Cyberthreat Hunting - Part 1: Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA Rules

Nitin Naik; Paul Jenkins; Nick Savage; Longzhi Yang

doi:10.1109/FUZZ-IEEE.2019.8858803

Cyberthreat Hunting - Part 1: Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA Rules

Nitin Naik, Paul Jenkins, Nick Savage, Longzhi Yang

College of Engineering and Physical Sciences

Research output: Chapter in Book/Published conference output › Conference publication

Abstract

Ransomware is currently one of the most significant cyberthreats to both national infrastructure and the individual, often requiring severe treatment as an antidote. Triaging ran-somware based on its similarity with well-known ransomware samples is an imperative preliminary step in preventing a ransomware pandemic. Selecting the most appropriate triaging method can improve the precision of further static and dynamic analysis in addition to saving significant t ime a nd e ffort. Currently, the most popular and proven triaging methods are fuzzy hashing, import hashing and YARA rules, which can ascertain whether, or to what degree, two ransomware samples are similar to each other. However, the mechanisms of these three methods are quite different and their comparative assessment is difficult. Therefore, this paper presents an evaluation of these three methods for triaging the four most pertinent ransomware categories WannaCry, Locky, Cerber and CryptoWall. It evaluates their triaging performance and run-time system performance, highlighting the limitations of each method.

Original language	English
Title of host publication	2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019
Publisher	IEEE
ISBN (Electronic)	9781538617281
DOIs	https://doi.org/10.1109/FUZZ-IEEE.2019.8858803
Publication status	Published - 10 Oct 2019
Event	2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019 - New Orleans, United States Duration: 23 Jun 2019 → 26 Jun 2019

Publication series

Name	IEEE International Conference on Fuzzy Systems
Volume	2019-June
ISSN (Print)	1098-7584

Conference

Conference	2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019
Country/Territory	United States
City	New Orleans
Period	23/06/19 → 26/06/19

Bibliographical note

Funding Information:
The authors gratefully acknowledge the support of Hybrid-

Publisher Copyright:
© 2019 IEEE.

Copyright:
Copyright 2019 Elsevier B.V., All rights reserved.

Keywords

Cer-ber
Context-Triggered Piecewise Hashing
CryptoWall
Fuzzy Hashing
IM-PHASH
Import Hashing
Locky
Ransomware
SDHASH
Similarity Preserving
SSDEEP
Triaging
WannaCry
WannaCryptor
YARA Rules

Access to Document

10.1109/FUZZ-IEEE.2019.8858803

Cite this

@inproceedings{77aa2d5def624d21ae14f1ca286ec8b1,

title = "Cyberthreat Hunting - Part 1: Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA Rules",

abstract = "Ransomware is currently one of the most significant cyberthreats to both national infrastructure and the individual, often requiring severe treatment as an antidote. Triaging ran-somware based on its similarity with well-known ransomware samples is an imperative preliminary step in preventing a ransomware pandemic. Selecting the most appropriate triaging method can improve the precision of further static and dynamic analysis in addition to saving significant t ime a nd e ffort. Currently, the most popular and proven triaging methods are fuzzy hashing, import hashing and YARA rules, which can ascertain whether, or to what degree, two ransomware samples are similar to each other. However, the mechanisms of these three methods are quite different and their comparative assessment is difficult. Therefore, this paper presents an evaluation of these three methods for triaging the four most pertinent ransomware categories WannaCry, Locky, Cerber and CryptoWall. It evaluates their triaging performance and run-time system performance, highlighting the limitations of each method.",

keywords = "Cer-ber, Context-Triggered Piecewise Hashing, CryptoWall, Fuzzy Hashing, IM-PHASH, Import Hashing, Locky, Ransomware, SDHASH, Similarity Preserving, SSDEEP, Triaging, WannaCry, WannaCryptor, YARA Rules",

author = "Nitin Naik and Paul Jenkins and Nick Savage and Longzhi Yang",

note = "Funding Information: The authors gratefully acknowledge the support of Hybrid- Publisher Copyright: {\textcopyright} 2019 IEEE. Copyright: Copyright 2019 Elsevier B.V., All rights reserved.; 2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019 ; Conference date: 23-06-2019 Through 26-06-2019",

year = "2019",

month = oct,

day = "10",

doi = "10.1109/FUZZ-IEEE.2019.8858803",

language = "English",

series = "IEEE International Conference on Fuzzy Systems",

publisher = "IEEE",

booktitle = "2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019",

address = "United States",

}

Naik, N, Jenkins, P, Savage, N & Yang, L 2019, Cyberthreat Hunting - Part 1: Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA Rules. in 2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019., 8858803, IEEE International Conference on Fuzzy Systems, vol. 2019-June, IEEE, 2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019, New Orleans, United States, 23/06/19. https://doi.org/10.1109/FUZZ-IEEE.2019.8858803

Cyberthreat Hunting - Part 1: Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA Rules. / Naik, Nitin; Jenkins, Paul; Savage, Nick et al.
2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019. IEEE, 2019. 8858803 (IEEE International Conference on Fuzzy Systems; Vol. 2019-June).

Research output: Chapter in Book/Published conference output › Conference publication

TY - GEN

T1 - Cyberthreat Hunting - Part 1

T2 - 2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019

AU - Naik, Nitin

AU - Jenkins, Paul

AU - Savage, Nick

AU - Yang, Longzhi

PY - 2019/10/10

Y1 - 2019/10/10

N2 - Ransomware is currently one of the most significant cyberthreats to both national infrastructure and the individual, often requiring severe treatment as an antidote. Triaging ran-somware based on its similarity with well-known ransomware samples is an imperative preliminary step in preventing a ransomware pandemic. Selecting the most appropriate triaging method can improve the precision of further static and dynamic analysis in addition to saving significant t ime a nd e ffort. Currently, the most popular and proven triaging methods are fuzzy hashing, import hashing and YARA rules, which can ascertain whether, or to what degree, two ransomware samples are similar to each other. However, the mechanisms of these three methods are quite different and their comparative assessment is difficult. Therefore, this paper presents an evaluation of these three methods for triaging the four most pertinent ransomware categories WannaCry, Locky, Cerber and CryptoWall. It evaluates their triaging performance and run-time system performance, highlighting the limitations of each method.

AB - Ransomware is currently one of the most significant cyberthreats to both national infrastructure and the individual, often requiring severe treatment as an antidote. Triaging ran-somware based on its similarity with well-known ransomware samples is an imperative preliminary step in preventing a ransomware pandemic. Selecting the most appropriate triaging method can improve the precision of further static and dynamic analysis in addition to saving significant t ime a nd e ffort. Currently, the most popular and proven triaging methods are fuzzy hashing, import hashing and YARA rules, which can ascertain whether, or to what degree, two ransomware samples are similar to each other. However, the mechanisms of these three methods are quite different and their comparative assessment is difficult. Therefore, this paper presents an evaluation of these three methods for triaging the four most pertinent ransomware categories WannaCry, Locky, Cerber and CryptoWall. It evaluates their triaging performance and run-time system performance, highlighting the limitations of each method.

KW - Cer-ber

KW - Context-Triggered Piecewise Hashing

KW - CryptoWall

KW - Fuzzy Hashing

KW - IM-PHASH

KW - Import Hashing

KW - Locky

KW - Ransomware

KW - SDHASH

KW - Similarity Preserving

KW - SSDEEP

KW - Triaging

KW - WannaCry

KW - WannaCryptor

KW - YARA Rules

UR - http://www.scopus.com/inward/record.url?scp=85071950667&partnerID=8YFLogxK

UR - https://ieeexplore.ieee.org/document/8858803

U2 - 10.1109/FUZZ-IEEE.2019.8858803

DO - 10.1109/FUZZ-IEEE.2019.8858803

M3 - Conference publication

AN - SCOPUS:85071950667

T3 - IEEE International Conference on Fuzzy Systems

BT - 2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019

PB - IEEE

Y2 - 23 June 2019 through 26 June 2019

ER -

Cyberthreat Hunting - Part 1: Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA Rules

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this