Title/Summary/Keyword: Ransomware

Trends in Mobile Ransomware and Incident Response from a Digital Forensics Perspective

  • Min-Hyuck, Ko;Pyo-Gil, Hong;Dohyun, Kim
    • Journal of information and communication convergence engineering / v.20 no.4 / pp.280-287 / 2022
  • Recently, the number of mobile ransomware types has increased. Moreover, the number of cases of damage caused by mobile ransomware is increasing. Representative damage cases include encrypting files on the victim's smart device or making them unusable, causing financial losses to the victim. This study classifies ransomware apps by analyzing several representative ransomware apps to identify trends in the malicious behavior of ransomware. We present a technique for recovering from the damage, from a digital forensic perspective, using reverse engineering ransomware apps to analyze vulnerabilities in malicious functions applied with various cryptographic technologies. Our study found that ransomware applications are largely divided into three types: locker, crypto, and hybrid. In addition, we presented a method for recovering the damage caused by each type of ransomware app using an actual case. This study is expected to help minimize the damage caused by ransomware apps and respond to new ransomware apps.

Research on Minimizing the Damage from Ransomware Attack by Case Study (사례로 살펴본 렌섬웨어 공격에 의한 피해를 최소화하는 연구 고찰)

  • Choi, Heesik;Cho, Yanghyun
    • Journal of Korea Society of Digital Industry and Information Management / v.13 no.1 / pp.103-111 / 2017
  • Recently, new variants of Ransomware are becoming a new security issue. Ransomware continues to evolve to evade network security solutions and extort users' information, demanding Bitcoin using social engineering techniques. Ransomware is damaging to users not only in Korea but also all around the world. This thesis presents research solutions to prevent and cope with damage by new variants of Ransomware, by studying the types and damage cases of Ransomware that cause social problems. The Ransomware introduced in this paper was the most talked-about malicious code in 2016, so it will evolve into new and more powerful Ransomware that security officers cannot predict, in order to gain profit. This thesis proposes 4 methods to prevent damage from the new variants of Ransomware and to minimize damage and infection from Ransomware. Most importantly, if a user is infected with Ransomware, it is very hard to recover. Thus, it is important that users understand the basic security rules and make an effort to prevent infection.

An Efficient Decoy File Placement Method for Detecting Ransomware (랜섬웨어 탐지를 위한 효율적인 미끼 파일 배치 방법)

  • Lee, Jinwoo;Kim, Yongmin;Lee, Jeonghwan;Hong, Jiman
    • Smart Media Journal / v.8 no.1 / pp.27-34 / 2019
  • Ransomware is malicious program code that has evolved into various forms of attack. Unlike traditional Ransomware that is spread using email attachments or infected websites, a new type of Ransomware, such as WannaCryptor, may corrupt files simply because the machine is connected to the Internet. Due to global Ransomware damage, many studies have been conducted to detect and defend against Ransomware. However, existing research on Ransomware detection only uses a Ransomware signature database or monitors specific behavior of processes. Additionally, existing Ransomware detection methods hardly detect and defend against new Ransomware that behaves differently from the traditional ones. In this paper, we propose a method to detect Ransomware by arranging decoy files and analyzing how Ransomware accesses and operates on files in the file system. We also conduct experiments using the proposed method and provide the results of detection and defense against Ransomware in this paper.

How to Detect and Block Ransomware with File Extension Management in MacOS (MacOS에서 파일확장자 관리를 통한 랜섬웨어 탐지 및 차단 방법)

  • Youn, Jung-moo;Ryu, Jae-cheol
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.2 / pp.251-258 / 2017
  • Most malware, including Ransomware, is built for the Windows operating system. This is because it is more harmful to target an operating system with a high market share. But in recent years, MacOS's operating system share has steadily increased. As more and more people use it, the amount of malicious code running on the MacOS operating system is increasing. Ransomware has been known in Korea since 2015, and damage cases are gradually increasing. MacOS is no longer free from Ransomware, as Ransomware for MacOS was discovered in March 2016. In order to cope with future Ransomware, this paper uses the file extensions modified by Ransomware to detect Ransomware. We have studied how to detect and block Ransomware processes by distinguishing between extensions changed by the user and extensions changed by the Ransomware process.

Automated Analysis Approach for the Detection of High Survivable Ransomware

  • Ahmed, Yahye Abukar;Kocer, Baris;Al-rimy, Bander Ali Saleh
    • KSII Transactions on Internet and Information Systems (TIIS) / v.14 no.5 / pp.2236-2257 / 2020
  • Ransomware is malicious software that encrypts the user's files and data and holds them to ransom. Such attacks have become one of the most serious threats to cyberspace. The evasion techniques that ransomware employs, such as obfuscation and/or packing, make it difficult to analyze such programs statically. Although many ransomware detection studies have been conducted, they are limited to a small portion of the attack's characteristics. To this end, this paper proposes a framework for the behavior-based dynamic analysis of high survivable ransomware (HSR) with integrated valuable feature sets. Term Frequency-Inverse Document Frequency (TF-IDF) was employed to select the most useful features from the analyzed samples. A Support Vector Machine (SVM) and an Artificial Neural Network (ANN) were utilized to develop and implement a machine learning-based detection model able to recognize certain behavioral traits of high survivable ransomware attacks. Experimental evaluation indicates that the proposed framework achieved an area under the ROC curve of 0.987 and a false positive rate of 0.007. The experimental results indicate that the proposed framework can accurately detect high survivable ransomware at an early stage.

Modeling of Ransomware using Colored Petri Net (칼라 페트리 네트를 이용한 랜섬웨어의 모델링)

  • Lee, Yo-Seob
    • The Journal of the Korea institute of electronic communication sciences / v.13 no.2 / pp.449-456 / 2018
  • The advent of cryptography has become a means for hackers to obtain real monetary benefits, which has recently led to a surge in the number of Ransomware samples, and the associated damage has increased significantly. It is expected that malicious code will expand into new areas by meeting passwords, and Ransomware will increase further in the future. To solve these problems, we need a model that can detect and block Ransomware intrusions by analyzing the intrusion path of Ransomware. In this paper, we collect and analyze Ransomware data, and create and analyze a Colored Petri net model of Ransomware.

Graph Database Design and Implementation for Ransomware Detection (랜섬웨어 탐지를 위한 그래프 데이터베이스 설계 및 구현)

  • Choi, Do-Hyeon
    • Journal of Convergence for Information Technology / v.11 no.6 / pp.24-32 / 2021
  • Recently, ransomware has been spread through various channels such as e-mail, phishing, and device hacking, and the extent of the damage is increasing rapidly. However, existing known-malware (static/dynamic) analysis engines have great difficulty detecting/blocking novel ransomware that has evolved like Advanced Persistent Threat (APT) attacks. This work proposes a method for modeling ransomware malicious behavior based on graph databases and detecting novel multi-complex malicious behavior of ransomware. Our studies confirm that pattern detection of ransomware is possible in novel graph database environments that differ from existing relational databases. Furthermore, we show that the associative analysis technique of graph theory is significantly more efficient for ransomware analysis performance.

Ransomware attack analysis and countermeasures of defensive aspects (랜섬웨어 공격분석 및 방어적 측면의 대응방안)

  • Hong, Sunghyuck;Yu, Jin-a
    • Journal of Convergence for Information Technology / v.8 no.1 / pp.139-145 / 2018
  • Ransomware is a kind of malware. Computers infected with Ransomware have limited system access. It is a malicious program that requires the victim to pay money to the malicious code's maker in order to release the system. Since the largest Ransomware attack ever, on May 12, 2017, concerns about the Internet security environment have been growing. The types of Ransomware and countermeasures to prevent cyber terrorism are discussed. Ransomware, which is highly infectious and has been constantly attacking in recent years, typically takes the form of Locky, Petya, Cerber, SamSam, and Jigsaw. As of now, Ransomware defense is not 100% free of risk. However, Ransomware can be countered through automatic updates, installation of vaccines, and periodic backups. There is a need to find a multi-layered approach to minimize the risk of it reaching the network and the system. This paper describes how corporate and individual users can prevent Ransomware.

A study on the improvement ransomware detection performance using combine sampling methods (혼합샘플링 기법을 사용한 랜섬웨어탐지 성능향상에 관한 연구)

  • Kim Soo Chul;Lee Hyung Dong;Byun Kyung Keun;Shin Yong Tae
    • Convergence Security Journal / v.23 no.1 / pp.69-77 / 2023
  • Recently, ransomware damage has been increasing rapidly around the world, including the Irish health authorities and U.S. oil pipelines, and is causing damage to all sectors of society. In particular, research using machine learning, in addition to existing detection methods, is increasing for ransomware detection and response. However, traditional machine learning has the problem that it is difficult to extract accurate predictions because the model tends to predict in the direction where there is a lot of data. Accordingly, for an imbalanced class consisting of a large number of non-Ransomware samples (normal code or malware) and a small number of Ransomware samples, a technique for resolving the imbalance and improving ransomware detection performance is proposed. In this experiment, we use two scenarios (Binary, Multi Classification) to confirm that the sampling technique improves the detection performance of the minority classes while maintaining the detection performance of the majority classes. In particular, the proposed mixed sampling technique (SMOTE+ENN) resulted in a performance (G-mean, F1-score) improvement of more than 10%.

Study on Cryptographic Analysis of Erebus Ransomware (Erebus 랜섬웨어에 대한 암호학적 분석 연구)

  • Kim, Soram;Kim, Jihun;Park, Myungseo;Kim, Daeun;Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.2 / pp.339-346 / 2018
  • Ransomware is a malicious program that demands money by encrypting data. The damage from ransomware is increasing worldwide, and targeted attacks on corporations, public institutions and hospitals are increasing. As a ransomware is serviced and distributed, its variants usually emerge. Therefore, the accurate analysis of a ransomware can be a decryption solution not only for that ransomware but also for its variants. In this paper, we analyze the cryptographic elements and encryption process of Erebus, found in June 2017, and investigate its cryptographic vulnerabilities and perform memory analysis.