skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Automated Behavior Analysis of Malware: A Case Study of WannaCry Ransomware

Abstract

Ransomware, a class of self-propagating malware that uses encryption to hold the victims’ data ransom, has emerged in recent years as one of the most dangerous cyber threats, with widespread damage; e.g., zero-day ransomware WannaCry has caused world-wide catastrophe, from knocking U.K. National Health Service hospitals offline to shutting down a Honda Motor Company in Japan [1]. Our close collaboration with security operations of large enterprises reveals that defense against ransomware relies on tedious analysis from high-volume systems logs of the first few infections. Sandbox analysis of freshly captured malware is also commonplace in operation. We introduce a method to identify and rank the most discriminating ransomware features from a set of ambient (non-attack) system logs and at least one log stream containing both ambient and ransomware behavior. These ranked features reveal a set of malware actions that are produced automatically from system logs, and can help automate tedious manual analysis. We test our approach using WannaCry and two polymorphic samples by producing logs with Cuckoo Sandbox during both ambient, and ambient plus ransomware executions. Our goal is to extract the features of the malware from the logs with only knowledge that malware was present. We compare outputs with amore » detailed analysis of WannaCry allowing validation of the algorithm’s feature extraction and provide analysis of the method’s robustness to variations of input data—changing quality/quantity of ambient data and testing polymorphic ransomware. Most notably, our patterns are accurate and unwavering when generated from polymorphic WannaCry copies, on which 63 (of 63 tested) antivirus (AV) products fail.« less

Authors:
 [1]; ORCiD logo [2]
  1. University of Texas at San Antonio (UTSA)
  2. ORNL
Publication Date:
Research Org.:
Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1423027
DOE Contract Number:  
AC05-00OR22725
Resource Type:
Conference
Resource Relation:
Conference: IEEE International Conference on Machine Learning and Applications (ICMLA) - Cancun, , Mexico - 12/18/2017 10:00:00 AM-12/21/2017 10:00:00 AM
Country of Publication:
United States
Language:
English

Citation Formats

Chen, Qian, and Bridges, Robert A. Automated Behavior Analysis of Malware: A Case Study of WannaCry Ransomware. United States: N. p., 2018. Web.
Chen, Qian, & Bridges, Robert A. Automated Behavior Analysis of Malware: A Case Study of WannaCry Ransomware. United States.
Chen, Qian, and Bridges, Robert A. Mon . "Automated Behavior Analysis of Malware: A Case Study of WannaCry Ransomware". United States. https://www.osti.gov/servlets/purl/1423027.
@article{osti_1423027,
title = {Automated Behavior Analysis of Malware: A Case Study of WannaCry Ransomware},
author = {Chen, Qian and Bridges, Robert A.},
abstractNote = {Ransomware, a class of self-propagating malware that uses encryption to hold the victims’ data ransom, has emerged in recent years as one of the most dangerous cyber threats, with widespread damage; e.g., zero-day ransomware WannaCry has caused world-wide catastrophe, from knocking U.K. National Health Service hospitals offline to shutting down a Honda Motor Company in Japan [1]. Our close collaboration with security operations of large enterprises reveals that defense against ransomware relies on tedious analysis from high-volume systems logs of the first few infections. Sandbox analysis of freshly captured malware is also commonplace in operation. We introduce a method to identify and rank the most discriminating ransomware features from a set of ambient (non-attack) system logs and at least one log stream containing both ambient and ransomware behavior. These ranked features reveal a set of malware actions that are produced automatically from system logs, and can help automate tedious manual analysis. We test our approach using WannaCry and two polymorphic samples by producing logs with Cuckoo Sandbox during both ambient, and ambient plus ransomware executions. Our goal is to extract the features of the malware from the logs with only knowledge that malware was present. We compare outputs with a detailed analysis of WannaCry allowing validation of the algorithm’s feature extraction and provide analysis of the method’s robustness to variations of input data—changing quality/quantity of ambient data and testing polymorphic ransomware. Most notably, our patterns are accurate and unwavering when generated from polymorphic WannaCry copies, on which 63 (of 63 tested) antivirus (AV) products fail.},
doi = {},
journal = {},
number = ,
volume = ,
place = {United States},
year = {2018},
month = {1}
}

Conference:
Other availability
Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.

Save / Share: