WannaLaugh: A Configurable Ransomware Emulator -- Learning to Mimic Malicious Storage Traces

Dionysios Diamantopoulos, Roman Pletka, Slavisa Sarafijanovic, A. L. Narasimha Reddy, Haris Pozidis

TL;DR

Ransomware detection struggles with evolving threats, especially when it relies on static signatures. This paper introduces WannaLaugh, a safe, open-source ransomware emulator that can mimic full encryption activity or targeted traces to generate realistic storage I/O patterns without propagating malware. It offers an extensive configurable design space (workloads, encryption schemes, file targeting, timing, and multi-threading via Ray) and uses NSGA-II optimization to tailor traces toward known ransomware or novel patterns, enabling robust evaluation of storage-based detectors. Case studies demonstrate multi-threaded performance gains, effective trace mimicry, and the emulator’s potential to accelerate the development of detection methods in storage systems and computational storage devices.

Abstract

Ransomware, a fearsome and rapidly evolving cybersecurity threat, continues to inflict severe consequences on individuals and organizations worldwide. Traditional detection methods, reliant on static signatures and application behavioral patterns, are challenged by the dynamic nature of these threats. This paper introduces three primary contributions to address this challenge. First, we introduce a ransomware emulator. This tool is designed to safely mimic ransomware attacks without causing actual harm or spreading malware, making it a unique solution for studying ransomware behavior. Second, we demonstrate how we use this emulator to create storage I/O traces. These traces are then utilized to train machine-learning models. Our results show that these models are effective in detecting ransomware, highlighting the practical application of our emulator in developing responsible cybersecurity tools. Third, we show how our emulator can be used to mimic the I/O behavior of existing ransomware, thereby enabling safe trace collection. Both the emulator and its application represent significant steps forward in ransomware detection in the era of machine-learning-driven cybersecurity.


Paper Structure

This paper contains 27 sections, 9 figures, 4 tables, and 1 algorithm.

Figures (9)

  • Figure 1: Life-cycle of Ransomware and positioning of WannaLaugh emulator as a use-case enabler.
  • Figure 2: WannaLaugh's interactive GUI.
  • Figure 3: LBA scatter plot for WannaCry Ransomware.
  • Figure 4: Overview of our ML flow and data lifetime.
  • Figure 5: Test Environment for Feature Extraction.
  • ...and 4 more figures