Demystifying Ransomware Attacks: Reverse Engineering and Dynamic
Malware Analysis of WannaCry for Network and Information Security
Aaron Zimba1,2
Department of Computer Science and Technology
University of Science and Technology Beijing1
Beijing, China
azimba@xs.ustb.edu.cn
Luckson Simukonda2, Mumbi Chishimba2
Department of Computer Science and Information
Technology
Mulungushi University2
Kabwe, Zambia
{thezo1992, chishimba.mumbi}@gmail.com
Abstract: Encryption has protected the Internet for some time now and has come to raise user trust in the otherwise insecure Internet. However, recent years have seen robust encryption used as a stepping stone for cyber-criminal activities. Ransomware has not escaped the headlines, having attacked almost every sector of society using a myriad of infection vectors. Mission-critical data has been held to ransom and victims have had to part with millions of dollars. The advent of the pseudonymous Bitcoin network has made matters worse, as it has been virtually infeasible to trace the perpetrators. In this paper, we perform dynamic analysis of WannaCry ransomware samples based on malware-free infection vectors. Further, we reverse-engineer the ransomware code for further analysis. Results show that, despite the use of resilient encryption, the ransomware uses the same attack structure and cryptographic primitives as other families in the wild. Our analysis leads us to the conclusion that this ransomware strain is not as complex as previously reported. This detailed practical analysis aims to raise awareness in the business community of the realities and importance of IT security whilst hinting at prevention, recovery and the limitations thereof.
Keywords: ransomware; encryption; malware; WannaCry; infection vector
I. INTRODUCTION
The Internet today is plagued with a myriad of malware classes, including viruses, trojans and worms. Since it was not built with security in mind [1], advances in the underlying technologies have been matched by advances in malware sophistication: as technology advances, so does malware. Encryption, one of the pillars of secure technology today, has likewise been adopted by the malware fraternity, introducing a new form of cyber-attack: crypto ransomware [2]. Cyber-attacks are no longer the work of script kiddies or hacker-wannabes but of organized cybercriminals, including Advanced Persistent Threat (APT) actors, perpetrating all forms of digital crime [3]. Organized cybercrime groups attack networks for monetary gain, a far stronger motivation than amateurs have. This implies that attackers are well organized and have at their disposal not only the technical know-how but more capable resources for attacking networks than a security administrator may have for defending them. The philosophy behind ransomware attacks is extortion: the victim's data is made inaccessible via encryption until a ransom demand is met. The tragedy of ransomware is that it employs the most robust and resilient forms of encryption, making it computationally infeasible [4] to recover a victim's data without the key, however much computing power is thrown at the problem. WannaCry, one of the most devastating ransomware attacks, plagued over 150 countries across all continents [5] in May 2017 and spared no industry niche owing to the indiscriminate nature of the attack. It struck universities and the transport, health and telecoms sectors, among others, implying that the ICT industry cannot bury its head in the sand but must address this new challenge. Figure 1 below shows the severity and distribution of reported WannaCry attacks worldwide.
Figure 1. Distribution of initial WannaCry attacks [6]
What made WannaCry effective was not only the robust encryption scheme employed but the distribution mechanism as well. A resilient encryption scheme is just one part of a successful ransomware attack; to reach all the aforementioned sectors, an effective infection mechanism is also required. WannaCry used various infection vectors [7] and traversed networks by exploiting an SMB vulnerability [8] against any other host reachable on TCP port 445. The media has not helped matters, being flooded with inaccuracies and hearsay about the effects, infection vectors, prevention and remediation. History has, however, shown that the primitives used to effectuate ransomware attacks are not novel, as cybercriminals tend to reuse malware code, ransomware included [9]. In this paper we therefore endeavor to demystify WannaCry ransomware attacks and operations. This gives insight not only into the inner workings of a particular malware but into its collective strain. In light of this, we perform a full experimental dynamic and static analysis of WannaCry samples. Based on the local and network behaviour of the malware samples, we suggest defense and mitigation measures.
Zambia Information Communication Technology (ICT) Journal, Volume 1 (Issue 1) (2017), Pages 35-40
The rest of the paper is organized as follows: Section II
discusses primitives of ransomware attack structures and
components whilst the attack model is presented in Section
III. The experimental test-bed and methodology are brought
forth in Section IV while results and analyses are discussed in
Section V and we conclude the paper in Section VI.
II. ATTACK STRUCTURE AND COMPONENTS
Ransomware attacks come mainly in two forms: locker and crypto ransomware attacks [10]. WannaCry belongs to the latter, which employs encryption to effectuate a denial of service (DoS) attack on victim data. Crypto ransomware further subdivides into Private-key Crypto Ransomware (PrCR) and Public-key Crypto Ransomware (PuCR). PrCR inherits the challenge of symmetric key distribution and management, which has led attackers to employ custom-crafted classical substitution, stream or block ciphers. PrCR attacks are therefore often crackable, either through cryptanalysis of the weak cipher or by extracting the symmetric key, which must be embedded in or derivable from the payload itself. This has consequently led to the widespread implementation of PuCR over PrCR [11]. Figure 2 below illustrates the generic structure of a crypto ransomware payload common to both PrCR and PuCR.
Figure 2. General structure of crypto ransomware
Depending on the attack structure, the encryption key can be generated within the ransomware payload after a successful attack or downloaded from a Command and Control (C2) server. Regardless of the attack structure, crypto ransomware attacks rest on three main components: the encryption methodology, C2 servers and infection vectors.
A. Encryption Methodology
Encryption is the backbone of the ransomware business model. Attackers have therefore sought to employ the most resilient encryption algorithms, such as RSA, AES and ECC. Symmetric encryption has the advantage of speed but suffers from encryption/decryption key management, whilst the resilient asymmetric encryption tends to be slower. Attackers have combined the advantages of both worlds in a hybrid encryption methodology which, when correctly implemented, is computationally infeasible to break without the attacker's private key [12]. Figure 3 below illustrates the attack structure of hybrid crypto ransomware.
Figure 3. Hybrid PuCR attack structure
In the above attack structure, the public key $K_{pub}$ from the PuCR key pair $\{K_{pub}, K_{priv}\}$, implanted in the payload, is used to encrypt the symmetric key $K_s$ which actually encrypts the victim's files. This is denoted by the process $E_{K_{pub}}(K_s)$. In this approach the key $K_s$ needed to decrypt user data, having been encrypted under $K_{pub}$, can only be recovered with the private key $K_{priv}$ residing on the C2 servers. User data encryption, which is the actual ransomware attack, is denoted by the process $E_{K_s}(D)$, where $D$ is the victim's data. In other attack structures, the ransomware payload generates an asymmetric key pair on the host, uses its public key to encrypt user data, and seeks to exfiltrate the private key to the C2 servers for future data decryption.
B. C2 Servers
At the centre of operation of ransomware attacks lies
Command and Control (C2) servers. C2 infrastructure may be
owned by the attacker or could be a botnet controlled by the
attacker. C2 are cardinal infrastructure and coordinating
resources that the attacker harnesses to communicate with the
ransomware payload once an infection is successful.
Furthermore, C2 are also used to handle encryption key
management and ransom payments via Bitcoin [13] and may
also house the ransomware payload before it’s delivered via
different infection vectors. When a ransomware payload is successfully delivered to a victim, it usually beacons back to the C2 for further instructions. Earlier ransomware families gave priority to the confidentiality of their C2 communications, hinting at how cardinal this component is. Newer families instead leverage the victim's own system resources, such as its SSL/TLS stack, to secure C2 communications. Depending on the attack structure, the C2 may manage both the private and the public key.
Zimba A., Simukonda L.,Chishimba M., Demystifying Ransomware Attacks: Reverse Engineering and Dynamic Malware Analysis of WannaCry
for Network and Information Security
C. Infection Vectors
Developing an effective crypto ransomware that uses strong encryption and is supported by a resilient C2 is only half the job. These two components must be supplemented by a delivery methodology that ensures the ransomware actually reaches the targeted victim. Infection vectors are the means through which attackers achieve this. Attackers use both simple and complex methods to deliver the ransomware payload to the victims. Malicious spam email tops the infection vector list as the most effective ransomware delivery mechanism [14]. The spam email usually carries the payload as an attachment in the form of a Word macro or an executable binary, or as a malicious link pointing to some resource hosting the ransomware.
Figure 4. Bayesian network of various infection vectors
Attackers use a wide range of social engineering tactics to persuade the victim to open the attachment or follow the link, which consequently results in installation of the ransomware and subsequent infection. However, spam mail is subject to filtering by email servers, so not all of it reaches the intended victim. Attackers therefore use other infection vectors such as exploit kits (EKs) and standalone exploits. The EternalBlue SMB exploit was the main vector used to propagate WannaCry [15] over the network on port 445, while the DoublePulsar implant provided the backdoor [16]. The Neutrino EK is known to ferry a wide range of ransomware, including the well-known Locky and CryptoWall [17]. We consider all these infection vectors and others in the construction of the infection Bayesian network of figure 4 and the subsequent deduction of the attack model in the following section. It is worth noting that the Bayesian network above is not exhaustive and that some infection vectors harbor sub-vectors which could further extend it. These vectors tend to be interlinked in one way or another.
III. THE ATTACK MODEL
Figure 4 represents a directed infection vector network with various nodes sharing a relationship depicted by the associated edges. Depending on the infection source, the ransomware propagates through different nodes until it is executed on the victim, thereby generating unique attack paths. The inter-dependence of nodes in a path can be captured by a Bayesian network in which the overall likelihood of executing the ransomware on the target is expressed as a function of the conditional probabilities along the associated attack path. The infection vector Bayesian network (BiN) is thus expressed as:
$$BiN = (G, \Theta) \qquad (1)$$
where $G = (V, E)$ is a directed acyclic graph (DAG) with nodes $V$ as discrete random variables and edges $E \subseteq V \times V$ denoting causal relationships, and $\Theta$ is the set of quantitative network parameters (the conditional probability distributions attached to the nodes). Using Equation (1) and the network structure in figure 4, we deduce an attack graph for the attack model as illustrated below in figure 5.
Figure 5. Illustrative attack graph
Figure 4 node labels (as extracted): Macro, Spam, EK, Web-Server, Flash, Zero-Day, Loaders, Freeware Trojan, Removable Media, Drive-by Download, Malvertising, Malware-Free, JavaScript, SMB (EternalBlue), Backdoor (DoublePulsar), Ransomware Exec.
Figure 5 elements (as extracted): nodes $n_0$ (source), $n_1$, $n_2$, $n_3$, $n_v$ (target); edges $e_{\{0,1\}}$, $e_{\{0,2\}}$, $e_{\{0,3\}}$, $e_{\{2,1\}}$, $e_{\{1,3\}}$, $e_{\{2,3\}}$, $e_{\{2,v\}}$, $e_{\{3,v\}}$.
The attack model comprises: the attacking agent at the source, which is the ransomware itself; the assets, which are the nodes exploited in the course of reaching the target; and the goals, which are the sought-after security breaches. We distinguish two kinds of asset: pivot assets and critical assets. Pivot assets are the nodes with no edge into the target ($n_1$ in figure 5), whereas critical assets ($n_2$ and $n_3$, via the edges $e_{\{2,v\}}$ and $e_{\{3,v\}}$) are connected directly to the target $n_v$. Each node $n_i$ carries a conditional probability distribution $P(n_i \mid \mathrm{Parents}(n_i))$ quantifying the influence imposed by its parents' sample space, where the full joint probability distribution is given as:
$$P(n_0, n_1, \ldots, n_v) = \prod_{i} P(n_i \mid \mathrm{Parents}(n_i)) \qquad (2)$$
Therefore, the probability of compromising the target given the incoming edges $e_{\{2,v\}}$ and $e_{\{3,v\}}$ can be expressed as:
$$P(n_v \mid \mathrm{Parents}(n_v)) = P(n_v \mid n_2, n_3) \qquad (3)$$
Following from Equation (3), we adopt the Markov assumption [18] that a child node depends only on its parents and not on their history. Thus the order of the attack events prior to access of the parent node is not significant in our attack model.
In light of the above, the attack scenarios of our experiments resume from the pivot nodes. Further, we use malware-free intrusions [19] as the infection vector.
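To make Equations (1) to (3) concrete, here is an added example (not code from the paper) that evaluates the attack graph of figure 5 by enumeration. The graph structure is the one read off the figure; every number in THETA is an assumed illustrative value, and the noisy-OR form of the conditional probability tables is an assumption of this example too, not a measurement from the paper.

```python
"""Added example (not the paper's code): evaluating the infection-vector
Bayesian network of Section III by enumeration over Equation (2).
Graph: the nodes and edges read off figure 5. Every number in THETA is an
assumed illustrative value (noisy-OR form), not a measurement from the paper."""
from itertools import product

# G = (V, E) of figure 5 as parent lists:
# e{0,1} e{0,2} e{0,3} e{2,1} e{1,3} e{2,3} e{2,v} e{3,v}
PARENTS = {
    "n0": (),                   # attacking agent (the ransomware itself)
    "n2": ("n0",),
    "n1": ("n0", "n2"),         # pivot asset: no edge into the target
    "n3": ("n0", "n1", "n2"),   # critical asset, e.g. the SMB-exposed host
    "nv": ("n2", "n3"),         # the target
}
ORDER = ("n0", "n2", "n1", "n3", "nv")  # a topological order of the DAG


def noisy_or(weights):
    """CPT P(node=1 | parents): each compromised parent independently
    hands the ransomware on with its own edge weight (assumed values)."""
    def cpt(parent_values):
        p_fail = 1.0
        for value, weight in zip(parent_values, weights):
            if value:
                p_fail *= 1.0 - weight
        return 1.0 - p_fail
    return cpt


# Theta: edge weights in the order of PARENTS[node] (assumed values)
THETA = {
    "n0": lambda _: 1.0,                 # the agent is always present
    "n2": noisy_or((0.6,)),
    "n1": noisy_or((0.3, 0.5)),
    "n3": noisy_or((0.2, 0.4, 0.7)),
    "nv": noisy_or((0.5, 0.9)),          # e{3,v}: EternalBlue over 445 is the strong edge
}


def joint(assignment):
    """Equation (2): P(n0, ..., nv) = prod_i P(n_i | Parents(n_i))."""
    p = 1.0
    for node in ORDER:
        p_one = THETA[node](tuple(assignment[par] for par in PARENTS[node]))
        p *= p_one if assignment[node] else 1.0 - p_one
    return p


def probability(query, evidence=None):
    """P(query = 1 | evidence) by full enumeration of the 2^5 assignments."""
    evidence = evidence or {}
    num = den = 0.0
    for values in product((0, 1), repeat=len(ORDER)):
        a = dict(zip(ORDER, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        w = joint(a)
        den += w
        if a[query]:
            num += w
    return num / den if den else 0.0


if __name__ == "__main__":
    print("P(target compromised)          =", round(probability("nv"), 4))
    print("... given SMB asset n3 patched =", round(probability("nv", {"n3": 0}), 4))
    print("... given SMB asset n3 reached =", round(probability("nv", {"n3": 1}), 4))
```

Conditioning on the critical asset (n3 = 0, i.e. the SMB-exposed host is patched or absent) is how a defender reads the model: the drop in P(nv) is the value of closing that one edge, and with both critical assets clean the target is unreachable regardless of what happens at the pivot.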
IV. EXPERIMENT TESTBED AND METHODOLOGY
The experiment setup for dynamic analysis is illustrated in
figure 6 below comprising the server-side component for
polling behavioral features from the client-side component
where the WannaCry ransomware runs. The server-side runs
Cuckoo sandbox and Volatility on Linux and we follow the
best practices [20] for malware containment. Our ransomware
samples are collected from Malwr and VirusTotal. We test the
ransomware samples on Windows virtual hosts (Windows
XP, Windows 7 and Windows 8).
Figure 6. Ransomware dynamic analysis test-bed setup
To acquire the pivot and critical assets depicted in the
attack model, we launch a reconnaissance attack using Nmap
on the target network. The results are shown in Table I below.
TABLE I. RECONNAISSANCE PROBE RESULTS
Host        Open Port   Protocol   Service
VM Host 1   135         TCP        msrpc
VM Host 1   139         TCP        netbios-ssn
VM Host 1   3389        TCP        RDP
VM Host 1   123         UDP        ntp
VM Host 2   3389        TCP        ms-wbt-server (RDP)
VM Host 2   445         TCP        microsoft-ds (SMB)
VM Host 2   5357        TCP        wsdapi
VM Host 3   554         TCP        rtsp
VM Host 3   2869        TCP        icslap
VM Host 3   3389        TCP        RDP
VM Host 3   445         TCP        microsoft-ds (SMB)
With the conditions (cf. Equation 3) that actualize the pursued infection vector [19] satisfied, we implant the ransomware on the targeted victim and perform dynamic analysis. To reverse engineer the ransomware code, we perform static dissection of the binary with the IDA Pro interactive disassembler and the OllyDbg debugger. We discuss the results of both analyses in the following section.
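The reconnaissance step above, as an added example (not the paper's tooling): a script that parses Nmap grepable output and sorts hosts into the critical and pivot assets of Section III. The scan lines are constructed to mirror Table I (the 192.168.56.x addresses are hypothetical). Treating TCP/445 as the marker of a critical asset, and TCP/3389 as the pre-authentication service a malware-free intrusion [19] would log in through, are this example's assumptions.

```python
"""Added example (not from the paper): parse Nmap grepable (-oG) output and
sort hosts into the critical/pivot assets of the attack model in Section III.
SCAN is constructed to mirror Table I; the addresses are hypothetical."""
import re

SCAN = """\
Host: 192.168.56.101 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 3389/open/tcp//ms-wbt-server///, 123/open/udp//ntp///
Host: 192.168.56.102 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///, 5357/open/tcp//wsdapi///
Host: 192.168.56.103 ()\tPorts: 554/open/tcp//rtsp///, 2869/open/tcp//icslap///, 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///
"""

# -oG port fields: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

SMB = (445, "tcp")    # the EternalBlue/DoublePulsar vector (MS17-010)
RDP = (3389, "tcp")   # assumed here: the pre-authentication service a
                      # malware-free intrusion [19] would log in through


def parse_grepable(text):
    """Return {host: [(port, proto, service), ...]} keeping open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        hosts[host] = [(int(p), proto, svc)
                       for p, state, proto, svc in PORT_RE.findall(line)
                       if state == "open"]
    return hosts


def classify(hosts):
    """A host reachable on 445/tcp is a critical asset (one SMB exploit away
    from the target); anything else can only serve as a pivot."""
    out = {"critical": [], "pivot": [], "rdp_exposed": []}
    for host, ports in sorted(hosts.items()):
        exposed = {(p, proto) for p, proto, _ in ports}
        out["critical" if SMB in exposed else "pivot"].append(host)
        if RDP in exposed:
            out["rdp_exposed"].append(host)
    return out


if __name__ == "__main__":
    for kind, members in classify(parse_grepable(SCAN)).items():
        print(f"{kind:12s} {', '.join(members) or '-'}")
```

Run against real output, `nmap -sS -sU -p T:135,139,445,3389,5357,U:123 -oG - <range>` gives the same line format; the point of the split is that a critical asset must be patched (MS17-010) before it is reached, whereas a pivot asset only matters once the attacker already has a foothold.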
V. RESULTS AND ANALYSES
Upon execution, WannaCry, unlike other ransomware strains, does not delay its payload to evade sandboxes. Within seconds the ransomware encrypts the contents of every directory on the system except those under the SystemRoot and Program Files. It does not encrypt files with the *.exe or *.dll extensions, which is only logical considering that WannaCry is a crypto ransomware and not a locker: the system must keep running so that the victim can read the note and pay. The product of the encryption process is a set of files with the *.WNCRY extension. The ransom note, carrying the Bitcoin address 12t9YDPgwueZ9NyMgw519pAA8isjr6Mw, is shown in figure 7 below.
Figure 7. WannaCry ransom note after encryption
A. Dynamic Analysis
The main process Wncry2 (PID 1844) spawns child processes, among them tasksche (PID 1788), cmd (PID 240) and taskdl (PID 224), plus a few more short-lived ones that terminate on task completion. The spawning activity is shown in figure 8 below.
Figure 8. WannaCry process tree decomposition
The Wncry2 process masquerades internally as the Microsoft utility diskpart.exe. The process tree likewise executes VB and batch scripts used to achieve a persistence mechanism. icacls.exe is used to grant every user full control of the directory in contention (roughly the equivalent of chmod 777 on Linux). Libraries loaded at runtime include, but are not limited to, kernel32.dll, shell32.dll and user32.dll, through which the CryptoAPI and file-system calls described below are made.
The sample comes with an implanted master RSA public key whose corresponding private key is retained by the attacker. Upon infection, the ransomware uses the operating system's CryptoAPI, with CryptGenRandom as its secure PRNG, to generate a 2048-bit sub-RSA key pair through the cryptographic service provider (CSP). The public key of this sub-pair is exported to 00000000.pky in unencrypted form. The corresponding private key is exported, encrypted with the implanted master RSA public key using the CryptEncrypt function, and written to 00000000.eky. Further, a fresh 128-bit AES key is generated for each of the victim's target files, which are encrypted in Cipher Block Chaining (CBC) mode. Each per-file AES key is then encrypted with the sub-pair public key that was exported to 00000000.pky. Figure 9 below illustrates the encryption process flow.
Figure 9. WannaCry encryption process
In total, the ransomware operates on four kinds of encryption key: the RSA public key from the master key pair, the two keys of the payload-generated sub-RSA pair, and the AES symmetric keys, one per file. The AES key for a file is encrypted with the payload-generated sub-RSA public key and stored with the encrypted file, so that nothing but the sub-RSA private key, itself locked under the master key, can recover it.
B. Static Analysis
The encryption routines of WannaCry run from address 0040F08C to 0040F110, as shown in figure 10 below.
Figure 10. WannaCry encryption calls
The granting of full-control permissions on the directory in contention by icacls.exe is seen at address 0040F4FC in figure 11 below.
Figure 11. Permission allocation to current directory
It is worth noting that the current directory is set to hidden with the command attrib +h . at address 0040F520. One of the samples we evaluated had a kill-switch, which is essentially a check for sandboxing: if the sample can reach the kill-switch domain, it exits without running the payload. The kill-switch domain is seen at address 004313D0 as shown in figure 12 below.
Figure 12. WannaCry kill-switch domain
The ransomware variants without the kill-switch domain appear to have been hex-edited without changing other parts of the code, which implies that the encryption routines, their associated functions and other aspects remain unchanged. Summary characteristics of the analyzed samples are shown in Table II below.
Remediation and Prevention: like all ransomware, WannaCry is better prevented than cured. Backups should be kept offline, since the observed samples propagate across the network over TCP port 445 using the exploit for CVE-2017-0145 [21] against the SMB service, so any network-reachable backup is itself exposed. Since the samples overwrite the original files upon encryption, system restore efforts do not bear fruit.
TABLE II. WANNACRY SAMPLES CHARACTERISTICS
Variant    Kill-Switch   Instant I/O   Dev. Attack   Attack .exe/.dll
Sample 1   x   x
Sample 2   x   x
Sample 3   x   x
Sample 4   x   x
Sample 5   x   x
None of the observed samples attacks system files, such as those with the .exe and .dll extensions. It is, however, impractical and illogical to rename all user files to these extensions in an effort to avoid the attack, as opposed to keeping offline backups. The DoublePulsar backdoor and EternalBlue SMB propagation are countered by applying the MS17-010 patch on every Windows version that still runs SMBv1 (the patch covers Windows Vista through Windows 10 and the corresponding server releases, with out-of-band fixes later issued for Windows XP and Server 2003); disabling SMBv1 where it is not needed removes the exposed code path altogether. Since the sub-RSA key pair is generated on the host, the primes of its modulus can remain in the memory of the WannaCry process. WanaKiwi [22] uses exactly this: it searches that memory for a prime that divides the modulus, derives the private key from it, and decrypts the affected files. The public exponent observed in all the samples was 65537 (0x10001). It should be noted, however, that this method only works if the memory allocated to the WannaCry process has not been overwritten or flushed, i.e. there has been no system restart and no reallocation of that memory.
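The key hierarchy of Section V.A (master RSA public key, host-generated sub-RSA pair written to 00000000.pky and 00000000.eky, per-file AES keys) and the WanaKiwi-style recovery described above, as one added example in pure Python. It is not the paper's code, not WanaKiwi itself and not WannaCry's. Assumptions: RSA is textbook (no padding) and shrunk to a 1024-bit master and 512-bit sub-pair so it runs in under a second; a SHA-256 counter keystream stands in for AES-128-CBC, which the standard library lacks; the "process memory" is a constructed buffer with the two primes embedded in random filler.

```python
"""Added example (not the paper's, WannaCry's or WanaKiwi's code): the key
hierarchy of Section V.A and the WanaKiwi-style recovery of Section V.B.
Assumed: textbook RSA shrunk to a 1024-bit master / 512-bit sub-pair, and a
SHA-256 counter keystream standing in for AES-128-CBC (not in the stdlib)."""
import hashlib
import random

E = 65537  # public exponent the paper observed in every sample (0x10001)

def _is_probable_prime(n, rng, rounds=24):
    """Trial division by small primes, then Miller-Rabin."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def rsa_keygen(bits, rng):
    """Return (n, e, d, p, q); p and q are what WanaKiwi hunts for in memory."""
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:            # gcd(E, phi) == 1 since E is prime
            return p * q, E, pow(E, -1, phi), p, q

def stream_xor(key, data):
    """Stand-in for AES-128-CBC: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def infect(master_pub, files, rng):
    """Model the payload: sub-RSA pair -> 00000000.pky (sub public key, clear) and
    00000000.eky (sub private key under the master public key); each file gets its
    own 128-bit key, wrapped with the sub public key and stored with the ciphertext.
    Also returns a constructed image of the process memory holding p and q."""
    n_m, e_m = master_pub
    n_s, e_s, d_s, p_s, q_s = rsa_keygen(512, rng)
    pky, eky = (n_s, e_s), pow(d_s, e_m, n_m)      # eky: CryptEncrypt(master_pub, d_s)
    encrypted = {}
    for name, data in files.items():
        k = rng.getrandbits(128)                   # per-file AES key (CryptGenRandom)
        encrypted[name + ".WNCRY"] = (pow(k, e_s, n_s), stream_xor(k.to_bytes(16, "big"), data))
    filler = lambda: rng.getrandbits(512).to_bytes(64, "big")   # constructed junk
    memory = filler() + p_s.to_bytes(32, "big") + filler() + q_s.to_bytes(32, "big") + filler()
    return pky, eky, encrypted, memory

def recover_sub_private(pky, memory):
    """WanaKiwi's idea: slide over live process memory for a prime-sized
    integer that divides the sub modulus n; then q = n // p and d follows."""
    n, e = pky
    size = (n.bit_length() + 15) // 16             # bytes in one of the two primes
    for off in range(len(memory) - size + 1):
        cand = int.from_bytes(memory[off:off + size], "big")
        if 1 < cand < n and n % cand == 0:
            p, q = cand, n // cand
            return pow(e, -1, (p - 1) * (q - 1))
    return None                                     # primes already overwritten/flushed

def decrypt_files(pky, d_s, encrypted):
    n, _ = pky
    plain = {}
    for name, (wrapped, blob) in encrypted.items():
        k = pow(wrapped, d_s, n)                    # unwrap the per-file key
        plain[name[:-len(".WNCRY")]] = stream_xor(k.to_bytes(16, "big"), blob)
    return plain

def demo(seed=2017):
    """Attacker's path (master private key) vs victim's path (primes in memory)."""
    rng = random.Random(seed)
    n_m, e_m, d_m, _, _ = rsa_keygen(1024, rng)   # attacker's master pair
    files = {"report.docx": b"Q2 figures (constructed sample)",
             "notes.txt": b"meeting notes (constructed sample)"}
    pky, eky, enc, mem = infect((n_m, e_m), files, rng)
    d_attacker = pow(eky, d_m, n_m)                 # only the attacker can do this
    d_memory = recover_sub_private(pky, mem)        # victim, before any reboot
    return {"same_key": d_attacker == d_memory,
            "files_back": decrypt_files(pky, d_memory, enc) == files,
            "after_flush": recover_sub_private(pky, bytes(len(mem)))}

if __name__ == "__main__":
    print(demo())
```

The zeroed buffer in the last line of demo() is the paper's caveat made explicit: once the pages that held p and q are reused or the machine is rebooted, the scan finds nothing, the .eky file is only openable with the attacker's master private key, and the .pky file alone is useless for decryption.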
VI. CONCLUSIONS
WannaCry ransomware is not so different from other ransomware families; it uses the same encryption primitives and attack methodologies. Unlike many other families, however, it generates a sub-RSA key pair on the host which is used to encrypt the generated symmetric keys. What made WannaCry spread fast and catch the attention of the world is the inclusion of a worm component which enabled it to self-propagate across networks with a vulnerable SMB service. This infection vector persists and remains valid for unpatched systems.
The inclusion of the kill-switch for sandbox evasion led to the demise of the initial variant of the ransomware. However, both the initial strain and the enhanced version that excludes the kill-switch are still seen in the wild on a daily basis [23]. Like other crypto ransomware, WannaCry does not encrypt system files and directories. Further, it does not check the file header before encryption, only the file extension. The presence of residual RSA primes in the memory address space of the WannaCry process makes it possible to derive the decryption key and decrypt the files. Nevertheless, this recovery technique is only valid as long as the associated memory space has not been overwritten or flushed.
REFERENCES
[1] M. Gallo and W.M. Hancock. Networking explained. Digital Press.
Dec 2001.
[2] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda.
"Cutting the gordian knot: A look under the hood of ransomware
attacks." In International Conference on Detection of Intrusions and
Malware, and Vulnerability Assessment, pp. 3-24. Springer, Cham,
2015.
[3] J.V. Chandra, N. Challa, and S.K. Pasupuleti. "Advanced persistent
threat defense system using self-destructive mechanism for cloud
security." In Engineering and Technology (ICETECH), 2016 IEEE
International Conference on, pp. 7-11. IEEE, 2016.
[4] A. Al Hasib and A.A.M. Mahmudul Haque. "A comparative study of
the performance and security issues of AES and RSA cryptography."
In Convergence and Hybrid Information Technology, 2008. ICCIT'08.
Third International Conference on, vol. 2, pp. 505-510. IEEE, 2008.
[5] T. Webb and S. Dayal. "Building the wall: Addressing cybersecurity
risks in medical devices in the USA and Australia." Computer Law &
Security Review (2017).
[6] "Cyber-attack: Europol says it was unprecedented in scale." BBC
News. (13th May 2017) [Online] Available:
http://www.bbc.com/news/world-europe-39907965 [Accessed 17th
June 2017]
[7] Adam McNeil. (19th May, 2017). "How did the WannaCry
ransomworm spread?" [Online] Available:
https://blog.malwarebytes.com/cybercrime/2017/05/how-did-
wannacry-ransomworm-spread/
[8] S. Mansfield-Devine. "Leaks and ransoms: the key threats to healthcare organisations." Network Security 2017, no. 6, pp. 14-19. Elsevier, 2017.
[9] D. Formby, S. Durbha and R. Beyah. "Out of control: Ransomware for
industrial control systems." (2017).
[10] A. Zimba. "Malware-Free Intrusion: A Novel Approach to
Ransomware Infection Vectors." International Journal of Computer
Science and Information Security 15, no. 2 (2017): 317.
[11] M.M. Ahmadian, H.R. Shahriari, and S.M. Ghaffarian. "Connection-
monitor & connection-breaker: A novel approach for prevention and
detection of high survivable ransomwares." In Information Security
and Cryptology (ISCISC), 2015 12th International Iranian Society of
Cryptology Conference on, pp. 79-84. IEEE, 2015.
[12] V. Palanisamy and A.M. Jeneba "Hybrid cryptography by the
implementation of RSA and AES." International Journal of Current
Research 33, no. 4 (2011): 241-244.
[13] K. Liao, Z. Zhao, A. Doupé and G.J. Ahn. "Behind closed doors:
measurement and analysis of CryptoLocker ransoms in Bitcoin." In
Electronic Crime Research (eCrime), 2016 APWG Symposium on, pp.
1-13. IEEE, 2016.
[14] A.W. Wijayanto, "Fighting cyber crime in email spamming: An
evaluation of fuzzy clustering approach to classify spam messages." In
Information Technology Systems and Innovation (ICITSI), 2014
International Conference on, pp. 19-24. IEEE, 2014.
[15] D. Spinellis. "Software Reliability Redux." IEEE Software 34, no. 4 (2017): 4-7.
[16] M. Revankar. (23rd May, 2017). "WannaCry 2.0: Detect and Patch
EternalRocks Vulnerabilities Now." [Online] Available:
https://www.tenable.com/blog/wannacry-2-0-detect-and-patch-
eternalrocks-vulnerabilities-now
[17] D. Sgandurra, L.M. González, R. Mohsen, and E.C. Lupu. "Automated
Dynamic Analysis of Ransomware: Benefits, Limitations and use for
Detection." arXiv preprint arXiv:1609.03020 (2016).
[18] Z. Ghahramani. "An introduction to hidden Markov models and
Bayesian networks." International journal of pattern recognition and
artificial intelligence 15, no. 01 (2001): 9-42.
[19] Aaron Zimba, Zhaoshun Wang,"Malware-Free Intrusions:
Exploitation of Built-in Pre-Authentication Services for APT Attack
Vectors", International Journal of Computer Network and Information
Security(IJCNIS), Vol.9, No.7, pp.1-10, 2017.DOI:
10.5815/ijcnis.2017.07.01
[20] C. Rossow et al. "Prudent practices for designing malware
experiments: Status quo and outlook." Security and Privacy (SP), 2012
IEEE Symposium on. IEEE, 2012.
[21] NVD - CVE-2017-0145. (16th March, 2017) [Online] Available:
https://nvd.nist.gov/vuln/detail/CVE-2017-0145
[22] Wanakiwi. (May 2017). [online] Available:
https://github.com/gentilkiwi/wanakiwi/releases [Accessed 13th June,
2017]
[23] "Note on WannaCrypt Infection Count Accuracy." Malware Intel
Botnet Tracker. (June 2017).[Online] Available:
https://intel.malwaretech.com/botnet/wcryp
40
Zambia (ICT) Journal, Volume 1 (Issue 1) © (2017)
Zimba A., Simukonda L.,Chishimba M., Demystifying Ransomware Attacks: Reverse Engineering and Dynamic Malware Analysis of WannaCry
for Network and Information Security
... Initially, the ransomware searches for a vulnerability and relies on all the available mechanisms to penetrate the target system. Zimba et al. present different means of ransomware infection (spam, web-server, server message block, macro, backdoor, flash, zero-day vulnerability) [22,23]. ...
... Similarly to ransomware, Doxware's attack vectors are mainly phishing/spam emails or unpatched security vulnerabilities on a visited website or on the victim's system [23,200]. Then, once it is infiltrated on the system, it checks if the required libraries with the appropriate versions are installed on the computer to perform its destructive intents. ...
Thesis
Ransomware remains the number one cyberthreat for individuals, enterprises, and governments. Malware’s aftermath can cause irreversible casualties if the requirements of the attackers are not met in time. This thesis targets Windows ransomware. It affects users’ data and undermines many public services. Four stages of this malware attack are defined: delivery, deployment, destruction, and dealing. The corresponding countermeasures are assigned to each phase of the attack and clustered according to the techniques used. This thesis presents three contributions. The first detection mechanism is located in the file system layer. It is based on the system traversal that is sufficient to highlight the malicious behavior. This thesis proposes also an analysis of the network traffic. It is generated by collected ransomware samples to perform a packet-level detection. A study of the ransom notes is made to define where it takes place in a ransomware workflow. The last contribution provides an insight into plausible attacks, especially Doxware. A quantification model that explores the Windows file system in search of valuable data is presented. It is based on the term frequency-inverse document frequency solution provided in the literature for information retrieval. Honeypot techniques are also used to protect the sensitive files of the users. Finally, this thesis provides future perspectives granting a better roadmap for researchers.
... With a perfect rate for detection and a loss of 10 files out of a total of 5100, they analysis their method alongside 492 real-time Ransomware instances. [10] Shreya Chadha et.al. (2017), introducing a selflearning system that uses machine learning to identify ransomware attacks. ...
Article
Ransomware poses a dangerous threat to cybersecurity. Data as well as rights owned by the user are adversely impacted. The situation has become considerably more critical as a result of the emergence of new ransomware varieties and Ransomware-as-a-Service. In this paper, we presented a novel deception-based and behaviour-based method for real-time ransomware detection. In order to avoid any loss before ransomware is discovered, we build pretend files and directories for nefarious behaviours. We conducted a pilot study using Locky, and the results demonstrate the effectiveness of our strategy with little system resource usage and geographical cost.
... There are several reverse engineering-based malware analysis models that were used as a reference in this study. Dynamic analysis model of ransomware by Zimba et al. [13] was conducted on the client-side with virtualization using multiple virtual machines (VMs), to avoid damage due to the effects of running malware and virtual networks to connect with servers. The servers run Cuckoo Sandbox and Volatility on Linux to collect the behavior of the analyzed malware. ...
Article
Full-text available
Purpose: Malicious software or malware is a real threat to the security of computer systems or networks. Researchers made various attempts to find information and knowledge about malware, including preventing or even eliminating it. One effort to detect it is using a malware dynamic analysis model based on reverse engineering techniques. However, there are many reverse engineering techniques proposed with various stages and requirements in the literature. Methods: This research uses an experimental method. The object of research is a malware analysis model using reverse engineering techniques. The experimental method used is qualitative, collecting data related to the advantages and disadvantages of the reverse engineering-based malware analysis models used as a reference in this study. The data is used as consideration to propose a new model of malware analysis utilizing reverse engineering techniques. Result: In this study an analysis model of malware was proposed by synthesizing several reverse engineering-based malware analysis models. Novelty: The proposed model was then tested in a virtual environment where it is proven to be more effective than previous models for analyzing malware.
... The cryptographic hashes generated for WannaCry, TeslaCrypt, and Jigsaw were all compared against the articles published by FireEye, Secureworks, and Trend Micro, respectively, to verify their authenticity [93][94][95]. WannaCry was used due to its lack of sandbox escapism or evasion mechanisms [96]. WannaCry's popularity means that sourcing and verifying an authentic copy is much easier than lesser-known ransomware variants. ...
Preprint
Ransomware has become an increasingly popular type of malware across the past decade and continues to rise in popularity due to its high profitability. Organisations and enterprises have become prime targets for ransomware as they are more likely to succumb to ransom demands as part of operating expenses to counter the cost incurred from downtime. Despite the prevalence of ransomware as a threat towards organisations, there is very little information outlining how ransomware affects Windows Server environments, and particularly its proprietary domain services such as Active Directory. Hence, we aim to increase the cyber situational awareness of organisations and corporations that utilise these environments. Dynamic analysis was performed using three ransomware variants to uncover how crypto-ransomware affects Windows Server-specific services and processes. Our work outlines the practical investigation undertaken as WannaCry, TeslaCrypt, and Jigsaw were acquired and tested against several domain services. The findings showed that none of the three variants stopped the processes and decidedly left all domain services untouched. However, although the services remained operational, they became uniquely dysfunctional as ransomware encrypted the files pertaining to those services.
... The cryptographic hashes generated for WannaCry, TeslaCrypt, and Jigsaw were all compared against the articles published by FireEye, Secureworks, and Trend Micro, respectively, to verify their authenticity [93][94][95]. WannaCry was used due to its lack of sandbox escapism or evasion mechanisms [96]. WannaCry's popularity means that sourcing and verifying an authentic copy is much easier than lesser-known ransomware variants. ...
Article
Ransomware has become an increasingly popular type of malware across the past decade and continues to rise in popularity due to its high profitability. Organisations and enterprises have become prime targets for ransomware as they are more likely to succumb to ransom demands as part of operating expenses to counter the cost incurred from downtime. Despite the prevalence of ransomware as a threat towards organisations, there is very little information outlining how ransomware affects Windows Server environments, and particularly its proprietary domain services such as Active Directory. Hence, we aim to increase the cyber situational awareness of organisations and corporations that utilise these environments. Dynamic analysis was performed using three ransomware variants to uncover how crypto-ransomware affects Windows Server-specific services and processes. Our work outlines the practical investigation undertaken as WannaCry, TeslaCrypt, and Jigsaw were acquired and tested against several domain services. The findings showed that none of the three variants stopped the processes and decidedly left all domain services untouched. However, although the services remained operational, they became uniquely dysfunctional as ransomware encrypted the files pertaining to those services.
... In the computing realm, SE attacks are achieved by baiting users into downloading an attachment or clicking a link which directs them to installing malware on their machines [14,25]. Typically, these malware links are delivered to the users via fraudulent emails or social media [21]. ...
Preprint
In this short report, we describe some vulnerabilities and exposures in the cloud, discussing some exploits between 2015 and 2018. We namely discuss two categories of attacks: social engineering attacks and cryptomining attacks.
... Delivery: Initially, ransomware searches for a vulnerability and relies on all the available mechanisms to penetrate the target system. Zimba et al. present different means of ransomware infection (spam, web-server, server message block, macro, backdoor, flash, zero-day vulnerability) [106,110,124]. ...
Article
Ransomware remains an alarming threat in the 21st century. It has evolved from being a simple scare tactic into a complex malware capable of evasion. Formerly, end-users were targeted via mass infection campaigns. Nevertheless, in recent years, the attackers have focused on targeted attacks, since the latter are profitable and can induce severe damage. A vast number of detection mechanisms have been proposed in the literature. We provide a systematic review of ransomware countermeasures starting from its deployment on the victim machine until the ransom payment via cryptocurrency. We define four stages of this malware attack: Delivery, Deployment, Destruction, and Dealing. Then, we assign the corresponding countermeasures for each phase of the attack and cluster them by the techniques used. Finally, we propose a roadmap for researchers to fill the gaps found in the literature in ransomware’s battle.
... Similarly to ransomware, Doxware's attack vectors are mainly phishing/spam emails or unpatched security vulnerabilities on a visited website or on the victim's system [4,55]. Then, once it is infiltrated on the system, it checks if the required libraries with the appropriate versions are installed on the computer to perform its destructive intents. ...
Article
Malware remains the number one threat for individuals, enterprises, and governments. Malware’s aftermath can cause irreversible casualties if the requirements of the attackers are not met in time. Security researchers’ primary objective is protecting the assets that a person/company possesses. They are in a constant battle in this cyberware facing attackers’ malicious intent. To compete in this arms race against security breaches, we propose an insight into plausible attacks, especially Doxware (also called leakware). We present a quantification model that explores the Windows file system in search of valuable data. It is based on the Term Frequency–Inverse Document Frequency (TF–IDF) solution provided in the literature for information retrieval. The highest-ranked files will then be exfiltrated over the Internet to the attacker’s server. Then, we studied possible countermeasures including deception-based techniques. Amongst the existent ones, we implemented and tested one based on honeypot files and folders to protect users’ assets. We conclude by presenting future perspectives in this area with the possible counter-countermeasures that can be used by an attacker to bypass current detection mechanisms. Our approach delivers an observation of the evolution of malware throughout the last years. It enables users to prevent their sensitive information from being exposed to potential risks.
... To speed up the reverse engineering process, they further proposed a technique of clone-based analysis. In another study, Zimba et al. [30] conducted reverse engineering to decode the ransomware code. Outcome from their study shows that despite robust encryption, the ransomware utilizes the very same attack mechanism and cryptographic abstractions as with other families in the wild. ...
Article
Nowadays, most of the cyber-attacks are initiated by extremely malicious programs known as Malware. Malware is very vigorous and can penetrate the security of information and communication systems. While there are different techniques available for malware analysis, it becomes challenging to select the most effective approach. In this context, the decision-making process may be an efficient means of empirically assessing the impact of different methods for securing web applications. In this research study, we have used a methodology that includes the integration of the Fuzzy AHP and Fuzzy TOPSIS techniques for evaluating the impact of different malware analysis techniques from a web application perspective. This study uses different versions of a university's web application for evaluating the impact of several existing malware analysis techniques. The findings of the study show that the Reverse Engineering approach is the most efficient technique for analyzing complex malware. The outcome of this study would definitely aid future researchers and developers in selecting the appropriate techniques for scanning web application code and enhancing security.
Article
The Internet is so diverse that at any given instance someone is clicking a link, opening a file, downloading an email attachment and so forth. Such seemingly benign actions do not always return the expected outcome because attackers leverage these actions to spread their malware. And malware today casts a broad spectrum of software with varying characteristics, some of which include Ransomware. Ransomware has come to claim its place in the malware wild due to the philosophy of extortion behind its operations. Ransomware threat actors are seeking ways to deliver their malware payload in ways that do not generate suspicion via unusual network traffic and system calls, by involving less user input if any at all. Malware-free intrusions present attack vectors so desirable to Ransomware threat actors in this respect in that they do not employ extra malicious code which otherwise would be detected by intrusion detection and prevention systems. In this paper we explore the utilization of malware-free backdoors for Ransomware payload delivery over a network with RDP-based remote access. We further show that leveraging such backdoors does not require user input while providing high probability levels of success, thus adding to the expansion of the available attack surface.
Article
Advanced Persistent Threat (APT) actors seek to maintain an undetected presence over a considerable duration and therefore use a myriad of techniques to achieve this requirement. This stealthy presence might be sought on the targeted victim or one of the victims used as pawns for further attacks. However, most of the techniques involve some malicious software leveraging the vulnerability induced by an exploit or leveraging the ignorance of the benign user. But then, malware generates a substantial amount of noise in the form of suspicious network traffic or unusual system calls which usually do not go undetected by intrusion detection systems. Therefore, an attack vector that generates as little noise as possible or none at all is especially attractive to APT threat actors as this perfectly suits their objective. Malware-free intrusions present such attack vectors and indeed are difficult to detect because they mimic the behavior of normal applications and add no extra code for signature detection or anomaly behavior. This paper explores malware-free intrusions via backdoors created by leveraging the system tools available at pre-authentication to the common user. We explore two attack vectors used to implant the backdoor and demonstrate how such a backdoor is accessible over the network via remote access while providing the highest level of system access. We further look at prevention, detection and mitigation measures which can be implemented in the case of compromise.
Article
Recent statistics show that in 2015 more than 140 million new malware samples were found. Among these, a large portion is due to ransomware, the class of malware whose specific goal is to render the victim's system unusable, in particular by encrypting important files, and then ask the user to pay a ransom to revert the damage. Several ransomware include sophisticated packing techniques, and are hence difficult to statically analyse. We present EldeRan, a machine learning approach for dynamically analysing and classifying ransomware. EldeRan monitors a set of actions performed by applications in their first phases of installation, checking for characteristic signs of ransomware. Our tests over a dataset of 582 ransomware belonging to 11 families, and with 942 goodware applications, show that EldeRan achieves an area under the ROC curve of 0.995. Furthermore, EldeRan works without requiring that an entire ransomware family is available beforehand. These results suggest that dynamic analysis can support ransomware detection, since ransomware samples exhibit a set of characteristic features at run-time that are common across families, and that helps the early detection of new variants. We also outline some limitations of dynamic analysis for ransomware and propose possible solutions.
Conference Paper
Bitcoin, a decentralized cryptographic currency that has experienced proliferating popularity over the past few years, is the common denominator in a wide variety of cybercrime. We perform a measurement analysis of CryptoLocker, a family of ransomware that encrypts a victim's files until a ransom is paid, within the Bitcoin ecosystem from September 5, 2013 through January 31, 2014. Using information collected from online fora, such as reddit and BitcoinTalk, as an initial starting point, we generate a cluster of 968 Bitcoin addresses belonging to CryptoLocker. We provide a lower bound for CryptoLocker's economy in Bitcoin and identify 795 ransom payments totalling 1,128.40 BTC ($310,472.38), but show that the proceeds could have been worth upwards of $1.1 million at peak valuation. By analyzing ransom payment timestamps both longitudinally across CryptoLocker's operating period and transversely across times of day, we detect changes in distributions and form conjectures on CryptoLocker that corroborate information from previous efforts. Additionally, we construct a network topology to detail CryptoLocker's financial infrastructure and obtain auxiliary information on the CryptoLocker operation. Most notably, we find evidence that suggests connections to popular Bitcoin services, such as Bitcoin Fog and BTC-e, and subtle links to other cybercrimes surrounding Bitcoin, such as the Sheep Marketplace scam of 2013. We use our study to underscore the value of measurement analyses and threat intelligence in understanding the erratic cybercrime landscape.
Article
The requirement for high reliability is no longer restricted to a few specialized and proven domains. Instead, ever more functions whose failure can hurt humans and damage property are cropping up in new areas. Avoiding problems and catastrophes in the new software reliability landscape is possible but won't be easy.
Article
Of all the personally identifiable information (PII) that could be leaked, healthcare data is arguably the most intimate and worrying. You would think that healthcare organisations would try their hardest to protect that information and yet they are constantly in the headlines following leaks and successful cyber-attacks. In this interview, Niall MacLeod, sales engineering manager EMEA at Anomali, explains how healthcare organisations are getting better at managing information security, but that the road ahead isn't easy.
Article
Cybersecurity in medical devices has become a pressing issue in modern times. Technological progress has simultaneously benefited health care and created new risks. Through examining regulatory guidance, this article establishes that stakeholders have a shared responsibility to address cybersecurity threats that can affect such devices. Manufacturers and health care providers should consider identification, detection and prevention steps at the pre-market and post-market stages. End users and medical practitioners should practice good cyber hygiene to mitigate cybersecurity risks. Collectively, increased collaboration across all stakeholders is fundamental to ensure effective protection.
Conference Paper
The rise of the modern Internet brought with it a heap of opportunities for attackers to gain illegal benefit from spreading spam mail. Spam is irrelevant or inappropriate messages sent on the Internet to a large number of recipients. Many researchers use a large number of classification methods in machine learning to filter spam messages. But there is still limited research which evaluates the use of the clustering task in data mining to perform spam email segmentation. In this paper we endorse fighting cyber crime by evaluating the fuzzy clustering approach in classifying spam emails using one of the most popular and efficient methods in this field, Fuzzy C-Means. The experimental studies on a public spam data set using various different parameters give promising results in this process.
Conference Paper
Ransomware has become a growing threat in recent years, and this situation continues to worsen. It raised awareness of a particular class of malware which extorts a ransom in exchange for a captive asset. Most widespread ransomware makes an intensive use of data encryption. Basically, it encrypts various files on the victim’s hard drives, removable drives and mapped network shares before asking for a ransom to get the files decrypted. In this paper, at first we propose a comprehensive ransomware taxonomy. Then, based on this taxonomy and according to a principal feature which we discovered in high survivable ransomware (HSR) in the key exchange protocol step, we present a novel approach for detecting high survivable ransomware and preventing it from encrypting the victim’s data. Experimental evaluation demonstrates that our framework can detect variants of recent dangerous ransomware.