A Study on Behavioural Analysis of Specific Ransomware and its Comparison with DBSCAN-MP

Authors

  • Dr. V. Vinodhini  Professor, Department of Information Technology, Dr. N.G.P. Arts and Science College, Dr. N.G.P. Nagar, Kalapatti Road, Coimbatore, Tamil Nadu, India
  • Dr. C. Kumuthini  Associate Professor, Department of Information Technology, Dr. N.G.P. Arts and Science College, Dr. N.G.P. Nagar, Kalapatti Road, Coimbatore, Tamil Nadu, India
  • Dr. K. Santhi  Associate Professor, Department of Information Technology, Dr. N.G.P. Arts and Science College, Dr. N.G.P. Nagar, Kalapatti Road, Coimbatore, Tamil Nadu, India

DOI:

https://doi.org/10.32628/CSEIT206670

Keywords:

WannaCry, WCRY, Eternalblue, GPO, Bitcoin

Abstract

This ransomware attack is known as WCRY or WannaCry. It takes advantage of a then recently disclosed Microsoft vulnerability (MS17-010, "Eternalblue") coupled with the Shadow Brokers tool release. After a computer is infected, WannaCry targets and encrypts 176 file types, including database files, multimedia and archive files, and Microsoft Office documents. Its ransom note, which supports 27 languages, initially demands US$300 worth of Bitcoin from victims, an amount that increases incrementally after a set time limit. The victim is also given seven days before the affected files are deleted.

The WannaCry ransomware consists of multiple components. It arrives on the infected computer as a dropper, a self-contained program that extracts the other application components embedded within it. Those components include:

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor 

The program code is not obfuscated and was relatively easy for security researchers to analyze. Once launched, WannaCry tries to reach a hard-coded URL (the so-called kill switch); if the request succeeds it exits, and if it cannot reach the URL it proceeds to search for and encrypt files in a slew of important formats, ranging from Microsoft Office files to MP3s and MKVs, leaving them inaccessible to the user. It then displays a ransom notice demanding payment in Bitcoin to decrypt the files.
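The behaviour described above, a single process rewriting user files across many file families in a short burst, is what a behavioural detector keys on. The following is an added example, not code from the paper or its authors: it scans file-system event logs and flags any process that writes or renames many target files spanning several extension families within a sliding time window. The log line format, the thresholds, the extension subset and the sample log are all assumptions constructed for this illustration.

```python
"""Behavioural indicator for file-encrypting ransomware.

Added example (not from the paper): scans file-system event logs and flags
any process that rewrites many user files spanning several of the file
families named in the abstract (Office documents, multimedia, archives,
databases) within a short window. The log format, thresholds and extension
list below are assumptions for this illustration, not the paper's data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed illustrative subset of the 176 targeted types; the real list is
# much longer.
TARGET_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx",   # Office documents
    "mp3", "mkv", "mp4", "jpg",                    # multimedia
    "zip", "rar", "7z",                            # archives
    "sql", "mdb", "accdb", "sqlite",               # database files
}


def parse_event(line):
    """Parse an assumed '<ISO timestamp> <pid> <op> <path>' log line."""
    ts, pid, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), int(pid), op, path


def extension(path):
    """Lower-cased final extension of a path, '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_suspects(lines, window=timedelta(seconds=10),
                  min_files=6, min_families=3):
    """Return {pid: (files, distinct_extensions)} for each process that
    writes or renames at least `min_files` distinct target files covering
    at least `min_families` extensions inside some `window`-long interval.
    The counts reported are for the busiest such interval."""
    per_pid = defaultdict(list)
    for line in lines:
        ts, pid, op, path = parse_event(line)
        if op in ("WRITE", "RENAME") and extension(path) in TARGET_EXTENSIONS:
            per_pid[pid].append((ts, path))

    suspects = {}
    for pid, events in per_pid.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            paths = {p for _, p in events[start:end + 1]}
            exts = {extension(p) for p in paths}
            if len(paths) >= min_files and len(exts) >= min_families:
                if best is None or len(paths) > best[0]:
                    best = (len(paths), len(exts))
        if best is not None:
            suspects[pid] = best
    return suspects


# Constructed sample log: pid 4242 is an editor saving one document, pid 6666
# behaves like the encryptor, pid 7777 is a backup job that touches many
# files but slowly (one every ten minutes), so it stays under the threshold.
SAMPLE_LOG = [
    "2017-05-12T10:00:00 4242 WRITE /home/alice/report.docx",
    "2017-05-12T10:00:05 4242 WRITE /home/alice/report.docx",
    "2017-05-12T10:00:01 6666 WRITE /home/alice/report.docx",
    "2017-05-12T10:00:01 6666 WRITE /home/alice/budget.xlsx",
    "2017-05-12T10:00:02 6666 WRITE /home/alice/slides.pptx",
    "2017-05-12T10:00:02 6666 WRITE /home/alice/music/track01.mp3",
    "2017-05-12T10:00:03 6666 WRITE /home/alice/video/movie.mkv",
    "2017-05-12T10:00:03 6666 WRITE /home/alice/photos/holiday.jpg",
    "2017-05-12T10:00:04 6666 WRITE /home/alice/archive/old.zip",
    "2017-05-12T10:00:04 6666 WRITE /home/alice/db/customers.sqlite",
    "2017-05-12T10:00:05 6666 WRITE /home/alice/notes.txt",
    "2017-05-12T11:00:00 7777 WRITE /mnt/backup/a.docx",
    "2017-05-12T11:10:00 7777 WRITE /mnt/backup/b.xlsx",
    "2017-05-12T11:20:00 7777 WRITE /mnt/backup/c.mp3",
    "2017-05-12T11:30:00 7777 WRITE /mnt/backup/d.zip",
    "2017-05-12T11:40:00 7777 WRITE /mnt/backup/e.sqlite",
    "2017-05-12T11:50:00 7777 WRITE /mnt/backup/f.jpg",
]

if __name__ == "__main__":
    for pid, (files, exts) in find_suspects(SAMPLE_LOG).items():
        print(f"pid {pid}: rewrote {files} target files across {exts} extensions")
```

The window is what separates the encryptor from a backup agent or indexer: both touch many files of many kinds, but only the ransomware does so in seconds. In practice the thresholds would be tuned per host role, and the rule would be paired with the other behaviours the abstract lists, such as the kill-switch DNS lookup and the ransom-note drop, rather than used alone.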

Published

2021-01-30

Section

Research Articles

How to Cite

Dr. V. Vinodhini, Dr. C. Kumuthini, Dr. K. Santhi, "A Study on Behavioural Analysis of Specific Ransomware and its Comparison with DBSCAN-MP", International Journal of Scientific Research in Computer Science, Engineering and Information Technology (IJSRCSEIT), ISSN: 2456-3307, Volume 7, Issue 1, pp. 01-06, January-February 2021. Available at doi: https://doi.org/10.32628/CSEIT206670