You Have 24 Hours to Comply: Lessons Learned from Implementing a Behavioral Ransomware Detection Framework

  • Monday, 12 Jun 2017 10:30AM EDT (12 Jun 2017 14:30 UTC)
  • Speaker: Mark Mager

There was an unprecedented rise in the development and deployment of ransomware in 2016. The most common form of ransomware encrypts a user's files in the hope of obtaining a Bitcoin ransom payment in exchange for the means to decrypt the affected files. Static detection of this type of ransomware through traditional anti-virus approaches has typically had mixed results because of the unique characteristics of individual samples and the rapid evolution of ransomware families. Behavioral detection methods have shown considerable promise as an effective means of generically detecting ransomware at runtime with minimal data loss. This talk will detail an effective behavioral detection method with some novel components and provide an overview of the trials and tribulations I've endured while on the path to implementing this Windows ransomware detection framework.
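The abstract refers to behavioral detection at runtime without saying which behaviors are watched. The following is an added illustration, not the speaker's framework or any code from the talk: it feeds a constructed stream of file-system events (writes and renames, tagged with a PID and timestamp) through a detector that scores two signals commonly used in this class of detector, a previously low-entropy file being overwritten with near-random bytes and a file being renamed to an extension outside an allow-list, counts them in a sliding per-process window, and records how many files the offending process had already written when the alert fired, which is the "data loss" a behavioral detector is trying to minimize. All paths, PIDs, thresholds and file contents are made up for the demo; the random bytes stand in for ciphertext.

```python
"""Toy behavioral ransomware detector run over a constructed file-event stream.
Added illustration, not the talk's framework; paths, PIDs, thresholds and contents are made up."""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set

HIGH_ENTROPY = 7.0      # bits/byte; encrypted (and compressed) data sits near 8.0
LOW_ENTROPY = 6.0       # bits/byte; documents and text sit well below this
WINDOW_SECONDS = 5.0    # sliding window per process
ALERT_THRESHOLD = 3     # suspicious events inside the window before alerting
ALLOWED_EXTENSIONS = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "zip"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

@dataclass
class FileEvent:
    ts: float
    pid: int
    op: str             # "write" (data = new contents) or "rename" (new_path = target)
    path: str
    data: bytes = b""
    new_path: str = ""

@dataclass
class Alert:
    pid: int
    ts: float
    files_touched: int  # distinct files the process wrote before it was flagged

@dataclass
class ProcessState:
    suspicious: Deque[float] = field(default_factory=deque)   # timestamps in window
    files_written: Set[str] = field(default_factory=set)

class BehavioralDetector:
    def __init__(self) -> None:
        self.entropy_by_path: Dict[str, float] = {}
        self.procs: Dict[int, ProcessState] = defaultdict(ProcessState)
        self.alerts: List[Alert] = []

    def baseline(self, path: str, data: bytes) -> None:
        """Record the entropy of a file that already exists when monitoring starts."""
        self.entropy_by_path[path] = shannon_entropy(data)

    def feed(self, ev: FileEvent) -> Optional[Alert]:
        st = self.procs[ev.pid]
        suspicious = False
        if ev.op == "write":
            h = shannon_entropy(ev.data)
            prev = self.entropy_by_path.get(ev.path)
            # Signal 1: low-entropy content replaced by near-random content. A brand-new
            # high-entropy file (an archiver writing a .zip) has no predecessor: not counted.
            suspicious = prev is not None and prev < LOW_ENTROPY and h >= HIGH_ENTROPY
            self.entropy_by_path[ev.path] = h
            st.files_written.add(ev.path)
        elif ev.op == "rename":
            ext = ev.new_path.rsplit(".", 1)[-1].lower() if "." in ev.new_path else ""
            # Signal 2: the file gains an extension outside the allow-list (.locked, .crypt, ...).
            suspicious = ext not in ALLOWED_EXTENSIONS
            if ev.path in self.entropy_by_path:
                self.entropy_by_path[ev.new_path] = self.entropy_by_path.pop(ev.path)
        if suspicious:
            st.suspicious.append(ev.ts)
        while st.suspicious and ev.ts - st.suspicious[0] > WINDOW_SECONDS:
            st.suspicious.popleft()
        already_flagged = any(a.pid == ev.pid for a in self.alerts)
        if len(st.suspicious) >= ALERT_THRESHOLD and not already_flagged:
            self.alerts.append(Alert(ev.pid, ev.ts, len(st.files_written)))
            return self.alerts[-1]
        return None

def run_demo() -> List[Alert]:
    """Editor (pid 100), archiver (pid 200) and a ransomware-like process (pid 300)."""
    rng = random.Random(1)
    def rand(n: int) -> bytes:   # stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))
    det = BehavioralDetector()
    docs = [f"C:/Users/alice/Documents/report{i}.docx" for i in range(20)]
    for i, p in enumerate(docs):
        det.baseline(p, (f"Quarterly report {i}: revenue grew, costs were flat.\n" * 40).encode())
    events = [
        FileEvent(0.0, 100, "write", "C:/Users/alice/notes.txt", b"meeting notes\n" * 100),
        FileEvent(2.0, 200, "write", "C:/Users/alice/backup.zip", rand(4096)),
    ]
    for i, p in enumerate(docs):  # encrypt each document in place, then tag it with .locked
        t = 10.0 + 0.1 * i
        events.append(FileEvent(t, 300, "write", p, rand(4096)))
        events.append(FileEvent(t + 0.01, 300, "rename", p, new_path=p + ".locked"))
    for ev in events:
        det.feed(ev)
    return det.alerts
```

In the constructed scenario the editor and the archiver stay silent (the archiver's .zip is high-entropy but has no low-entropy predecessor, which is the usual false-positive trap for pure entropy checks), and pid 300 is flagged on its third suspicious event, after two of the twenty documents have been rewritten. A real implementation would sit in a kernel file-system filter rather than consume events after the fact, and the thresholds would need tuning against the host's normal workload.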

To learn more on this topic, attend the 10th annual SANS Digital Forensics & Incident Response (DFIR) Summit & Training. This training event brings together an influential group of experts, SANS training, and industry networking opportunities in one place. Over the course of this eight-day training event, you'll enjoy:

  • Highly technical digital forensics and incident response presentations from the industry's top practitioners during the two-day Summit
  • Nine SANS DFIR courses to choose from to advance your training, build your arsenal of defenses, and learn how to better protect your organization
  • The opportunity to network with fellow attendees at receptions and community-building events
  • A DFIR NetWars tournament to sharpen your skills and solve incident-related challenges