Phylogenetic Analysis for Ransomware Detection and Classification into Families

Author (ESR): 
Christina Michailidou (Consiglio Nazionale Delle Ricerche)
Fabio Martinelli
Francesco Mercaldo
Andrea Saracino

The spread of ransomware in recent years has been driven in part by the ability of attackers
to introduce changes and mutations that make the malware hard for anti-malware software to identify. In this
paper we propose a two-phase method, based on machine learning over API-level analysis, aimed (i) at
detecting ransomware effectively despite the obfuscation techniques applied and the variations introduced, and
(ii) at providing security analysts with a tool for tracking phylogenetic relationships, exploiting the binary tree
obtained from the classification analysis. We carried out a preliminary evaluation of the proposed method on
real-world ransomware samples belonging to three widespread families (i.e., Petya, BadRabbit and WannaCry),
obtaining encouraging results in ransomware detection and family identification. A discussion of the
ransomware-related phylogenetic relationships is also provided.
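The two-phase pipeline the abstract describes, as an added worked example that is not the authors' code. The abstract does not name the learning algorithm, the feature encoding or the phylogeny metric, so the following are assumptions of this example: features are the set of distinct API names seen in a trace (presence rather than order, which is what survives call reordering and junk-call insertion); the classifier is a small ID3-style binary decision tree; phase 1 separates ransomware from benign programs and phase 2 retrains on the ransomware samples alone to assign a family; and the "phylogeny" is read off the phase-2 tree by counting how many root-to-leaf splits two families share. All traces are constructed for the example. The family names are the paper's three families, but the API calls attributed to each are placeholders chosen to make the trees readable, not the observed behaviour of the real malware.

```python
"""Two-phase API-level ransomware classification with a decision-tree
phylogeny readout. Added illustration; not the authors' code.
All sample traces are constructed. Family names follow the paper, but the
API calls attributed to each family are placeholders, not real behaviour."""
from collections import Counter
from math import log2

# Constructed traces: (sample id, API calls observed, is_ransomware, family).
SAMPLES = [
    ("s01", ["CreateFileW", "WriteFile", "CryptEncrypt", "CryptGenKey", "InternetOpenA", "DeleteFileW"], True, "wannacry"),
    ("s02", ["CreateFileW", "WriteFile", "CryptEncrypt", "CryptGenKey", "InternetOpenA", "MoveFileW"], True, "wannacry"),
    ("s03", ["CreateFileW", "ReadFile", "WriteFile", "CryptEncrypt", "CryptGenKey", "DeleteFileW"], True, "wannacry"),
    ("s04", ["CreateFileW", "WriteFile", "CryptEncrypt", "DeviceIoControl", "ExitWindowsEx", "NtRaiseHardError"], True, "petya"),
    ("s05", ["CreateFileW", "WriteFile", "CryptEncrypt", "DeviceIoControl", "ExitWindowsEx", "CryptGenKey"], True, "petya"),
    ("s06", ["CreateFileW", "WriteFile", "CryptEncrypt", "DeviceIoControl", "NetShareEnum", "CreateServiceW"], True, "badrabbit"),
    ("s07", ["CreateFileW", "WriteFile", "CryptEncrypt", "DeviceIoControl", "NetShareEnum", "ExitWindowsEx"], True, "badrabbit"),
    ("s08", ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"], False, "benign"),
    ("s09", ["RegOpenKeyExW", "RegQueryValueExW", "CreateFileW", "ReadFile"], False, "benign"),
    # A legitimate encryption utility: uses the crypto API but is not ransomware,
    # so a single "calls CryptEncrypt" rule would misfire on it.
    ("s10", ["CreateFileW", "WriteFile", "CryptEncrypt", "CryptGenKey", "CryptExportKey"], False, "benign"),
]


def features(api_calls):
    """API-presence feature vector: the set of distinct APIs in the trace."""
    return frozenset(api_calls)


def entropy(labels):
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def build_tree(rows, candidates):
    """ID3-style binary tree over API presence. rows: [(feature_set, label)].
    Returns a label string (leaf) or (api, subtree_if_present, subtree_if_absent)."""
    labels = [lab for _, lab in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not candidates:
        return majority
    base = entropy(labels)
    best_api, best_gain = None, 0.0
    for api in sorted(candidates):  # sorted so ties resolve deterministically
        with_api = [lab for fs, lab in rows if api in fs]
        without = [lab for fs, lab in rows if api not in fs]
        if not with_api or not without:
            continue  # feature does not split this node
        gain = base - (len(with_api) * entropy(with_api) + len(without) * entropy(without)) / len(rows)
        if gain > best_gain:
            best_api, best_gain = api, gain
    if best_api is None:  # no split reduces entropy
        return majority
    rest = candidates - {best_api}
    return (best_api,
            build_tree([r for r in rows if best_api in r[0]], rest),
            build_tree([r for r in rows if best_api not in r[0]], rest))


def predict(tree, feature_set):
    while not isinstance(tree, str):
        api, yes, no = tree
        tree = yes if api in feature_set else no
    return tree


def leaf_paths(tree, prefix=()):
    """Map each leaf label to its root-to-leaf tuple of (api, present) splits.
    Assumes one leaf per family, which holds for the family tree built here."""
    if isinstance(tree, str):
        return {tree: prefix}
    api, yes, no = tree
    paths = leaf_paths(yes, prefix + ((api, True),))
    paths.update(leaf_paths(no, prefix + ((api, False),)))
    return paths


def shared_splits(paths, fam_a, fam_b):
    """Phylogenetic proximity proxy (this example's choice): number of leading
    splits the two families' paths share. The later the tree separates two
    families, the more alike their API profiles are."""
    common = 0
    for a, b in zip(paths[fam_a], paths[fam_b]):
        if a != b:
            break
        common += 1
    return common


def train_two_phase(samples):
    all_apis = frozenset(a for _, calls, _, _ in samples for a in calls)
    # Phase 1: ransomware vs benign on every sample.
    det_rows = [(features(c), "ransomware" if r else "benign") for _, c, r, _ in samples]
    detector = build_tree(det_rows, all_apis)
    # Phase 2: family assignment, trained on the ransomware samples only.
    fam_rows = [(features(c), fam) for _, c, r, fam in samples if r]
    classifier = build_tree(fam_rows, all_apis)
    return detector, classifier


def analyse(trace, detector, classifier):
    """Run both phases on one trace: ('benign', None) or ('ransomware', family)."""
    fs = features(trace)
    if predict(detector, fs) != "ransomware":
        return "benign", None
    return "ransomware", predict(classifier, fs)


DETECTOR, FAMILY_TREE = train_two_phase(SAMPLES)
FAMILY_PATHS = leaf_paths(FAMILY_TREE)

if __name__ == "__main__":
    print("detector:", DETECTOR)
    print("family tree:", FAMILY_TREE)
    for fam, path in FAMILY_PATHS.items():
        print(f"  {fam}: {path}")
    print("petya~badrabbit shared splits:", shared_splits(FAMILY_PATHS, "petya", "badrabbit"))
    print(analyse(["CreateFileW", "WriteFile", "CryptEncrypt", "DeviceIoControl", "NetShareEnum"], DETECTOR, FAMILY_TREE))
```

On the constructed data the phase-1 tree roots on CryptEncrypt and then needs a second split (CryptExportKey) to keep the benign encryption utility out of the ransomware class, which is the point of training on presence vectors rather than on one signature API. The phase-2 tree splits on DeviceIoControl first and only then separates the two families that share it, so the shared-split count reports those two as closer than either is to the third; an analyst would read a real tree the same way, with the caveat that a decision tree's split order reflects information gain on the training set, not code lineage, so it should be treated as a hypothesis to confirm against the samples rather than as a proof of descent.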

Secrypt 2018
Thursday, July 26, 2018