Forensic Analysis of Ransomware Families Using Static and Dynamic Analysis

Forensic analysis of executables or binary files is the common practice for detecting malware characteristics. Reverse engineering is performed on executables at different levels, such as raw binaries, assembly code, libraries, and function calls, to better analyze and interpret the purpose of malware code segments. In this work, we applied data-mining techniques to correlate multi-level code components (derived from the reverse-engineering process) in order to find unique association rules that identify ransomware families. However, reversing and analyzing code structure do not always reveal the run-time behavior of an executable, so we used a combined approach (static and dynamic) to better unveil the hidden intent of the program. We analyzed 450 ransomware samples, and the experimental results report some important correlations among different code components from our combined analysis.
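The association-rule step the abstract describes, as an added example that is not the paper's code: it mines feature combinations drawn from both static (imports, strings) and dynamic (sandbox behaviour) levels over a constructed toy corpus and keeps only the combinations that predict a family with high confidence. The feature names, family labels, thresholds and the `SAMPLES` corpus are assumptions for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed toy corpus (not the paper's data): (family, feature set). Prefixes
# mark the analysis level, an assumption for this example: "static:imp" = imported
# API, "static:str" = embedded string, "dyn:*" = behaviour observed in a sandbox.
SAMPLES = [
    ("FamA", {"static:imp:CryptEncrypt", "static:str:.onion", "dyn:fs:mass_rename", "dyn:api:DeleteFileW"}),
    ("FamA", {"static:imp:CryptEncrypt", "static:str:.onion", "dyn:fs:mass_rename", "dyn:net:http"}),
    ("FamA", {"static:imp:CryptEncrypt", "static:str:.onion", "dyn:fs:mass_rename"}),
    ("FamB", {"static:imp:CryptEncrypt", "static:imp:CryptGenRandom", "dyn:fs:mass_rename", "dyn:net:http"}),
    ("FamB", {"static:imp:CryptEncrypt", "static:imp:CryptGenRandom", "dyn:fs:mass_rename", "dyn:api:DeleteFileW"}),
    ("FamB", {"static:imp:CryptGenRandom", "dyn:fs:mass_rename", "dyn:net:http"}),
    ("Benign", {"static:imp:CreateFileW", "static:imp:CryptEncrypt", "dyn:net:http"}),
    ("Benign", {"static:imp:CreateFileW", "dyn:fs:mass_rename"}),
]

def frequent_itemsets(samples, min_support, max_len=2):
    """Support of every feature combination (up to max_len) that meets min_support."""
    counts = Counter()
    for _, feats in samples:
        for k in range(1, max_len + 1):
            counts.update(combinations(sorted(feats), k))  # tuples in a stable order
    n = len(samples)
    return {combo: c / n for combo, c in counts.items() if c / n >= min_support}

def family_rules(samples, min_support=0.25, min_confidence=0.9, max_len=2):
    """Rules {features} -> family with confidence = P(family | features). Features
    common to all ransomware (CryptEncrypt alone) never pass min_confidence."""
    rules = []
    for combo, support in frequent_itemsets(samples, min_support, max_len).items():
        holders = [fam for fam, feats in samples if set(combo) <= feats]
        fam, hits = Counter(holders).most_common(1)[0]
        confidence = hits / len(holders)
        if confidence >= min_confidence:
            rules.append((combo, fam, support, confidence))
    return sorted(rules, key=lambda r: (-r[3], -r[2], r[0]))

def classify(features, rules):
    """Vote each firing rule's family, weighted by confidence; None if none fire."""
    votes = Counter()
    for combo, fam, _, confidence in rules:
        if set(combo) <= features:
            votes[fam] += confidence
    return votes.most_common(1)[0][0] if votes else None

if __name__ == "__main__":
    for combo, fam, support, confidence in family_rules(SAMPLES):
        print(f"{' & '.join(combo)} -> {fam} (support {support:.2f}, confidence {confidence:.2f})")
```

On this corpus the features every ransomware shares (the crypto import, the mass rename) yield no rule on their own; the family-identifying rules are cross-level combinations such as a static string together with a dynamic filesystem behaviour, which is the point of combining the two analyses.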
