Build Ransomware Tracer: Build a tracer on top of the PyREbox sandbox to accurately record the execution trace of ransomware. The developed tracer has good transparency. It works on 100% of the MS Windows ransomware samples we have collected (>500 samples), as long as the sample's C2 server is still reachable.
Develop Replay Emulator to Detect Avalanche Effect: Replay the loops extracted from the execution trace to detect the avalanche effect. Each loop is replayed multiple times with different input bytes; the input bytes are located using an input-detection algorithm.
Evaluate Performance: Evaluate the tool on 10 ransomware samples from 10 distinct families. The tool detects the encryption loop in all of the samples, with zero false positives.
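The avalanche check behind the replay step, as an added illustration that is not the tool's own code: a replayed loop body is run on a sample input and on variants with one bit flipped, and the fraction of output bits that change is averaged. The two loop bodies, `copy_loop` and `mix_loop` (a toy ARX mixer), are constructed stand-ins for a benign file-copy loop and an encryption loop; the 0.4-0.6 band is an assumed threshold.

```python
import random

MASK32 = 0xFFFFFFFF


def copy_loop(data: bytes) -> bytes:
    """Stand-in for a benign loop (e.g. memcpy): output equals input."""
    return bytes(bytearray(data))


def mix_loop(data: bytes, key: int = 0x9E3779B9, rounds: int = 16) -> bytes:
    """Constructed toy ARX block mixer standing in for an encryption loop.
    Not a real cipher; it only needs to diffuse single-bit differences."""
    words = [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4)]
    for r in range(rounds):
        for i in range(len(words)):
            prev = words[i - 1]
            w = (words[i] + prev + key + r) & MASK32
            w = ((w << 7) | (w >> 25)) & MASK32   # rotate left by 7
            words[i] = w ^ prev
    return b"".join(w.to_bytes(4, "little") for w in words)


def bit_diff(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, idx: int) -> bytes:
    buf = bytearray(data)
    buf[idx // 8] ^= 1 << (idx % 8)
    return bytes(buf)


def avalanche_ratio(loop, sample: bytes, trials: int = 64, seed: int = 1) -> float:
    """Replay `loop` on `sample` and on `trials` single-bit variants; return the
    mean fraction of output bits that differ from the baseline output."""
    rng = random.Random(seed)
    base = loop(sample)
    out_bits = len(base) * 8
    total = 0.0
    for _ in range(trials):
        variant = flip_bit(sample, rng.randrange(len(sample) * 8))
        total += bit_diff(base, loop(variant)) / out_bits
    return total / trials


def looks_like_encryption(ratio: float, lo: float = 0.4, hi: float = 0.6) -> bool:
    """Assumed decision rule: roughly half the output bits flip per input bit."""
    return lo <= ratio <= hi


SAMPLE = bytes(range(16))   # constructed 16-byte input block
```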
Submitting/Under Review