http://dx.doi.org/10.13089/JKIISC.2018.28.2.347

A Study on a Method of Identifying a Block Cipher Algorithm to Increase Ransomware Detection Rate  

Yoon, Se-won (Soongsil University)
Jun, Moon-seog (Soongsil University)
Abstract
Ransomware uses a symmetric-key algorithm, such as a block cipher, to encrypt users' files illegally. If traces of a block cipher algorithm are found in a program in advance, ransomware can be detected at a higher rate, because the presence of a block cipher indicates that the program can potentially perform encryption. This paper proposes a way to determine whether a particular program contains a block cipher. We have studied the implementation characteristics of various block ciphers, as well as those of AES, which is used by ransomware. Based on those characteristics, we are able to determine which block ciphers a particular program contains. The methods proposed in this paper will be able to detect ransomware with high probability by complementing previous detection methods.
Keywords
Ransomware; Block Cipher; Optimization;