• Proceedings of the Korea Information Processing Society Conference
• /
• 2016.04a
• /
• pp.292-293
• /
• 2016

랜섬웨어는 현재 보안 문제 중 가장 뜨거운 이슈로 떠오르고 있다. 러시아에서 처음으로 등장한 랜섬웨어 공격은 거의 4,000가지 유형을 가지고 있으며, 전 세계 3억7천만 원의 피해를 가져왔다. 또한, 기존의 공격보다 더 발달 된 기술은 계속해서 등장하고 있다. 본 논문에서는 랜섬웨어의 Cryptolocker 공격 방법을 분석했다. 전체 시나리오에 대한 이해와 분석은 대책을 위한 새로운 계획을 위해 제안하고자 한다.

• Journal of IKEEE
• /
• v.27 no.3
• /
• pp.239-245
• /
• 2023

Whitelist-based ransomware solution is known as being vulnerable to false impersonation attack using DLL injection attack. To solve this problem, it is proposed to monitor DLL injection attack and to integrate the monitoring result to ransomware solutions. In this paper, we show that attackers can easily bypass the monitoring mechanism and then illegally access files of a target system. It means that whitelist-based ransomware solutions are still vulnerable.

• Journal of Digital Contents Society
• /
• v.19 no.2
• /
• pp.363-370
• /
• 2018

Ransomware detection has become a hot topic in computer security for protecting digital contents. Unfortunately, current signature-based and static detection models are often easily evadable by compress, and encryption. For overcoming the lack of these detection approach, we have proposed the dynamic ransomware detection system using data mining techniques such as RF, SVM, SL and NB algorithms. We monitor the actual behaviors of software to generate API calls flow graphs. Thereafter, data normalization and feature selection were applied to select informative features. We improved this analysis process. Finally, the data mining algorithms were used for building the detection model for judging whether the software is benign software or ransomware. We conduct our experiment using more suitable real ransomware samples. and it's results show that our proposed system can be more effective to improve the performance for ransomware detection.

• The Journal of the Convergence on Culture Technology
• /
• v.2 no.1
• /
• pp.79-85
• /
• 2016

Ransomware was a malicious code that active around the US, but now it spreads rapidly all over the world and emerges in korea recently because of exponential computer supply and increase in users. Initially ransomware uses e-mail as an attack medium in such a way that induces to click a file through the spam mail Pam, but it is now circulated through the smart phone message. The current trend is an increase in the number of damage, including attacks such as the domestic large community site by ransomware hangul version. Ransomware outputs a warning message to the user to encrypt the file and leads to monetary damages and demands for payment via bitcoin as virtual currency is difficult to infer the tracking status. This paper presents an analysis and solutions to damage cases caused by ransomware.

• The Journal of Korean Institute of Next Generation Computing
• /
• v.15 no.5
• /
• pp.7-19
• /
• 2019

Ransomware is a malicious program that requires the cost of decryption after encrypting files on the user's desktop. Since the frequency and the financial damage of ransomware attacks are increasing each year, ransomware prevention, detection and recovery system are needed. Baek et al. proposed SSD-Insider, an algorithm for detecting ransomware within SSD. In this paper, we propose an AdvanSSD-Insider algorithm that substitutes a hash table used for the overwriting check with a bloom filter in the SSD-Insider. Experimental results show that the AdvanSSD-Insider algorithm reduces memory usage by up to 90% and execution time by up to 77% compared to the SSD-Insider algorithm and achieves the same detection accuracy. In addition, the AdvanSSD-Insider algorithm can monitor 10 times longer than the SSD-Insider algorithm in same memory condition. As a result, detection accuracy is increased for some ransomware which was difficult to detect using previous algorithm.

• Journal of Internet of Things and Convergence
• /
• v.9 no.1
• /
• pp.1-7
• /
• 2023

Cases in which personal terminals or servers are infected by ransomware are rapidly increasing. Ransomware uses a self-developed encryption module or combines existing symmetric key/public key encryption modules to illegally encrypt files stored in the victim system using a key known only to the attacker. Therefore, in order to decrypt it, it is necessary to know the value of the key used, and since the process of finding the decryption key takes a lot of time, financial costs are eventually paid. At this time, most of the ransomware malware is included in a hidden form in binary files, so when the program is executed, the user is infected with the malicious code without even knowing it. Therefore, in order to respond to ransomware attacks in the form of binary files, it is necessary to identify the encryption module used. Therefore, in this study, we developed a mechanism that can detect and identify by reverse analyzing the encryption module applied to the malicious code hidden in the binary file.

• KIPS Transactions on Computer and Communication Systems
• /
• v.11 no.10
• /
• pp.363-372
• /
• 2022

Since the recent COVID-19 Pandemic, the ransomware fandom has intensified along with the expansion of remote work. Currently, anti-virus vaccine companies are trying to respond to ransomware, but traditional file signature-based static analysis can be neutralized in the face of diversification, obfuscation, variants, or the emergence of new ransomware. Various studies are being conducted for such ransomware detection, and detection studies using signature-based static analysis and behavior-based dynamic analysis can be seen as the main research type at present. In this paper, the frequency of ".text Section" Opcode and the Native API used in practice was extracted, and the association between feature information selected using K-means Clustering algorithm, Cosine Similarity, and Pearson correlation coefficient was analyzed. In addition, Through experiments to classify and detect worms among other malware types and Cerber-type ransomware, it was verified that the selected feature information was specialized in detecting specific ransomware (Cerber). As a result of combining the finally selected feature information through the above verification and applying it to machine learning and performing hyper parameter optimization, the detection rate was up to 93.3%.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.347-355
• /
• 2018

Ransomware uses symmetric-key algorithm such as a block cipher to encrypt users' files illegally. If we find the traces of a block cipher algorithm in a certain program in advance, the ransomware will be detected in increased rate. The inclusion of a block cipher can consider the encryption function will be enabled potentially. This paper proposes a way to determine whether a particular program contains a block cipher. We have studied the implementation characteristics of various block ciphers, as well as the AES used by ransomware. Based on those characteristics, we are able to find what kind of block ciphers have been contained in a particular program. The methods proposed in this paper will be able to detect ransomware with high probability by complementing the previous detection methods.

• Proceedings of the Korea Contents Association Conference
• /
• 2017.05a
• /
• pp.91-92
• /
• 2017

발전하는 IoT시대에 컴퓨터의 사용은 현대인들과 밀접한 관계가 되어 있다. 이로 인해, 우리는 다양한 문서들을 직접 종이에 일일이 적는 불편함을 컴퓨터를 통해 편하게 문서화를 할 수 있게 되었다. 그러나 모든 문서가 컴퓨터에 저장이 되어 있다 보니 이를 악용한 바이러스가 바로 랜섬웨어이다. 본 논문에서는 랜섬웨어의 의미와 동작원리에 대해 알아보고, 예방 대책을 제안하고자 한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2017.11a
• /
• pp.254-256
• /
• 2017

본 논문에서는 소셜 네트워크 서비스 중 트위터를 마이닝하여 실시간으로 랜섬웨어 위험도 분석을 하는 시스템을 설계한다. 이를 위해 2017년 5월 12일에 가장 피해가 컸던 워너크라이 랜섬웨어를 중심으로 5월 10일에서 20일 사이의 트윗 데이터를 마이닝하고, 기존 시스템인 구글 트렌드와의 유사성을 비교 실험하여 트윗 데이터의 가치를 확인한다. 마지막으로 제안하는 시스템에 대한 향후 연구주제를 제시한다.