Analysis and Detection of Ransomware

Nambivelu, S. (2015). Analysis and Detection of Ransomware (MSc ASDF Dissertation). Edinburgh Napier University (Buchanan, B., Macfarlane, R.).



Ransomware are one of the sophisticated threats of today. They have been growing exponentially affecting individuals, organisations and governments across the globe because of the successful business model and lack of recovery mechanisms. The challenging part of file encryption ransomware is the decryption of encrypted files, particularly dealing with public key cryptography. This has made several security issues to companies of all sizes and government agencies as many have lost valuable documents and business proprietary information.
The current approaches towards ransomware detection and prevention are similar to malware detection. Few previous works on ransomware suggest detecting the cryptographic functions of ransomware programs using machine learning algorithms (Hosfelt, 2015). Contrariwise, another work on machine learning says existing machine learning methods are not effective against threats such as ransomware. One research on ransomware suggested to monitor abnormal kernel level system calls for detection (Kharraz, Robertson, Balzarotti, Bilge, & Kirda, n.d.). However, such methods can be effective in case of rootkits. But, once ransomware encrypts the files the decryption is only possible with private key. Therefore, the solution against ransomware attacks must be proactive, feasible, and should complement existing security solutions. A work on proactive approach to detect current threats using open source tools have shown it is possible to detect advanced malware by monitoring abnormal behaviour on the system and network (Gloster et al., 2014).
Considering the above information this thesis aims to examine the characteristics of recent file encryption ransomware and detect them using open source intrusion detection systems along with providing a holistic view on how encryption ransomware attacks have evolved over last couple of years. A number of recent ransomware samples consisting of CryptoWall, CTBLocker, TeslaCrypt, and CryptoFortress were analysed in an isolated environment through a number of controlled experiments, using both static and dynamic analysis. Throughout the experiment, the different characteristics of ransomware programs were logged, and an attempt was made to detect them using the signature based and anomaly based intrusion detection systems.
The experimental results show that with the use of open source tools it was possible to detect the ransomware infection at early stages. By this way it can also use to prevent the encryption of files. The study also helped to understand most of the ransomware fails to delete the Windows volume shadow copies and the recovery from shadow copy is possible with little effort. The study also shows the use of standard and robust encryption algorithms by ransomware for file encryption and communication with the C&C server. In addition, lot of advanced anti-debugging techniques and obfuscation were observed applied in the ransomware programs to avoid analysis and static detection.
[Read More]


Areas of Expertise

Associated Projects

    Keywords: security