Abstract
Recently, the widespread outbreak of the ransomware WannaCry caused great harm to network users. How to prevent WannaCry and decrypt the data it damages is a major challenge for security practitioners and researchers. In this paper, we first study the detailed encryption and decryption process of the ransomware WannaCry, and then propose a novel method called dptCry to decrypt and recover the damaged data. dptCry monitors and tracks all the running processes of an operating system, performs API hooking on key operations, and records key information with customized hook functions. When a system has been infected by WannaCry, dptCry can use the recorded key information to decrypt the damaged files. Our experimental results show that dptCry can effectively be used to protect users from the damage caused by WannaCry. dptCry can also be applied to other ransomware that uses similar mechanisms.
Funding
This research was supported by National Key R&D Plan Program of China (Grant 2018YFB1800602, 2017YFB0801703), Ministry of Education-China Mobile Research Fund Project (Grant MCM20180506), the National Natural Science Foundation of China (Grant 61602114), the CERNET Innovation Project (Grant NGIICS20190101, NGII20170406).
Cite this article
Cheng, G., Guo, C. & Tang, Y. dptCry: an approach to decrypting ransomware WannaCry based on API hooking. CCF Trans. Netw. 2, 207–216 (2019). https://doi.org/10.1007/s42045-019-00024-8