Functional and Behavioral Analysis of Different Type of Ransomware
Beril TÜRKEŞ
Main Supervisor: Cemal Yılmaz
Outline
• Introduction
• Evolution of Ransomware
• Motivation
• Ransomware Scope
• Methodology
• Deploying Analysis Environment
• Determining Indicators
• Analyzing Phase
• Additional Work
• Evaluation
• Results
11.8.2022 Faculty of Engineering and Natural Science 2
Introduction
Ransomware: Ransomware is a type of malicious software (malware) that infects a system and prevents victims from accessing their data or system until a ransom is paid to unlock it.
Table 1: Mindsight report
Table 2: Security Boulevard report
Table 2: Datto's Global State of the Channel Ransomware Report
Evolution of Ransomware
The first known incidence of ransomware is the AIDS Trojan, developed and distributed by Dr. Joseph Popp in 1989 (Mungo and Clough 1992). Whilst this is the first known instance of a ransomware attack, it required manual delivery of the malicious software and physical payment of the ransom.
• Threatens to delete a number of files for every hour the ransom is not paid.
• Arrives as a macro embedded in a spam attachment, a new method identified at that time.
• Delivered via Dropbox; targets the Master Boot Record (MBR) of infected machines and encrypts the physical drive; ransom doubled if payment is not received in 7 days.
• First ransomware to allow resiliency and persistence on victim machines.
• Encrypts files. Biggest ransomware attack in history: infected over 230,000 computers in more than 150 countries and spread without any user interaction.
• GandCrab is a Ransomware as a Service (RaaS) which allows any cybercriminal to utilize the software to execute attacks. GandCrab is spread via malicious emails where the victim is prompted to download a zip file containing the ransomware.
• REvil ransomware, also known as Sodinokibi, was first discovered in Italy in May 2019 and is known as the successor of GandCrab. REvil is a RaaS model for distribution and employs anti-kill technology to avoid detection by anti-malware software.
• Maze also steals the data it finds and exfiltrates it to servers controlled by malicious hackers, who then threaten to release it if a ransom is not paid. Increasingly, other ransomware (such as REvil, also known as Sodinokibi) have been observed using similar tactics.
• The analysis indicates that GoldenEye/Petya uses the same EternalBlue exploit employed by WannaCry to replicate laterally, in what IT folk refer to as the "worm" component of the malware.
Motivation
Ransomware is a class of malware that has significantly impacted enterprises and consumers. The aim of ransomware is financial gain through blackmail, by encrypting the victim's files or locking the victim's systems.
Recent ransomware statistics show that the damage cost of ransomware has been increasing annually. This project aims to facilitate the detection of ransomware by dynamically and statically analyzing and classifying ransomware behavior.
Ransomware Scope
• Sample selection
• 42 ransomware samples were selected for analysis during the project period. In this set, 11 samples have no decryptor tool on https://www.nomoreransom.org/; the other 31 may be decrypted without paying the ransom.
Table: Unbroken ransomware
# Ransomware
1 Fantom
2 Golden Eye
3 Locky
4 Maze
5 Notpetya
6 Petya
7 Pysa
8 Ransomexx
9 Revil
10 Wannacry
11 Lockfile

Table: Broken ransomware
# Ransomware
12 777
13 Alpha
14 Amnesia
15 Annabella
16 Aurora
17 Bart
18 Bigbobross
19 Cerber
20 Chimera v2
21 Cryptxxx
22 Darkside
23 Dharma
24 DragonCyber
25 Gomasom
26 GandCrab
27 Jaff
28 Jigsaw (Dolf version)
29 Jigsaw
30 Mira
31 Nemty
32 Ouroboros
33 Paradise
34 Pewcrypt
35 Puma
36 Rotor
37 Satana
38 Sava
39 Tesla v1
40 Thanatos
41 Zorab
42 Djvu
• Collecting Ransomware Binaries
• I collected ransomware binaries using the following sites.
• https://any.run/
• https://github.com/ytisf/theZoo
• https://github.com/Endermanch/MalwareDatabase
• https://www.tutorialjinni.com/
• Orçun Çetin also helped me to collect ransomware binaries.
Methodology
Tools and Strategies for Analyzing Ransomware
• Cuckoo Sandbox
  - Cuckoo Sandbox is the leading open-source automated malware analysis system.
• FLARE tools
  - FLARE VM is a freely available and open-sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers.
• Intezer
  - Intezer has created the world's first cyber immune system against malicious code. The company detects mutations of any threat seen in history by recognizing even the slightest amount of code reuse.
• VirusTotal
  - Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community.
• Ghidra*
  - Ghidra is one of many open-source software (OSS) projects developed within the National Security Agency.
• IDA Pro*
  - The IDA Disassembler and Debugger is an interactive, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA has become the de-facto standard for the analysis of hostile code, vulnerability research and commercial-off-the-shelf validation.
* Not used to analyze all ransomware samples.
• Cuckoo Sandbox: how does it work? (architecture diagram)
Deploying Analysis Environment
• Setting up the Cuckoo Sandbox environment
  - Cuckoo Sandbox was installed on the Ubuntu 18.04.05 operating system. (Image of the environment: https://drive.google.com/file/d/1tFAVcjeZNko8rNHrKGtG8yAcKjQoJZ_o/view?usp=sharing)
• Setting up the Flare VM environment
  - Flare VM was installed on a Windows 10 virtual machine. (Image of the environment: https://drive.google.com/file/d/16fJpQe8AJFIYJcLJaCyoWJ1f8EFuY5kD/view?usp=sharing)
• 9 ransomware samples could not perform malicious activity in the Cuckoo Sandbox environment.
Each ransomware sample was analyzed with Cuckoo Sandbox and Intezer. VirusTotal, Flare VM, Ghidra and IDA Pro were not used for all ransomware samples.
Determining Indicators
• Static Analysis Indicators
  - String obfuscation
  - Packed (Y/N)
  - Known packer (Y/N) (if it is packed)
  - One or more of the buffers contains an embedded PE file
  - Import library
  - Total library count
  - Import function (for less library)
  - Manipulation in imports (Y/N)
  - System
  - Compilation time stamp
Determining Indicators
• Dynamic Analysis Indicators
# Signature
1 Prevent recovery
2 Create executable files
3 Executable file (created by the ransomware) location (if 2 is yes)
4 VM check (Y/N)
5 Libraries used for VM check
6 Sandbox check (Y/N)
7 Libraries used for sandbox check
8 Debugger checks (Y/N)
9 Libraries used for debugger check
10 Install itself for autorun at Windows startup
11 Modify security settings
12 Network communications for possible code injection
13 Modifies WPAD proxy autoconfiguration file for traffic interception
14 Remote process injection
15 Create a process named as a common system process
16 Connects to dead host
17 Unpacking itself / code injection
18 Cmd line
19 Using Windows API to generate cryptographic key
20 Steals information
21 Cryptographic algorithm
22 Encryption type
23 Cannot perform dynamic analysis
24 Direct CPU clock access
25 Change desktop background
26 Check anti-virus
27 Inject malware (keylogger/trojan)
28 Run time delayed
29 Anti-VM check
Analyzing Phase
1. Collecting ransomware samples (https://any.run/)
2. Uploading to the Cuckoo environment
3. Uploading to the Intezer environment
4. Checking via VirusTotal and FLARE tools
5. Gathering the analyzed data
Evaluation
1. Classify the data with respect to the determined indicators. The following table displays how many indicators were detected on the Cuckoo and Intezer platforms.
Indicator Count
Packed 34
Create Executable File 32
Cmd usage 27
Code injection processing while unpacking 26
VM check 25
Install itself autorun starting Windows 24
Debugger Check 23
Privilege enumeration 22
Clean the evidence 21
Sandbox check 20
Known Packed 18
Created a process named as a common system process 18
Hidden Import 16
Prevent Recovery 15
Least import function 15
Buffer containing PE file 13
Connects dead host 12
Steals Information 12
Could not perform malicious activity on Cuckoo 12
Direct CPU clock access 12
Change background 12
Delayed executing 14
Remote process injection 11
Inject malicious program 11
Check Antivirus Tool 10
Modify Security Settings 9
Network Communication for Possible code injection 9
Using Windows API generate cryptographic key 9
String Obfuscating 6
Modifies WPAD proxy autoconfiguration file for traffic interception 6
Check system whether using anti-virtualization technique or not 5
Results
Known Packed Algorithm Distribution (chart): Confuser, Armadillo v1.71, malicious packer, UPX, SmartAssembly, BobSoft Mini Delphi, PureBasic 4.x -> Neil Hodgson, MinGW GCC 3.x (counts shown on the chart: 4, 3, 3, 2, 1, 1, 1, 1)
Libraries (for suspicious imports*) (Top 5, chart): kernel32.dll, mscoree.dll, user32.dll, ws2_32.dll, advapi32.dll (counts shown on the chart: 14, 6, 6, 4, 3)
*The number of imported functions was checked in order to determine suspicious imports.
Results
Prevent Recovery Methods (chart; counts shown: 11, 6, 4, 4, 2, 1, 1, 1, 1)
• vssadmin delete shadows /all /quiet
• bcdedit.exe /set {default} recoveryenabled no
• "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
• SELECT * FROM Win32_ShadowCopy
• wbadmin DELETE SYSTEMSTATEBACKUP
• "C:akitkfguwkeh......Windowsmm..system32yw....wbemlsbbpfhov......wmic.exe" shadowcopy delete (wmic.exe invoked through an obfuscated path padded with junk directories and ".." segments; path separators were lost in extraction)
• bcdedit.exe /set {current} recoveryenabled no
• wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
Results
Created Executable File Locations and Common Created Executable Files (chart; counts shown: 17, 11, 9, 5, 5)
• ..\AppData\Local\Temp\..
• ..\AppData\Roaming\..
• C:\Python27\Lib\test\empty.vbs
• C:\Python27\Lib\test\check_soundcard.vbs
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
• C:\Windows
Methods for installing itself for autorun at Windows startup (chart; counts shown: 11, 8, 3, 2, 1, 1)
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 12:50
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
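As an added example (not code from the presentation or from Cuckoo/Intezer), the Python below maps a simplified behaviour report to two of the deck's indicators from the two preceding result slides, "Prevent Recovery" and "Install itself for autorun", and normalizes the ".."-padded image path trick seen in the obfuscated wmic.exe command line so it still matches. The report layout (commands, registry_keys, file_writes) and all sample values are assumptions constructed for this example.

```python
"""Map sandbox-observed behaviour to two of the indicators used in this deck:
"Prevent Recovery" and "Install itself for autorun".

Added example, not part of the original presentation. The report layout
(commands, registry_keys, file_writes) is a constructed, simplified stand-in
for a Cuckoo behaviour report.
"""
import ntpath
import re

# Command lines the deck lists under "Prevent Recovery Methods".
PREVENT_RECOVERY = [
    (r"(^|\\)vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete shadows"),
    (r"(^|\\)bcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+recoveryenabled\s+no",
     "bcdedit recoveryenabled no"),
    (r"(^|\\)wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete"),
    (r"(^|\\)wbadmin(\.exe)?\s+delete\s+systemstatebackup", "wbadmin delete systemstatebackup"),
    (r"select\s+\*\s+from\s+win32_shadowcopy", "WMI query on Win32_ShadowCopy"),
]
# Autorun locations the deck lists: Run/RunOnce keys under HKCU, HKLM and
# Wow6432Node, the Startup folder, and a scheduled task created with schtasks.
AUTORUN_REGISTRY = re.compile(r"\\currentversion\\run(once)?(\\|$)", re.I)
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup(\\|$)", re.I)
SCHTASKS = re.compile(r"(^|\\)schtasks(\.exe)?\s+/create", re.I)


def split_image(cmd):
    """Split a command line into (image path, arguments); a quoted image may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def normalize_command(cmd):
    """Collapse '..' segments in the image path and lower-case the line, so an
    obfuscated path such as C:\\junk\\..\\Windows\\system32\\wbem\\wmic.exe (the
    trick seen on the Prevent Recovery slide) matches like a plain wmic.exe call."""
    image, args = split_image(cmd)
    if not image:
        return ""
    return (ntpath.normpath(image).lower() + " " + args.lower()).strip()


def classify(report):
    """Return {indicator: sorted evidence labels} for the indicators found."""
    found = {}

    def hit(indicator, evidence):
        found.setdefault(indicator, set()).add(evidence)

    for cmd in report.get("commands", []):
        norm = normalize_command(cmd)
        for pattern, label in PREVENT_RECOVERY:
            if re.search(pattern, norm, re.I):
                hit("Prevent Recovery", label)
        if SCHTASKS.search(norm):
            hit("Install itself for autorun", "schtasks /Create")
    for key in report.get("registry_keys", []):
        if AUTORUN_REGISTRY.search(key):
            hit("Install itself for autorun", "registry Run/RunOnce key")
    for path in report.get("file_writes", []):
        if STARTUP_FOLDER.search(path):
            hit("Install itself for autorun", "Startup folder")
    return {k: sorted(v) for k, v in found.items()}


# Constructed sample report, modelled on the command lines and locations the
# two result slides above list (values are made up for this example).
SAMPLE_REPORT = {
    "commands": [
        "vssadmin delete shadows /all /quiet",
        "bcdedit.exe /set {default} recoveryenabled no",
        '"C:\\akitkfguwkeh\\..\\Windows\\system32\\wbem\\wmic.exe" shadowcopy delete',
        'schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 12:50',
    ],
    "registry_keys": [
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    ],
    "file_writes": [
        r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
    ],
}

if __name__ == "__main__":
    for indicator, evidence in sorted(classify(SAMPLE_REPORT).items()):
        print(f"{indicator}: {', '.join(evidence)}")
```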
Results
Cleaning Evidence Methods (chart; counts shown: 7, 3, 2, 2)
• Deletes original binary from disk
• C:\Users\Administrator\AppData\Local\Microsoft\***:Zone.Identifier
• Clear web history
• C:\Users\..\AppData\Roaming\Microsoft\Windows\Cookies
• Deleting Windows Event Logs
Environment Check/Defense Methods
• Windows API to check for a virtual machine: GlobalMemoryStatusEx 18, GetDiskFreeSpaceExW 8, GetAdaptersAddresses 6
• Sandbox check: c:\agent.py 15, Process32NextW 11, c:\tmpfpoxbg\analyzer.py 4
• Debugger check: IsDebuggerPresent 23
• Delaying process: trying to sleep the process 14
• Inject malicious software: Bootkit 5, Keylogger 4, Hupigon file (Backdoor) 1, Tor Browser 1
• Created a process named as a common system process: explorer.exe 6, firefox.exe 3, svchost.exe 3, iexplorer.exe 1, rundll32.exe 1
Results
Enumerating Privileges (LookupPrivilegeValueW)
Privileges requested (chart; counts shown: 20, 16, 2, 2, 8, 4): SeBackupPrivilege, SeDebugPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeShutdownPrivilege, SeTcbPrivilege
• SeBackupPrivilege allows file content retrieval, even if the security descriptor on the file might not grant such access.
• SeRestorePrivilege allows file content modification, even if the security descriptor on the file might not grant such access. It can also be used to change the owner and protection.
• SeDebugPrivilege is required to debug and adjust the memory of a process owned by another account.
• SeTcbPrivilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege.
• SeShutdownPrivilege allows its holder to shut down the system.
• SeSecurityPrivilege lets you use Event Viewer to both view and clear the Security log and edit the audit control list of objects such as files, folders, printers, registry keys, and Active Directory (AD) objects.
Related MITRE ATT&CK tactics shown on the slide: Privilege Escalation, Defense Evasion, Credential Access, Persistence, Collection
Additional Work
The ransomware samples were also classified by MITRE ATT&CK framework categories in this project. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
Execution
  - Shared Modules 18
  - Native API 8
  - Command and Scripting Interpreter :: Unix Shell 6
Initial Access
  - Replication Through Removable Media 4
Persistence
  - Boot or Logon Autostart Execution :: Registry Run Keys / Startup Folder 18
  - Create or Modify System Process :: Windows Service 1
Defense Evasion
  - Process Injection 6
  - Deobfuscate/Decode Files or Information 4
  - Pre-OS Boot :: Bootkit 4
  - Software Packing 4
  - Impair Defenses :: Disable or Modify Tools 3
Credential Access
  - Unsecured Credentials :: Credentials In Files 7
  - Credentials from Web Browsers :: Steals credentials from Web Browsers 1
  - Steal Web Session Cookie 1
  - OS Credential Dumping 1
Discovery
  - Process Discovery 19
  - Software Discovery :: Security Software Discovery 10
  - Query Registry 8
  - System Information Discovery 7
  - File and Directory Discovery 1
Collection
  - Data Staged 12
  - Data from Local System 2
  - Input Capture :: Keylogging 2
  - Archive Collected Data 2
Command And Control
  - Encrypted Channel 2
  - Application Layer Protocol 2
  - Proxy :: Multi-hop Proxy 1
Conclusion
Summary diagram: Static Analysis, Windows API, MITRE ATT&CK Framework, Registry Modification, Classification
berilturkes@sabanciuniv.edu
Thank you for listening

More Related Content

Similar to Functional and Behavioral Analysis of Different Type of Ransomware.pptx

On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesMarcus Botacin
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupSymantec
 
End of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterEnd of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterAbdessabour Arous
 
The Duqu 2.0: Technical Details
The Duqu 2.0: Technical DetailsThe Duqu 2.0: Technical Details
The Duqu 2.0: Technical DetailsKaspersky
 
Slingshot APT - Critical Vulnerability through routers
Slingshot APT - Critical Vulnerability through routersSlingshot APT - Critical Vulnerability through routers
Slingshot APT - Critical Vulnerability through routersK. A. M Lutfullah
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...IJNSA Journal
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesYOU SHENG CHEN
 
Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering,  Available at: www....Malware analysis and detection using reverse Engineering,  Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....Research Publish Journals (Publisher)
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorUltraUploader
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsMehrdad Jingoism
 
Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
Analysis on NIMDA Worm in Windows | Exploitation | Detection | PropagationAnalysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
Analysis on NIMDA Worm in Windows | Exploitation | Detection | PropagationGayan Weerarathna
 
Ransomware: Emergence of the Cyber-Extortion Menace
Ransomware: Emergence of the Cyber-Extortion MenaceRansomware: Emergence of the Cyber-Extortion Menace
Ransomware: Emergence of the Cyber-Extortion MenaceZubair Baig
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 

Similar to Functional and Behavioral Analysis of Different Type of Ransomware.pptx (20)

On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
 
End of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterEnd of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse Center
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
 
The Duqu 2.0: Technical Details
The Duqu 2.0: Technical DetailsThe Duqu 2.0: Technical Details
The Duqu 2.0: Technical Details
 
Unveiling-Patchwork
Unveiling-PatchworkUnveiling-Patchwork
Unveiling-Patchwork
 
Slingshot APT - Critical Vulnerability through routers
Slingshot APT - Critical Vulnerability through routersSlingshot APT - Critical Vulnerability through routers
Slingshot APT - Critical Vulnerability through routers
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devices
 
Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering,  Available at: www....Malware analysis and detection using reverse Engineering,  Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
 
Windows 8 kasp1248
Windows 8 kasp1248Windows 8 kasp1248
Windows 8 kasp1248
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and worms
 
Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
Analysis on NIMDA Worm in Windows | Exploitation | Detection | PropagationAnalysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
 
Ransomware: Emergence of the Cyber-Extortion Menace
Ransomware: Emergence of the Cyber-Extortion MenaceRansomware: Emergence of the Cyber-Extortion Menace
Ransomware: Emergence of the Cyber-Extortion Menace
 
Spn year8 notes
Spn year8 notesSpn year8 notes
Spn year8 notes
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 

Recently uploaded

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 

Recently uploaded (20)

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 

Functional and Behavioral Analysis of Different Type of Ransomware.pptx

  • 1. Functional and Behavioral Analysis of Different Type of Ransomware. Beril TÜRKEŞ. Main Supervisor: Cemal YILMAZ
  • 2. Outline • Introduction • Evolution of Ransomware • Motivation • Ransomware Scope • Methodology • Deploying Analysis Environment • Determining Indicators • Analyzing Phase • Additional Work • Evaluation • Results 11.8.2022 Faculty of Engineering and Natural Science 2
  • 3. Introduction. Ransomware: ransomware is a type of malicious software (malware) that infects a system and prevents victims from accessing their data or system until a ransom is paid to unlock it. Table 1: Mindsight report
  • 4. Introduction. Table 2: Security Boulevard report. Table 2: Datto's Global State of the Channel Ransomware Report
  • 5. Evolution of Ransomware. The first known instance of ransomware is the AIDS Trojan developed and distributed by Dr. Joseph Popp in 1989 (Mungo and Clough 1992). Whilst this is the first known instance of a ransomware attack, it required manual delivery of the malicious software and physical payment of the ransom.
  • 6. Evolution of Ransomware (timeline slide; only the captions survive, the family names were in the image)
    • Threatens to delete a number of files for every hour the ransom is not paid.
    • Arrives as a macro embedded in a spam attachment, a new method identified at that time.
    • Delivered via Dropbox; modifies the Boot Record (MBR) of infected machines and encrypts the physical drive; ransom doubled if payment is not received in 7 days.
    • First ransomware to allow resiliency and persistence on victim machines.
    • Encrypts files. Biggest ransomware attack in history: infected over 230,000 computers in more than 150 countries and spread without any user interaction.
    • GandCrab is a Ransomware as a Service (RaaS) which allows any cybercriminal to utilize the software to execute attacks. GandCrab is spread via malicious emails where the victim is prompted to download a zip file containing the ransomware.
    • REvil ransomware, also known as Sodinokibi, was first discovered in Italy in May 2019 and is known as the successor of GandCrab. REvil is a RaaS model for distribution and employs anti-kill technology to avoid detection by anti-malware software.
    • Maze also steals the data it finds and exfiltrates it to servers controlled by malicious hackers, who then threaten to release it if a ransom is not paid. Increasingly, other ransomware (such as REvil, also known as Sodinokibi) have been observed using similar tactics.
    • The analysis indicates that GoldenEye/Petya uses the same EternalBlue exploit employed by WannaCry to replicate laterally, in what IT folk refer to as the "worm" component of the malware.
  • 7. Motivation. Ransomware is a class of malware that has significantly impacted enterprises and consumers. The aim of ransomware is financial gain, obtained by blackmailing the victim after encrypting the victim's files or locking the victim's systems. Recent ransomware statistics show that the cost of damage caused by ransomware has been increasing annually. This project aims to facilitate the detection of ransomware by dynamically and statically analyzing and classifying ransomware behavior.
  • 8. Ransomware Scope
    • Sample selection: 42 ransomwares were selected to analyze during the project period. In this set 11 ransomwares have no decryptor tool in «https://www.nomoreransom.org/»; the other 31 may be decrypted without paying the ransom.
    • Table: Unbroken ransomwares (no decryptor available)
      1 Fantom, 2 Golden Eye, 3 Locky, 4 Maze, 5 Notpetya, 6 Petya, 7 Pysa, 8 Ransomexx, 9 Revil, 10 Wannacry, 11 Lockfile
    • Table: Broken ransomwares (decryptor available)
      12 777, 13 Alpha, 14 Amnesia, 15 Annabella, 16 Aurora, 17 Bart, 18 Bigbobross, 19 Cerber, 20 Chimera v2, 21 Cryptxxx, 22 Darkside,
      23 Dharma, 24 DragonCyber, 25 Gomasom, 26 Grandcrab, 27 Jaff, 28 Jigsaw (Dolf version), 29 Jigsaw, 30 Mira, 31 Nemty, 32 Ouroboros,
      33 Paradise, 34 Pewcrypt, 35 Puma, 36 Rotor, 37 Satana, 38 Sava, 39 Tesla v1, 40 Thanatos, 41 Zorab, 42 Djvu
  • 9. Ransomware Scope
    • Collecting Ransomware Binaries: I collected ransomware binaries using the following sites.
      • https://any.run/
      • https://github.com/ytisf/theZoo
      • https://github.com/Endermanch/MalwareDatabase
      • https://www.tutorialjinni.com/
    • Orçun Çetin also helped me to collect ransomware binaries.
  • 10. Methodology. Tools and Strategies for Analyzing Ransomwares
    • Cuckoo Sandbox: Cuckoo Sandbox is the leading open-source automated malware analysis system.
    • Flare tools: FLARE VM is a freely available and open-sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers.
    • Intezer: Intezer has created the world's first cyber immune system against malicious code. The company detects mutations of any threat seen in history by recognizing even the slightest amount of code reuse.
    • Virustotal: Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.
    • Ghidra*: Ghidra is one of many open-source software (OSS) projects developed within the National Security Agency.
    • Ida Pro*: The IDA Disassembler and Debugger is an interactive, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA has become the de-facto standard for the analysis of hostile code, vulnerability research and commercial-off-the-shelf validation.
  • 11. Methodology. Cuckoo Sandbox: how does it work? (architecture diagram)
  • 12. Deploying Analysis Environment
    • Setting up Cuckoo Sandbox environment: Cuckoo Sandbox was installed on the Ubuntu 18.04.05 operating system (image of the environment: https://drive.google.com/file/d/1tFAVcjeZNko8rNHrKGtG8yAcKjQoJZ_o/view?usp=sharing).
    • Setting up Flare VM environment: Flare VM was installed on a Windows 10 operating system in a virtual machine (image of the environment: https://drive.google.com/file/d/16fJpQe8AJFIYJcLJaCyoWJ1f8EFuY5kD/view?usp=sharing).
    • Each ransomware was analyzed with Cuckoo Sandbox and Intezer. Virustotal, Flare VM, Ghidra and Ida Pro were not used to analyze the whole set of ransomware samples.
    • 9 ransomware samples could not perform malicious activity in the Cuckoo Sandbox environment.
  • 13. Determining Indicators. Static Analysis Indicators
    • String Obfuscation
    • Packed (Y/N)
    • Known Packer (Y/N) (if it is packed)
    • One or more of the buffers contains an embedded PE file
    • Import Library
    • Total Library count
    • Import function (for less library)
    • Manipulation in Imports (Y/N)
    • System
    • Compilation Time Stamp
  • 14. Determining Indicators. Dynamic Analysis Indicators (# Signature)
    1 Prevent Recovery
    2 Create Executable Files
    3 Executable File (which are created by ransomware) location (if it is yes)
    4 VM check (Y/N)
    5 Libraries used for VM check
    6 Sandbox check (Y/N)
    7 Libraries used for Sandbox check
    8 Debugger checks (Y/N)
    9 Libraries used for debugger check
    10 Install itself for autorun Starting Windows
    11 Modify security settings
    12 Network communications for possible code injection
    13 Modifies WPAD proxy autoconfiguration file for traffic interception
    14 Remote process injection
    15 Create a process named as a common system process
    16 Connects dead host
    17 Unpacking itself code injection
    18 Cmd Line
    19 Using Windows API generate cryptographic key
    20 Steals information
    21 Cryptographic algorithm
    22 Encrypt type
    23 Cannot Perform Dynamic Analysis
    24 Direct-Cpu-Clock-Access
    25 Change desktop background
    26 Check anti virus
    27 Inject malware (keylogger/trojan)
    28 Run Time Delayed
    29 Anti-VM Check
  • 15. Analyzing Phase. 1. Collecting Ransomware samples (https://any.run/). 2. Uploading to the Cuckoo environment.
  • 16. Analyzing Phase. 3. Uploading to the Intezer environment. 4. Checking via Virus Total and Flare Tools.
  • 17. Analyzing Phase. 5. Gathering analyzed data.
  • 18. Evaluation. 1. Classify data with respect to the determined indicators. The following tables display how many indicators were detected in the Cuckoo and Intezer platforms.
    • Indicator / Count (first table)
      Packed 34; Create Executable File 32; Cmd usage 27; Code injection processing while unpacking 26; VM check 25; Install itself autorun starting Windows 24; Debugger Check 23; Privilege enumeration 22; Clean the evidence 21; Sandbox check 20; Known Packed 18; Created a process named as a common system process 18; Hidden Import 16; Prevent Recovery 15; Least import function 15
    • Indicator / Count (second table)
      Buffer containing PE file 13; Connects dead host 12; Steals Information 12; Could not perform malicious activity on Cuckoo 12; Direct Cpu clock access 12; Change background 12; Delayed executing 14; Remote process injection 11; Inject malicious program 11; Check Antivirus Tool 10; Modify Security Settings 9; Network Communication for Possible code injection 9; Using Windows API generate cryptographic key 9; String Obfuscating 6; Modifies WPAD proxy autoconfiguration file for traffic interception 6; Check system whether using anti virtualization technique or not 5
  • 19. Results
    • Known Packer Algorithm Distribution: Confuser 4; Armadillo v1.71 3; malicious packer 3; UPX 2; SmartAssembly 1; BobSoft Mini Delphi 1; PureBasic 4.x -> Neil Hodgson 1; MinGW GCC 3.x 1
    • Libraries (for suspicious imports*) (Top 5): kernel32.dll 14; mscoree.dll 6; user32.dll 6; ws2_32.dll 4; advapi32.dll 3
    • *The import function count is checked in order to determine suspicious imports.
  • 20. Results. Prevent Recovery Methods (chart counts as shown: 11, 6, 4, 4, 2, 1, 1, 1, 1)
    • vssadmin delete shadows /all /quiet
    • bcdedit.exe /set {default} recoveryenabled no
    • "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    • SELECT * FROM Win32_ShadowCopy
    • wbadmin DELETE SYSTEMSTATEBACKUP
    • "C:\akitkfguwkeh\...\Windows\mm\..\system32\yw\...\wbem\lsbbpfhov\...\wmic.exe" shadowcopy delete (wmic path padded with junk directories and ".." components)
    • bcdedit.exe /set {current} recoveryenabled no
    • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • 21. Results
    • Created Executable File Locations and Created Executable Common Files (chart counts as shown: 17, 11, 9, 5, 5)
      • ..\AppData\Local\Temp\..
      • ..\AppData\Roaming\..
      • C:\Python27\Lib\test\empty.vbs
      • C:\Python27\Lib\test\check_soundcard.vbs
      • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
      • C:\Windows
    • Methods for installing itself for autorun starting Windows
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 11
      • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 8
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 2
      • schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 12:50 1
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run 1
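The recovery-prevention commands (slide 20) and autorun methods (slide 21) are the kind of indicators a sandbox report or EDR command-line log can be matched against. The following Python is an added example, not part of the thesis or Cuckoo; the rule names, the sample command lines and the junk-directory path are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of process command lines, modelled on the recovery-prevention
# and autorun methods listed on the slides (not data from the thesis's own analysis).
SAMPLE_CMDLINES = [
    r'vssadmin delete shadows /all /quiet',
    r'bcdedit.exe /set {default} recoveryenabled no',
    r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
    r'wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest',
    # junk directories backed out with "..", as in the obfuscated wmic.exe path (constructed)
    r'"C:\zqxv\..\Windows\system32\wbem\wmic.exe" shadowcopy delete',
    r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 12:50',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\Administrator\AppData\Local\Temp\a.exe',
    r'notepad.exe C:\Users\Administrator\Desktop\notes.txt',  # benign control line
]

# One indicator per group; each pattern covers one method from the slides.
RULES = {
    "prevent_recovery": [
        re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows', re.I),
        re.compile(r'wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I),
        re.compile(r'bcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+recoveryenabled\s+no', re.I),
        re.compile(r'wbadmin\s+delete\s+systemstatebackup', re.I),
    ],
    "autorun_persistence": [
        re.compile(r'\\CurrentVersion\\Run(Once)?\b', re.I),
        re.compile(r'\\Start Menu\\Programs\\Startup\b', re.I),
        re.compile(r'schtasks(\.exe)?\s+/create', re.I),
    ],
}

def path_has_junk_dirs(cmdline):
    """True when the command line contains a '\\..\\' hop: junk directories inserted
    and immediately backed out so the string no longer equals the plain tool path."""
    return bool(re.search(r'\\\.\.\\', cmdline))

def classify(cmdline):
    """Return the list of indicator names a single command line evidences."""
    hits = [name for name, pats in RULES.items() if any(p.search(cmdline) for p in pats)]
    if path_has_junk_dirs(cmdline):
        hits.append("obfuscated_path")
    return hits

def summarize(cmdlines):
    """Count indicators over a whole command-line log, like the slide's per-indicator totals."""
    counts = Counter()
    for line in cmdlines:
        counts.update(classify(line))
    return dict(counts)

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line) or "-", "<-", line)
    print(summarize(SAMPLE_CMDLINES))
```

Matching on the tool name and verb rather than on the full path is what keeps the padded-path variant detectable.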
  • 22. Results
    • Cleaning Evidence Methods (chart counts as shown: 7, 3, 2, 2)
      • Deletes original binary from disk
      • C:\Users\Administrator\AppData\Local\Microsoft\***:Zone.Identifier
      • Clear Web History
      • C:\Users\..\AppData\Roaming\Microsoft\Windows\Cookies
      • Deleting Windows Event Logs
    • Environment Check/Defense Methods
      • Windows API to check Virtual Machine: GlobalMemoryStatusEx 18; GetDiskFreeSpaceExW 8; GetAdaptersAddresses 6
      • Sandbox Check: c:\agent.py 15; Process32NextW 11; c:\tmpfpoxbg\analyzer.py 4
      • Debugger Check: IsDebuggerPresent 23
      • Delaying Process: Trying to sleep process 14
    • Inject Malicious Software: Bootkit 5; Keylogger 4; Hupigon file (Backdoor) 1; Tor Browser 1
    • Created a process named as a common system process: explorer.exe 6; firefox.exe 3; svchost.exe 3; iexplorer.exe 1; rundll32.exe 1
  • 23. Results. Enumerating Privileges (LookupPrivilegeValueW): SeBackupPrivilege 20; SeDebugPrivilege 16; SeRestorePrivilege 2; SeSecurityPrivilege 2; SeShutdownPrivilege 8; SeTcbPrivilege 4
    • SeBackupPrivilege allows file content retrieval, even if the security descriptor on the file might not grant such access.
    • SeRestorePrivilege allows file content modification, even if the security descriptor on the file might not grant such access. This function can also be used to change the owner and protection.
    • SeDebugPrivilege is required to debug and adjust the memory of a process owned by another account.
    • SeTcbPrivilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege.
    • SeShutdownPrivilege allows the holder to shut down the system.
    • SeSecurityPrivilege lets you use Event Viewer to both view and clear the Security log and edit the audit control list of objects such as files, folders, printers, registry keys, and Active Directory (AD) objects.
    • Related ATT&CK tactics: Privilege Escalation, Defense Evasion, Credential Access, Persistence, Collection
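The environment checks on slide 22 and the privilege enumeration on slide 23 are both observable in a sandbox API trace. The following Python is an added example, not thesis or Cuckoo code; the record shape is a simplified, constructed stand-in for a behaviour report (not Cuckoo's exact schema) and the one-minute sleep threshold is an assumption.

```python
import re
from collections import Counter

# Constructed, simplified API-call trace (not Cuckoo's report schema, not thesis data):
# each record is the called API plus only the arguments that matter for classification.
SAMPLE_TRACE = [
    {"api": "GlobalMemoryStatusEx", "args": {}},
    {"api": "GetDiskFreeSpaceExW", "args": {"root": "C:\\"}},
    {"api": "GetAdaptersAddresses", "args": {}},
    {"api": "FindFirstFileExW", "args": {"filepath": "c:\\agent.py"}},   # looks for the sandbox agent
    {"api": "Process32NextW", "args": {"process_name": "python.exe"}},
    {"api": "IsDebuggerPresent", "args": {}},
    {"api": "NtDelayExecution", "args": {"milliseconds": 600000}},       # ten-minute sleep
    {"api": "NtDelayExecution", "args": {"milliseconds": 10}},           # ordinary short sleep
    {"api": "LookupPrivilegeValueW", "args": {"privilege_name": "SeDebugPrivilege"}},
    {"api": "LookupPrivilegeValueW", "args": {"privilege_name": "SeBackupPrivilege"}},
    {"api": "LookupPrivilegeValueW", "args": {"privilege_name": "SeDebugPrivilege"}},
    {"api": "CreateFileW", "args": {"filepath": "C:\\Users\\Administrator\\Desktop\\a.docx"}},
]

# APIs the slides list as environment checks, keyed by the indicator they evidence.
API_INDICATORS = {
    "GlobalMemoryStatusEx": "vm_check",
    "GetDiskFreeSpaceExW": "vm_check",
    "GetAdaptersAddresses": "vm_check",
    "Process32NextW": "sandbox_check",
    "IsDebuggerPresent": "debugger_check",
}
SANDBOX_FILES = re.compile(r'\\(agent|analyzer)\.py$', re.I)   # c:\agent.py, c:\tmp...\analyzer.py
LONG_SLEEP_MS = 60_000   # assumption: a sleep of a minute or more counts as delayed execution

def classify_call(call):
    """Return the indicator a single API call evidences, or None for ordinary activity."""
    api, args = call["api"], call["args"]
    if api in API_INDICATORS:
        return API_INDICATORS[api]
    if SANDBOX_FILES.search(args.get("filepath", "")):
        return "sandbox_check"
    if api == "NtDelayExecution" and args.get("milliseconds", 0) >= LONG_SLEEP_MS:
        return "delayed_execution"
    if api == "LookupPrivilegeValueW":
        return "privilege_enumeration"
    return None

def analyze_trace(trace):
    """Count indicators over a trace and tally which privileges were looked up."""
    indicators, privileges = Counter(), Counter()
    for call in trace:
        ind = classify_call(call)
        if ind:
            indicators[ind] += 1
        if ind == "privilege_enumeration":
            privileges[call["args"]["privilege_name"]] += 1
    return dict(indicators), dict(privileges)

if __name__ == "__main__":
    print(analyze_trace(SAMPLE_TRACE))
```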
  • 24. Additional Work. Ransomwares were also classified into MITRE ATT&CK framework categories in this project. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
    • Execution: Shared Modules 18; Native API 8; Command and Scripting Interpreter :: Unix Shell 6
    • Initial Access: Replication Through Removable Media 4
    • Persistence: Boot or Logon Autostart Execution :: Registry Run Keys / Startup Folder 18; Create or Modify System Process :: Windows Service 1
    • Defense Evasion: Process Injection 6; Deobfuscate/Decode Files or Information 4; Pre-OS Boot :: Bootkit 4; Software Packing 4; Impair Defenses :: Disable or Modify Tools 3
    • Credential Access: Unsecured Credentials :: Credentials In Files 7; Credentials from Web Browsers :: Steals credentials from Web Browsers 1; Steal Web Session Cookie 1; OS Credential Dumping 1
    • Discovery: Process Discovery 19; Software Discovery :: Security Software Discovery 10; Query Registry 8; System Information Discovery 7; File and Directory Discovery 1
    • Collection: Data Staged 12; Data from Local System 2; Input Capture :: Keylogging 2; Archive Collected Data 2
    • Command And Control: Encrypted Channel 2; Application Layer Protocol 2; Proxy :: Multi-hop Proxy 1
  • 25. Conclusion: Classification; Static Analysis; Windows API; Mitre Attack Framework; Registry Modification
  • 26. berilturkes@sabanciuniv.edu
  • 27. Thank you for listening