Table of Contents
Fetching ...

Enhanced Cyber Threat Intelligence by Network Forensic Analysis for Ransomware as a Service(RaaS) Malwares

Sharmila S P

TL;DR

This work has analysed RaaS samples by network forensic approach to investigate on packet captures of benign and malicious network traffic and recommends the proposed approach for integration into honeypots in the present scenario to combat with data scarcity concerned with malware samples(RaaS).

Abstract

In the current era of interconnected cyberspace, there is an adverse effect of ransomware on individuals, startups, and large companies. Cybercriminals hold digital assets till the demand for payment is made. The success of ransomware upsurged with the introduction of Ransomware as a Service(RaaS) franchise in the darknet market. Obfuscation and polymorphic nature of malware make them more difficult to identify by Antivirus system. Signature based intrusion detection is still on role suffering from the scarcity of RaaS packet signatures. We have analysed RaaS samples by network forensic approach to investigate on packet captures of benign and malicious network traffic. The behavior analysis of RaaS family Ransomwares, Ryuk and Gandcrab have been investigated to classify the packets as suspicious, malicious, and non-malicious which further aid in generating RaaS packet signatures for early detection and mitigation of ransomwares belonging to RaaS family. More than 40\% of packets are found malicious in this experiment. The proposed method is also verified by Virus Total API Approach. Further, the proposed approach is recommended for integration into honeypots in the present scenario to combat with data scarcity concerned with malware samples(RaaS). This data will be helpful in developing AI-based threat intelligence mechanisms. In turn enhance detection, prevention of threats, incident response and risk assessment.

Enhanced Cyber Threat Intelligence by Network Forensic Analysis for Ransomware as a Service(RaaS) Malwares

TL;DR

This work has analysed RaaS samples by network forensic approach to investigate on packet captures of benign and malicious network traffic and recommends the proposed approach for integration into honeypots in the present scenario to combat with data scarcity concerned with malware samples(RaaS).

Abstract

In the current era of interconnected cyberspace, there is an adverse effect of ransomware on individuals, startups, and large companies. Cybercriminals hold digital assets till the demand for payment is made. The success of ransomware upsurged with the introduction of Ransomware as a Service(RaaS) franchise in the darknet market. Obfuscation and polymorphic nature of malware make them more difficult to identify by Antivirus system. Signature based intrusion detection is still on role suffering from the scarcity of RaaS packet signatures. We have analysed RaaS samples by network forensic approach to investigate on packet captures of benign and malicious network traffic. The behavior analysis of RaaS family Ransomwares, Ryuk and Gandcrab have been investigated to classify the packets as suspicious, malicious, and non-malicious which further aid in generating RaaS packet signatures for early detection and mitigation of ransomwares belonging to RaaS family. More than 40\% of packets are found malicious in this experiment. The proposed method is also verified by Virus Total API Approach. Further, the proposed approach is recommended for integration into honeypots in the present scenario to combat with data scarcity concerned with malware samples(RaaS). This data will be helpful in developing AI-based threat intelligence mechanisms. In turn enhance detection, prevention of threats, incident response and risk assessment.
Paper Structure (11 sections, 6 figures, 3 tables, 1 algorithm)

This paper contains 11 sections, 6 figures, 3 tables, 1 algorithm.

Figures (6)

  • Figure 1: Pipeline view of the proposed Solution with VirusTotal integration for packet classification.
  • Figure 2: Malicious activity observed in IO Graph for Gandcrab Pcap.
  • Figure 3: Malicious activity observed in IO Graph for Ryuk Pcap
  • Figure 4: Malicious Packet details identified with GandCrab: HTTP Link and unverified Checksum.
  • Figure 5: Malicious Packet details identified with Ryuk: HTTP Link and unverified Checksum.
  • ...and 1 more figures