Abstract
The primary objective of this research is to propose a novel method for analysing malware with hashing techniques. The proposed approach combines Import Hash, Fuzzy Hash, and Section Level Fuzzy Hash (SLFH) into an optimised, efficient, and accurate technique for classifying ransomware families. To test the methodology, we collected a comprehensive dataset from reputable sources and manually labelled each sample to improve the reliability and precision of the analysis. While developing the methodology, we introduced new steps and conditions for identifying ransomware families, which yielded the highest classification performance. The major contributions of this research are the combination of several hashing techniques and a hash comparison strategy that compares the section hashes of a ransomware sample against a pre-built database.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Le, T.D., Le, B.L., Dinh, T.D., Pham, V.D. (2023). Classification of Ransomware Families Based on Hashing Techniques. In: Nguyen, N.T., Le-Minh, H., Huynh, CP., Nguyen, QV. (eds) The 12th Conference on Information Technology and Its Applications. CITA 2023. Lecture Notes in Networks and Systems, vol 734. Springer, Cham. https://doi.org/10.1007/978-3-031-36886-8_4
DOI: https://doi.org/10.1007/978-3-031-36886-8_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-36885-1
Online ISBN: 978-3-031-36886-8
eBook Packages: Intelligent Technologies and Robotics (R0)