{"title":"PrincessLocker analysis","authors":"Yassine Lemmou, E. M. Souidi","doi":"10.1109/CyberSecPODS.2017.8074854","DOIUrl":null,"url":null,"abstract":"During the year 2016, ransomware continued to spread panic throughout the world. Kaspersky reported that, between January and September 2016, the rate of ransomware attacks on companies tripled from one every two minutes to one every 40 seconds with more than 62 new families of ransomware emerging. We have encountered Cerber, Locky, PrincessLocker and others. In this work, we present an analysis of PrincessLocker, a form of ransomware that first appeared some time ago and presents victims with the same ransom demand site template as Cerber did. We explain the malware analysis steps we used to characterise the PrincessLocker infection process. We also discuss self-reproduction and over-infection, two major concepts in computer virology theory. Furthermore we compare our own PrincessLocker analysis with the related work of Nolen Scaife et al. on detection of the non-malicious tool CryptoLock (not to be confused with the ransomware CryptoLocker) using behavioral analysis of information exchanges between the software under investigation and the file systems which are being encrypted.","PeriodicalId":203945,"journal":{"name":"2017 International Conference on Cyber Security And Protection Of Digital Services (Cyber Security)","volume":"77 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 International Conference on Cyber Security And Protection Of Digital Services (Cyber Security)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CyberSecPODS.2017.8074854","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 6