Deobfuscate Ransomware through Cluster Analysis

Cluster analysis for deobfuscation of malware variants during ransomware attacks

Anthony Arrott, CheckVir
Arun Lakhotia, Cythereal
Ferenc Leitold, Veszprog
Charles LeDoux, Cythereal


Risk managers attempting to reduce cyber-security vulnerability in enterprise IT networks rely on the “malware detection rate” as a primary measure at each layer of protection (e.g., network firewalls, breach detection systems, secure mail-servers, endpoint security suites). However, to be directly usable in risk assessments, separate malware detection rates are required for different malware categories that are quantitatively related to specific impacts of infection. A three-tier hierarchy of malware classification is formulated to assist cyber-risk decision-making. Malware is first categorized by victim impact (e.g., adware, data exfiltration, ransomware); second by malware technique (e.g., malware families), and third by evasion and obfuscation variants within individual malware families (e.g., polymorphs, metamorphs). The three-tier hierarchy is applied to a specific vertical: ransomware (impact); ransomware family (technique); and malware binary variants within one family, WannaCry (obfuscation and evasion).
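Why a single aggregate detection rate is not enough for risk assessment is easiest to see on numbers. The following Python example is added here and is not code from the paper: it labels each binary with the three-tier hierarchy (impact / family / variant) and computes a detection rate per category at each tier. The corpus, its verdicts, the family names other than WannaCry and the tuple encoding of the tiers are constructed assumptions for illustration only.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One malware binary with its three-tier label and one layer's verdict."""
    sha256: str     # constructed placeholder id, not a real hash
    impact: str     # tier 1: victim impact (ransomware, adware, ...)
    family: str     # tier 2: technique, i.e. the malware family
    variant: str    # tier 3: obfuscation or evasion variant within the family
    detected: bool  # did the protection layer under test flag it?


# Hypothetical verdicts from one protection layer (e.g. an endpoint suite)
# over a constructed corpus. All values are invented for illustration.
CORPUS = [
    Sample("a1", "ransomware", "WannaCry", "unpacked", True),
    Sample("a2", "ransomware", "WannaCry", "unpacked", True),
    Sample("a3", "ransomware", "WannaCry", "unpacked", True),
    Sample("b1", "ransomware", "WannaCry", "packed", True),
    Sample("b2", "ransomware", "WannaCry", "packed", False),
    Sample("b3", "ransomware", "WannaCry", "packed", False),
    Sample("c1", "ransomware", "Locky", "unpacked", True),
    Sample("c2", "ransomware", "Locky", "unpacked", True),
    Sample("d1", "adware", "GenericAdware", "unpacked", True),
    Sample("d2", "adware", "GenericAdware", "unpacked", False),
]

# Each tier's grouping key includes the tiers above it, so a family is
# always read in the context of its impact and a variant in the context
# of its family (assumed encoding, not the paper's).
TIER_KEYS = {
    "impact":  lambda s: (s.impact,),
    "family":  lambda s: (s.impact, s.family),
    "variant": lambda s: (s.impact, s.family, s.variant),
}


def overall_rate(samples):
    """The single aggregate detection rate a datasheet would quote."""
    samples = list(samples)
    return sum(s.detected for s in samples) / len(samples)


def detection_rates(samples, tier):
    """Detection rate per category at one tier of the hierarchy."""
    key = TIER_KEYS[tier]
    hits, total = defaultdict(int), defaultdict(int)
    for s in samples:
        total[key(s)] += 1
        hits[key(s)] += int(s.detected)
    return {k: hits[k] / total[k] for k in total}


def below_threshold(samples, tier, threshold):
    """Categories at `tier` whose detection rate is under `threshold`."""
    rates = detection_rates(samples, tier)
    return sorted(k for k, r in rates.items() if r < threshold)


if __name__ == "__main__":
    print(f"overall: {overall_rate(CORPUS):.2f}")
    for tier in ("impact", "family", "variant"):
        for k, r in sorted(detection_rates(CORPUS, tier).items()):
            print(f"{tier:8} {'/'.join(k):38} {r:.2f}")
    print("weak variants:", below_threshold(CORPUS, "variant", 0.5))
```

On this constructed corpus the aggregate rate is 0.70 and the ransomware rate 0.75, but descending to the variant tier exposes that packed WannaCry binaries are caught only one time in three; that is the number a risk manager needs, and it is invisible at the upper tiers.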

Full Citation: Arrott, Anthony, Arun Lakhotia, Ferenc Leitold, and Charles LeDoux. “Cluster analysis for deobfuscation of malware variants during ransomware attacks.” In 2018 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA), pp. 1-9. IEEE, 2018.

Link to Research Paper: