Analysis of Ransomware

Added on  2023/06/14

Abstract
Today the internet is a basic need for everyone: people reach it from mobile phones, computers, PDAs and other devices, use it to communicate with one another, and rely on it as an easy way to access information. The internet offers flexibility, availability and speed. At the same time it is the channel through which many viruses are created and spread, and they easily affect our systems. One of the most harmful of these is ransomware. In 2017 it threatened individuals, international companies and many internet users, but there are now many solutions for detecting it. This report presents an analysis of ransomware. Ransomware is malware that affects the documents stored on a system; it is created by attackers on the network and spread to other systems through communication channels, and it affects the entire system. The best-known instance is the WannaCry cyber-attack. WannaCry affected fields such as telecommunications, gas, government, healthcare and finance. Malware of this type first encrypts the files on the system and then demands payment from the user to release them. In this report we use several methodologies to analyse the malware and reject its impact from external sources. The methodologies used here are the sandbox approach, VMware and reverse engineering. The sandbox approach is used to reject impacts from external sources; its main goal is to provide more visibility and scalability, and it is also used to detect this malware. The second methodology is VMware. It allows software to be run without any modification; it is cloud computing software that provides virtualization, offers many features compared to Microsoft's virtualization software, and is mainly used here to provide security. The third methodology is reverse engineering with IDA Pro. Reverse engineering (RE) is a systematic approach used to analyse the design of existing devices or systems. It has three basic steps: the encryptor, static analysis and dynamic analysis. Most virus programmers use this methodology for software design. The method is mainly used to identify whether malware has infected our systems or not, and the analysis of this malware is used to prevent the issues it causes. Two types of analysis are used here, code analysis and behavioural analysis; both are used to confirm whether a file is malicious or not.
Table of Contents
1. Introduction
2. Literature Review
3. Overview of Ransomware attack
4. WannaCry
5. Methodology
6. VMware
7. Reverse Engineering
8. Operations of IDA Pro
9. The Reverse Engineering process
10. ANALYSIS OF MALWARE (WannaCry)
11. DIFFERENCE BETWEEN STATIC AND DYNAMIC ANALYSIS
12. Elements of the Malware
13. Analysis of WannaCry
14. WannaCry analysis with IDA Pro
15. Ransomware Attack
16. Ransomware attack handling steps
17. Findings and Impact
18. Impacts of Ransomware attack
19. Risk Mitigation techniques
20. Preventive measures
21. Forward look against WannaCry
22. Suggestion and Solutions
23. Conclusion
24. References
1. Introduction
Nowadays many electronic devices are used in our daily life, and for humans the computer is the most important of them. The computer is designed for work, and that work is done on information. The Latin word for computer is 'computare', which means a machine that performs calculations. Without programming a computer can do nothing. Computer language consists entirely of binary numbers; the computer converts decimal values into binary. The central processing unit is the brain of the computer. The five generations of computers are briefly explained below. The first generation, vacuum tubes, was used from 1940 to 1956; performing an operation could take many days. Its input devices were punched cards and paper tape, and its output was printouts. The second generation, transistors, was used from 1956 to 1963. Transistors made computers cheaper, smaller, more energy efficient and faster than vacuum tubes; punched cards were still used for input and printouts for output. Integrated circuits were the third generation, used from 1964 to 1971, with a keyboard for input and a monitor for output. Fourth-generation computers are built around the microprocessor and cover the period from 1971 to the present; with a microprocessor we can fit thousands of integrated circuits on one chip. The fifth generation is artificial intelligence, covering the present and beyond, where voice recognition is used.
Computers can be classified into six types: personal computer, minicomputer, microcomputer, mainframe, analog computer and workstation. An analog computer is represented only by numbers. A personal computer is low in cost and small in size. A minicomputer is not small in size. A microcomputer is our personal computer (An Analysis and Aversion of Highly Survivable Ransomware, 2017). A mainframe is a large computer used to run a whole corporation. Finally, a workstation is a client-side computer. A computer takes input such as numbers and words, i.e. data, processes that data under an instruction set, and produces output, i.e. results, which can be saved for future use. The computer can perform arithmetical, numerical and logical calculations. The main uses of a computer are sending email, surfing the internet, typing documents and gaming. We can create or alter videos, spreadsheets
and presentations. Nowadays people use the internet through computers and mobile phones. The internet is the largest computer network; it uses the Internet Protocol suite (TCP/IP) to link various devices and is a system of computer networks connected to each other. It is considered an inexpensive and effective means of communication. It comprises public, private, business and academic networks linked by wireless, optical and electronic networking technologies. In general the internet provides services such as telephony, file sharing and electronic mail, and it also carries a great many information services and resources. ARPANET was the primary network, connecting military and academic networks. The internet is widely used for academic and commercial purposes.
Services such as internet telephony, digital newspapers, online music and video streaming were achieved by redefining and reshaping the processes of gathering information formerly done through paper mail, radio, newspapers and telephony. Internet forums, social messaging and instant messaging are newer services used to improve interaction between people. The services the internet provides to the business sector are online shopping, financial services and business-to-business services. The internet is defined by connecting millions of computers across various networks. It is easy to create an account with an ISP, after which the user has access to services such as chat, search and e-mail. The key advantage of the internet is easy access to information: a client can easily obtain information about a product by searching the internet, at any time of day. The main features of the internet are ease of use, security, easy sharing of resources, flexible communication, speed and availability, and economy. The various services provided by the internet are social networking media, electronic mail, file transfer protocol, search, net news, telnet, Usenet and online chat.
Ransomware is malware used to hold data hostage by blocking the system. With simple ransomware it is not difficult to recover the files, but advanced ransomware scrambles all the files so that they cannot be accessed. The infection arrives through a Trojan file, meaning a malicious computer program. The Trojan typically arrives automatically by email; when the user opens or moves that file it accesses the computer and encrypts the files without any further interaction with the user. By 2012 these malware scams had been developed internationally. Advanced extortion malware follows a three-step procedure between the attacker and the target. First, a key is placed in the malware for the intended target, and that key is generated only by the attacker. Second, the data is encrypted with a symmetric key, a technique called hybrid encryption, which keeps the attack itself small; recovery of the data then depends on the attacker. Third, on receiving payment the attacker releases the symmetric key that was used to encrypt the files, which completes the attack.
Without the symmetric key it is not possible to access the target's data. The key is revealed only after the target generates it, and until then nothing can be accessed. Once the key is generated, a small empty message is sent to the attacker and encryption starts. Personal data and other details can all be encrypted. The malware first compromises the main server and then takes control. When all the data has been encrypted it demands payment to decrypt it; if the attacker receives no payment, the held data is destroyed. This malware spreads by email messages, by other files, or embedded in a Word document, and also through secondary infection: if the computer was previously attacked by a worm, that leads to further attacks. Such attacks also occur on mobile devices, where the malware first encrypts Android devices, though the data can be simply recovered by online synchronization; on Android the malware takes the form of an APK file. Law enforcement agencies report that the reasons computers are attacked by ransomware are their use in unlawful actions and the downloading of abandoned software. In response, law enforcement introduced a new system for tracking all computers and recording all activity. If this malware attacks your system, first back up all files and folders and then clean the computer; with advanced malware, recovery is not possible. Even after payment there is only a ten percent chance of recovering the files, depending on the attacker's actions. The main aim of this malware is to strike a payment deal.
2. Literature Review
Architecture of ransomware (malicious software)
The malware follows a plan for its execution, which is explained below.
First the attacker creates a symmetric key, which is passed to a large number of systems with the help of a server; it is kept in a hidden unit. While you are online for some work, a message appears, such as a software update or something similar. If you click it or press OK, the malware enters your computer. It accesses your files and folders and encrypts all the files. Later it offers a payment deal online; if you make the deal it decrypts all the files. This is how advanced malware behaves; if it is not advanced, the files can simply be recovered with the help of professionals. All of this happens only through your own actions. Another way the malware enters your computer is by downloading unnecessary files and folders, abandoned software, or updates from unwanted links. Another way is a message sent to your email, an unwanted post that arrives in your mailbox; if you respond, it automatically affects your computer and attacks the computer directly, leaving it uncontrollable for the user. Recovering the files and folders is impossible with this malware, so you should be very careful in your actions and activities. Virtual attackers have hacked company details with the help of this malware. The easiest routes are email messages and internet browsing. Cybercriminals use various approaches to activate the malware, and the simplest is an email attachment. Once your computer is attacked by any virus, that leads to secondary compromise. There are various ways an attack can happen, but without our own action hacking is not possible, so our actions should be legal and lawful; all attacks are carried out with our help. Nowadays this malware also affects mobile phones, and in its advanced version it takes the PIN number of your phone to make its demand, while ordinary malware is easy to recover from by online synchronization. Using it, attackers have hacked the entire databases of companies, industries, government agencies and academic institutions through a single individual. For effective malware, top-grade encryption is required; nowadays technology has to be protected with the help of encryption. The most upsetting ransomware attack was activated with the help of WannaCry, which plagued one hundred and fifty countries across all the continents. The main objective of this malware is illegal online transactions, and encrypting files is known as hacking. The first version of the malware, identified in Russia, placed a pornographic image on the target device and requested a payment to remove it. After analysing the worm, the result was to notice the announcement and close it using the analysis result. The enquiry samples are given below.
This malware targets only wealthier people for a higher deal, not ordinary people. The files are encrypted with 128 bits in cipher block chaining mode. The cipher block chaining method encrypts a number of files in simple parts. A single bit error affects the whole sequence of the file, and a change in the arrangement then leads to corruption (Zheng, 2017). The United States of America selected the Advanced Encryption Standard (AES) to secure important files and folders (Guo et al., 2015).
The evolution of ransomware started in 1989, carried out by Joseph Popp. It was named the AIDS Trojan. It was not very effective: it simply hid the data on the computer's hard disk and encrypted only the file names. It then showed the user a message that the licence for using the data on the computer had expired and asked for money to repair the tool; the amount Popp asked for was probably 189 US dollars. After the payment was completed, the decryption code was created by the Trojan. It was the "PC Cyborg". He was declared mentally abnormal because of the activities he had carried out; on the other hand, Popp insisted that he wanted to donate part of his earnings from the malware to HIV research (RANSOMWARE AND ITS IMPACT IN INDIA – A LITERATURE STUDY, 2018). Three years later, in 1992, Sebastiaan von Solms and David Naccache developed a system to collect money electronically. The system was used to collect currency securely in human kidnapping cases, and the process was likewise intended for cryptoviral extortion attacks; here a newspaper was used as the currency exchange. Four years later, in 1996, another idea was proposed by Adam L. Young and Moti Yung, which used public-key cryptography for information-stealing attacks. They reviewed the first ransomware created by Popp: it used only symmetric cryptography, so the decryption code could be retrieved from the Trojan. A cryptovirus contains only the opening key, so the attacker must keep the corresponding files secure. In their scheme the victim needs to send the asymmetric ciphertext to the attacker, who then sends the restoring code in exchange for money; the attacker can hold up the process until the partial payment is completed (Digital Extortion: An Empirical Investigation on Ransomware Infection and Countermeasures, 2018).
In 2003 an attack was conducted by Adam L., who created a virus that steals data from the victim's computer and sends it to the attacker. The attacker then threatens the victim with leaking the data retrieved from the victim's computer unless money is paid. This is a non-encrypting
type of attack. During the attack, if the victim refused to pay the money demanded, they lost their data, their reputation and so on. Much later, in May 2005, expensive ransomware such as GPCode, Cryzip, TROJ.RANSOM.A, MayArchive, Krotten and Archiveus used advanced RSA techniques, and key sizes were continuously increased. In June 2006 the repair code was encrypted with 660-bit RSA, and two years later the next variant of GPCode was released, using 1024-bit RSA encryption. To repair the computer the attacker's help is needed; it is impossible to break the malware (Ali, 2017). In August 2010, 9 persons were arrested by Russian officers for creating and spreading malware. Unlike the existing viruses, these were called Win-Lock: they restrict the system and show pornographic images, then ask the users for money, probably around ten US dollars. From this operation the attackers earned nearly 16000000 US dollars from victims in Russia and nearby countries. One year later, in January 2011, the attackers used another method, again without any encryption: the attacker shows a message regarding Windows activation and offers the victim an internet-based activation option, which makes the user call an international number to enter a 6-digit password, so the user loses a large amount on foreign calls. Two years later, in February 2013, another version of the virus was created and spread that shows undressed pictures of famous heroines, pop singers and so on; this too uses no encryption and simply defeats the performance of the browser. In July 2013 a Virginia man was arrested for actions related to child abuse (Acharya, 2017).
Those procedures were abandoned in early 2014 with the use of CryptoLocker, which uses the digital currency Bitcoin to collect the ransom. Based on a study conducted by ZDNet in December 2013, the funds transferred by CryptoLocker were nearly 2700000 US dollars, collected for the repair code for the malware. It was used by a large number of virus writers, but it had one major fault: the decryption key was stored on the affected computer, so the victim was able to retrieve it. Malware was then produced specifically to attack cloud-based systems. In January 2015 it attacked Linux-operated online servers and individual websites by hacking them. Microsoft Corporation then analysed the problem through its sub-body named Antimalware & Cyber Security and found that .LNK files install the malware by autonomously infecting the system, whereas in the earlier method the victim downloaded .WSF files, so the attacks targeted PowerShell Windows applications. This shows that Windows-based systems have a weakness that is used by criminals. Criminals then follow the advanced technology supplied by dark-web dealers, which gives them more security: if criminals use that technology it is not possible to locate the attackers easily. The famous cyber-security company states that ransomware is a very dangerous threat to modern computers ("Ransomware becomes the most prevalent form of malware and hits an ever-wider range of victims", 2017).
The increasing number of mobiles and their features leads to cyber-attacks on mobiles. It is higher on the Android platform because it is open-source software that allows third-party applications (Android Malware Detection And Prevention, 2017). On Apple phones it just locks the phone; to use the phone again we need to pay money to the attackers.
The timeline below shows the details of the various ransomware versions.

Year  Event
1989  AIDS Trojan by Joseph Popp
1992  Electronic money-collecting system by Sebastiaan von Solms and David Naccache
1996  Public-key cryptography for information stealing by Adam L. Young and Moti Yung
2003  Creation of a virus that steals data from the victim's computer
2005  GPCode, Cryzip
2010  Win-Lock
2011  Windows activation scam with calls to a foreign country
2013  Spreading fake nude pictures and locking devices
2014  CryptoLocker
2015  Attacks on cloud-based servers

Remarkable versions of ransomware
All ransomware causes huge losses to computer users and corporate companies, but some versions have brought world business to a halt. Those versions are described here (Chong, 2017).
Reveton
This is a kind of ransomware that tells the victim to pay a fine to the police. It was created and began to spread in 2012, and it works on the basis of the Zeus Trojan. It shows a message on the victim's computer, delivered by electronic mail, purportedly sent by law enforcement, stating that the computer has been used for activities such as unauthorized applications or child abuse. It is therefore called the "Police Trojan", and it asks for the fine to unlock the computer, paid with "Ukash / Paysafecard".
CryptoLocker
In September 2013 the ransomware named CryptoLocker appeared. It generates a 2048-bit Rivest-Shamir-Adleman (RSA) key, uploads it to its main server, and then encrypts data of certain formats with the help of a "white list". It threatens the user to pay the money within three days or lose the data stored on the computer. Its repair code is very large, so it is very difficult to repair; if the deadline is missed the amount keeps increasing, and unless payment is made it is not possible to retrieve the data stored on the computer (Orman, 2016).
CryptoLocker.F & TorrentLocker
In September 2014 ransomware attacked Australian users. It was called CryptoLocker version 2.0 and was spread by fake emails based on the user's latest online searches; the email asks the user to solve a CAPTCHA, after which the download to the user's computer starts. ABC was a notable victim of this malware.
TorrentLocker is similar to CryptoLocker.F and uses a similar technique: first it starts encrypting the data on the computer, and then it asks for money to decrypt it again.
CryptoWall
CryptoWall is also ransomware; it specifically targeted Windows-based systems during 2014. It was spread by online sites (by ad redirection) and affected nearly a thousand users, with an estimated loss of 18000000 US dollars. The advanced version of this software is CryptoWall 4.0, which has special features such as evading anti-virus scanning.
Fusob
This is the most dangerous mobile ransomware. During the period from April 2015 to March 2016 it accounted for 56% of affected users. It asks users for around two hundred dollars. After installation completes it simply checks the operating language: if it is Russian or one of certain European languages it does nothing; it threatens phones set to other languages.
WannaCry
This is the most dangerous ransomware of the decade, because it affected more than 200000 computers, with impact throughout the world. It gives a deadline of a week; if we fail to pay the amount our data will be erased. It affected most of the big multinational companies (Collier, 2017).
Petya
This is also ransomware, identified in March 2016. It does not encrypt data like the other malware; it simply affects the Master Boot Record. It creates a checkpoint until the payment is completed, and it is focused only on causing destruction.
BadRabbit
It is also similar to WannaCry and Petya. It encrypts the data and likewise demands an amount. It affected computers in Russian government organizations and also expanded to other countries such as America and some English-speaking countries. It was first detected on 24 October 2017.
Ransomware Attack
This is a cyberattack using WannaCry. The attack is carried out only on Microsoft operating systems. The attack encrypts files (Owens, 2016) and then asks or demands a ransom payment. The payment is made in cryptocurrency; many cryptocurrencies are available and Bitcoin is one of them, and the ransomware demands Bitcoin for the ransom payment. It affected the IT field most of all, and much more besides: it affects enterprises, and it also affects individuals using a computer with the Windows operating system. Most nations were affected by the WannaCry ransomware; they are counted as more than 149. In particular the National Health Service in England was affected by this ransomware, and the car company Renault-Nissan was affected, which is why they all stopped production. Most of us think that the ransomware spread by email carrying the ransom malware, but that is not the case. The truth was discovered by Malwarebytes threat intelligence, who analysed the spread of WannaCry in detail. Microsoft had found out the cause and effects in March and prepared a patch to fix the flaw and prevent such attacks, but people did not update their Windows operating systems, so the ransomware attacked the Server Message Block service on Windows machines, and attacked the Windows machines again. This is the cause of the kernel memory being affected by a heap-spray attack: the attacker targets the Windows system and injects shellcode that identifies the user's IP address and uses that IP address to communicate over the Server Message Block protocol.
Events of the WannaCry ransomware
A new ransomware struck on May 12, 2017. It attacked a variety of sectors: the affected fields were healthcare, government, telecommunications and gas. It affected over 150 countries globally, and 3,00,000 systems were affected by this ransomware. The ransomware spread easily; China and Russia were the most affected. Once the counter-attack on the ransomware was launched, the process slowed down within two days, and the spread of the ransomware was stopped (Reverse Engineering Epistemic Evaluations, 2012).
3. Overview of Ransomware attack
The ransomware name is wannacry.it is performed by encrypt files, disks and local computers.
The hacker was demands $300-600 to be paid to one of three bitcoin within account.it give only
three days’ time. If you transfer a bitcoin within account. (Ransomware hiding in the dark,
2015). After send the decrypting files will be given. Wannacry spreads via SMB, port 445 and
139 was operating server message block protocol. (UK major target for ransomware, 2016)
Window machine to communicate with file system typically over a network.it can install the
ransomware scan and propagate to other at risk devices. The ransomware test to see if backdoor
to the machine. (Brewer, 2016)
If check the machine was already on previously infected. Double pulsar and eternal blue both
are very exploit to the “Server Message Block” vulnerabilities. It is caused by the illegal
activities of shadow broker. The hacking groups entered in the month of April 2016.
(Ransomware claims more victims, 2016)
15

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.
Document Page
Step 1: The initial attack vector has not been confirmed.
Step 2: Files on the victim's machine are encrypted with an AES-128 cipher. All shadow copies are deleted and $300 or $600 in Bitcoin is demanded (Ransomware menace will grow says Google, 2017).
Step 3: "tor.exe" is used by "wannadecryptor.exe" to connect to Tor nodes in order to connect back to the attackers, which makes it very difficult, if not impossible, to track them (ENERGETIC DATA SECURITY SCHEME VIA IMAGE AS CRYPTO KEY NATURE, 2017).
Step 4: The infected machine checks its IP address and then scans the subnet to identify additional vulnerable computers reachable on TCP port 445: IP addresses in the same subnet are scanned for further vulnerable machines and connections are made to port 445/TCP.
Step 5: Each machine that is successfully connected receives the transferred payload, which contains the exploit and the ransom demand.
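Step 4 describes the worm sweeping its subnet for TCP port 445. The following is an added example, not part of the original report, of how a defender can spot that behaviour in connection logs: a host that reaches many distinct peers on 445/TCP within a short window is flagged, while a workstation talking to a single file server is not. The log format, the hosts and the timestamps are constructed for the illustration; the window and threshold values are assumptions to be tuned to the network being monitored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the report). Format per line:
#   <ISO timestamp> <src ip> -> <dst ip>:<dst port> <proto>
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.25 -> 10.0.1.30:445 tcp
2017-05-12T10:00:01 10.0.1.25 -> 10.0.1.31:445 tcp
2017-05-12T10:00:02 10.0.1.25 -> 10.0.1.32:445 tcp
2017-05-12T10:00:02 10.0.1.25 -> 10.0.1.33:445 tcp
2017-05-12T10:00:03 10.0.1.25 -> 10.0.1.34:445 tcp
2017-05-12T10:00:03 10.0.1.25 -> 10.0.1.35:445 tcp
2017-05-12T10:00:04 10.0.1.25 -> 10.0.1.36:445 tcp
2017-05-12T10:00:05 10.0.1.25 -> 10.0.1.37:445 tcp
2017-05-12T10:00:05 10.0.1.25 -> 10.0.1.38:445 tcp
2017-05-12T10:00:06 10.0.1.25 -> 10.0.1.39:445 tcp
2017-05-12T10:00:07 10.0.1.25 -> 10.0.1.40:445 tcp
2017-05-12T10:00:07 10.0.1.40 -> 10.0.1.5:445 tcp
2017-05-12T10:05:00 10.0.1.40 -> 10.0.1.5:445 tcp
2017-05-12T10:00:08 10.0.1.7 -> 93.184.216.34:80 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "proto": m["proto"],
    }


def detect_smb_scanners(log_text, window_seconds=60, threshold=10):
    """Return {src: peak} for every source that contacted at least `threshold`
    distinct hosts on 445/TCP inside some window of `window_seconds`.
    One client hammering a single file server does not trip this;
    a worm sweeping the subnet does."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["port"] == 445 and ev["proto"] == "tcp":
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # distinct destinations reached within the window opening at `start`
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in detect_smb_scanners(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {peak} distinct hosts on 445/tcp within 60s")
```

In the constructed log only 10.0.1.25 trips the rule; 10.0.1.40 repeatedly talks to one server and is ignored, and the port-80 line is not counted at all. The same counter applied to port 139 covers the second SMB port named above.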
4. WannaCry
It attacked the whole cyber world and is the most dangerous malware of the century; it affected the entire world. All of this happened because of the computer worm known as ransomware. It mainly targets the world's most used computer operating platform, Windows (Mansfield-Devine, 2017) (Orman, 2016). It encrypts the data or files on your computer and demands a ransom payment in the Bitcoin cryptocurrency. Microsoft had already released patches closing the exploit, and the attack was stopped within a few days because Microsoft released emergency patches. Rather than UNIX systems, most of the devices recently affected by the worm were Windows devices. The worm spread virally through many methods such as phishing mail. This virus is called WannaCry ransomware. Among the major affected multinational companies were the Spanish company Telefonica and the NHS, which is located in England (Ali, 2017). The major way it propagated across the world via the network was the SMB EternalBlue remote code execution vulnerability.
WannaCry is a ransomware worm that mainly affects unpatched SMBv1 servers via the EternalBlue vulnerability. The worm takes the form of an executable file, diskpart.exe. Files are encrypted using two techniques, the Advanced Encryption Standard and the RSA algorithm. After download and extraction of the files, the extension of all files is replaced with .wcry, which indicates the WannaCry worm. The key required to decrypt the already-encrypted files is known as the decryption key, and the ransomware gives a stage-by-stage process to retrieve it. Once the ransomware runs on the system, a GUI application demands payment to a Bitcoin address. There are fewer than 10 days to retrieve the decryption key before it is deleted, and only a victim who pays above 250 dollars gets the decryption key to recover the original files. To control the victim system, the WannaCry malware uses .onion command and control domains. The worm also installs some software when it propagates to the system (Ransomware defeated but new forms emerge, 2015).
Working of WannaCry
The virus spread by email; this has not been confirmed by validated data. Other reports suggest another vector, similar to publicly accessible SMB vulnerabilities, that was used to spread the worm to many computers. Once contamination takes place, WannaCry first reaches out to the kill-switch URL in order to check whether it is running in a sandbox environment (Westin, 2012). If the URL does not respond, the ransomware starts its work: it encrypts the victim's files using an AES-128 cipher, and the encrypted files take the .wncry format, among others. It continues to encrypt all data on the computer; if the name of a file or folder is updated automatically, it creates another copy of the virus in that file or folder. The ransom note is shown on the victim's machine and is produced in Rich Text Format (RTF), because that format allows many languages to be used while spreading the worm; the geographical location is also considered. A huge ransom was asked from the affected company, nearly 600 bucks, and the money must be in the form of a cryptocurrency such as Bitcoin (The WannaCry ransomware attack, 2017). Once the system is infected, it shows how to pay the ransom. The exploit was created by NASA and released by the Shadow Brokers. The malware checks for backdoors and propagates to the client network (Owens, 2016) ("Ransomware becomes the most prevalent form of malware and hits an ever-wider range of victims", 2017).
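The two passages above describe the file-level traces WannaCry leaves: files are encrypted with AES and renamed with a .wcry or .wncry extension. As an added example, not from the report or from any project it cites, the script below triages a directory tree for exactly those two artefacts, the ransomware extension and the high byte entropy that ciphertext leaves behind. The sample files, the extension list beyond the two names in the report, and the entropy threshold are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the report names for WannaCry output (.wcry, .wncry); .wnry is an
# added assumption for the general case, not something the report states.
RANSOM_EXTENSIONS = {".wcry", ".wncry", ".wnry"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, well under 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, entropy_threshold: float = 7.5, min_size: int = 256):
    """Return (reasons, entropy). `reasons` is empty for files that look benign."""
    data = path.read_bytes()
    ent = shannon_entropy(data)
    reasons = []
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        reasons.append("ransom-extension")
    # tiny files give meaningless entropy, so require a minimum size
    if len(data) >= min_size and ent >= entropy_threshold:
        reasons.append("high-entropy")
    return sorted(reasons), ent


def scan_tree(root, **options):
    """Walk `root` and return {file name: (reasons, entropy)} for flagged files only."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            reasons, ent = classify_file(p, **options)
            if reasons:
                findings[p.name] = (reasons, round(ent, 2))
    return findings


def build_sample_tree():
    """Constructed demo directory: a text document, that document after
    'encryption' (random bytes standing in for ciphertext, renamed .wncry),
    a compressed-looking archive, and a tiny note."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    (root / "report.docx").write_bytes(b"quarterly figures for the board\n" * 200)
    (root / "report.docx.wncry").write_bytes(os.urandom(4096))
    (root / "archive.zip").write_bytes(os.urandom(4096))
    (root / "note.txt").write_bytes(b"call IT helpdesk\n")
    return root


if __name__ == "__main__":
    for name, (reasons, ent) in scan_tree(build_sample_tree()).items():
        print(f"{name}: {', '.join(reasons)} (entropy {ent})")
```

archive.zip is flagged on entropy alone, which is the expected false positive: compressed and already-encrypted files look like ciphertext, so the entropy signal should be combined with the extension signal or with a burst of modification events rather than used on its own.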
WannaCry attack - significance
The globally indiscriminate targeting of organizations emphasizes that they need to pay attention to all of the company's security essentials: mainly keeping software such as antivirus updated, checking regular backups of data, and teaching users not to click any doubtful website link (Mansfield-Devine, 2017). The cost of the operational disruption varied by sector and organization; the actual cost to an organization cannot be calculated and differs for every victim. It is little consolation to the large number of establishments that both costs and information loss occurred due to cybercriminal activity (Kaur, Singh and Dhir, 2017).
5. Methodology
Three methods are used here:
Sandbox approach
Virtualized environment
Reverse engineering
Sandboxing approach
An isolated sandbox mechanism is designed to reject impacts from external sources such as the Internet while analyzing the overall environment. An actual node is a real computer that is not virtualized. A virtualized environment is an efficient environment built with hardware virtualization techniques or OS virtualization techniques. Sandbox analysis is also known as the dynamic analysis method (Thomas and Galligher, 2018).
Main objectives of the sandbox (dynamic analysis tool)
Here we look at the main objectives of a dynamic analysis tool such as a sandbox. There are three main objectives, listed below:
Scalability
Visibility
Resistance to detection
Requirements for sandbox construction
Two requirements need to be satisfied in a sandbox: the first concerns analyzing malware and the second concerns fooling the mechanisms used for detection.
Analyzing malware
Malware code is used to attack sites and hosts. Live code helps the sandbox observe how it attacks and infects. Once the malware being analyzed is connected to the Internet, it is exposed to all the impacts from the Internet, so the environment used for analyzing malware must be isolated and Internet access must be rejected; that is the only way to avoid further spread of the worm. To remove the damage caused by the malware, the analysis environment must be reconstructed to recover from that damage. In malware investigation, live malware is identified in the light of the locales used by the different malware detections; in this way the sandbox largely helps to contain malware detections and attacks. When examining malware associated with the web, the sandbox will suffer the ill effects of the web, because the web enables attacks; so environments for analyzing live worms should be isolated from the web to avoid effects to and from the web. Analyzing malware detection also results in damage from the malware attacks, so the analysis environment must be hard for the attacking malware to modify. Here virtualized analysis environments have the advantage of making it simple to build an isolated "sandbox", because a virtualized domain normally has a closed executing environment, which makes it simple to rebuild the environment using snapshotting and rolling back to past states, features provided in many implementations of virtualization techniques and technologies (Mansfield-Devine, 2016). Regardless of whether an analysis environment is built on real nodes rather than virtualized environments, these advantages must be kept, or alternative methods for isolation and easy reconstruction must be provided.
Sandbox malware detection
The best approach to recognize these unknown threats is to permit files to execute in a safe, virtual environment. Here the executing process in the sandbox is watched and malicious behaviour is identified (Android Malware Detection And Prevention, 2017). Once the malicious behaviour is recognized, signatures can be made so that whenever that kind of attack is seen it can be blocked by a more conventional Intrusion Prevention System. Moreover, automatically refreshing IP addresses in a firewall or proxy is suggested. In sandbox malware detection, the detection of threats is carried out by creating a virtual environment, because a high-safety environment is required to inspect such extremely dangerous threats (Application Security through Sandbox Virtualization, 2014). Threats are mainly classified into two major types, explained below.
Major threats
The first type is known vulnerabilities. These have the capability to morph very quickly, within a fraction of a second, and antivirus software cannot give protection against this kind of threat.
The second type is unknown vulnerabilities. They play a major role in cyber-attacks because the actual reason for the problem is not understood: the attack is completed before the root cause can be analyzed, so there is no time to analyze the problem and take corrective action.
2. Threats based on unknown or zero-day vulnerabilities.
Sandboxing can be done locally on a vendor-provided appliance or in the vendor's cloud. There are advantages to each of these deployment strategies. If you focus on executable files and document files downloaded from the Internet, cloud-based computing enables more extensive, varied and time-consuming investigation and is more economical. If you are worried about internally transmitted documents, then the appliance alternative gives more security (Ransomware: threat and response, 2016). Finally, the truth is that many sandbox products have limitations; each sandbox has a different capacity to distinguish viruses and malware. Digital adversaries have become wise to virtual executing environments, and now and again worms or malware are written to stay dormant once they identify that a sandbox is near.
Advantages of the analyzing environment
Construction of an isolated sandbox is easy because of the closed executing environment.
The virtualized analyzing environment provides an easy way to rebuild, with the help of rolling back to previous states and taking snapshots.
Fooling detection mechanisms
This is a kind of virtualized-environment detection used to check whether the service and the targeted host can be reached. Two approaches are used for virtualized-environment detection: the first makes the virtualized environment appear non-virtualized to others, and the second provides the same functions as the virtualized environment (Owens, 2016).
Two approaches are used for the reachability check:
Online approach
Offline approach
The first, the online approach, provides reachability to certain hosts and services; infection and attacks from the malware can be avoided by using traffic filters. The second, the offline approach, provides counterfeit reachability: counterfeit hosts are prepared based on the targets of the malware.
Approach description
Description of the online approach
The online approach uses the methods to check reachability in sandboxes. The main merit of the online approach is easy isolation. This approach achieves the best sandbox malware identification in virtualized environments ("Ransomware and IoT among leading threats", 2017).
Description of the offline approach
In the offline approach, reachability checking is performed inside the insulated sandbox, which is known as a simulated Internet; its functions should provide the services, the targeted hosts etc. The main demerit of the online approach is difficult isolation, because the traffic filters need to pass infection and attack traffic. An executing environment that provides functionality similar to the virtualized atmosphere is called a malware incubator.
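The offline approach described above relies on a simulated Internet that answers the specimen in place of its real targets. The following is an added example, not the report's own code nor that of the framework it summarizes, of a minimal mimetic target host: it answers every HTTP request with a harmless page and records what was asked for, which is the evidence the analyst wants. It listens only on the loopback address; the host names and paths used in the usage are constructed.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen


class MimeticHandler(BaseHTTPRequestHandler):
    """Answer every GET with a harmless page and journal what the client asked for."""

    def do_GET(self):
        # record (method, Host header, path) before answering: this is the evidence
        self.server.observed.append(("GET", self.headers.get("Host", ""), self.path))
        body = b"<html><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # keep the default stderr chatter out of the analysis log
        pass


def start_mimetic_host(bind="127.0.0.1", port=0):
    """Start the fake target on a background thread; port 0 picks a free port."""
    srv = HTTPServer((bind, port), MimeticHandler)
    srv.observed = []  # request journal, read by the analyst after the run
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stop_mimetic_host(srv):
    srv.shutdown()
    srv.server_close()


def probe(srv, host_header, path):
    """Stand-in for the specimen's connectivity check; returns the HTTP status."""
    req = Request(f"http://127.0.0.1:{srv.server_port}{path}", headers={"Host": host_header})
    with urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    srv = start_mimetic_host()
    try:
        # constructed names; in a real sandbox, DNS would resolve the specimen's
        # targets to this host instead of the real Internet
        probe(srv, "killswitch.example", "/")
        probe(srv, "update.example", "/check")
    finally:
        stop_mimetic_host(srv)
    for entry in srv.observed:
        print("specimen requested:", entry)
```

The trade-off the report draws between the online and offline approaches applies directly here: a specimen that checks a kill-switch URL, as WannaCry does, goes dormant when the mimetic host answers, so the analyst must decide per name whether this host should respond or let the request fail.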
Sandbox insulation and control nodes
An isolated sandbox based on real nodes can easily be built to work as an entirely isolated analysis environment. However, in this isolated environment, management of the environment through activities such as submitting and executing specimens, and observations such as capturing packet dumps and gathering the logs related to the dump, must be done without network connections to the environment. Our framework furnishes the isolated sandbox with separate VLANs, a security gateway and controller nodes. First, the inspection zone is isolated from all other environments: all links are separated from the virtual environment based on the control messages given by the controller, which takes care of the incubator for the worms and malware. Here the history of the IDS is collected by software tools that are capable of collecting packet dumps with packet-capture software (Cabaj and Mazurczyk, 2016). The specimen of the malware or worm is injected by the injector node into the incubator that is designed to carry out the analysis. All the history of the incubator is collected by the collector nodes, and a dispatcher node is employed for dispatching the specimen.
Mimetic Internet
The mimetic Internet mimics the real Internet to the end host (Kim, 2014) (Ransomware becomes the most prevalent form of malware and hits an ever-wider range of victims, 2017). It encloses all the vital elements related to the target host; this is done to check the closeness between the malware and the host (Choudhary, 2018). So the developed mimetic network consists of the two parts listed below:
Emulated routes
Mimetic target hosts
Mimicking targeted hosts
The worm has details about the hosts that it uses for the cyber-attack. Here those host computers are mimicked on the mimetic net. But the worm has only limited capability to collect data about host systems, because a huge amount of detail is involved in the process, so it is not possible to have all the host details. So it performs a selection process to select suitable hosts, which is done by some strategies described below (Ransomware claims more victims, 2016). First it checks the accessibility of the host; here complicated security is the major deciding factor, and based on that it omits hosts that have complicated security credentials. Then it checks for major flaws in the selected host that can be used to perform the cyber-attack. Here the selected hosts are POP, DNS, SMTP and WEB; they are prepared for the attack, and the details are retrieved from generic websites. For the primary class, global DNS services such as the root DNS, the default NTP server for Microsoft Windows XP hosts, the famous search engines Yahoo and Google, the Microsoft web site and the Windows Update site were prepared. Here the functional outline of the target hosts is collected and used in the pre-examination process. The available logs of the communications were also collected, and they were considered while discussing the class, for example purposes. The virtual environment is preferred because it can be reconstructed within the shortest possible time, which is not achievable with actual nodes: they consume more time for the rework and also cause unwanted loss of assets. These are the reasons behind the development of the malware incubator, which is created to overcome these problems; that is the main purpose of this tool (Ransomware defeated but new forms emerge, 2015).
Malware incubator with renewable node
During the inspection of malware or worms, the inspection environment is normally recreated to overcome the damage caused by the malware or worm. Typically this consumes a lot of time and requires a huge amount of hard work. Here the required work is reduced by implementing a new technique that uses a renewal process frequently, so the amount of work required for reconstruction is reduced to a minimum. Here the executables are in the form of a disk image file; using this image file, the required real node is established, which reduces the damage rate. The disk image is also isolated from the actual environment that is created: unless changes in the actual environment are reflected in the image file, there is no point in creating and using the disk image (Ransomware becomes the most prevalent form of malware and hits an ever-wider range of victims, 2017). After completion of the process the entire system is rebooted; this is carried out to clean the effects of the specimen, and it must be carried out because the specimen is very dangerous malware with the capability to disturb all the systems.
Multiple sandboxing
In parallel sandboxing, any number of isolated sandboxes can be prepared, because the mimetic Internet is structured as virtual hosts on a XEN host (Kapil, 2016) (Ransomware defeated but new forms emerge, 2015). Hence a large number of actual nodes are structured on StarBED, and the multiple isolated sandboxes are managed by a terminal so that specimens are dispatched to each sandbox.
The above table shows the classification of the collected specimens: 581 specimens were collected, including 73 unknown specimens.
The above table shows the observed behavior of specimens.
Implementation of the isolated sandbox
Disconnection of the isolated sandbox is done with the help of VLANs. Management of the isolated gateway is done with the help of controller nodes, and the security gateway is implemented simply in a firewall router (Ransomware hiding in the dark, 2015).
Control nodes:
For capturing packets in bridge mode, sensor nodes use Snort and tcpdump.
An injector node is built on the malware incubator.
For controlling the sensor and injector, a dispatcher node uses scp and ssh.
6. VMware
VMware is a cloud computing and virtualization software provider. It provides many software products in its field and uses the ESX and ESXi technologies on the x86 architecture. Using this software we can create a virtual platform that helps to perform the analysis of various problems. It provides a cheaper solution to simulate the problems and solutions virtually. This kind of platform is really useful for testing purposes, because no physical asset losses are involved, so it is highly preferred.
Virtualized environment (VMware)
A virtualized environment with VMware will be built for the testing laboratory without affecting the production environment. All the data are copied from production, and a snapshot is captured at a certain time to prevent any wrong process during the analysis ("VMware Security Recommendations and Best Practices - IS&T Contributions - Hermes", 2018).
Reasons for using VMware:
There are many good reasons behind the wide usage of VMware. It has many advantages as well as some minor flaws, yet it is preferred by many investigating personnel. Here we look at the major reasons to prefer the VMware software. The first and foremost reason is that it is available at zero cost while at the same time providing lots of features, which gives the chance to enhance the testing or simulation work (Cohen and Nissim, 2018) (Roccia, 2018). Basically the features given by VMware are a bit richer than those of Microsoft Virtual Server ("Enhanced Security Solutions for VMware - EMC", 2018). The key features provided by VMware are shown below.
It provides a screenshot facility to capture the actual screen and dialogue boxes during the investigation or testing.
A huge number of versions are available, so we can select the most suitable version for our usage.
It has a highly mature platform that provides a bulk of features and at the same time a decent working environment.
It provides a huge number of plugins to use with VMware, which are really useful for carrying out different operations.
It also has multitasking capabilities: at the same time we can simulate multiple VMs, controlled by the centralized management system.
Using this tool we can also simulate an x64 OS on x32-bit OS systems.
Different varieties of OS are also simulated using this software; the available OSs are Windows, Linux, Mac and UNIX.
Security level of VMware:
VMware provides security in many ways. Some of them are given below:
MS authentication systems like Active Directory are used in this software platform: it integrates with Microsoft® Active Directory ("Enhanced Security Solutions for VMware - EMC", 2018). By assigning users to custom roles, access to inventory pools, VMs and servers is restricted; this increases safety as well as flexibility with the user-defined roles. We can export reports for event tracking; it maintains records of configuration changes and of the administrator who initiated each one. VMware technology is used to improve the safety of the assets of the company in various fields, including session management. Security procedures such as LUN zone identification and masking are carried out to improve the security credentials.
Infrastructure of VMware:
VMware infrastructure delivers resource optimization, comprehensive virtualization and management in an integrated offering (Lee, Yim and Seo, 2017). It is the industry's first full infrastructure virtualization suite. VMware infrastructure uses the virtualization technique to allow small businesses to manage their IT infrastructure. The diagrammatic representation of the VMware architecture is shown in the following figure.
The components of the VMware infrastructure are given below.
VMware VMFS is used by virtual machines as a high-performance cluster file system. VMware ESX Server is an enterprise-level product developed by VMware Inc. that is used for server virtualization (Kalil et al., 2016). VMware Virtual Symmetric Multi-Processing (SMP) is able to use several physical CPUs concurrently. VirtualCenter Management Server is the central point for constructing, provisioning and handling the virtual IT infrastructure. VMware DRS logically assigns and balances processing capability dynamically across collections of hardware resources for virtual machines. A virtual machine is operated by the client OS, while the main control of the system is in the hands of the server OS; using this system we can perform the operations (Comparison between Virtualization and Cloud Computing, 2016). VMware also has a backup facility: using this technology we can store data on the backup server and retrieve it when needed, so the required physical devices are reduced. We can also work with various applications. It is also very simple software with an effective interface that facilitates many features for the users ("VMware Security Recommendations and Best Practices - IS&T Contributions - Hermes", 2018). It has created a revolution in the virtualization field.
Architectural considerations
Architectural considerations address the problem in three ways.
Transparent virtualization:
Virtual machines run the operating system inside them without any modification.
Paravirtualization:
The operating system is modified, and after that the virtual machine runs.
Hardware virtualization:
Explicit support is provided by the hardware.
CPU virtualization
For CPU virtualization, VMware employs binary translation and direct execution. The transparent virtualization technique ensures that major guest operating systems run without any modification, which finally gives a high degree of operating system compatibility, whereas otherwise customers would be told to requalify and retest their solutions for the distributions. AMD's Pacifica and Intel's virtualization support provide the hardware, and the silicon can also deliver the same optimized performance (Chong, 2017).
As the previous section contains, to conclude, paravirtualization and hardware assist are not mutually exclusive (Parkinson, 2017). VMware announced planned support for AMD's Pacifica and Intel VT, and in fact it was the first vendor to give a working demonstration supporting VT at Intel. VMware also told of its intent to support paravirtualized operating systems when they are available from Novell, Red Hat and Microsoft. RHEL 5 and SLES 10 performed well as paravirtualized operating systems, all without sacrificing the performance and stability of the ESX Server platform.
I/O virtualization
There are two key decisions in I/O virtualization. Here we can create virtual hard disks to store data, but the data is really stored in physical storage, and a single physical storage can be used for many purposes. The I/O virtualization support hardware has been announced by either AMD or Intel (Priya, 2017) (Collier, 2017).
The I/O architecture used by VMware provides drivers for high-performance I/O devices inside the hypervisor, and uses a service console for devices that are not performance-critical. It protects the hypervisor from driver faults, and VMware provides a number of mechanisms such as private memory heaps for individual drivers. XenSource's indirect I/O architecture uses a privileged virtual machine for all drivers; in addition, XenSource gives a limited and nonstandard view of virtual devices. This paravirtualized approach works well for the network driver, and in fact VMware developed the VMXnet driver.
XenSource's approach in the case of storage compromises storage I/O compatibility for guest access. In practice, this means that multipathing, clustering, tape backup and other SCSI-command-based functions fail in Xen virtual machines; on the other hand, an accurate representation of the SCSI device is presented to the guest.
Memory management
The fundamental question that arises in memory virtualization is the extent to which the operating system should be changed to account for the fact that it is virtualized, and how much hardware support is required. This approach leads to the shadow page tables created by VMware, which act as a map between the underlying physical machine pages and the system's virtual memory pages. The ESX Server maintains the shadow page tables and uses them to virtualize memory access effectively.
The use of shadow page tables in VMware minimizes the memory-access cost due to hardware problems; to reduce the actual cost of MMU-based operations, dynamic binary translation is used. Using the shadow page tables, the virtual machine's linear addresses are mapped directly to real machine addresses. Shadow tables also have an important benefit: they prevent guest operating systems from depending on specific machine memory.
Virtual hardware features
VMware virtual machines are extremely accurate to the operating system; the motivation is that software that works on physical servers works without change in a virtual machine. For example, clustering software can run inside VMware virtual machines without any modification. VMware takes advantage of physical server innovations by allowing accurate virtual hardware. Power management has no natural home inside the virtualization platform, being among the BIOS-controlled functions. VMware has taken advantage of CPU innovations such as hyper-threading and NUMA.
Features
The virtually simulated machine they developed has the same features as the actual machine. By default, the hardware compatibility setting is the installed Workstation version (YUN et al., 2017). Workstation picks the execution mode for the virtualization engine in view of the guest operating system and the host processor. An IDE drive is used to control and recognize the actual drive on the host computer; a floppy disk is used to control the actual system of the host as well as for authentication purposes. A virtual connector is also available to identify the NAT values: a system using this technology shares the IP of the actual system. Finally it has the USB facility to use a USB disk on the virtual machine. Using these features we can show the settings of the actual system (host).
Virtual application features
We can perform copy-paste or move operations on the virtual machine by simply dragging the file and placing it where it needs to be copied.
Remote access to the data in the server by VNC clients is restricted; they cannot access these data.
There is no encryption needed for the VM.
Additional tools as well as plugins are manually updated.
Implementation of VMware with a fake virtual machine
In the previous methodology we used the sandbox approach to detect malware. In some cases this process is not recommended, because the worm cannot change its functions (Obasuyi and Sari, 2015). Registry keys are used to reduce the effects of worms. Consider an example: an earlier variety of Locky used a mutex with the string "locky" for checking purposes; using "locky" it checks whether the machine was already affected. If the ransomware did not affect the machine, Locky verifies whether the local language is Russian. Using this data, security analysis professionals provide protection against suspicious files or applications. A simple illustration is given in the figure below to help understand these topics.
List of registry keys that malware can detect:
In the context below, the most harmful registry keys are shown.
Creating fake registry keys:
Some specific tools create a lot of registry keys. Using those tools, the duplicate keys are created with the Windows API function RegCreateKeyEx. The registry keys are shown in the context below.
Fake process creation:
For that purpose we need to make sure of compatibility with the virtual system; for instance, malware can spot that VirtualBox runs several processes on a machine (Reverse Engineering Technology for Windows O.S Software Program, 2017).
A fake process is loaded into memory using the CreateProcess function:
Duplicate file creation
Malware can detect the existence of any file or folder related to the virtual or simulated machine; many DLL files are created by the hypervisor (Software reviews: Mobile security, 2012).
Some potential virtual files are given below:
Fake files are created on the system by the CreateFile function:
Creating a fake MAC address
VMware and VirtualBox use some default MAC addresses on virtual machines (Mahmudi, Achmadi and Michael, 2018). The VMware standard IDs are 00:0C:29, 00:1C:14, 00:50:56 or 00:05:69, stored in the first 3 bytes; the default address of a VirtualBox virtual machine uses the first three bytes 08:00:27.
By requesting the following registry key, malware can detect these MAC IDs:
VM ware information security
VM ware gives the security to the data stored in the server or virtual machine. That is the best
feature for the peoples they do these kind of jobs. It has the capacity to do the virtualization of
physical storage. It also provides data security to customers, so the technology is widely used in data-center virtualization (Thomas and Galligher, 2018). It is tempting to think that backing up an entire server should be as easy as backing up the handful of associated configuration files ("Securing VMware Infrastructure", 2018; "How secure is VMware NSX?", 2018; "How secure is VMware and Virtual Machines?", 2018).
These methods are superior to the backup and recovery of a standard physical server. The methods are listed below:
Method 1: Create a local backup with VMware
Working methodology:
Each VM has the backup software agent installed on the actual system. As the figure shows, when the agent is installed locally on the actual system, the information flows over the LAN to the retrieval arrangement. This is the traditional approach to backing up data (Burke, 2013; "How to prevent & mitigate against Ransomware using VMware security solutions | Insight UK", 2018).
Advantages
The restore procedure is unchanged and is similar to the procedure one would follow for a file-level rescue operation.
Backup agent installation and configuration are identical.
Full and incremental backups are possible.
File-level recovery is also possible.
Method 2: Create a backup from the ESX Service Console
Working methodology
Here ESX is used as the software tool to create the backup; with these tools we can create the backup of the virtual machine (Praczyk, 2012; "VMware Knowledge Base", 2018), as shown below.
The service console is a Red Hat Linux OS and uses a Linux backup agent.
Advantages:
Data rescue involves spilling back one big image file instead of searching through a large number of files, and fast image-level recovery is possible. All the data is backed up by a single agent, which is a very effective method for creating backups: a single VMDK file is created as the backup of a huge number of data elements.
Method 3: VCB Proxy
Working methodology:
Here the data from the ESX server is stored with the help of a Windows 2003 proxy server (Sokół and Cekus, 2017). VMware Consolidated Backup is a collection of VMware-developed utilities that enables LAN-free backup of VMs. The data is presented to the proxy for subsequent backup by a supported third-party backup application. The diagrammatic representation of this method is given below. Many complications are involved in this method, so it is a little more difficult than the others.
List of components involved in this method:
VCB framework
A "sync driver" on the ESX server flushes the file system and creates the snapshot.
A "VLUN driver" on the VCB proxy server gives permission to present the VMDK to the proxy.
Command-line utilities (VCB Mounter / VCB Restore) are used to establish the automatic workflow environment.
Backup proxy server
The server has SAN access.
The VMDK file's image is exported onto this proxy system.
Backup software integration module
Either VMware or the backup application vendor supplied and developed this module.
The backup application backs up the directories or files (Popli and Girdhar, 2017).
Advantages
To back up our VMs we use a single backup agent on the VCB proxy. The load on the ESX server is reduced by backing up the data to the VCB proxy system, and quicker image-file rescue is achievable: one big file is recovered instead of retrieving a large number of tiny files. It is a SAN-enabled, LAN-free backup approach, which gives quicker backup than the LAN-based backup method.
Some important tips for VMware security
Use dedicated host machines for the virtual infrastructure and hardened guest OS templates.
Use startup passwords.
Take sensitive VMs offline.
Encrypt the virtual drives and VM backups.
Disable scripting in the guest OSs. To disable scripting entirely for a VM, open its .vmx file in a text editor and follow the simple steps, then save the file for future reference.
Always log off a VM session, and update written security policies to include VMs.
7. Reverse Engineering
Ransomware is an important threat, so IT security professionals need the skills and knowledge to protect their systems and networks from this malware. Reverse engineering is probably carried out to study the details of an existing process, and it is done through a well-organized set of procedures (Static Structural Analysis & Optimization of Concept Automotive A-Arm, 2017). The premier disassembly tool for this is now readily available; it is interactive, highly extensible and supported on many platforms, and it was created by Ilfak Guilfanov. Reverse engineering is also called back engineering. It is the most interactive approach.
Purpose of Reverse Engineering:
Reverse engineering is used as a learning tool. It is used to create a data bridge between databases or operating systems. Questionable privacy practices and security flaws can also be exposed by reverse engineering (Reverse Engineering Epictemic Evaluations, 2012).
In software, RE can modify anything, such as changing the software's name or editing the software; the main thing is converting trial software into licensed software.
Approaches in RE
Exploitation technique: these techniques focus on the piece of malware and are used to exploit the vulnerability of the malware.
Obfuscation: some malware obfuscates itself so that it cannot be analyzed.
Reverse engineer: the most important approach to avoiding malware is to completely reverse engineer the piece of malware. The main drawback is that it requires more time to finish the entire operation.
Encryption methods: nowadays the important malware is ransomware. First it locks user files by encrypting them so that they cannot be read, and then it demands a large sum to release those files, which leads to great loss (ENERGETIC DATA SECURITY SCHEME VIA IMAGE AS CRYPTO KEY NATURE, 2017).
Attribution: many malicious hacking teams follow a kind of malware called the murky area; it is a kind of dark art.
C&C communication: malware analysts always want to figure out the communication protocol between the client side and the server side, so it must be on the command-and-control side.
Categorization and clustering: instead of doing a deep dive, we use broad-stroke analysis to find the many different malware families.
Basic steps in Reverse Engineering:
Encryptor: first decrypt the malware-affected file and fix imports.
Static analysis: understand the application logic without executing it.
Dynamic analysis: this is very useful for monitoring the application's activities and also for executing the binary.
Important terms used in Reverse Engineering:
Application Programming Interface (API): understanding the API is very important because in Windows the main core of trust and communication is code sharing. A user application does not communicate directly with the Windows kernel or control hardware directly (Yan, 2010); instead we use DLLs (Dynamic Link Libraries), which export various functions, so the API is mainly used for providing services to user applications. Return value in EAX: when an API is called, almost every function returns its result in the EAX register.
Uses of Reverse Engineering:
RE in software testing:
Most virus programmers use reverse engineering in software testing. RE is used to study malware code and other viruses. Software testing is very extensive and also requires great experience to analyze and study the virus code.
RE in software security:
RE is mainly used here to check whether systems are affected by major vulnerabilities. The main aim of this RE is to make the system fast; with its help the system is protected from hackers and spyware.
RE has a positive approach and has developed efficiently to generate an expressive information set of the actual body. Nowadays many new application tools are generated by this technology, and because of it we can manipulate the information efficiently.
Disassembly theory:
Disassembly theory is the important one in reverse engineering. It needs proper tools, and the tools must understand the executable file format. They must parse machine-language operation codes back to their assembly-language equivalents; a disassembler is not used to run code. There are several types of disassemblers, namely linear sweep and recursive descent.
Type 1: Linear sweep
The linear sweep algorithm performs the operations of decoding and disassembling in sequential order. This algorithm is very simple, but it is also susceptible to mistakes on some code (Tretyakov et al., 2013).
It starts at the code section and decodes every byte in turn. If it treats a data byte as code, it reports an illegal instruction. Some linear sweep disassemblers are objdump, WinDbg and SoftICE.
Type 2: Recursive descent
This is also one of the important disassembler algorithms. Compared with the linear sweep algorithm it is less prone to mistakes, because it follows the branch and jump instructions; otherwise the concept used is the same as in linear sweep. Examples of recursive descent disassemblers are OllyDbg and IDA.
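To make the difference between the two strategies concrete, the following added example (not code from the report) runs both algorithms over a constructed program for a hypothetical 1- and 2-byte instruction set; the opcode table and byte layout are assumptions made up for this demonstration, chosen so that a jump skips over inline data bytes.

```python
# Toy instruction set (constructed for this example): opcode byte -> (mnemonic, length).
# Two-byte instructions carry one operand byte; branches use a signed 8-bit
# displacement relative to the end of the instruction.
OPCODES = {
    0x01: ("NOP", 1),
    0x02: ("MOV", 2),   # MOV imm8
    0x03: ("JMP", 2),   # unconditional jump
    0x04: ("JZ", 2),    # conditional jump
    0x05: ("RET", 1),
    0x06: ("CALL", 2),
}
BRANCHES = {"JMP", "JZ", "CALL"}


def decode(code, addr):
    """Decode one instruction at addr; return (mnemonic, operand, length)."""
    op = code[addr]
    if op not in OPCODES:
        return ("(bad)", None, 1)          # what a disassembler prints for an illegal byte
    name, length = OPCODES[op]
    if length == 1:
        return (name, None, 1)
    if addr + 1 >= len(code):
        return ("(bad)", None, 1)          # truncated instruction at end of buffer
    operand = code[addr + 1]
    if name in BRANCHES:
        disp = operand - 256 if operand > 127 else operand
        operand = addr + 2 + disp          # resolve to an absolute target address
    return (name, operand, 2)


def linear_sweep(code):
    """Decode every byte in order, as an objdump-style linear sweep does."""
    listing = {}
    addr = 0
    while addr < len(code):
        name, operand, length = decode(code, addr)
        listing[addr] = (name, operand)
        addr += length                     # no notion of control flow at all
    return listing


def recursive_descent(code, entry=0):
    """Decode only bytes reachable from entry by following branches and fall-through."""
    listing = {}
    worklist = [entry]
    while worklist:
        addr = worklist.pop()
        while 0 <= addr < len(code) and addr not in listing:
            name, operand, length = decode(code, addr)
            listing[addr] = (name, operand)
            if name in ("RET", "(bad)"):
                break                      # no fall-through past a return or an illegal byte
            if name == "JMP":
                addr = operand             # unconditional: continue only at the target
                continue
            if name in ("JZ", "CALL"):
                worklist.append(operand)   # the target is one successor ...
            addr += length                 # ... and fall-through is the other
    return listing


# Constructed sample: the JMP at 0x02 skips three inline data bytes at 0x04-0x06.
# Linear sweep decodes the data, and the stray 0x02 at 0x06 swallows the real
# JZ opcode at 0x07 as a MOV operand, so everything up to 0x0A is mis-decoded.
SAMPLE = bytes([
    0x02, 0x2A,        # 0x00  MOV 42
    0x03, 0x03,        # 0x02  JMP 0x07
    0x01, 0x01, 0x02,  # 0x04  inline data, never executed
    0x04, 0x02,        # 0x07  JZ 0x0B
    0x01,              # 0x09  NOP
    0x05,              # 0x0A  RET
    0x05,              # 0x0B  RET
])


def misdecoded_addresses(code, entry=0):
    """Addresses where the linear sweep listing disagrees with recursive descent."""
    lin, rec = linear_sweep(code), recursive_descent(code, entry)
    return sorted(a for a in set(lin) | set(rec) if lin.get(a) != rec.get(a))


if __name__ == "__main__":
    for title, listing in (("linear sweep", linear_sweep(SAMPLE)),
                           ("recursive descent", recursive_descent(SAMPLE))):
        print(title)
        for addr in sorted(listing):
            name, operand = listing[addr]
            print(f"  {addr:04x}  {name} {'' if operand is None else hex(operand)}")
    print("disagreements at", [hex(a) for a in misdecoded_addresses(SAMPLE)])
```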
Disassembly tools:
The well-used disassembly tools are on Linux and Windows. Linux has objdump and GDB; Windows has IDA Pro, the Interactive Disassembler Pro.
Linux: objdump
objdump is a very handy tool for ordinary programmers. It is basically used for debugging. It is the Linux command that provides all the information on object files.
Syntax: objdump [options] objfile...
Linux: GDB
GDB is a debugger with a command-line interface. When execution reaches a certain point it stops the process, and the values of certain variables at that point can be printed. This process is carried out under GDB.
Syntax: gcc -g -o memsim memsim.c
It has many commands that are used to run code. A few examples of GDB commands are file, print, help, run, next, break, until, delete, continue, clear and list.
Windows: IDA Pro
IDA Pro is mainly used to convert machine-executable code into assembly-language source code for debugging, and the reverse engineering process also follows this methodology. Basically it is a disassembler that acts primarily as a multi-platform and multi-processor tool, used on various platforms, but it is also treated like a remote debugger or a local debugger (Mishra, 2013).
Different executable formats are handled and developed through plug-ins, which can be developed for different operations and processors.
8. Operations of IDA Pro:
IDA Pro is mainly used for reverse engineering binary components in order to analyze malicious software such as rootkits, worms, viruses and Trojans. It is mainly used for source-code regeneration and for security purposes. First, analyze the quality disassembly of the binary component; it is used to overcome the reverse engineering problems (Fang, 2014).
It is used to perform a detailed analysis of code. It can recognize function boundaries, library calls and data types for known library calls. It builds a database to characterize each byte of the binary data, and manipulation of the disassembly is done through interaction with that database.
Features of IDA Pro:
IDA Pro has a flowchart display of function flow, that is, a graph-based display of program flow. It automatically recognizes string constants. It can view code cross-references and display the data references; it can list all locations that call a particular function or refer to a particular piece of data. It has a hex display option and very simple stack-frame displays (PASCARIU, BARBU and BACIVAROV, 2017). It allows you to assign your own names to code locations and functions, and to function locals and parameters.
Multitarget debugger:
It is a remote debugger.
It offers all the features of tracing.
It allows the disassembler to gather information in a dynamic-analysis manner.
Multitarget disassembler:
It provides full interactivity through the keyboard and an internal programming language, and also internal plugins with unlimited power.
It also allows custom disassemblers.
Code graphing is also possible.
Screenshot of the IDA Pro desktop
Components of IDA Pro:
Toolbar: the toolbar is where the tools are docked.
Disassembly window: this is the primary window, used to show the assembly-level code of the executable. It has two formats, text mode and graph mode. Graph mode shows the control flow of the program; execution is shown in function blocks, and these blocks are linked by colored arrows showing the control flow. A red arrow means the conditional jump is not taken, and a green arrow means the conditional jump is taken (PASCARIU, BARBU and BACIVAROV, 2017). A blue arrow means an unconditional jump is taken. Conditional jumps are drawn as dashed lines and unconditional jumps as solid lines.
Functions window:
In this window we learn about the functions that are used in the executable. It uses different types of flags, which indicate the function types. With the help of the length and type this window can differentiate the functions.
Navigation band
It is placed under the toolbar area as a horizontal color band used to jump to a particular code region of the executable. It contains different color bands to represent the code: library code is represented by light blue, user-written code by dark blue and compiler-generated code by a red band. The navigation band represents the address space of the executable (Raffetti, Marangon and Zuccarelli, 2000).
Strings window: used to view the ASCII strings within the executable.
Hex-Rays Decompiler: here the object file can be converted into compatible source code with the help of a plug-in.
Imports window: used to list the functions imported by the file.
Names window: used to view the named code, named data and string addresses. These are shown with a letter code and a color. The letters used to code the names are I, F, L, D, A and C:
I denotes an imported name
F denotes a regular function
L denotes a library function
D denotes a named data location
A denotes an ASCII string data location
C denotes named code in a memory location
Exports window: displays the variables and functions in the file that are exported for use by other files (Han et al., 2018).
Stealth: used to hide IDA Pro from various anti-debugging techniques, so it is called the open-source anti-debugger.
IDA Struct: an open-source plug-in used to identify high-level structures and objects in binary code.
IDAPython: also an open-source plug-in, combining IDA Pro and the Python programming language; with this combination we can run scripts in IDA Pro.
9. The Reverse Engineering process
The RE process is mainly used for finding the technique and extracting the algorithms that are used. It has two levels of processing: the system-level process and the code-level process. System-level techniques help determine the internal structure of the virus and are also used for OS monitoring, because all the information is gathered from the OS. Code-level techniques provide detailed information from the code segment and are used to extract algorithms and design concepts from the binary code.
Snort detection rules from reverse engineering:
With the help of RE, the behaviour of the worm was discovered. A worm is a malicious computer program that replicates itself in order to spread to other computers, because it uses the computer network to spread itself to other systems. It causes severe harm to the network. Such worms are easily identified by reverse engineering (Alhakimy and Sultan, 2015).
Advantages of reverse engineering:
It is a process of converting a program's machine code back into its original source code. The following are some of the advantages of using reverse engineering with IDA Pro. It is used to view how the program operates. The technique is used to repair certain bugs in our code. It is also used to improve the operation of the program. Reverse engineering can be done in many applications and on many platforms. One important application used here is Hopper, which runs on OS X and Linux. Every RE application has the capability to decode, disassemble and debug 32/64-bit Intel Mac, Windows, Linux and iOS executables. Hopper is also used to show the control-flow graph of the detected procedure, and this flow-graph representation allows a better understanding for the user. Reverse engineering makes the system structure better and generates a new dimension for the
documentation of the system, and it is very easy to understand and operate. The main drawback of RE is that there are practical limits to the extent to which a system can be improved by the RE process.
In May 2017 the ransomware 'WannaCry' became famous all around the world. This ransomware is used mainly to damage systems, and many systems were damaged by it. The ransomware works in two ways: one is file encryption and the other is the worm function. First we need to obtain a sample of WannaCry. Using the worm function, the file encryption and decryption methods are performed.
In WannaCry, encryption means encrypting the file with 128-bit AES encryption in CBC mode, and it also encrypts the AES encryption key. Each machine creates its own RSA public key; the RSA public keys are then combined to form a "WannaCry". The encrypted file data is fully based on the AES keys. To encrypt with the RSA public key, an AES secret key must first be created on your own machine.
The main aim of the attackers is to transmit the "00000000.eky" file by pressing the check-payment command. When the check completes successfully, it receives the decrypted RSA secret key. There is a problem in that neither the function nor the file is decrypted. "EternalBlue" is the type of function used in the worm.
"DoublePulsar" is also a type of worm function. Using the analysis result the worm communication is detected and shut down. We follow some hash values for analysis of the samples.
MD5: db349b97c37d22f5ea1d1841e3c89eb4
SHA1: e889544aff85ffaf8b0d0da705105dee7c97fe26
SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
A patch was made to wait 20 seconds before starting the service in order to attach to the process, and a survey was conducted.
The SMB vulnerabilities are used to detect the spread of WannaCry. When some code is infected and executed with system privilege, it is known as a WannaCry infection. A WannaCry infection
performs two actions: one is the ransomware encryption method and the other is the worm function. In SMB, port 445 is connected across the network. The connection is possible when the "EternalBlue" vulnerability exists. If no "DoublePulsar" is available, the backdoor is installed via "EternalBlue". IDS/IPS detection is possible; the IDS/IPS detection deals with the 32-bit XOR encryption and also with establishing the communication. The earlier version of WannaCry is fully based on the infection. First the system needs to connect to the URL of the famous "kill switch". If the process still continues, it means the connection was not established. After the first step completes, the next step checks the arguments. In the routine, when two arguments are executed simultaneously, the worm runs.
Finally the routine executes and the ransomware encrypts. In this process the service name and file names resemble those created by Microsoft. Some of the Microsoft-like legitimate process details are below:
Service Name: mssecsvc2.0
Display name: Microsoft Security Center Service
Execution file path
Startup type: Auto
Recovery: Restart service
The worm function searches for machines that are connected by SMB. An IPv4 address with a random number is created by the search method, avoiding a first octet of 127 or of 224 and above; only for this reason are those machines not affected. In an SMB connection two types of addresses are normally used: a global address and a local address.
On port 445, once the connection completes successfully, the first and third octets are used to identify the address, while the fourth octet is used to connect to port 445 in a particular order (1 to 254). When port 445 is connected, the WannaCry service creates a thread, and the malware transmissions exploit through this thread. First the thread needs to send the specific data. Next it checks whether "EternalBlue" is available; the target returns a specific value such as STATUS_INSUFF_SERVER_RESOURCES. Using this the malware analysis is
done successfully. The thread needs to check the multiplexer ID to receive the correct data. If the target data matches, "DoublePulsar" is infected; otherwise it is not infected.
When "DoublePulsar" is infected, the values change. Using the malware, the "DoublePulsar" infection is located. The following window shows the threads run post-exploit.
Exploit
"DoublePulsar" is installed based on the target. WannaCry executes the EternalBlue exploit. In the second transaction the secondary request is performed and SMB2 data is transmitted and exploited. Through this method the memory corruption is communicated and executed. This session uses a large-scale technique, a non-paged pool overflow in the SRV driver.
Finally, once the communication executes successfully, the "DoublePulsar" backdoor is sent. The backdoor includes several types of data, among which the backdoor is confirmed. The main advantage of this data is that it performs the decryption operation: the 32-bit decryption operation is performed successfully with the backdoor data, which also checks whether DoublePulsar is infected or not.
Worm details: post-exploit
After the "DoublePulsar" infection the target starts and sends the WannaCry payload. Trans2 SESSION_SETUP is a transmission that uses an SMB reserved command. Using this command the threads are easily encrypted and the WannaCry payload is XORed with a 32-bit key and transmitted. Only the 32-bit decryption key is transmitted; other keys are not permitted to access the system.
Finally the target receives the data, which is decrypted by "DoublePulsar", and the attackers also gain the ability to access the remote system. The file executed by WannaCry creates a file name, and these file names are in .exe format. The Windows folder holds the remote code and also executes the program without any arguments.
Communication of "EternalBlue" and "DoublePulsar"
In this section we discuss the communication between "EternalBlue" and "DoublePulsar". EternalBlue performs the memory corruption communication and remote code is executed successfully. This command is used to exploit the communication and deliver the payload.
Only fixed-size data is transmitted; the important thing is that the transmitted data size is fixed. So the attacker uses another method in which duplicate data is generated that acts like the original data. For this reason the concept of the payload changes, and the signature on the "EternalBlue" payload is not a perfect one.
DoublePulsar takes the payload from WannaCry. EternalBlue uses plaintext after the corruption. We can also detect the DoublePulsar payload signature; the only way to detect the signature is to detect the attack. EternalBlue is sent by the backdoor.
Using the backdoor the exploit changes automatically. The values are detected but not changed, because the backdoor does not have the ability to change the EternalBlue value. The main advantage of the process is detecting the characteristics of the metadata that transmits the payload.
32-bit XOR encryption is done by DoublePulsar, which also performs the payload transmission. First WannaCry was analyzed and a strange process was found: the payload is sent XORed with 32 bits of data, and in this scheme the 32-bit data acts like a key. We need to record the data; once the data is recorded, the captured information is analyzed. Wireshark is used to detect and analyze the communication.
The XOR key is transmitted, so the first communication as well as the second communication uses the same key. Real-time communication is detected, and the encryption is weak. Then, I found that the 32-bit record matches: the key is transmitted with the first communication and the last communication. The transmitted data was decrypted by XOR with the 32-bit key. As a result, the executable code was output. For this reason, I was convinced that "DoublePulsar" is encrypting with a 32-bit XOR.
In addition, I also found that the 32-bit key is created at random every time. You may point out that 32-bit key encryption is vulnerable. But detection on real-time communication is difficult even with weak encryption. This means that detection by the payload of "DoublePulsar", which is XOR-encrypted with a random 32-bit key, is not appropriate.
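The decoding step described above, as an added example that is not the report's own code: it reproduces the 32-bit repeating XOR over a constructed capture in which the key travels in the first record, and goes one step further than the text by recovering the key from the MZ prefix of a PE payload when the key record is missing. The record layout, the sample payload and the fixed key are assumptions made for the demonstration.

```python
def xor32(data, key):
    """XOR data with a repeating 4-byte key; the same call encrypts and decrypts."""
    if len(key) != 4:
        raise ValueError("expected a 32-bit (4-byte) key")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def recover_key_from_prefix(ciphertext, known_prefix=b"MZ\x90\x00"):
    """Known-plaintext recovery: a PE payload starts with the DOS 'MZ' header, so XORing
    the first four ciphertext bytes with that prefix yields the 4-byte key directly."""
    if len(ciphertext) < 4:
        raise ValueError("need at least four ciphertext bytes")
    return bytes(c ^ p for c, p in zip(ciphertext[:4], known_prefix))


def looks_like_pe(data):
    """Cheap plausibility check on decrypted output: a DOS/PE image starts with 'MZ'."""
    return data[:2] == b"MZ"


def decode_capture(records):
    """records: constructed list of ("key", 4 bytes) and ("chunk", bytes) entries, mirroring
    the report's observation that the key is sent with the first communication and the
    payload follows in XOR-encrypted chunks.  Returns (decrypted payload, key used).
    If no key record is present, the key is recovered from the expected MZ prefix."""
    key = None
    chunks = []
    for kind, data in records:
        if kind == "key":
            key = data
        elif kind == "chunk":
            chunks.append(data)
    ciphertext = b"".join(chunks)
    if key is None:
        key = recover_key_from_prefix(ciphertext)
    return xor32(ciphertext, key), key


# Constructed sample: a fake PE stub stands in for the payload.  The report notes the real
# key is random on every run; a fixed key is used here only so the example is reproducible.
PAYLOAD = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           b"This program cannot be run in DOS mode.")
KEY = b"\xde\xad\xbe\xef"
CIPHERTEXT = xor32(PAYLOAD, KEY)
CAPTURE = [("key", KEY), ("chunk", CIPHERTEXT[:20]), ("chunk", CIPHERTEXT[20:])]
CAPTURE_WITHOUT_KEY = [("chunk", CIPHERTEXT[:20]), ("chunk", CIPHERTEXT[20:])]

if __name__ == "__main__":
    for name, capture in (("with key record", CAPTURE), ("key recovered", CAPTURE_WITHOUT_KEY)):
        plain, key = decode_capture(capture)
        print(f"{name}: key={key.hex()} pe={looks_like_pe(plain)} head={plain[:16]!r}")
```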
3. Reverse engineering knowledge using Snort detection rules
The worm is one kind of virus, and it was found through reverse engineering and analysis of its communication. Using this reverse-engineering knowledge we can find the EternalBlue communication. Snort detection rules are then used, and the EternalBlue verification is done by those detection rules.
SMB2 transmission
The SMB2 transmission takes place during the EternalBlue exploit and is reported as an illegal transmission. EternalBlue is defined as communicating a particular pattern to detect the vulnerability in the transmission. In some communications the parameters are identified often. The communication is used for detection through the SMB2 communication and rules. The SMB2 header has parameters, and the important ones are the structure size and header size, which must be 64. In EternalBlue the communication is unauthorized, so it cannot be an ordinary communication. The detection uses the following rules:
Communication - SMB2
Structure size - 00 00
Data - 00 00
With the Snort rules the detection is identified as a positive detection under the above condition. SMB2 is the Server Message Block protocol, versions 2 and 3; the structure size of this Server Message Block header should be 40 00, and if a new pattern is created the structure will not be the same. By the above explanation this communication appears to be normal communication, so EternalBlue is used for this detection. The Snort rule is described as follows:
Alert tcp any any -> any 445 (message: Server Message Block protocol 2, possible detection of EternalBlue)
The figure above shows the transmission of data over Server Message Block using the EternalBlue exploit. In the diagram the protocol id is given in 4 bytes, and the protocol id value should be in network order; the structure size is given in 2 bytes and should be 64, the size of the Server Message Block header; the credit charge is also given in 2 bytes, where MUST is the keyword used and it may be used and varies between the sender and the receiver; the channel status is given in 3 bytes and is requested in different ways.
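The StructureSize check that the rule above relies on, written out as an added example (not the report's code): it parses the fixed SMB2 header that follows the 4-byte NetBIOS session header on TCP/445 and raises an alert when StructureSize is not 0x0040 (the "40 00" of legitimate traffic versus the "00 00" the report attributes to the exploit). The packets are constructed for the demonstration, not captured data; the field layout follows MS-SMB2 section 2.2.1.

```python
import struct

# Fixed 64-byte SMB2 header (MS-SMB2 2.2.1).  The report's rule keys on StructureSize,
# which is 0x0040 in legitimate traffic and 0x0000 in the exploit transmission.
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_SIZE = 64
NBSS_HEADER_SIZE = 4            # NetBIOS session header in front of every SMB message on TCP/445
HEADER_FMT = "<HHIHHIIQIIQ"     # fields after ProtocolId, up to the 16-byte Signature


def parse_smb2_header(tcp_payload):
    """Parse the SMB2 header that follows the NetBIOS header; None if this is not SMB2."""
    smb = tcp_payload[NBSS_HEADER_SIZE:]
    if len(smb) < SMB2_HEADER_SIZE or smb[:4] != SMB2_PROTOCOL_ID:
        return None
    (structure_size, credit_charge, status, command, credit_request, flags,
     next_command, message_id, _reserved, tree_id,
     session_id) = struct.unpack_from(HEADER_FMT, smb, 4)
    return {
        "structure_size": structure_size, "credit_charge": credit_charge,
        "status": status, "command": command, "credit_request": credit_request,
        "flags": flags, "next_command": next_command, "message_id": message_id,
        "tree_id": tree_id, "session_id": session_id, "signature": smb[48:64],
    }


def inspect_packet(dst_port, tcp_payload):
    """Return an alert string for an SMB2 header to port 445 with a bad StructureSize,
    or None when the packet is not SMB2, not to 445, or well-formed."""
    if dst_port != 445:
        return None
    hdr = parse_smb2_header(tcp_payload)
    if hdr is None or hdr["structure_size"] == SMB2_HEADER_SIZE:
        return None
    return ("SMB2 header with StructureSize 0x%04x instead of 0x0040: "
            "possible EternalBlue exploit traffic" % hdr["structure_size"])


def build_packet(structure_size, command=0x0000, body=b""):
    """Constructed test packet: NetBIOS header + SMB2 header + body (not real capture data)."""
    header = SMB2_PROTOCOL_ID + struct.pack(
        HEADER_FMT, structure_size, 1, 0, command, 1, 0, 0, 1, 0, 0, 0) + bytes(16)
    smb = header + body
    return struct.pack(">I", len(smb)) + smb      # NBSS: type byte 0 + 24-bit length


# Constructed samples: a well-formed NEGOTIATE (command 0) header, and one with the
# StructureSize field zeroed as the report describes for the exploit transmission.
LEGIT_PACKET = build_packet(0x0040, command=0x0000, body=b"\x24\x00" + bytes(34))
ANOMALOUS_PACKET = build_packet(0x0000, command=0x0000)

# An equivalent Snort rule, written here to illustrate the report's rule in real syntax
# (the content offset of 4 skips the NetBIOS session header):
#   alert tcp any any -> any 445 (msg:"SMB2 header StructureSize 0 - possible EternalBlue";
#     content:"|FE 53 4D 42|"; offset:4; depth:4; content:"|00 00|"; distance:0; within:2;
#     sid:1000001; rev:1;)

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_PACKET), ("anomalous", ANOMALOUS_PACKET)):
        print(label, "->", inspect_packet(445, pkt))
```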
EternalBlue
In EternalBlue the communication is analyzed as to whether it is a request or a response. In EternalBlue the default status with fid 0 is required, and this configuration is needed for the attackers to verify that the value is vulnerable; from the attacker's response we can identify the communication. The request and response of the EternalBlue detection are below.
Request:
Communication - Server Message Block
In the request the command and sub-command are also present, and the fid is 0.
Response:
Communication - Server Message Block
In the response there is a return command and the return value.
The figure above displays the EternalBlue vulnerability request and response. Using this detection we can analyze whether it is positive or negative; the result is a false detection under these constraints, because the return value is related to another request and not to the vulnerability. So from this we can identify that the request is false. Finally the attacker analyzes these two detections, chooses EternalBlue for the vulnerability and also checks that the target is vulnerable. The Snort rule for this is given below.
Alert tcp any any -> any 445 (message: EternalBlue vulnerable check request); for this the content is Server Message Block, the offset is 4 and the distance is 56.
Alert tcp any any -> any 445 (message: EternalBlue vulnerable check return); for this the content is the same Server Message Block, the offset is 4 and the distance is 0.
Transmission by DoublePulsar
The WannaCry worm is a virus that installs DoublePulsar by using the EternalBlue vulnerability. WannaCry conveys the payload to the infected target, and the command is used during the transmission to the target. But in real life the command is not used and not implemented, so the sub-command is used for the ordinary application. DoublePulsar is thus detected from the communication by using the sub-command, and the payload
is sent in the form encrypted by the double pulsar detection with 32bit and it has the complexity
to make a signature.
And the above diagram describe the transmission by the sub command and in this sub
command is reserved but not implemented. And this transaction command is used by the LAN
manager. According to the request the client use the command mode to send the request and the
receiver not use the command mode to get the requests. And for that detection rule as follows,
Communication – server message block
And it added the request command and the sub command and in this detection the result is
false positive detection. In the common internet file system the sub command not implemented
and it is not sued for the normal applications. And the solution may be found the communication
detection by this command. And the attacker needs to be high knowledgeable to use the double
pulsar. And for this the snort rule described below.
Alert tcp any any->any 445(message: data is possible to send the double pulsar) and the
content is here server message block and the offset is 4 and the distance is 56 and also included
fid.
Infected DoublePulsar
Here we check whether the target is already infected with DoublePulsar or clean; this is the initial step of the attack. For this identification WannaCry provides the multiplex ID as a parameter. Using this multiplex ID we can match the commands in the send and receive directions. It is also used to check the payload communication, and a fixed value is used for both detections. The detection rule for DoublePulsar infection is as follows,
Communication – server message block
It has the request command, the subcommand and also the multiplex ID. This detection alone is also a false detection; the Snort rule is described below.
Alert tcp any any -> any 445 (message: possible check request); the content is the server message block header at offset 4, with a second match at distance 25, and the rule also includes the FID.
Response from DoublePulsar infection
Depending on WannaCry, the multiplex ID is analyzed to see whether it was received or not; by default the target is not infected with DoublePulsar. If no ID is received, the subcommand is used for that identification. A status is returned because the subcommand is not implemented, so the status is used for normal communication while the infection is analyzed by the ID parameter. The detection rule is described below.
Communication – server message block
The request command, the return status and the multiplex ID are identified. The Snort rule is described below.
Alert tcp any 445 -> any any (message: DoublePulsar infected); the content is the server message block header at offset 4, with a second match at distance 0, and the rule also includes the SID.
Payload to DoublePulsar
Payload data is complex to detect because it is encrypted; the multiplex ID does not change, and the detection happens while the malware is getting inside. The detection rule is described below.
Communication – server message block
The request command, the subcommand and the multiplex ID are identified. The Snort rule is as follows.
Alert tcp any any -> any 445 (message: possible payload send)
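The rules above all key on SMB1 header fields: the server message block signature at offset 4 of the NetBIOS-framed packet, the command byte, the transaction subcommand, the FID and the multiplex ID. The Python below is an added example, not code from this report or from Snort. It parses those fields from constructed frames and applies the same logic statefully: a request on its own only yields a "possible" tag, and the "unpatched" and "implant present" alerts fire only when a reply is paired with the request it answers, which is the false-positive point made above. The subcommand numbers (PeekNamedPipe 0x23, Trans2 SESSION_SETUP 0x0E), the 0xC0000205 reply status and the +0x10 multiplex-ID convention are taken from the public MS17-010 and DoublePulsar detection signatures; the report does not state them. The frames are constructed test data, not captured traffic, and SMB2 frames, which carry a different signature byte, are only tagged as not inspected by these SMB1 rules.

```python
import struct

# SMB1 header layout and command numbers follow the CIFS/SMB1 specification.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_TRANSACTION = 0x25
SMB_COM_TRANSACTION2 = 0x32
FLAGS_REPLY = 0x80
# Values below come from published MS17-010 / DoublePulsar detection signatures, not from this report.
TRANS_PEEK_NMPIPE = 0x23                      # SMB_COM_TRANSACTION subcommand used by the vulnerability check
TRANS2_SESSION_SETUP = 0x0E                   # reserved, unimplemented Trans2 subcommand used for the implant ping
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # reply status an unpatched host gives to the check
IMPLANT_MID_DELTA = 0x10                      # implant answers with multiplex ID = request MID + 0x10


def parse_smb1(frame):
    """Parse a NetBIOS-framed SMB1 message into header fields plus the transaction setup words.
    Returns None for anything that is not SMB1 (SMB2 frames start with 0xFE 'SMB')."""
    if len(frame) < 37 or frame[4:8] != SMB1_MAGIC:
        return None
    command, status, flags, _flags2, _pid_high = struct.unpack_from("<BIBHH", frame, 8)
    tid, _pid_low, uid, mid = struct.unpack_from("<HHHH", frame, 28)
    msg = {"command": command, "status": status, "is_reply": bool(flags & FLAGS_REPLY),
           "tid": tid, "uid": uid, "mid": mid, "setup": []}
    word_count = frame[36]
    words = frame[37:37 + 2 * word_count]
    # Trans/Trans2 requests carry the subcommand (and, for PeekNamedPipe, the FID) in the setup
    # words after 28 bytes of fixed parameters; locate them structurally rather than by fixed offset.
    if command in (SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2) and not msg["is_reply"] and word_count >= 14:
        setup_count = words[26]
        if len(words) >= 28 + 2 * setup_count:
            msg["setup"] = list(struct.unpack_from("<%dH" % setup_count, words, 28))
    return msg


def classify_request(msg):
    """Stateless request rules: on their own these are only 'possible' matches."""
    tags = []
    setup = msg["setup"]
    if msg["command"] == SMB_COM_TRANSACTION and len(setup) >= 2 \
            and setup[0] == TRANS_PEEK_NMPIPE and setup[1] == 0:
        tags.append("eternalblue_check_request")      # PeekNamedPipe on FID 0
    if msg["command"] == SMB_COM_TRANSACTION2 and setup and setup[0] == TRANS2_SESSION_SETUP:
        tags.append("doublepulsar_probe_request")     # reserved subcommand no normal client sends
    return tags


def analyze_stream(frames):
    """Stateful pass over one client<->server exchange. Replies are judged together with the request
    they answer (matched by multiplex ID), so a lone reply cannot raise the high-confidence alerts."""
    pending, alerts = {}, []
    for i, frame in enumerate(frames):
        msg = parse_smb1(frame)
        if msg is None:
            alerts.append((i, "smb2_not_inspected" if frame[4:8] == SMB2_MAGIC else "non_smb1"))
            continue
        if not msg["is_reply"]:
            pending[msg["mid"]] = msg
            alerts.extend((i, t) for t in classify_request(msg))
            continue
        req = pending.pop(msg["mid"], None)
        if req and "eternalblue_check_request" in classify_request(req) \
                and msg["status"] == STATUS_INSUFF_SERVER_RESOURCES:
            alerts.append((i, "eternalblue_target_unpatched"))
        if req is None:
            probe = pending.pop(msg["mid"] - IMPLANT_MID_DELTA, None)
            if probe and "doublepulsar_probe_request" in classify_request(probe) \
                    and msg["command"] == SMB_COM_TRANSACTION2:
                alerts.append((i, "doublepulsar_implant_present"))
    return alerts


def build_smb1(command, mid, *, reply=False, status=0, setup=()):
    """Construct a test frame (constructed data for this example, not captured traffic)."""
    flags = FLAGS_REPLY if reply else 0
    header = (SMB1_MAGIC + struct.pack("<BIBHH", command, status, flags, 0xC807, 0)
              + b"\x00" * 8 + b"\x00\x00" + struct.pack("<HHHH", 0, 0xFEFF, 0, mid))
    if reply:
        body = b"\x00" + b"\x00\x00"                  # WordCount 0, ByteCount 0
    else:
        words = b"\x00" * 26 + bytes([len(setup), 0]) + struct.pack("<%dH" % len(setup), *setup)
        body = bytes([len(words) // 2]) + words + b"\x00\x00"
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed exchange: vulnerability check and its reply, implant ping and its reply, an ordinary
# Trans2 QUERY_PATH_INFORMATION (0x0005) request/reply pair, and one SMB2 frame as Windows 7 sends.
SAMPLE_EXCHANGE = [
    build_smb1(SMB_COM_TRANSACTION, 0x40, setup=(TRANS_PEEK_NMPIPE, 0)),
    build_smb1(SMB_COM_TRANSACTION, 0x40, reply=True, status=STATUS_INSUFF_SERVER_RESOURCES),
    build_smb1(SMB_COM_TRANSACTION2, 0x41, setup=(TRANS2_SESSION_SETUP,)),
    build_smb1(SMB_COM_TRANSACTION2, 0x41 + IMPLANT_MID_DELTA, reply=True),
    build_smb1(SMB_COM_TRANSACTION2, 0x42, setup=(0x0005,)),
    build_smb1(SMB_COM_TRANSACTION2, 0x42, reply=True),
    b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60,
]

if __name__ == "__main__":
    for index, tag in analyze_stream(SAMPLE_EXCHANGE):
        print(f"frame {index}: {tag}")
```

Run stand-alone it prints one line per alert for the constructed exchange; the ordinary Trans2 pair produces nothing, which is the behaviour the text asks for when it calls the single-packet rules false positives.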
4. Operation verification of Snort definition
The verification is done for two operations, EternalBlue and DoublePulsar.
EternalBlue was one of the SMB vulnerabilities released in April 2017 by the Shadow Brokers, as part of the exploits they offered for auction.
The Microsoft Windows exploits released by the Shadow Brokers were patched by MS17-010. The vulnerabilities fixed by MS17-010 are given in the figure above.
The next verification is DoublePulsar, which communicates to affect the machine targeted by the WannaCry ransomware.
Communication of normal data
If anyone sends a file from one system to another, Snort does not detect it. On Windows 7 we transmit and receive the file with the SMB2 protocol. SMB2 is the supported Windows protocol for communication and was not specifically configured, so Snort uses SMB1.
The “Eternal Blue” vulnerability check for a non-vulnerable machine
The vulnerability checker tool uses EternalBlue to check whether the machine has been patched or not. If the machine is vulnerable it displays a message telling you to update the computer or install the security update.
The “Eternal Blue” vulnerability check for a vulnerable machine
Once the checker is installed it asks for the IP address of the machine. A single IP is given to scan a target machine, and the checker scans the machine for the vulnerability. The output is shown below.
The “Eternal Blue” exploit for vulnerable machines
In Kali Linux we exploit the EternalBlue vulnerability against the target system, where DoublePulsar has no payload. The result of the exploit is detected by the definition for illegal SMB2 transmission, because the exploit is sent a number of times. The exploit is
sent a number of times for this reason. There is an error due to the large number of entries in a single log, but the detection was found: the vulnerability was detected, and then the attack was produced.
WannaCry's attack against a vulnerable machine
WannaCry attacked the target machine with the specimen. When the machine executes the exploit, the target machine is displayed as infected by WannaCry.
In the first stage WannaCry uses EternalBlue to detect whether the system is vulnerable or not; if the vulnerability is found it returns.
In the second stage DoublePulsar detects the machine as vulnerable. It sends only a request to the infected machine.
Operation verification result
As a result of the operation, it is difficult to detect the malware during transmission, but the detection of EternalBlue and DoublePulsar can be displayed by the Snort definitions. The behavior of the WannaCry infection has been captured. With more detections analyzed, its characteristics can be obtained.
10. ANALYSIS OF MALWARE (WannaCry)
Nowadays malware issues are common in computer security. Malware can easily damage the data and information stored in the computer (Malware Detection in Cloud Computing Infrastructures, 2018). It includes worms, viruses, adware, Trojans, spyware, rootkits and backdoors, and it can tragically affect the Microsoft Windows OS. The analysis is done to prevent the issues that happen in the computer. Malware analysis is classified into two types (Kaur, Singh and Dhir, 2017) (Mansfield-Devine, 2016).
Types of analysis
Static analysis (code)
Dynamic analysis (behavioral)
Static Investigation (code)
This type of inspection is done by scanning with anti-virus software and a hex editor, and by unpacking the malware. Typically the process is done by inspecting the .exe file; no instructions are actually executed. Based on this inspection we can find the suspicious files or links, and we can learn the functional details. It also gives details about the method of producing small and easy network signatures.
Steps for static-analysis
check strings in the binary
analyze binary header: anomalies
analyze imports
analyze resources
analyze code with disassembler
The following techniques are used for performing basic static malware analysis.
File fingerprinting
This method is carried out by a set of algorithms. It is used to map information such as documents, files, folders or text files to what are commonly termed fingerprints (An Analysis and Averstion of Highly Servivable Ransomware, 2017). A fingerprint has a unique ID that represents the respective file or folder, which is why it is termed a fingerprint. It is a typical method for securing data.
Sensitive data about the system is easily identified by this method, so it is necessary to provide higher security for these fingerprints. Using this technology a huge amount of data is analyzed, monitored and protected.
Virus Scanning
When using websites a wide variety of third-party sources are involved. Each of them gives a way to spread worms, and each of them is capable of stealing data, so a high-level inspection practice is needed; this is known as virus scanning. It is done by antivirus software tools, which first analyze all the data transferred throughout the system, so real-time monitoring is attained. Through real-time monitoring the suspicious files are identified, and based on the analyzed results we can take corrective measures. Analyzing memory artefacts (pagefile.sys, hiberfil.sys) and packer detection are some of the tricks. At the same time, attackers have developed many tricks to escape scanning. Employing a packer is the most used technique: a packer is a tool that compresses, encrypts, and/or modifies a malicious file’s format. (Packers can also be used for legitimate ends, for example, to protect a program against cracking or copying.) All these tricks decrease the chance of detection by antimalware products and help to avoid analysis by security researchers (Cohen and Nissim, 2018). Packers can both make it harder for security staff to identify the behavior of malware and increase the amount of time required for an analysis. Unpacking malware is the first challenge in understanding a threat. The complexity of packers varies.
Dynamic Analysis
Dynamic analysis is also called behavioral analysis. In the dynamic analysis technique, network traffic, the file system and other Windows features such as services and processes are analyzed. The name dynamic states that the process changes with respect to time. Here the inspection is carried out by a tool in real time, so the flaws in the process are measured in real time (Tanaka, Akiyama and Goto, 2017). All the scenarios are created virtually to inspect the flaws in the real system (Nomnga et al., 2014), and the whole inspection is carried out on a virtual or real CPU (Nomnga et al., 2014).
Steps for Dynamic analysis:
run it inside a sandbox
run it inside a debugger
By implementing this technique we can identify unwanted programs and reduce the actual cost spent on the test process. Testing is the key factor that shows the impact on maintenance as well as security. We can also identify the compatibility of the application (cybercrime, 2018).
11. DIFFERENCE BETWEEN STATIC AND DYNAMIC ANALYSIS
STATIC ANALYSIS
1) Force is constant /dead with respect to time always.
2) Displacement is static.
3) Static analysis requires lesser solution time.
4) Output will be stress and displacement.
DYNAMIC ANALYSIS
1) Force varies with respect to time.
2) Displacement varies with respect to time.
3) Solution time required is more.
4) Output will be stress, displacement, velocity, acceleration all these varies with respect to time.
The static characteristics of the file give the file name, file type, architecture, file size, MD5 hash, import hash and compile time of the executable file. The file name is the name of the executable (CABAJ, 2015). The file type indicates whether the file is an executable or not. Architecture is the Windows architecture. File size is the size of the file. The static information about the file used by the threat is given in the figure below.
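The static-analysis steps listed earlier (check strings, analyze the binary header, imports and resources) and the file characteristics just described (hash, size, architecture, compile time) can all be read straight from the PE headers, and the per-section entropy is the packer indicator discussed under virus scanning. The following Python is an added example, not code from this report or from any of the cited tools: it parses the DOS, COFF and section headers of a constructed minimal PE32 image, computes MD5 and SHA-256, reads the architecture and compile timestamp, measures Shannon entropy per section and extracts printable strings. The sample image, its timestamp and its section contents are constructed for the example (the .rsrc section is filled with uniformly distributed bytes to stand in for an XOR-obfuscated resource); the import hash is not computed because the constructed image carries no import table.

```python
import hashlib
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x01C4: "ARM", 0xAA64: "ARM64"}
PACKED_ENTROPY_THRESHOLD = 7.0   # bits per byte; values near 8.0 indicate compressed or encrypted content


def shannon_entropy(buf):
    """Shannon entropy in bits per byte (0.0 for empty or single-value input, 8.0 for uniform bytes)."""
    if not buf:
        return 0.0
    total = len(buf)
    return -sum((c / total) * math.log2(c / total) for c in Counter(buf).values())


def extract_strings(buf, min_len=6):
    """Printable-ASCII runs of at least min_len characters: the 'check strings in the binary' step."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def analyze_pe(data):
    """Static characteristics of a PE image: hashes, size, architecture, compile time, sections, strings."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    section_table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        # First 24 bytes of each 40-byte section header: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, section_table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        entropy = shannon_entropy(raw)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(entropy, 3),
                         "suspicious": entropy >= PACKED_ENTROPY_THRESHOLD})
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "architecture": MACHINE_NAMES.get(machine, "unknown (0x%04x)" % machine),
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "sections": sections,
        "strings": extract_strings(data),
    }


def build_sample_pe():
    """Constructed minimal PE32 image (not a real sample). The .text section holds a few strings
    this report mentions; the .rsrc section holds every byte value exactly four times."""
    text = (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10
            + b"c.wnry\0" + b"Global\\MsWinZonesCacheCounterMutexA\0" + b"vssadmin.exe\0")
    text += b"\0" * (-len(text) % 512)                        # pad to 512-byte file alignment
    rsrc = bytes((i * 73 + 11) % 256 for i in range(1024))   # uniform distribution -> entropy 8.0
    timestamp = 1494720000                                    # constructed: 2017-05-14 00:00:00 UTC
    opt_header = struct.pack("<H", 0x10B) + b"\0" * 94       # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x014C, 2, timestamp, 0, 0, len(opt_header), 0x0102)
    headers_end = 512
    text_ptr, rsrc_ptr = headers_end, headers_end + len(text)
    sec_text = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0, 0x60000020)
    sec_rsrc = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc), rsrc_ptr, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew at 0x3C points to offset 64
    headers = dos + b"PE\0\0" + coff + opt_header + sec_text + sec_rsrc
    headers += b"\0" * (headers_end - len(headers))
    return headers + text + rsrc


if __name__ == "__main__":
    report = analyze_pe(build_sample_pe())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against a real dropper the same parser reports the compile time and section entropies that the family-association step later compares across samples; a section whose entropy sits near 8.0 is the signal to unpack or decode before any further static work.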
Technical Analysis
Once the executable file is executed on a system, it gets information about the infected system such as the hostname. The figure below gives an example of the hostname of the infected system. Reverse engineering (RE) and malware inspection are carried out to ensure the security of systems against attackers. There are complications involved in this process, so many industries do not attempt it, but this kind of analysis mainly benefits the IT industries. The process is generally carried out in two stages: the first stage is static analysis and the second is dynamic analysis. In the first stage the code of the worm is reversed; in the second stage the effects of the malware when it actually infects the system are inspected. The first stage is very important for carrying out the second analysis (Ali, 2017). From this inspection we can simply find the actual process of the malware in the computer.
Basic Malware Analysis Tools
There is a large variety of malware inspection tools available on the market. This process needs high-level skills because it is highly hazardous, and a person who carries out the RE process must have very sound knowledge; only then can they perform these kinds of activities. So detailed knowledge of the malware analysis tools is very important. The analyst needs a deep understanding of basics such as the OS and the Internet, and must know about the conversion between high-level language and machine language.
Wannacry dropper
It contains a huge number of components to perform its operations. First it contains the encrypting tool that encrypts the data stored in the computer or server affected by this threat; it is protected by a password. It also has other files for further actions (“Wanna Decrypt0r 2.0”) (Zimba, Wang and Simukonda, 2018). These files hold the key to open the computer (North Korea blamed for WannaCry, PoS attacks and Bitcoin phishing, 2018).
Malware propagation and execution flow
12. Elements of the Malware
It consists of four different elements: the dropper, the carrier and the worms. These are responsible for the entire action of the ransomware. They are spread by suspicious files from the Internet (Vishnu and Sridharan, 2018). The first part is responsible for carrying the infectious files in the format of a document or some other format. Then the dropper is employed to affect the system, and the infectious files start to spread. Here we look at the different elements of the ransomware (DOGRAMACI, 2012).
Resource of dropper
This is used to carry the message from the attacker. On the infected system it shows the demand message, which also contains the payment details. The ransomware files are decrypted by this tool; before this process they are in encrypted format (Ijari, 2017).
Revenue generation
This attack generated revenue of $106,343 by demanding money in exchange for the password. It uses cryptocurrencies such as Bitcoin for its transactions, so the transactions are not identifiable; that is why this kind of money transaction is used.
13. Analysis of Wannacry
The static characteristics of the file give the file name, file type, architecture, file size, MD5 hash, import hash and compile time of the executable file (Malware Detection in Cloud Computing Infrastructures, 2018). The file name is the name of the executable. The file type indicates whether the file is an executable or not. Architecture is the Windows architecture. File size is the size of the file. The static information about the file used by the threat is given in the figure below.
Technical Analysis
Once the executable file is executed on a system, it gets information about the infected system such as the hostname. The figure below gives an example of the hostname of the infected system (Cabaj and Mazurczyk, 2016).
Once the hostname is recorded, the file creates a registry key on the affected system. The registry change is handled by subroutine sub_4010FD of the PE file.
File Static Characteristics
Several other functions, such as SizeofResource and LoadResource, are called by the executable file for their own purposes.
The resource section is decoded and loaded using XOR operations in the final stage of the process.
The files below are extracted onto the affected system. This table includes the file name and the resulting MD5 hash:
The following table contains the information about each file name and its functionality:
Bitcoin Addresses Grabbing
After the extraction process completes on the victim system, the hardcoded Bitcoin addresses below are grabbed when subroutine sub_401E9E is called by the PE.
The picture below shows the Bitcoin addresses inside the sub_401E9E subroutine:
The content of the file c.wnry is read in subroutine sub_401E9E:
The table below has the strings extracted from the c.wnry file:
File Attribute Permissions & Encryption
In this step the permissions and attributes of the files in the same folders and subfolders are changed.
The two hardcoded strings below run when the PE file executes:
The following files run when the PE file calls the subroutine:
The files are loaded using the GetProcAddress Windows API function. To load the file kernel32.dll, the corresponding subroutines such as LoadLibrary are called:
The creation, reading and deletion of files are described in the Windows functions above. The sub_401A45 subroutine is called inside this subroutine to load advapi32.dll using LoadLibrary, and these Windows API functions are depicted below:
The next stage in this process is to retrieve an AES key, which is used to encrypt the files found by the enumeration process. The key is retrieved by reading the content of the t.wnry file. The subroutine responsible for this is sub_4014A6. After this completes, the file extension is replaced by WNCRY (Krunal and Viral, 2017).
The ransomware wallpaper is shown in the diagram below:
The affected system is shown below when the PE file executes the GUI file @WanaDecryptor@.exe:
The payment and decryption process are provided by the GUI application. The victim has a short window of time to pay and obtain a decryption key before the files are deleted.
The mutex Global\\MsWinZonesCacheCounterMutexA, created during the execution of the ransomware, is shown in the picture below:
Process Tree Analysis
In this analysis, the additional malware is downloaded and installed via the diskpart.exe file. The PE file spawns other processes on the system. The picture below shows that icacls.exe is also spawned by diskpart.exe; it is responsible for granting full permissions to the dropped files (Hernandez-Castro, Cartwright and Stepanova, 2017).
In the next step, batch files are executed by diskpart.exe through cmd.exe. After this, cmd.exe runs the Windows command-line script host cscript.exe. The following picture shows the execution of a Visual Basic Script (VBS) named m.vbs on the affected system and the tracking of cmd.exe events:
The batch file was executed through the cmd.exe process, and the m.vbs file was executed through the cscript.exe process. The content of the batch file is shown in the table below:
When m.vbs is executed it creates a link file on the system. The link is @WanaDecryptor@.exe.lnk, and the @WanaDecryptor@.exe process is executed through the same link after being launched by diskpart.exe (Simran Sabharwal and Dr. Shilpi Sharma, 2018).
Then taskhsvc.exe is spawned by @WanaDecryptor@.exe, as shown in the picture below:
The TaskData folder is created by taskhsvc.exe in the same location; it contains the Tor client application. On the worm-affected system, TaskData\Tor\taskhsvc.exe was run as taskhsvc.exe.
In the next step the command cmd.exe /c start /b @WanaDecryptor@.exe is run to launch a new @WanaDecryptor@.exe process.
These processes are shown in the following diagram of the vssadmin execution.
To remove any shadow copies the bcdedit and vssadmin tools are used. The table below shows the full command execution through cmd.exe,
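Because the chain described in this section (diskpart.exe spawning icacls.exe, cmd.exe running cscript.exe with m.vbs, and cmd.exe running vssadmin and bcdedit to remove shadow copies) is a parent-child structure, a sandbox's process-creation log is the natural place to detect it. The Python below is an added example, not the report's or TrapX's code: it rebuilds the process tree from constructed events (pids, image names and command lines invented for the example; the batch-file name is hypothetical) and flags the three behaviours described above, reporting the full ancestry so the analyst sees the dropper at the root. The vssadmin and bcdedit command lines are the commonly documented recovery-tampering forms, not the contents of the report's table.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Constructed process-creation events modelled on the chain described above (not the report's table).
SAMPLE_EVENTS = [
    ProcEvent(900, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1000, 900, "diskpart.exe", "diskpart.exe"),                   # the dropper, as named in the report
    ProcEvent(1010, 1000, "icacls.exe", "icacls.exe . /grant Everyone:F /T /C /Q"),
    ProcEvent(1020, 1000, "cmd.exe", "cmd.exe /c dropped.bat"),             # hypothetical batch file name
    ProcEvent(1030, 1020, "cscript.exe", "cscript.exe //nologo m.vbs"),
    ProcEvent(1040, 1000, "@WanaDecryptor@.exe", "@WanaDecryptor@.exe"),
    ProcEvent(1050, 1040, "taskhsvc.exe", "TaskData\\Tor\\taskhsvc.exe"),
    ProcEvent(1060, 1000, "cmd.exe",
              "cmd.exe /c vssadmin delete shadows /all /quiet & bcdedit /set {default} recoveryenabled no"),
    ProcEvent(1070, 1060, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(1080, 1060, "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    # Benign activity that must not fire: a user's own shell running a logon script.
    ProcEvent(2000, 900, "notepad.exe", "notepad.exe notes.txt"),
    ProcEvent(2010, 900, "cmd.exe", "cmd.exe"),
    ProcEvent(2020, 2010, "cscript.exe", "cscript.exe //nologo logon.vbs"),
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
RECOVERY_TOOLS = {"vssadmin.exe", "bcdedit.exe", "wbadmin.exe", "wmic.exe"}
RECOVERY_TAMPER = re.compile(r"delete shadows|shadowcopy delete|recoveryenabled\s+no|delete catalog")
TRUSTED_SHELL_PARENTS = {"explorer.exe", "services.exe"}


def ancestry(by_pid, pid):
    """Render the parent chain of a process as 'root > ... > leaf' (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


def detect(events):
    """Return (rule, ancestry) findings for the behaviours in the process tree described above."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image, cmd = e.image.lower(), e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        # 1. Shadow copies or recovery options removed: backups spoiled ahead of encryption.
        if image in RECOVERY_TOOLS and RECOVERY_TAMPER.search(cmd):
            findings.append(("shadow_copy_tampering", ancestry(by_pid, e.pid)))
        # 2. icacls granting Everyone full control, as done on the dropped files.
        if image == "icacls.exe" and "/grant" in cmd and "everyone" in cmd:
            findings.append(("permission_weakening", ancestry(by_pid, e.pid)))
        # 3. Script host launched by a cmd.exe whose own parent is not an interactive shell ancestor.
        if image in SCRIPT_HOSTS and parent and parent.image.lower() == "cmd.exe":
            grandparent = by_pid.get(parent.ppid)
            if grandparent and grandparent.image.lower() not in TRUSTED_SHELL_PARENTS:
                findings.append(("script_host_from_dropper_cmd", ancestry(by_pid, e.pid)))
    return findings


if __name__ == "__main__":
    for rule, chain in detect(SAMPLE_EVENTS):
        print(f"{rule:30s} {chain}")
```

The third rule is deliberately conditioned on the grandparent rather than on cscript.exe alone, so the logon script run from the user's own shell under explorer.exe stays quiet while the same script host under the dropper's cmd.exe is reported.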
TrapX AIR Analysis Results
Digital forensics artifacts were collected from the Windows system using the TrapX lab, and the overall analysis of the artifacts was done with TrapX AIR. The ransomware installed one of its components in the registry auto-run keys, as described in the following table:
TrapX is responsible for scanning and verifying all space and disks in the system and the remote network shares (Ransomware claims more victims, 2016). WannaCry added this file to the CurrentVersion\Run registry key to establish persistence across system reboots and shutdowns. The ransomware process identified is described in the following picture:
The prefetch files record many files spawned by diskpart.exe; the prefetch entries show the execution of icacls.exe, vssadmin.exe and attrib.exe.
When the artifacts are collected, this type of ransomware is run, the viruses are detected and finally the processes are found to be malicious. AIR presents information showing that the attack activity was running on the previously clean device. The table below shows Windows prefetch files holding numerous artifacts related to the ransomware:
Malware Family Association
TrapX Security Labs has more tools and performed threat intelligence analysis on the import hash and MD5 values. The final decision is made according to the wider ransomware community. The table below consists of the MD5 lists identified in the report:
Many of these have the same properties:
Identical Portable Executable imports and Windows API functions.
The compilation time is identical to the ransomware in this report.
Identical PE section series with the same section table and entropy.
CryptoTrap from TrapX – Defense Against WannaCry
TrapX is an innovative, elegant and simple solution against WannaCry and other ransomware. The cryptographic process within the ransomware enumerates the shares on the machine.
The data is carefully monitored for file changes such as modifications to the files or their names and suffixes (Choudhary, 2018).
The table below defines the malware activity detected in TrapX
Encrypting the dataset can never finish, because an infinite amount of data can be presented to the malware. In this way the potentially catastrophic damage from WannaCry, and the resulting impact on the brand, can be averted. This is used to customize business continuity and customer perception (Beckett, 2015).
The CryptoTrap automatically disconnects the infected host, as described in the following table:
TrapX – Mitigation and Containment
Without using agent-based technology, TrapX has the facility to contain cryptographic ransomware (Brewer, 2016). It makes a great deal of sense for an organization to deploy it as a defense against a threat such as WannaCry. This means that devices showing signs of malicious behavior can seamlessly and automatically be either removed from the network or routed to a different part of the network where they only have decoys and fake data to interact with. Analysis of attacker motivation and in-depth insight into the attack tools are provided.
The table above describes the TrapX NAC integration.
Deception tokens are placed on client endpoints and decoy assets are deployed on every network VLAN. When a machine is compromised by EternalBlue, the next step is that the TrapX deception tokens redirect the malware to the CryptoTrap.
The workflow of TrapX against the ransomware is described in the following table:
The focus on outcomes rather than signatures means higher-fidelity alerts when human attackers and malware show signs of reconnaissance, lateral movement and cryptographic activity.
This is a non-routable part of the infrastructure where the malware can interact only with decoys. A corresponding network approach, with medium- and high-interaction decoys on the network so that the attack surface starts from there, provides a rich framework.
Quarantine of the affected system is shown in the table below
Whenever a threat is identified or detected, the device is immediately removed from the network, and any quarantined device can be placed back onto the network with a single click from the TrapX GUI (Byun, 2015). Using the TrapX ecosystem integration, the potentially catastrophic consequences of exploits like WannaCry are handled effectively. The table below also shows the removal of the machine from quarantine:
14. WannaCry analysis with IDA Pro
The old IDA version 5.0 was used.
This figure shows the initial screen of the IDA Pro tool.
Select New to disassemble a file; this opens an empty page.
This is called the disassembly page; the figure shows many tools, with some code at the bottom.
This screenshot shows text mode. The many numbers seen are not just numbers; they are addresses, used to find locations in WannaCry.
The screen above is graph mode; the space bar switches between the two views.
The arrow indicates what type of address and file access is planned.
This figure shows the full graph mode screen, with imported constants, characters, variable values and many other details filled in.
This screenshot is the IDA options window, used to choose many options and set the line length, pointer values, etc.
This figure shows one block split into many boxes, each holding various addresses within the affected file. A red arrow marks a conditional jump not taken, a blue arrow an unconditional jump, and a green arrow a conditional jump taken.
Showing the text in graphical mode displays all the details of the text within graph mode.
This figure shows the following details: a dot marks a loop, the text marks the section of the WannaCry ransomware under analysis, and the numbers are addresses in the file or system.
Some IDA Pro commands are generated to find the WannaCry virus.
This figure shows each individual instruction with its command; a command is set for each part of the section.
The figure above shows some functions and flags. L means library function. A number of functions are used in this analysis work, because every function is important.
This figure shows that each address can be given a special name.
This figure shows the Strings window.
This figure shows the imports and exports window: which functions are imported and of which type, such as the hostname function.
This figure shows all the active data; active data is indicated in yellow.
This figure shows a cross reference; double-clicking a function goes straight to the other code location.
Everything in the frame is pushed onto the stack; this frame is set up at the start of the function. It saves all the events, with a special option to reset and drop the events.
Clicking a string jumps straight to it when navigating in IDA Pro; double-clicking shows the new entry for the displayed input string.
This figure shows the Links window. By placing special links, a double-click displays the new address location.
This figure shows multiple colors; these colors form the navigation band. Each color has a meaning: red marks compiled code, dark blue the analyzed user code, and light blue the library code.
This figure shows the search box, used to search by name and address in the WannaCry ransomware.
This figure shows the search box, used to search for any tool.
This figure shows code cross references. This section uses the XREF command, which clearly displays what type of function is called and what type of program or virus is installed.
This screenshot shows data cross references; this box is fully populated with strings. Double-clicking a string goes straight to the XREF command and displays where that string is used.
This screenshot shows the WannaCry names classified by function type, and also displays the names and data.
All the figures above show how the graphical options are used.
This figure shows how to change a location name. When one location name is changed, all references to that location change automatically. This location is marked as the WannaCry ransomware address.
15. Ransomware Attack
Ransomware is the largest cyber scam. It has affected businesses over the last three years. The FBI is the best investigation agency and it estimates the losses caused by ransomware: the amount lost to ransomware in 2016 is 1 billion dollars. Encryption is the major means of preventing the data from being attacked by ransomware, because ransomware is dangerous in attacking or retrieving the data from networked computers. That is why we need an encryption standard for blocking ransomware (Tahir, 2018). There are many digital currencies available; Bitcoin is one of them. Nowadays most companies and others are using Bitcoin. Attacks by ransomware are rapidly increasing. Cyber-criminals earn one million pounds in 30 days with the attack (Application Security through Sandbox Virtualization, 2014).
There is much PC malware available and the Trojan is one of them. It was distributed by Dr Joseph Popp. The ransomware became more noted over time. The Trojan’s malware functionality is to hide all the folders and encrypt the files in the C: drive, because all the executable files are installed by default in the C: drive.
Ransomware Phases
Ransomware has five phases, as follows.
Now we see the explanation for each phase one by one.
Exploitation and infection:
Every malware is in executable file format (EXE); ransomware is also in executable file format and needs a PC to execute its attack function (DOGRAMACI, 2012). There are many ways to inject the malware into a PC.
Sending email is one of them that email includes the Ransomware execute file. This malware has
some toolkit for inject these malicious function to software applications. The target of this toolkit
is start the user’s outdated application or programing.
Delivery and Execution
The ransomware executable is sent to the victim's system by the exploit process. The time this takes depends on network latency: from seconds to a few minutes. Many encrypted channels are available; the executable is sent over Secure Socket Layer, which is added on top of HTTP, so removing the exe file from the wire is difficult. That is why the exe file is removed from %APPDATA% or %TEMP%, because the exe files are located in those places.
Back-up spoliation
The ransomware needs some time to execute the injected malware on the system; it takes a few seconds to execute the program. The target of this phase is to spoil the files that are backed up to the drives of the computer. Its main activity is removing the privileges for restoring folders and files, so that back-up files cannot be restored after the spoliation by the ransomware. Two major kinds of attack are carried out by ransomware: the mass-distribution attack and the targeted attack. It deletes all the shadow copies of the drives in the system; this is done by executing commands, as CryptoLocker and Locky do.
File encryption
The ransomware uses AES-256 with a secure key exchange method, because it needs a key exchange method to attack the systems. This action is performed once the back-up files have been removed by the ransomware executable. The ransomware needs a C2 (command and control) server to exchange the keys generated for the AES-256 algorithm; it does not exchange the key internally, so it needs the C2 server for the exchange. Victims cannot break the encryption by themselves. The C2 server exchanges keys over the Internet of Things; when the C2 server is absent, the ransomware is also absent.
User notification and clean-up
The victim is quite often given a few days to pay; the ransom increases after that deadline. This happens only once the back-up files have been removed and the dirty work is done. We can identify the ransomware by its instructions. The instructions are saved to the encrypted folder or hard drive; sometimes the attacker defines the storage location, and the note is saved in the same folder as the encrypted files. Many CryptoWall versions exist; here versions 3 and 4 are used. CryptoWall V3 stores the instructions using HELP_DECRYPT. CryptoWall version 4 changed the instructions to HELP-YOUR-FILES. These two instruction files are used, and the malware then removes itself from the system.
16. Ransomware attack handling steps
Five steps are available for handling a ransomware attack:
Preparation
Detection
Containment
Eradication
Recovery
Preparation
The malware knows the vulnerabilities through which it enters systems, so aggressive patching is the best step to bolster the defences. Back-up files and encrypted files are destroyed by this ransomware, and then the enterprise faces the risk. Even network shared files and folders are affected, so cloud storage is not safe either. An incident response plan that explicitly covers a ransomware attack must be developed by the enterprise, particularly for targeted attacks; it identifies the attack and stops a serious situation.
Detection
Only when the attack is identified early can the organization reduce the damage. An attack is identified by a good defence: the Internet of Things devices and other network devices are alerted. Another technique for identifying ransomware in network traffic is a threat intelligence source. Signatures are used to identify and detect the ransomware in traffic or in any other area. As discussed, ransomware is sent by email, so good malware scanning, which detects the malware in email, can be used. This scanning method is also used to detect the malware in the local areas of the system, that is %APPDATA% and %TEMP%, and in folders. CryptoLocker, too, is best detected before the back-up spoliation. Another way of identifying ransomware is looking for file names that appear random.
Containment
When the ransomware has been identified in the system, some steps are available to protect the network files. This is done by endpoint protection that watches the exe files and terminates the process; that is containment. Network connectivity is disabled when the ransomware is detected, in order to protect the network files from the ransomware.
Eradication
The ransomware is eradicated from the network once it has been detected and contained. Files with the same file type and file name are called residual files; simply put, repeated files are residual files. If the ransomware has a residual file hidden in the system, there is a chance of it affecting the system again. This is done through malicious emails, so the malicious mail in the mailbox should be cleaned up. Enterprises should monitor IOCs and signatures in order to prevent attacks by ransomware.
Recovery
In recovery the major role is to restore the files affected by the ransomware from back-up (Kenyon and McCafferty, 2016). This is done only once the back-ups have been verified thoroughly. Some cleaning of the back-up files may be needed; this takes some time, or else we face the large-scale problem made by the ransomware (Hernandez-Castro, Cartwright and Stepanova, 2017). The major step is to investigate the specific infection made by the ransomware on the systems: whether it was injected by email or by a web-based attack. Identify the type of ransomware injected when it came from a web-based attack kit. This helps the enterprise make a better defence against ransomware in future.
17. Findings and Impact
Based on the reverse engineering,
1. To find the approaches to detect ransomware:
1.1 Detecting Ransomware using Dynamic approaches:
Nowadays, behaviour-based malware detection relies on dynamic analysis. In a controlled environment, these systems execute a malware sample and record its behaviour (e.g., system calls, network activity). Malware detection systems monitor suspicious use of operating system functionality such as keylogging. In this section, we propose a novel dynamic analysis system that is intended to examine ransomware and demonstrate its behaviour (Sato, Chiba and Goto, 2013). The system tracks changes to the PC's desktop in parallel, which reveals ransomware-like behaviour. The key insight to keep in mind is that, to be useful at all, the ransomware must access and tamper with the user's files or desktop. Our automated approach is called Unveil.
System design:
This section describes our techniques for detecting multiple classes of ransomware attacks.
Generating Artificial User Environments:
Ransomware analysis environments are subject to fingerprinting techniques, which is not trivial in a real-world setting. A static character has a significant impact on the effectiveness of malware analysis systems: the user details can be effectively used to fingerprint the analysis environment. Before each run, Unveil therefore automatically generates an artificial user environment for the ransomware.
File system Activity Monitor:
The first core component of Unveil is a file system monitor, used to collect file system activity during a cryptographic ransomware attack. The file system monitor in Unveil has direct access to the data buffers involved in I/O requests, giving the system visibility into file system modifications. Each sample uses a single, specific strategy to block access to user data, and this attack strategy is accurately reflected in the form of I/O access patterns that are repeated for each file when performing the attack. The module monitors file system accesses of user-mode processes, which allows Unveil to have full visibility into interactions with user files. Our approach mainly considers write or delete requests. We elaborate on extracting I/O access patterns per file. Unveil computes the entropy of the data buffers of read and write requests to a file; this is due to the common strategy of reading in the original file data, encrypting it, and overwriting the original data with the encrypted version. The system uses Shannon entropy for this computation.
Constructing Access Patterns:
Unveil constructs I/O access patterns. It sorts the I/O access requests based on file names. This enables the system to extract the I/O access sequence for each file and check which processes accessed each file, arranging the I/O access requests per file. Repetition can be seen in the I/O of the malicious process.
The detection measure used by the system is these I/O request patterns; they raise an alert in Unveil when they are identified as suspicious file system activity. We studied diverse cryptographic ransomware samples across various ransomware families. Our investigation demonstrates that, despite their differences, they can be arranged into three primary classes of attack:
(1) The attacker overwrites the user's file with an encrypted version.
(2) The attacker deletes files without wiping them from storage.
(3) The attacker reads the file, creates a new, moved (encrypted) version, and securely deletes the original by overwriting its contents.
The access pattern shown on the left, for instance, is characteristic of CryptoLocker variants that have varying key lengths and desktop locking mechanisms; its access pattern stays the same across family variants. We observed similar I/O activity for the samples: they have comparable I/O patterns when they attack user files. Another case is ransomware that first creates a new file; such cryptographic ransomware does not wipe the original file's data from the disk. In the third approach the ransomware creates the encrypted file and securely deletes the original.
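As an added example, not part of the original report or of Unveil itself, the following Python models the per-file access-pattern classification described above: it groups one process's I/O requests by path, uses Shannon entropy of the write buffers to tell ciphertext-like writes from plain text, and labels each file with one of the three attack classes, flagging the process when the same class repeats across files. All I/O events, file names and thresholds are constructed for the example.

```python
"""Added example (not Unveil's own code): classify the per-file I/O access
sequence of one process into the three attack classes described above,
using Shannon entropy of the write buffers to tell ciphertext-like data
from plain text. Every I/O event below is constructed; the entropy
threshold and the minimum number of repeating files are assumptions."""
import math
from collections import OrderedDict

HIGH_ENTROPY = 7.0   # assumed: buffers at or above this look encrypted (max is 8.0)
MIN_REPEATS = 3      # assumed: same pattern on this many files => ransomware-like


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant data."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(ops):
    """ops: ordered (op, data) pairs for ONE path; op is read/write/create/delete.
    Returns 'overwrite' (class 1), 'delete-no-wipe' (class 2),
    'wipe-then-delete' (class 3), 'new-file' (a file the process made itself)
    or 'benign'."""
    kinds = [op for op, _ in ops]
    if kinds and kinds[0] == "create":
        return "new-file"
    was_read = "read" in kinds
    deleted = "delete" in kinds
    writes = [data for op, data in ops if op == "write"]
    high_entropy_writes = [d for d in writes if shannon_entropy(d) >= HIGH_ENTROPY]
    if was_read and high_entropy_writes and not deleted:
        return "overwrite"          # (1) read original, overwrite with ciphertext
    if deleted and not writes:
        return "delete-no-wipe"     # (2) deleted, content still on storage
    if deleted and writes:
        return "wipe-then-delete"   # (3) contents overwritten, then removed
    return "benign"


ATTACK_CLASSES = ("overwrite", "delete-no-wipe", "wipe-then-delete")


def analyze_process(trace, min_repeats=MIN_REPEATS):
    """trace: ordered (op, path, data) events of one process.
    Groups requests by path (as Unveil sorts them by file name), labels each
    file, and flags the process when one attack class repeats across files."""
    per_path = OrderedDict()
    for op, path, data in trace:
        per_path.setdefault(path, []).append((op, data))
    labels = {path: classify_file(ops) for path, ops in per_path.items()}
    counts = {}
    for label in labels.values():
        if label in ATTACK_CLASSES:
            counts[label] = counts.get(label, 0) + 1
    if not counts:
        return {"suspicious": False, "attack_class": None, "labels": labels}
    dominant, n = max(counts.items(), key=lambda kv: kv[1])
    return {"suspicious": n >= min_repeats, "attack_class": dominant, "labels": labels}


# Constructed buffers: repetitive text (low entropy), a stand-in for ciphertext
# with every byte value equally frequent (entropy exactly 8.0), and a zero wipe.
PLAINTEXT = b"Quarterly figures attached, please review. " * 40
CIPHERTEXT = bytes(range(256)) * 16
ZEROS = b"\x00" * 4096
DOCS = [f"C:\\Users\\alice\\Documents\\report{i}.docx" for i in range(3)]


def sample_trace(attack_class):
    """Constructed traces reproducing each access pattern on three user files."""
    trace = []
    for path in DOCS:
        if attack_class == "overwrite":
            trace += [("read", path, PLAINTEXT), ("write", path, CIPHERTEXT)]
        elif attack_class == "delete-no-wipe":
            trace += [("read", path, PLAINTEXT), ("create", path + ".locked", b""),
                      ("write", path + ".locked", CIPHERTEXT), ("delete", path, b"")]
        elif attack_class == "wipe-then-delete":
            trace += [("read", path, PLAINTEXT), ("create", path + ".enc", b""),
                      ("write", path + ".enc", CIPHERTEXT),
                      ("write", path, ZEROS), ("delete", path, b"")]
        else:  # benign editor: reads a document and saves plain text back
            trace += [("read", path, PLAINTEXT), ("write", path, PLAINTEXT + b" Edited.")]
    return trace


if __name__ == "__main__":
    for cls in ATTACK_CLASSES + ("benign",):
        result = analyze_process(sample_trace(cls))
        print(f"{cls:18s} suspicious={result['suspicious']} class={result['attack_class']}")
```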
Detecting Screen Lockers:
This is the second difficult process involved in the detection phase of ransomware, because it has many complications. Screen lockers are used to monitor and lock the screen, and to show the attacker's message. Unveil tracks changes such as mouse movements and the opening and closing of different dialogue boxes, and also takes snapshots after the successful attack; these are used to identify the ransomware. Changes in the location of the mouse pointer, the current date and time, new desktop icons, windows, and visual changes in the task bar should be rejected as unimportant. After a successful ransomware attack, the display of the ransom note regularly results in automatically identifiable changes in the screenshot (e.g., a large rectangular object covers a large part of the desktop). The similarity between the pre- and post-attack images decreases significantly, which can be used as an indication of ransomware.
1.3 Detecting Zero-Day Ransomware
The aim of the second experiment is to evaluate the accuracy of Unveil. In this experiment we use a number of real-world malware samples; large data sets of real-world malware samples are run through Unveil, and finally the detection results are compared. By comparing the final results we can easily scan the whole set of viruses. Daily malware feeds were used to build the data sets, and samples were also provided by security researchers. Collection of the samples started on 18 May 2015, and all the required samples had been collected by 12 February 2016. The data set contains many distinct samples: 148,223 distinct samples are contained in the data set. Every sample was submitted to Unveil. Two kinds of measure are used: one is the I/O access pattern, and the other is the pre/post-execution desktop image dissimilarity score. Unknown ransomware is automatically detected by Unveil; that is, Unveil is mainly used to detect ransomware automatically. Over the course of the experiment, the malware data set was submitted both to Unveil and to VirusTotal, so that the whole set of viruses was submitted effectively. Where the VT scanners did not detect a ransomware sample, we needed a new detection for this report. A new detection has some lag, which is calculated from the reports; we therefore keep a record for newly detected samples. The whole submission was done over several days. If the detection results changed, the samples were resubmitted; the samples were submitted many times, and after a few resubmissions the results no longer changed. The detection results concentrate on very small or very large detection ratios: either almost all the scanners or only a small number of scanners detected the samples. In the AV industry there is no standard labelling scheme; each scanner has a different name for identification purposes. We need to label the scanners so that biased results are avoided; we give any successful name for this detection.
2. Find the Functions: Encryption process and Encryption key:
Ransomware and encryption
Every day we need to update the sample condition, as some changes appear in subsequent submissions. Using Unveil, 72.2% of samples are detected every day, but 55 VT scanners did not detect what Unveil detected. Generally both the large and the small ratios are detected. Unveil's out-performance is shown by the large-scale experiment, and the superficial detection by public AV scanners. Modern industrial sandbox technology is used for virus detection. In crypto ransomware, encryption is a key element.
Encryption in crypto-ransomware
The successful use of encryption is the only way to achieve the whole business plan. Encryption is a powerful tool used in industry, business and government, and it is also used to protect data from unauthorized access. In symmetric encryption one secret key is used for both encryption and decryption; in public-key encryption the public key is used for encryption and the private key for decryption.
Impact in the enterprises
Service downtime
Data loss
Operation impact
Patient care impacts:
The hospital trusts in England were disrupted by the attack. There are over 235 hospital trusts in England; of these, 78 trusts were affected, and 34 of the affected trusts were infected. Some of the trusts, more than 45, were not affected. Some primary care services were also affected. The NHS gave mutual aid to several places in the country. At the time of the incident, patients from several hospitals were moved for emergency treatment; they were not routine patients. Some of the invitations, meaning first appointments, were cancelled; all of those were rearranged. A portion of the major cancer patients is represented, at a rate of (0.4%). The clinical system and electronic patient records were reduced because all the GP practices were affected at the weekend.
Effects on finances:
The NHS did not pay the ransom. At the time of the incident the NCSC gave advice not to do so.
Social care impacts:
The social care providers were infected; we do not know the reason for the issue, which means we do not have evidence about the infection. The email contained some quarantined items and was sent from the NHS. The main observation about this quarantined email is that business continuity arrangements were implemented. The links were turned off by local authorities to prevent infection. In this type of situation the quarantine messages are sent by the NHS.
Effect of WannaCry worldwide:
It affected the Russian Interior Ministry, Telefonica (Spain's largest telecommunication company) and FedEx. Routine surgery and regular checkups were cancelled as services recovered. The report tells that 40,000 organizations were affected in China, including 60 academic institutions. The heaviest attack was on Russia; Kaspersky Lab is a Russian organization, and the country runs a relatively large proportion of dated and unpatched systems. The ransomware was specially designed for the worldwide attack: WannaCry can make its demand in 28 languages.
Risk Mitigation systems:
The following steps can help an organization mitigate its risk exposure: confirm that vulnerability management (covering patch management and vulnerability scanning/remediation) is a robust, enterprise-level program; back up critical data and keep it up to date, so that the rate of data generation is aligned with the restore timeline; implement endpoint monitoring; run a comprehensive security awareness training program in the organization; and maintain and frequently test an incident response plan that is measured for its effectiveness against ransomware and regularly updated to reflect the current cyber threat environment.
Preventive measures:
Cyber security services, including proactive penetration testing and cyber transformation, help. The following steps are recommended: maintain incident response and business continuity plans, tested and measured against ransomware and other attacks, and updated to the current cyber threat environment; have the organization run a training program; test the organization regularly; have backups in place to mitigate the effects of the infection process; when connecting with third parties on your network, ensure they follow the same practices as yourself; have the security operations team monitor vulnerable behaviour occurring in the environment; identify the data and critical systems and check whether their connection to the internet is necessary; and test the security program with frequent penetration tests across the estate.
Forward look against WannaCry:
It can provide services like quick response and communication to end users. The affected machine is disconnected from the network. All backups are taken in offline mode and then lifted to the connected network. Ransomware containment is based on past experience with checking ransomware negotiations. Ransomware does not just target home users; organizations can likewise end up infected with ransomware, leading to negative results including temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, and financial losses incurred to restore systems and files.
Potential effect of ransomware:
The risk impacts are examined in the healthcare industry. If PCs stop working and there are delays in data access and data flow, it could cause considerable disruption. In crypto ransomware, symmetric encryption is used for the data. On the other hand, asymmetric encryption is convenient because it enables the malware operator to (super-)protect only one private key regardless of the number of victims; otherwise the malware operator would have to keep a record of a (symmetric) secret key for each one of the victims. Ransomware uses symmetric encryption to encrypt the victim's data and asymmetric encryption to protect the key details, because the key details are small files.
18. Impacts of Ransomware attack
Patient care impacts
The hospital trusts in England were disrupted by the attack. There are above 235 hospital trusts in England; of these, more than 78 trusts were affected, and 34 of the affected trusts were infected. Some of the trusts, more than 45, were not affected. There are also primary care services, counted as 603, all of which were affected by WannaCry. During the incident the enterprises made a call about WannaCry. The NHS gave mutual aid to some places in the nation. At the time of the incident, patients from more than four hospitals were moved for emergency treatment; they were not normal patients. Some invitations, meaning first appointments, were cancelled; all of them were rearranged to mid-May. Cancer patients' appointments were also cancelled: the count of those cancer patients is 139 for mid-May. Some of the major cancer patients are represented in mid-May; that rate is (0.4%). At the time of the attack and afterwards the clinical system and electronic patient records were reduced, because all the GP practices were impacted at the weekend and in the evening. The data on cancelled appointments and diverted ambulance patients were not monitored by NHS England (Owens, 2016) (Priya, 2017).
Impacts on finances
The NHS did not pay the ransom. At the time of the incident the NCSC gave advice not to do so (RANSOMWARE AND ITS IMPACT IN INDIA – A LITERATUER STUDY, 2018).
Social care impacts
The social care providers were infected; we do not know the reason for the issue, which means we do not have evidence about the infection. The email contained some quarantined items and was sent from the NHS. The main observation about this quarantined email is that business continuity arrangements were implemented. The links were turned off by local authorities to prevent infection. In this type of situation the quarantine emails are sent by the NHS.
Impact of WannaCry in a global manner
Approximately 30-40 companies were publicly named as impacted. They include the Russian Interior Ministry, Telefonica (Spain's largest telecommunication company) and FedEx. It badly hit the UK National Health Service (NHS), with 16 of the 47 NHS trusts being affected. Routine surgery and doctor appointments were cancelled while services recovered. Their report tells that 40,000 organizations were affected in China, including 60 academic institutions. The heaviest attack was on Russia; Kaspersky Lab is a Russian organisation, and the country runs a relatively large proportion of dated and unpatched systems. The ransomware was specially designed for the international attack: WannaCry can make its demand in 28 languages.
19. Risk Mitigation techniques
The following steps can help an organization mitigate its risk exposure: confirm that vulnerability management (which involves patch management and vulnerability scanning/remediation) is a robust, enterprise-level program; back up critical data and maintain it, taking the rate of data generation into account, and align the timeline for restoring system backups with the procedures of the business continuity plan (BCP); implement endpoint monitoring, giving teams visibility into malicious behaviour occurring at that level; make the security awareness training program in the organization comprehensive; maintain and regularly test the incident response plan, measure it for effectiveness against ransomware, and regularly update it to reflect the current cyber threat environment; and check whether critical systems are unnecessarily connected to or accessible from the internet.
20. Preventive measures:
Cybersecurity services, including proactive penetration testing, cyber transformation and managed security operations centres, can be leveraged to prevent a ransomware outbreak within an organization (Garber, 2012) ("Best Practices: Ransomware - Security News - Trend Micro IN", 2018). The following steps are recommended. Maintain incident response and business continuity strategies, verified and measured against ransomware and other attacks, and updated to the current cyber threat environment (Digital Extortion: An Empirical Investigation on Ransomware Infection and Countermeasures, 2018). Organizations should conduct an awareness training program; it should include proactive testing and screenshots of what to look out for. They should provide clear guidance on incident response, which should be communicated to users and to third parties who connect to the organization's network. Organizations must regularly verify that backups are in place to mitigate the effects of infection and to support the recovery process in lieu of succumbing to ransom payment demands. During the use of third-party applications there is a strong need to protect the systems; this is carried out by increasing the monitoring of systems. The security operations crew monitor the vulnerable activities arising in the environment. The information and critical systems are identified, and whether their connection to the internet is necessary is assessed. The security program is tested with frequent penetration tests across the estate. The EY managed SOC provides a service for faster identification of and response to incidents ("Comodo can help Protect you from Increasing Ransomware Attacks", 2018) ("Securing VMware Infrastructure", 2018) ("VMware Knowledge Base", 2018) (Garber, 2012).
21. Forward look against Wannacry
This comprises the following activities of the organization. It can help to provide services like quick response, harm containment and communication to end users. The infected machine is disconnected from the network; all backups are taken offline and then lifted to the connected network. EY member firms' FIDS forensic technology and discovery service team can be used to analyse a network to detect early indications of penetration by ransomware on host systems, allowing fast response and remediation.
Forensically detect, identify and contain the ransomware, based on past experience with checking ransomware negotiations and ransomware eradication; ransomware does not have to destroy the data. Forensic imaging of the heavily impacted machines supports the systems: it collects IT and business evidence in a sound manner, then supports stakeholder investigations, disputes with service providers and customers, and the need for regulatory reporting. Activate the incident response plan to protect the systems, with cross-functional representation in the investigation team, such as business, HR, PR, legal compliance and information security. Address vulnerabilities and harden the systems, complicating the attacker's efforts to get back in, and build the ability to detect and respond to future attacks and prepare for eradication events. The business continuity plan is activated. The data is prepared based on varying requirements for civil suits and regulatory inquiries.
22. Suggestion and Solutions
Cyber Mapper is an advanced technology to prevent malware in the operating system. It enables the switches to deliver packet filtering, threat mitigation and load balancing (The WannaCry ransomware attack, 2017).
SERVICES PROVIDED IN CYBERMAPPER
It provides high-performance security mitigation and high-performance security redirection.
FEATURES OF CYBERMAPPER
It can manage multiple NoviSwitches. It is a bi-directional balancing technique.
Three techniques are used to avoid the cyber attack:
Packet filtering
Threat mitigation
Load balancing
Packet filtering:
It is the process of passing or blocking packets at a network interface based on source and destination addresses, ports or protocols (Zheng, 2017). Packets are transmitted between two devices by receiving acknowledgements. Congested or duplicate data or packets are filtered.
Threat mitigation:
(Figure caption as extracted: digital software that collects and analyses data from wind turbines can increase the energy production of the wind turbine by about 10%.)
Load balancing:
Distributes client requests. Ensures high availability and reliability by sending requests only to servers that are online, which provides flexibility in adding or subtracting servers as demand requires.
Few steps to avoid ransomware:
Perform regular backup
Keep up with software updates
Make file extensions visible
Be careful with email attachments
Use new security features in business applications
Disable remote desktop connection
Infected systems must be isolated
Educate your employees
Block ransomware communication
Sandbox web and email traffic
Analyze and understand the attack and determine an appropriate response
Further analyses of ransomware:
Many sources have reported on the ransomware attack and its behaviour.
The malware does not spread only to other machines in the same network.
The notable property of the malware is that once a machine with an open NetBIOS port is found (JIANG and XIAO, 2018),
the malware sends three NetBIOS session packets to the system.
One has the proper IP of the machine being exploited.
The malware generates a list of internal IPs.
It also generates random IP addresses, not limited to the local network.
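As an added example, not code from the cited analysis, the following Python flags the spreading behaviour just described from a connection log: a host contacting many distinct machines on the NetBIOS session port within a short window, including addresses outside the local network. The log lines, the LAN range 10.0.0.0/24, the thresholds and the choice of ports 139 and 445 are constructed or assumed for the example.

```python
"""Added example (not from the cited analysis): flag a host that probes many
machines on the NetBIOS/SMB ports inside a short window, including random
addresses outside the LAN, which is the spreading behaviour described above.
The connection log, the LAN range 10.0.0.0/24 and the thresholds are all
constructed or assumed for this example."""
import ipaddress
from collections import defaultdict, deque

NETBIOS_PORTS = {139, 445}                          # assumed: NetBIOS session service and SMB
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")     # constructed example LAN

# Constructed log, one connection attempt per line: "<epoch s> <src> <dst> <dst port>".
# 10.0.0.5 walks the internal range and then tries addresses outside the LAN;
# 10.0.0.9 is an ordinary workstation opening one file share.
SAMPLE_LOG = "\n".join(
    [f"{100 + i} 10.0.0.5 10.0.0.{10 + i} 139" for i in range(12)]
    + [f"{112 + i} 10.0.0.5 {ip} 445"
       for i, ip in enumerate(["203.0.113.7", "198.51.100.23", "192.0.2.88"])]
    + ["100 10.0.0.9 10.0.0.2 445", "130 10.0.0.9 10.0.0.2 445", "140 10.0.0.9 10.0.0.3 80"]
)


def parse_log(text):
    """Parse the constructed log into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def detect_netbios_scan(flows, window=60, min_targets=10):
    """Return {src: summary} for every source that contacted at least
    min_targets distinct hosts on NetBIOS/SMB ports within `window` seconds.
    The summary keeps the largest window seen for that source."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if port in NETBIOS_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        recent = deque()                    # events inside the sliding window
        for ts, dst in events:
            recent.append((ts, dst))
            while recent[0][0] < ts - window:
                recent.popleft()
            targets = {d for _, d in recent}
            if len(targets) < min_targets:
                continue
            external = sorted(d for d in targets
                              if ipaddress.ip_address(d) not in LOCAL_NET)
            best = alerts.get(src)
            if best is None or len(targets) > best["distinct_targets"]:
                alerts[src] = {"distinct_targets": len(targets),
                               "external_targets": external,
                               "window_end": ts}
    return alerts


if __name__ == "__main__":
    for src, info in detect_netbios_scan(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_targets']} hosts on NetBIOS/SMB ports "
              f"by t={info['window_end']}, external: {info['external_targets'] or 'none'}")
```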
23. Conclusion
Ransomware is a type of malware that precludes the organization from accessing data in part of the system. If the entity or user is locked out of the critical system, the user must pay a certain amount of money to get relief from the attack. This problem mainly arises in hospital data security: the ransomware blocks access to the data or encrypts it. Crypto ransomware encrypts the data, while locker ransomware prevents the user from accessing the data or information. Understanding ransomware is termed a "Dip Deeper"; Dip Deeper is nothing but an understanding of ransomware and health data security. It is mainly used in hospitals to secure the data. The ransomware attack mainly targets the information records of the hospital. While hospital ransomware attacks are not a new issue, healthcare is becoming a more prominent target because of the information the organizations hold. The new policy for cyber-attacks is from the College of Healthcare Information Management Executives: a strong hospital ransomware policy is necessary to ensure that healthcare organizations can protect against the evolving cyber security threat.
IDA Pro is mainly used to convert machine executable code into assembly language source code for debugging, and it follows this methodology. Basically it is a disassembler that acts primarily as a multi-platform and multi-processor tool used on various platforms, but it is also treated as a remote debugger or a local debugger. Different executable formats are handled and developed through plug-ins. IDA Pro is mainly used for reverse engineering binary components to analyse malicious software like rootkits, worms, viruses and Trojans. It is mainly used for source code regeneration and for security purposes. At first it analyses the quality disassembly of the binary component; it is used to overcome the reverse engineering problems and to perform a detailed analysis of code. It can recognize function boundaries, library calls and data types for known library calls. It builds a database to characterize each byte of the binary data. IDA Pro has a flowchart display of function flow and a graph-based display of program flow, automatic recognition of string constants, and it can view code cross references and display data: for a particular function it lists all the locations that refer to it or to a particular piece of data.
Nowadays this malware also occurs on mobiles, and in its advanced version it locks the PIN number of your phone to make a demand; but with normal malware it is easy to recover by online synchronization. Using this, the invader can hack the whole database of any company, industry, government agency or academic institution through an individual person. For an effective malware, top encryption is required; nowadays the technology should be protected with the help of encryption. The upsetting ransomware attack activated with the help of WannaCry plagued one hundred and fifty countries across all the continents. The main objective of this malware is illegal online transactions, and its encrypting of files is known as hacking. The first version of the malware was identified in Russia as a pornographic image on the target apparatus. The evolution of ransomware started in the year nineteen eighty-nine; it was carried out by Joseph Popp and was named the AIDS Trojan. But it was not too effective: it simply hid the data on the computer hard disk and encrypted the file names alone. Then it showed the user a message that the licence for accessing the data on the computer had finished, and it asked for some money to repair the tool. The money asked by Popp was probably one hundred and eighty-nine US dollars. After completion of the payment, the decryption code was created by the Trojan, the "PC Cyborg". He was declared a mentally abnormal person due to the activities done by himself.
These types of healthcare cyber security issues, including ransomware attacks, continue to arise along with new technologies, so organizations must regularly train employees and update their systems. Employee training, strong technology and disaster recovery planning are critical tools in preparing for a ransomware attack. Ransomware was the major problem in 2017. The number of reported healthcare hacking incidents rose by up to 89% from 2016 to 2017. It is the easiest method to gain money. Internet of Things devices are increasingly used by cyber-attackers or hackers to access hospital information (Acharya, 2017). Ransomware can be avoided by virus scanning, fingerprinting and detection of cyber-attacks (Brewer, 2016). Nowadays technology has improved to avoid such crimes or attacks with the help of other software. Petya, Skype, Fireball, Delta Charlie and WannaCry are among the biggest cyber-attacks.
The WannaCry ransomware attack was a worldwide cyber-attack carried out by the WannaCry ransomware crypto worm. It mainly targeted computers running the Microsoft Windows operating system. It encrypts the data or files on your computer and demands ransom payments in the Bitcoin cryptocurrency. Microsoft had already released patches for closing the exploit, and the attack was stopped within a few days because Microsoft released emergency patches.
In malware analysis, live malware is identified under the conditions of the different malware detection locales. In this way, the sandbox largely helps to contain malware detections and attacks. When examining malware associated with the web, the analysis will suffer from the ill effects of the web, because the web enables attacks. Therefore, environments for analysing live malware code must be isolated from the web in order to avoid effects to and from the web. Investigating malware detection without such isolation will result in harm from the malware attacks. Along these lines, the analysis environment must be difficult for the attacking malware to modify.
24. References
An Analysis and Aversion of Highly Survivable Ransomware. (2017). International Journal of Recent Trends in Engineering and Research, 3(2), pp.201-205.
Android Malware Detection and Prevention. (2017). International Journal of Recent Trends in Engineering and Research, 3(2), pp.213-217.
Application Security through Sandbox Virtualization. (2014). Acta Polytechnica Hungarica, 12(1).
Chong, H. (2017). SeCBD: The Application Idea from Study Evaluation of Ransomware Attack Method in Big Data Architecture. Procedia Computer Science, 116, pp.358-364.
Collier, R. (2017). NHS ransomware attack spreads worldwide. Canadian Medical Association Journal, 189(22), pp.E786-E787.
Digital Extortion: An Empirical Investigation on Ransomware Infection and Countermeasures. (2018). International Journal of Recent Trends in Engineering and Research, 4(4), pp.293-297.
Dogramaci, S. (2012). Reverse Engineering Epistemic Evaluations. Philosophy and Phenomenological Research, 84(3), pp.513-530.
Energetic Data Security Scheme via Image as Crypto Key Nature. (2017). International Journal of Recent Trends in Engineering and Research, 3(10), pp.1-8.
Mansfield-Devine, S. (2017). Ransomware: the most popular form of attack. Computer Fraud & Security, 2017(10), pp.15-20.
Orman, H. (2016). Evil Offspring - Ransomware and Crypto Technology. IEEE Internet Computing, 20(5), pp.89-94.
Owens, B. (2016). 'Ransomware' cyberattack highlights vulnerability of universities. Nature.
Comparative Study of RSA and Probabilistic Encryption/Decryption Algorithms. International Journal of Engineering and Computer Science.
Ransomware and Its Impact in India: A Literature Study. (2018). International Journal of Recent Trends in Engineering and Research, pp.273-276.
Zheng, K. (2017). Enabling "Protocol Routing": Revisiting Transport Layer Protocol Design in Internet Communications. IEEE Internet Computing, 21(6), pp.52-57.
Acharya, A. (2017). Internet of Things, Ransomware and Terrorism. Journal of Defense Management, 07(01).
Ali, A. (2017). Ransomware: A Research and a Personal Case Study of Dealing with this Nasty Malware. Issues in Informing Science and Information Technology, 14, pp.087-099.
Kaur, G., Singh, M. and Dhir, R. (2017). Anatomy of ransomware malware: detection, analysis and reporting. International Journal of Security and Networks, 12(3), p.188.
Mansfield-Devine, S. (2016). Ransomware: taking businesses hostage. Network Security, 2016(10), pp.8-17.
Ransomware and IoT among leading threats. (2017). Network Security, 2017(9), p.2.
Ransomware becomes the most prevalent form of malware and hits an ever-wider range of victims. (2017). Network Security, 2017(2), pp.1-2.
Ransomware claims more victims. (2016). Network Security, 2016(12), p.2.
Ransomware defeated but new forms emerge. (2015). Network Security, 2015(11), p.2.
Ransomware hiding in the dark. (2015). Computer Fraud & Security, 2015(9), pp.3-20.
Ransomware menace will grow says Google. (2017). Computer Fraud & Security, 2017(8), p.3.
Ransomware: threat and response. (2016). Network Security, 2016(10), pp.17-19.
The WannaCry ransomware attack. (2017). Strategic Comments, 23(4), pp.vii-ix.
UK major target for ransomware. (2016). Computer Fraud & Security, 2016(1), p.3.
Cabaj, K. and Mazurczyk, W. (2016). Using Software-Defined Networking for Ransomware Mitigation: The Case of CryptoWall. IEEE Network, 30(6), pp.14-20.
Choudhary, M. (2018). Ransomware on Android devices. Forensic Science & Addiction Research, 2(2).
Cohen, A. and Nissim, N. (2018). Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. Expert Systems with Applications, 102, pp.158-178.
Lee, K., Yim, K. and Seo, J. (2017). Ransomware prevention technique using key backup. Concurrency and Computation: Practice and Experience, 30(3), p.e4337.
Parkinson, S. (2017). Use of access control to minimise ransomware impact. Network Security, 2017(7), pp.5-8.
Thomas, J. and Galligher, G. (2018). Improving Backup System Evaluations in Information Security Risk Assessments to Combat Ransomware. Computer and Information Science, 11(1), p.14.
Yun, J., Hur, J., Shin, Y. and Koo, D. (2017). CLDSafe: An Efficient File Backup System in Cloud Storage against Ransomware. IEICE Transactions on Information and Systems, E100.D(9), pp.2228-2231.
Guo, F., Kim, S., Baskakov, Y. and Banerjee, I. (2015). Proactively Breaking Large Pages to Improve Memory Overcommitment Performance in VMware ESXi. ACM SIGPLAN Notices, 50(7), pp.39-51.
Westin, S. (2012). A Sandbox Approach to Online Exam Administration. International Journal of Online Pedagogy and Course Design, 2(4), pp.49-62.
Nomnga, N., P., P., Scott, S., S., M., Nyambi, N. and P, B. (2014). A Technical Cost Effective Network-Domain Hosting through Virtualization: a VMware ESXi and vSphere Client Approach. International Journal of Computer Applications, 91(10), pp.39-47.
Zuo, H. and Chen, X. (2014). The Analysis of Storage Efficiency in VMware Virtualization Environment. Applied Mechanics and Materials, 697, pp.438-441.
Ijari, P. (2017). Comparison between Cisco ACI and VMWARE NSX. IOSR Journal of Computer Engineering, 19(01), pp.70-72.
Jiang, L. and Xiao, D. (2018). Comparing Function of OpenStack and VMware. DEStech Transactions on Computer Science and Engineering, (wcne).
Brewer, R. (2016). Ransomware attacks: detection, prevention and cure. Network Security, 2016(9), pp.5-9.
Garber, L. (2012). The Challenges of Securing the Virtualized Environment. Computer, 45(1), pp.17-20.
Hernandez-Castro, J., Cartwright, E. and Stepanova, A. (2017). Economic Analysis of Ransomware. SSRN Electronic Journal.
Kapil, G. (2016). Native Client: A Sandbox Technology. International Journal of Emerging Trends in Science and Technology.
Kenyon, B. and McCafferty, J. (2016). Ransomware Recovery. ITNOW, 58(4), pp.32-33.
Luo, W. (2013). Research on Reverse Analysis Method of Malwares. Applied Mechanics and Materials, 278-280, pp.2025-2028.
Sato, R., Chiba, D. and Goto, S. (2013). Detecting Android Malware by Analyzing Manifest Files. Proceedings of the Asia-Pacific Advanced Network, 36(0), p.23.
Tennenhouse, D. (2017). Research at VMware. ACM SIGOPS Operating Systems Review, 51(1), pp.1-4.
Comparison between Virtualization and Cloud Computing. (2016). International Journal of Science and Research (IJSR), 5(6), pp.195-199.
Kalil, M., Youssef, M., Shami, A., Al-Dweik, A. and Ali, S. (2016). Wireless resource virtualization: opportunities, challenges, and solutions. Wireless Communications and Mobile Computing, 16(16), pp.2690-2699.
Kim, J. (2014). Bio-mimetic Recognition of Action Sequence using Unsupervised Learning. Journal of Internet Computing and Services, 15(4), pp.9-20.
Azmoodeh, A., Dehghantanha, A., Conti, M. and Choo, K. (2017). Detecting crypto-ransomware in IoT networks based on energy consumption footprint. Journal of Ambient Intelligence and Humanized Computing.
Cabaj, K., Gregorczyk, M. and Mazurczyk, W. (2018). Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics. Computers & Electrical Engineering, 66, pp.353-368.
Lee, J. and Jeong, J. (2017). Increase of Awareness of the Importance of Information Security Using Simulation Experiment Technique Model as Ransomware. Advanced Science Letters, 23(10), pp.10246-10249.
Liu, S. and Jia, W. (2015). A Survey: Main Virtualization Methods and Key Virtualization Technologies of CPU and Memory. The Open Cybernetics & Systemics Journal, 9(1), pp.350-358.
Luo, W., Li, N. and Tang, Y. (2012). Reverse Analysis of Malwares: A Case Study on QQ Passwords Collection. Journal of Software, 7(8).
Malware Detection in Cloud Computing Infrastructures. (2018). International Journal of Recent Trends in Engineering and Research, pp.223-227.
Obasuyi, G. and Sari, A. (2015). Security Challenges of Virtualization Hypervisors in Virtualized Hardware Environment. International Journal of Communications, Network and System Sciences, 08(07), pp.260-273.
Pope, M., Warkentin, M. and Luo, X. (2012). Evolutionary Malware. International Journal of Wireless Networks and Broadband Technologies, 2(3), pp.52-60.
Popli, N. and Girdhar, A. (2017). WannaCry Malware Analysis. MERI-Journal of Management & IT, 10(2).
Song, S., Kim, B. and Lee, S. (2016). The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform. Mobile Information Systems, 2016, pp.1-9.
Srinivasan, C. (2017). Hobby hackers to billion-dollar industry: the evolution of ransomware. Computer Fraud & Security, 2017(11), pp.7-9.
Tahir, R. (2018). A Study on Malware and Malware Detection Techniques. International Journal of Education and Management Engineering, 8(2), pp.20-30.
Zimba, A., Wang, Z. and Simukonda, L. (2018). Towards Data Resilience: The Analytical Case of Crypto Ransomware Data Recovery Techniques. International Journal of Information Technology and Computer Science, 10(1), pp.40-51.
Raffetti, A., Marangon, F. and Zuccarelli, F. (2000). Integrated Navigation System Safety Assessment Methodology. Journal of Navigation, 53(3), pp.425-435.
Alhakimy, A. and Sultan, A. (2015). Hybrid Algorithm to Protect Java's Code from Reverse Engineering. Lecture Notes on Software Engineering, 3(1), pp.11-16.
Byun, J. (2015). Privacy preserving smartcard-based authentication system with provable security. Security and Communication Networks, 8(17), pp.3028-3044.
Macrae, A. (2013). Identifying threats in real time. Network Security, 2013(11), pp.5-8.
Best Practices: Ransomware - Security News - Trend Micro IN. (2018). Retrieved from https://www.trendmicro.com/vinfo/in/security/news/cybercrime-and-digital-threats/best-practices-ransomware
Comodo can help Protect you from Increasing Ransomware Attacks. (2018). Retrieved from https://blog.comodo.com/it-security/ransomware-attacks-are-on-the-rise-comodo-can-help-protect-you-from-them
cybercrime, H. (2018). How sandboxing can help in the fight against cybercrime. Retrieved from https://www.cso.com.au/article/597037/how-sandboxing-can-help-fight-against-cybercrime/
Enhanced Security Solutions for VMware - EMC. (2018). Retrieved from https://www.emc.com/platform/vmware/enhanced-security-for-vmware.htm
How can Advanced Sandboxing Techniques Thwart Elusive Malware? - Security News - Trend Micro USA. (2018). Retrieved from https://www.trendmicro.com/vinfo/us/security/news/security-technology/how-can-advanced-sandboxing-techniques-thwart-elusive-malware
How secure is VMware and Virtual Machines? (2018). Retrieved from http://www.mosaictec.com/tessera/how-secure-is-vmware-and-virtual-machines.htm
How secure is VMware NSX? (2018). Retrieved from https://searchvmware.techtarget.com/answer/How-secure-is-VMware-NSX
How to prevent & mitigate against Ransomware using VMware security solutions | Insight UK. (2018). Retrieved from https://www.uk.insight.com/learn/articles/2017-05-15-how-to-prevent-and-mitigate-against-ransomware-using-vmware-security-solutions
Malenfant, J. (2018). Detecting Ransomware From The Outside Looking In. Retrieved from https://blogs.cisco.com/security/detecting-ransomware-from-the-outside-looking-in
Roccia, T. (2018). Stopping Malware With a Fake Virtual Machine | McAfee Blogs. Retrieved from https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/
Sandboxing: In the Ring with Ransomware - CyberSheath. (2018). Retrieved from https://www.cybersheath.com/sandboxing-in-the-ring-with-ransomware/
Securing VMware Infrastructure. (2018). Retrieved from https://www.computerweekly.com/tip/Securing-VMware-Infrastructure
VMware Knowledge Base. (2018). Retrieved from https://kb.vmware.com/s/article/2150740
VMware Security Recommendations and Best Practices - IS&T Contributions - Hermes. (2018). Retrieved from http://kb.mit.edu/confluence/display/istcontrib/VMware+Security+Recommendations+and+Best+Practices