confirm if the sample is Ransomware and if
the sample is blacklisted. NoCrypt is not a replacement for AV software as it only deals with
Ransomware.

Evaluation of NoCrypt against other approaches

Heldroid uses machine learning to detect Ransomware using threatening text detectors, encryption
detectors, and locking detectors [28]. 19 out of 375 Ransomware samples were detected during
testing because the system relies on linguistics. CryptoDrop is a program that uses a similar file
monitoring method to check for file encryption. Of the 492 samples tested, an average of 10 files was
lost per sample [29].
This system does not use known hashes to detect or identify ransomware.
Although these systems are very effective at detecting ransomware using a single detection
technique, there is a clear advantage to combining signature-based and anomaly-based detection.
Anomaly-based detection on its own has the disadvantage of causing false positives.
NoCrypt tries to exploit the strengths of the two techniques while
mitigating the disadvantages associated with each.

5. Conclusions

• The design and validation of NoCrypt highlight the benefits of a hybrid signature- and
anomaly-based detection system.
• NoCrypt uses three lines of defense: known hashes, hash queries, and file monitoring. Monitoring
implanted files for changes eliminates the false positives associated with anomaly-based
detection. While the proof of concept works, file monitoring is only effective once files are being
encrypted.
• Known samples are identified immediately, and the user is shown the name of the sample, the
location of the malicious file, and a link to a decryptor where applicable. Detection and
mitigation of unknown Ransomware variants reduces data loss.
• Worm-like propagation is detected and prevented using a global API hook. This method of preventing
propagation is successful because if the process calling the drive enumeration API is deemed
malicious, it is terminated and the user is warned about the attempt to enumerate drives.

Future Work

• The public API key provided by VirusTotal limits the user to 4 queries per minute,
resulting in a significant delay when many processes must be checked. Using a private API key can
improve NoCrypt's performance and the speed at which it detects threats.
• Mitigate against users accidentally removing implanted files, which causes errors in the
file monitoring function that compares implanted file hashes to reference file hashes.
• An option to whitelist a process would eliminate false positives where VirusTotal users
consider a detection to be a false positive. The option to add trusted applications would improve
NoCrypt's functionality and efficiency while reducing the number of VirusTotal queries
needed.

References

1. Nhien-An Le-Khac and Anca D. Jurcut, "Forensic Investigation of Ransomware
Activities—Part 2", book chapter, July 2020, DOI: 10.1007/978-3-030-47131-6_5
2. "Detection and prevention of cryptoransomware", in Proc. IEEE 8th Annu. Ubiquitous
Comput., Electron. Mobile Commun. Conf. (UEMCON), Oct. 2017, pp. 472-478.
3. Ligh, H. M., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics:
Detecting Malware and Threats in Windows, Linux, and Mac Memory (1st ed.). Wiley,
pp. 1-26.
4. Salman Iqbal and Soltan Abed Alharbi (2019). Advancing Automation in Digital
Forensic Investigations Using Machine Learning Forensics. Digital Forensic Science.
[Online]
5. L. Y. Connolly and D. S. Wall, "The rise of crypto-ransomware in a changing cybercrime
landscape: Taxonomising countermeasures", Computers & Security, vol. 87, Elsevier,
Nov. 2019, DOI: 10.1016/j.cose.2019.101568
6. E. Schaefer, N-A. Le-Khac, M. Scanlon (2017) "Integration of Ether Unpacker into
Ragpicker for Plugin-Based Malware Analysis and Identification", 16th European Conference
on Cyber Warfare and Security, Dublin, Ireland, June 2017
7. Linke, N-A. Le-Khac (2016) "Control Flow Change in Assembly as a Classifier in
Malware Analysis", 4th IEEE International Symposium on Digital Forensics and
Security, Arkansas, USA, April 2016, DOI: 10.1109/ISDFS.2016.7473514
8. N. Beebe, "Digital forensic research: The good, the bad and the unaddressed," in Advances
in Digital Forensics V, pp. 17–36, Springer, 2009.
9. Jagmeet Singh Aidan, Zeenia, Urvashi Garg, "Advanced Petya Ransomware and
Mitigation Strategies", Secure Cyber Computing and Communication (ICSCCC) 2018
First International Conference, 2018, pp. 23-28.
10. R. Shinde, P. Van der Veeken, S. Van Schooten, J. van den Berg, "Ransomware: Studying
transfer and mitigation", Computing Analytics and Security Trends (CAST) International
Conference, 2016, pp. 90-95.
11. Kok, S.H.; Abdullah, A.; Jhanjhi, N.Z.; Supramaniam, M. Ransomware, Threat and
Detection Techniques: A Review. Int. J. Comput. Sci. Netw. Secur. 2019, 19, 136–146.
12. J. Dunn, T. Macaulay and T. Magee, "The worst types of ransomware attacks",
Computerworld, Jun. 12, 2018.
https://www.computerworlduk.com/galleries/security/worstransomware-attacks-we-name-internets-nastiest-extortion-malware3641916/
13. D. Sgandurra, L. Muñoz-González, R. Mohsen, and E. C. Lupu, "Automated dynamic
analysis of ransomware: Benefits, limitations and use for detection," Sep. 2016,
arXiv:1609.03020. [Online]. Available: https://arxiv.org/abs/1609.03020
14. S. Zollner, K-K R. Choo, N-A. Le-Khac, An Automated Live Forensic and Postmortem
Analysis tool for Bitcoin on Windows Systems, IEEE Access, Vol. 7, 2019, DOI:
10.1109/ACCESS.2019.2948774
15. L. V. der Horst, K-K R. Choo, N-A. Le-Khac, Process memory investigation of the
Bitcoin Clients Electrum and Bitcoin Core, IEEE Access, Vol. 5, 2017, DOI:
10.1109/ACCESS.2017.2759766
16. E. Berrueta, D. Morato, E. Magaña, M. Izal, "A Survey on Detection Techniques
for Cryptographic Ransomware", IEEE Access, vol. 7, 2019, pp. 44925-44.
17. Msdn.microsoft.com. (2017). GetLogicalDriveStrings function (Windows). [Online]
Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/aa364975(v=vs.85).aspx
18. Msdn.microsoft.com. (2017). GetDriveType function (Windows). [Online] Available at:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa364939(v=vs.85).aspx
19. Msdn.microsoft.com. (2017). Enumerating All Processes (Windows). [Online] Available
at: https://msdn.microsoft.com/en-us/library/windows/desktop/ms682623(v=vs.85).aspx
20. Msdn.microsoft.com. (2017). GetModuleFileNameEx function (Windows). [Online]
Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/ms683198(v=vs.85).aspx
21. Msdn.microsoft.com. (2017). FindFirstFileEx function (Windows). [Online] Available at:
https://msdn.microsoft.com/en-us/library/aa364419(VS.85).aspx
22. Msdn.microsoft.com. (2017). Retrieving and Changing File Attributes (Windows).
[Online] Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/aa365522(v=vs.85).aspx
23. Kramer, A. (2015). adamkramer/check_first. [Online] GitHub. Available at:
https://github.com/adamkramer/check_first/blob/master/check_first.cpp
24. Virustotal.com. (2017). Public API version 2.0 - VirusTotal. [Online] Available at:
https://www.virustotal.com/en/documentation/public-api/#getting-url-scans
25. Podobry, S. (2012). Easy way to set up global API hooks - CodeProject. [Online]
Codeproject.com. Available at: https://www.codeproject.com/Articles/49319/Easy-way-to-set-up-global-API-hooks
26. Msdn.microsoft.com. (2017). RegSetValueEx function (Windows). [Online] Available at:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms724923(v=vs.85).aspx
27. rohitab.com - Forums. (2013). Header file for API hooking - Source Codes. [Online]
Available at: http://www.rohitab.com/discuss/topic/40192-header-file-for-api-hooking/#entry10106168
28. Andronio, N. (2012). Heldroid: Fast and Efficient Linguistic-Based Ransomware
Detection. [Online] Indigo.uic.edu. Available at:
http://indigo.uic.edu/bitstream/handle/10027/19676/Andronio_Nicolo.pdf?sequence=1
29. Scaife, N., Carter, H., Traynor, P. and Butler, K. (2016). Stopping Ransomware Attacks
on User Data. [Online] https://www.cise.ufl.edu/. Available at:
https://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf
30. J. Wang, F. Zhang, K. Sun, and A. Stavrou, "Firmware-assisted memory acquisition and
analysis tools for digital forensics," in Systematic Approaches to Digital Forensic
Engineering (SADFE), 2011 IEEE Sixth International Workshop on, pp. 1–5, IEEE, 2011.
31. Awad, M., & Khanna, R. (2015). Efficient Learning Machines: Theories, Concepts, and
Applications for Engineers and System Designers (1st ed.). Apress.
32. Bhatnagar, R. (2018). Machine Learning and Big Data Processing: A Technological
Perspective and Review. The International Conference on Advanced Machine Learning
Technologies and Applications (AMLTA2018), 468–478. https://doi.org/10.1007/978-3-319-74690-6_46
33. Samuel, A. L. (1959). Some studies in machine learning using the game of checkers.
[Online] http://www2.stat.duke.edu/~sayan/R_stuff/Datamatters.key/Data/samuel_1959_B-95.pdf
[Accessed 3/10/2021]
34. Sadek, I., Chong, P., Rehman, S. U., Elovici, Y., & Binder, A. (2019). Memory snapshot
dataset of a compromised host with malware using obfuscation evasion techniques. Data in
Brief, 26, 104437. https://doi.org/10.1016/j.dib.2019.104437
35. Subham Kapiswe (March 27, 2019). 3 Best Memory Forensics Tools For
Security Professionals. [Online] https://www.technotification.com/2019/03/best-memory-forensics-tools.html
36. Barabosch, T., Bergmann, N., Dombeck, A. and Padilla, E. (2017). Quincy: Detecting host-based
code injection attacks in memory dumps. In International Conference on Detection
of Intrusions and Malware, and Vulnerability Assessment, pp. 209-229. Springer, Cham.
