
Analysis and improvement of ransomware detection techniques

Marco Smorti

Analysis and improvement of ransomware detection techniques.

Supervisor: Cataldo Basile. Politecnico di Torino, Master's degree in Ingegneria Informatica (Computer Engineering), 2023

PDF (Tesi_di_laurea) - Thesis, 849 kB
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

Ransomware is malware that does not merely disrupt the normal behavior of a single system: the most sophisticated families attack entire networks, causing service interruption mainly through data encryption that renders the data unusable, which for a company usually translates into financial loss. Backups are essential, but the goal is not only to recover from the incident: it is also to detect the attack as early as possible and to stop it. Since ransomware leaves traces in network traffic, we want to exploit those traces to perform the actual detection. The thesis first introduces ransomware and analyzes the most widespread ransomware families in Italy in 2022. After establishing what the existing network intrusion detection system (the one to be improved) already detected, the next step was to analyze existing network traffic captures that recorded a ransomware attack in progress. This served to understand the reports generated by Zeek, a network traffic analyzer that takes raw traffic captures as input and produces several kinds of logs, but those existing captures were not sufficient to perform the actual detection. Because real ransomware is too dangerous to run intentionally even in a testing environment, an ad-hoc ransomware was written in Python, adopting an encryption technique different from those of the popular families that the system already detects. Since this ransomware was not detected by the existing network intrusion detection system, it was used to simulate a network attack with virtual machines and the SMB protocol, with the traffic recorded by Wireshark for later analysis. The analysis and detection were then implemented with the Java-based Spring framework.
The detection starts from the Zeek reports generated from the raw traffic captures and is based on the frequency of SMB operations over time, with percentiles computed on past traffic used as thresholds for detection in newly analyzed traffic. Since this was developed on a simulation, the resulting code was then adapted to the real implementation in the network intrusion detection system, which takes the real traffic it receives as input.
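The abstract describes the detection method only in outline (operation frequency over time, percentile thresholds from past traffic). The following is an added illustration of that idea, not the thesis' code, which is written in Java with Spring, and not Zeek's or aizoOn's code. It reads a constructed Zeek smb_files.log (reduced column set; the action names are Zeek's), counts file-modifying SMB operations per client and 60-second window, takes the 95th percentile of the per-window counts from baseline traffic as the threshold, and flags windows in a new capture that exceed it. The window length, the percentile, the set of actions counted and the sample records are all assumptions made for the example.

```python
"""Added example: frequency-of-SMB-operations detection with a percentile threshold.
Not the thesis' implementation (which uses Java/Spring); window size, percentile,
counted actions and all sample records are assumptions for this illustration."""
import math
from collections import Counter

WINDOW_SECONDS = 60.0   # bucket length (assumed; not stated in the abstract)
PERCENTILE = 95         # baseline percentile used as the threshold (assumed)
# File-modifying actions that mass encryption over a share drives up (assumed set;
# the names are the values Zeek writes in smb_files.log).
NOISY_ACTIONS = {"SMB::FILE_WRITE", "SMB::FILE_RENAME", "SMB::FILE_DELETE"}
# Reduced column set of smb_files.log used by the constructed records below.
FIELDS = ["ts", "uid", "id.orig_h", "id.resp_h", "action", "name"]


def zeek_tsv(rows):
    """Serialise constructed records in Zeek's tab-separated log layout."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
    lines += ["\t".join(str(v) for v in row) for row in rows]
    lines.append("#close")
    return "\n".join(lines)


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by the names in its #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def ops_per_window(records):
    """Count noisy SMB actions per (client IP, window start); idle windows are absent."""
    counts = Counter()
    for r in records:
        if r["action"] in NOISY_ACTIONS:
            start = math.floor(float(r["ts"]) / WINDOW_SECONDS) * WINDOW_SECONDS
            counts[(r["id.orig_h"], start)] += 1
    return counts


def percentile(values, p):
    """Nearest-rank percentile of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def threshold_from_baseline(baseline_records):
    """Threshold = PERCENTILE-th percentile of per-window counts seen in past traffic."""
    return percentile(list(ops_per_window(baseline_records).values()), PERCENTILE)


def detect(baseline_records, new_records):
    """Return (client, window_start, count) for new windows above the baseline threshold."""
    limit = threshold_from_baseline(baseline_records)
    return [(host, start, n)
            for (host, start), n in sorted(ops_per_window(new_records).items())
            if n > limit]


# Constructed baseline: one client doing ordinary work for 20 minutes
# (one open plus one to three writes per minute on the same document).
_base = []
for w in range(20):
    t0 = 1672531200 + w * 60
    _base.append((f"{t0:.2f}", f"Cb{w}", "10.0.0.5", "10.0.0.10", "SMB::FILE_OPEN", "report.docx"))
    for k in range(1 + w % 3):
        _base.append((f"{t0 + 5 + k * 7:.2f}", f"Cb{w}", "10.0.0.5", "10.0.0.10",
                      "SMB::FILE_WRITE", "report.docx"))
BASELINE_LOG = zeek_tsv(_base)

# Constructed new capture: the same client rewrites and renames 20 files within
# one minute (the encrypt-then-rename pattern), then goes quiet.
_new = []
for i in range(20):
    t = 1672599960 + i * 1.5
    _new.append((f"{t:.2f}", "Ca0", "10.0.0.5", "10.0.0.10", "SMB::FILE_WRITE", f"doc{i}.txt"))
    _new.append((f"{t + 0.5:.2f}", "Ca0", "10.0.0.5", "10.0.0.10", "SMB::FILE_RENAME", f"doc{i}.txt.locked"))
_new.append(("1672600300.00", "Ca1", "10.0.0.5", "10.0.0.10", "SMB::FILE_WRITE", "notes.txt"))
NEW_LOG = zeek_tsv(_new)

if __name__ == "__main__":
    baseline = parse_zeek_log(BASELINE_LOG)
    print("threshold:", threshold_from_baseline(baseline))
    for host, start, n in detect(baseline, parse_zeek_log(NEW_LOG)):
        print(f"ALERT {host} window={start:.0f} ops={n}")
```

Two caveats a practitioner would add before using something like this on real traffic: the threshold is computed only over windows in which the client was active, so a baseline full of idle minutes does not drag it down, and a busy legitimate job (a backup or a bulk copy) can cross the same threshold, which is why a rename-to-new-extension pattern is worth counting separately from plain writes.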

Supervisor: Cataldo Basile
Academic year: 2022/23
Publication type: Electronic
Number of pages: 74
Subjects:
Degree programme: Master's degree in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA (Computer Engineering)
Partner companies: aizoOn
URI: http://webthesis.biblio.polito.it/id/eprint/26631