Title: Defence against crypto-ransomware families using dynamic binary instrumentation and DLL injection
Authors: Sundaresan Ramachandran; Jeet Rami; Abhinav Shah; Kyounggon Kim; Digvijaysinh Mahendrasinh Rathod
Addresses: Centre of Excellence in Cybercrimes and Digital Forensics, Naif Arab University for Security Sciences, Riyadh, Saudi Arabia; School of Cybersecurity and Digital Forensics, National Forensic Sciences University, Gujarat, India; School of Cybersecurity and Digital Forensics, National Forensic Sciences University, Gujarat, India; Centre of Excellence in Cybercrimes and Digital Forensics, Naif Arab University for Security Sciences, Riyadh, Saudi Arabia; School of Cybersecurity and Digital Forensics, National Forensic Sciences University, Gujarat, India
Abstract: In recent years, ransomware incidents have become increasingly predominant among nation-state-sponsored hacker groups. The expertise behind ransomware and the ease of deploying it continue to evolve, so comprehensive methods to defend against sophisticated ransomware attacks are imperative. This study takes a two-step approach to classifying crypto-ransomware and preventing the file encryption it causes. In this paper, the in-memory image loading sequences (ILS) of ransomware families such as Ryuk, Thanos, Cerber, Jigsaw, Teslacrypt, Wannacry, Satana and Lockergoga were identified using the Intel PIN tool, and an association mapping method was developed to classify crypto-ransomware families from them. Furthermore, Windows application programming interface (WinAPI) hooking was applied to crypto-ransomware samples. Kernel32.dll, ADVAPI32.dll, Cryptsp.dll, rsaenh.dll and ws2_32.dll were observed to be the dynamic link libraries (DLLs) most common across the ransomware families. As a proof of concept, the CreateFileW function in Kernel32.dll was hooked to prevent file encryption. The results of the present study demonstrate that dynamic binary instrumentation (DBI) can identify and classify new crypto-ransomware variants of similar families, and that the WinAPI function used by the Jigsaw, Zemblax and Cerber ransomware can be hooked.
Keywords: malware; ransomware; dynamic analysis; binary instrumentation; image loading sequences; ILS; API hooking; DLL injection.
DOI: 10.1504/IJESDF.2023.131961
International Journal of Electronic Security and Digital Forensics, 2023 Vol.15 No.4, pp.424 - 442
Received: 16 Jun 2022
Accepted: 05 Oct 2022
Published online: 05 Jul 2023
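The abstract's first step, classifying a sample by its image loading sequence, as an added illustration that is not code from the paper: the paper records ILS with Intel PIN and uses its own association mapping, whereas the log line format, the per-family reference sequences and the longest-common-subsequence similarity below are assumptions made for this example.

```python
# Added example, not the paper's code. Parses a constructed PIN-style image-load
# log into an ILS and maps it to the closest family by order-preserving overlap
# (longest common subsequence); the reference ILS are constructed, not measured.
import re

# Constructed reference ILS per family (not measurements from the paper).
FAMILY_ILS = {
    "Jigsaw": ["ntdll.dll", "kernel32.dll", "kernelbase.dll", "advapi32.dll", "cryptsp.dll", "rsaenh.dll"],
    "Cerber": ["ntdll.dll", "kernel32.dll", "kernelbase.dll", "ws2_32.dll", "advapi32.dll", "cryptsp.dll", "rsaenh.dll"],
    "Wannacry": ["ntdll.dll", "kernel32.dll", "kernelbase.dll", "ws2_32.dll", "advapi32.dll"],
}

# Assumed line format emitted by an image-load callback: "Loading <path>".
IMAGE_LOAD_RE = re.compile(r"^Loading\s+(?P<path>\S+)", re.IGNORECASE)

def parse_ils(log_text):
    """Return distinct image base names (lower-cased) in first-load order."""
    seq = []
    for line in log_text.splitlines():
        m = IMAGE_LOAD_RE.match(line.strip())
        if not m:
            continue
        name = m.group("path").rsplit("\\", 1)[-1].lower()
        if name not in seq:  # keep the first load only; the order is the signal
            seq.append(name)
    return seq

def lcs_len(a, b):
    """Length of the longest common subsequence of two ILS (dynamic programming)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def classify(sample_ils, refs=FAMILY_ILS, threshold=0.7):
    """Best-matching family by normalised LCS, or None when no family clears the threshold."""
    scores = {fam: lcs_len(sample_ils, ref) / max(len(sample_ils), len(ref))
              for fam, ref in refs.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores

# Constructed image-load log for an unknown sample (not a real trace).
SAMPLE_LOG = r"""
Loading C:\Windows\SysWOW64\ntdll.dll
Loading C:\Windows\SysWOW64\kernel32.dll
Loading C:\Windows\SysWOW64\KernelBase.dll
Loading C:\Windows\SysWOW64\advapi32.dll
Loading C:\Windows\SysWOW64\cryptsp.dll
Loading C:\Windows\SysWOW64\rsaenh.dll
"""
```

Running `classify(parse_ils(SAMPLE_LOG))` maps the constructed sample to Jigsaw with score 1.0, while a short sequence such as `["ntdll.dll", "kernel32.dll", "user32.dll"]` falls below the threshold and is left unclassified.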