http://dx.doi.org/10.56977/jicce.2022.20.4.280

Trends in Mobile Ransomware and Incident Response from a Digital Forensics Perspective  

Min-Hyuck Ko (Department of Computer Engineering, Catholic University of Pusan)
Pyo-Gil Hong (Department of Computer Engineering, Catholic University of Pusan)
Dohyun Kim (Department of Computer Engineering, Catholic University of Pusan)
Abstract
The number of mobile ransomware families has grown in recent years, and so has the number of incidents in which they cause damage. Typical damage includes encrypting the files on a victim's smart device or rendering the device unusable, leading to financial loss for the victim. In this study, we analyze several representative ransomware apps, classify them, and identify trends in their malicious behavior. From a digital forensics perspective, we present a technique for recovering from the damage: we reverse engineer the ransomware apps and analyze weaknesses in the malicious functions they build on various cryptographic techniques. We found that ransomware apps fall largely into three types: locker, crypto, and hybrid. For each type, we present a recovery method for the damage it causes and illustrate it with an actual case. This study is expected to help minimize the damage caused by ransomware apps and to support the response to new ones.
Keywords
Mobile Ransomware; Incident Response; Ransomware Analysis; Digital Forensics