Comparing Ransomware using TLSH and @DisCo Analysis Frameworks

Title: Comparing Ransomware using TLSH and @DisCo Analysis Frameworks
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Cooley, Rafer, Cutshaw, Michael, Wolf, Shaya, Foster, Rita, Haile, Jed, Borowczak, Mike
Conference Name: 2021 IEEE International Conference on Big Data (Big Data)
Date Published: Dec
Keywords: Big Data, Conferences, Feeds, Fuzzy Cryptography, Intermediate Representation, Locality-Sensitive Hash, Metrics, pubcrawl, ransomware, resilience, Resiliency, Scalability, threat indicators
Abstract: Modern malware indicators utilized by the current top threat feeds are easily bypassed and generated through enigmatic methods, leading to a lack of detection capabilities for cyber defenders. Static hash-based algorithms such as MD5 or SHA generate indicators that are rendered obsolete by modifying a single byte of the source file. Conversely, fuzzy hash-based algorithms such as SSDEEP and TLSH are more robust to alterations of source information; however, these methods often utilize context boundaries that are hard to define or not based on meaningful information. In previous work, a custom binary analysis tool was created called @DisCo. In this study, four current ransomware campaigns were analyzed using TLSH fuzzy hashing and the @DisCo tool. While TLSH works on the binary level of the entire program, @DisCo works at an intermediate function level. The results from each analysis method were compared to provide validation between the two as well as introduce a narrative for using combinations of these types of methods for the creation of stronger indicators of compromise.
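The abstract's central contrast (a one-byte edit invalidates an MD5/SHA indicator but barely moves a locality-sensitive hash) can be shown directly. The block below is an added example and is not code from the paper, from TLSH or from @DisCo: it implements a deliberately small TLSH-style hash (5-byte sliding window, Pearson-hashed byte triplets counted into buckets, 2-bit quartile coding, digest distance as summed code differences) and runs it beside SHA-256 on constructed sample bytes. The sample "binaries" are seeded pseudo-random data, not ransomware, and the bucket count, permutation table and distance scale are this example's own choices; for real indicators use the actual TLSH implementation (for example the py-tlsh package), whose digest format and distance numbers are different.

```python
"""Added example: why a byte flip defeats SHA-256 matching but not a fuzzy hash.

The locality-sensitive hash below is a toy in the style of TLSH (sliding
window, Pearson-hashed byte triplets, quartile-coded buckets). It is NOT TLSH
and NOT @DisCo; its parameters and distance scale are assumptions.
"""
import hashlib
import random

BUCKETS = 64   # toy size; real TLSH uses 128 or 256 buckets
WINDOW = 5     # sliding window length, as in TLSH

# Byte permutation for Pearson hashing: a seeded shuffle constructed here,
# not TLSH's table.
_PERM = list(range(256))
random.Random(2021).shuffle(_PERM)


def _pearson(salt, a, b, c):
    """Pearson-hash a salted byte triplet to a bucket index."""
    h = _PERM[salt]
    for x in (a, b, c):
        h = _PERM[h ^ x]
    return h % BUCKETS


def bucket_counts(data: bytes) -> list:
    """Count salted triplets taken from every 5-byte window of data."""
    counts = [0] * BUCKETS
    for i in range(WINDOW - 1, len(data)):
        w = data[i - WINDOW + 1:i + 1]   # w[4] is the newest byte
        # Six triplets per window with distinct salts (TLSH also uses six).
        for salt, a, b, c in ((2, w[4], w[3], w[2]), (3, w[4], w[3], w[1]),
                              (5, w[4], w[2], w[1]), (7, w[4], w[3], w[0]),
                              (11, w[4], w[2], w[0]), (13, w[4], w[1], w[0])):
            counts[_pearson(salt, a, b, c)] += 1
    return counts


def lsh_digest(data: bytes) -> str:
    """Quartile-code every bucket into 2 bits; 64 buckets -> 32 hex chars."""
    counts = bucket_counts(data)
    ordered = sorted(counts)
    q1, q2, q3 = (ordered[BUCKETS // 4 - 1], ordered[BUCKETS // 2 - 1],
                  ordered[3 * BUCKETS // 4 - 1])
    codes = [0 if c <= q1 else 1 if c <= q2 else 2 if c <= q3 else 3
             for c in counts]
    body = bytearray()
    for i in range(0, BUCKETS, 4):
        byte = 0
        for code in codes[i:i + 4]:
            byte = (byte << 2) | code
        body.append(byte)
    return body.hex()


def lsh_distance(d1: str, d2: str) -> int:
    """Sum of per-bucket code differences (0 = identical, larger = less alike)."""
    dist = 0
    for x, y in zip(bytes.fromhex(d1), bytes.fromhex(d2)):
        for shift in (6, 4, 2, 0):
            dist += abs(((x >> shift) & 3) - ((y >> shift) & 3))
    return dist


def build_sample(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for a binary: seeded pseudo-random bytes, not malware."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """The single-byte edit that renders an exact-hash indicator obsolete."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


def compare(original: bytes, variant: bytes) -> dict:
    """Exact-hash verdict next to fuzzy-hash distance for the same pair."""
    return {
        "sha256_changed": hashlib.sha256(original).digest()
                          != hashlib.sha256(variant).digest(),
        "lsh_distance": lsh_distance(lsh_digest(original), lsh_digest(variant)),
    }


if __name__ == "__main__":
    base = build_sample(1)
    print("one byte flipped:", compare(base, flip_one_byte(base, 1000)))
    print("unrelated sample:", compare(base, build_sample(2)))
```

Running it shows the two regimes the abstract describes: SHA-256 reports the flipped sample as a different file outright, while the fuzzy digest of the flipped sample sits a few units from the original and the unrelated sample sits far away. The quartile coding is what makes this work: a single edit moves at most a few dozen triplet counts out of tens of thousands, so only buckets already sitting at a quartile boundary change their 2-bit code. Note also the abstract's caveat: which bytes end up in which bucket is decided by the window and salt choices, not by anything meaningful in the program, which is the gap the paper's function-level @DisCo analysis is meant to complement.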
DOI: 10.1109/BigData52589.2021.9671573
Citation Key: cooley_comparing_2021