WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms

• Autorzy: Akbanov Maxat , Vassilakis Vassilios G. , Logothetis Michael D.

Identyfikatory

DOI

10.26636/jtit.2019.130218

• Języki publikacji: EN

Abstrakty

EN

In recent years, we have been experiencing fast proliferation of different types of ransomware targeting home users, companies and even critical telecommunications infrastructure elements. Modern day ransomware relies on sophisticated infection, persistence and recovery prevention mechanisms. Some recent examples that received significant attention include WannaCry, Petya and BadRabbit. To design and develop appropriate defense mechanisms, it is important to understand the characteristics and the behavior of different types of ransomware. Dynamic analysis techniques are typically used to achieve that purpose, where the malicious binaries are executed in a controlled environment and are then observed. In this work, the dynamic analysis results focusing on the infamous WannaCry ransomware are presented. In particular, WannaCry is examined, during its execution in a purpose-built virtual lab environment, in order to analyze its infection, persistence, recovery prevention and propagation mechanisms. The results obtained may be used for developing appropriate detection and defense solutions for WannaCry and other ransomware families that exhibit similar behaviors.

Słowa kluczowe

EN

dynamic malware analysis; ransomware; WannaCry

• Wydawca: Instytut Łączności - Państwowy Instytut Badawczy
• Czasopismo: Journal of Telecommunications and Information Technology
• Rocznik: 2019
• Tom: nr 1
• Strony: 113--124
• Opis fizyczny: Bibliogr. 27 poz., rys., tab.

Twórcy

autor

Akbanov Maxat

• Department of Computer Science, University of York, Deramore Lane, Heslington, York YO10 5GH, United Kingdom

autor

Vassilakis Vassilios G.

• University of York York, YO10 5DD, United Kingdom

autor

Logothetis Michael D.

• Wire Communications Laboratory, Department of Electrical and Computer Engineering, University of Patras, 265 04 Patras, Greece

Bibliografia

• [1] D. O'Brien, „Ransomware 2017", Internet Security Threat Report, Symantec, July 2017 [Online]. Available: https://www.symantec.com/content/dam/symantec/docs/security- center/white-papers/istr-ransomware-2017-en.pdf
• [2] K. Savage, P. Coogan, and H. Lau, „The evolution of ransomware", Security Response, Symantec, June 2015 [Online]. Available: http://www.symantec.com/content/en/us/enterprise/ media/security response/whitepapers/the-evolution-of-ransomware.pdf
• [3] A. Zeichnick, „Self-propagating ransomware: What the WannaCry ransomworm means for you", May 2017 [Online]. Available: https://www.networkworld.com/article/3196993/security/self- propagating-ransomware-what-the-wannacry-ransomworm-means- for-you.html
• [4] „Ransom.Wannacry", Symantec, May 2017 [Online]. Available: https://www.symantec.com/security-center/writeup/2017-051310- 3522-99/
• [5] „Petya - taking ransomware to the low level", Malwarebytes Labs, Jun. 2017 [Online]. Available: https://blog.malwarebytes.com/ threat-analysis/2016/04/petya-ransomware/
• [6] „Petya ransomware eats your hard drives", Kaspersky Labs, Jun. 2017 [Online]. Available: https://www.kaspersky.com/blog/ petya-ransomware/11715
• [7] „Bad Rabbit: A new ransomware epidemic is on the rise", Kaspersky Labs, Oct. 2017 [Online]. Available: https://www.kaspersky.com/ blog/bad-rabbit-ransomware/19887/
• [8] M. Akbanov, V. G. Vassilakis, I. D. Moscholios, and M. D. Lo- gothetis, „Static and dynamic analysis of WannaCry ransmware", in Proc. IEICE Inform. and Commun. Technol. Forum ICTF 2018, Graz, Austria, 2018.
• [9] C. Everett, „Ransomware: To pay or not to pay?", Comp. Fraud & Secur., vol. 2016, no. 4, pp. 8-12, 2016 (doi: 10.1016/S1361-3723(16)30036-7).
• [10] „Understanding ransomware and strategies to defeat it", McAfee Labs, White Paper, 2016 [Online]. Available: https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-understanding-ransomware-strategies-defeat.pdf
• [11] „What you need to know about the WannaCry ransomware", Symantec, Threat Intelligence, Oct. 2017, [Online]. Available: https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack
• [12] Microsoft Security Bulletin MS17-010 - Critical, March 14, 2017 [Online]. Available: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
• [13] ViRus Share malware repository [Online]. Available: https://virusshare.com (accessed Nov. 30, 2018).
• [14] „REMnux: A Linux toolkit for reverse-engineering and analyzing malware" [Online]. Available: https://remnux.org (accessed Nov. 30, 2018).
• [15] SysAnalyzer - Automated malcode analysis system [Online]. Available: https://github.com/dzzie/SysAnalyzer (accessed Nov. 30, 2018).
• [16] Pestudio, Malware Assessment Tool [Online]. Available: https://www.winitor.com (accessed Nov. 30, 2018).
• [17] OllyDbg - A 32-bit assembler level debugger for Microsoft Win- dows [Online]. Available: http://www.ollydbg.de/ (accessed Nov. 30, 2018).
• [18] IDA: Pro [Online]. Available: https://www.hex-rays.com/ products/ida (accessed Nov. 30, 2018).
• [19] Tor Project [Online]. Available: https://www.torproject.org (accessed Nov. 30, 2018).
• [20] „WinHex: Computer forensics and data recovery software" [On- line]. Available: https://www.x-ways.net/winhex (accessed Nov. 30, 2018).
• [21] B. Nunes, M. Mendonca, X. N. Nguyen, K. Obraczka, and T. Turletti, „A survey of software-defined networking: Past, present, future of programmable networks", IEEE Commun. Surveys & Tutor., vol. 16, no. 3, pp. 1617-1634, 2014 (doi: 10.1109/SURV.2014.012214.00180).
• [22] V. G. Vassilakis, I. D. Moscholios, B. A. Alzahrani, and M. D. Logo- thetis, „A software-defined architecture for next-generation cellular networks", in Proc. IEEE Int. Conf. on Commun. ICC 2016, Kuala Lumpur, Malaysia, 2016 (doi: 10.1109/ICC.2016.7511018).
• [23] C. Yoon, T. Park, S. Lee, H. Kang, S. Shin, and Z. Zhang, „Enabling security functions with SDN: A feasibility study", Comp. Netw., vol. 85, pp. 19-35, 2015 (doi: 10.1016/j.comnet.2015.05.005).
• [24] J. M. Ceron, C. B. Margi, and L. Z. Granville, „MARS: An SDN- based malware analysis solution", Proc. IEEE Symp. on Comp. and Commun. ISCC 2016, Messina, Italy, 2016 (doi: 10.1109/ISCC.2016.7543792).
• [25] V. G. Vassilakis, I. D. Moscholios, B. A. Alzahrani, and M. D. Logo- thetis, „On the security of software-defined next-generation cellular networks", in Proc. IEICE Inform. and Commun. Technol. Forum ICTF 2016, Patras, Greece, 2016.
• [26] K. Cabaj and W. Mazurczyk, „Using software-defined networking for ransomware mitigation: The case of CryptoWall", IEEE Network, vol. 30, no. 6, pp. 14-20, 2016 (doi: 10.1109/MNET.2016.1600110NM).
• [27] K. Cabaj, M. Gregorczyk, and W. Mazurczyk, „Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics", Comp. & Elec. Engin., vol. 66, pp. 353-386, 2018 (doi: 10.1016/j.compeleceng.2017.10.012).

Uwagi

Opracowanie rekordu w ramach umowy 509/P-DUN/2018 ze środków MNiSW przeznaczonych na działalność upowszechniającą naukę (2019).