YARAMON: A Memory-based Detection Framework for Ransomware Families

Ransomware attacks have evolved to become more sophisticated, persistent and irreversible. In 2019, many high profile ransomware developers extorted high-value entities for money by encrypting their data and deleting any backup files. Once a system is infected with a crypto-ransomware attack, it will be tough to recover the victim's data unless a backup is available or the malware author shares the decryption key with the victim. Moreover, ransomware developers nowadays adopt new tactics and techniques to spread and evade detection. One of those techniques is packing in order to enhance their defensive mechanisms to avoid detection. This paper suggests a hybrid approach to detect packed ransomware samples based on scanning process memory dumps and dropped executable files using enhanced YARA rules framework. Through describing common ransomware artifacts using YARA rules, upon testing, the detection rate reached 97.9% of dumped files.