Journal of information and communication convergence engineering 2022; 20(4): 280-287
Published online December 31, 2022
https://doi.org/10.56977/jicce.2022.20.4.280
© Korea Institute of Information and Communication Engineering
Correspondence to: Dohyun Kim (E-mail: dohyun@cup.ac.kr, Tel: +82-51-510-0654)
Department of Computer Engineering, Catholic University of Pusan, Busan 46252, Korea
This is an Open Access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (http://creativecommons.org/licenses/by-nc/3.0/) which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.
Recently, the number of mobile ransomware types has increased. Moreover, the number of cases of damage caused by mobile ransomware is increasing. Representative damage cases include encrypting files on the victim's smart device or making them unusable, causing financial losses to the victim. This study classifies ransomware apps by analyzing several representative ransomware apps to identify trends in the malicious behavior of ransomware. We present a technique for recovering from the damage, from a digital forensic perspective, by reverse engineering ransomware apps to analyze vulnerabilities in malicious functions that apply various cryptographic technologies. Our study found that ransomware applications are largely divided into three types: locker, crypto, and hybrid. In addition, we present a method for recovering from the damage caused by each type of ransomware app using an actual case. This study is expected to help minimize the damage caused by ransomware apps and respond to new ransomware apps.
Keywords: Mobile Ransomware, Incident Response, Ransomware Analysis, Digital Forensics
Ransomware, which causes many cyber-crimes in the PC environment around the world, has also been developed as malicious mobile apps, and more than 20,708 mobile ransomware samples are detected every year [1]. A growing variety of mobile ransomware is being discovered, ranging from simply locking the screen to encrypting files within the device or sending device information to attackers. In proportion to the increase in mobile ransomware, infringement incidents, such as financial damage to victims and the loss of important media and files, are also increasing. To minimize the damage due to such incidents, research on the analysis and decryption of the cryptographic technology applied in mobile ransomware is required. This study analyzes several previously distributed mobile ransomware and studies the types and characteristics of each ransomware, the results of analyzing their cryptographic technology, and how to cope with incidents caused by ransomware. We investigated mobile ransomware distributed to smartphones, since attackers adapt ransomware that targets existing PC operating systems (Mac, Windows, Linux, etc.) to mobile devices. The contributions of this study are as follows:
This study classifies the different types of ransomware found to date and analyzes the trends in malicious behavior.
This study presents an investigative method for responding to malicious behavior by analyzing three major ransomware types (Locker, Crypto, and Hybrid).
The remainder of this paper is organized as follows. In Section 2, related works are discussed. In Section 3, the types of mobile ransomware used are described. In Section 4, an analysis of the mobile ransomware is presented. In Section 5, the response to mobile ransomware incidents is presented. In Section 6, a discussion and conclusions are presented.
In this section, we briefly describe different ransomware and the related articles and research.
AIDS Trojan, the first known malware extortion attack, was developed by Joseph Popp in 1989. Its characteristic was that it hid files on the hard drive and encrypted only the names of the files. Victims were asked to pay US$189 to the PC Cyborg Corporation. However, its weakness was that the decryption keys could be extracted from the source code of the ransomware; therefore, the files could be easily decrypted without paying [2].
Between May 2005 and 2006, several ransomware appeared, including Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive. As the key size increased, they began to use more sophisticated RSA encryption schemes. Gpcode.AG, discovered in June 2006, encrypted files with a 660-bit RSA public key [3]. In 2008, Gpcode.AK, a variant of Gpcode, was discovered, and it used a 1024-bit RSA key [4].
Unlike Gpcode, the WinLock ransomware discovered in 2010 did not use encryption. Instead, WinLock displayed obscene images on the user's screen, limited access to the system and asked the user to pay a ransom to receive code that would unlock the system [5].
In 2011, ransomware appeared disguised as an activation notification for Microsoft Windows products. It offered an online activation option like the real Windows activation process, but that option was not actually available, so the victim had to call one of the listed international numbers to enter a six-digit code. The calls were routed through countries with high international phone charges, forcing victims to pay these charges [6].
Reveton ransomware displayed a message to the victim disguised as a warning from law enforcement agencies, claiming that illegal activities, such as unlicensed software use or child pornography downloads, had been detected. It also informed the victims that a fine had to be paid to unlock the system. Reveton ransomware spread to several European countries from early 2012, and several variants were discovered until 2014 [7].
In 2013, a ransomware was discovered using the Stamp EK exploit kit to attract users to fake nude photos of celebrities, such as athletes and movie stars, through Github or SourceForge. The infected PC had limited access and a message was sent to the user asking for a ransom to recover the system [8].
CryptoLocker ransomware attacks were cyber-attacks on PCs using Microsoft Windows from September 5, 2013, to the end of May 2014. CryptoLocker was spread via infected email attachments and the Gameover ZeuS botnet. When the malicious code was executed, RSA public-key encryption was used to encrypt files with specific extensions stored on local and network drives, and each encrypted file was recorded in a registry key. Subsequently, the victim was notified through the payload that the files had been encrypted and that a ransom was required for their recovery [9].
In 2014, Synology discovered SynoLocker, a ransomware that locked network-attached storage (NAS) devices built by Synology. The devices were targeted by hackers, and their owners received a ransom demand to decrypt and recover their files [10].
In the same year, CryptoWall, a ransomware for Windows, was discovered. CryptoWall was distributed in several variants, one of which was a malicious advertising campaign on the Zedo advertising network targeting major websites. CryptoWall encrypted files on the infected PCs and installed spyware that stole users' electronic money wallets. CryptoWall continued to be enhanced up to version 4.0 in 2015 and later evolved to encrypt file names as well as file data [11].
In 2015, Tox, a ransomware that encrypted files within a PC at the time of execution, by disguising malicious code executables as icons of word documents, was discovered [12]. CTB-Locker ransomware, which was distributed through spam advertising and mail and encrypted files on infected PCs, was also discovered [13].
The WannaCry ransomware attack was a worldwide cyberattack that occurred in May 2017. WannaCry targeted PCs running the Windows operating system and was propagated through EternalBlue, an exploit developed for older Windows systems. When executed, the WannaCry malware first checked the kill-switch domain name. If the kill switch was not found, it attempted to encrypt data on the PC and exploited SMB vulnerabilities to spread to any computer on the Internet or to computers on the same network. The payload then displayed a message informing the victim that the files had been encrypted [14].
Ryuk ransomware was first introduced in 2018 but became widely known after the November 2020 attack on the Baltimore County (Maryland) school system. Ryuk was distributed through malicious documents or hyperlinks. When the victim activated it, access to the network server was secured, and the installation proceeded on its own using the Trickbot PC malware. Once Ryuk controlled the system, it encrypted the stored data and made it inaccessible to victims until a ransom was paid. It also disabled the System Restore functionality of Microsoft Windows so that the system could not be restored to its pre-encryption state [15].
On May 7, 2021, the Colonial Pipeline, a U.S. pipeline system that transports gasoline and jet fuel mainly to the southeastern United States, was attacked by DarkSide ransomware, and all pipeline operations were suspended to contain the attack. The hacker group demanded $4.4 million as ransom, which was paid within hours of the incident, and the company received the IT tools needed to proceed with the restoration [16].
The GandCrab ransomware discovered in 2021 is ransomware-as-a-service (RaaS): its developers and affiliates benefit each other, with the developers providing the ransomware to affiliates who carry out the infections. Management information can be extracted from values hard-coded in the ransomware source code and used to build new variants; thus, various GandCrab samples can be produced [17].
In 2014, Sypeng ransomware was discovered in the first such attack on Android tablets and mobile devices. Sypeng was distributed via a fake Adobe Flash software update message. It demands a ransom by locking the screen of the infected device, making the device inaccessible to the victim [18]. Simplocker, discovered in the same year, also targets Android devices and is distributed via fake Adobe Flash software update messages, like Sypeng. When the ransomware is executed, it encrypts data on the SD memory card with AES and demands a ransom from the victim [19].
In 2015, the Fusob ransomware was distributed disguised as a pornographic video player. After checking the language used by the device, the Fusob ransomware locked the device if it was not Russian and displayed a ransom message on the screen [20].
LeakerLocker ransomware was discovered in 2017. LeakerLocker locks the home screen to prevent victims from accessing the device. It also collects the victim's browser data, messages, phone records, location information, e-mails, and media files, and demands a ransom with a warning message that it will leak them [21].
The Lycorisradiata ransomware was discovered in China in 2017. In particular, it reused the payment screen of the WannaCry ransomware unchanged; files in the device were encrypted and their file extension was changed to ‘勿卸载软件 解密加QQ (number) bahk (number)’ [22].
Table 1 and Figure 1 below summarize the ransomware described above and the ransomware described in the next section, by type and by year, respectively.
Table 1. Kinds of ransomware.
Type | PC | Mobile
---|---|---
Crypto | AIDS Trojan, Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, MayArchive, Gpcode.AK, CryptoLocker, CryptoWall, Tox, CTB-Locker | Simplocker, Lycorisradiata, CryptoLocker (Mobile)
Locker | WinLock, Reveton | Sypeng, Fusob, LockerPin, LeakerLocker, Slocker, covidSlocker
Hybrid | SynoLocker, WannaCry, Ryuk | DoubleLocker, SauronLocker
We investigated trends in several mobile ransomware prior to the analysis. To make the analysis more efficient, we categorized them into three types according to their characteristics. Figure 2 below shows the classification of the surveyed ransomware by feature and the year in which each ransomware attack occurred.
The first is locker-type ransomware, which locks the screen of the infected device, displays a message demanding a ransom on the locked screen, and restricts the use of the device. Representative ransomware of this type includes ‘LockerPin’, ‘covidSlocker’, and ‘Slocker’.
LockerPin is a mobile ransomware discovered around August 2015 and was distributed to users disguised as an adult porn application. When the victim installs and runs this application, a fake FBI message appears and asks for ransom. In addition, the ransomware randomly changes the PIN of the infected device. If there is no PIN, it sets a new PIN and keeps the device locked until it receives a ransom [23]. The Slocker is a mobile ransomware that appeared in 2017. The Slocker did not do much because it was an early mobile ransomware model. However, because the attackers could easily access and change Slocker’s source code, many modified mobile ransomware were created. These were developed, modified, and distributed from lock-type mobile ransomware to hybrid-type mobile ransomware [24].
CovidSlocker is a mobile ransomware discovered around May 2020 and is a variant of the previously popular mobile ransomware Slocker. It was disguised as an application for the delivery of COVID-19 information. When the victim installed and ran this application, the screen was locked and a message asking for ransom was displayed. The CovidSlocker kept the device locked until a specific password was entered through the lock screen [25].
The second is crypto-type ransomware, which encrypts files or data on the infected device, informs the victim of the infection through toast messages or text files, and demands a ransom. Among ransomware of this type, CryptoLocker is the most representative.
CryptoLocker is a mobile ransomware distributed around June 2020; it is an Android and iOS version of the Trojan-horse ransomware of the same name that attacked computers running the Microsoft Windows operating system around September 2013 [26]. CryptoLocker deceives users by posing as a COVID-19 tracking application. Running this application encrypts the files on the SD card of the infected device, changes their file extensions, and informs the user that the files are encrypted. Files with the changed extension cannot be opened; to reopen them, the victim must pay the attacker a ransom, receive the password, and enter it on the application screen [27].
Hybrid-type ransomware combines the working of the locker-type and crypto-type ransomware. Representative ransomware include SauronLocker and DoubleLocker.
SauronLocker, a mobile ransomware discovered in 2019, was distributed to users disguised as a crack version of a popular mobile game. When this application is installed and executed, the screen of the device is immediately locked, and continuously displays a message demanding a ransom from the user. In addition, it transmits the information of the infected device to the attacker’s server to obtain the encryption key and encrypts the data in the device’s SD card using the encryption key [28].
DoubleLocker is a mobile ransomware discovered in the fall of 2017 and is distributed through infected websites that trick users into installing it as Adobe Flash Player. When run, it changes the device PIN to lock the screen, encrypts the files on the SD card of the infected device, and appends ‘.cryeye’ to the names of the encrypted files. When the victim pays the ransom, the attacker remotely resets the PIN to unlock the screen and delivers the encryption key to decrypt the files [29].
In this section, we analyze covidSlocker of the locker type, CryptoLocker of the crypto type, and SauronLocker of the hybrid type, focusing on their cryptographic key generation functions, and explain how they operate within the device.
Because covidSlocker is derived from the earlier Slocker, its operation does not differ significantly from it. After covidSlocker is installed and run, the ransomware locks the device using the API with stolen administrator rights and prompts for a password along with a simple ransom message in Russian. When the check box in the message is clicked, an additional message demanding a ransom appears. If the wrong password is entered, an ‘incorrect’ message appears and the device remains locked.
When CryptoLocker is executed, the user is shown the application's status message and a notice that the device's files have been encrypted, written to a readme.txt created in the SD card directory. An encryption key is generated by randomly selecting 16 characters from English upper- and lower-case letters, 10 digits, and 23 special symbols (!@#$%^&*()_+-=[]|,./?<>). The generated key is then used as the key of the AES/CBC/PKCS5Padding algorithm to encrypt files of 14 formats (txt, jpg, bmp, png, pdf, doc, docx, pptx, avi, xls, xlsx, vcf, db) on the SD card. When encryption is complete, three files are created from the original file, [original file name.extension].enc, [original file name.extension].enc.salt, and [original file name.extension].enc.iv, and the original file is deleted. In addition, the randomly generated 16-character encryption key is stored in an .xml file at ‘/data/data/com.crydroid/shared_prefs/prefs.xml’.
When SauronLocker is executed, it transmits information about the infected device to the attacker's C&C server: the UID, firmware version, model name, and country code of the device. The C&C server then generates an encryption key based on the received device information and sends it back to the infected device, which uses it as the key of the AES encryption algorithm to encrypt the files on the SD card. This creates an encrypted file named after the original file name and extension; the original files are encrypted and then deleted. The code below shows that the information sent to the attacker's C&C server is hard-coded in the app's source code.
In this section, we describe the process of unlocking the locked screen of covidSlocker and decrypting the encrypted files of devices infected with CryptoLocker, in order to cope with infringement incidents caused by ransomware from a digital forensic perspective. This does not apply to SauronLocker because the attacker's C&C server is no longer reachable, so the encryption key cannot be obtained.
covidSlocker does not have the ability to encrypt files; it simply locks the screen, and a specific password must be entered to unlock it. However, because this password is stored in the ransomware's source code, it can easily be identified through source-code analysis. The figure below shows the part of the source code in which the password is stored.
CryptoLocker, as explained earlier, stores the encryption key used to encrypt and decrypt the files on the SD card in a specific file inside the infected device. Figure 7 shows this vulnerability: the encryption key is stored and managed as the ‘com.crydroid.password’ key value in the .xml file at ‘/data/data/com.crydroid/shared_prefs/prefs.xml’.
In addition, the algorithm used for encryption and decryption is easily determined through static analysis, and there is a further vulnerability in storing the salt and IV values required for decryption as files, [original file name.extension].enc.salt and [original file name.extension].enc.iv, in the same path as the encrypted file [original file name.extension].enc. Therefore, the encrypted file can be easily decrypted using this information together with the stored encryption key.
Therefore, to recover a device infected with CryptoLocker, the encryption key is first obtained from the file shown in Figure 7. Next, the encrypted file is decrypted with AES/CBC/PKCS5Padding using that key together with the corresponding salt and IV files.
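As an added illustration of the Section 4 file layout and the Section 5 recovery steps (example code written for this page, not the paper's or the malware's code): it parses the shared_prefs XML for the com.crydroid.password value, takes the IV from the .enc.iv sidecar, and reverses AES/CBC/PKCS5Padding with a padding check that flags a wrong key. Following the paper's wording, it assumes the 16-character string is used directly as the AES-128 key, so .enc.salt is not consumed; the prefs.xml content and the victim note are constructed samples, and the fixture encryption exists only to build them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
)

// sharedPrefs models the Android SharedPreferences XML layout of prefs.xml.
type sharedPrefs struct {
	Strings []struct {
		Name  string `xml:"name,attr"`
		Value string `xml:",chardata"`
	} `xml:"string"`
}

// keyFromPrefs returns the value stored under name (e.g. com.crydroid.password).
func keyFromPrefs(xmlData []byte, name string) (string, error) {
	var p sharedPrefs
	if err := xml.Unmarshal(xmlData, &p); err != nil {
		return "", err
	}
	for _, s := range p.Strings {
		if s.Name == name {
			return s.Value, nil
		}
	}
	return "", fmt.Errorf("key %q not found in shared_prefs", name)
}

// unpadPKCS7 validates and strips PKCS#7 padding (Java's PKCS5Padding);
// a wrong key almost always fails here, which is the recovery's sanity check.
func unpadPKCS7(b []byte) ([]byte, error) {
	n := len(b)
	if n == 0 || n%aes.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	p := int(b[n-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("invalid padding: wrong key or corrupted file")
	}
	return b[:n-p], nil
}

// decryptEncFile reverses AES/CBC/PKCS5Padding for one .enc body using the IV
// read from its .enc.iv sidecar.
func decryptEncFile(password string, iv, ct []byte) ([]byte, error) {
	// Assumption (paper's wording): the 16-character string is the AES-128 key
	// itself, so the .enc.salt sidecar is not needed for decryption.
	block, err := aes.NewCipher([]byte(password))
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad IV or ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpadPKCS7(pt)
}

// encryptForFixture builds a constructed .enc body and .enc.iv for the demo.
func encryptForFixture(key, plaintext []byte) (iv, ct []byte) {
	block, _ := aes.NewCipher(key)
	iv = make([]byte, aes.BlockSize)
	_, _ = rand.Read(iv)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return iv, ct
}

// samplePrefs is a constructed prefs.xml in the layout the paper describes.
const samplePrefs = `<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="com.crydroid.password">aB3$kL9!mN2@pQ7^</string>
</map>`

// recoverSample runs the full procedure on the constructed case.
func recoverSample() (string, error) {
	password, err := keyFromPrefs([]byte(samplePrefs), "com.crydroid.password")
	if err != nil {
		return "", err
	}
	iv, ct := encryptForFixture([]byte(password), []byte("constructed victim note: meeting at 10"))
	pt, err := decryptEncFile(password, iv, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	pt, err := recoverSample()
	fmt.Printf("recovered: %q (err=%v)\n", pt, err)
}
```

On a real image the three inputs come from prefs.xml, the .enc file and its .enc.iv sidecar; if the padding check fails for every file, the key-derivation assumption should be revisited before concluding the key is wrong.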
Mobile ransomware may be created by modifying PC-based ransomware or may be distributed under a new name by modifying previously distributed mobile ransomware. Because there are many types of mobile ransomware, classifying and studying them by their characteristics is expected to make it possible to devise measures to cope with infringement incidents, and to help in responding to and analyzing incidents caused by ransomware.
Mobile ransomware continues to emerge or reappear, which provides opportunities to find various ways to respond to infringement incidents. It is also expected that new ransomware operating in ways never seen before will appear in the future. Therefore, it is necessary to continue identifying trends in ransomware and researching various analysis methods and solutions. In addition, some mobile ransomware, such as SauronLocker, generate or manage encryption keys through external servers such as the attacker's C&C server. When the attacker's server is closed or inaccessible, it is difficult to obtain the encryption keys and the information exchanged between the server and the infected device. However, if the server is still up, various dynamic analysis tools can be used to capture the encryption keys and the other exchanged information to cope with infringement incidents.
This paper was supported by RESEARCH FUND offered from Catholic University of Pusan.
was born in Korea in 1996. He received a bachelor's degree in computer engineering in 2021 and has been a master's student in network security and digital forensics at the Catholic University of Pusan since March 2021. His research interests include mobile security and network security.
was born in Korea in 1995. He received a bachelor's degree in computer engineering in 2021 and has been a master's student in network security and digital forensics at the Catholic University of Pusan since March 2021. His research interests include vulnerability analysis and digital forensics.
has been an assistant professor in the Dept. of Computer & Information Engineering at the Catholic University of Pusan since April 2020. He received a Ph.D. from the School of Cybersecurity at Korea University in August 2019 under the supervision of Prof. Sangjin Lee. He worked at Korea University as a research professor from September 2019 to March 2020, and at the Electronics and Telecommunications Research Institute (ETRI) as a researcher from July 2017 to August 2019. His research interests are digital forensics (PC & mobile), vulnerability analysis (firmware, OS & application), and machine learning & deep learning (NLP).
Min-Hyuck Ko*, Pyo-Gil-Hong, and Dohyun Kim
Department of Computer Engineering, Catholic University of Pusan, Busan 46252, Korea
Correspondence to:Dohyun Kim (E-mail: dohyun@cup.ac.kr, Tel: +82-51-510-0654)
Department of Computer Engineering, Catholic University of Pusan, Busan 46252, Korea
This is an Open Access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (http://creativecommons.org/licenses/by-nc/3.0/) which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.
Recently, the number of mobile ransomware types has increased. Moreover, the number of cases of damage caused by mobile ransomware is increasing. Representative damage cases include encrypting files on the victim's smart device or making them unusable, causing financial losses to the victim. This study classifies ransomware apps by analyzing several representative ransomware apps to identify trends in the malicious behavior of ransomware. We present a technique for recovering from the damage, from a digital forensic perspective, using reverse engineering ransomware apps to analyze vulnerabilities in malicious functions applied with various cryptographic technologies. Our study found that ransomware applications are largely divided into three types: locker, crypto, and hybrid. In addition, we presented a method for recovering the damage caused by each type of ransomware app using an actual case. This study is expected to help minimize the damage caused by ransomware apps and respond to new ransomware apps.
Keywords: Mobile Ransomware, Incident Response, Ransomware Analysis, Digital Forensics
Ransomware, which causes many cyber-crimes in the PC environment around the world, has also been developed as a malicious mobile app, and more than 20,708 mobile ransomware are detected every year [1]. A growing variety of mobile ransomware is being discovered, ranging from simply locking the screen to encrypting files within the device or sending device information to attackers. In proportion to the increase in mobile ransomware, infringement accidents, such as financial damage to victims and the loss of important media and files, are also increasing. To minimize the damage due to such accidents, research on cryptographic technology analysis and decryption, as applied to mobile ransomware, is required. This study analyzes several previously distributed mobile ransomware and studies the types and characteristics of each ransomware, the analysis results of cryptographic technology, and how to cope with incidents caused by ransomware. We investigated and studied mobile ransomware distributed to smartphones, as ransomware targeting existing OS (Mac, Windows, Linux, etc.) for PCs is transformed by attackers. The contributions of this study are as follows:
This study classifies the different types of ransomware found to date and analyzes the trends in malicious behavior.
This study presents an investigative method for responding to malicious behavior by analyzing three major ransomware types (Locker, Crypto, and Hybrid).
The remainder of this paper is organized as follows. In Section 2, related works are discussed. In Section 3, the types of mobile ransomware used are described. In Section 4, an analysis of the mobile ransomware is presented. In Section 5, the response to mobile ransomware incidents is presented. In Section 6, a discussion and conclusions are presented.
In this section, we briefly describe different ransomware and related articles, and research.
AIDS Trojan, the first known malware extortion attack, was developed by Joseph Popp in 1989. Its characteristic was that it hid files from the hard drive and encrypted only the names of the files. The PC Cyborg Corporation was asked to pay US$ 189. However, its weakness was that the decryption keys could be extracted from the source code of the ransomware; therefore, they could be easily decrypted without paying [2].
Between May 2005 and 2006, several ransomware appeared, including Gpcode, TROJ.RANSOM.A, Archiveusm Krotten, Cryzip, and MayArchive. As the key size increased, they began to use more sophisticated RSA encryption systems. Gpcode.AG, discovered in June 2006, was encrypted with a 660-bit RSA public key [3]. In 2008, Gpcode.AK, a variant of Gpcode, was discovered and it used a 1024-bit RSA key [4].
Unlike Gpcode, the WinLock ransomware discovered in 2010 did not use encryption. Instead, WinLock displayed obscene images on the user's screen, limited access to the system and asked the user to pay a ransom to receive code that would unlock the system [5].
In 2011, ransomware appeared disguised as activation notifications for Microsoft Windows products. Because online authentication options, such as the actual Windows activation process, were provided, but not made available, the victim had to call one of the specified international numbers to enter a six-digit code. It was routed through countries with high international phone charges, forcing victims to pay these high charges [6].
Reveton ransomware displayed a message to the victim disguising it as a warning message from law enforcement agencies claiming that illegal activities, such as unlicensed software use or child pornography downloads, were detected. It also informed the victims that a fine had to be paid to unlock the system. Reveton ransomware spread to several European countries since early 2012, and several variants were discovered until 2014 [7].
In 2013, a ransomware was discovered using the Stamp EK exploit kit to attract users to fake nude photos of celebrities, such as athletes and movie stars, through Github or SourceForge. The infected PC had limited access and a message was sent to the user asking for a ransom to recover the system [8].
CryptoLocker ransomware attacks were cyber-attacks on PCs using Microsoft Windows from September 5, 2013, to the end of May 2014. CryptoLocker was spread via infected email attachments and the Gameover ZeuS botnet. When the malicious code was executed, encrypted RSA public-key encryption was used to encrypt files stored on local and network drives having specific extensions, and each encrypted file was recorded as a registry key. Subsequently, the victim was notified through the payload that the file had been encrypted, and a ransom was required for its recovery [9].
In 2014, Synology discovered SynoLocker, a ransomware that locked up a network-attached storage device (NAS) built by Synology. It is targeted by hackers and received a ransom call to decrypt and recover files [10].
In the same year, CryptoWall, a ransomware for Windows, was discovered. CryptoWall was distributed as several variants, one of which was a malicious advertising campaign on Zedo advertising networks targeting major websites. CryptoWall encrypted files on the infected PCs and installed spyware that stole user-encrypted electronic money wallets. CryptoWall continued to be enhanced to version 4.0 until 2015 and later evolved to encrypt file data as well as file names [11].
In 2015, Tox, a ransomware that encrypted files within a PC at the time of execution, by disguising malicious code executables as icons of word documents, was discovered [12]. CTB-Locker ransomware, which was distributed through spam advertising and mail and encrypted files on infected PCs, was also discovered [13].
The WannaCry ransomware attack was a worldwide cyberattack that occurred in May 2017. WannaCry was intended for PCs using the Windows operating system and was propagated through EternalBlue, an export developed for older Windows systems. When executed, the WannaCry malware first checked the kill switch domain name. If the kill switch was not found, it attempted to encrypt data on the PC and exploited SMB vulnerabilities to spread to any computer on the Internet or to computers on the same network. The payload then displayed a message informing the victim that the file had been encrypted [14].
Ryuk ransomware was first introduced in 2018 but was widely known after the November 2020 attack on the Baltimore County (Maryland) school system. Ryuk was distributed through malicious documents or hyperlinks. When the victim activated it, access to the network server was secured, and the installation proceeded on its own using Trickbot PC malware. When Ryuk controlled the system, it encrypted the stored data and made them inaccessible to victims until they received a ransom. It also disabled The System Restore functionality of Microsoft Windows to prevent it from being restored before it was encrypted [15].
On May 7, 2021, the colonial pipeline, a U.S. pipeline system that transports gasoline and jet fuel mainly to the southeastern United States, was attacked by DarkSide ransomware, and all pipeline operations were suspended to contain the attack. The hacker group demanded $4.4 million as ransom, which was paid within hours of the incident, and the company received IT tools needed to proceed with the restoration [16].
The GandCrab ransomware discovered in 2021 is a ransomware-as-a-service (RaaS) ransomware and has a structure in which ransomware developers benefit each other by providing ransomware to affiliates capable of infecting ransomware. Management information can be extracted based on values hard-coded in the ransomware source code, and a self-summary can be created. Thus, various GandCrab samples can be produced [17].
In 2014, Sypeng ransomware was discovered in the first ransomware attack on Android tablets and phones. It was distributed through a fake Adobe Flash update message. Sypeng locks the screen of the infected device so that the victim cannot use it and demands a ransom [18]. Simplocker, discovered the same year, also targets Android devices and, like Sypeng, is distributed through fake Adobe Flash update messages. When executed, it encrypts the data on the SD card with AES and demands a ransom from the victim [19].
In 2015, the Fusob ransomware was distributed disguised as a pornographic video player. After checking the device's language setting, Fusob locked the device if the language was not Russian and displayed a ransom message on the screen [20].
LeakerLocker ransomware was discovered in 2017. It locks the home screen so that the victim cannot use the device, collects the victim's browser data, messages, call records, location, e-mails and media files, and demands a ransom with a warning that the data will be leaked otherwise [21].
The Lycorisradiata ransomware was discovered in China in 2017. It reused the WannaCry payment screen unchanged, encrypted the files on the device and changed the file extension to '勿卸载软件 解密加QQ (number) bahk (number)' (roughly, "do not uninstall the software; for decryption add QQ (number)") [22].
Table 1 and Figure 1 below summarize the ransomware described above and the ransomware described in the next section, by type and by year respectively.
Table 1. Kinds of ransomware.
Type | PC | Mobile |
---|---|---|
Crypto | AIDS Trojan, Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, MayArchive, Gpcode.AK, CryptoLocker, CryptoWall, Tox, CTB-Locker | Simplocker, Lycorisradiata, CryptoLocker (Mobile) |
Locker | WinLock, Reveton | Sypeng, Fusob, LockerPin, LeakerLocker, Slocker, covidSlocker |
Hybrid | SynoLocker, WannaCry, Ryuk | DoubleLocker, SauronLocker |
We surveyed several mobile ransomware families before the analysis and grouped them into three types according to their characteristics to make the analysis more efficient. Figure 2 below shows the surveyed ransomware classified by feature, together with the year in which each attack occurred.
The first is locker-type ransomware, which locks the screen of the infected device, displays a ransom demand on the locked screen and thereby prevents use of the device. Representative examples of this type are LockerPin, covidSlocker and Slocker.
LockerPin is a mobile ransomware discovered around August 2015 and was distributed disguised as an adult application. When the victim installs and runs it, a fake FBI message demanding a ransom appears. The ransomware also changes the PIN of the infected device to a random value; if no PIN is set, it sets a new one, and keeps the device locked until the ransom is paid [23]. Slocker is a mobile ransomware that appeared in 2017. As an early mobile ransomware, Slocker itself did little; however, because attackers could easily obtain and modify its source code, many variants were derived from it, ranging from locker-type to hybrid-type mobile ransomware [24].
CovidSlocker is a mobile ransomware discovered around May 2020 and is a variant of the earlier Slocker. It was disguised as an application delivering COVID-19 information. When the victim installed and ran it, the screen was locked and a ransom message was displayed. CovidSlocker kept the device locked until a specific password was entered on the lock screen [25].
The second is crypto-type ransomware, which encrypts files or data on the infected device, informs the victim of the infection through a toast message or a text file, and demands a ransom. CryptoLocker is the most representative of this type.
The mobile CryptoLocker, distributed around June 2020, is an Android and iOS adaptation of the Trojan ransomware of the same name that targeted Microsoft Windows computers from around September 2013 [26]. It deceives users by posing as a COVID-19 tracking application. When run, it encrypts the files on the infected device's SD card, changes their extensions, and informs the user that the files have been encrypted. The renamed files cannot be opened; to reopen them, the victim must pay the attacker, receive the password, and enter it on the application screen [27].
Hybrid-type ransomware combines the behaviour of the locker and crypto types. Representative examples are SauronLocker and DoubleLocker.
SauronLocker, a mobile ransomware discovered in 2019, was distributed disguised as a cracked version of a popular mobile game. When installed and run, it immediately locks the device screen and continuously displays a ransom demand. It also sends information about the infected device to the attacker's server to obtain an encryption key, and uses that key to encrypt the data on the device's SD card [28].
DoubleLocker is a mobile ransomware discovered in the fall of 2017 and distributed through infected websites disguised as Adobe Flash Player. When run, it changes the device PIN to lock the screen, encrypts the files on the infected device's SD card and appends '.cryeye' to each file name. When the victim pays the ransom, the attacker remotely resets the PIN to unlock the screen and delivers the key to decrypt the files [29].
In this section we analyze the cryptographic key generation functions of covidSlocker (locker type), CryptoLocker (crypto type) and SauronLocker (hybrid type), and explain how each operates on the device.
Because covidSlocker is derived from the earlier Slocker, its operation differs little from it. After installation and launch, covidSlocker locks the device through the device administrator API using the administrator rights it obtained, and requests a password alongside a short ransom message in Russian. When the check box in the message is tapped, a further ransom message appears. If the password entered is wrong, an error message is shown and the device remains locked.
When CryptoLocker is executed, the user is shown the application's status message and a message stating that the device's files have been encrypted, which is also written to a readme.txt created in the SD card directory. The encryption key is a 16-character string chosen at random from upper- and lower-case English letters, the 10 digits and 23 special symbols (!@#$%^&*()_+-=[]|,./?<>). This key is then used with the AES/CBC/PKCS5Padding algorithm to encrypt files of 14 formats on the SD card, including txt, jpg, bmp, png, pdf, doc, docx, pptx, avi, xls, xlsx, vcf and db. For each encrypted file, three files are created, [original file name.extension].enc, [original file name.extension].enc.salt and [original file name.extension].enc.iv, and the original file is deleted. The randomly generated 16-character key is stored in an XML file at '/data/data/com.crydroid/shared_prefs/prefs.xml'.
When SauronLocker is executed, it sends information about the infected device to the attacker's C&C server: the UID, firmware version, model name and country code. The C&C server generates an encryption key from this information and returns it to the device, which uses it as the key for AES to encrypt the files on the SD card. Each encrypted file is named [original file name.extension].Encrypted, and the original file is deleted. The code below shows that the information sent to the C&C server is hard-coded in the app's source.
In this section we describe how to unlock the screen of a device infected with covidSlocker and how to decrypt the files of a device infected with CryptoLocker, in order to respond to ransomware incidents from a digital forensic perspective. The method does not apply to SauronLocker because the attacker's C&C server is no longer reachable and the encryption key cannot be obtained.
covidSlocker has no file-encryption capability; it only locks the screen, and a specific password must be entered to unlock it. However, this password is stored in the ransomware's source code, so it is easily recovered through source-code analysis. The figure below shows the part of the source in which the password is stored.
As explained earlier, CryptoLocker stores the key used to encrypt and decrypt the SD card files in a specific file on the infected device. Figure 7 shows this weakness: the key is kept under the 'com.crydroid.password' entry of '/data/data/com.crydroid/shared_prefs/prefs.xml'.
In addition, the encryption algorithm is easy to identify through static analysis, and the salt and IV needed for decryption are stored as [original file name.extension].enc.salt and [original file name.extension].enc.iv in the same directory as the encrypted file [original file name.extension].enc. The encrypted file can therefore be decrypted from these artifacts together with the stored key.
To recover a device infected with CryptoLocker, therefore, first obtain the key from the file shown in Figure 7, then decrypt each encrypted file with AES/CBC/PKCS5Padding using that key together with the file's own salt and IV.
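The recovery procedure above, as an added worked example that is not code from the paper or from the ransomware sample. It is written in Go rather than the app's own Java so that it runs as a stand-alone forensic script. It assumes only the artifacts the paper describes: the password stored under com.crydroid.password in prefs.xml (parsed in the XML layout Android SharedPreferences uses) and the .enc, .enc.salt and .enc.iv files left beside each victim file. The paper does not say how the sample turns the stored password and the salt into the AES key, so the key derivation here (SHA-256 over password and salt, truncated to 16 bytes) is a stand-in assumption that must be replaced with whatever static analysis of the real sample reveals; the prefs.xml dump, salt, IV and file contents are constructed test data, and EncryptFile exists only to build them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
)

// prefsMap mirrors the <map><string name="..."> layout of Android SharedPreferences.
type prefsMap struct {
	Strings []struct {
		Name  string `xml:"name,attr"`
		Value string `xml:",chardata"`
	} `xml:"string"`
}

// ExtractPassword returns the value stored under key in a prefs.xml dump.
func ExtractPassword(prefsXML []byte, key string) (string, error) {
	var m prefsMap
	if err := xml.Unmarshal(prefsXML, &m); err != nil {
		return "", err
	}
	for _, s := range m.Strings {
		if s.Name == key {
			return s.Value, nil
		}
	}
	return "", fmt.Errorf("key %q not found in prefs.xml", key)
}

// deriveKey is an ASSUMPTION: the paper does not say how the sample combines the stored
// password with the per-file salt, so SHA-256(password||salt) truncated to AES-128 stands in.
func deriveKey(password string, salt []byte) []byte {
	sum := sha256.Sum256(append([]byte(password), salt...))
	return sum[:16]
}

// cbc runs AES/CBC with the derived key; encrypt=true is only used to build sample data.
func cbc(password string, salt, iv, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(password, salt))
	if err != nil || len(iv) != aes.BlockSize || len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key, IV length or data length")
	}
	out := make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	}
	return out, nil
}

// EncryptedSet is the trio left beside each victim file: <name>.enc, <name>.enc.salt, <name>.enc.iv.
type EncryptedSet struct{ Enc, Salt, IV []byte }

// EncryptFile reproduces the sample's output layout (PKCS5 padding, then CBC); test data only.
func EncryptFile(password string, salt, iv, plaintext []byte) (EncryptedSet, error) {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct, err := cbc(password, salt, iv, padded, true)
	return EncryptedSet{Enc: ct, Salt: salt, IV: iv}, err
}

// DecryptFile is the recovery step: key from (stored password, .enc.salt), CBC-decrypt .enc
// with .enc.iv, then verify and strip PKCS5 padding (bad padding = wrong key, salt or IV).
func DecryptFile(password string, s EncryptedSet) ([]byte, error) {
	pt, err := cbc(password, s.Salt, s.IV, s.Enc, false)
	if err != nil {
		return nil, err
	}
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("invalid PKCS5 padding")
	}
	return pt[:len(pt)-n], nil
}

// Constructed sample: a prefs.xml dump ('&' XML-escaped, as Android writes it) and one
// IMG_0001.jpg encrypted with the scheme above.
const SamplePrefs = `<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="com.crydroid.password">Ab3$x9!Qz2&amp;Lp0#Q</string>
</map>`

func SampleFile() EncryptedSet {
	set, err := EncryptFile("Ab3$x9!Qz2&Lp0#Q", []byte("0123456789abcdef"),
		[]byte("fedcba9876543210"), []byte("family photo metadata"))
	if err != nil {
		panic(err)
	}
	return set
}

func main() {
	password, _ := ExtractPassword([]byte(SamplePrefs), "com.crydroid.password")
	pt, err := DecryptFile(password, SampleFile())
	fmt.Printf("IMG_0001.jpg -> %q (err=%v)\n", pt, err)
}
```

On a real image the analyst would read prefs.xml from the app's shared_prefs directory and, for every *.enc on the SD card, feed the sibling .enc.salt and .enc.iv files into DecryptFile; a padding error on every file is the signal that the assumed key derivation does not match the sample and the KDF must be read out of the decompiled code first.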
Mobile ransomware may be created by adapting PC-based ransomware, or distributed under a new name after modifying previously distributed mobile ransomware. Because there are many kinds of mobile ransomware, classifying them by their characteristics and studying each class should make it possible to devise countermeasures for incidents, and should also help in responding to and analyzing incidents caused by ransomware.
New mobile ransomware keeps emerging, and old families reappear, which offers an opportunity to find various ways of responding to incidents. It is also to be expected that ransomware with operating mechanisms not seen before will appear in the future, so trends must be monitored continuously and research into analysis methods and solutions must continue. Some mobile ransomware, such as SauronLocker, generates or manages its encryption keys through an external server such as the attacker's C&C server. Once that server is shut down or unreachable, the traffic exchanged between the server and the infected device, and with it the encryption key, is difficult to obtain. While the server is still reachable, however, dynamic analysis tools can capture the exchanged traffic, including the encryption key, to support incident response.
This paper was supported by RESEARCH FUND offered from Catholic University of Pusan.