With the large-scale spread of the Internet, people's lifestyles have changed dramatically. More and more individuals, governments and enterprises have exposed important asset data to the Internet, and that data faces more and more threats. Among these threats, ransomware is one of the most serious to user data security, causing heavy losses to both individual and business users, and with the emergence of the ransomware-as-a-service industry, more threatening ransomware will continue to appear. The detection and decryption of ransomware has therefore become a hot topic in current research and is critical to improving the security of cyberspace and protecting users' data.

This thesis analyzes the behavior of real ransomware samples, cross-checks the findings against various ransomware analysis reports for supplementary verification, and dynamically traces the behavior of the ransomware together with its encryption and decryption process. Based on the behaviors observed, an overall framework for a ransomware detection system is proposed, and both the detection and the decryption of ransomware are implemented. The thesis makes the following three contributions:

(1) Overall framework design of the ransomware detection system. Through dynamic analysis of the behavioral characteristics of ransomware, combined with various ransomware analysis reports for supplementary verification, the entire ransomware detection system is designed from the top down. By dynamically linking to the API functions used by the ransomware, information such as its execution trace and the encryption algorithm it uses is obtained. From this data source, a behavior fingerprint can be extracted to detect the ransomware, and the corresponding decryption algorithm can be designed to complete data recovery, so that the system both detects ransomware and decrypts its output to protect user data in real time.

(2) Research and implementation of a ransomware detection method based on sequence alignment. Analysis of the life-cycle behaviors of ransomware shows that ransomware of the same family has similar behavioral characteristics, so the API call sequence of the ransomware is taken as the data source. A local sequence alignment algorithm is used to perform pairwise alignment and extract similar local subsequences; a global sequence alignment algorithm is then applied to those local subsequences to obtain a fingerprint sequence for each ransomware. A fingerprint database is constructed from these sequences, and the similarity between sequences is calculated to detect ransomware. The effectiveness of the method is verified by experiment: the accuracy rate reaches 98.17%, and the family of the ransomware is predicted accurately.

(3) Research and implementation of a ransomware decryption method based on API hooking. The encryption process of each ransomware family and the format of the files it encrypts are analyzed. The ransomware's encryption and decryption API functions and its file-operation API functions are tracked in real time to obtain the encryption algorithm used, the key information used for encryption, and the format of the encrypted files. A corresponding decryption algorithm is then designed that uses the obtained key information to decrypt the files. Experiments verify the effectiveness of the method, which can decrypt files encrypted by the Spora and WannaCry ransomware families.
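As an added illustration of the sequence-alignment detection step in contribution (2), not code from the thesis, the following block extracts the shared local subsequence of two API-call traces with Smith-Waterman local alignment, stores it as a family fingerprint, and scores new traces against the fingerprint database. The scoring constants, the 0.6 threshold and all traces are constructed assumptions; the thesis's global-alignment merging step and its real dataset are not reproduced here.

```python
# Added example (not from the thesis): fingerprinting API-call traces with
# local sequence alignment and scoring new traces against the fingerprint database.
MATCH, MISMATCH, GAP = 2, -1, -1   # alignment scoring (assumed values)

def local_align(a, b):
    """Smith-Waterman over two API-call lists; returns (score, shared subsequence)."""
    n, m = len(a), len(b)
    H = [[0] * (m + 1) for _ in range(n + 1)]
    best, pos = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = H[i-1][j-1] + (MATCH if a[i-1] == b[j-1] else MISMATCH)
            H[i][j] = max(0, diag, H[i-1][j] + GAP, H[i][j-1] + GAP)
            if H[i][j] > best:
                best, pos = H[i][j], (i, j)
    shared, (i, j) = [], pos
    while i > 0 and j > 0 and H[i][j] > 0:   # trace back the best local alignment
        diag = H[i-1][j-1] + (MATCH if a[i-1] == b[j-1] else MISMATCH)
        if H[i][j] == diag:
            if a[i-1] == b[j-1]:
                shared.append(a[i-1])        # keep only the calls both traces share
            i, j = i - 1, j - 1
        elif H[i][j] == H[i-1][j] + GAP:
            i -= 1
        else:
            j -= 1
    return best, shared[::-1]

def similarity(trace, fingerprint):
    """1.0 when the whole fingerprint occurs in the trace; lower for gaps/mismatches."""
    score, _ = local_align(trace, fingerprint)
    return score / (MATCH * len(fingerprint))

def classify(trace, db, threshold=0.6):
    """Return (family, similarity) for the best-matching fingerprint, else 'unknown'."""
    family, best = "unknown", 0.0
    for name, fp in db.items():
        sim = similarity(trace, fp)
        if sim > best:
            family, best = name, sim
    return (family if best >= threshold else "unknown"), best

# Constructed traces: two samples of one family, plus an unrelated file-copy tool.
A1 = ["CreateFileW", "ReadFile", "CryptAcquireContextW", "CryptGenKey",
      "CryptEncrypt", "WriteFile", "DeleteFileW"]
A2 = ["GetTempPathW", "CreateFileW", "ReadFile", "CryptAcquireContextW",
      "CryptGenKey", "CryptEncrypt", "WriteFile", "MoveFileW"]
FINGERPRINTS = {"FamilyA": local_align(A1, A2)[1]}   # shared core = the fingerprint
NEW = ["CreateFileW", "ReadFile", "CryptAcquireContextW", "CryptGenKey",
       "CryptEncrypt", "CryptDestroyKey", "WriteFile", "DeleteFileW"]
OTHER = ["FindFirstFileW", "FindNextFileW", "CreateFileW", "ReadFile", "WriteFile", "CloseHandle"]
```

A trace with one extra call inserted into the family's encryption core still scores 11/12 against the fingerprint, while a benign file-copy trace that shares only CreateFileW/ReadFile scores 1/3 and is reported as unknown.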