Machine learning or behaviour heuristics? The synergy of approaches to defeat advanced ransomware threats

Abstract

This paper focuses on a successful and fruitful combination of machine learning (ML)-based approach and heuristics-based approach in the case of Advanced Ransomware Defence, where the advanced ransomware is the ransomware that maliciously exploits the trusted context of execution, so it is the case of ransomware injection into well-known trusted processes, system services, that are used for the disguise of the malicious encryption. ML is used for malicious or benign classification of call stacks that match injections into trusted processes. The heuristics-based technique is based in our case on just one of the examples of injections, using such API as CreateRemoteThread and WriteProcessMemory. This approach has been used with good results to the case of Ryuk ransomware, one of the deadliest malware weapons. We show how the ML helps to find those call stacks which match malicious injections with high probability. Then we augment the results of the ML classifier with the special detection of threads, created in the trusted process, using other sensors, including kernel drivers. This combination provides the maximum accuracy and the ability to remediate the attack. This paper also presents the architectural materials as well as the links and references to the hands-on demonstration of collecting suspicious stacks. We also show how to use ML decisions and pair these decisions with the thread creation events as the sensor examples. The links with demonstrations use the execution of the real-world Ryuk malware strain. The analysis of the events flow is also shown in the kernel debugger coupled with the case analysis with the help of other tools like Process monitor.