Ransomware is one of the most sophisticated cyber threats of today. 2016, in particular, has seen an exponential rise in attacks, not just against individuals, companies, and governments, as previously established, but also against critical services such as hospitals. Moreover, ransomware is now sold as a service by cyber criminals on the dark web, making it easier for regular or merely curious individuals to take advantage of what can be described as a successful criminal business model.
This dissertation looks at establishing a proactive approach to the analysis and detection of ransomware using open source security tools, configured within safe and secure environments. The evolution of ransomware and its characteristics are presented in order to provide an understanding of ransomware, which in turn allows safe, secure environments to be designed and implemented for the purpose of hosting analysis and detection systems. Unlike other works, the environments are designed to have an active network connection. As such, the ethics and methodology of such environments are also discussed.
First, the analysis system is presented, which has been implemented on an external hard drive with Kali Linux as the host OS and Cuckoo Sandbox as the primary analysis tool. The environment configured within this system uses a Windows 7 “victim” machine running on VirtualBox to conduct the analysis. Following this, the detection system is presented, implemented in a similar manner, though its VirtualBox environment consists of a pfSense firewall; Windows 7 and Server 2008 R2 machines; and a Kali Linux management server. Open source security tools such as Snort and OSSEC HIDS were configured on these devices, with Splunk used to aggregate all the security logs for review. For evaluation, two samples of current ransomware, Locky and Cerber 4.1.5, were used within the experiments.
Through the use of controlled experiments, it was concluded that the analysis system is successful in establishing key characteristics of ransomware. Moreover, the characteristics established were implemented within the detection system, which was subsequently successful in detecting them via Snort and OSSEC. In addition, the evaluation identified that a SIEM tool such as Splunk can make a significant difference when analysing security logs from multiple sources. Finally, the dissertation concludes by establishing that the systems presented are viable approaches to tackling ransomware, and would prove useful to security professionals in securing their networks against such attacks.