Abstract
Ransomware is a particularly predatory form of cybercrime which feeds on a person's sentimental attachment to personal data such as family photos, videos and sometimes a lifetime's collection of data. In general, a banking Trojan causes a temporary monetary loss; ransomware, however, has the potential to cause irreversible, catastrophic loss of data for the victim. Ransomware has grown exponentially since 2015, and it is this staggering growth that poses a problem for future detection. Signature-based detection alone cannot cope with the number of signatures that will continue to be created, and distributing signature databases becomes a greater task as they grow. Anomaly-based detection is another option to consider, as it looks at behaviour traits rather than signatures alone. However, many traits found in malware are just as easily found in legitimate software, which opens the possibility of false positives and, in turn, a lack of confidence from the user. This chapter proposes an approach that uses a hybrid detection system combining signature-based detection and anomaly-based detection. Analysis was carried out on the crypto-worm variant known as zCrypt, with the goal of analysing its attack vectors in order to counter them effectively. The main aim of this work is to maximise detection rates, minimise false positives, and protect the best defence against ransomware: online backups.
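The hybrid idea in the abstract, as an added illustration that is not the chapter's own detector: a conclusive signature check (hash lookup) sits in front of a behavioural score, and the behavioural side only raises an alert when several traits coincide, because each trait on its own (many file writes, high-entropy output, extension changes) is also produced by legitimate editors, archivers and backup agents. Every hash, threshold, file name and event stream below is constructed for the example.

```python
"""Hybrid ransomware triage: a signature check plus behavioural scoring over
per-process file-system events. Illustrative only; all samples, hashes and
thresholds below are constructed for the example, not the chapter's values."""
import hashlib
import math
import os
import random
from collections import Counter

# Constructed signature database: SHA-256 digests of known-bad samples.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}

# Behavioural thresholds (constructed for the example).
MASS_WRITE_COUNT = 20       # files written by one process in the window
HIGH_ENTROPY_BITS = 7.0     # bits/byte; ciphertext and archives sit near 8
HIGH_ENTROPY_RATIO = 0.8    # share of writes that look encrypted
EXT_CHANGE_COUNT = 20       # renames that change the file extension
FLAG_SCORE = 2              # traits needed before acting on behaviour alone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_match(sample: bytes) -> bool:
    """Signature side: exact hash lookup against the known-bad set."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def behaviour_traits(events):
    """Anomaly side: list the suspicious traits seen in one process's events.
    Event shapes: {"op": "write", "path": str, "data": bytes}
                  {"op": "rename", "path": str, "new_path": str}"""
    writes = [e for e in events if e["op"] == "write"]
    renames = [e for e in events if e["op"] == "rename"]
    traits = []
    if len(writes) >= MASS_WRITE_COUNT:
        traits.append("mass_writes")
    if writes:
        encrypted_looking = sum(shannon_entropy(e["data"]) > HIGH_ENTROPY_BITS for e in writes)
        if encrypted_looking / len(writes) >= HIGH_ENTROPY_RATIO:
            traits.append("high_entropy_writes")
    ext_changes = sum(
        os.path.splitext(e["path"])[1] != os.path.splitext(e["new_path"])[1] for e in renames
    )
    if ext_changes >= EXT_CHANGE_COUNT:
        traits.append("extension_changes")
    return traits


def classify(sample: bytes, events):
    """Hybrid verdict: a signature hit is conclusive; otherwise several
    behavioural traits must coincide, since any single one is also common
    in legitimate software and would generate false positives."""
    if signature_match(sample):
        return {"verdict": "malicious", "basis": "signature", "traits": []}
    traits = behaviour_traits(events)
    if len(traits) >= FLAG_SCORE:
        return {"verdict": "suspicious", "basis": "behaviour", "traits": traits}
    return {"verdict": "benign", "basis": "none", "traits": traits}


# ---- constructed event streams for three kinds of process -----------------
_rng = random.Random(2020)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


def editor_events():
    """Text editor saving many documents: mass writes, but plaintext content."""
    return [{"op": "write", "path": f"doc{i}.txt", "data": b"meeting notes " * 64} for i in range(30)]


def archiver_events():
    """Backup/archive tool: a few high-entropy outputs, originals untouched."""
    return [{"op": "write", "path": f"backup{i}.zip", "data": _random_bytes(1024)} for i in range(3)]


def encryptor_events():
    """Crypto-ransomware-like: every document rewritten as ciphertext and renamed."""
    events = []
    for i in range(30):
        events.append({"op": "write", "path": f"doc{i}.docx", "data": _random_bytes(1024)})
        events.append({"op": "rename", "path": f"doc{i}.docx", "new_path": f"doc{i}.docx.locked"})
    return events


if __name__ == "__main__":
    for name, sample, events in [
        ("editor", b"constructed benign binary", editor_events()),
        ("archiver", b"another constructed benign binary", archiver_events()),
        ("unknown", b"constructed unseen binary", encryptor_events()),
        ("known", b"constructed known-bad sample", []),
    ]:
        print(name, classify(sample, events))
```

The editor trips only the mass-write trait and the archiver only the entropy trait, so both stay benign; the encryptor-like process shows all three traits together and is flagged even though its hash is unknown, while the known sample is caught by the signature check before any behaviour is examined. In a real deployment the verdict would feed the response that matters most for the abstract's final point, pausing the process and the backup synchronisation before encrypted copies overwrite the online backup.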
© 2020 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this chapter
Boyton, C., Le-Khac, NA., Choo, KK.R., Jurcut, A. (2020). Forensic Investigation of Ransomware Activities—Part 2. In: Le-Khac, NA., Choo, KK. (eds) Cyber and Digital Forensic Investigations. Studies in Big Data, vol 74. Springer, Cham. https://doi.org/10.1007/978-3-030-47131-6_5
DOI: https://doi.org/10.1007/978-3-030-47131-6_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-47130-9
Online ISBN: 978-3-030-47131-6
eBook Packages: Intelligent Technologies and Robotics; Intelligent Technologies and Robotics (R0)