You know, if the kernel of Windows was able to detect mass encryption at the filesystem level like RansomWhere on Mac does, much of this problem would evaporate. Then only exfiltration would be a viable threat vector.
Hi! I just wanted to post this project into HN and collect some feedbacks. Don't feel bad to just say "lol your approach won't work" because static analysis has always limits (e.g. obfuscated software) and many more.
The main goal was to build (another) software that given a PE executable in input, parse it and outputs some indicators of the similarity of it across the ransomware I studied (the classic ones). Naturally most of the advanced ransomware employed nowadays is able to circumvent it, only with a little bit of modifications. TL;DR: "a more advanced" pattern matching.
The description is here as follows:
MicroSCOPE is a software program developed through the Go programming language that allows for the detection of a precise category of malicious software. The program is designed specifically for a class of malicious programs called ransomware whose operation consists of data encryption and ransom demand in order to gain access to the content again.
In particular, MicroSCOPE was developed to be able to support two of the mainly used formats: the PE (Portable Executable) format for Windows platforms and ELF (Executable and Linking Format) for Unix-based platforms. Through the application of certain heuristics, MicroSCOPE is able to assign a score that corresponds to the level of dangerousness of the file being analyzed. The higher the score, the more similar characteristics the software will exhibit to ransomware that has already been studied. The heuristics have been extrapolated from numerous case studies and will be improved over time.