Article: Defence against crypto-ransomware families using dynamic binary instrumentation and DLL injection Journal: International Journal of Electronic Security and Digital Forensics (IJESDF) 2023 Vol.15 No.4 pp.424 - 442 Abstract: In recent years, ransomware incidents are increasingly predominant among the nation's state-sponsored hacker groups. The expertise and ease of deploying ransomware continue to evolve. It is imperative to have comprehensive methods to defend against sophisticated ransomware attacks. This study focused on a two-step approach to classify and prevent file encryption caused by cryptographic ransomware. In this paper, the ransomware families such as Ryuk, Thanos, Cerber, Jigsaw, Teslacrypt, Wannacry, Satana and Lockergoga image loading sequences (ILS) in memory were identified using the Intel PIN tool and developed a method for association mapping to classify crypto-ransomware families. Furthermore, the windows application programming interface (WinAPI) were used for hooking crypto-ransomware samples. It was observed that Kernel32.dll, ADVAPI32.dll, Cryptsp.dll, rsaenh.dll and ws2_32.dll as the most common dynamic linked libraries (DLLs) in the ransomware families. An approach to hook the CreateFileW function in the Kernel32.dll was applied as a proof of concept to prevent file encryption. The results of the present study demonstrated the successful application of DBI to identify and classify new crypto-ransomware variants from similar families and hook the WinAPI function of the Jigsaw, Zemblax and Cerber ransomware. Inderscience Publishers - linking academia, business and industry through research

Title: Defence against crypto-ransomware families using dynamic binary instrumentation and DLL injection

Authors: Sundaresan Ramachandran; Jeet Rami; Abhinav Shah; Kyounggon Kim; Digvijaysinh Mahendrasinh Rathod

Addresses: Centre of Excellence in Cybercrimes and Digital Forensics, Naif Arab University for Security Sciences, Riyadh, Saudi Arabia ' School of Cybersecurity and Digital Forensics, National Forensic Sciences University, Gujarat, India ' School of Cybersecurity and Digital Forensics, National Forensic Sciences University, Gujarat, India ' Centre of Excellence in Cybercrimes and Digital Forensics, Naif Arab University for Security Sciences, Riyadh, Saudi Arabia ' School of Cybersecurity and Digital Forensics, National Forensic Sciences University, Gujarat, India

Abstract: In recent years, ransomware incidents are increasingly predominant among the nation's state-sponsored hacker groups. The expertise and ease of deploying ransomware continue to evolve. It is imperative to have comprehensive methods to defend against sophisticated ransomware attacks. This study focused on a two-step approach to classify and prevent file encryption caused by cryptographic ransomware. In this paper, the ransomware families such as Ryuk, Thanos, Cerber, Jigsaw, Teslacrypt, Wannacry, Satana and Lockergoga image loading sequences (ILS) in memory were identified using the Intel PIN tool and developed a method for association mapping to classify crypto-ransomware families. Furthermore, the windows application programming interface (WinAPI) were used for hooking crypto-ransomware samples. It was observed that Kernel32.dll, ADVAPI32.dll, Cryptsp.dll, rsaenh.dll and ws2_32.dll as the most common dynamic linked libraries (DLLs) in the ransomware families. An approach to hook the CreateFileW function in the Kernel32.dll was applied as a proof of concept to prevent file encryption. The results of the present study demonstrated the successful application of DBI to identify and classify new crypto-ransomware variants from similar families and hook the WinAPI function of the Jigsaw, Zemblax and Cerber ransomware.

Keywords: malware; ransomware; dynamic analysis; binary instrumentation; image loading sequences; ILS; API hooking; DLL injection.

DOI: 10.1504/IJESDF.2023.131961

International Journal of Electronic Security and Digital Forensics, 2023 Vol.15 No.4, pp.424 - 442

Received: 16 Jun 2022
Accepted: 05 Oct 2022
Published online: 05 Jul 2023 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: Defence against crypto-ransomware families using dynamic binary instrumentation and DLL injection

Keep up-to-date