
https://labs.bitdefender.com/2017/09/btcware-decryption-tool-now-available-for-free/
Illustration of (CryptoLocker) Ransomware
• CryptoLocker is a relatively new strain of an existing and highly effective cyber criminal attack tool known as ransomware.
• Ransomware not only steals and exfiltrates information, but also locks the user out from accessing that information (or their entire computer in some cases), extorting money in return for access.
• Users are promised restored access once a monetary ransom is received. This is usually in the form of Bitcoin, a virtually untraceable online currency that holds significant value in the depths of the deep web.

http://www.phirelight.com/cryptolocker-ransomwares-trendy-cousin/
Ransomware Attacks on the Rise
Families shown: TeslaCrypt, WannaCry, SamSam


KARO RANSOMWARE – WHICH PLAYED HIDE N SEEK BEHIND “PETYA” WIPER WAVES!
• In between the waves of the Petya ransomware-wiper, another serious ransomware, the “Karo Ransomware”, was spreading. The initial vector was spam mail carrying a document file.
• The document file is password protected, and the malware is virtualization aware and refuses to run in sandboxes.
• Once it infects a host, Karo encrypts files, marking them with the .ipygh extension, and communicates with its Tor command and control (C&C) server.
https://cysinfo.com/karo-ransomware-played-hide-n-seek-behind-petya-wiper-waves/
Crypto-Locking Kraken Ransomware Looms Larger
Jeremy Kirk (jeremy_kirk) • October 31, 2018

"Kraken's goal is to encourage more cybercriminals to purchase this RaaS and conduct their own attacks, ultimately leading to more money in the developers' pockets," writes Gary Davis, chief consumer security evangelist for McAfee, in a blog post.
Decryption Fee: Up to $7,800
History of Ransomware Attacks

Figure 2: History of Ransomware

https://twitter.com/mikko/status/864110940781936641

Ransomware Families

| Family | Propagation Strategy | Date Appeared | Cryptographic Technique | C and C Server |
|---|---|---|---|---|
| REVENTON | Accused of illegal activities | 2012 | RSA and DES | Using MoneyPak |
| GPCODE | Email attachments | 2013 | 660-bit RSA and AES | Tor Network |
| CRYPTOLOCKER | Compromised websites and email attachments | 2013 | 2014-bit RSA | Tor Network |
| CRYPTOWALL | Compromised websites and email attachments | 2013 | 2014-bit RSA | Tor Network |
| FILECRYPTO | Compromised websites and email attachments | 2013 | 2014-bit RSA | Tor Network |
| TESLACRYPT | Compromised websites and email attachments | 2013 | 2014-bit RSA | Tor Network |
| CTB-LOCKER | Email attachments | 2014 | Elliptic Curve Cryptography | Onion Network |
| CRYPTOMIX | Spear-phishing email | 2014 | 2048-RSA and AES-256 and ROT-13 | P-2-P Network |
| CERBER | Compromised websites and email attachments | 2013 | 2048-bit RSA and RC4 | Hardcoded IP range |
| PETYA | Link in an email purporting to be a job application | 2016 | Elliptic Curve Cryptography and Salsa | Tor Network |
| SATANA | Email attachments | 2016 | 256-bit AES in ECB | Hardcoded IP address |
| JIGSAW | Word document with JavaScript | 2016 | RSA and AES | Onion Network |
| SHADE | Spam email | 2015 | RSA-3072 and AES-256 | Fixed server as C and C server |
| WANNACRY | Samba vulnerability | 2017 | RSA and AES combination | Onion Network |
| SAMSAM | Remote Desktop Protocol (RDP) brute force | 2018 | RSA and AES combination | Tor-Onion Network |
Cryptographic Techniques used in Ransomware

| | Encryption (Confidentiality) | Authentication (Integrity) |
|---|---|---|
| Private Key | Block ciphers (DES, AES-ECB, -CBC, -CTR) | Key-based (CBC-MAC) |
| | Stream ciphers (PRNG and OTP) | Hashing (MD5, SHA) |
| Public Key | Key exchange (RSA, DH) | Digital signature |
Figure: typical crypto-ransomware attack flow, shown as six numbered steps: phishing email; run payload and download code; select different file types for encryption; generate key and encrypt; communicate with C&C; display message on the victim's desktop.
Detection of Ransomware
• File hashes (full or portion)
• Portable Executable (PE) headers/sections/resources
• Byte signatures
• System behavior
• Network signatures
• Static analysis of the PE file at different levels
  • Assembly (e.g. mov, lea, xor, imul etc.)
  • Library (e.g. advapi32, wininet, comctl32 etc.)
  • Function calls (e.g. CryptGenRandom, CryptEncrypt etc.)
• Dynamic analysis
  • Process hierarchy
  • Comparing process execution block and virtual address descriptor structure
Crypto-Ransomware Detection

Figure 5: Detection component

Binary Files
• Windows binary files
• Linux binary files
• Mac OSX binary files

Figure 6: Binary file formats used in different operating systems (Windows format, Mac OSX format, Linux format)

Common Windows Portable Executable (PE) File Extensions

| Extension | Description |
|---|---|
| exe | Executable file |
| dll | Dynamic Link Library |
| sys | System file |
| drv | Kernel driver |
| ocx | ActiveX Control |
| cpl | Control Panel |
| scr | Screensaver |

Binary file execution steps

Figure: Source code file → Compiler → Object code file → Linker (together with libraries) → Binary → Loader → Running program.

Sample Collection
• 440 samples of 15 different families
  • ShieldFS (Andrea Continella et al., 2016)
  • VirusTotal (VirusTotal, 2015)
• 15 different families of normal binaries
  • Similar in size to the ransomware sample set
• Categorization
  • RESTful API: https://www.virustotal.com/vtapi/v2/file/report

https://fossbytes.com/googles-virustotal-can-now-scan-firmware-infection/

Determining Family of Ransomware

Figure: lookup loop. List of hashes → make request → get response → write to a file → finished? (NO: next hash) → FINISH.
• Challenge
  • The API allows only 4 requests per minute
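As an added example (not the deck's own script), here is one way to implement the lookup loop above in Python against the v2 file/report endpoint while pacing requests to the 4-per-minute limit. The fetch, write and sleep callables are injectable so the loop can be exercised offline; the API key, file path and any hashes or reports used with it are assumptions or constructed values.

```python
import json
import time
import urllib.parse
import urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
REQUESTS_PER_MINUTE = 4  # public-API limit noted on the slide

def fetch_report(api_key, file_hash):
    """Query the v2 file/report endpoint for one hash and return its JSON."""
    query = urllib.parse.urlencode({"apikey": api_key, "resource": file_hash})
    with urllib.request.urlopen(f"{VT_REPORT_URL}?{query}") as resp:
        return json.load(resp)

def family_labels(report):
    """Map engine -> detection label; empty if the hash is unknown to VT."""
    if report.get("response_code") != 1:
        return {}
    return {engine: scan.get("result")
            for engine, scan in report.get("scans", {}).items()
            if scan.get("detected")}

def lookup_families(hashes, fetch, write, sleep=time.sleep,
                    per_minute=REQUESTS_PER_MINUTE):
    """Flowchart loop: make request -> get response -> write -> finished?
    `fetch(hash)` and `write(hash, labels)` are injected so the loop can run
    offline; `sleep` is injected so the pacing itself can be checked."""
    interval = 60.0 / per_minute          # 15 s between requests at 4/min
    results = {}
    for i, h in enumerate(hashes):
        if i:                              # pace every request after the first
            sleep(interval)
        labels = family_labels(fetch(h))   # make request / get response
        write(h, labels)                   # write to a file
        results[h] = labels
    return results

def append_jsonl(path):
    """Return a write callback that appends one JSON line per hash."""
    def write(file_hash, labels):
        with open(path, "a") as fh:
            fh.write(json.dumps({"hash": file_hash, "labels": labels}) + "\n")
    return write

if __name__ == "__main__":
    import sys  # usage: script.py <api_key> <hash>...  (hashes from your own list)
    key, hashes = sys.argv[1], sys.argv[2:]
    lookup_families(hashes, lambda h: fetch_report(key, h),
                    append_jsonl("families.jsonl"))
```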
Assembly Level

| Assembly Language | Machine Language |
|---|---|
| mov eax, ebx | 011101011010 |
| xor eax, eax | 10100110 |
| add eax, 0xff | 10010000 |

The assembler + linker (translator) turns the assembly language column into the machine language column.

Analysis Methods
• Frequency Analysis
  $f = \sum_{k=0}^{n} X_k$
• Cosine Similarity Measure
  • A measure of similarity between two non-zero vectors
• Association Rule
  • Relationship between instructions, dynamic link libraries (dlls)
  • Set of frequent instructions, dlls
  • Example: X => Y such that X ∩ Y = ∅
  • [imul, test, and, add, call, lea, adc, or] => [mov]
  • Support and confidence are used to measure the association rule correctness
  $\mathrm{supp}(X) = \frac{|\{t \in T;\ X \subseteq t\}|}{|T|}, \qquad \mathrm{conf}(X \Rightarrow Y) = \frac{\mathrm{supp}(X \cup Y)}{\mathrm{supp}(X)}$
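An added example, not from the deck, that carries the three methods above through in Python on constructed instruction lists: per-mnemonic frequency, cosine similarity of a sample against a summed ransomware signature, and support/confidence of a rule X => Y over the set of samples as transactions.

```python
from collections import Counter
from math import sqrt

# Constructed, not from the page: mnemonics seen in three disassembled
# samples. Each list is one "transaction" t in the transaction set T.
SAMPLES = {
    "ransom_a": ["mov", "mov", "xor", "call", "lea", "imul", "test", "add", "mov"],
    "ransom_b": ["mov", "call", "xor", "lea", "mov", "test", "add"],
    "benign_c": ["push", "pop", "ret", "mov", "cmp", "jmp", "call"],
}
TRANSACTIONS = [set(v) for v in SAMPLES.values()]

def frequency(instructions):
    """Frequency analysis: f = sum_k X_k, i.e. one count per mnemonic."""
    return Counter(instructions)

def cosine_similarity(a, b):
    """Cosine of the angle between two sparse frequency vectors (dicts)."""
    dot = sum(a[k] * b.get(k, 0) for k in a)
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

def support(itemset, transactions):
    """supp(X) = |{t in T : X is a subset of t}| / |T|."""
    itemset = set(itemset)
    return sum(1 for t in transactions if itemset <= t) / len(transactions)

def confidence(x, y, transactions):
    """conf(X => Y) = supp(X u Y) / supp(X), with X and Y disjoint."""
    if set(x) & set(y):
        raise ValueError("X and Y must be disjoint")
    sx = support(x, transactions)
    return support(set(x) | set(y), transactions) / sx if sx else 0.0

def signature_vector(samples, names):
    """Sum the frequency vectors of known-bad samples into one signature."""
    total = Counter()
    for n in names:
        total.update(frequency(samples[n]))
    return total

def is_similar(instructions, signature, threshold=0.8):
    """Flag a sample whose frequency vector is close to the signature."""
    return cosine_similarity(frequency(instructions), signature) >= threshold
```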

Detection Result using cosine similarity

| Evaluation | Result |
|---|---|
| TOTAL SAMPLES | 405 |
| Number of CRYPTO-RANSOMWARE used to calculate | 56 (56/405) |
| FALSE POSITIVE | 50.40% |
| FALSE NEGATIVE | 32.45% |
| NEW SAMPLE DETECTION (35 crypto) | 12% (6/56) |

Association Rules for Library Level with support=0.6

| Association Rules | Confidence |
|---|---|
| [COMCTL32.DLL, SHELL32.DLL, USER32.DLL] => [KERNEL32.DLL] | 1.0 |
| [SHLWAPI.DLL, OLE32.DLL, ADVAPI32.DLL, SHELL32.DLL] => [KERNEL32.DLL] | 1.0 |
| [MPR.DLL, VERSION.DLL] => [ADVAPI32.DLL] | 0.84 |
| [COMCTL32.DLL, SHELL32.DLL, KERNEL32.DLL] => [ADVAPI32.DLL] | 1.0 |
| [SHELL32.DLL, KERNEL32.DLL, USER32.DLL] => [ADVAPI32.DLL] | 0.90 |
| [SHLWAPI.DLL, OLE32.DLL, ADVAPI32.DLL, KERNEL32.DLL, USER32.DLL] => [SHELL32.DLL] | 0.8 |
| [ADVAPI32.DLL, SHELL32.DLL, KERNEL32.DLL] => [USER32.DLL] | 1.0 |
Ransomware Sample: Function Call Level

Function calls in DLLs used in Crypto-Ransomware

| Name of DLL | Functions |
|---|---|
| ADVAPI32 | CryptReleaseContext, CryptAcquireContextA, CryptGenRandom, CryptEncrypt, CryptGetKeyParam, CryptAcquireContextW, CryptDestroyKey, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptGetHashParam, CryptSetKeyParam, CryptImportKey |
| CRYPT32 | CryptQueryObject, CertFreeCertificateContext, CertFindCertificateInStore, CryptMsgGetParam, CryptDecodeObjectEx, CryptImportPublicKeyInfo, CryptBinaryToStringA, CryptStringToBinaryA, CertGetNameStringW, CertCloseStore |
| CRYPTNET | CryptGetObjectUrl |
| CRYPTUI | CryptUIDlgSelectCertificateFromStore |
Experimental Analysis using function calls
• Pattern generation
  • To build the signature from the crypto-ransomware samples using function calls
• Validate pattern using binary files
  • To demonstrate that CRDETECTOR can detect previously unknown crypto-ransomware samples (new 35 crypto-ransomware samples)
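Added example (not CRDETECTOR's code): pattern generation and validation at the function-call level in Python on constructed import tables. The signature keeps only functions from the crypto DLLs in the table above that are imported by at least a given fraction of the known samples, and an unseen binary is flagged by the fraction of that signature it imports; the sample names, thresholds and import tables are assumptions.

```python
from collections import Counter

# Crypto-related DLLs named in the deck's function-call table.
CRYPTO_DLLS = ("ADVAPI32", "CRYPT32", "CRYPTNET", "CRYPTUI")

# Constructed import tables (dll -> imported functions), not real samples.
KNOWN_RANSOMWARE = {
    "sample_1": {"ADVAPI32": {"CryptAcquireContextA", "CryptGenRandom",
                              "CryptEncrypt", "CryptReleaseContext"},
                 "KERNEL32": {"CreateFileW", "WriteFile", "FindFirstFileW"}},
    "sample_2": {"ADVAPI32": {"CryptAcquireContextW", "CryptGenRandom",
                              "CryptEncrypt", "CryptImportKey"},
                 "KERNEL32": {"CreateFileW", "WriteFile"}},
    "sample_3": {"ADVAPI32": {"CryptAcquireContextA", "CryptGenRandom",
                              "CryptEncrypt", "CryptDestroyKey"},
                 "CRYPT32": {"CryptBinaryToStringA"},
                 "KERNEL32": {"WriteFile", "FindFirstFileW"}},
}

def crypto_imports(import_table, dlls=CRYPTO_DLLS):
    """Flatten one binary's import table to a set of 'DLL!Function' names,
    keeping only the crypto DLLs so file-I/O imports do not dilute the signature."""
    return {f"{dll.upper()}!{fn}" for dll, fns in import_table.items()
            if dll.upper() in dlls for fn in fns}

def generate_pattern(samples, min_fraction=0.6):
    """Pattern generation: keep functions imported by at least min_fraction
    of the known crypto-ransomware samples."""
    counts = Counter()
    for table in samples.values():
        counts.update(crypto_imports(table))
    needed = min_fraction * len(samples)
    return {fn for fn, n in counts.items() if n >= needed}

def match_score(import_table, pattern):
    """Validation: fraction of the signature that this binary imports."""
    if not pattern:
        return 0.0
    return len(crypto_imports(import_table) & pattern) / len(pattern)

def is_crypto_ransomware(import_table, pattern, threshold=0.5):
    """Flag a previously unseen binary when it covers enough of the pattern."""
    return match_score(import_table, pattern) >= threshold
```

A single CryptAcquireContext import (common in TLS clients and installers) scores below the threshold here, which is the point of requiring coverage of the pattern rather than any one function.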

Dynamic Analysis
• To capture dynamic run-time behavior
• Process hierarchy: child and parent relationship
• Comparing process execution block (PEB) and virtual address descriptor (VAD) structure

Figure: memory acquisition workflow. Target machine → 1. Acquire RAM data as an image → Memory image file → 2. Parse and analyze the image offline.
https://www.digitaltsunamillc.com/computer-repair/
Detection Result for dynamic analysis

| Evaluation | Result |
|---|---|
| TOTAL SAMPLES | 405 |
| Number of CRYPTO-RANSOMWARE used to calculate | 56 (56/405) |
| FALSE POSITIVE | 43.81% |
| FALSE NEGATIVE | 21.19% |
| NEW SAMPLE DETECTION (35 crypto) | 21.42% (12/56) |

Overall Results

| Evaluation | Result |
|---|---|
| TOTAL SAMPLES | 405 |
| Number of CRYPTO-RANSOMWARE used to calculate | 56 (56/405) |
| FALSE POSITIVE | 7.4% |
| FALSE NEGATIVE | 1.9% |
| NEW SAMPLE DETECTION (35 crypto) | 57.14% (32/56) |

High Level Approaches for Security Testing
• Approaches
  • White Box
  • Black Box
  • Gray Box
• Differences among these approaches can be determined by the resources to which you have access.

No single approach is correct and no single method can uncover all possible vulnerabilities for a given target.

White Box Testing
• Access to source code
• Design specification
• Development team
• Advantages
  • Coverage
• Shortcomings
  • Complexity
  • Availability

Black Box Testing
• Manual Testing
• Automated Testing / Fuzzing
• Pros:
  • Availability
  • Reproducibility
  • Simplicity
• Cons:
  • Coverage
  • Intelligence

Gray Box Testing
• Binary Auditing
• Automated Binary Auditing
• Pros:
  • Availability
  • Coverage
• Cons:
  • Complexity
