Publication Type : Journal Article
Url : https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4779064
Campus : Coimbatore
School : School of Engineering
Year : 2024
Abstract : Cyber adversaries use advanced tools and techniques to develop malware, specifically ransomware, to extort wealth from organizations and individuals. Cybersecurity researchers, sovereign governments, and federal agencies around the globe are continuously developing numerous methods to prevent, protect against, and recover from surging ransomware attacks. These attacks are often referenced using conventional labeling methods based on the ransomware family name, the trojans used, the system vulnerabilities exploited, the name of the victim organization, or the threat actor behind the attack. The use of such conventional labeling techniques often leads to the same ransomware being referenced under conflicting aliases. This inconsistent nomenclature prevents researchers from obtaining a federated view of ransomware characteristics during an investigation, and it also hinders the development of effective solutions against ransomware attacks because unified behavioral information is lacking. The proposed method focuses on developing a novel semantic model that uniquely represents the behavioral characteristics of ransomware. The semantic model addresses the shortcomings of inconsistent ransomware nomenclature and supports better ransomware traceability. This is achieved by formally representing, in a semantic model, the high-level adversarial tactics, the chain of behaviors, and the system-level atomic operations of ransomware. The behavioral characteristics are obtained from live Windows-based crypto-ransomware samples analyzed in a sophisticated hybrid testbed. The proposed model is designed to be interoperable with other standard external knowledge bases. The semantic organization of harmonized, high-fidelity knowledge integrated from heterogeneous sources supports precise, context-aware search for information retrieval. The methodology promises potential applications such as discovering inferred relationships among ransomware behavioral characteristics, as well as the sharing of, and collaboration on, malware domain knowledge.
Cite this Research Publication : Gowtham Ramesh, Anand R. Nair, Ontology-Driven Behavioral Model for Ransomware Traceability, 2024.