Advanced Ransomware Analysis and Detection

Abstract

Ransomware is one of the most prevalent threats on the Internet today, and ransomware attacks have continued to grow in number and severity in 2023, with 66% of organizations targeted by such attacks, according to a Sophos report. However, monetary damages are just one aspect of the impact of these attacks. First, these attacks can cripple an organization's infrastructure. In addition, when the attackers can obtain access to sensitive information, they often follow a double-extortion scheme, in which the victim is threatened with the disclosure of that information. Finally, the money collected through ransomware finances terrorism and other activities that target the nation's interests. Therefore, combating ransomware is essential to protecting the national infrastructure, mission-critical services, and the nation's economic well-being.

Both industry and academia have developed various approaches to combating malware. However, the ever-changing nature of these threats makes it difficult to identify patterns that correctly identify threats without false positives. Even with reliable models for ransomware, the actual kill chain would make it challenging to identify an attack, as the deployment of the ransomware is usually the last step in a highly targeted, multi-phase attack (initial breach, lateral movement, and eventually the download of the ransomware). If these steps are not completed, the final ransomware component is not deployed, preventing security analysts from extracting key threat intelligence about the attackers.

We propose to develop a novel approach to create a simulated complex network environment that provides inputs to the various steps of the kill chain of a targeted ransomware attack, so that the attacker is deceived into delivering the final ransomware component. This will allow us to collect threat intelligence that aids in the disruption of the malicious actor's activity. In particular, we propose to derive effective, host-based models that can be used to detect (and block) ransomware activity. While there are sandboxing solutions that provide a realistic execution environment for the analysis of malware, the multi-step nature of the kill chain, combined with the targeted nature of the attack, only allows for the detection of the early stages of a breach. Once the initial malware component is unable to move laterally, or discovers a target environment that does not meet the attacker's expectations, the attack stops. To solve this problem, we propose a novel analysis framework that evolves the concept of a traditional sandbox into an elastic sandbox that extends and adapts in reaction to the lateral-movement attempts performed during the early stages of an attack. Therefore, as an attacker looks for additional hosts to compromise, additional instances of the sandbox are deployed to support the advance of the kill chain. In particular, we plan to leverage our prior work on using Generative Adversarial Networks to build network configurations dynamically. In this project, we plan to extend this approach by taking into account explicit feedback from malware activity and prior malware runs. With this approach, it is possible to provide a more comprehensive analysis environment that automatically expands as the attacker attempts to move laterally. The resulting threat intelligence can be extremely effective in protecting networks from similar attacks and disrupting the threat actor's operations. For example, full visibility into the TTPs adopted in the kill chain allows for the creation of models to detect both single artifacts and multi-step attacks. In addition, by obtaining the ransomware sample, it is possible to collect command-and-control indicators and identify the ransom collection infrastructure. Finally, in this project, we plan to directly leverage the collected intelligence to generate detection models that can be deployed on targeted hosts.

Approved for public release.
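To make the "elastic sandbox" idea concrete, the following is an added toy controller written for this page; it is not the project's code and the award does not describe an implementation. It assumes a simple telemetry event format (`kind`, `src`, `dst`, `proto`), a coarse four-stage kill-chain mapping, and a hypothetical provisioning budget, all of which are constructed here. The controller starts with one seeded victim host; whenever the running sample tries to reach an internal address that does not yet exist, a decoy host is provisioned so the lateral-movement step finds a target, and every event is tagged with the kill-chain stage it belongs to so the run can be summarised afterwards.

```python
"""Toy controller for an "elastic" analysis sandbox (hypothetical example, not the project's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress

# Coarse kill-chain stages, in order (constructed for this example).
STAGES = ("execution", "discovery", "lateral_movement", "payload_download")

# Assumed mapping from observed behaviour to a kill-chain stage.
STAGE_OF_EVENT = {
    "process_start": "execution",
    "scan": "discovery",
    "connect": "lateral_movement",
    "download": "payload_download",
}

# Assumed mapping from the protocol the sample used to a plausible decoy role.
ROLE_FOR_PROTO = {"smb": "file-server", "rdp": "workstation", "ldap": "domain-controller"}


@dataclass
class DecoyHost:
    ip: str
    role: str                              # what the decoy pretends to be
    provisioned_by: Optional[str] = None   # event that triggered provisioning


@dataclass
class ElasticSandbox:
    subnet: ipaddress.IPv4Network
    seed_ip: str
    max_hosts: int = 8
    hosts: Dict[str, DecoyHost] = field(default_factory=dict)
    stages_seen: List[str] = field(default_factory=list)
    refused: List[str] = field(default_factory=list)   # addresses declined for budget reasons

    def __post_init__(self):
        # The initial victim host always exists.
        self.hosts[self.seed_ip] = DecoyHost(self.seed_ip, "workstation")

    def _is_internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.subnet

    def _provision(self, ip: str, proto: str, reason: str) -> str:
        """Create a decoy for `ip` if the budget allows; the role follows the protocol used."""
        if ip in self.hosts:
            return "already-present"
        if len(self.hosts) >= self.max_hosts:
            self.refused.append(ip)
            return "budget-exhausted"
        self.hosts[ip] = DecoyHost(ip, ROLE_FOR_PROTO.get(proto, "workstation"), provisioned_by=reason)
        return "provisioned"

    def observe(self, event: dict) -> str:
        """Consume one telemetry event and return the controller's decision."""
        kind = event["kind"]
        stage = STAGE_OF_EVENT.get(kind)
        if stage and stage not in self.stages_seen:
            self.stages_seen.append(stage)
        if kind not in ("scan", "connect"):
            return "recorded"
        dst = event["dst"]
        if not self._is_internal(dst):
            return "external-recorded"      # outbound traffic is logged, never expanded
        if event.get("src") not in self.hosts:
            return "ignored"                # only traffic from a sandbox host counts
        return self._provision(dst, event.get("proto", ""), "%s from %s" % (kind, event["src"]))

    def summary(self) -> dict:
        return {
            "hosts": sorted(self.hosts),
            "stages": list(self.stages_seen),
            "refused": list(self.refused),
            "reached_final_stage": "payload_download" in self.stages_seen,
        }


# Constructed telemetry, roughly in the order a multi-step intrusion would emit it.
SAMPLE_EVENTS = [
    {"kind": "process_start", "src": "10.10.0.5", "image": "sample.exe"},
    {"kind": "scan", "src": "10.10.0.5", "dst": "10.10.0.10", "proto": "smb"},
    {"kind": "connect", "src": "10.10.0.5", "dst": "10.10.0.10", "proto": "smb"},
    {"kind": "connect", "src": "10.10.0.10", "dst": "10.10.0.20", "proto": "ldap"},
    {"kind": "connect", "src": "10.10.0.5", "dst": "203.0.113.9", "proto": "https"},
    {"kind": "download", "src": "10.10.0.20", "dst": "203.0.113.9", "proto": "https"},
]


def run(events=SAMPLE_EVENTS, max_hosts: int = 8) -> dict:
    """Replay a list of events through a fresh sandbox and return its summary plus per-event decisions."""
    sb = ElasticSandbox(ipaddress.ip_network("10.10.0.0/24"), "10.10.0.5", max_hosts)
    decisions = [sb.observe(e) for e in events]
    out = sb.summary()
    out["decisions"] = decisions
    out["roles"] = {ip: h.role for ip, h in sb.hosts.items()}
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

Running it with the constructed events provisions two decoys (a file server reached over SMB and a domain controller reached over LDAP) and records all four stages, which is the situation the abstract describes: the environment grows only where the sample pushes, and the final download is observed because the earlier steps found something to talk to. Lowering `max_hosts` shows the opposite case, where the budget runs out and the chain is recorded as stalling.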

Document Details

Document Type
DoD Grant Award
Publication Date
Nov 09, 2024
Source ID
N000142412597

Entities

People

  • Christopher Kruegel

Organizations

  • Office of Naval Research
  • United States Navy
  • University of California, Santa Barbara

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity

Technology Areas

  • Cyber