National Repository of Grey Literature: 23 records found, records 14 - 23
Defeating Ransomware By Hooking System Calls On Windows Os
Touš, Filip
This paper explains why ransomware needs to use the Windows API to encrypt files and how this can be utilized to protect sensitive data from ransomware. Critical API functions are examined on a low level and a generic method to monitor and possibly block their usage through system call hooks is presented. This approach is then demonstrated with a custom kernel mode driver which can keep protected files safe from any user mode malware. It is then compared to current ransomware protection in Windows 10.
Analysis of malware
Bláha, Michael ; Caha, Tomáš (referee) ; Člupek, Vlastimil (advisor)
The aim of my bachelor thesis is to design a safe environment for the analysis of malicious software. In the theoretical part of the work, I deal with the basic division of computer viruses. Next, I describe two main procedures for malware analysis, namely static and dynamic analysis. I describe why they are used and what tools fall into these categories. I also present my methodology for secure malware analysis. In the practical part of the work, I focus on creating an analytical environment on Windows 10 and Fedora platforms. I use a graphical environment and a command line to create virtual machines. For the analysis of network traffic, I create the so-called "Fake Internet" program with the INetSim program. In the last part of the work, I deal with a sample analysis of selected types of computer viruses. I follow the described methodology. For each analysis, I describe a brief summary and results. At the end of the work, I describe a possible defense against malicious software.
Criminological and criminal law aspects of the ransomware spread
Fousek, Jan ; Gřivna, Tomáš (advisor) ; Bohuslav, Lukáš (referee)
This diploma thesis examines different aspects of criminology and criminal law with the issue of the malware spread in the form of ransomware. This text is divided into two main parts. First, the theoretical part consists of the chapters about cybercrime, malware and criminological and criminal law aspects of ransomware spread. It uses the substantive law and also procedural law perspective. All chapters are divided into subchapters dealing with the questions of offenders and victims, criminal law qualification of the ransomware phenomena and with related concepts used for the broader understanding of this kind of cybercrime. Second, the analytical part follows. This thesis combines different criminological research methods and tries to verify the main hypothesis regarding the increase in the number of ransomware attacks in the Czech Republic. The hypothesis is as follows: "The number of ransomware attacks registered by the Police of the Czech Republic has been increasing since 2016". This hypothesis cannot be accepted due to missing relevant data from the Police of the Czech Republic and other institutions. It can be said that for the period 2016-2018, there were 3 registered ransomware attacks per 100,000 inhabitants of the Czech...
Ransomware Obfuscation Techniques
Jacko, Jerguš ; Barabas, Maroš (referee) ; Kačic, Matej (advisor)
This master's thesis seeks to design, implement, and point out new techniques for obfuscation of ransomware activity using the entropy principles of data that do not fall within the detection capabilities of known anti-ransomware and anti-virus tools. The proposed techniques are aimed at changing the ransomware activity in the downgrading phase (encryption or obfuscation) of files on the infected system.
Automatic Detection of Cryptography Used in Code
Mička, Richard ; Šilhavý, Pavel (referee) ; Hajný, Jan (advisor)
This thesis covers the topic of automatic detection of cryptography used in application code, which currently requires a lot of manual effort to analyze for a given unknown program sample. In this thesis, a possibility of implementing an automated tool for analysing the usage of the Microsoft CryptoAPI cryptographic library by analysed programs is researched. This library is distributed with Microsoft Windows and can be misused by an attacker to cause significant harm to a victim. By recognizing cryptographic operations used and by presenting the summary of their use, it is in certain situations possible to distinguish malicious programs just based on the presented analysis summary. The main objective of this thesis was the creation of such an automatic analyser module integrated into the Cuckoo sandbox. Along with the design proposal of such an analyser, this thesis includes CryptoAPI library and Cuckoo sandbox functionality exploration and description. The proposed automatic analyser was successfully created, deployed and tested in a production environment and the achieved results were discussed.
Analysis of the GlobeImposter ransomware
Procházka, Ivo ; Komosný, Dan (referee) ; Martinásek, Zdeněk (advisor)
The aim of this diploma thesis is to analyze an instance of the GlobeImposter ransomware extracted from an affected device. The first part outlines various types of malware and ransomware and includes a description of encryption mechanisms and key distribution systems. It also discusses possible approaches of static and dynamic analysis of malware samples and requirements for test environments. The practical part describes the source of the malware sample, the physical and virtual test environment and the results of the static and dynamic analysis of the GlobeImposter ransomware. The final part discusses the results and the possibility of implementing a decryptor for the analyzed GlobeImposter ransomware.
Criminal and criminological aspects of ransomware spreading
Zavadil, Stanislav ; Gřivna, Tomáš (advisor) ; Bohuslav, Lukáš (referee)
This diploma thesis deals with issues of ransomware spreading and examines certain criminal and criminological aspects of this cybercrime phenomenon. Ransomware is malware that encrypts, blocks or prevents access to the computer system or data in a computer system. In connection to this, it demands monetary or other ransom. This diploma thesis firstly describes ransomware from the point of view of its function and technical aspects, including its history, categorization of its variations and description of several notable infection examples, namely WannaCry, Petya, DoubleLocker and Vir Policie. The following section describes possible criminal qualifications according to Czech substantive criminal law, including the consideration of specifics of different ransomware variations and potential development of this criminal activity. The final part focuses on criminological aspects of ransomware spreading. It begins with a description of the crime status and dynamics, including further details about latency and trends. Then follows the description of perpetrator and victim in view of certain criminological theories. Finally, the criminological part comprises a chapter about crime control and prevention, which includes practical parts that aim to help...
Criminological and legal aspects of the ransomware phenomenon
Johanovský, Tomáš ; Gřivna, Tomáš (advisor) ; Bohuslav, Lukáš (referee)
This diploma thesis deals with the current topic of cybercrime and focuses specifically on the phenomenon of ransomware on a scope unprecedented in Czech legal literature. Ransomware is a malicious code that interferes with the operation of a computer system, and later requires ransom for the victim to recover the access to the computer system and the data contained therein. Basic concepts necessary for the definition of ransomware (such as cyberspace, cybercrime, computer system, malicious code, cryptocurrency and darknet) are introduced and explained. The specificities of cybercrime and its development and current range in the Czech Republic are analysed. The main part of the text deals with the analysis of ransomware, starting with its history and leading to the possible future developments of ransomware. Different variants of ransomware are described such as false antivirus, police, locker and encryption ransomware. From a criminological point of view, the text focuses on the unique interaction of the perpetrator and the victim, which takes on surprising forms of customer support, answers to frequently asked questions and instructions for acquiring virtual currencies. Emphasis is placed on prevention efforts that can mitigate the...
Application displaying the course of cyber attacks
Safonov, Yehor ; Gerlich, Tomáš (referee) ; Martinásek, Zdeněk (advisor)
Nowadays, the safety of end stations is a topical issue. The complexity of the programming equipment of the computing systems brings about a greater probability of creating vulnerabilities, which could be used as a new anchor point for possible attacks aimed at endpoint computers or the whole company infrastructure. One of the main goals of this bachelor thesis is to create an instrument that would allow system administrators to perform more effective analysis and countermeasures directed to prevent the emergence of negative threats. From a theoretical point of view, the bachelor thesis will focus on the most common attacks on modern operating systems with an emphasis on Windows. It will then deal with the problematics of malicious code, especially with the principles of its operation, specific features and current trends. In the practical part, focus will be placed on the implementation of a robust application that will become a part of the project that is currently being developed in TrustPort company. In the beginning, the bachelor thesis is going to analyze different use cases of the application. Further it will make comparisons between different graphical representations, which could be displayed. Subsequently, the thesis is going to define the sets of functional, non-functional and critical requirements for the implementation as to create a concept of future application, specifically its architecture and user interface. During the next step a plan of the implementation of the proposed application is going to be presented. This plan is logically divided into several stages for better understanding. According to the implemented parts, the functionality of the application will be tested on the most commonly detected user attacks. At the end of the work, possible expansion, improvements and a concise conclusion will be stated.
Ransomware Traffic Analysis
Šrubař, Michal ; Grégr, Matěj (referee) ; Ryšavý, Ondřej (advisor)
The focus of this work is crypto-ransomware, a variant of malware; an analysis of this malware’s network communication; and the identification of means by which it may be detected in the network. The thesis describes the methodology and environment in which the malware’s network communications were studied. The first part of the thesis provides a network traffic analysis of this type of malware with a focus on HTTP and DNS communication, including anomalies that can be observed in the network during this malware’s activity. The thesis also includes a discussion of the user behavior of devices infected by this type of malware. The resulting data was used to identify and describe four detection methods that are able to recognize the malware from its network communication using the HTTP protocol. Finally, a description of several signatures that can be used as indicators of a possible infection by this malware is provided.
