The emergence of crypto-ransomware has significantly changed the cyber threat landscape. Crypto-ransomware removes the data custodian's access by encrypting valuable data on victims' computers and demands a ransom payment to restore that access by decrypting the data. Timely detection of ransomware depends heavily on how quickly and accurately system logs can be mined to hunt for abnormalities and stop the attack. In this paper we first set up an environment to collect activity logs of 517 Locky ransomware samples, 535 Cerber ransomware samples and 572 TeslaCrypt ransomware samples. We use Sequential Pattern Mining to find Maximal Frequent Patterns (MFP) of activities within different ransomware families as candidate features for classification with the J48, Random Forest, Bagging and MLP algorithms. We achieve 99% accuracy in distinguishing ransomware instances from goodware samples and 96.5% accuracy in identifying the family of a given ransomware sample. Our results indicate the usefulness and practicality of applying pattern mining techniques to discovering good features for ransomware hunting. Moreover, we show the existence of distinctive frequent patterns within different ransomware families, which can be used to identify the family of a ransomware sample and to build intelligence about threat actors and the threat profile of a given target.
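To make the feature-extraction step concrete, the following is an added Python example, not the authors' code: it mines frequent sequential patterns from per-sample activity logs with an Apriori-style level-wise search, keeps only the maximal ones (no frequent super-pattern exists), and turns the union of per-family MFPs into binary feature vectors a classifier could consume. The event vocabulary, the family labels and every log sequence below are constructed for illustration; the abstract does not give the real log format, support threshold or mining algorithm, so those are assumptions.

```python
"""Sequential pattern mining of activity logs into Maximal Frequent Patterns (MFPs).

Added illustration, not the paper's code.  Every sequence below is constructed;
event names are assumed, not taken from any real sandbox log format.
"""

# Constructed per-sample activity logs: each sample is an ordered list of events.
SAMPLES = {
    "fam_a": [
        ["proc_create", "reg_set", "file_write", "net_connect", "file_delete"],
        ["proc_create", "file_write", "reg_set", "net_connect", "file_delete"],
        ["proc_create", "reg_set", "file_write", "file_delete"],
    ],
    "fam_b": [
        ["proc_create", "net_connect", "file_write", "file_write", "file_delete"],
        ["proc_create", "net_connect", "file_write", "file_delete"],
        ["proc_create", "net_connect", "file_write", "file_write"],
    ],
    "good": [
        ["proc_create", "file_write"],
        ["proc_create", "reg_set", "file_write"],
        ["proc_create", "net_connect"],
    ],
}


def is_subsequence(pattern, seq):
    """True if `pattern` occurs in `seq` in order, gaps allowed (GSP/PrefixSpan semantics)."""
    it = iter(seq)
    return all(any(ev == p for ev in it) for p in pattern)


def support(pattern, sequences):
    """Sequence-level support: number of samples containing the pattern at least once."""
    return sum(1 for s in sequences if is_subsequence(pattern, s))


def mine_frequent(sequences, min_support):
    """Level-wise mining.  Every prefix of a frequent sequence is itself frequent, so
    length-(k+1) candidates are frequent length-k patterns extended by one frequent event."""
    threshold = min_support * len(sequences)
    items = sorted({ev for s in sequences for ev in s})
    frequent_items = [(ev,) for ev in items if support((ev,), sequences) >= threshold]
    frequent = {p: support(p, sequences) for p in frequent_items}
    level = list(frequent_items)
    while level:
        nxt = []
        for p in level:
            for (ev,) in frequent_items:
                cand = p + (ev,)
                sup = support(cand, sequences)
                if sup >= threshold:
                    frequent[cand] = sup
                    nxt.append(cand)
        level = nxt  # terminates: no pattern longer than the longest log can be frequent
    return frequent


def maximal(frequent):
    """Keep patterns that are not a proper subsequence of another frequent pattern."""
    pats = list(frequent)
    return {p for p in pats
            if not any(len(q) > len(p) and is_subsequence(p, q) for q in pats)}


def mine_family_mfps(dataset, min_support):
    """Per-family MFPs; distinct MFP sets are what makes family attribution possible."""
    return {fam: maximal(mine_frequent(seqs, min_support)) for fam, seqs in dataset.items()}


def build_features(dataset, mfps_by_family):
    """Union of all family MFPs becomes the feature space; each sample -> 0/1 vector."""
    patterns = sorted(set().union(*mfps_by_family.values()))
    rows = [(fam, [int(is_subsequence(p, seq)) for p in patterns])
            for fam, seqs in dataset.items() for seq in seqs]
    return patterns, rows


if __name__ == "__main__":
    mfps = mine_family_mfps(SAMPLES, min_support=1.0)
    for fam, pats in mfps.items():
        print(fam, sorted(pats))
    patterns, rows = build_features(SAMPLES, mfps)
    print(patterns)
    for fam, vec in rows:
        print(fam, vec)
```

With a support threshold of 100% within each family, the constructed `fam_a` logs yield the maximal patterns (proc_create, reg_set, file_delete) and (proc_create, file_write, file_delete), `fam_b` yields (proc_create, net_connect, file_write), and the goodware logs share nothing beyond (proc_create,), so the resulting feature vectors separate the three groups; in practice the threshold is tuned below 100% so that single noisy samples do not suppress otherwise characteristic patterns.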