Attempts to detect ransomware based on properties of a binary.
How does it work?
This is still a work in progress and will be updated as more concrete versions are developed.
The detector looks for cryptographic primitives, and for ransomware behaviour more broadly, using several different identifying properties. The following properties are planned to be implemented:
- Per Gröbert et al. ("Automated Identification of Cryptographic Primitives in Binary Programs", RAID 2011), cryptographic code contains many loops and makes heavy use of bitwise arithmetic (XOR, shifts, rotates).
- Use of cryptographic APIs (e.g. Windows CryptoAPI/CNG or OpenSSL functions among the imports).
- Writing to a large number of files.
- Common ransom-note messages.