YARAMON: A Memory-based Detection Framework for Ransomware Families
May Medhat, Menna Essa, Hend Faisal, Samir G. Sayed
2020 15th International Conference for Internet Technology and Secured Transactions (ICITST), published 2020-12-08
DOI: 10.23919/ICITST51030.2020.9351319
Citation count: 0
Abstract
Ransomware attacks have evolved to become more sophisticated, persistent and irreversible. In 2019, many high-profile ransomware developers extorted high-value entities for money by encrypting their data and deleting any backup files. Once a system is infected with a crypto-ransomware attack, it will be tough to recover the victim's data unless a backup is available or the malware author shares the decryption key with the victim. Moreover, ransomware developers nowadays adopt new tactics and techniques to spread and evade detection. One of those techniques is packing, used to strengthen their defensive mechanisms and avoid detection. This paper suggests a hybrid approach to detect packed ransomware samples based on scanning process memory dumps and dropped executable files using an enhanced YARA rules framework. By describing common ransomware artifacts with YARA rules, the detection rate upon testing reached 97.9% of dumped files.