Cyberthreat Hunting - Part 1: Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA Rules

Nitin Naik, Paul Jenkins, Nick Savage, Longzhi Yang

Research output: Chapter in Book/Report/Conference proceedingConference publication

Abstract

Ransomware is currently one of the most significant cyberthreats to both national infrastructure and the individual, often requiring severe treatment as an antidote. Triaging ran-somware based on its similarity with well-known ransomware samples is an imperative preliminary step in preventing a ransomware pandemic. Selecting the most appropriate triaging method can improve the precision of further static and dynamic analysis in addition to saving significant t ime a nd e ffort. Currently, the most popular and proven triaging methods are fuzzy hashing, import hashing and YARA rules, which can ascertain whether, or to what degree, two ransomware samples are similar to each other. However, the mechanisms of these three methods are quite different and their comparative assessment is difficult. Therefore, this paper presents an evaluation of these three methods for triaging the four most pertinent ransomware categories WannaCry, Locky, Cerber and CryptoWall. It evaluates their triaging performance and run-time system performance, highlighting the limitations of each method.

Original languageEnglish
Title of host publication2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019
PublisherIEEE
ISBN (Electronic)9781538617281
DOIs
Publication statusPublished - 10 Oct 2019
Event2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019 - New Orleans, United States
Duration: 23 Jun 201926 Jun 2019

Publication series

NameIEEE International Conference on Fuzzy Systems
Volume2019-June
ISSN (Print)1098-7584

Conference

Conference2019 IEEE International Conference on Fuzzy Systems, FUZZ 2019
CountryUnited States
CityNew Orleans
Period23/06/1926/06/19

Bibliographical note

Funding Information:
The authors gratefully acknowledge the support of Hybrid-

Publisher Copyright:
© 2019 IEEE.

Copyright:
Copyright 2019 Elsevier B.V., All rights reserved.

Keywords

  • Cer-ber
  • Context-Triggered Piecewise Hashing
  • CryptoWall
  • Fuzzy Hashing
  • IM-PHASH
  • Import Hashing
  • Locky
  • Ransomware
  • SDHASH
  • Similarity Preserving
  • SSDEEP
  • Triaging
  • WannaCry
  • WannaCryptor
  • YARA Rules

Fingerprint Dive into the research topics of 'Cyberthreat Hunting - Part 1: Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA Rules'. Together they form a unique fingerprint.

Cite this