Network-based Ransomware Detection
D. Mülders & P. Meessen
April, 13th 2017
2/42
/ department of mathematics and computer science
Introduction
Today we present the results of the SpySpot research into ransomware and intrusion detection systems.
Ransomware
Ransomware
Ransomware is a class of malware, which interferes with the normal operation of a computer and aims to extort the owner of the computer into paying a ransom in order to undo or avoid further damage. (after Kharraz et al., 2015)
Ransomware using Encryption
This project focuses on ransomware that uses encryption (AES) to prevent victims accessing their files.
Windows Shares
Example: SMB traffic
Global system overview
Ransomware detection
Messages that might carry ransomware activity are recorded from the network traffic. From these we extract the crucial data, construct an exchange, detect encryption and analyse the general behaviour.
Message extraction
Message features
- file data
- data size
- name
- message & file identifiers
- etc.
Exchange building
By matching multiple related messages, based on their message identifiers & file manipulation patterns, we can build exchanges. These can contain encryption.
Detection of encryption in exchanges
We can now calculate entropy, using the file data, which we can use to detect encryption.
Say we have two files:
unencrypted file: "HI HITB"
encrypted file: "XMz5#a!"
n-grams
An n-gram is the histogram of the substrings of length n in a text.
1-grams
"HI HITB" "XMz5#a!"
Distribution
"HI HITB" "XMz5#a!"
From distributions to numbers
Lottery
Lottery:

| odds | payout |
| --- | --- |
| 1/1.000.000 | $100.000 |
| 1/1.000 | $100 |

$E(\text{playing the lottery}) = \frac{1}{1.000.000} \times \$100.000 + \frac{1}{1.000} \times \$100 = \$0{,}20$
Expected Value
$E(X) = \sum_{x \in X} p(x) \cdot f(x)$
From Expected Value to Entropy
$E(X) = \sum_{x \in X} p(x) \cdot f(p(x))$
From Expected Value to Entropy
Payout function for Shannon Entropy: $f(p(x)) \Rightarrow \log_2\left(\frac{1}{p(x)}\right)$
https://commons.wikimedia.org/wiki/File:Binary_entropy_plot.svg
Shannon Entropy
$H(X) = \sum_{x \in X} p(x) \cdot \log_2 \frac{1}{p(x)}$
Shannon Entropy
“H(X) is the lower bound on the number of (yes/no) questions that you need to ask about [X] in order to learn the outcome x.” (TU/e Course 2IMS10, Lecture Notes v1.7, 2016)
Distribution
"HI HITB" "XMz5#a!"
Calculating the Shannon Entropy for n-grams
“Text” ⇒ 1-gram ⇒ Distribution ⇒ Entropy ⇒ Number
Calculating the Shannon Entropy for n-grams
"HI HITB":
$H = 3 \times \frac{1}{7} \cdot \log_2\frac{7}{1} + 2 \times \frac{2}{7} \cdot \log_2\frac{7}{2} = 2.2359\ldots$

"XMz5#a!":
$H = 7 \times \frac{1}{7} \cdot \log_2\frac{7}{1} = 2.8073\ldots$
Calculating the Shannon Entropy for n-grams
normal: "HI HITB" ≈ 2.2
encrypted: "XMz5#a!" ≈ 2.8
Global system overview
Encryption
The 1-gram of an encrypted text should have:
- 8 bits of entropy, and
- use all the 256 characters in the ASCII alphabet.
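An added example, not the authors' code, that carries the slides' pipeline "Text ⇒ 1-gram ⇒ Distribution ⇒ Entropy ⇒ Number" through in Python for the two sample files, and then applies the simple detector rule above to raw bytes; the thresholds of 7.9 bits and 250 distinct byte values are assumptions for this example.

```python
import math
from collections import Counter

# Constructed sample inputs: the two seven-character "files" from the slides.
PLAIN = "HI HITB"
SCRAMBLED = "XMz5#a!"


def ngram_histogram(text, n=1):
    """Count every length-n substring: the n-gram histogram of the slides."""
    if n < 1 or len(text) < n:
        return Counter()
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


def distribution(hist):
    """Turn counts into probabilities p(x) that sum to 1."""
    total = sum(hist.values())
    return {gram: count / total for gram, count in hist.items()}


def shannon_entropy(text, n=1):
    """H(X) = sum over x of p(x) * log2(1 / p(x)), over the n-gram distribution."""
    dist = distribution(ngram_histogram(text, n))
    return sum(p * math.log2(1 / p) for p in dist.values())


# Simple detector rule applied to raw bytes: ciphertext should come close to
# 8 bits of 1-gram entropy and use (nearly) the whole 256-value byte alphabet.
# Both thresholds are assumptions for this example, not the project's values.
ENTROPY_THRESHOLD = 7.9
ALPHABET_THRESHOLD = 250


def looks_encrypted(data, entropy_threshold=ENTROPY_THRESHOLD,
                    alphabet_threshold=ALPHABET_THRESHOLD):
    """Flag a byte string whose 1-gram statistics resemble ciphertext."""
    hist = ngram_histogram(data, 1)  # keys are single bytes, so len() = distinct byte values
    if not hist:
        return False
    entropy = sum(p * math.log2(1 / p) for p in distribution(hist).values())
    return entropy >= entropy_threshold and len(hist) >= alphabet_threshold


if __name__ == "__main__":
    for sample in (PLAIN, SCRAMBLED):
        print(f"H({sample!r}) = {shannon_entropy(sample):.4f}")
    # Constructed byte samples: repetitive text vs. a flat spread over all 256 byte values.
    text_bytes = b"HI HITB " * 512
    flat_bytes = bytes(range(256)) * 16
    print(looks_encrypted(text_bytes), looks_encrypted(flat_bytes))
```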
Simple Detector Rule
1-gram entropy for different file types
Building Detectors
We need a new behavioural rule to remove the false positives.
Detection of encryption in exchanges
We can detect encryption on exchanges, using relative entropy and same-size characteristics.
Encryption detection rate
| Sample | FN | TP | TP rate | FP rate |
| --- | --- | --- | --- | --- |
| CryptXXX | 15847 | 2068 | 11.54% | 0% |
| CryptoWall | 699 | 63 | 8.27% | 0% |
| JigSaw | 19336 | 28887 | 59.90% | 0% |
| User | 160 | 24 | 13.04% | 0% |
Behavioural analysis
Using the detected exchanges, based on the rate of encryption, we can distinguish between ransomware & regular user traffic.
Behavioural analysis
Analyse the rate of encryption, using varying time-frames and required number of encryptions.
Behavioural analysis
Columns give the time-frame / required number of encryptions.

| Sample | 1s/5 | 1s/10 | 1s/15 | 3s/5 | 3s/10 | 3s/15 | 5s/15 | 5s/20 | 5s/25 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CryptXXX | 39 | 19 | 13 | 39 | 19 | 13 | 13 | 10 | 8 |
| CryptoWall | 54 | 27 | 18 | 54 | 27 | 18 | 18 | 14 | 9 |
| JigSaw | 35 | 17 | 12 | 35 | 17 | 12 | 12 | 9 | 7 |
| User | 0 | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 0 |
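An added example, not the project's code, of the two rules of the preceding slides: the per-exchange test on relative entropy and same size, followed by the behavioural rule that counts encrypting exchanges per client within a time-frame with a required number of encryptions (the 1s/5, 3s/10, ... columns). The thresholds, the client addresses, the sample exchanges and the sliding-window counting semantics are assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Exchange:
    """One matched read/write of the same file, built from SMB messages."""
    time: float        # seconds at which the write completed
    client: str        # host that performed the write
    name: str          # file name seen in the messages
    size_read: int     # bytes read from the share
    size_written: int  # bytes written back
    h_read: float      # 1-gram entropy of the data read (bits)
    h_written: float   # 1-gram entropy of the data written back (bits)


# Thresholds are assumptions for this example, not the project's values.
MIN_ENTROPY_GAIN = 2.0     # bits the written data must gain over the data read
MIN_WRITTEN_ENTROPY = 7.5  # written data must itself look like ciphertext
SIZE_TOLERANCE = 0.05      # "same size": written within 5% of the size read


def is_encrypting_exchange(ex):
    """Relative-entropy and same-size test for a single exchange."""
    if ex.size_read == 0:
        return False
    same_size = abs(ex.size_written - ex.size_read) / ex.size_read <= SIZE_TOLERANCE
    gain = ex.h_written - ex.h_read
    return same_size and gain >= MIN_ENTROPY_GAIN and ex.h_written >= MIN_WRITTEN_ENTROPY


def count_alerts(exchanges, window_s, required):
    """Behavioural rule: per client, count the encrypting exchanges that complete
    a window of `window_s` seconds holding at least `required` such exchanges."""
    alerts = {ex.client: 0 for ex in exchanges}
    per_client = defaultdict(list)
    for ex in sorted(exchanges, key=lambda e: e.time):
        if is_encrypting_exchange(ex):
            per_client[ex.client].append(ex.time)
    for client, times in per_client.items():
        start = 0  # index of the oldest exchange still inside the sliding window
        for i, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            if i - start + 1 >= required:
                alerts[client] += 1
    return alerts


# Constructed sample: one host rewriting eight documents in under two seconds
# (size equal apart from cipher padding, entropy jumping to ~8 bits), and one
# user editing, re-encoding and copying files, which the rules must not flag.
RANSOM = [Exchange(0.25 * i, "10.0.0.5", f"doc{i}.docx", 40960, 40976, 4.6, 7.98)
          for i in range(8)]
USER = [
    Exchange(0.0, "10.0.0.9", "notes.txt", 2048, 2090, 4.6, 4.7),        # small edit
    Exchange(1.0, "10.0.0.9", "photo.jpg", 500000, 300000, 7.90, 7.95),  # re-encode: high entropy, size differs
    Exchange(2.0, "10.0.0.9", "report.pdf", 81920, 81920, 7.6, 7.6),     # plain copy: no entropy gain
]
SAMPLE = RANSOM + USER

if __name__ == "__main__":
    for window, required in ((1, 5), (1, 10), (3, 5), (5, 25)):
        print(f"{window}s/{required}:", count_alerts(SAMPLE, window, required))
```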
Behavioural analysis results
Implementation
Enterprise applications
- Ransomware & intrusion detection system
- Blocking traffic from an infected client
- Backing up data that is being attacked
Thank you for your attention
Questions
Please visit:
https://nomoreransom.org
http://security1.win.tue.nl/spyspot/
Special thanks to: Tijmen van Dries, Sandro Etalle, Davide Fauri, Jerry den Hartog, Emil Nikolov, Erik Poll, Peter Wu, Rob Wu, Joe Joe Wong, Omer Yüksel.
References I
Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., and Kirda, E. (2015). Cutting the gordian knot: a look under the hood of ransomware attacks. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 3–24. Springer.
Nativ, Y. and Shalev, S. (2016-2017). theZoo. https://github.com/ytisf/theZoo.
Sikorski, M. and Honig, A. (2012). Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press Series. No Starch Press.
Stokkel, M. (2016). Ransomware detection with Bro. Talk at BroCon '16, Austin. https://www.bro.org/brocon2016/slides/stokkel_ransomware.pdf.