Cryptography Module Detection and Identification Mechanism on Malicious Ransomware Software

  • Hyung-Woo Lee (Division of Computer Engineering, Hanshin University)
  • Received : 2022.10.28
  • Accepted : 2022.12.08
  • Published : 2023.02.28

Abstract

Cases in which personal terminals or servers are infected by ransomware are increasing rapidly. Ransomware uses a self-developed encryption module, or combines existing symmetric-key/public-key encryption modules, to illegally encrypt files stored on the victim system with a key known only to the attacker. Decrypting the files therefore requires knowing the key that was used, and because recovering the decryption key takes a great deal of time, victims end up paying a financial cost. Most ransomware is embedded in hidden form within binary files, so the user is infected by the malicious code when the program is executed, without being aware of it. Responding to ransomware delivered as binary files therefore requires identifying the encryption module it uses. In this study, we developed a mechanism that detects and identifies the encryption module applied in malicious code hidden in a binary file by reverse analysis.

Acknowledgement

Part of this work was supported by a National Research Foundation of Korea grant funded by the Korean government (Ministry of Science and ICT) in 2022 (No. 2021R1F1A1046954).
