Abstract

This ransomware is known as WCRY or WannaCry. It takes advantage of a recently disclosed Microsoft vulnerability (MS17-010, "EternalBlue") coupled with the Shadow Brokers tools release. After a computer is infected, WannaCry targets and encrypts 176 file types, including database files, multimedia and archive files, and Microsoft Office documents. Its ransom note, which supports 27 languages, initially demands US$300 worth of Bitcoin from its victims, an amount that increases incrementally after a set time limit. The victim is also given seven days before the affected files are deleted.

WannaCry consists of multiple components. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within it. Those components include:

- an application that encrypts and decrypts data
- files containing encryption keys
- a copy of Tor

The program code is not obfuscated and was relatively easy for security professionals to analyze. Once launched, WannaCry tries to access a hard-coded URL (the so-called kill switch); if it cannot, it proceeds to search for and encrypt files in a wide range of common formats, from Microsoft Office files to MP3s and MKVs, leaving them completely inaccessible to the user. It then displays a ransom notice demanding payment in Bitcoin to decrypt the files.
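The encryption phase described above (one process rewriting many files of the targeted kinds in a short time) is the behaviour a host-level detector can key on. The following is an added illustration, not code from the paper or from WannaCry: a burst detector run over constructed file-activity log lines. The log format, the process names, the alert thresholds and every file extension beyond the Office, MP3 and MKV types named in the abstract are assumptions made for this example.

```python
"""Heuristic detector for a ransomware-style mass-modification burst.

Added example (not from the paper). Input is a constructed, line-oriented
file-activity log:  <iso-timestamp> host=<h> proc=<p> action=<a> path=<windows path>
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from pathlib import PureWindowsPath

# Categories the abstract names; the concrete extension sets are an assumption
# (a small, illustrative subset, not the 176 types WannaCry targets).
TARGET_EXTENSIONS = {
    "office": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"},
    "database": {".mdb", ".accdb", ".sql", ".sqlite"},
    "multimedia": {".mp3", ".mkv", ".mp4", ".jpg"},
    "archive": {".zip", ".rar", ".7z"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) action=(?P<action>\S+) path=(?P<path>.+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "proc": m["proc"],
        "action": m["action"],
        "path": m["path"],
    }


def category_of(path):
    """Map a file path to one of the targeted categories, or None if not targeted."""
    ext = PureWindowsPath(path).suffix.lower()
    for category, exts in TARGET_EXTENSIONS.items():
        if ext in exts:
            return category
    return None


def detect_mass_modification(lines, window_seconds=60, min_files=20, min_categories=2):
    """Alert once per (host, process) that rewrites >= min_files distinct targeted
    files spanning >= min_categories categories inside a sliding time window.

    Thresholds are assumptions for the example; tune them to the environment.
    """
    events = [e for e in map(parse_line, lines) if e and e["action"] in {"write", "rename"}]
    events.sort(key=lambda e: e["ts"])
    windows = defaultdict(deque)  # (host, proc) -> deque of (ts, path, category)
    alerted = set()
    alerts = []
    for e in events:
        category = category_of(e["path"])
        if category is None:
            continue  # not a targeted file type; ignore
        key = (e["host"], e["proc"])
        q = windows[key]
        q.append((e["ts"], e["path"], category))
        # Drop events that fell out of the sliding window.
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        files = {p for _, p, _ in q}
        categories = {c for _, _, c in q}
        if key not in alerted and len(files) >= min_files and len(categories) >= min_categories:
            alerted.add(key)
            alerts.append({
                "host": e["host"],
                "proc": e["proc"],
                "files": len(files),
                "categories": sorted(categories),
                "first_seen": q[0][0].isoformat(),
            })
    return alerts


def build_sample_log():
    """Constructed sample: a benign editing session plus a 24-file burst."""
    lines = []
    # Benign: a user saving three documents over a few minutes.
    for i in range(3):
        lines.append(f"2017-05-12T09:0{i}:00 host=ws01 proc=winword.exe action=write "
                     f"path=C:\\Users\\alice\\report{i}.docx")
    # Constructed burst: 24 distinct files across all four categories in 24 seconds.
    exts = [".docx", ".xlsx", ".mdb", ".mp3", ".mkv", ".zip"]
    for i in range(24):
        lines.append(f"2017-05-12T10:00:{i:02d} host=ws01 proc=dropper_payload.exe action=write "
                     f"path=C:\\Users\\alice\\Documents\\file{i}{exts[i % len(exts)]}")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_modification(build_sample_log()):
        print(alert)
```

The alert fires on the 20th distinct targeted file inside the window, so the benign editing session (three files, one category) never trips it, while the constructed burst does. A real deployment would feed this from an EDR or file-audit source and pair it with the other observable the abstract mentions, the outbound request to the hard-coded kill-switch URL.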
