• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.357-367
• /
• 2018

As information technology of modern society develops, various malicious codes with the purpose of seizing or destroying important system information are developing together. Among them, ransomware is a typical malicious code that prevents access to user's resources. Although researches on detecting ransomware performing encryption have been conducted a lot in recent years, no additional methods have been proposed to recover damaged files after an attack. Also, because the similarity comparison technique was used without considering the repeated encryption, it is highly likely to be recognized as a normal behavior. Therefore, this paper implements a filter driver to control the file system and performs a similarity comparison method that is verified based on the analysis of the encryption pattern of the ransomware. We propose a system to detect the malicious process of the accessed process and recover the damaged file based on the cloud storage.

• Journal of Software Assessment and Valuation
• /
• v.15 no.2
• /
• pp.43-50
• /
• 2019

With the development of IT technology, computer-related crimes are rapidly increasing, and in recent years, the damage to ransomware infections is increasing rapidly at home and abroad. Conventional security solutions are not sufficient to prevent ransomware infections, and to prevent threats such as malware and ransomware that are evolving, a combination of deep learning technologies is needed to detect abnormal behavior and abnormal symptoms. In this paper, a method is proposed to detect user abnormal behavior using CNN-LSTM model and various deep learning models. Among the proposed models, CNN-LSTM model detects user abnormal behavior with 99% accuracy.

• International journal of advanced smart convergence
• /
• v.8 no.4
• /
• pp.47-57
• /
• 2019

We examine the weaknesses of the existing OOXML-based MS-Word file structure, and analyze how data concealment and forgery are performed in MS-Word digital documents. In case of forgery by including hidden information in MS-Word digital document, there is no difference in opening the file with the MS-Word Processor. However, the computer system may be malfunctioned by malware or shell code hidden in the digital document. If a malicious image file or ZIP file is hidden in the document by using the structural vulnerability of the MS-Word document, it may be infected by ransomware that encrypts the entire file on the disk even if the MS-Word file is normally executed. Therefore, it is necessary to analyze forgery and alteration of digital document through internal structure analysis of MS-Word file. In this paper, we designed and implemented a mechanism to detect this efficiently and automatic detection software, and presented a method to proactively respond to attacks such as ransomware exploiting MS-Word security vulnerabilities.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2017.05a
• /
• pp.425-426
• /
• 2017

Ransomware has caused a lot of damage by attacking disks of government agencies, financial institutions and corporations. This has been exploited for monetary damages and Taking personal information. In this paper, we describe the NTFS. Also describe Petya as the example of Ransomware. We used forensic techniques to analyze post-infection status and describes the method for MBR area recovery.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.389-396
• /
• 2020

WannaCryptor is a type of ransomware which encrypts users' personal data or files and demands ransom payment in order to regain access. But it peculiarly spreads by itself like a Internet worm using Windows vulnerabilities of shared folder. In this paper, we analyzed and estimated the spread of WannaCryptor focusing on the wormable spread features different from the existed ransomware. Thus we observed its behaviors in virtual environments, and experimented the various spreads of WannaCryptor based on our prediction modeling.

• International journal of advanced smart convergence
• /
• v.12 no.1
• /
• pp.149-156
• /
• 2023

OOXML-based MS-Office digital files are extensively utilized by businesses and organizations worldwide. However, OOXML-based MS-Office digital files are vulnerable to forgery and corruption attack by including hidden suspicious information, which can lead to activating malware or shell code being hidden in the file. Such malicious code can cause a computer system to malfunction or become infected with ransomware. To prevent such attacks, it is necessary to analyze and detect the corruption of OOXML-based MS-Office files. In this paper, we examine the weaknesses of the existing OOXML-based MS-Office file structure and analyzes how concealment and forgery are performed on MS-Office digital files. As a result, we propose a system to detect hidden data effectively and proactively respond to ransomware attacks exploiting MS-Office security vulnerabilities. Proposed system is designed to provide reliable and efficient detection of hidden data in OOXML-based MS-Office files, which can help organizations protect against potential security threats.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.873-883
• /
• 2017

As Ransomware spreads, the target of the attack shifted from a single personal to organizations which lead attackers to be more intelligent and systematic. Thus, Ransomware's threats to domestic infrastructure, including the financial industry, have grown to a level that cannot be ignored. As a measure against these security issues, organizations use ISMS, which is an information protection management system. However, it is difficult for management to make decisions on the loss done by the security issues since amount of the damage done can not be calculated with just ISMS. In this paper, through FAIR-based loss measurement model based on scenario's to identify the extent of damage and calculate the reasonable damages which has been considered to be the problem of the ISMS, we identified losses and risks of Ransomeware on the financial industry and method to reduce the loss by applying the current ISMS and ISO 27001 control items rather than modifying the ISMS.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.3
• /
• pp.645-653
• /
• 2016

Ransomware was first created in 1999, but its existence become widely known in Korean by 2015. As information and communication technology have developed, the storage capacity of computer has enlarged, it accordingly is getting more important to effectively manage these information, rather than the information itself. In such situation, the ransomware break into other people's computer and encrypt an files without a user's permission. So, it adversely affect the user. In this paper, we monitor an access of a specific process to the file. And on the basis of this monitoring information, we detect whether the abnormal approach happened. Through the detection result, we block the permission about access to the file for a specific process. Using this method, we propose a blocking technique for the ransomeware's abnormal approach and encryption to the files.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.3
• /
• pp.521-530
• /
• 2017

In this paper, we propose a protection solution against intelligent Ransomware attacks by encrypting not only source files but also backup files of external storage. The system is designed to automatically back up to the cloud server at the time of file creation to perform monitoring and blocking in case a specific process affects the original file. When client creates or saves a file, both process identifiers, parent process identifiers, and executable file hash values are compared and protected by the whitelist. The file format that is changed by another process is monitored and blocked to prevent from suspicious behavior. By applying the system proposed in this paper, it is possible to protect against damage caused by the modification or deletion of files by Ransomware.

• Convergence Security Journal
• /
• v.23 no.1
• /
• pp.117-123
• /
• 2023

To detect advanced ransomware attacks with machine learning-based models, the classification model must train learning data with high-dimensional feature space. And in this case, a 'curse of dimension' phenomenon is likely to occur. Therefore, dimensionality reduction of features must be preceded in order to increase the accuracy of the learning model and improve the execution speed while avoiding the 'curse of dimension' phenomenon. In this paper, we conducted classification of ransomware by applying three machine learning models and two feature extraction techniques to two datasets with extremely different dimensions of feature space. As a result of the experiment, the feature dimensionality reduction techniques did not significantly affect the performance improvement in binary classification, and it was the same even when the dimension of featurespace was small in multi-class clasification. However, when the dataset had high-dimensional feature space, LDA(Linear Discriminant Analysis) showed quite excellent performance.