Malware detection or identification is essentially based on statistical analysis; in other words, it looks for signatures. This detection or identification consists in processing a given file as a sequence of bits, outside of any execution context. Indeed, it searches one or several databases for a number of bits extracted from the given file. When the file arrives at a given machine, and even before it is written to the drive (if real-time scanning is enabled), the traditional anti-virus scans it for signatures. If a signature is found, the file is deleted or quarantined. A signature can be unique to a specified file or shared by multiple different files. To evade a particular signature, a single malware can generate multiple variants that differ in their static properties, by using packers or by altering a single character in its content. This is a disadvantage of anti-virus signatures.

Unlike this category of anti-virus, behavioural or host-based indicators are also used to detect malware. These indicators focus on what the malware does on the target machine rather than on the characteristics of the malware as a file. Several studies have been published on this topic, including one that classifies malware based on its application programming interface (API) calls and behavioural analysis. Recently, some anti-virus products have applied machine learning to detect malware. Whereas signatures can only find an exact match with the searched pattern, machine learning models search for the closest matches to it. Therefore, they can catch more variants of a given malware from a single pattern. Many papers have been published in this regard demonstrating the effect of applying machine learning to malware detection, for example, the work of Suleiman et al. In this research on ransomware, we found many ransomware samples in VirusTotal (VT) that were not detected by any anti-virus engine, for example, some variants of FTCode ransomware. The first analysis of one variant of this ransomware in VT was performed at T20:59:31 (UTC), and it was not detected by any anti-virus engine. Nine days later, we found another variant of this ransomware detected by only two anti-virus engines. Therefore, we suggest that static anti-virus engines have shown their limits in malware detection, especially for ransomware, compared to other methods (host-based indicators and machine learning models), which however involve complex programmes and more resources. Generally, the single objective of a ransomware on a target machine is to encrypt files. Therefore, most ransomware shares some common behaviours. Any ransomware detection or prevention should be based on monitoring several such behaviours, so as to detect the ransomware without consuming many resources on the machine. For this reason, we present this article as a continuation of and a complement to the existing works on ransomware.
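As an added illustration of the two detection approaches discussed above (this is example code written for this page, not code from the article or its authors), the following Python compares a static signature scan, which a single altered byte defeats, with a behavioural check on what a process actually writes to disk, which is unaffected by which static variant produced the writes. The sample "files", the signature database, the host write events, the toy cipher and the thresholds are all constructed for the example and are assumptions, not data from the paper.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed sample "files": a toy payload and a variant that differs in a
# single character, the evasion the text describes. Neither is real malware.
SAMPLE_A = b"MZ\x90\x00" + b"\x00" * 60 + b"ENCRYPT_ALL_FILES_AND_DROP_NOTE" + b"\x00" * 32
SAMPLE_B = SAMPLE_A.replace(b"ENCRYPT_ALL", b"ENCRYPT-ALL")  # one byte altered

# Hypothetical signature database: a whole-file hash (unique to one file) and
# a byte pattern (intended to cover several files).
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_A).hexdigest(): "Ransom.Toy.A"}
PATTERN_SIGNATURES = {b"ENCRYPT_ALL_FILES": "Ransom.Toy.gen"}


def scan_static(data: bytes):
    """Traditional scan: treat the file as a sequence of bits, outside any
    execution context, and look for an exact signature match."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Deterministic SHA-256 counter-mode keystream XORed with the data.
    A stand-in for whatever cipher a ransomware uses; only the statistical
    effect on the written bytes matters for the behavioural check."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(plaintext[offset:offset + 32], keystream))
    return bytes(out)


# Assumed thresholds for the behavioural indicator.
ENTROPY_THRESHOLD = 7.0      # writes at or above this look like ciphertext
MIN_SUSPICIOUS_FILES = 3     # how many such writes before a process is flagged


def detect_ransomware_behaviour(events):
    """Host-based indicator: per process, count writes that combine
    ciphertext-like content with a changed file extension. Returns the
    processes that exceed MIN_SUSPICIOUS_FILES with their counts."""
    suspicious = Counter()
    for ev in events:
        ext_changed = os.path.splitext(ev["src"])[1] != os.path.splitext(ev["dst"])[1]
        if ext_changed and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            suspicious[ev["pid"]] += 1
    return {pid: n for pid, n in suspicious.items() if n >= MIN_SUSPICIOUS_FILES}


def build_sample_events():
    """Constructed file-write events: a benign editor (pid 100) saving text
    in place, and a ransomware process (pid 200) rewriting documents as
    ciphertext under a new extension."""
    text = b"The quick brown fox jumps over the lazy dog. " * 100
    events = []
    for i in range(5):
        events.append({"pid": 100, "src": f"notes{i}.txt", "dst": f"notes{i}.txt",
                       "data": text})
    for i in range(5):
        events.append({"pid": 200, "src": f"report{i}.docx", "dst": f"report{i}.docx.locked",
                       "data": toy_encrypt(text, b"toy-key-" + bytes([i]))})
    return events


if __name__ == "__main__":
    print("static scan, original variant:", scan_static(SAMPLE_A))   # Ransom.Toy.A
    print("static scan, one byte altered:", scan_static(SAMPLE_B))   # None
    print("behavioural alert:", detect_ransomware_behaviour(build_sample_events()))  # {200: 5}
```

The point of the pairing is that the one-byte variant is invisible to the hash and to the byte pattern, yet it cannot hide the effect it must produce to be ransomware at all: a burst of high-entropy writes that replace the victim's files. The entropy and file-count thresholds are deliberately cheap to compute, which is the resource argument the text makes; a real deployment would still have to tune them against legitimate encryption and compression workloads.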