RansomLens: Understanding Ransomware via Causality Analysis on System Provenance Graph

Malware analysis technology has been one of the most important research topics of cyber security. The recent surge in adoption of ransomware is rapidly changing the malware landscape. A large body of researches in security community have given us an understanding of ransomware individuals and families. However, to the best of our knowledge, there are currently few works that explore common and distinct malicious behaviors on large scale ransomware dataset. Our insight is that although the implementation of each ransomware vary widely, its malicious behaviors inevitably interact with the underlying operating system, which will be exposed and captured by system event tracing mechanism. In this paper, we propose a novel ransomware analysis pipeline, a system provenance graph based approach for better understanding the ransomware's behaviors. Then we leverage the analysis framework to analyze on large scale ransomware dataset and present some interesting findings on diverse ransomware and their families. Furthermore, our analysis on ransomware also reveals that system provenance graph is an ideal tool, with strong abstract expression ability and relatively high efficiency.