Characteristic Behavioral Analysis of Malware: A Case study of Cryptowall Ransomware

CryptoWall ranks first among Ransomware families in terms of its design, objectives, and the damage it causes. Cybercriminals use CryptoWall in a wide range of operations, from cross-border cyberterrorism to extorting ransom from ordinary Internet users. Despite all the measures taken, no effective protection against CryptoWall has yet been developed. This encourages cybercriminals, and new, updated versions of CryptoWall are released every day, making the problem ever harder to solve. Current research discusses the general characteristics and consequences of CryptoWall. How does CryptoWall work? How are CryptoWall detection and technical analysis carried out? Detailed studies answering these questions will contribute to solving this problem. This study presents a detailed analysis of CryptoWall detection on a real victim's computer that was targeted by a CryptoWall attack. The study is of importance because it addresses how the CryptoWall attack infiltrates the target system, shows the analysis steps for its characteristic actions, and identifies the originating company of the CryptoWall malware.


Introduction
In recent years, the whole world has witnessed a growing number of victims exposed to cyberattacks while opening fake e-mails or visiting unsafe websites [1-6]. This threat is widespread, from commercial enterprises to individual Internet users. This type of malware is known as Ransomware. Today's Ransomware is far more advanced than its early versions [7,8]. Ransomware that infiltrates a target system can cause severe damage and even render the system unusable [9-11]. Ransomware is malware that blocks access to the files on infected information systems by encrypting them and demands a ransom from the victims in return for decryption [9,12,13].
Ransomware has been a severe cyber threat for about twenty-five years [14,15]. Ransomware was first seen in 1989 under the name AIDS Trojan horse [16]. The first modern Ransomware, "Trojan.Gpcoder", was seen in Russia in 2005 [17]. Trojan.Gpcoder, first seen in May 2015, was easily overcome since it used simple encryption. Over time, improved versions of Ransomware were found to use the user's native language, and some versions even contained voice messages in the user's native language [18]. In 2008, a Trojan.Gpcoder variant called GPcode.AK emerged. GPcode.AK was found to use a 1024-bit RSA key and to leave a text file containing instructions in each subdirectory of encrypted files. GPcode.AK demanded a $100 payment to decrypt the victims' encrypted files [17].
Today, cybercriminals have adapted Ransomware for different purposes. Beyond demanding ransom, they have developed Ransomware for cyberterrorism, intimidating political and official authorities through illegal attacks on the computers and databases of government bodies [9,18]. Cybercriminals may send one or several of the user's files back to convince them that they hold the files and will hand over the password [19]. The victim thus sees this as "proof of life" on the cybercriminals' part and pays, believing that the encrypted files will be recovered once the requested money is sent. CryptoWall, whose ransom note announces "!!! All your files were encrypted by CryptoWall !!!", is a Ransomware that encrypts all photos, videos, personal information and business files on the user's computer, network drives, USB drives and Network Attached Storage (NAS) devices [20].
Like typical Ransomware, CryptoWall encrypts only the first 1 MB of each file. CryptoWall uses the AES (Advanced Encryption Standard) algorithm with a 256-bit key, the standard used to encrypt electronic data [21]. AES, adopted by the US government, is the de facto encryption standard internationally. Recently there has been a serious increase in Ransomware attacks; in Europe, CryptoWall attacks in particular are observed [22]. CryptoWall, a highly dangerous type of Ransomware, increases the likelihood that victims pay, making it easier for cybercriminals to obtain the "money" they are really after [19,23].
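The 1 MB partial-encryption pattern described above gives a defender a cheap triage signal: a file whose first megabyte is near-random while the rest still looks like plaintext has been hit by this kind of Ransomware rather than by a whole-file encryptor. The following is an added example, not code from the paper; the entropy thresholds and the constructed sample document are assumptions.

```python
# Added example (not from the paper): flag files whose first 1 MB looks
# encrypted while the remainder still looks like plaintext, the pattern the
# text describes for CryptoWall. Thresholds and sample data are assumptions.
import math
import random
from collections import Counter

HEAD_LEN = 1024 * 1024  # CryptoWall encrypts the first 1 MB of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def partial_encryption_suspect(data: bytes, head_len: int = HEAD_LEN,
                               hi: float = 7.9, lo: float = 6.0) -> bool:
    """True when the head is near-random (>= hi bits/byte) but the tail is
    not (< lo bits/byte), i.e. only the first head_len bytes were encrypted."""
    head, tail = data[:head_len], data[head_len:]
    if not tail:  # whole file fits in the head: no contrast to measure
        return False
    return shannon_entropy(head) >= hi and shannon_entropy(tail) < lo


# Constructed sample: 2 MB of repetitive "document" text, and a copy whose
# first 1 MB is replaced by seeded pseudo-random bytes standing in for AES output.
_rng = random.Random(2015)
PLAIN_DOC = (b"Invoice no. 4711 - amount due 1234.56 TL\n" * 60000)[:2 * HEAD_LEN]
DAMAGED_DOC = _rng.randbytes(HEAD_LEN) + PLAIN_DOC[HEAD_LEN:]

if __name__ == "__main__":
    for name, blob in (("clean", PLAIN_DOC), ("damaged", DAMAGED_DOC)):
        print(name,
              "head=%.2f" % shannon_entropy(blob[:HEAD_LEN]),
              "tail=%.2f" % shannon_entropy(blob[HEAD_LEN:]),
              "suspect=%s" % partial_encryption_suspect(blob))
```

A whole-file encryptor would push both halves to about 8 bits/byte, so the same two measurements also separate the two families.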

How Do Cryptowalls Spread?
CryptoWall is spreading rapidly all over the world by attacking all Internet users. The most common infiltration medium for spreading CryptoWall is phishing e-mail carrying malicious attachments. The message may be localized for the victims, i.e., customized for the country where the victim is located. For instance, e-mails sent to targeted victims in Turkey appear to be overpriced invoices from Turkish telecommunication companies.
The location of a potential victim can be identified from the country domain of the victim's e-mail address or the service provider hosting the domain. If the victim, tricked via social engineering, opens the e-mail attachment, and the system's antivirus program has not detected it, all important files in the system are encrypted. When the encryption process is over, a warning is shown to the victim, indicating that he/she must send money to recover his/her files.

Cryptowall Prevention And Protection
Files encrypted by CryptoWall are regarded as damaged beyond repair. Recommended measures against potential CryptoWall attacks are as follows:
i. The only and best way to make the CryptoWall malware ineffective is to keep regular backups.
ii. The CryptoWall Ransomware often arrives as a file with a .pdf or .exe extension. This relies on the fact that the Windows operating system hides known file extensions by default. Enabling the display of full file extensions on the system makes it easier to spot suspicious files.
iii. If your e-mail program can filter by file extension, filter out e-mails whose attachments have the .exe, .scr, .pif or .js extension, as well as files with two extensions, the last of which is .exe (executable files).
iv. Users should be instructed not to open suspicious e-mail attachments from addresses they do not know and not to click on suspicious links, and their awareness in this regard should be raised.
v. Ransomware can silently infiltrate systems running out-of-date software.
vi. A notable feature of CryptoWall is that it runs its executable from the AppData or Local AppData folder. Execution from these folders can be blocked in the Windows operating system or by using intrusion protection systems.
vii. CryptoWall often targets systems that use the Remote Desktop Protocol (RDP) to connect remotely to Windows systems. Cybercriminals are known to log on to the target system via RDP and disable its security software. Disabling remote access is therefore an effective countermeasure.
e-ISSN: 2148-2683 488
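Measures ii, iii and vi above can be turned into mechanical checks at a mail gateway or an endpoint policy. The following is an added example, not code from the paper: the blocked-extension list is the one given in measure iii, while the folder markers and the sample file names are assumptions (the Windows XP era "Local Settings" marker matches the path of the sample analysed later in this study).

```python
# Added example (not from the paper): checks for measures ii, iii and vi.
# The extension list comes from the text; folder markers and sample names are assumptions.
from pathlib import PureWindowsPath

BLOCKED_EXTS = {".exe", ".scr", ".pif", ".js"}
# Folder names marking AppData / Local AppData: "AppData" on Vista and later,
# "Local Settings" / "Application Data" on Windows XP (assumed markers).
APPDATA_MARKERS = {"appdata", "local settings", "application data"}


def windows_display_name(filename: str) -> str:
    """Name as Explorer shows it with 'hide known extensions' on: only the
    final extension disappears, so 'invoice.pdf.exe' is shown as 'invoice.pdf'."""
    p = PureWindowsPath(filename)
    return p.stem if p.suffix else p.name


def attachment_verdict(filename: str):
    """Measure iii. Returns None when the attachment is allowed, otherwise a
    reason string. Case-insensitive; the double-extension rule is checked first
    so that a disguised executable is reported as such."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if not suffixes:
        return None
    if len(suffixes) >= 2 and suffixes[-1] == ".exe":
        return ("double extension: shown as '%s' but runs as .exe"
                % windows_display_name(filename))
    if suffixes[-1] in BLOCKED_EXTS:
        return "blocked extension " + suffixes[-1]
    return None


def runs_from_appdata(path: str) -> bool:
    """Measure vi: does the executable path sit under AppData / Local AppData?"""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(p in APPDATA_MARKERS for p in parts)


if __name__ == "__main__":
    for name in ("fatura_2015.pdf.exe", "fatura.pdf", "Photo.JPG.SCR", "notes.docx"):
        print("%-22s shown as %-18s -> %s"
              % (name, windows_display_name(name), attachment_verdict(name)))
    sample = r"C:\Documents and Settings\Administrator\Local Settings\Temp\88656522.exe"
    print(runs_from_appdata(sample), runs_from_appdata(r"C:\Program Files\Vendor\app.exe"))
```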

What Can Be Done After A Cryptowall Attack?
If the targeted system runs a Windows operating system with System Restore enabled, encrypted files can be recovered from the "Shadow" files via "Windows Shadow Volume Copies". However, CryptoWall's developers have anticipated this possibility. The new generation of CryptoWall also deletes these shadow copies and so prevents the files from being recovered. CryptoWall starts deleting the shadow files by running as a standard Windows operating system process at boot, and completes the deletion without being noticed by users or system administrators.
Antivirus and antimalware programs can remove the malware from a system that has been exposed to a CryptoWall attack. However, the main problem is regaining access to the encrypted files. Even if the CryptoWall is removed by antivirus and antimalware programs, the files remain encrypted. Therefore, in a system that has been exposed to a CryptoWall attack, recovering the files should be the priority, not removing the CryptoWall Ransomware.
To develop an effective solution against CryptoWall, one should begin with a detailed description of the threat. Looking at related studies, we see that the general features and consequences of CryptoWall are discussed, but there is no empirical study of the methods used to compromise the victim's computer and of the encryption process.
In this study, the detection of the new generation CryptoWall Ransomware and its intrusion and cryptographic behavior were examined in detail by static and dynamic analysis methods. As a result of the investigation, the company that spreads the CryptoWall Ransomware, which has caused many Internet users to suffer, has been identified.

Materials and Methods
As is well known, there is no standard method for malware analysis. However, we first performed static analysis without running the malware. Secondly, we performed dynamic analysis, in which its actions (file and directory operations) were examined by running the malware in a controlled environment. Finally, we performed code analysis and an architectural analysis of the malware.

Experiments And Results
To analyze the victim computer infiltrated by the CryptoWall Ransomware that is the subject of this study, the disk of the victim computer was imaged in accordance with international standards, with write protection enabled on the original disk to ensure data integrity. The copied files were analyzed on a virtual machine (virtual PC) installed on a workstation. Since the CryptoWall Ransomware would immediately attack user data upon execution, we ran it inside a virtual machine on the workstation. Characteristic behavior analysis of the CryptoWall Ransomware was performed with the "AccessData Forensic Toolkit v6.2.1.10" software. Information from the static analysis of the CryptoWall Ransomware is presented in Table 1 and Table 2. In the analysis, conducted in line with international standards for IT practice, the files encrypted by the CryptoWall Ransomware were identified first, and then all documents, IP logs, operating system services and logs were analyzed. In the first examinations, evidence of the CryptoWall Ransomware was found in the "HELP_YOUR_FILES.HTML" file located under the directory "IMAGE.001/Partition1/NONAME[NTFS]/[root]/Documents and Settings/Administrator/Desktop/". According to the analysis performed on the copy, the creation date of the files encrypted by the CryptoWall Ransomware was found to be 30/11/2015 08:04 UTC. The files executed on this date were examined, and the CryptoWall Ransomware executable was found under the directory "IMAGE.001/Partition 1/NONAME [NTFS]/[root]/Documents and Settings/Administrator/Local Settings/Temp/" with the deleted filename "88656522.exe". Technical information about "88656522.exe" is as follows. The MD5 hash value of the malware was queried on the website "www.virustotal.com" to find out which antivirus companies identify the detected malware (Table 4).
The file-directory and registry logs of the malware named 88656522.exe were analyzed on the copy, and the findings are listed below (Table 5).
Since the sample examined was taken from a real cyberattack, the information has been blurred (redacted) for privacy. After recording and analyzing the network accesses of the malware shown in Table 7, it was determined that the malware attempts to contact the domain names "astrxxxxx.ca, becktonescoxxxxx.eu, bloggerrexxxxx.info and chaletlesarmaxxxxx.com", but no IP addresses were found associated with these domain names.
To find out which companies registered the identified domain names, WHOIS queries were performed via the website "http://internet.tib.gov.tr/" and the findings are given below. According to the WHOIS data for the identified domain names, "astrxxxxx.ca and becktonescoxxxxx.eu" were found to be registered through the "www.godxxx.com" website, "bloggerrexxxxx.info" through the "www.publicdomainregistry.com" website, and "chaletlesarmaxxxxx.com" through the "www.exxx.com" website. The suspects can be traced through international legal assistance with the representatives of the websites identified. The contact information of the identified websites was searched for, but the websites were found to hide their contact information; only www.publicdomainregistry.com was found to offer a contact form.
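The pivot used above, from the creation time of the first encrypted files to the executables written shortly before it, can be scripted over a file-system timeline exported by the forensic toolkit. The following is an added example, not code from the paper: the 30/11/2015 08:04 UTC timestamp and the Temp/88656522.exe name are from the analysis, while the other timeline records, the 30-minute window, the extension list and the placeholder sample bytes are constructed assumptions.

```python
# Added example (not from the paper): timestamp pivot over a constructed timeline,
# plus the digests one would submit to a reputation service for the hit.
import hashlib
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
ENCRYPTED_FIRST_SEEN = datetime(2015, 11, 30, 8, 4, tzinfo=UTC)  # from the analysis
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".js", ".dll")           # assumed list
PROFILE = "[root]/Documents and Settings/Administrator/"

# Constructed timeline records as a forensic toolkit would export them:
# (path, creation time in UTC, deleted?). Only the Temp/88656522.exe name is from the paper.
TIMELINE = [
    (PROFILE + "My Documents/budget.xlsx", datetime(2015, 11, 30, 8, 4, tzinfo=UTC), False),
    (PROFILE + "Desktop/HELP_YOUR_FILES.HTML", datetime(2015, 11, 30, 8, 9, tzinfo=UTC), False),
    (PROFILE + "Local Settings/Temp/88656522.exe", datetime(2015, 11, 30, 8, 2, tzinfo=UTC), True),
    (PROFILE + "Local Settings/Temp/~DF1234.tmp", datetime(2015, 11, 30, 8, 3, tzinfo=UTC), True),
    ("[root]/WINDOWS/system32/notepad.exe", datetime(2015, 10, 1, 12, 0, tzinfo=UTC), False),
    ("[root]/Program Files/Vendor/update.exe", datetime(2015, 11, 29, 23, 55, tzinfo=UTC), False),
]


def candidate_droppers(timeline, first_encrypted, window=timedelta(minutes=30)):
    """Executables created within +/- window of the first encrypted file,
    oldest first: the files worth hashing and looking up next. Deleted entries
    are kept, since the sample in this case had already been removed."""
    lo, hi = first_encrypted - window, first_encrypted + window
    hits = [(path, ts, deleted) for path, ts, deleted in timeline
            if path.lower().endswith(EXEC_SUFFIXES) and lo <= ts <= hi]
    return sorted(hits, key=lambda rec: rec[1])


def sample_hashes(data: bytes) -> dict:
    """Digests for a reputation lookup: MD5 as used in the paper, plus SHA-256."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    for path, ts, deleted in candidate_droppers(TIMELINE, ENCRYPTED_FIRST_SEEN):
        print(ts.isoformat(), "DELETED" if deleted else "present", path)
    # Placeholder bytes: the real sample's contents are not reproduced here.
    print(sample_hashes(b"constructed placeholder, not the real 88656522.exe"))
```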
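The network step above, identifying the names the malware tried to reach that never received an address, can be automated over a DNS log from the sandbox. The following is an added example, not code from the paper: the log line format, the process ids, the resolved example queries and the noise line are constructed, and only the four redacted domain names are taken from the analysis.

```python
# Added example (not from the paper): extract "queried but never resolved"
# domains from a DNS log. Log format and all lines except the four redacted
# domain names are constructed.
import re
from collections import Counter

# Constructed log in an assumed "date time pid=N query TYPE NAME -> RESULT" format.
DNS_LOG = """\
2015-11-30 08:04:31 pid=1844 query A astrxxxxx.ca -> NXDOMAIN
2015-11-30 08:04:31 pid=1844 query A becktonescoxxxxx.eu -> SERVFAIL
2015-11-30 08:04:32 pid=1844 query A bloggerrexxxxx.info -> NXDOMAIN
2015-11-30 08:04:32 pid=1844 query A chaletlesarmaxxxxx.com -> NXDOMAIN
2015-11-30 08:04:40 pid=1844 query A astrxxxxx.ca -> NXDOMAIN
2015-11-30 08:05:02 pid=1020 query A update.example.com -> 203.0.113.10
2015-11-30 08:05:03 pid=1020 query A time.example.com -> 203.0.113.11
this line is noise and must be ignored
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) pid=(?P<pid>\d+) query (?P<type>[A-Z]+) "
                     r"(?P<name>[\w.-]+) -> (?P<result>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_dns_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def unresolved_domains(text):
    """Map domain -> (sorted querying pids, query count) for names that never
    received an address anywhere in the log: the contact candidates in this case."""
    answered, attempts, pids = set(), Counter(), {}
    for rec in parse_dns_log(text):
        name = rec["name"].lower()
        attempts[name] += 1
        pids.setdefault(name, set()).add(int(rec["pid"]))
        if IPV4_RE.match(rec["result"]):
            answered.add(name)
    return {n: (sorted(pids[n]), c) for n, c in attempts.items() if n not in answered}


if __name__ == "__main__":
    for name, (procs, count) in sorted(unresolved_domains(DNS_LOG).items()):
        print("%-26s queried %dx by pid(s) %s" % (name, count, procs))
```

The resulting names are the input to the WHOIS step; a name that resolved at least once is excluded even if other attempts failed.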