SlideShare una empresa de Scribd logo

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware

Sajjad "JJ" Arshad
Sajjad "JJ" Arshad

USENIX Security Symposium Austin, TX, USA, August 2016

Ciencias
1 de 36
Descargar para leer sin conexión
Northeastern University International Secure Systems Lab A Large-Scale, Automated Approach to Detecting Ransomware Amin Kharraz, Sajjad Arshad, Collin Mulliner, William Robertson, Engin Kirda NEU SECLAB
NEU SECLAB What is a ransomware attack? Receiving the decryption key2 Paying the ransom fee1 2
NEU SECLAB 3 A Typical Ransom Note
NEU SECLAB 4 Attacks on Hospitals
NEU SECLAB 5
NEU SECLAB 7
– CNN Interview with FBI, April 2016 “Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers.”
NEU SECLAB 8 How to defend against ransomware attacks? ● Educating end-users - Have a reliable backup policy - Avoid risky online behavior ● Developing detection tools to assist defenders - Providing insight from internal behavior ● Developing protection tools to enhance AV capabilities - Stopping the attack, and keeping the data consistent
NEU SECLAB 8 How to defend against ransomware attacks? ● Educating end-users - Have a reliable backup policy - Avoid risky online behavior ● Developing detection tools to assist defenders - Providing insight from internal behavior ● Developing protection tools to enhance AV capabilities - Stopping the attack, and keeping the data consistent
NEU SECLAB 9 Threat Model ● Ransomware can employ any techniques to attack - Inject code into benign processes - Perform encrypted communication - Leverage arbitrary cryptosystems ● We assume that OS kernel, and underlying software and hardware stack are free of malicious code. ● Unveil detects ransomware during dynamic analysis phase, and not at end-user machines. - Complements current dynamic analysis systems - A cloud-based malware analysis service, sample sharing But, how can we detect a ransomware sample?
NEU SECLAB 10 Achilles’ Heel of Ransomware • Ransomware has to inform victim that attack has taken place • Ransomware has certain behaviors that are predictable – e.g., entropy changes, modal dialogs and background activity, accessing user files • A good sandbox that looks for some of these signs helps here…
NEU SECLAB 10 UNVEIL: An Early Warning Dynamic Detection System for Ransomware
UNVEIL’s Architecture NEU SECLAB 11
NEU SECLAB Approach 12 • Detecting Cryptographic Ransomware: • Generating a fake (and attractive) user environment • Finding a reliable method for monitoring filesystem activity Why do we generate fake user environments? • Making the analysis environment more realistic • Protecting the analysis system from some user environment fingerprinting - A static user environment can be easily detected by a malware
NEU SECLAB Approach 12 • Detecting Cryptographic Ransomware: • Generating a fake (and attractive) user environment • Finding a reliable method for monitoring filesystem activity Why do we generate fake user environments? • Making the analysis environment more realistic • Protecting the analysis system from bare-user environment fingerprinting - A static user environment can be easily detected by a malware How do we generate fake user environments?
NEU SECLAB 13 Generating Fake (Honey) Content • Real files with valid headers – Using standard libraries (e.g., python- docx, python-pptx, OpenSSL) – Content that appears meaningful – File names do not look random, and appear realistic • File paths – User’s directory structure is generated randomly, but meaningfully • File attributes – Generate content with different creation, modification, and access times
User Kernel Content Generator I/O MANAGER UNVEIL NEU SECLAB 15
User Kernel Rfs = <Time,Pname,Pid,PPid,IRPflag,Arg,Result,BufEntropy> I/O MANAGER UNVEIL
NEU SECLAB 17 Extracting I/O Access Sequences (1) Overwrites the users’ file with an encrypted version (2) reads, encrypts and deletes files without wiping them from storage (3) reads, creates a new encrypted version, and securely deletes the original files
NEU SECLAB 18 IO Access Sequences in Multiple Ransomware Families Read Write New File Encrypted version Deleting the Original File New File Encrypted version Secure Deletion
NEU SECLAB 19 Iteration over files during a CryptoWall attack
Desktop Locker Ransomware NEU SECLAB 1 Malware run 2 3 20
Desktop Locker Ransomware NEU SECLAB 20 Dissimilarity Score
NEU SECLAB 21 Preparing the Analysis Environment ● UNVEIL is deployed on top of Cuckoo Sandbox - UNVEIL supports all versions of Windows platforms. - Our tool is deployed in Kernel. - Bypassing UNVEIL is not technically easy in user-mode. ● Finding active malware is not easy - We modified some parts of Cuckoo to make it more resilient to environmentally sensitive samples - e.g., fake response to some of the environment checks - Other anti-evasion measures to look more realistic - e.g., defining multiple NTFS drives, changing IP address range and MAC addresses
NEU SECLAB 22 Evaluation 1) Detecting known ransomware samples a) Collecting ~3500 ransomware from public repo, Anubis, two security companies. b) 149 benign executables including ransomware-like behavior c) 348 malware samples from 36 malware families Ransomware FamiliesBenign Applications
NEU SECLAB 23 Dissimilarity score is different from family to family
NEU SECLAB Detecting known ransomware samples The threshold value t = 0.32 gives the highest recall with 100% precision 24
NEU SECLAB Evaluation UNVEIL with unknown samples 25 . . .56 UNVEIL-enabled VMs on 8 Servers Ganeti Cluster ~ 1200 malware samples per day
NEU SECLAB Evaluation UNVEIL with unknown samples ● We used the same similarity threshold (t = 0.32) for the large scale experiment. ● The incoming samples were acquired from the daily malware feed provided by Anubis from March 18 to February 12, 2016. ● The dataset contained 148,223 distinct samples. 26
NEU SECLAB Cross-checking with VirusTotal 27 ● Pollution ratio is defined as the ratio of the number of scanners that identified the sample to the number of scanners in VirusTotal
NEU SECLAB Detection Results 28
NEU SECLAB Detection: New Ransomware Family 29
NEU SECLAB Detection: New Ransomware Family 30 • During our experiments, we discovered a new malware family – We call it “SilentCrypt” – After we reported it, others started detecting it as well – We were not able to find any information about this family online – The ransomware first checks for private files of a user, contacts the C&C server, and starts the attack based on the answer
NEU SECLAB Detection: New Ransomware Family 31
NEU SECLAB 32 ● Ransomware is a serious threat ● UNVEIL introduces concrete models to detect Ransomware ● Detecting an unknown family shows that the solutions are useful in practice ● We continue to improve functionality tuned towards detecting ransomware Conclusion
NEU SECLAB 34 Thank You

Recomendados

Google Stock Price Forecasting
Google Stock Price ForecastingGoogle Stock Price Forecasting
Google Stock Price ForecastingArkaprava Kundu
 
Introduction to Image Processing:Image Modalities
Introduction to Image Processing:Image ModalitiesIntroduction to Image Processing:Image Modalities
Introduction to Image Processing:Image ModalitiesKalyan Acharjya
 
Deep Learning Tutorial | Deep Learning TensorFlow | Deep Learning With Neural...
Deep Learning Tutorial | Deep Learning TensorFlow | Deep Learning With Neural...Deep Learning Tutorial | Deep Learning TensorFlow | Deep Learning With Neural...
Deep Learning Tutorial | Deep Learning TensorFlow | Deep Learning With Neural...Simplilearn
 
Divide and conquer
Divide and conquerDivide and conquer
Divide and conquerramya marichamy
 
Unit 6: Application of AI
Unit 6: Application of AIUnit 6: Application of AI
Unit 6: Application of AITekendra Nath Yogi
 
Optimal binary search tree
Optimal binary search treeOptimal binary search tree
Optimal binary search treeKavya P
 
House price prediction
House price predictionHouse price prediction
House price predictionKaranseth30
 
P np &amp; np completeness
P np &amp; np completenessP np &amp; np completeness
P np &amp; np completenessAnwal Mirza
 

Recomendados

Google Stock Price Forecasting
Google Stock Price ForecastingGoogle Stock Price Forecasting
Google Stock Price ForecastingArkaprava Kundu
 
Introduction to Image Processing:Image Modalities
Introduction to Image Processing:Image ModalitiesIntroduction to Image Processing:Image Modalities
Introduction to Image Processing:Image ModalitiesKalyan Acharjya
 
Deep Learning Tutorial | Deep Learning TensorFlow | Deep Learning With Neural...
Deep Learning Tutorial | Deep Learning TensorFlow | Deep Learning With Neural...Deep Learning Tutorial | Deep Learning TensorFlow | Deep Learning With Neural...
Deep Learning Tutorial | Deep Learning TensorFlow | Deep Learning With Neural...Simplilearn
 
Divide and conquer
Divide and conquerDivide and conquer
Divide and conquerramya marichamy
 
Unit 6: Application of AI
Unit 6: Application of AIUnit 6: Application of AI
Unit 6: Application of AITekendra Nath Yogi
 
Optimal binary search tree
Optimal binary search treeOptimal binary search tree
Optimal binary search treeKavya P
 
House price prediction
House price predictionHouse price prediction
House price predictionKaranseth30
 
P np &amp; np completeness
P np &amp; np completenessP np &amp; np completeness
P np &amp; np completenessAnwal Mirza
 
Stock Market Prediction
Stock Market Prediction Stock Market Prediction
Stock Market Prediction SalmanShezad
 
Randomized Algorithm
Randomized Algorithm Randomized Algorithm
Randomized Algorithm Sanjeev Kumar Jaiswal
 
Open source CMS tool for web based job portal and recruitment system Thesis
Open source CMS tool for web based job portal and recruitment system ThesisOpen source CMS tool for web based job portal and recruitment system Thesis
Open source CMS tool for web based job portal and recruitment system ThesisArjun Rajeswaran
 
House Sale Price Prediction
House Sale Price PredictionHouse Sale Price Prediction
House Sale Price Predictionsriram30691
 
COMPILER DESIGN- Syntax Directed Translation
COMPILER DESIGN- Syntax Directed TranslationCOMPILER DESIGN- Syntax Directed Translation
COMPILER DESIGN- Syntax Directed TranslationJyothishmathi Institute of Technology and Science Karimnagar
 
Image Processing with OpenCV
Image Processing with OpenCVImage Processing with OpenCV
Image Processing with OpenCVdebayanin
 
Image proceesing with matlab
Image proceesing with matlabImage proceesing with matlab
Image proceesing with matlabAshutosh Shahi
 
Image processing on matlab presentation
Image processing on matlab presentationImage processing on matlab presentation
Image processing on matlab presentationNaatchammai Ramanathan
 
Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2
Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2
Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2Kirill Eremenko
 
Do you trust your artificial intelligence system?
Do you trust your artificial intelligence system?Do you trust your artificial intelligence system?
Do you trust your artificial intelligence system?Facultad de Informática UCM
 
Biometric presentation attack detection
Biometric presentation attack detectionBiometric presentation attack detection
Biometric presentation attack detectionGautam Saxena
 
Unit 3 – AIML.pptx
Unit 3 – AIML.pptxUnit 3 – AIML.pptx
Unit 3 – AIML.pptxhiblooms
 
Deep Learning - Overview of my work II
Deep Learning - Overview of my work IIDeep Learning - Overview of my work II
Deep Learning - Overview of my work IIMohamed Loey
 
Predicting house prices_Regression
Predicting house prices_RegressionPredicting house prices_Regression
Predicting house prices_RegressionSruti Jain
 
Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1
Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1
Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1Kirill Eremenko
 
point operations in image processing
point operations in image processingpoint operations in image processing
point operations in image processingRamachendran Logarajah
 
Employee Management System using c++ ppt.pptx
Employee Management System using c++ ppt.pptxEmployee Management System using c++ ppt.pptx
Employee Management System using c++ ppt.pptxDevikaSahu14
 
digital image processing, image processing
digital image processing, image processingdigital image processing, image processing
digital image processing, image processingKalyan Acharjya
 
Setting Artificial Neural Networks parameters
Setting Artificial Neural Networks parametersSetting Artificial Neural Networks parameters
Setting Artificial Neural Networks parametersMadhumita Tamhane
 
PPT4: Frameworks & Libraries of Machine Learning & Deep Learning
PPT4: Frameworks & Libraries of Machine Learning & Deep Learning PPT4: Frameworks & Libraries of Machine Learning & Deep Learning
PPT4: Frameworks & Libraries of Machine Learning & Deep Learning akira-ai
 
Wie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenWie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenSplunk
 
Best Practice to Fight with Ransomware................
Best Practice to Fight with Ransomware................Best Practice to Fight with Ransomware................
Best Practice to Fight with Ransomware................Bhairave Maulekhi
 

Más contenido relacionado

La actualidad más candente

Stock Market Prediction
Stock Market Prediction Stock Market Prediction
Stock Market Prediction SalmanShezad
 
Open source CMS tool for web based job portal and recruitment system Thesis
Open source CMS tool for web based job portal and recruitment system ThesisOpen source CMS tool for web based job portal and recruitment system Thesis
Open source CMS tool for web based job portal and recruitment system ThesisArjun Rajeswaran
 
House Sale Price Prediction
House Sale Price PredictionHouse Sale Price Prediction
House Sale Price Predictionsriram30691
 
Image Processing with OpenCV
Image Processing with OpenCVImage Processing with OpenCV
Image Processing with OpenCVdebayanin
 
Image proceesing with matlab
Image proceesing with matlabImage proceesing with matlab
Image proceesing with matlabAshutosh Shahi
 
Image processing on matlab presentation
Image processing on matlab presentationImage processing on matlab presentation
Image processing on matlab presentationNaatchammai Ramanathan
 
Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2
Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2
Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2Kirill Eremenko
 
Biometric presentation attack detection
Biometric presentation attack detectionBiometric presentation attack detection
Biometric presentation attack detectionGautam Saxena
 
Unit 3 – AIML.pptx
Unit 3 – AIML.pptxUnit 3 – AIML.pptx
Unit 3 – AIML.pptxhiblooms
 
Deep Learning - Overview of my work II
Deep Learning - Overview of my work IIDeep Learning - Overview of my work II
Deep Learning - Overview of my work IIMohamed Loey
 
Predicting house prices_Regression
Predicting house prices_RegressionPredicting house prices_Regression
Predicting house prices_RegressionSruti Jain
 
Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1
Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1
Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1Kirill Eremenko
 
Employee Management System using c++ ppt.pptx
Employee Management System using c++ ppt.pptxEmployee Management System using c++ ppt.pptx
Employee Management System using c++ ppt.pptxDevikaSahu14
 
digital image processing, image processing
digital image processing, image processingdigital image processing, image processing
digital image processing, image processingKalyan Acharjya
 
Setting Artificial Neural Networks parameters
Setting Artificial Neural Networks parametersSetting Artificial Neural Networks parameters
Setting Artificial Neural Networks parametersMadhumita Tamhane
 
PPT4: Frameworks & Libraries of Machine Learning & Deep Learning
PPT4: Frameworks & Libraries of Machine Learning & Deep Learning PPT4: Frameworks & Libraries of Machine Learning & Deep Learning
PPT4: Frameworks & Libraries of Machine Learning & Deep Learning akira-ai
 

La actualidad más candente (20)

Stock Market Prediction
Stock Market Prediction Stock Market Prediction
Stock Market Prediction
 
Randomized Algorithm
Randomized Algorithm Randomized Algorithm
Randomized Algorithm
 
Open source CMS tool for web based job portal and recruitment system Thesis
Open source CMS tool for web based job portal and recruitment system ThesisOpen source CMS tool for web based job portal and recruitment system Thesis
Open source CMS tool for web based job portal and recruitment system Thesis
 
House Sale Price Prediction
House Sale Price PredictionHouse Sale Price Prediction
House Sale Price Prediction
 
COMPILER DESIGN- Syntax Directed Translation
COMPILER DESIGN- Syntax Directed TranslationCOMPILER DESIGN- Syntax Directed Translation
COMPILER DESIGN- Syntax Directed Translation
 
Image Processing with OpenCV
Image Processing with OpenCVImage Processing with OpenCV
Image Processing with OpenCV
 
Image proceesing with matlab
Image proceesing with matlabImage proceesing with matlab
Image proceesing with matlab
 
Image processing on matlab presentation
Image processing on matlab presentationImage processing on matlab presentation
Image processing on matlab presentation
 
Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2
Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2
Deep Learning A-Z™: Convolutional Neural Networks (CNN) - Module 2
 
Do you trust your artificial intelligence system?
Do you trust your artificial intelligence system?Do you trust your artificial intelligence system?
Do you trust your artificial intelligence system?
 
Biometric presentation attack detection
Biometric presentation attack detectionBiometric presentation attack detection
Biometric presentation attack detection
 
Unit 3 – AIML.pptx
Unit 3 – AIML.pptxUnit 3 – AIML.pptx
Unit 3 – AIML.pptx
 
Deep Learning - Overview of my work II
Deep Learning - Overview of my work IIDeep Learning - Overview of my work II
Deep Learning - Overview of my work II
 
Predicting house prices_Regression
Predicting house prices_RegressionPredicting house prices_Regression
Predicting house prices_Regression
 
Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1
Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1
Deep Learning A-Z™: Artificial Neural Networks (ANN) - Module 1
 
point operations in image processing
point operations in image processingpoint operations in image processing
point operations in image processing
 
Employee Management System using c++ ppt.pptx
Employee Management System using c++ ppt.pptxEmployee Management System using c++ ppt.pptx
Employee Management System using c++ ppt.pptx
 
digital image processing, image processing
digital image processing, image processingdigital image processing, image processing
digital image processing, image processing
 
Setting Artificial Neural Networks parameters
Setting Artificial Neural Networks parametersSetting Artificial Neural Networks parameters
Setting Artificial Neural Networks parameters
 
PPT4: Frameworks & Libraries of Machine Learning & Deep Learning
PPT4: Frameworks & Libraries of Machine Learning & Deep Learning PPT4: Frameworks & Libraries of Machine Learning & Deep Learning
PPT4: Frameworks & Libraries of Machine Learning & Deep Learning
 

Similar a UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware

Wie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenWie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenSplunk
 
Best Practice to Fight with Ransomware................
Best Practice to Fight with Ransomware................Best Practice to Fight with Ransomware................
Best Practice to Fight with Ransomware................Bhairave Maulekhi
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Get Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationGet Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationSecurity Innovation
 
The Modern Malware Review March 2013
The Modern Malware Review March 2013The Modern Malware Review March 2013
The Modern Malware Review March 2013- Mark - Fullbright
 
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Lastline, Inc.
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Icacci presentation-isi-ransomware
Icacci presentation-isi-ransomwareIcacci presentation-isi-ransomware
Icacci presentation-isi-ransomwarevinaykumar R
 
SplunkLive Auckland 2015 - Splunk for Security
SplunkLive Auckland 2015 - Splunk for SecuritySplunkLive Auckland 2015 - Splunk for Security
SplunkLive Auckland 2015 - Splunk for SecuritySplunk
 
SplunkLive Wellington 2015 - Splunk for Security
SplunkLive Wellington 2015 - Splunk for SecuritySplunkLive Wellington 2015 - Splunk for Security
SplunkLive Wellington 2015 - Splunk for SecuritySplunk
 
Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010Agora Group
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksAlienVault
 
Top 13 hacking software for beginners.pdf
Top 13 hacking software for beginners.pdfTop 13 hacking software for beginners.pdf
Top 13 hacking software for beginners.pdfDipak Tiwari
 
Metasploit Computer security testing tool
Metasploit Computer security testing toolMetasploit Computer security testing tool
Metasploit Computer security testing toolmedoelkang600
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptxFunctional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptxtarkovtarkovski
 
Advanced Threat Defense Intel Security
Advanced Threat Defense Intel SecurityAdvanced Threat Defense Intel Security
Advanced Threat Defense Intel Securityxband
 
Advanced Threat Protection - Sandboxing 101
Advanced Threat Protection - Sandboxing 101Advanced Threat Protection - Sandboxing 101
Advanced Threat Protection - Sandboxing 101Blue Coat
 

Similar a UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware (20)

Wie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenWie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen können
 
Best Practice to Fight with Ransomware................
Best Practice to Fight with Ransomware................Best Practice to Fight with Ransomware................
Best Practice to Fight with Ransomware................
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Get Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationGet Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and Organization
 
The Modern Malware Review March 2013
The Modern Malware Review March 2013The Modern Malware Review March 2013
The Modern Malware Review March 2013
 
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
Icacci presentation-isi-ransomware
Icacci presentation-isi-ransomwareIcacci presentation-isi-ransomware
Icacci presentation-isi-ransomware
 
SplunkLive Auckland 2015 - Splunk for Security
SplunkLive Auckland 2015 - Splunk for SecuritySplunkLive Auckland 2015 - Splunk for Security
SplunkLive Auckland 2015 - Splunk for Security
 
SplunkLive Wellington 2015 - Splunk for Security
SplunkLive Wellington 2015 - Splunk for SecuritySplunkLive Wellington 2015 - Splunk for Security
SplunkLive Wellington 2015 - Splunk for Security
 
Splunk for Security
Splunk for SecuritySplunk for Security
Splunk for Security
 
Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010
 
The modern-malware-review-march-2013
The modern-malware-review-march-2013 The modern-malware-review-march-2013
The modern-malware-review-march-2013
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
 
Top 13 hacking software for beginners.pdf
Top 13 hacking software for beginners.pdfTop 13 hacking software for beginners.pdf
Top 13 hacking software for beginners.pdf
 
Metasploit Computer security testing tool
Metasploit Computer security testing toolMetasploit Computer security testing tool
Metasploit Computer security testing tool
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptxFunctional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
 
Advanced Threat Defense Intel Security
Advanced Threat Defense Intel SecurityAdvanced Threat Defense Intel Security
Advanced Threat Defense Intel Security
 
Advanced Threat Protection - Sandboxing 101
Advanced Threat Protection - Sandboxing 101Advanced Threat Protection - Sandboxing 101
Advanced Threat Protection - Sandboxing 101
 

Más de Sajjad "JJ" Arshad

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...Sajjad "JJ" Arshad
 
Large-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path OverwriteLarge-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path OverwriteSajjad "JJ" Arshad
 
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted AdsTracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted AdsSajjad "JJ" Arshad
 
How Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSocketsHow Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSocketsSajjad "JJ" Arshad
 
Practical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow IntegrityPractical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow IntegritySajjad "JJ" Arshad
 
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Sajjad "JJ" Arshad
 
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content ProvenanceIdentifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content ProvenanceSajjad "JJ" Arshad
 
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...Sajjad "JJ" Arshad
 
A Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt StandardA Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt StandardSajjad "JJ" Arshad
 
How Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSocketsHow Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSocketsSajjad "JJ" Arshad
 
"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation Networks"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation NetworksSajjad "JJ" Arshad
 
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsInclude Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsSajjad "JJ" Arshad
 
On the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow IntegrityOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow IntegritySajjad "JJ" Arshad
 

Más de Sajjad "JJ" Arshad (16)

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the Wild
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the Wild
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the Wild
 
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
 
Large-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path OverwriteLarge-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path Overwrite
 
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted AdsTracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
 
How Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSocketsHow Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSockets
 
Practical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow IntegrityPractical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow Integrity
 
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
 
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content ProvenanceIdentifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
 
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
 
A Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt StandardA Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt Standard
 
How Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSocketsHow Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSockets
 
"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation Networks"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation Networks
 
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsInclude Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
 
On the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow IntegrityOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow Integrity
 

Último

Introduction of Organ-On-A-Chip - Creative Biolabs
Introduction of Organ-On-A-Chip - Creative BiolabsIntroduction of Organ-On-A-Chip - Creative Biolabs
Introduction of Organ-On-A-Chip - Creative BiolabsCreative-Biolabs
 
3.-Acknowledgment-Dedication-Abstract.docx
3.-Acknowledgment-Dedication-Abstract.docx3.-Acknowledgment-Dedication-Abstract.docx
3.-Acknowledgment-Dedication-Abstract.docxUlahVanessaBasa
 
CHROMATOGRAPHY PALLAVI RAWAT.pptx
CHROMATOGRAPHY PALLAVI RAWAT.pptxCHROMATOGRAPHY PALLAVI RAWAT.pptx
CHROMATOGRAPHY PALLAVI RAWAT.pptxpallavirawat456
 
ESSENTIAL FEATURES REQUIRED FOR ESTABLISHING FOUR TYPES OF BIOSAFETY LABORATO...
ESSENTIAL FEATURES REQUIRED FOR ESTABLISHING FOUR TYPES OF BIOSAFETY LABORATO...ESSENTIAL FEATURES REQUIRED FOR ESTABLISHING FOUR TYPES OF BIOSAFETY LABORATO...
ESSENTIAL FEATURES REQUIRED FOR ESTABLISHING FOUR TYPES OF BIOSAFETY LABORATO...Chayanika Das
 
Think Science: What Are Eclipses (101), by Craig Bobchin
Think Science: What Are Eclipses (101), by Craig BobchinThink Science: What Are Eclipses (101), by Craig Bobchin
Think Science: What Are Eclipses (101), by Craig BobchinNathan Cone
 
DNA isolation molecular biology practical.pptx
DNA isolation molecular biology practical.pptxDNA isolation molecular biology practical.pptx
DNA isolation molecular biology practical.pptxGiDMOh
 
Harry Coumnas Thinks That Human Teleportation May Ensure Humanity's Survival
Harry Coumnas Thinks That Human Teleportation May Ensure Humanity's SurvivalHarry Coumnas Thinks That Human Teleportation May Ensure Humanity's Survival
Harry Coumnas Thinks That Human Teleportation May Ensure Humanity's Survivalkevin8smith
 
Advances in AI-driven Image Recognition for Early Detection of Cancer
Advances in AI-driven Image Recognition for Early Detection of CancerAdvances in AI-driven Image Recognition for Early Detection of Cancer
Advances in AI-driven Image Recognition for Early Detection of CancerLuis Miguel Chong Chong
 
Interpreting SDSS extragalactic data in the era of JWST
Interpreting SDSS extragalactic data in the era of JWSTInterpreting SDSS extragalactic data in the era of JWST
Interpreting SDSS extragalactic data in the era of JWSTAlexander F. Mayer
 
Environmental Acoustics- Speech interference level, acoustics calibrator.pptx
Environmental Acoustics- Speech interference level, acoustics calibrator.pptxEnvironmental Acoustics- Speech interference level, acoustics calibrator.pptx
Environmental Acoustics- Speech interference level, acoustics calibrator.pptxpriyankatabhane
 
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep LearningCombining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learningvschiavoni
 
FBI Profiling - Forensic Psychology.pptx
FBI Profiling - Forensic Psychology.pptxFBI Profiling - Forensic Psychology.pptx
FBI Profiling - Forensic Psychology.pptxPayal Shrivastava
 
The Sensory Organs, Anatomy and Function
The Sensory Organs, Anatomy and FunctionThe Sensory Organs, Anatomy and Function
The Sensory Organs, Anatomy and FunctionJadeNovelo1
 
Telephone Traffic Engineering Online Lec
Telephone Traffic Engineering Online LecTelephone Traffic Engineering Online Lec
Telephone Traffic Engineering Online Lecfllcampolet
 
LAMP PCR.pptx by Dr. Chayanika Das, Ph.D, Veterinary Microbiology
LAMP PCR.pptx by Dr. Chayanika Das, Ph.D, Veterinary MicrobiologyLAMP PCR.pptx by Dr. Chayanika Das, Ph.D, Veterinary Microbiology
LAMP PCR.pptx by Dr. Chayanika Das, Ph.D, Veterinary MicrobiologyChayanika Das
 
Abnormal LFTs rate of deco and NAFLD.pptx
Abnormal LFTs rate of deco and NAFLD.pptxAbnormal LFTs rate of deco and NAFLD.pptx
Abnormal LFTs rate of deco and NAFLD.pptxzeus70441
 
Q4-Mod-1c-Quiz-Projectile-333344444.pptx
Q4-Mod-1c-Quiz-Projectile-333344444.pptxQ4-Mod-1c-Quiz-Projectile-333344444.pptx
Q4-Mod-1c-Quiz-Projectile-333344444.pptxtuking87
 

Último (20)

Introduction of Organ-On-A-Chip - Creative Biolabs
Introduction of Organ-On-A-Chip - Creative BiolabsIntroduction of Organ-On-A-Chip - Creative Biolabs
Introduction of Organ-On-A-Chip - Creative Biolabs
 
3.-Acknowledgment-Dedication-Abstract.docx
3.-Acknowledgment-Dedication-Abstract.docx3.-Acknowledgment-Dedication-Abstract.docx
3.-Acknowledgment-Dedication-Abstract.docx
 
Interferons.pptx.
Interferons.pptx.Interferons.pptx.
Interferons.pptx.
 
CHROMATOGRAPHY PALLAVI RAWAT.pptx
CHROMATOGRAPHY PALLAVI RAWAT.pptxCHROMATOGRAPHY PALLAVI RAWAT.pptx
CHROMATOGRAPHY PALLAVI RAWAT.pptx
 
ESSENTIAL FEATURES REQUIRED FOR ESTABLISHING FOUR TYPES OF BIOSAFETY LABORATO...
ESSENTIAL FEATURES REQUIRED FOR ESTABLISHING FOUR TYPES OF BIOSAFETY LABORATO...ESSENTIAL FEATURES REQUIRED FOR ESTABLISHING FOUR TYPES OF BIOSAFETY LABORATO...
ESSENTIAL FEATURES REQUIRED FOR ESTABLISHING FOUR TYPES OF BIOSAFETY LABORATO...
 
Introduction Classification Of Alkaloids
Introduction Classification Of AlkaloidsIntroduction Classification Of Alkaloids
Introduction Classification Of Alkaloids
 
Think Science: What Are Eclipses (101), by Craig Bobchin
Think Science: What Are Eclipses (101), by Craig BobchinThink Science: What Are Eclipses (101), by Craig Bobchin
Think Science: What Are Eclipses (101), by Craig Bobchin
 
DNA isolation molecular biology practical.pptx
DNA isolation molecular biology practical.pptxDNA isolation molecular biology practical.pptx
DNA isolation molecular biology practical.pptx
 
Harry Coumnas Thinks That Human Teleportation May Ensure Humanity's Survival
Harry Coumnas Thinks That Human Teleportation May Ensure Humanity's SurvivalHarry Coumnas Thinks That Human Teleportation May Ensure Humanity's Survival
Harry Coumnas Thinks That Human Teleportation May Ensure Humanity's Survival
 
Advances in AI-driven Image Recognition for Early Detection of Cancer
Advances in AI-driven Image Recognition for Early Detection of CancerAdvances in AI-driven Image Recognition for Early Detection of Cancer
Advances in AI-driven Image Recognition for Early Detection of Cancer
 
Interpreting SDSS extragalactic data in the era of JWST
Interpreting SDSS extragalactic data in the era of JWSTInterpreting SDSS extragalactic data in the era of JWST
Interpreting SDSS extragalactic data in the era of JWST
 
Environmental Acoustics- Speech interference level, acoustics calibrator.pptx
Environmental Acoustics- Speech interference level, acoustics calibrator.pptxEnvironmental Acoustics- Speech interference level, acoustics calibrator.pptx
Environmental Acoustics- Speech interference level, acoustics calibrator.pptx
 
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep LearningCombining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
 
FBI Profiling - Forensic Psychology.pptx
FBI Profiling - Forensic Psychology.pptxFBI Profiling - Forensic Psychology.pptx
FBI Profiling - Forensic Psychology.pptx
 
The Sensory Organs, Anatomy and Function
The Sensory Organs, Anatomy and FunctionThe Sensory Organs, Anatomy and Function
The Sensory Organs, Anatomy and Function
 
PLASMODIUM. PPTX
PLASMODIUM. PPTXPLASMODIUM. PPTX
PLASMODIUM. PPTX
 
Telephone Traffic Engineering Online Lec
Telephone Traffic Engineering Online LecTelephone Traffic Engineering Online Lec
Telephone Traffic Engineering Online Lec
 
LAMP PCR.pptx by Dr. Chayanika Das, Ph.D, Veterinary Microbiology
LAMP PCR.pptx by Dr. Chayanika Das, Ph.D, Veterinary MicrobiologyLAMP PCR.pptx by Dr. Chayanika Das, Ph.D, Veterinary Microbiology
LAMP PCR.pptx by Dr. Chayanika Das, Ph.D, Veterinary Microbiology
 
Abnormal LFTs rate of deco and NAFLD.pptx
Abnormal LFTs rate of deco and NAFLD.pptxAbnormal LFTs rate of deco and NAFLD.pptx
Abnormal LFTs rate of deco and NAFLD.pptx
 
Q4-Mod-1c-Quiz-Projectile-333344444.pptx
Q4-Mod-1c-Quiz-Projectile-333344444.pptxQ4-Mod-1c-Quiz-Projectile-333344444.pptx
Q4-Mod-1c-Quiz-Projectile-333344444.pptx
 

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware

  • 1. Northeastern University International Secure Systems Lab A Large-Scale, Automated Approach to Detecting Ransomware Amin Kharraz, Sajjad Arshad, Collin Mulliner, William Robertson, Engin Kirda NEU SECLAB
  • 2. NEU SECLAB What is a ransomware attack? Receiving the decryption key2 Paying the ransom fee1 2
  • 7. – CNN Interview with FBI, April 2016 “Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers.”
  • 8. NEU SECLAB 8 How to defend against ransomware attacks? ● Educating end-users - Have a reliable backup policy - Avoid risky online behavior ● Developing detection tools to assist defenders - Providing insight from internal behavior ● Developing protection tools to enhance AV capabilities - Stopping the attack, and keeping the data consistent
  • 9. NEU SECLAB 8 How to defend against ransomware attacks? ● Educating end-users - Have a reliable backup policy - Avoid risky online behavior ● Developing detection tools to assist defenders - Providing insight from internal behavior ● Developing protection tools to enhance AV capabilities - Stopping the attack, and keeping the data consistent
  • 10. NEU SECLAB 9 Threat Model ● Ransomware can employ any techniques to attack - Inject code into benign processes - Perform encrypted communication - Leverage arbitrary cryptosystems ● We assume that OS kernel, and underlying software and hardware stack are free of malicious code. ● Unveil detects ransomware during dynamic analysis phase, and not at end-user machines. - Complements current dynamic analysis systems - A cloud-based malware analysis service, sample sharing But, how can we detect a ransomware sample?
  • 11. NEU SECLAB 10 Achilles’ Heel of Ransomware • Ransomware has to inform victim that attack has taken place • Ransomware has certain behaviors that are predictable – e.g., entropy changes, modal dialogs and background activity, accessing user files • A good sandbox that looks for some of these signs helps here…
  • 12. NEU SECLAB 10 UNVEIL: An Early Warning Dynamic Detection System for Ransomware
  • 14. NEU SECLAB Approach 12 • Detecting Cryptographic Ransomware: • Generating a fake (and attractive) user environment • Finding a reliable method for monitoring filesystem activity Why do we generate fake user environments? • Making the analysis environment more realistic • Protecting the analysis system from some user environment fingerprinting - A static user environment can be easily detected by a malware
  • 15. NEU SECLAB Approach 12 • Detecting Cryptographic Ransomware: • Generating a fake (and attractive) user environment • Finding a reliable method for monitoring filesystem activity Why do we generate fake user environments? • Making the analysis environment more realistic • Protecting the analysis system from bare-user environment fingerprinting - A static user environment can be easily detected by a malware How do we generate fake user environments?
  • 16. NEU SECLAB 13 Generating Fake (Honey) Content • Real files with valid headers – Using standard libraries (e.g., python- docx, python-pptx, OpenSSL) – Content that appears meaningful – File names do not look random, and appear realistic • File paths – User’s directory structure is generated randomly, but meaningfully • File attributes – Generate content with different creation, modification, and access times
  • 19. NEU SECLAB 17 Extracting I/O Access Sequences (1) Overwrites the users’ file with an encrypted version (2) reads, encrypts and deletes files without wiping them from storage (3) reads, creates a new encrypted version, and securely deletes the original files
  • 20. NEU SECLAB 18 IO Access Sequences in Multiple Ransomware Families Read Write New File Encrypted version Deleting the Original File New File Encrypted version Secure Deletion
  • 21. NEU SECLAB 19 Iteration over files during a CryptoWall attack
  • 22. Desktop Locker Ransomware NEU SECLAB 1 Malware run 2 3 20
  • 23. Desktop Locker Ransomware NEU SECLAB 20 Dissimilarity Score
  • 24. NEU SECLAB 21 Preparing the Analysis Environment ● UNVEIL is deployed on top of Cuckoo Sandbox - UNVEIL supports all versions of Windows platforms. - Our tool is deployed in Kernel. - Bypassing UNVEIL is not technically easy in user-mode. ● Finding active malware is not easy - We modified some parts of Cuckoo to make it more resilient to environmentally sensitive samples - e.g., fake response to some of the environment checks - Other anti-evasion measures to look more realistic - e.g., defining multiple NTFS drives, changing IP address range and MAC addresses
  • 25. NEU SECLAB 22 Evaluation 1) Detecting known ransomware samples a) Collecting ~3500 ransomware from public repo, Anubis, two security companies. b) 149 benign executables including ransomware-like behavior c) 348 malware samples from 36 malware families Ransomware FamiliesBenign Applications
  • 26. NEU SECLAB 23 Dissimilarity score is different from family to family
  • 27. NEU SECLAB Detecting known ransomware samples The threshold value t = 0.32 gives the highest recall with 100% precision 24
  • 28. NEU SECLAB Evaluation UNVEIL with unknown samples 25 . . .56 UNVEIL-enabled VMs on 8 Servers Ganeti Cluster ~ 1200 malware samples per day
  • 29. NEU SECLAB Evaluation UNVEIL with unknown samples ● We used the same similarity threshold (t = 0.32) for the large scale experiment. ● The incoming samples were acquired from the daily malware feed provided by Anubis from March 18 to February 12, 2016. ● The dataset contained 148,223 distinct samples. 26
  • 30. NEU SECLAB Cross-checking with VirusTotal 27 ● Pollution ratio is defined as the ratio of the number of scanners that identified the sample to the number of scanners in VirusTotal
  • 32. NEU SECLAB Detection: New Ransomware Family 29
  • 33. NEU SECLAB Detection: New Ransomware Family 30 • During our experiments, we discovered a new malware family – We call it “SilentCrypt” – After we reported it, others started detecting it as well – We were not able to find any information about this family online – The ransomware first checks for private files of a user, contacts the C&C server, and starts the attack based on the answer
  • 34. NEU SECLAB Detection: New Ransomware Family 31
  • 35. NEU SECLAB 32 ● Ransomware is a serious threat ● UNVEIL introduces concrete models to detect Ransomware ● Detecting an unknown family shows that the solutions are useful in practice ● We continue to improve functionality tuned towards detecting ransomware Conclusion