How to build an effective open source ransomware protective framework
Abstract
Security solutions employ various methods to detect ransomware, yet many attacks still occur daily, slipping under the radar. This talk demonstrates how to build an effective ransomware detection framework, particularly useful when detection using specific rules or signatures in EDR/AV systems fails. The presentation begins with a brief overview of the common encryption methods ransomware uses to encrypt files, followed by a discussion of generic heuristics to counter these threats. The detection framework relies on a scoring system: as file modification events are recorded, the framework evaluates each one against a set of heuristics. Each event may add to the score of the process that produced it, weighted by how anomalous the event is. If the score surpasses a certain threshold, the process responsible for the events is deemed malicious.

Speaker Bio: Ayoub Faouzi is an Endpoint Software Engineer at Elastic. His past work includes malware reverse engineering and behavior detection. His current interests include low-level malware analysis, with a focus on detection and prevention.
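The scoring scheme the abstract outlines, as an added illustration that is not the talk's or Elastic's code: file-modification events are fed to a per-process scorer, each event is checked against a few generic heuristics, every hit adds a weight to the process's score, and the process is flagged the first time its score crosses a threshold. The heuristics (high-entropy writes, extension changes to an uncommon extension, a burst of distinct files touched in a short window, a low-entropy file named like a ransom note), their weights, the threshold and the sample events are all assumptions chosen for illustration; the event telemetry is constructed inline rather than captured from a real system.

```python
"""Toy ransomware behaviour scorer (added example; heuristics and weights are assumptions)."""
import math
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileEvent:
    pid: int                 # process that performed the write/rename
    path: str                # path after the operation
    old_ext: Optional[str]   # None for newly created files
    new_ext: str
    data: bytes              # bytes written (a prefix is enough in practice)
    ts: float                # seconds


# Assumed weights; a real deployment tunes these against benign telemetry.
WEIGHTS = {
    "high_entropy": 3,       # written bytes look encrypted or compressed
    "extension_change": 2,   # file renamed to a different extension
    "unknown_extension": 1,  # ... and the new extension is not a common one
    "many_files": 4,         # burst of distinct files touched by one process
    "ransom_note": 5,        # low-entropy text file named like a ransom note
}
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".bak"}
RANSOM_NOTE_WORDS = ("decrypt", "recover", "ransom", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written data; 8.0 means a uniform byte histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareScorer:
    def __init__(self, threshold: int = 25, window: float = 5.0, file_burst: int = 5):
        self.threshold = threshold
        self.window = window            # seconds over which distinct files are counted
        self.file_burst = file_burst    # distinct files in the window that count as a burst
        self.scores = defaultdict(int)  # pid -> accumulated score
        self.recent = defaultdict(list) # pid -> [(ts, path)] within the window
        self.burst_fired = set()        # pids whose burst heuristic already fired
        self.flagged = set()            # pids deemed malicious

    def heuristics(self, ev: FileEvent) -> list:
        """Return the names of the heuristics this event triggers."""
        hits = []
        ent = shannon_entropy(ev.data)
        if ent >= 7.0:
            hits.append("high_entropy")
        if ev.old_ext is not None and ev.new_ext != ev.old_ext:
            hits.append("extension_change")
            if ev.new_ext not in KNOWN_EXTS:
                hits.append("unknown_extension")
        name = os.path.basename(ev.path).lower()
        if ent < 5.0 and any(w in name for w in RANSOM_NOTE_WORDS):
            hits.append("ransom_note")
        # Sliding window of distinct paths touched by this pid.
        recent = self.recent[ev.pid]
        recent.append((ev.ts, ev.path))
        recent[:] = [(t, p) for t, p in recent if ev.ts - t <= self.window]
        distinct = len({p for _, p in recent})
        if distinct >= self.file_burst and ev.pid not in self.burst_fired:
            self.burst_fired.add(ev.pid)
            hits.append("many_files")
        return hits

    def process(self, ev: FileEvent) -> bool:
        """Score one event; True the first time the process crosses the threshold."""
        hits = self.heuristics(ev)
        self.scores[ev.pid] += sum(WEIGHTS[h] for h in hits)
        if self.scores[ev.pid] >= self.threshold and ev.pid not in self.flagged:
            self.flagged.add(ev.pid)
            return True
        return False


def sample_events() -> list:
    """Constructed telemetry: pid 100 edits one text file; pid 200 overwrites six
    documents with high-entropy data, renames them, and drops a ransom note."""
    benign = b"meeting notes: discuss q3 roadmap\n" * 8
    encrypted = bytes(range(256)) * 4  # uniform byte histogram -> 8.0 bits/byte
    note = b"Your files have been encrypted. Contact us to recover them.\n"
    events = [FileEvent(100, "/home/u/notes.txt", ".txt", ".txt", benign, t)
              for t in (0.0, 1.0, 2.0)]
    for i in range(6):
        events.append(FileEvent(200, f"/home/u/docs/report{i}.locked", ".docx",
                                ".locked", encrypted, 10.0 + i * 0.2))
    events.append(FileEvent(200, "/home/u/docs/HOW_TO_DECRYPT.txt", None, ".txt", note, 11.5))
    return events


def analyze(events: list, threshold: int = 25):
    """Run the scorer over events; return (scores by pid, set of flagged pids)."""
    scorer = RansomwareScorer(threshold=threshold)
    for ev in events:
        scorer.process(ev)
    return dict(scorer.scores), scorer.flagged


if __name__ == "__main__":
    scores, flagged = analyze(sample_events())
    for pid, score in scores.items():
        print(f"pid {pid}: score {score}{' FLAGGED' if pid in flagged else ''}")
```

With the assumed weights, each overwrite-and-rename event is worth 6 points, so the ransomware process reaches the threshold of 25 on its fifth file (score 34, once the burst heuristic adds its 4), before the ransom note is even written; the benign editor never scores. The point of the weighted-sum design is that no single heuristic has to be decisive: a backup tool that renames many files, or an archiver that writes high-entropy data, trips one heuristic each but not the combination, and the threshold is where an operator trades false positives against how many files are lost before the process is stopped.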