Ransomware analysis forms a critical aspect of cybersecurity defense mechanisms. The number of ransomware attacks has increased in recent years, affecting sectors including health, education, finance and banking, and e-commerce. Various work has been done via static and dynamic analysis of malware to build the distinguishing characteristics of the malware. Binary code bit-vector analysis, hashing, string extraction, control flow graph based analysis, n-gram analysis and PE header analysis are static techniques used by researchers to study the behavior of malware. Whatever techniques are used, most of them include analysis of the Portable Executable (PE) file of the malware executable. In this paper we propose a PE file analysis technique to study the behavior and characteristics of ransomware. We used the open source PEview program to analyze the PE file of ransomware samples in a safe virtual environment. We also used an open source PE parser tool to obtain the DLLs used by the ransomware. The experiment reveals that the static behaviors of the ransomware can be compiled into a feature database for further analysis, such as machine learning classification techniques to detect ransomware. Feature vectors of both normal and ransomware samples can be created to feed a machine learning model and improve the detection rate.
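The DLL and function extraction the abstract describes, as an added example that is not the paper's own code (the authors used PEview and a separate PE parser tool): a pure-Python walk of the PE32 import directory, with the RVA-to-file-offset mapping done through the section table. The header offsets follow the PE format; the sample image, DLL names and function names are constructed here so the example runs offline, and PE32+ (64-bit) images are not handled.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 image (not a real binary) with an import directory for two DLLs."""
    imports = {"KERNEL32.dll": ["CreateFileW", "WriteFile"], "ADVAPI32.dll": ["CryptEncrypt"]}
    sect_rva, sect_raw = 0x1000, 0x200          # section VirtualAddress / PointerToRawData
    blob, descs = bytearray(), []               # RVA of a byte in blob = sect_rva + its offset
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:                         # IMAGE_IMPORT_BY_NAME: 2-byte hint + NUL-terminated name
            name_rvas.append(sect_rva + len(blob))
            blob += struct.pack("<H", 0) + f.encode() + b"\0"
        thunk_rva = sect_rva + len(blob)        # thunk array, NULL-terminated
        blob += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        dll_rva = sect_rva + len(blob)
        blob += dll.encode() + b"\0"
        descs.append(struct.pack("<IIIII", thunk_rva, 0, 0, dll_rva, thunk_rva))  # IMAGE_IMPORT_DESCRIPTOR
    import_rva = sect_rva + len(blob)
    blob += b"".join(descs) + b"\0" * 20        # all-zero descriptor terminates the table
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)     # i386, 1 section, 224-byte opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # Magic PE32 ... NumberOfRvaAndSizes
    dirs = b"\0" * 8 + struct.pack("<II", import_rva, 20 * (len(descs) + 1)) + b"\0" * (14 * 8)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(blob), sect_rva, len(blob), sect_raw, 0, 0, 0, 0, 0x40000040)
    return bytes((dos + b"PE\0\0" + file_hdr + opt + dirs + sect).ljust(sect_raw, b"\0") + blob)

def parse_imports(data):
    """Return {dll: [imported function names]} by walking the import directory of a PE32 file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                         # e_lfanew -> IMAGE_NT_HEADERS
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    import_rva = struct.unpack_from("<I", data, pe + 24 + 96 + 8)[0]    # DataDirectory[1].VirtualAddress
    secs = [struct.unpack_from("<III", data, pe + 24 + opt_size + 40 * i + 12) for i in range(nsec)]
    def off(rva):                                # RVA -> file offset via the section table
        for va, raw_size, raw_ptr in secs:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")  # packed/damaged samples hit this
    def cstr(o): return data[o:data.index(b"\0", o)].decode("ascii", "replace")
    result, d = {}, off(import_rva)
    while struct.unpack_from("<I", data, d + 12)[0]:                    # Name RVA of 0 ends the table
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, d)
        funcs, t = [], off(oft or ft)            # prefer OriginalFirstThunk (names survive binding)
        while (e := struct.unpack_from("<I", data, t)[0]):
            funcs.append(f"ord#{e & 0xFFFF}" if e & 0x80000000 else cstr(off(e) + 2))
            t += 4
        result[cstr(off(name_rva))] = funcs
        d += 20
    return result
```

The returned DLL/function lists are the raw material for the feature vectors the abstract mentions; on real samples, an import RVA that maps to no section is a common sign of packing or a damaged header and is worth recording as a feature in its own right.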
Ransomware detection, Static analysis, PE analysis, PE parser, DLL, Functions.
THE INTERNATIONAL JOURNAL OF FORENSIC COMPUTER SCIENCE - IJoFCS
Volume 14, Number 1, pages 34-39, DOI: 10.5769/J201901004 or http://dx.doi.org/10.5769/J201901004
PEFile Analysis: A Static Approach To Ransomware Analysis
By Subash Poudyal, Kishor Datta Gupta, Sajib Sen