Abstract
Ransomware attacks are increasing both in Korea and abroad, and the damage they cause is growing with them. This study develops a decryption tool for a recent ransomware family, BianLian, by analyzing its characteristics. BianLian uses hardware-accelerated AES-256-CBC (Cipher Block Chaining) for file encryption and uses Go goroutines to take over a system faster than earlier ransomware. After encrypting files it deletes its own executable and zeroes its memory, which obstructs recovery of the encryption Key and IV (Initialization Vector); together these traits greatly increase the likelihood of permanent data loss for victims. In this study we analyze BianLian's operating principle and encryption process in detail through reverse engineering. Based on this analysis, we propose a method to detect BianLian's execution and to extract the Key and IV used for encryption from memory in order to recover the infected files. Experimental results show that the decryption tool developed in this study overcomes the limitation of existing tools, which can only decrypt once a Key and IV have already been obtained by other means. By exploiting BianLian's own characteristics, the tool also recovers files three times faster than existing tools, providing an effective countermeasure against this ransomware.
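The recovery idea in the abstract, key and IV pulled from process memory and then used for AES-256-CBC decryption, can be illustrated with a small Go program, since BianLian itself is written in Go. The code below is an added example and is not the paper's tool, nor BianLian's code: it builds a constructed "memory image" with a random key buried in random filler, encrypts a sample file whose first 32 bytes are a constructed header, and then recovers the key by sliding a 32-byte window over the image and validating each candidate with a known-plaintext check on the second CBC block (which does not depend on the IV); the IV is then derived from the first block. The scanning method, the function names (RecoverKeyIV, ZeroKeyInMemory, BuildScenario) and the assumption that at least 32 bytes of a file's plaintext are predictable are all assumptions of this example, not details taken from the paper. It also shows the failure mode the abstract stresses: once the key has been zeroed in memory, the same scan finds nothing, so the memory must be captured while the encryption process is still live.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen, bs = 32, aes.BlockSize // AES-256 key size and AES block size

// KnownHeader is a constructed 32-byte header: two full blocks of predictable plaintext.
var KnownHeader = []byte("SAMPLEFMT v1.0 header 32 bytes!!")

// RecoverKeyIV slides a 32-byte window over a memory image and tries each window
// as the AES-256 key. In CBC, P1 = D_k(C1) XOR C0 involves no IV, so the second
// block validates a candidate key; the IV then follows as IV = D_k(C0) XOR P0.
func RecoverKeyIV(mem, ciphertext, known []byte) (key, iv []byte, err error) {
	if len(known) < 2*bs || len(ciphertext) < 2*bs {
		return nil, nil, errors.New("need two blocks of ciphertext and known plaintext")
	}
	c0, c1, p0, p1 := ciphertext[:bs], ciphertext[bs:2*bs], known[:bs], known[bs:2*bs]
	tmp := make([]byte, bs)
	for off := 0; off+keyLen <= len(mem); off++ {
		block, err := aes.NewCipher(mem[off : off+keyLen])
		if err != nil {
			return nil, nil, err
		}
		block.Decrypt(tmp, c1)
		if !bytes.Equal(xorBlocks(tmp, c0), p1) {
			continue // this window is not the key
		}
		block.Decrypt(tmp, c0)
		return append([]byte{}, mem[off:off+keyLen]...), xorBlocks(tmp, p0), nil
	}
	return nil, nil, errors.New("no key candidate matched: the key may already have been zeroed")
}

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// DecryptCBC restores a file once key and IV are known (whole blocks only; padding is left out of this model).
func DecryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%bs != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return out, nil
}

// ZeroKeyInMemory models the post-encryption memory zeroing: every copy of the key becomes zeros (returns a copy).
func ZeroKeyInMemory(mem, key []byte) []byte {
	out := append([]byte{}, mem...)
	for i := bytes.Index(out, key); i >= 0; i = bytes.Index(out, key) {
		copy(out[i:i+len(key)], make([]byte, len(key)))
	}
	return out
}

// BuildScenario constructs a toy infection: random key and IV, one file starting with KnownHeader
// encrypted under AES-256-CBC (stand-in for the ransomware's routine), and a 4 KiB image holding the key.
func BuildScenario() (mem, ciphertext, key, iv, plaintext []byte) {
	key, iv, mem = make([]byte, keyLen), make([]byte, bs), make([]byte, 4096)
	for _, b := range [][]byte{key, iv, mem} {
		if _, err := rand.Read(b); err != nil {
			panic(err)
		}
	}
	copy(mem[1337:], key) // arbitrary heap-like offset where the live key sits
	plaintext = append(append([]byte{}, KnownHeader...), []byte("victim file body")...)
	block, _ := aes.NewCipher(key) // key length is fixed above, so no error
	ciphertext = make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, plaintext)
	return mem, ciphertext, key, iv, plaintext
}

func main() {
	mem, ct, _, _, pt := BuildScenario()
	key, iv, err := RecoverKeyIV(mem, ct, KnownHeader)
	if err != nil {
		panic(err)
	}
	got, _ := DecryptCBC(key, iv, ct)
	fmt.Printf("key=%x iv=%x plaintext restored=%v\n", key, iv, bytes.Equal(got, pt))
	_, _, err = RecoverKeyIV(ZeroKeyInMemory(mem, key), ct, KnownHeader)
	fmt.Println("after zeroing:", err)
}
```

The trial-decryption scan costs one AES key setup per byte offset of the image, which is fine for a single process dump but slow for a full physical-memory capture; production key finders usually look for the expanded AES key schedule instead, and that is one place where a tool tailored to a specific family, as the paper describes, can be much faster than a generic scan.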
| Translated title of the contribution | A Study on the Decryption of Bianlian Ransomware through Reverse Engineering |
|---|---|
| Original language | Korean |
| Pages (from-to) | 135-145 |
| Number of pages | 11 |
| Journal | 디지털포렌식연구 (Journal of Digital Forensics) |
| Volume | 17 |
| Issue number | 3 |
| DOIs | |
| State | Published - 2023 |