WannaLaugh: A Configurable Ransomware Emulator -- Learning to Mimic Malicious Storage Traces
This addresses the problem of improving ransomware detection for cybersecurity professionals, though it is incremental as it builds on existing machine-learning approaches.
The paper tackles the challenge of detecting dynamic ransomware threats by introducing a configurable ransomware emulator that safely mimics attacks to generate storage I/O traces for training machine-learning models, resulting in effective ransomware detection.
Ransomware, a fearsome and rapidly evolving cybersecurity threat, continues to inflict severe consequences on individuals and organizations worldwide. Traditional detection methods, reliant on static signatures and application behavioral patterns, are challenged by the dynamic nature of these threats. This paper introduces three primary contributions to address this challenge. First, we introduce a ransomware emulator. This tool is designed to safely mimic ransomware attacks without causing actual harm or spreading malware, making it a unique solution for studying ransomware behavior. Second, we demonstrate how we use this emulator to create storage I/O traces. These traces are then utilized to train machine-learning models. Our results show that these models are effective in detecting ransomware, highlighting the practical application of our emulator in developing responsible cybersecurity tools. Third, we show how our emulator can be used to mimic the I/O behavior of existing ransomware thereby enabling safe trace collection. Both the emulator and its application represent significant steps forward in ransomware detection in the era of machine-learning-driven cybersecurity.