Early Detection of Ransomware by Indicator Analysis and WinAPI Call Sequence Pattern

  • Conference paper
  • In: Information and Communication Technology for Intelligent Systems

Part of the book series: Smart Innovation, Systems and Technologies ((SIST,volume 107))

Abstract

In the present paper, an analytical study has been done on a specific type of malware, ransomware. Recent events around the globe suggest that ransomware is a growing threat: it encrypts the victim's targeted data and withholds the decryption key until a ransom is paid, generally in cryptocurrency. Its new variants also keep appearing with better and stronger implementations and stay undetected by anti-malware software and intrusion detection systems. The idea for this paper was to develop an early detection system dedicated to ransomware. We took a dynamic malware analysis approach. Behavioral study was done on 300 downloaded ransomware samples, and also by writing our own ransomware and understanding its background working (for the Windows platform) and general modus operandi. Sets of behavioral indicators and the Microsoft Detours library were used to hook Windows API call sequences, understand run-time behavior and filter ransomware out from benign software. The achievement of the present work is an automated framework which can be used to protect a user's system from ransomware.
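As an added illustration of the indicator-plus-call-sequence idea the abstract describes (this is not the paper's code; the indicator set, the encrypt-and-replace pattern, the threshold and the traces are all assumptions made here), a small Python scorer over a constructed hooked-API trace:

```python
from collections import Counter

# Constructed traces of (api, path) as a Detours-style hook logger might emit
# them; they are not captured from real samples. Paths are illustrative.
DOCS = "C:\\Users\\alice\\Documents\\"
RANSOMWARE_TRACE = [("FindFirstFileW", DOCS + "*"), ("CryptGenKey", "")]
for name in ("report.docx", "budget.xlsx", "notes.txt"):
    RANSOMWARE_TRACE += [
        ("ReadFile", DOCS + name),                # read plaintext
        ("CryptEncrypt", ""),                     # encrypt in memory
        ("WriteFile", DOCS + name + ".locked"),   # write ciphertext copy
        ("DeleteFileW", DOCS + name),             # remove the original
        ("FindNextFileW", DOCS + "*"),
    ]
BENIGN_TRACE = [  # a text editor opening one document and saving it
    ("CreateFileW", DOCS + "notes.txt"), ("ReadFile", DOCS + "notes.txt"),
    ("WriteFile", DOCS + "notes.txt"), ("CloseHandle", ""),
]

# Assumed sequence pattern: one per-file encrypt-and-replace cycle.
ENCRYPT_CYCLE = ("ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW")

def count_pattern(trace, pattern):
    """Count occurrences of `pattern` as a contiguous window over the
    API-name sequence (an n-gram match with n = len(pattern))."""
    names = [api for api, _ in trace]
    n = len(pattern)
    return sum(1 for i in range(len(names) - n + 1)
               if tuple(names[i:i + n]) == pattern)

def indicators(trace):
    """Assumed behavioural indicators computed from a trace."""
    calls = Counter(api for api, _ in trace)
    read = {p for api, p in trace if api == "ReadFile"}
    deleted = {p for api, p in trace if api == "DeleteFileW"}
    return {
        "crypto_calls": calls["CryptEncrypt"],
        "originals_replaced": len(read & deleted),  # read, then path deleted
        "encrypt_cycles": count_pattern(trace, ENCRYPT_CYCLE),
    }

def classify(trace, min_cycles=2):
    """Flag when crypto use coincides with repeated encrypt-and-replace cycles.
    A single cycle is tolerated so a legitimate encryption tool handling one
    file is not flagged; the threshold is an assumption, not the paper's."""
    ind = indicators(trace)
    flagged = ind["crypto_calls"] > 0 and ind["encrypt_cycles"] >= min_cycles
    return flagged, ind
```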




Corresponding author: Harshit Sharma.


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Sharma, H., Kant, S. (2019). Early Detection of Ransomware by Indicator Analysis and WinAPI Call Sequence Pattern. In: Satapathy, S., Joshi, A. (eds) Information and Communication Technology for Intelligent Systems. Smart Innovation, Systems and Technologies, vol 107. Springer, Singapore. https://doi.org/10.1007/978-981-13-1747-7_20
