dptCry: an approach to decrypting ransomware WannaCry based on API hooking

  • Regular Paper
  • Published:
CCF Transactions on Networking

Abstract

The recent outbreak of the ransomware WannaCry caused great harm to network users, and preventing the infection and decrypting the affected files remain a major challenge for security practitioners and researchers. In this paper we first study the detailed encryption and decryption process of WannaCry, and then propose a method called dptCry to decrypt and recover the damaged data. dptCry monitors and tracks all running processes of the operating system, hooks the API calls that perform the key operations, and records the key material with customized hook functions. When a machine is infected by WannaCry, dptCry uses the recorded key material to decrypt the damaged files. Our experimental results show that dptCry effectively protects users from the damage caused by WannaCry, and the approach can also be applied to other ransomware families that use a similar mechanism.
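The abstract describes a three-step mechanism (hook the crypto API, record every key it hands out, trial-decrypt files with the recorded keys after infection). The following is an added example written for this page; it is not dptCry's code and the paper does not state which Windows APIs it hooks. It assumes a process whose import table is a plain function-pointer table (standing in for the IAT that a user-mode API hook patches), a toy XOR keystream cipher in place of the AES file cipher, a fixed seed in place of a real CSP's random source, and a constructed "%PDF" document header used to validate a trial decryption. It also shows the caveat a practitioner cares about: a file encrypted before the hooks were installed cannot be recovered, because its key was never recorded.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN      16
#define MAX_RECORDED 64

/* ---- Stand-in for the crypto API the ransomware imports -------------------- */
/* Deterministic PRNG so the run is reproducible (assumption: a real CSP would
   draw from CryptGenRandom or equivalent). */
static uint32_t g_prng = 0x1234567u;
static uint8_t prng_byte(void) {
    g_prng = g_prng * 1103515245u + 12345u;
    return (uint8_t)(g_prng >> 16);
}

typedef void (*gen_key_fn)(uint8_t key[KEY_LEN]);
typedef void (*crypt_fn)(const uint8_t key[KEY_LEN], uint8_t *buf, size_t n);
typedef void (*destroy_fn)(uint8_t key[KEY_LEN]);

static void api_gen_key(uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = prng_byte();
}

/* Toy XOR keystream cipher standing in for the per-file block cipher. NOT secure;
   it only has the property we need: the same call encrypts and decrypts. */
static void api_crypt(const uint8_t key[KEY_LEN], uint8_t *buf, size_t n) {
    uint32_t s = 0x9e3779b9u;
    for (size_t i = 0; i < KEY_LEN; i++) s = (s ^ key[i]) * 0x01000193u;
    for (size_t i = 0; i < n; i++) {
        s = s * 1664525u + 1013904223u;
        buf[i] ^= (uint8_t)(s >> 24);
    }
}

static void api_destroy_key(uint8_t key[KEY_LEN]) { memset(key, 0, KEY_LEN); }

/* The process's import table for these routines (stands in for the IAT). */
struct crypto_iat { gen_key_fn gen_key; crypt_fn encrypt; destroy_fn destroy; };
static struct crypto_iat g_iat = { api_gen_key, api_crypt, api_destroy_key };

/* ---- Ransomware-like behaviour: fresh key per file, key destroyed after use -- */
static void ransom_encrypt_file(uint8_t *data, size_t n) {
    uint8_t key[KEY_LEN];
    g_iat.gen_key(key);        /* per-file key obtained through the imported API */
    g_iat.encrypt(key, data, n);
    g_iat.destroy(key);        /* key wiped: without a record of it, the file is lost */
}

/* ---- dptCry-style hook: record every key the API hands out ----------------- */
static uint8_t    g_vault[MAX_RECORDED][KEY_LEN];
static size_t     g_vault_len = 0;
static gen_key_fn g_orig_gen_key = NULL;

static void hook_gen_key(uint8_t key[KEY_LEN]) {
    g_orig_gen_key(key);                       /* let the real routine do its work */
    if (g_vault_len < MAX_RECORDED)            /* then copy the key into the vault */
        memcpy(g_vault[g_vault_len++], key, KEY_LEN);
}

void dptcry_install_hooks(void) {
    if (g_orig_gen_key) return;                /* idempotent */
    g_orig_gen_key = g_iat.gen_key;
    g_iat.gen_key  = hook_gen_key;             /* patch the import table entry */
}

/* Trial-decrypt with every recorded key and accept the one whose plaintext starts
   with the expected file header. Returns the vault index used, or -1 if none fits. */
int dptcry_recover(const uint8_t *cipher, size_t n,
                   const uint8_t *magic, size_t magic_len, uint8_t *out) {
    for (size_t k = 0; k < g_vault_len; k++) {
        memcpy(out, cipher, n);
        api_crypt(g_vault[k], out, n);         /* symmetric: same routine decrypts */
        if (n >= magic_len && memcmp(out, magic, magic_len) == 0) return (int)k;
    }
    return -1;
}

/* Scenario: one file hit before dptCry is running, two after. Returns a bitmask of
   passed checks; 15 means all four passed. Sample documents are constructed. */
static const uint8_t MAGIC[4] = { '%', 'P', 'D', 'F' };

int dptcry_demo(void) {
    uint8_t plain[24], early[24], a[24], b[24], out[24];
    memcpy(plain, "%PDF-1.7 constructed!!!!", 24);
    memcpy(early, plain, 24); memcpy(a, plain, 24); memcpy(b, plain, 24);

    ransom_encrypt_file(early, 24);            /* infection before hooks: key unseen */
    dptcry_install_hooks();
    ransom_encrypt_file(a, 24);
    ransom_encrypt_file(b, 24);

    int ok = 0;
    if (memcmp(a, plain, 24) != 0) ok |= 1;    /* the file really was encrypted */
    if (dptcry_recover(a, 24, MAGIC, 4, out) >= 0 && memcmp(out, plain, 24) == 0) ok |= 2;
    if (dptcry_recover(b, 24, MAGIC, 4, out) >= 0 && memcmp(out, plain, 24) == 0) ok |= 4;
    int r = dptcry_recover(early, 24, MAGIC, 4, out);
    if (r < 0 || memcmp(out, plain, 24) != 0) ok |= 8;  /* caveat: not recoverable */
    return ok;
}

int main(void) {
    printf("dptcry_demo checks passed: %d/15\n", dptcry_demo());
    return 0;
}
```

The design point the example isolates is that the hook sits on key generation rather than on the cipher call: recording the key once per file is cheap, and trial decryption against a known header is how the recovery tool matches keys to files without having to hook file I/O as well. On a real Windows host the table being patched would be the IAT or the function prologue of the CryptoAPI routines, and the hooking agent has to be installed before the infection, exactly as the failed recovery of `early` shows.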



Funding

This research was supported by National Key R&D Plan Program of China (Grant 2018YFB1800602, 2017YFB0801703), Ministry of Education-China Mobile Research Fund Project (Grant MCM20180506), the National Natural Science Foundation of China (Grant 61602114), the CERNET Innovation Project (Grant NGIICS20190101, NGII20170406).

Author information


Corresponding author

Correspondence to Guang Cheng.


About this article


Cite this article

Cheng, G., Guo, C. & Tang, Y. dptCry: an approach to decrypting ransomware WannaCry based on API hooking. CCF Trans. Netw. 2, 207–216 (2019). https://doi.org/10.1007/s42045-019-00024-8
