
Forensic Investigation of Ransomware Activities—Part 2


Part of the book series: Studies in Big Data (SBD, volume 74)

Abstract

Ransomware is a particularly predatory form of cybercrime: it feeds on the sentimental value a person attaches to personal data such as family photos, videos and sometimes a lifetime's collection of files. A banking Trojan generally causes a temporary monetary loss; ransomware, however, can cause irreversible, catastrophic loss of the victim's data. Ransomware has grown exponentially since 2015, and this staggering growth is what makes future detection difficult. Signature-based detection alone cannot cope with the number of signatures that will continue to be created, and distributing the signature databases becomes a greater task as they grow. Anomaly-based detection is another option to consider, as it looks at behavioural traits rather than signatures alone. However, many traits found in malware are just as easily found in legitimate software, which opens the door to false positives and, in turn, to a lack of confidence from the user. This chapter proposes a hybrid detection system that combines signature-based and anomaly-based detection. Analysis was carried out on the crypto-worm variant known as zCrypt, with the goal of analysing its attack vectors in order to counter them effectively. The main aim of this work is to maximise detection rates, minimise false positives, and protect the best defence against ransomware: online backups.
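The abstract's hybrid design, a signature check backed by behavioural scoring so that legitimate tools sharing some traits with ransomware do not trip a hard block, is sketched below as an added Python example. It is not code from the chapter or its authors; the hash sets, the event format, the three traits (high-entropy writes, many directories touched, extension rewriting), the weights and the threshold are all constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

# Signature side. Both hashes are constructed here from placeholder bytes;
# a real deployment would load them from a signature feed and an allowlist.
KNOWN_BAD = {hashlib.sha256(b"constructed-ransomware-sample").hexdigest()}
KNOWN_GOOD = {hashlib.sha256(b"constructed-backup-tool").hexdigest()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def anomaly_score(events) -> int:
    """Score one process's file activity on three behavioural traits.

    Hypothetical event format: {"op": "write", "path": ..., "data": bytes}
    or {"op": "rename", "path": ..., "new_path": ...}.
    """
    high_entropy_writes = 0
    extension_changes = 0
    touched_dirs = set()
    for ev in events:
        if ev["op"] == "write":
            touched_dirs.add(ev["path"].rsplit("/", 1)[0])
            if shannon_entropy(ev["data"]) > 7.0:
                high_entropy_writes += 1
        elif ev["op"] == "rename":
            old_ext = ev["path"].rsplit(".", 1)[-1]
            new_ext = ev["new_path"].rsplit(".", 1)[-1]
            if old_ext != new_ext:
                extension_changes += 1
    score = 0
    # Illustrative weights: extension rewriting counts double because backup
    # and compression tools rarely do it, while they routinely produce
    # high-entropy output across many directories.
    if high_entropy_writes >= 3:
        score += 1
    if len(touched_dirs) >= 3:
        score += 1
    if extension_changes >= 3:
        score += 2
    return score


def classify(image_hash: str, events, threshold: int = 3) -> dict:
    """Hybrid verdict: signatures decide first, behaviour only for unknown binaries."""
    if image_hash in KNOWN_BAD:
        return {"verdict": "block", "reason": "signature match", "protect_backups": True}
    if image_hash in KNOWN_GOOD:
        return {"verdict": "allow", "reason": "allowlisted binary", "protect_backups": False}
    score = anomaly_score(events)
    if score >= threshold:
        # protect_backups=True means: pause online backup sync so encrypted
        # files do not overwrite the last good copies.
        return {"verdict": "block", "reason": f"anomaly score {score}", "protect_backups": True}
    if score > 0:
        return {"verdict": "monitor", "reason": f"anomaly score {score}", "protect_backups": False}
    return {"verdict": "allow", "reason": "no suspicious traits", "protect_backups": False}


# Constructed sample activity. HIGH is 1024 bytes with a flat histogram (8.0 bits/byte).
HIGH = bytes(range(256)) * 4
HOME = "/home/user"
RANSOM_EVENTS = [
    {"op": "write", "path": f"{HOME}/Documents/a.docx", "data": HIGH},
    {"op": "write", "path": f"{HOME}/Pictures/b.jpg", "data": HIGH},
    {"op": "write", "path": f"{HOME}/Videos/c.mp4", "data": HIGH},
    {"op": "rename", "path": f"{HOME}/Documents/a.docx", "new_path": f"{HOME}/Documents/a.docx.locked"},
    {"op": "rename", "path": f"{HOME}/Pictures/b.jpg", "new_path": f"{HOME}/Pictures/b.jpg.locked"},
    {"op": "rename", "path": f"{HOME}/Videos/c.mp4", "new_path": f"{HOME}/Videos/c.mp4.locked"},
]
# A backup tool writing compressed archives shows two of the three traits.
BACKUP_EVENTS = [
    {"op": "write", "path": f"{HOME}/Documents/Documents.zip", "data": HIGH},
    {"op": "write", "path": f"{HOME}/Pictures/Pictures.zip", "data": HIGH},
    {"op": "write", "path": f"{HOME}/Videos/Videos.zip", "data": HIGH},
]
UNKNOWN_HASH = hashlib.sha256(b"constructed-unknown-binary").hexdigest()

if __name__ == "__main__":
    cases = [
        ("known bad, no events", next(iter(KNOWN_BAD)), []),
        ("unknown, ransomware-like", UNKNOWN_HASH, RANSOM_EVENTS),
        ("unknown, backup-like", UNKNOWN_HASH, BACKUP_EVENTS),
        ("allowlisted backup tool", next(iter(KNOWN_GOOD)), BACKUP_EVENTS),
    ]
    for label, h, ev in cases:
        print(f"{label:26} -> {classify(h, ev)}")
```

Run stand-alone, the four cases show the point of the hybrid: the unknown backup-like process scores 2 (high-entropy writes across three directories) and is only monitored, the same process once allowlisted is not scored at all, and only the combination with mass extension rewriting pushes an unknown binary over the threshold and triggers the backup-protection response.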



Correspondence to Christopher Boyton.


Copyright information

© 2020 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this chapter

Boyton, C., Le-Khac, NA., Choo, KK.R., Jurcut, A. (2020). Forensic Investigation of Ransomware Activities—Part 2. In: Le-Khac, NA., Choo, KK. (eds) Cyber and Digital Forensic Investigations. Studies in Big Data, vol 74. Springer, Cham. https://doi.org/10.1007/978-3-030-47131-6_5
