Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence
IEEE Transactions on Emerging Topics in Computing (IF 5.1), Pub Date: 2020-04-01, DOI: 10.1109/tetc.2017.2756908
Sajad Homayoun , Ali Dehghantanha , Marzieh Ahmadzadeh , Sattar Hashemi , Raouf Khayami

The emergence of crypto-ransomware has significantly changed the cyber threat landscape. A crypto-ransomware removes data custodian access by encrypting valuable data on victims' computers and requests a ransom payment to re-instantiate custodian access by decrypting the data. Timely detection of ransomware very much depends on how quickly and accurately system logs can be mined to hunt abnormalities and stop the evil. In this paper we first set up an environment to collect activity logs of 517 Locky ransomware samples, 535 Cerber ransomware samples and 572 samples of TeslaCrypt ransomware. We utilize Sequential Pattern Mining to find Maximal Frequent Patterns (MFP) of activities within different ransomware families as candidate features for classification using J48, Random Forest, Bagging and MLP algorithms. We could achieve 99 percent accuracy in detecting ransomware instances from goodware samples and 96.5 percent accuracy in detecting the family of a given ransomware sample. Our results indicate the usefulness and practicality of applying pattern mining techniques to the detection of good features for ransomware hunting. Moreover, we showed the existence of distinctive frequent patterns within different ransomware families which can be used to identify the family of a ransomware sample, building intelligence about threat actors and the threat profile of a given target.
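As an added worked example (not the paper's code or data), the sketch below shows the pipeline the abstract describes: level-wise sequential pattern mining over per-sample activity logs, reduction of the frequent sequences to Maximal Frequent Patterns, and conversion of those patterns into binary features that a classifier such as J48 or Random Forest could consume. The event names, the eight constructed traces, the support threshold and the maximum pattern length are all assumptions chosen for illustration; the paper's own logs, thresholds and mining implementation are not reproduced here.

```python
"""Maximal frequent sequential patterns as ransomware-hunting features.

Added example, not the paper's code. Activity traces below are constructed
placeholders (Windows-API-like event names) standing in for per-sample logs.
"""


def is_subsequence(pattern, seq):
    """True when every event of `pattern` occurs in `seq` in the same order,
    gaps allowed: the containment relation used in sequential pattern mining."""
    it = iter(seq)
    return all(event in it for event in pattern)


def support(pattern, sequences):
    """Number of sequences that contain `pattern` as a subsequence."""
    return sum(1 for s in sequences if is_subsequence(pattern, s))


def frequent_patterns(sequences, min_support, max_len):
    """Level-wise (Apriori/GSP-style) enumeration. Every prefix of a frequent
    sequence is itself frequent, so each level extends the previous level's
    patterns by one event and prunes by support. Returns {pattern: support}."""
    events = sorted({e for s in sequences for e in s})
    found = {}
    level = []
    for e in events:
        sup = support((e,), sequences)
        if sup >= min_support:
            found[(e,)] = sup
            level.append((e,))
    while level and len(level[0]) < max_len:
        candidates = sorted({p + (e,) for p in level for e in events})
        level = []
        for c in candidates:
            sup = support(c, sequences)
            if sup >= min_support:
                found[c] = sup
                level.append(c)
    return found


def maximal_patterns(frequent):
    """Keep only Maximal Frequent Patterns: frequent sequences that have no
    longer frequent super-sequence. These are the candidate features."""
    return sorted(
        (p for p in frequent
         if not any(len(q) > len(p) and is_subsequence(p, q) for q in frequent)),
        key=lambda p: (-len(p), p))


def mine_mfps(sequences, min_support=3, max_len=5):
    """Convenience wrapper: frequent sequences -> list of MFP tuples."""
    return maximal_patterns(frequent_patterns(sequences, min_support, max_len))


def feature_vector(trace, mfps):
    """Binary feature vector for one trace: 1 if it contains the MFP, else 0."""
    return [int(is_subsequence(p, trace)) for p in mfps]


# Constructed traces (assumption): four ransomware-like and four benign logs.
RANSOMWARE_TRACES = [
    ("FindFirstFile", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile", "FindNextFile"),
    ("FindFirstFile", "ReadFile", "CryptEncrypt", "WriteFile", "MoveFile", "FindNextFile"),
    ("RegOpenKey", "FindFirstFile", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile"),
    ("FindFirstFile", "CryptGenKey", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile"),
]
BENIGN_TRACES = [
    ("CreateFile", "ReadFile", "WriteFile", "CloseHandle"),
    ("RegOpenKey", "RegQueryValue", "CreateFile", "ReadFile", "CloseHandle"),
    ("FindFirstFile", "FindNextFile", "ReadFile", "CloseHandle"),
    ("CreateFile", "WriteFile", "CloseHandle", "CreateProcess"),
]


def build_features(trace):
    """Feature vector over the union of per-class MFPs, ransomware MFPs first."""
    mfps = mine_mfps(RANSOMWARE_TRACES) + mine_mfps(BENIGN_TRACES)
    return feature_vector(trace, mfps)


if __name__ == "__main__":
    for label, traces in (("ransomware", RANSOMWARE_TRACES), ("benign", BENIGN_TRACES)):
        print(label, "MFPs:", mine_mfps(traces))
    print(build_features(("FindFirstFile", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile")))
```

With a support threshold of 3 out of 4 traces, the constructed ransomware logs collapse to a single five-event MFP (enumerate, read, encrypt, write, delete) while the benign logs yield two short patterns ending in CloseHandle; the binary vectors built from those patterns are the rows a classifier would be trained on. Mining per family rather than per class, as the paper does, is the same call on each family's traces.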

Updated: 2020-04-01