Advertisement

Ransomware Analysis Using Reverse Engineering

  • S. NaveenEmail author
  • T. Gireesh KumarEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1046)

Abstract

Ransomware threat continues to grow over years. The existing defense techniques for detecting malicious malware will never be sufficient because of Malware Persistence Techniques. Packed malware makes analysis harder & also it may sound like a trusted executable for evading modern antivirus. This paper focuses on the analysis part of few ransomware samples using different reverse engineering tools & techniques. There are many automated tools available for performing malware analysis, but reversing it manually helped to write two different patches for Wannacry ransomware. Execution of patched ransomware will not encrypt the user machine. Due to new advanced evading techniques like Anti-Virtual Machine (VM) & Anti-debugging, automated malware analysis tools will be less useful. The Application Programming Interface (API) calls which we used to create patch, were used to create Yara rule for detecting different variants of the same malware as well.

Keywords

Advanced Encryption Standard (AES) Application Programming Interface (API) Cryptors Decompile Disassembly Dynamic analysis Dynamic linked library Malware Message-Digest Algorithm 5 (MD5) Packed executable Packers Ransomware Static analysis Virtual Machine (VM) Yara rule .NET executables 

References

  1. 1.
    Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the Annual Computer Security Applications Conference, ACSAC, Los Angeles, CA (2016)Google Scholar
  2. 2.
    Gazet, A.: Comparative analysis of various ransomware virii. J. Comput. Virol. 6(1), 77–90 (2010)CrossRefGoogle Scholar
  3. 3.
  4. 4.
  5. 5.
  6. 6.
    Noriben github repository. https://github.com/Rurik/Noriben
  7. 7.
    Running scripts from the command line with idascript blog. http://www.hexblog.com/?p=128
  8. 8.
    9 best reverse engineering tools for 2018 blog. https://www.apriorit.com/dev-blog/366-software-reverse-engineering-tools
  9. 9.
    Monnappa, K.A.: Learning Malware Analysis: Explore the Concepts, Tools, and Techniques to Analyze and Investigate Windows Malware (2018)Google Scholar
  10. 10.
    Malware initial assessment tool. https://www.winitor.com/
  11. 11.
    Gregory Paul, T.G., Gireesh Kumar, T.: A framework for dynamic malware analysis based on behavior artifacts. In: Satapathy, S.C., Bhateja, V., Udgata, S.K., Pattnaik, P.K. (eds.) Proceedings of the 5th International Conference on Frontiers in Intelligent Computing: Theory and Applications. AISC, vol. 515, pp. 551–559. Springer, Singapore (2017).  https://doi.org/10.1007/978-981-10-3153-3_55CrossRefGoogle Scholar
  12. 12.
    Ali, P.D., Kumar, T.G.: Malware capturing and detection in dionaea honeypot. In: Power and Advanced Computing Technologies (i-PACT) (2017)Google Scholar
  13. 13.
    Nieuwenhuizen, D.: A behavioural-based approach to ransomware detection. MWR labs whitepaper (2017)Google Scholar
  14. 14.
  15. 15.
    Unpacking cerber ransomware video. https://www.youtube.com/watch?v=g3Cf3cfBxKM
  16. 16.
    Stack solver tool github repository. https://github.com/fireeye/flare-floss

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. 1.TIFAC-CORE in Cyber Security, Amrita School of Engineering, Coimbatore, Amrita Vishwa VidyapeethamCoimbatoreIndia

Personalised recommendations