• Title/Summary/Keyword: 랜섬웨어 (ransomware)


Analysis and Countermeasures for the Ransomware Cryptolocker (랜섬웨어 Cryptolocker에 대한 분석과 대응방안)

  • Kim, Yongki; Ham, Donggyun; Joo, Younghwan; Lee, Keun-Ho
    • Proceedings of the Korea Information Processing Society Conference / 2016.04a / pp.292-293 / 2016
  • Ransomware is currently emerging as the hottest issue among security problems. Ransomware attacks, which first appeared in Russia, have almost 4,000 variants and have caused 370 million won in damage worldwide. In addition, techniques more advanced than existing attacks continue to appear. In this paper, we analyzed the Cryptolocker attack method of ransomware. Understanding and analyzing the whole scenario is proposed as the basis for a new countermeasure plan.

Hierarchical Threads Generation-based Bypassing Attack on DLL Injection Monitoring System (계층화된 쓰레드 생성을 이용한 DLL 삽입 탐지기술 우회 공격 기법)

  • DaeYoub Kim
    • Journal of IKEEE / v.27 no.3 / pp.239-245 / 2023
  • Whitelist-based ransomware solutions are known to be vulnerable to impersonation attacks that use DLL injection. To solve this problem, it has been proposed to monitor DLL injection attacks and to integrate the monitoring result into ransomware solutions. In this paper, we show that attackers can easily bypass the monitoring mechanism and then illegally access files on a target system. This means that whitelist-based ransomware solutions are still vulnerable.

Offline Based Ransomware Detection and Analysis Method using Dynamic API Calls Flow Graph (다이나믹 API 호출 흐름 그래프를 이용한 오프라인 기반 랜섬웨어 탐지 및 분석 기술 개발)

  • Kang, Ho-Seok; Kim, Sung-Ryul
    • Journal of Digital Contents Society / v.19 no.2 / pp.363-370 / 2018
  • Ransomware detection has become a hot topic in computer security for protecting digital contents. Unfortunately, current signature-based and static detection models are often easily evaded by compression and encryption. To overcome the shortcomings of these detection approaches, we have proposed a dynamic ransomware detection system using data mining techniques such as the RF, SVM, SL and NB algorithms. We monitor the actual behaviors of software to generate API call flow graphs. Thereafter, data normalization and feature selection were applied to select informative features, and we improved this analysis process. Finally, the data mining algorithms were used to build the detection model that judges whether the software is benign software or ransomware. We conducted our experiment using more suitable real ransomware samples, and the results show that our proposed system can be more effective in improving ransomware detection performance.

Ransomware Analysis and Method for Minimize the Damage (랜섬웨어 분석과 피해 최소화 방안)

  • Moon, Jaeyeon; Chang, Younghyun
    • The Journal of the Convergence on Culture Technology / v.2 no.1 / pp.79-85 / 2016
  • Ransomware was malicious code that was active mainly around the US, but it now spreads rapidly all over the world and has recently emerged in Korea because of the exponential growth in computer supply and in the number of users. Initially, ransomware used e-mail as an attack medium, inducing the user to click a file delivered through spam mail, but it is now also circulated through smartphone messages. The current trend is an increase in the number of damage cases, including attacks such as the one on a large domestic community site by a Korean-language (Hangul) version of ransomware. Ransomware encrypts the user's files, outputs a warning message, and causes monetary damage by demanding payment via bitcoin, a virtual currency whose transactions are difficult to trace. This paper presents an analysis of, and solutions to, damage cases caused by ransomware.

AdvanSSD-Insider: Performance Improvement of SSD-Insider using BloomFilter with Optimization (블룸 필터와 최적화를 이용한 SSD-Insider 알고리즘의 탐지 성능 향상)

  • Kim, JeongHyeon; Jung, ChangHoon; Nyang, DaeHun; Lee, KyungHee
    • The Journal of Korean Institute of Next Generation Computing / v.15 no.5 / pp.7-19 / 2019
  • Ransomware is a malicious program that demands payment for decryption after encrypting files on the user's desktop. Since the frequency and the financial damage of ransomware attacks are increasing each year, ransomware prevention, detection and recovery systems are needed. Baek et al. proposed SSD-Insider, an algorithm for detecting ransomware within an SSD. In this paper, we propose the AdvanSSD-Insider algorithm, which substitutes a Bloom filter for the hash table used for the overwriting check in SSD-Insider. Experimental results show that the AdvanSSD-Insider algorithm reduces memory usage by up to 90% and execution time by up to 77% compared to the SSD-Insider algorithm while achieving the same detection accuracy. In addition, the AdvanSSD-Insider algorithm can monitor 10 times longer than the SSD-Insider algorithm under the same memory conditions. As a result, detection accuracy is increased for some ransomware that was difficult to detect using the previous algorithm.

Cryptography Module Detection and Identification Mechanism on Malicious Ransomware Software (악성 랜섬웨어 SW에 사용된 암호화 모듈에 대한 탐지 및 식별 메커니즘)

  • Hyung-Woo Lee
    • Journal of Internet of Things and Convergence / v.9 no.1 / pp.1-7 / 2023
  • Cases in which personal terminals or servers are infected by ransomware are rapidly increasing. Ransomware uses a self-developed encryption module, or combines existing symmetric-key/public-key encryption modules, to illegally encrypt files stored in the victim system using a key known only to the attacker. Therefore, in order to decrypt the files, it is necessary to know the value of the key used, and since the process of finding the decryption key takes a lot of time, the financial cost is eventually paid. Most ransomware is included in a hidden form in binary files, so when the program is executed, the user is infected with the malicious code without even knowing it. Therefore, in order to respond to ransomware attacks delivered as binary files, it is necessary to identify the encryption module used. In this study, we developed a mechanism that can detect and identify the encryption module by reverse analysis of the malicious code hidden in the binary file.

A Study on the Cerber-Type Ransomware Detection Model Using Opcode and API Frequency and Correlation Coefficient (Opcode와 API의 빈도수와 상관계수를 활용한 Cerber형 랜섬웨어 탐지모델에 관한 연구)

  • Lee, Gye-Hyeok; Hwang, Min-Chae; Hyun, Dong-Yeop; Ku, Young-In; Yoo, Dong-Young
    • KIPS Transactions on Computer and Communication Systems / v.11 no.10 / pp.363-372 / 2022
  • Since the recent COVID-19 pandemic, the ransomware pandemic has intensified along with the expansion of remote work. Currently, anti-virus companies are trying to respond to ransomware, but traditional file-signature-based static analysis can be neutralized by diversification, obfuscation, variants, or the emergence of new ransomware. Various studies are being conducted on ransomware detection, and detection studies using signature-based static analysis and behavior-based dynamic analysis can be seen as the main research types at present. In this paper, the frequency of ".text Section" opcodes and of the Native APIs used in practice was extracted, and the association between feature information selected using the K-means clustering algorithm, cosine similarity, and the Pearson correlation coefficient was analyzed. In addition, through experiments to classify and detect worms among other malware types and Cerber-type ransomware, it was verified that the selected feature information was specialized in detecting specific ransomware (Cerber). After combining the finally selected feature information through the above verification, applying it to machine learning and performing hyperparameter optimization, the detection rate was up to 93.3%.

A Study on a Method of Identifying a Block Cipher Algorithm to Increase Ransomware Detection Rate (랜섬웨어 탐지율을 높이기 위한 블록암호 알고리즘 식별 방법에 관한 연구)

  • Yoon, Se-won; Jun, Moon-seog
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.2 / pp.347-355 / 2018
  • Ransomware uses symmetric-key algorithms such as block ciphers to encrypt users' files illegally. If we find the traces of a block cipher algorithm in a certain program in advance, ransomware will be detected at an increased rate. The inclusion of a block cipher can be taken to mean that an encryption function may potentially be enabled. This paper proposes a way to determine whether a particular program contains a block cipher. We have studied the implementation characteristics of various block ciphers, as well as the AES used by ransomware. Based on those characteristics, we are able to find what kind of block ciphers are contained in a particular program. The methods proposed in this paper will be able to detect ransomware with high probability by complementing previous detection methods.

Operating principle and preventive measures of Ransomware (랜섬웨어의 동작 원리와 예방 대책)

  • Cho, Young-Ju; Kim, Jin-Hyuk; Oh, Ji-Hoon; So, Youn-Jeong; Sun, A-Young
    • Proceedings of the Korea Contents Association Conference / 2017.05a / pp.91-92 / 2017
  • In the developing IoT era, the use of computers has become closely tied to modern life. Because of this, we can conveniently produce documents on a computer instead of enduring the inconvenience of writing each one by hand on paper. However, since all documents are now stored on computers, the virus that exploits this is ransomware. In this paper, we examine the meaning and operating principle of ransomware and propose preventive measures.

Design of a Real-time Risk Analysis System for Ransomware Using Mining based on Social Network Service (소셜 네트워크 서비스 기반 마이닝을 이용한 실시간 랜섬웨어 위험도 분석 시스템 설계)

  • Na, Jaeho; Kim, Mihui
    • Proceedings of the Korea Information Processing Society Conference / 2017.11a / pp.254-256 / 2017
  • In this paper, we design a system that mines Twitter, among social network services, to analyze ransomware risk in real time. To this end, we mine tweet data from May 10 to May 20, centered on the WannaCry ransomware, which caused the greatest damage on May 12, 2017, and confirm the value of the tweet data through a comparison experiment on its similarity with an existing system, Google Trends. Finally, we present future research topics for the proposed system.