
ResearchGate cover sheet (https://www.researchgate.net/publication/333834813): listed as "A basic malware analysis method", Article in Computer Fraud & Security, June 2019, DOI: 10.1016/S1361-3723(19)30064-8. Author: Ilker Kara, Çankırı Karatekin Üniversitesi. Uploaded by Ilker Kara on 14 December 2020.


Cyber Fraud: Detection and Analysis of the Crypto-Ransomware

Ilker KARA* and Murat AYDOS

Ilker KARA: Department of Medical Services and Techniques, Eldivan Medical Services Vocational School, 18000 Cankiri Karatekin University, Cankiri, TURKEY. Corresponding Author: [email protected]

Murat AYDOS: Department of Computer Engineering, Hacettepe University, Beytepe 06800 Ankara, TURKEY. [email protected]

Abstract—Currently, as the widespread use of virtual monetary units (like Bitcoin, Ethereum, Ripple, Litecoin) has begun, people with bad intentions have been attracted to this area and have produced and marketed ransomware in order to obtain virtual currency easily. This ransomware infiltrates the victim's system with smartly-designed methods and encrypts the files found in the system. After the encryption process, the attacker leaves a message demanding a ransom in virtual currency to open access to the encrypted files and warns that otherwise the files will not be accessible. This type of ransomware is becoming more popular over time, so currently it is the largest information technology security threat. In the literature, there are many studies about detection and analysis of this cyber-bullying. In this study, we focused on crypto-ransomware and investigated a forensic analysis of a current attack example in detail. In this example, the attack method and behavior of the crypto-ransomware were analyzed and it was identified that information belonging to the attacker was accessible. With this dimension, we think our study will significantly contribute to the struggle against this threat.

Index Terms—Ransomware Analysis, Crypto-Ransomware, Cybersecurity.

I. INTRODUCTION

In addition to the convenience created by rapid developments in the field of technology and information, new threats have emerged [1]. Attackers rapidly adapting to new technologies have changed the target, type and methods of attack [2]. In order for public organizations and institutions, private companies and simple internet users to deal with these threats, they need to use a new generation of security precautions [3]. In spite of all precautions, cyber-attacks have continued to increase. Currently the most commonly observed cyber-attacks are ransomware [4]. Ransomware is harmful software or malware which encrypts the victim's personal files and folders and demands a ransom [5]. Ransomware is generally investigated in two categories [6]: crypto-ransomware and crypto locker ransomware. Crypto-ransomware is accepted as the first example of modern ransomware [7,8]. This malware obstructs the operating system or system entry of the victim until the ransom is paid. Payment of the ransom is generally demanded by telephone message, via an electronic card system or a prepaid card system code. Crypto-ransomware prevents access by encrypting a certain section of files, and entering an appropriate code key opens the files for access again. Crypto-ransomware is the most popular malware observed in recent times. With the spread of virtual currency use around the world, it has become a focus of interest for attackers. The convenience of virtual currencies and the inability to trace them form the basis of the designed malware. Crypto-ransomware can delete files from the victim's system after encryption [9].

When the user attempts to access the desired files, a message is shown on the screen stating that the files are encrypted and payment is required. After the encrypted files are deleted from the victim's system, they are stored in an area belonging to the attacker and a promise is made that they will be reopened for sharing when the ransom is paid. Investigated examples show that even if the ransom is paid it is nearly impossible to access the encrypted files [10].

II. HOW IS RANSOMWARE TRANSMITTED?

Unfortunately, currently the internet and applications based on it are frequently used by people with bad intentions, and these digital platforms have become a great threat. One of the cyber threats which is becoming more popular in recent times is ransomware. Ransomware, with updated new versions offered to the market every day, infiltrates the victim's system with many methods [11]. The best known and most commonly used methods are given in Figure 1.

Fig. 1. Crypto-ransomware infiltration methods into victim systems.

The general operating logic for crypto-ransomware is as follows:

978-1-7281-9656-5/20/$31.00 ©2020 IEEE
i. Fake sharing on social media or digital platforms directs users to fake or infiltrated sites and infiltrates their computers.
ii. A fake mail is sent to the victim to download harmful files to the computer and activate them. Most of these fake mails cause curiosity and concern by appearing to be a high telephone bill or to come from a cargo company, and clicking on the message contents allows infiltration into the computer.
iii. Imaging content on free film or TV series platforms may allow infiltration via files, due to opening an additional program or messages about updating programs used in the system.
iv. Another method is that infiltration occurs due to applications previously attacked by the attacker and appearing to be original, or without the knowledge of the user while surfing the internet or by downloading or updating a program for free.

In addition to these known infiltration methods, new methods are being developed every day.

Crypto-ransomware includes a double key encoding program (public key). The crypto-ransomware infecting the computer creates a new key at random and encrypts the files belonging to the user one-by-one with this key. After this procedure, these keys are encrypted with a single key (public key) within the crypto-ransomware. Later, the file keys and the unencrypted versions of the files are deleted. In this way, it is not possible to open the files without the private key of the double-key encryption system.

The main contributions of this paper are summarized as follows:

 We present a systematic approach that can be used for identification and analysis of crypto-ransomware.
 A sample case study is analyzed with the proposed method, which can be used for identification and analysis of crypto-ransomware operating with similar logic.

The rest of this paper is organized as follows. Section 3 reviews a few similar studies in the literature. Section 4 investigates identification of malware analysis methods in detail. Section 5 proposes an applicable method for identification analysis, then explains how it is applied step-by-step with a real case study.

III. RELATED WORK

To date, many approaches have been used for identification and analysis of ransomware. The approaches with most focus are algorithms based on signature-based detection logic [11]. The success of this approach is debatable due to its weaknesses. It is impossible to identify new-generation (fileless) ransomware with classic signature-based approaches. New types of approaches continue to be developed to resolve these deficiencies. These approaches encompass techniques investigating the operating behavior of ransomware (dynamic analysis).

Fatemah et al. presented a signature-based ransomware identification method based on graph mining. The study concluded they had a 96.6% rate of successful detection [12]. Daniele et al. developed a dynamic analysis approach working with machine-learning logic for ransomware [13]. In 2015, Donghyun et al. recommended a digitalized model to prevent and identify crypto-ransomware [14]. Amin et al. developed a new approach for identification and analysis of crypto-ransomware. With this approach the encryption method and characteristic behavior features used by the crypto-ransomware infecting the victim's system are defined [15]. Boldt et al. [16] proposed a viable method for crypto-ransomware detection and analysis. The biggest deficiency of this approach is that there is no case study to test the applicability of the method, and the programs used in the approach cannot be used free of charge. We made the crypto-ransomware case example examined in this study accessible to everyone. In addition, attention was paid to using free versions of the analysis tools used in the proposed method. Thus, we aimed at the applicability of the proposed method algorithm in different studies.

Fig. 2. Crypto-ransomware encryption methods for files found on victim systems.

Shaid and Maarof [17] executed ransomware within a virtual machine environment, collected user-level API calls and categorized them. In 2019, Kara et al. [18] used Forensic Toolkit (FTK) program tools for detection and analysis of ransomware. In their work, Akbanov et al. [19] developed a framework to detect ransomware on virtual machines that are hosted on cloud systems. In 2020, Hwang et al. [20] proposed a method combining dynamic analysis and machine learning techniques. Hwang also tested API classification on a dataset of 1176 ransomware files and reported 97.3% accuracy.

IV. OUR PROPOSED FRAMEWORK

A. SYSTEM OVERVIEW

In this section, we explain our proposed architectural system. In the study, the proposed approach model was designed in order to implement identification and analysis of crypto-ransomware specifically. Our approach comprises three modules. These are:

 Module 1. An image (forensic copy) is taken of the computer attacked by the crypto-ransomware. An image is the name given to a one-to-one copy of the data storage unit of the material to be investigated. There are two different methods used to take images: physical and logical. All analyses are performed on this image in a safe environment (on a workstation). Thus, the aim is to prevent possible harm to the live system.
 Module 2. After creating the analysis environment, investigations of the image begin. In this step, analyses are completed from simple towards complicated methods. The first step is identification of possible ransomware. If there is no threat identified on the computer, the process ends at this step. If ransomware is identified, the first stage is to collect information about the ransomware without executing it. Later the ransomware is executed and characteristic behavior (file-array movements, code architecture) analysis is performed. In the final step, the possibility of contacting the ransomware attacker is investigated in an attempt to obtain contact information.
 Module 3. After completing analyses, the procedures are reported for use against possible similar attacks or communicated to investigation units.

The process in the recommended approach model is visualized in Figure 3.

Fig. 3. The overall process of our proposed system.

V. EXPERIMENTS

In this section, we present the analysis infrastructure necessary for the systematic approach to be used for identification and analysis of crypto-ransomware, and how it is applied. A sample case was selected for analysis in order to research the applicability of this approach.

A. EXPERIMENTAL SETUP

All analyses in this study were completed on a Dell Precision T7920 brand workstation with 2x Xeon Gold 5118 / 32 GB / 256 GB M.2 SSD running the Windows 10 Pro operating system. All investigations were completed in Virtual Machine mode in order to prevent the workstation from being affected by possible ransomware attacks. Analyses were completed with the "Md5deep", "OllyDbg" and "Wireshark" programs. After preparing the analysis environment, the investigation stage began.

B. CASE STUDY

We obtained a sample case to research the applicability of the proposed method. With this aim, a computer was chosen which had experienced an attack from probable ransomware, with features given in Table 1. The chosen case was an example of a real attack, and the study blurred personal data due to possible demands to begin legal procedures. The most commonly used method by crypto-ransomware to infiltrate the victim's systems is to reach the user through an infiltrated website or fake email. As a result, first the internet history on the victim's computer should be investigated. Static investigations of the internet history of the victim computer observed that a suspicious file had been downloaded in recent times. Investigations focused on this suspicious file [15]. It was observed that the file content in "SIFRE_COZME_TALIMATI.html", located at C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\SIFRE_COZME_TALIMATI.html, included a note belonging to the attacker (Figure 4). Static investigations of the file called "SIFRE_COZME_TALIMATI.html" with the "Md5deep" program identified that the suspicious file was created at "23.05.2020 14:11:49 (2020-05-23 14:11:49 UTC)" (Figure 4).

Fig. 4. Information about the SIFRE_COZME_TALIMATI.html.

Fig. 5. Message content belonging to the attacker.

The note shown in Figure 4 belonging to the attacker stated that the victim's personal data was encrypted and that they should contact the mail address stated in the note. As a result, investigations began to determine whether the file encryption procedures had been completed or not by the attacker.

Investigations with the Md5deep program showed that many files located within C:\Users\Admin\AppData\Local\Microsoft\Windows\copy had been encrypted by the suspect using software called ".enc" (Figure 5). Dynamic analysis with the OllyDbg program investigated the behavior by executing the ransomware (Figure 6).

TABLE I. DEVICE AND WINDOWS OS INFORMATION.
Process Name        File Information     Properties
                    Product Name         Microsoft Windows 10
                    Registered Owner     BXX
                    System Root          C:\Windows\
                    Product ID           00372-41378-7789X-AXXX
                    Description          Physical Disk, 745.709.156 Sectors 424,6 GB
                    Total Size           529.890.345.260 Bytes (424,6 GB)
                    Total Sectors        745.709.156
                    Acquisition MD5      2f5abcdbeabb456a555ec56ab2befcc134
                    Verification MD5     2f5abcdbeabb456a555ec56ab2befcc134
                    Acquisition SHA1     712abbe382ca064f064e6c69ce63d92ab3124ac3
                    Verification SHA1    712abbe382ca064f064e6c69ce63d92ab3124ac3

Fig. 6. File-directory and registry logs of the SIFRE_COZME_TALIMATI.html.

When the code architecture in Figure 6 is investigated, the file called "SIFRE_COZME_TALIMATI.html" firstly created itself at the location C:\windows\temp\SIFRE_COZME_TALIMATI.html. After the creation procedure, the procedure was performed by reading the ".enc" command. After the ".enc" command finished encryption, the note to the victim during the attack was created as the file called C:\Windows\Temp\SIFRE_COZME_TALIMATI.html (Figure 7). After the attacker successfully infiltrated the system, in order to leave no trace, records of all procedures were deleted with the C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SIFRE_COZME_TALIMATI.html command.

Figure 7. Screen capture of some files encrypted with the suspicious ".enc" software and located in C:\Users\Admin\AppData\Local\Microsoft\Windows\copy.

Figure 7. Screen capture of some files encrypted with the suspicious ".enc" software and located in "[IMAGE]/[root]/hp_P1000_P1500_Full_Solution/NtwkPortMon/help/generic/zhcn/SIFRE_COZME_TALIMATI.html [NTFS]\[root]".

Considering that the crypto-ransomware would attempt to communicate with the attacker, registry log files were investigated with the "Wireshark" program. Investigations were completed on the log files "security.evtx" and "Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" located at "[IMAGE]/[root]/hp_P1000_P1500_Full_Solution/NtwkPortMon/help/generic/zhcn/SIFRE_COZME_TALIMATI.html [NTFS]/[root]/Windows/System32/winevt/Logs/".

The Wireshark program performs network protocol and packet analysis of computers and is popularly used for forensic investigations. The Wireshark program allows the possibility to capture from the network, record online data and analyze offline. Due to this feature of the application, it allows rapid investigation of instantaneous network traffic. With the thought that the investigated crypto-ransomware would attempt to contact the attacker, all network traffic was stopped on the workstation before executing the Wireshark program. Later the Wireshark program was executed and network traffic investigated (Figure 8).
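Module 1 and the static step of Module 2 above, together with the acquisition and verification hashes recorded in Table I, describe two checks an analyst performs before touching the network traffic: confirming that the working copy of the image still hashes to the acquisition values, and walking the mounted image for the ransom note and the ".enc" extension without executing anything. The following Python script is an added example written for this edition, not code from the paper or its authors. It streams an image through MD5 and SHA1 (the digests Table I reports), compares them with the acquisition record, and scans a directory tree for the note name and extension seen in the case study. The image bytes and the directory tree it builds are constructed for the demonstration, and the temporary directory stands in for a mounted image.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read images in 1 MiB blocks; a disk image does not fit in memory


def hash_image(path):
    """Stream an image once and return its MD5 and SHA1 hex digests, the two
    values that md5deep-style tools record at acquisition and at verification."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, acquisition):
    """Module 1 check: the working copy must hash to the values recorded at
    acquisition (Table I lists both pairs); otherwise later findings cannot be
    tied to the original disk."""
    current = hash_image(path)
    return all(current[k] == acquisition[k].lower() for k in ("md5", "sha1"))


RANSOM_NOTE = "SIFRE_COZME_TALIMATI.html"  # note file name from the case study
ENCRYPTED_EXT = ".enc"                      # extension the case study observed


def triage_tree(root):
    """Module 2, static step: walk the mounted image without executing anything
    and collect ransom notes and files carrying the ransomware's extension."""
    notes, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
    return {
        "notes": sorted(notes),
        "encrypted": sorted(encrypted),
        "ransomware_suspected": bool(notes) and bool(encrypted),
    }


def make_sample_image(content):
    """Write CONSTRUCTED image bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def make_sample_mount():
    """Build a CONSTRUCTED directory shaped like the victim profile in the case
    study: a ransom note under Temporary Internet Files and two '.enc' files
    under 'copy'. A real analysis points triage_tree at the mounted image."""
    root = tempfile.mkdtemp(prefix="image_root_")
    win = os.path.join(root, "Users", "Admin", "AppData", "Local", "Microsoft", "Windows")
    tif = os.path.join(win, "Temporary Internet Files")
    copy = os.path.join(win, "copy")
    os.makedirs(tif)
    os.makedirs(copy)
    with open(os.path.join(tif, RANSOM_NOTE), "w") as fh:
        fh.write("<html>your files are encrypted, write to the address in this note</html>")
    for name in ("report.docx.enc", "photo.jpg.enc"):
        with open(os.path.join(copy, name), "wb") as fh:
            fh.write(os.urandom(64))
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("untouched file")
    return root


if __name__ == "__main__":
    image = make_sample_image(b"\x00" * 4096)
    acquisition = hash_image(image)  # what the acquisition tool would have logged
    print("image verified:", verify_image(image, acquisition))
    findings = triage_tree(make_sample_mount())
    print("ransomware suspected:", findings["ransomware_suspected"])
    for path in findings["notes"] + findings["encrypted"]:
        print("  ", path)
```

The hash check is deliberately done on a streamed read rather than by loading the file, because the images in Table I are hundreds of gigabytes; a mismatch means the copy was altered after acquisition and the static findings that follow cannot be relied on.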
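The event-log analysis that follows (Figure 8, "security.evtx" and the TerminalServices-RemoteConnectionManager log) rests on two observations: several source addresses tried user names such as "david" and "owner" in quick succession, and one of them later obtained access. The script below is an added example, not part of the paper, that applies the same reasoning to a constructed export of Security log records. It assumes a pipe-delimited export with the columns in the order the paper reads off Figure 8 (date/time, event, target user name, source IP) plus the logon type; Event ID 4625 is a failed logon, 4624 a successful logon and logon type 10 a Remote Desktop session. The IP addresses are documentation-range placeholders, not the masked address in the paper, and the delimiter and column order are assumptions about the export, not a Windows or Wireshark format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED export of Security log records, one per line:
# date/time | event id | target user name | source IP | logon type.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = Remote Desktop.
# Addresses are documentation ranges; "-" marks a console logon with no address.
SAMPLE_EXPORT = """\
2020-05-23 14:02:11|4625|david|203.0.113.7|10
2020-05-23 14:02:12|4625|owner|203.0.113.7|10
2020-05-23 14:02:14|4625|david|203.0.113.7|10
2020-05-23 14:02:15|4625|owner|203.0.113.7|10
2020-05-23 14:02:17|4625|administrator|203.0.113.7|10
2020-05-23 14:03:40|4625|owner|198.51.100.21|10
2020-05-23 14:03:41|4625|david|198.51.100.21|10
2020-05-23 14:03:43|4625|owner|198.51.100.21|10
2020-05-23 14:04:02|4625|david|192.0.2.99|10
2020-05-23 14:04:03|4625|david|192.0.2.99|10
2020-05-23 14:04:05|4625|owner|192.0.2.99|10
2020-05-23 14:04:06|4625|owner|192.0.2.99|10
2020-05-23 14:04:08|4624|Admin|192.0.2.99|10
2020-05-23 14:09:30|4624|Admin|-|2
"""


def parse_export(text):
    """Turn the pipe-delimited export into records with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, user, ip, logon_type = line.split("|")
        records.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user,
            "ip": ip,
            "logon_type": int(logon_type),
        })
    return records


def find_brute_force(records, window=timedelta(minutes=5), min_failures=3):
    """Flag source IPs whose failed remote logons (4625, type 10) include
    `min_failures` attempts inside `window`. The distinct user names per IP
    expose the guessing pattern ("david", "owner") the case study describes."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec["event_id"] == 4625 and rec["logon_type"] == 10:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda rec: rec["time"])
        # sliding window over the sorted failures from this address
        for i in range(len(fails) - min_failures + 1):
            if fails[i + min_failures - 1]["time"] - fails[i]["time"] <= window:
                flagged[ip] = {
                    "failures": len(fails),
                    "users": sorted({rec["user"] for rec in fails}),
                    "first": fails[0]["time"],
                    "last": fails[-1]["time"],
                }
                break
    return flagged


def confirm_access(records, flagged):
    """A flagged IP that later produces a successful remote logon (4624, type 10)
    is the unauthorized-access finding that justified the WHOIS step."""
    confirmed = {}
    for rec in records:
        if (rec["event_id"] == 4624 and rec["logon_type"] == 10
                and rec["ip"] in flagged
                and rec["time"] >= flagged[rec["ip"]]["first"]):
            confirmed[rec["ip"]] = {"user": rec["user"], "time": rec["time"]}
    return confirmed


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    flagged = find_brute_force(recs)
    for ip, info in flagged.items():
        print(f"{ip}: {info['failures']} failed RDP logons, users tried {info['users']}")
    for ip, info in confirm_access(recs, flagged).items():
        print(f"{ip}: successful logon as {info['user']} at {info['time']} after the guessing")
```

Restricting both the failure count and the success check to logon type 10 keeps local console activity (the last record) out of the result, so the confirmed entry is exactly the address that guessed its way in and then logged on remotely.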

Fig. 8. Investigation of suspect network traffic with the Wireshark program.

Figure 8 shows suspicious network traffic with the Wireshark program. It shows the Date, Time, Event, Computer, Target User Name and IP Address in order: the date and time of investigation in milliseconds with event log records, the name of the system used, the user name of the source system sending the packet and finally the protocol (IP) addresses used. Investigation of suspicious network traffic with the Wireshark program identified that three different IP addresses were used by the attacker for Brute Force attacks. Brute Force attacks aim to identify the user name and password from the victim's computer. If the user name and password are identified, it is possible to access the victim's computer remotely. As seen in Figure 8, the attacker used the user names "david" and "owner" in an attempt to identify the password registered on the victim's computer.

Investigations of the log file named "Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" led to the consideration that access had been attempted from the IP address "5.19X.4X.5X3", identified trying to access the victim's computer, so investigations were completed on the log file called "security.evtx".

With the identification that the attacker had gained unauthorized access, the IP address "5.19X.4X.5X3" belonging to the attacker was used for a WHOIS inquiry on the www.domaintools.com website. The results of the inquiry showed that the IP address of the attacker's service provider company was accessible (Figure 9).

Fig. 9. Screen capture of WHOIS inquiry of suspect IP address.

As a result of the suspicious network traffic investigations, and based on the attacker's IP address, it appeared the attacker was traceable. However, attackers generally do not use a fixed IP for these types of attacks. Special programs may be used in order to make the attacker untraceable. The most popular of these special programs are virtual private networks (VPN). A VPN allows data flow between the user and the resource they want to connect to or the server they want remote access to by checking the identity information, and is known to encapsulate and encrypt information like the IP. If the IP of the attacker is detected, it is mandatory to confirm the suspicious traffic.

VI. CONCLUSION AND DISCUSSION

A large increase in the number of crypto-ransomware attacks has been experienced, especially with the popularity of virtual currency. This situation is due to the difficulty in legally tracing virtual currency. Attackers encrypt the victim's files with crypto-ransomware and inform them that they need to buy an encryption key to ensure access to their files again. Due to the encryption type used in ransomware it is nearly impossible to break the encryption through outside intervention, and this is accepted as technically impossible. The attacker deletes the encrypted files from the victim's computer and asserts that they are held in a storage area they own. In recent times, attackers have sent a message stating that they will decrypt a file of the victim's choosing not above 100 MB in order to make sure the victim believes the situation. When the victim agrees, they are successfully given access to the file. However, when the victim pays the desired ransom the attacker has achieved their aim and communication ceases.

Analysis of ransomware encompasses detection of this software, understanding how it works and reaching the attacker. During crypto-ransomware analysis, reverse engineering techniques are used and the structure of the malware and its interaction with the system are determined.

Attackers continuously develop new methods to prevent identification and analysis of crypto-ransomware on the market. This makes intervention against this threat difficult; in fact, it may be hopeless in some situations. Detection and analysis studies are very valuable but include certain limitations of the methods used. Information about detection and analysis of an example of a real attack is very limited. The most important aim of the study is to focus on this problem and develop an applicable approach.

In this study we proposed an applicable approach comprising three modules for detection and analysis of crypto-ransomware. The applicability of this approach was investigated for a real crypto-ransomware attack. The analysis results show the recommended approach will be useful for detection and analysis of crypto-ransomware. It appears the attacker could be traced from the obtained information. With this aspect, it is considered that the study will contribute to precautions taken and interventions made against crypto-ransomware.

Conflict of Interest

No conflict of interest was declared by the authors.

REFERENCES

[1] M. Egele, T. Scholte, E. Kirda, & C. Kruegel, 2008. A survey on automated dynamic malware-analysis techniques and tools. ACM Computing Surveys (CSUR), 44(2), 1-42.
[2] D. Kim, D. Shin, D. Shin, & Y. H. Kim, 2019. Attack detection application with attack tree for mobile system using log analysis. Mobile Networks and Applications, 24(1), 184-192.
[3] F. L. Lévesque, S. Chiasson, A. Somayaji, & J. M. Fernandez, 2018. Technological and human factors of malware attacks: A computer security clinical trial approach. ACM Transactions on Privacy and Security (TOPS), 21(4), 1-30.
[4] İ. Kara, M. Aydos, 2019. The ghost in the system: technical analysis of remote access trojan. International Journal on Information Technologies & Security, 11(1).
[5] I. Kara, M. Aydos, 2018, December. Static and dynamic analysis of third generation cerber ransomware. In 2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT) (pp. 12-17). IEEE.
[6] B. A. S. Al-rimy, M. A. Maarof, S. Z. M. Shaid, 2018. Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions. Computers & Security, 74, 144-166.
[7] S. Baek, Y. Jung, A. Mohaisen, S. Lee, D. Nyang, 2018, July. SSD-insider: Internal defense of solid-state drive against ransomware with perfect data recovery. In 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS) (pp. 875-884). IEEE.
[8] M. A. S. Monge, J. M. Vidal, L. J. G. Villalba, 2018, August. A novel Self-Organizing Network solution towards Crypto-ransomware Mitigation. In Proceedings of the 13th International Conference on Availability, Reliability and Security (pp. 1-10).
[9] K. İlker, M. Aydos, 2019, October. Detection and Analysis of Attacks Against Web Services by the SQL Injection Method. In 2019 3rd International Symposium on Multidisciplinary Studies and Innovative Technologies (ISMSIT) (pp. 1-4). IEEE. on Electronic Crime Research (eCrime) (pp. 1-13). IEEE.
[10] S. Mohurle, M. Patil, 2017. A brief study of wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 8(5).
[11] F. Karbalaie, A. Sami, and M. Ahmadi, 2012. Semantic malware detection by deploying graph mining. International Journal of Computer Science Issues, 9(1):373-379.
[12] D. Sgandurra, L. Muñoz-González, R. Mohsen, and E. C. Lupu, 2016. Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020.
[13] D. Kim and S. Kim, 2015. Design of quantification model for ransomware prevent. World Journal of Engineering and Technology, 3(03):203.
[14] A. Kharraz, S. Arshad, C. Mulliner, W. K. Robertson, and E. Kirda, 2016. Unveil: A large-scale, automated approach to detecting ransomware. In USENIX Security Symposium, pages 757-772.
[15] https://websitem.karatekin.edu.tr/ilkerkara/paylasimlar/dosya/0f7a100dcf5c42d2
[16] M. Boldt, and B. Carlsson, 2006. Analysing privacy-invasive software using computer forensic methods. ICSEA, Papeete.
[17] S. Z. M. Shaid, and M. A. Maarof, 2014. Malware behavior image for malware variant identification. 2014 International Symposium on Biometrics and Security Technologies (ISBAST). IEEE, 2014.
[18] I. Kara, 2019. A basic malware analysis method. Computer Fraud & Security, 2019(6), 11-19.
[19] M. Akbanov, V. G. Vassilakis, M. D. Logothetis, 2019. WannaCry ransomware: Analysis of infection, persistence, recovery prevention and propagation mechanisms. Journal of Telecommunications and Information Technology.
[20] J. Hwang, J. Kim, S. Lee, K. Kim, 2020. Two-Stage Ransomware Detection Using Dynamic Analysis and Machine Learning Techniques. Wireless Personal Communications, 112(4), 2597-2609.

Dr. Ilker KARA is an Assoc. Prof. Dr. in the Department of Medical Services and Techniques, Eldivan Medical Services Vocational School, Çankırı Karatekin University, since 2019. He was a Lecturer in Computer Science & Engineering at Hacettepe University, where he has been a faculty member since 2017. Kara completed his Ph.D. at Gazi University in 2015. His research interests lie in the area of digital investigation, malware analysis and internet security. He has collaborated actively with researchers in several other disciplines of computer science, particularly forensic security. He is the Head of the Information Security Division at the Informatics Institute. Dr. Kara is the author/co-author of more than 20 technical publications focusing on the applications of Cyber Security, Malware Analysis and Data Security Mechanisms.

Dr. Murat AYDOS received the B.Sc. degree from Yildiz Technical University (Turkey) in 1991, and the M.S. degree from the Electrical and Computer Engineering Department, Oklahoma State University (USA), in 1996. He completed his Ph.D. study at Oregon State University, Electrical Engineering and Computer Science Department, in June 2001. Dr. Aydos joined the Informatics Institute at Hacettepe University in April 2013. He is the Head of the Information Security Division at the Informatics Institute. Dr. Aydos is the author/co-author of more than 30 technical publications focusing on the applications of Cryptographic Primitives, Information & Data Security Mechanisms.
