Ransomware, a class of self-propagating malware that uses encryption to hold the victims' data ransom, has emerged in recent years as one of the most dangerous cyber threats, with widespread damage; e.g., zero-day ransomware WannaCry has caused world-wide catastrophe, from knocking U.K. National Health Service hospitals offline to shutting down a Honda Motor Company in Japan [1]. Our close collaboration with security operations of large enterprises reveals that defense against ransomware relies on tedious analysis of high-volume system logs from the first few infections. Sandbox analysis of freshly captured malware is also commonplace in operations. We introduce a method to identify and rank the most discriminating ransomware features from a set of ambient (non-attack) system logs and at least one log stream containing both ambient and ransomware behavior. These ranked features reveal a set of malware actions that are produced automatically from system logs, and can help automate tedious manual analysis. We test our approach using WannaCry and two polymorphic samples by producing logs with Cuckoo Sandbox during both ambient and ambient-plus-ransomware executions. Our goal is to extract the features of the malware from the logs with only the knowledge that malware was present. We compare outputs with a detailed analysis of WannaCry, allowing validation of the algorithm's feature extraction, and provide analysis of the method's robustness to variations of input data: changing the quality/quantity of ambient data and testing polymorphic ransomware. Most notably, our patterns are accurate and unwavering when generated from polymorphic WannaCry copies, on which 63 (of 63 tested) anti-virus (AV) products fail.
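The following is an added illustration of the ambient-versus-mixed feature-ranking idea described above; it is not the paper's algorithm (the abstract does not give its scoring rule). It assumes simplified Cuckoo-style API-call traces in an "api|argument" line format, constructed here for the example, and a simple score (feature rate in the mixed stream minus the highest rate in any ambient stream), which is this example's own assumption.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed, Cuckoo-style API-call traces ("api|argument" per line); sample
# input made up for this example, not traces from the paper's experiments.
AMBIENT_LOGS = [
    "NtCreateFile|C:\\Users\\u\\report.docx\nNtWriteFile|C:\\Users\\u\\report.docx\n"
    "RegOpenKeyExW|HKCU\\Software\\Microsoft\\Office\nsocket|tcp\n"
    "NtCreateFile|C:\\Windows\\System32\\kernel32.dll",
    "NtCreateFile|C:\\Users\\u\\budget.xlsx\nNtWriteFile|C:\\Users\\u\\budget.xlsx\n"
    "RegOpenKeyExW|HKCU\\Software\\Microsoft\\Office\nsocket|tcp\n"
    "NtCreateFile|C:\\Windows\\System32\\user32.dll",
]
# Ambient activity plus a constructed ransomware-like burst: key generation,
# bulk encryption, originals deleted, outputs renamed with a made-up extension.
MIXED_LOG = (
    "NtCreateFile|C:\\Users\\u\\report.docx\nNtWriteFile|C:\\Users\\u\\report.docx.locked\n"
    "CryptGenKey|RSA\nCryptEncrypt|AES\nNtWriteFile|C:\\Users\\u\\budget.xlsx.locked\n"
    "CryptEncrypt|AES\nNtDeleteFile|C:\\Users\\u\\budget.xlsx\n"
    "RegOpenKeyExW|HKCU\\Software\\Microsoft\\Office\nsocket|tcp\n"
    "NtCreateFile|C:\\Windows\\System32\\kernel32.dll"
)


def feature_rates(log: str) -> Dict[str, float]:
    """Map each event to a coarse feature (API name plus the argument's last
    extension or path component) and return per-feature frequency in [0, 1]."""
    feats: Counter = Counter()
    for line in log.splitlines():
        api, _, arg = line.partition("|")
        leaf = arg.rsplit("\\", 1)[-1]
        feats[f"{api}:{leaf.rsplit('.', 1)[-1]}"] += 1
    total = sum(feats.values()) or 1
    return {f: c / total for f, c in feats.items()}


def rank_features(ambient: List[str], mixed: str) -> List[Tuple[str, float]]:
    """Score each feature of the mixed stream by its rate there minus the highest
    rate any ambient stream shows for it; keep only features the ambient
    baseline cannot explain (score > 0), strongest discriminator first."""
    baseline = [feature_rates(a) for a in ambient]
    scores = []
    for feat, rate in feature_rates(mixed).items():
        score = rate - max((b.get(feat, 0.0) for b in baseline), default=0.0)
        if score > 0:
            scores.append((feat, round(score, 6)))
    return sorted(scores, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for feat, score in rank_features(AMBIENT_LOGS, MIXED_LOG):
        print(f"{score:.2f}  {feat}")
```

On the constructed traces the crypto calls, the deletions and the writes to the renamed outputs surface at the top, while registry, socket and DLL-load activity shared with the ambient baseline scores at or below zero and is dropped.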