Skip to main content
SpringerLink
Log in
Book cover

International Conference on Network and System Security

NSS 2020: Network and System Security pp 388–407Cite as

ESCAPADE: Encryption-Type-Ransomware: System Call Based Pattern Detection

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12570)

Abstract

Encryption-type ransomware has risen in prominence lately as the go-to malware for threat actors aiming to compromise Android devices. In this paper, we present a ransomware detection technique based on behaviours observed in the system calls performed by the malware. We identify and present some common high-level system call behavioural patterns targeted at encryption-type ransomware and evaluate these patterns. We further present our repeatable and extensible methodology for extracting the system call log and patterns.

Keywords

  • Android
  • Behaviour
  • Patterns
  • Encryption-ransomware

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    https://crow.org.nz/tools/ransomwaresystemcalldataset.

References

  1. Abrams, L.: Confirmed: garmin received decryptor for WastedLocker ransomware (2020). https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/

  2. Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M.: Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions. Comput. Secur. 74, 144–166 (2018)

    CrossRef  Google Scholar 

  3. Andronio, N., Zanero, S., Maggi, F.: HelDroid: dissecting and detecting mobile ransomware. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 382–404. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_18

    CrossRef  Google Scholar 

  4. APKPure: Benign dataset (nd). https://apkpure.com/

  5. Avast: Avast blog (2020). https://blog.avast.com/

  6. Chebyshev, V.: Mobile malware evolution 2018. SecureList, 16 March 2019. https://securelist.com/mobile-malware-evolution-2018/89689/statistics

  7. Chen, J., Wang, C., Zhao, Z., Chen, K., Du, R., Ahn, G.J.: Uncovering the face of Android ransomware: characterization and real-time detection. IEEE Trans. Inf. Forensics Secur. 13(5), 1286–1300 (2017)

    CrossRef  Google Scholar 

  8. Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)

    CrossRef  Google Scholar 

  9. Faruki, P., et al.: Android security: a survey of issues, malware penetration, and defenses. IEEE Commun. Surv. Tutor. 17(2), 998–1022 (2014)

    CrossRef  Google Scholar 

  10. Faruki, P., Laxmi, V., Bharmal, A., Gaur, M.S., Ganmoor, V.: AndroSimilar: robust signature for detecting variants of Android malware. J. Inf. Secur. Appl. 22, 66–80 (2015)

    Google Scholar 

  11. Gadhiya, S., Bhavsar, K.: Techniques for malware analysis. Int. J. Adv. Res. Comput. Sci. Softw. Eng. 3(4), 2277–3128 (2013)

    Google Scholar 

  12. Gandotra, E., Bansal, D., Sofat, S.: Malware analysis and classification: a survey. J. Inf. Secur. 5(02), 56 (2014)

    Google Scholar 

  13. Gazet, A.: Comparative analysis of various ransomware virii. J. Comput. Virol. 6(1), 77–90 (2010). https://doi.org/10.1007/s11416-008-0092-2

    CrossRef  Google Scholar 

  14. Google: Android security 2018 year in review (2019). https://source.android.com/security/reports/Google_Android_Security2018_Report_Final.pdf

  15. Google: Android Debug Bridge (adb) (2020). https://developer.android.com/studio/command-line/adb

  16. Google: UI/application exerciser monkey (2020). https://developer.android.com/studio/test/monkey

  17. Goud, N., et al.: Black Rose Lucy ransomware attack on Android devices, April 2020. https://www.cybersecurity-insiders.com/black-rose-lucy-ransomware-attack-on-android-devices/

  18. Hou, O.: A look at Google Bouncer [blog post], 20 July 2012. https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-google-bouncer/

  19. Isohara, T., Takemori, K., Kubota, A.: Kernel-based behavior analysis for Android malware detection. In: 2011 Seventh International Conference on Computational Intelligence and Security, pp. 1011–1015. IEEE (2011)

    Google Scholar 

  20. Kanwal, M., Thakur, S.: An app based on static analysis for Android ransomware. In: 2017 International Conference on Computing, Communication and Automation (ICCCA), pp. 813–818. IEEE (2017)

    Google Scholar 

  21. Kok, S., Abdullah, A., Jhanjhi, N., Supramaniam, M.: Ransomware, threat and detection techniques: a review. Int. J. Comput. Sci. Netw. Secur. 19(2), 136 (2019)

    Google Scholar 

  22. Koodous: Malicious dataset (nd). https://koodous.com/

  23. Lance, W.: CovidLock ransomware exploits coronavirus with malicious Android app. TechRepublic, 17 March 2020. https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/

  24. Lashkari, A.H., Kadir, A.F.A., Taheri, L., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark Android malware datasets and classification. In: 2018 International Carnahan Conference on Security Technology (ICCST), pp. 1–7. IEEE (2018)

    Google Scholar 

  25. Levin, D.V.: Strace (2020). https://strace.io/

  26. Lin, Y.D., Lai, Y.C., Chen, C.H., Tsai, H.C.: Identifying Android malicious repackaged applications by thread-grained system call sequences. Comput. Secur. 39, 340–350 (2013)

    CrossRef  Google Scholar 

  27. Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., Van Der Veen, V., Platzer, C.: Andrubis-1,000,000 apps later: a view on current Android malware behaviors. In: 2014 Third International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), pp. 3–17. IEEE (2014)

    Google Scholar 

  28. Lockheimer, H.: Android and security [blog post], 2 February 2012. https://googlemobile.blogspot.com/2012/02/android-and-security.html

  29. Malwarebytes: CTNT report cybercrime tactics and techniques: Ransomware retrospective (2020). https://resources.malwarebytes.com/files/2019/08/CTNT-2019-Ransomware_August_FINAL.pdf

  30. Mana, O., Hazum, A., Melnykov, B., Kuperman, L.: Lucy’s back: ransomware goes mobile, April 2020. https://research.checkpoint.com/2020/lucys-back-ransomware-goes-mobile/

  31. Micro, T.: Behind the Android menace: Malicious apps–TrendLabs security intelligence blog. https://blog.trendmicro.com/trendlabs-security-intelligence/infographic-behind-the-android-menace-malicious-apps

  32. Micro, T.: The sprawling reach of complex threats (2020). https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/the-sprawling-reach-of-complex-threats

  33. Mohammad, A.H.: Ransomware evolution, growth and recommendation for detection. Modern Appl. Sci. 14(3), (2020)

    Google Scholar 

  34. Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp. 421–430. IEEE (2007)

    Google Scholar 

  35. Ninja, S.: How malware detects virtualized environment (and its countermeasures) (2016). https://resources.infosecinstitute.com/how-malware-detects-virtualized-environment

  36. O’Kane, P., Sezer, S., Carlin, D.: Evolution of ransomware. IET Netw. 7(5), 321–327 (2018)

    CrossRef  Google Scholar 

  37. Richardson, R., North, M.M.: Ransomware: evolution, mitigation and prevention. Int. Manag. Rev. 13(1), 10 (2017)

    Google Scholar 

  38. Lipovský, R., Lukáš Štefanko, G.B.: Labour party is latest victim of Blackbaud ransomware attack (2016). https://www.welivesecurity.com/wp-content/uploads/2016/02/Rise_of_Android_Ransomware.pdf

  39. Scroxton, A.: Labour party is latest victim of Blackbaud ransomware attack (2020). https://www.computerweekly.com/news/252487002/Labour-Party-is-latest-victim-of-Blackbaud-ransomware-attack

  40. Shivang, D.: CovidLock: Android ransomware walkthrough and unlocking routine, 16 March 2020. https://www.zscaler.com/blogs/research/covidlock-android-ransomware-walkthrough-and-unlocking-routine

  41. Song, S., Kim, B., Lee, S.: The effective ransomware prevention technique using process monitoring on Android platform. Mob. Inf. Syst. 2016 (2016)

    Google Scholar 

  42. Sood, G.: virustotal: R Client for the virustotal API (2017). r package version 0.2.1

    Google Scholar 

  43. Sophos: The state of ransomware 2020 (2020). https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf

  44. Tam, K., Khan, S.J., Fattori, A., Cavallaro, L.: CopperDroid: automatic reconstruction of Android malware behaviors. In: NDSS (2015)

    Google Scholar 

  45. Uppal, D., Mehra, V., Verma, V.: Basic survey on malware analysis, tools and techniques. Int. J. Comput. Sci. Appl. (IJCSA) 4(1), 103 (2014)

    Google Scholar 

  46. WeLiveSecurity: WeLiveSecurity (2020). https://www.welivesecurity.com/

  47. Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party Android marketplaces. In: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, pp. 317–326. ACM (2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, University of Waikato, Hamilton, New Zealand

    Christopher Jun-Wen Chew & Vimal Kumar

  2. Department of Software Engineering, University of Waikato, Hamilton, New Zealand

    Panos Patros & Robi Malik

Authors
  1. Christopher Jun-Wen Chew
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Vimal Kumar
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Panos Patros
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Robi Malik
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Vimal Kumar .

Editor information

Editors and Affiliations

  1. Wrocław University of Technology, Wroclaw, Poland

    Mirosław Kutyłowski

  2. Swinburne University of Technology, Hawthorn, VIC, Australia

    Jun Zhang

  3. James Cook University, Douglas, QLD, Australia

    Chao Chen

Appendix

Appendix

figure a
figure b
Table 2. List of token names and their respective pattern
Full size table
Table 3. List of common behavioural patterns discovered and their token representation
Full size table

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Chew, C.JW., Kumar, V., Patros, P., Malik, R. (2020). ESCAPADE: Encryption-Type-Ransomware: System Call Based Pattern Detection. In: Kutyłowski, M., Zhang, J., Chen, C. (eds) Network and System Security. NSS 2020. Lecture Notes in Computer Science(), vol 12570. Springer, Cham. https://doi.org/10.1007/978-3-030-65745-1_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-65745-1_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65744-4

  • Online ISBN: 978-3-030-65745-1

  • eBook Packages: Computer ScienceComputer Science (R0)

search

Navigation