| Presentation | 2019-11-13 The way of analyzing the time series data of system calls and recovering the files infected with ransomeware Hirotaka Hiraki, Hideya Ochiai, Hiroshi Esaki, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | Today, keeping the computer environment safe is a very important issue. Among the malware, it is often difficult in practice to restore a file infected with ransomware that locks and encrypts the target file and requires a ransom instead of decrypting it. In addition, the spread of virtual currency has reduced the risk of attackers being supplemented, and malicious services that sell ransomware software are also available. Therefore, in this paper, we study a method for restoring files infected with ransomware. In the survey, we analyzed the system calls executed by ransomware and found that malicious behaviors tend to be executed periodically or continuously. Based on the investigation, we rewrite the Windows API processing executed by the ransomware to duplicate the file, and then aim to restore it by analyzing the time series data of system calls and identifying normal processing. Furthermore, malware functions have improved in recent years, and some have anti-debug functions that detect that they are subject to analysis, so analysis must be performed without being detected by ransomware. In this study, we propose a method using BitVisor, a hypervisor with low overhead. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | Ransomware / BitVisor / Anti-Debug / System call / Malware |
| Paper # | ICSS2019-60 |
| Date of Issue | 2019-11-06 (ICSS) |
| Conference Information | |
| Committee | ICSS |
|---|---|
| Conference Date | 2019/11/13(1days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | MRT Terrace(Miyazaki) |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | Information Communication System Security, etc. |
| Chair | Hiroki Takakura(NII) |
| Vice Chair | Katsunari Yoshioka(Yokohama National Univ.) / Kazunori Kamiya(NTT) |
| Secretary | Katsunari Yoshioka(NICT) / Kazunori Kamiya(KDDI labs.) |
| Assistant | Keisuke Kito(Mitsubishi Electric) / Toshihiro Yamauchi(Okayama Univ.) |
| Paper Information | |
| Registration To | Technical Committee on Information and Communication System Security |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | The way of analyzing the time series data of system calls and recovering the files infected with ransomeware |
| Sub Title (in English) | |
| Keyword(1) | Ransomware |
| Keyword(2) | BitVisor |
| Keyword(3) | Anti-Debug |
| Keyword(4) | System call |
| Keyword(5) | Malware |
| 1st Author's Name | Hirotaka Hiraki |
| 1st Author's Affiliation | The University of Tokyo(Tokyo Univ.) |
| 2nd Author's Name | Hideya Ochiai |
| 2nd Author's Affiliation | The University of Tokyo(Tokyo Univ.) |
| 3rd Author's Name | Hiroshi Esaki |
| 3rd Author's Affiliation | The University of Tokyo(Tokyo Univ.) |
| Date | 2019-11-13 |
| Paper # | ICSS2019-60 |
| Volume (vol) | vol.119 |
| Number (no) | ICSS-288 |
| Page | pp.pp.1-5(ICSS), |
| #Pages | 5 |
| Date of Issue | 2019-11-06 (ICSS) |