Abstract:
In recent years, ransomware incidents have become increasingly prevalent among nation-state-sponsored hacking groups, and both the expertise behind ransomware and the ease of deploying it continue to grow. Comprehensive methods to defend against sophisticated ransomware attacks are therefore essential. This study takes a two-step approach to classifying crypto-ransomware and preventing the file encryption it performs. First, the image loading sequences (ILS) in memory of samples from the Ryuk, Thanos, Cerber, Jigsaw, TeslaCrypt, WannaCry, Satana and LockerGoga families were recorded with the Intel PIN dynamic binary instrumentation (DBI) tool, and an association-mapping method was developed to classify crypto-ransomware families from these sequences. Second, Windows application programming interface (WinAPI) hooking was applied to the crypto-ransomware samples. Kernel32.dll, ADVAPI32.dll, Cryptsp.dll, rsaenh.dll and ws2_32.dll were observed to be the dynamic-link libraries (DLLs) most commonly loaded across the ransomware families. As a proof of concept, the CreateFileW function in Kernel32.dll was hooked to prevent file encryption. The results demonstrate that DBI can identify and classify new crypto-ransomware variants belonging to known families, and that the WinAPI function hook was successfully applied to the Jigsaw, Zemblax and Cerber ransomware.
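The classification step above, as an added example in Python (this is not the paper's code, and the paper does not publish its association-mapping algorithm): it turns an image loading sequence into an order-preserving signature (the set of adjacent image pairs), builds one signature per family, and assigns a new sample to the family with the highest Jaccard overlap, or to no family when the overlap is below a threshold. The per-family DLL orders, the `LOAD <path>` log format and the threshold value are constructed for illustration and are not measurements from the paper; only the DLL names reported as common across families come from the abstract.

```python
"""Classify a crypto-ransomware sample from its image loading sequence (ILS).

Added example, not the paper's code. The DLL orders below are constructed
for illustration; a real ILS would be recorded by a Pintool at image load.
"""

# Constructed image-loading sequences, one per family (NOT measured data).
FAMILY_ILS = {
    "Jigsaw":   ["ntdll.dll", "kernel32.dll", "advapi32.dll", "cryptsp.dll",
                 "rsaenh.dll", "user32.dll"],
    "Cerber":   ["ntdll.dll", "kernel32.dll", "ws2_32.dll", "advapi32.dll",
                 "cryptsp.dll", "rsaenh.dll"],
    "WannaCry": ["ntdll.dll", "kernel32.dll", "ws2_32.dll", "wininet.dll",
                 "advapi32.dll", "cryptsp.dll", "rsaenh.dll"],
}

# Constructed, hypothetical log format: one "LOAD <path>" line per image load,
# as a Pintool's image-load callback might emit it.
SAMPLE_LOG = """\
LOAD C:\\Windows\\System32\\ntdll.dll
LOAD C:\\Windows\\System32\\KERNEL32.DLL
LOAD C:\\Windows\\System32\\advapi32.dll
LOAD C:\\Windows\\System32\\cryptsp.dll
LOAD C:\\Windows\\System32\\rsaenh.dll
LOAD C:\\Windows\\System32\\user32.dll
LOAD C:\\Windows\\System32\\gdi32.dll
"""


def normalize(image: str) -> str:
    """Reduce a full image path to a lower-case basename so that
    'C:\\Windows\\System32\\KERNEL32.DLL' and 'kernel32.dll' compare equal."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_ils_log(text: str) -> list:
    """Extract the ordered ILS from the hypothetical 'LOAD <path>' log lines."""
    seq = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=1)
        if len(parts) == 2 and parts[0] == "LOAD":
            seq.append(normalize(parts[1]))
    return seq


def bigrams(seq) -> set:
    """Ordered adjacent pairs; this keeps load *order* in the signature,
    which a plain set of DLL names would discard."""
    return set(zip(seq, seq[1:]))


def build_association_map(corpus) -> dict:
    """Family -> set of ordered image pairs: the per-family ILS signature."""
    return {fam: bigrams([normalize(i) for i in seq]) for fam, seq in corpus.items()}


def common_images(corpus) -> set:
    """Images that every family in the corpus loads, regardless of order."""
    sets = [{normalize(i) for i in seq} for seq in corpus.values()]
    return set.intersection(*sets) if sets else set()


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def classify(seq, corpus=FAMILY_ILS, threshold=0.3):
    """Return (family, score) for the best-matching signature, or (None, score)
    when nothing reaches the threshold (unknown family or benign program)."""
    sig = bigrams([normalize(i) for i in seq])
    best_fam, best = None, 0.0
    for fam, fam_sig in build_association_map(corpus).items():
        s = jaccard(sig, fam_sig)
        if s > best:
            best_fam, best = fam, s
    return (best_fam if best >= threshold else None), best


if __name__ == "__main__":
    ils = parse_ils_log(SAMPLE_LOG)
    print("ILS:", ils)
    print("common to all families:", sorted(common_images(FAMILY_ILS)))
    print("classified as:", classify(ils))
```

The bigram signature is deliberately tolerant of one extra or reordered DLL, which is what lets a new variant still land on its parent family; the threshold is what keeps an unrelated program (one that loads only the ubiquitous ntdll/kernel32 pair) from being forced into the nearest family. In practice the threshold would be tuned against a held-out set of benign binaries, since those also load Kernel32.dll and ADVAPI32.dll.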