Unveiling the Evolution

Analysing Generational Variances in Malware Families


Abstract

The evolution of malware presents an ever-growing challenge to cybersecurity, impacting individuals, organisations, and nations alike. As malicious actors continue to adapt their tactics to bypass security measures, it becomes imperative to understand the evolutionary patterns of malware to stay ahead in the ongoing arms race between defenders and attackers. The complexity and sophistication of modern malware pose significant difficulties in detection and mitigation, making it crucial to unravel its evolving nature to enhance the existing defensive capabilities.

This research focuses on studying the evolutionary dynamics of malware, examining how variants emerge to circumvent existing security measures. Understanding the mechanisms through which malware evolves makes it possible to identify common patterns and develop strategies to predict the behaviour of certain malware. This work mainly encompasses Windows ransomware, particularly the Conti family, with an additional examination of the WannaCry and Ryuk families. The analysis was conducted primarily by applying dynamic malware analysis techniques to the samples. A total of 143 true-positive Conti samples, alongside 75 WannaCry and 21 Ryuk samples, were collected from reputable sources such as VX-Underground and Malware Bazaar. By utilising the ANY.RUN interactive sandbox for dynamic behavioural analysis, malware samples can be executed in a controlled environment, and real-time behaviours, such as file modifications or registry changes, can be collected to discern the malware's underlying functionality and potential impact. In addition, the results obtained from VirusTotal, a widely used online malware scanning platform, are considered to gain insight into the detection status of the analysed samples across multiple antivirus engines. Finally, Microsoft Defender Antivirus is utilised to classify the variants and eliminate false positives as far as possible. The tactics and techniques outlined in the MITRE ATT&CK Matrix are used to assess sample behaviour. This framework provides valuable insights into the observed behaviour of samples and the methods employed to achieve specific objectives.

The results answer the question "How do different variants of the malware families succeed in bypassing security measures?" by splitting it into three smaller questions. Overall, it can be observed that different ransomware families share common traits, but differences over time, between variants and between families can be seen. Some differences depend on the version of the operating system on which the malware is executed. Malware evolves, and the choices of the malware authors are reflected in their malware's behaviour and structure. Some changes persist, whereas others are quickly replaced by new approaches. By understanding the evolution and analysing the patterns that emerge, we can build our defences in a way that anticipates incoming threats and creates a safer space for everyone.
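To make this kind of comparison concrete, the following is an added example written for this page, not code or data from the thesis: it takes constructed behaviour profiles, expressed as the set of ATT&CK technique IDs observed per variant in the sandbox, and computes what persists within a family, what is added or dropped between consecutive variants, and what is shared across families. The technique IDs are real ATT&CK identifiers, but their assignment to the variants is invented for illustration.

```python
# Added example (not from the thesis): compare constructed ATT&CK behaviour
# profiles across ransomware variants and families. Technique IDs are real
# ATT&CK identifiers; the assignment of techniques to variants is invented.

# Constructed data: (family, variant) -> set of ATT&CK technique IDs observed.
PROFILES = {
    ("Conti", "v1"): {"T1486", "T1490", "T1083", "T1135"},
    ("Conti", "v2"): {"T1486", "T1490", "T1083", "T1135", "T1562.001"},
    ("Conti", "v3"): {"T1486", "T1490", "T1083", "T1562.001", "T1021.002"},
    ("WannaCry", "v1"): {"T1486", "T1210", "T1105", "T1083"},
    ("Ryuk", "v1"): {"T1486", "T1490", "T1083", "T1047", "T1562.001"},
}


def jaccard(a, b):
    """Similarity of two technique sets (1.0 = identical, 0.0 = disjoint)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def variants_of(family):
    """Variants of a family in order. Ordered by label here; a real study
    would order by first-seen date of the samples."""
    return sorted((v, s) for (fam, v), s in PROFILES.items() if fam == family)


def family_profile(family):
    """Union of techniques seen in any variant of the family."""
    return set().union(*(s for _, s in variants_of(family)))


def persistent_techniques(family):
    """Techniques present in every variant: the family's stable core."""
    sets = [s for _, s in variants_of(family)]
    return set.intersection(*sets) if sets else set()


def variant_deltas(family):
    """(prev, next, added, dropped) for each consecutive pair of variants."""
    ordered = variants_of(family)
    return [(vp, vn, sn - sp, sp - sn)
            for (vp, sp), (vn, sn) in zip(ordered, ordered[1:])]


def shared_across_families():
    """Traits common to every family studied."""
    fams = {fam for fam, _ in PROFILES}
    return set.intersection(*(family_profile(f) for f in fams))


def cross_family_similarity():
    """Pairwise Jaccard between family profiles, keyed by sorted family pair."""
    fams = sorted({fam for fam, _ in PROFILES})
    return {(a, b): round(jaccard(family_profile(a), family_profile(b)), 3)
            for i, a in enumerate(fams) for b in fams[i + 1:]}
```

Feeding real per-sample technique sets exported from the sandbox reports into `PROFILES` turns the same functions into the persistence, drift and cross-family comparison the abstract describes.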