Ransomware Analysis and Defense-WannaCry and the Win32 environment

Year 2017, Volume: 6 Issue: 4, 57 - 69, 01.12.2017

Justin Jones

Abstract

Ransomware is a specific type of malware that threatens the victim’s access to her data unless a ransom is paid. Itis also known as a cryptovirus due to its method of operation. Typically, ransomware encrypts the contents of the victim’s hard drive thereby rendering it inaccessible to the victim. Upon payment of the ransom, the decryption key is released to the victim.This is therefore also called cryptoviral extortion. The ransomware itslef is delivered to the victim using several channels. The mostcommon channel of delivery is by masquerading the malware as a trojan horse via an email attachment. In this paper, we study ahigh-profile example of a ransomware called the WannaCry worm. This ransomware is particularly malicious since it had the ability to traverse computing equipment on a network without any human intervention. To better understand the inner workings of thishigh-profile ransomware, we obtain a sample of WannaCry and dissect it completely using advanced static and dynamic malwareanalysis techniques. This effort, we hope, will shed light on the inner workings of the malware and will enable cyber security expertsto better thwart similar attacks in the future. Our analysis is conducted in a Win32 environment and we present our detailed analysisso as to enable reproduction of our work by other malware analysts. Lastly, we present a protoype software that will enable a userto prevent this malware from unleashing its payload and protect the user on a Win32 environment.

Keywords

Ransomware, cryptovirus, extortion, static and dynamic analysis, malware analysis, cyber security

References

• [1] Chen, Q. and Bridges, R. A. (2017). Automated behavioral analysis of malware a case study of wannacry ransomware. arXiv preprint arXiv:1709.08753.
• [2] Filiol, E. and Raynal, F. (2008). Malicious cryp- ´ tography... reloaded. In CanSecWest Conference, Vancouver, Canada.[online] http://cansecwest. com/csw08/csw08-raynal. pdf.
• [3] Kumar, S. M. and Kumar, M. R. (2013). Cryptoviral extortion: A virus based approach. International Journal of Computer Trends and Technology (IJCTT), 4(5):1149–1153.
• [4] McCormack, M. (1996). Europe hit by cryptoviral extortion. Computer Fraud & Security, 6(1996):3.
• [5] Pascariu, C., BARBU, I.-D., and Bacivarov, I. C. (2017). Investigative analysis and technical overview of ransomware based attacks. case study: Wannacry. Int’l J. Info. Sec. & Cybercrime, 6:57.
• [6] Salvi, M. H. U. and Kerkar, M. R. V. (2016). Ransomware: A cyber extortion. Asian Journal of Convergence in Technology, 2(2).
• [7] Young, A. L. (2006). Cryptoviral extortion using microsoft’s crypto api. International Journal of Information Security, 5(2):67–76.
• [8] Young, A. L. and Yung, M. (2017). Cryptovirology: The birth, neglect, and explosion of ransomware. Communications of the ACM, 60(7):24–26.
• [9] Young, A. L. and Yung, M. M. (2005). An implementation of cryptoviral extortion using microsoft’s crypto api.