


This webcast has been archived.

You Have 24 Hours to Comply: Lessons Learned from Implementing a Behavioral Ransomware Detection Framework

  • Monday, June 12, 2017 at 10:30 AM EDT (2017-06-12 14:30:00 UTC)
  • Mark Mager




There was an unprecedented rise in the development and deployment of ransomware in 2016. The most common form of ransomware is designed to encrypt a user's files in the hopes of obtaining a Bitcoin ransom payment in exchange for the means to decrypt the affected files. Static detection of this type of ransomware through traditional anti-virus approaches has typically had mixed results due to the unique characteristics of these samples and rapid evolution of ransomware families. Behavioral detection methods have shown a lot of promise as an effective means for generically detecting ransomware at runtime with minimal data loss. This talk will detail an effective behavioral detection method with some novel components and provide an overview of the trials and tribulations I've endured while on the path to implementing this Windows ransomware detection framework.

To learn more on this topic, attend the 10th annual SANS Digital Forensics & Incident Response (DFIR) Summit & Training. This training event brings together an influential group of experts, SANS training, and industry networking opportunities in one place. Over the course of this eight-day training event, you'll enjoy:

  • Highly technical digital forensics and incident response presentations from the industry's top practitioners during the two-day Summit
  • Nine SANS DFIR courses to choose from to advance your training, build your arsenal of defenses, and learn how to better protect your organization
  • The opportunity to network with fellow attendees at receptions and community-building events
  • A DFIR NetWars tournament to sharpen your skills and solve incident-related challenges

Speaker Bio

Mark Mager

Mark Mager is a Senior Malware Researcher for Endgame. Throughout his career in software engineering and computer security, he has served in prominent technical leadership roles in the research and development of advanced computer network operations tools and has provided malware analysis and reverse engineering subject matter expertise to a diverse range of government and commercial clients in the Washington, D.C. metropolitan area.
