1. Ransomware and WannaCry Overview

1.1. Ransomware

Ransomware is malicious software designed to encrypt or lock data until a ransom is paid. It has evolved into
different types over time:

• Locker Ransomware: Blocks access to systems entirely.
• Crypto Ransomware: Encrypts data, demanding payment for decryption.
• Double Extortion Ransomware: Combines encryption with threats of leaking sensitive data.

The evolution of ransomware reflects a shift toward more sophisticated attacks, with the WannaCry
ransomware attack in May 2017 serving as a landmark event due to its unprecedented scale and rapid
propagation.

1.2. WannaCry Overview

• Timeline: The WannaCry attack began on May 12, 2017, and infected over 200,000 systems in 150 countries within a single day.
• Mechanism:
  o Exploited the SMBv1 protocol vulnerability using EternalBlue, a leaked NSA tool.
  o Used DoublePulsar to install its payload and propagate rapidly.
• Impact:
  o Estimated financial losses of over $4 billion.
  o Industries affected included healthcare (notably the UK’s NHS), telecommunications, and logistics.

2. Traditional Detection Techniques for WannaCry

2.1. Signature-Based Detection

This approach uses predefined patterns or signatures of known ransomware to identify threats.

• Advantages:
  o High accuracy for previously identified ransomware variants.
  o Fast and computationally efficient.
• Limitations:
  o Ineffective against new variants or polymorphic ransomware.
  o Requires regular updates of signature databases.

2.2. Behavior-Based Detection

Analyzes system behavior to identify suspicious activities, such as:

• Sudden mass encryption of files.
• Unusual network activity (e.g., connections to known malicious IPs).
• Deletion of shadow copies or backups.

• Advantages:
  o Can detect unknown ransomware variants based on behavior patterns.
• Limitations:
  o High false positive rates (e.g., legitimate applications mimicking ransomware behavior).
  o Resource-intensive due to continuous monitoring.

2.3. Heuristic-Based Detection

Uses rules and thresholds to flag anomalies. Examples include:

• Flagging processes that access a high number of files in a short period.
• Blocking processes that attempt to disable security features.

• Advantages:
  o Detects previously unseen ransomware that shares similarities with known variants.
• Limitations:
  o Static rules may miss sophisticated ransomware.
  o Requires manual tuning and regular updates.
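As an added example (not part of the original document), the following Python sketch applies two of the heuristics described in sections 2.2 and 2.3, a sliding-window count of file renames per process and a match on shadow-copy deletion commands, to a handful of constructed file-event lines. The log format, process names, threshold and allowlist are assumptions for illustration; the allowlist is the kind of manual tuning the text says these rules need to keep false positives down.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (not real telemetry), one per line:
# "<ISO timestamp> pid=<n> proc=<image> op=<write|rename|exec> target=<path or command line>"
SAMPLE_EVENTS = """\
2017-05-12T10:00:00 pid=4210 proc=winword.exe op=write target=C:\\Users\\a\\report.docx
2017-05-12T10:00:01 pid=7788 proc=unknown.exe op=rename target=C:\\Users\\a\\q1.xlsx
2017-05-12T10:00:01 pid=7788 proc=unknown.exe op=rename target=C:\\Users\\a\\q2.xlsx
2017-05-12T10:00:02 pid=7788 proc=unknown.exe op=rename target=C:\\Users\\a\\notes.txt
2017-05-12T10:00:02 pid=7788 proc=unknown.exe op=rename target=C:\\Users\\a\\photo.jpg
2017-05-12T10:00:04 pid=7788 proc=unknown.exe op=exec target=vssadmin delete shadows /all /quiet
2017-05-12T10:05:00 pid=9001 proc=backupagent.exe op=rename target=D:\\bak\\f1.bak
2017-05-12T10:05:00 pid=9001 proc=backupagent.exe op=rename target=D:\\bak\\f2.bak
2017-05-12T10:05:01 pid=9001 proc=backupagent.exe op=rename target=D:\\bak\\f3.bak
2017-05-12T10:05:01 pid=9001 proc=backupagent.exe op=rename target=D:\\bak\\f4.bak
"""

EVENT_RE = re.compile(r"^(\S+) pid=(\d+) proc=(\S+) op=(\w+) target=(.*)$")
RENAME_THRESHOLD = 4      # renames by one process inside the window (assumed tuning)
WINDOW_SECONDS = 10
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows", re.I)
ALLOWLIST = {"backupagent.exe"}  # known bulk-file tools; cuts the false positives noted above

def parse_events(text):
    """Parse the constructed log lines into (time, pid, proc, op, target) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, pid, proc, op, target = m.groups()
            events.append((datetime.fromisoformat(ts), int(pid), proc, op, target))
    return events

def detect(events):
    """Return {pid: [reasons]} for processes that trip either heuristic."""
    windows = defaultdict(deque)   # pid -> timestamps of its recent renames
    alerts = defaultdict(list)
    for ts, pid, proc, op, target in events:
        if proc.lower() in ALLOWLIST:
            continue
        if op == "rename":
            w = windows[pid]
            w.append(ts)
            while (ts - w[0]).total_seconds() > WINDOW_SECONDS:  # drop entries outside the window
                w.popleft()
            if len(w) >= RENAME_THRESHOLD and "mass rename" not in alerts[pid]:
                alerts[pid].append("mass rename")
        elif op == "exec" and SHADOW_DELETE.search(target):
            alerts[pid].append("shadow copy deletion")
    return dict(alerts)
```

Running `detect(parse_events(SAMPLE_EVENTS))` flags only pid 7788; the backup agent performs the same burst of renames but is suppressed by the allowlist.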

2.4. Static Analysis

Static analysis examines the ransomware’s code and structure without executing it.

• Techniques:
  o Disassemblers and decompilers to analyze code.
  o Hash-based comparisons for detecting known samples.
  o Identifying embedded strings, API calls, or encryption algorithms.
• Advantages:
  o Safe as the malware is not executed.
  o Useful for initial classification and understanding.
• Limitations:
  o Ineffective against heavily obfuscated or encrypted malware.

2.5. Dynamic Analysis

Dynamic analysis observes the behavior of ransomware in a controlled environment.

• Techniques:
  o Sandboxing to monitor execution.
  o Tools to capture network traffic, system modifications, and file access patterns.
• Advantages:
  o Provides real-time insights into ransomware behavior.
  o Effective against obfuscated malware.
• Limitations:
  o Risk of escape from the sandbox environment.
  o Resource-intensive and time-consuming.

3. Machine Learning (ML)-Based Detection Techniques

3.1. Supervised Learning


Models trained on labeled datasets containing ransomware and benign samples.

• Common algorithms:
  o Decision Trees and Random Forests: Useful for feature importance analysis.
  o Support Vector Machines (SVM): Effective for smaller datasets.
• Applications:
  o Detecting suspicious patterns in file operations, network activity, or API calls.

3.2. Unsupervised Learning

Focuses on anomaly detection without labeled data.

• Common techniques:
  o Clustering (e.g., K-Means): Identifies outliers in system behaviors.
  o Autoencoders: Detect deviations in network traffic or file access patterns.
• Applications:
  o Identifying zero-day ransomware or unusual encryption patterns.

3.3. Deep Learning

Advanced models like Neural Networks analyze complex patterns in data.

• Techniques:
  o Convolutional Neural Networks (CNNs): Analyzing file signatures or packet captures.
  o Recurrent Neural Networks (RNNs): Detecting sequential patterns in API calls or logs.
• Applications:
  o High accuracy in detecting ransomware behavior, but requires significant computational resources.

4. Comparative Analysis of Traditional and ML-Based Models

Aspect                | Traditional Models                                        | Machine Learning Models
Detection Approach    | Relies on signatures, rules, and predefined patterns.     | Learns patterns from data (supervised/unsupervised).
Adaptability          | Limited; struggles with zero-day and polymorphic threats. | High; adapts to new variants with retraining.
False Positives       | Higher; especially in behavior-based models.              | Lower with properly trained models.
Resource Requirements | Lower; efficient for known threats.                       | Higher; computationally intensive during training.
Scalability           | Challenging for large datasets or complex networks.       | Scales better with appropriate infrastructure.

5. Challenges in ML-Based Detection

Despite their promise, ML-based models face challenges:

• Data Availability:
  o Need large, diverse datasets for training.
  o Limited access to real-world ransomware samples due to ethical and security concerns.
• Feature Engineering:
  o Extracting meaningful features from ransomware behavior requires expertise.
• Adversarial Attacks:
  o Attackers may design ransomware to evade ML-based detection.
• Computational Overhead:
  o Training and deploying models can be resource-intensive.

6. Conclusion

While traditional models have been instrumental in detecting WannaCry and similar ransomware, their
limitations in adaptability and scalability have paved the way for ML-based approaches. Static and dynamic
analysis methods play a crucial role in enhancing detection capabilities, providing foundational insights for both
traditional and machine learning models. The integration of these methods, leveraging the strengths of
traditional models for rapid detection and ML for adaptability, offers a promising hybrid solution.

Security professionals and tools also use behavior-based detection techniques that compare recent activity with typical behavioral baselines built from historical data, looking for evidence of compromise. For example, when an employee checks in from the workplace, is their corporate PC also being accessed remotely from another state on the same day? Three such checks are listed below.

File system changes: abnormal file operations, including an excessive number of file renames.

Traffic analysis: check traffic for oddities such as software connections to dubious file-sharing websites, and the times of such activities.

API calls: a third behavior-based tactic that security teams may employ is auditing API calls.
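As an added example that is not part of the original document, the following Python code turns the first two checks into a baseline comparison: each host's daily count of file renames and of new outbound destinations is scored against that host's own historical mean and standard deviation, which is also the simplest form of the label-free anomaly detection described in section 3.2. The host names, counts, minimum history length and z-score threshold are constructed for illustration.

```python
import statistics

# Constructed per-host daily counts of a behaviour metric (not real data).
# The last element of each list is "today"; the rest is the historical baseline.
HISTORY = {
    ("ws-017", "file_renames"):       [12, 15, 9, 14, 11, 13, 10, 412],
    ("ws-017", "outbound_new_hosts"): [3, 2, 4, 3, 2, 3, 2, 3],
    ("ws-042", "file_renames"):       [8, 9, 7, 10, 8, 9, 8, 10],
    ("ws-042", "outbound_new_hosts"): [2, 2, 1, 3, 2, 2, 2, 37],
}
Z_THRESHOLD = 3.0   # assumed tuning; higher means fewer alerts and fewer false positives
MIN_HISTORY = 5     # refuse to judge a host with too little baseline (new machines)

def zscore(history, today):
    """Standard score of today's value against the historical mean and stdev.
    A perfectly flat baseline (stdev 0) treats any change as anomalous."""
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    if sd == 0:
        return float("inf") if today != mean else 0.0
    return (today - mean) / sd

def baseline_alerts(series, z_threshold=Z_THRESHOLD):
    """Return (host, metric, today, z) for every series whose latest value
    sits more than z_threshold standard deviations above its own baseline."""
    alerts = []
    for (host, metric), values in series.items():
        history, today = values[:-1], values[-1]
        if len(history) < MIN_HISTORY:
            continue
        z = zscore(history, today)
        if z > z_threshold:
            alerts.append((host, metric, today, round(z, 1)))
    return alerts

if __name__ == "__main__":
    for host, metric, today, z in baseline_alerts(HISTORY):
        print(f"{host}: {metric}={today} is {z} standard deviations above baseline")
```

Because each host is scored against itself, a backup server that renames thousands of files every day does not alert, while a workstation that normally renames a dozen does.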
