DCART - Decoupled Components for Automated Ransomware Testing

Explore the development of a behavioral ransomware detonation and detection framework in this conference talk from the Hack In The Box Security Conference. Learn about the challenges of controlled ransomware testing and the innovative approach of decoupling detonation and detection components. Discover the design process, implementation details, and testing methodology for this framework, which will be open-sourced. Gain insights into ransomware modification patterns, behavioral detection techniques, and the limitations of current testing methods. Delve into topics such as event tracing, minifilter drivers, file access auditing, and automation in ransomware analysis. Benefit from the speaker's expertise in malware research and reverse engineering as you examine practical demonstrations and real-world applications of this framework against known ransomware families.

Introduction
Overview
Ransomware
Ransomware Modification Patterns
Behavioral Ransomware Detection
Behavioral Ransomware Testing
Limitations
Event Traces
Event Listener
Event Race Format
File Access Auditing
MiniFilter Driver
MiniFilter Framework
Analysis Objectives
Entropy
File Header
File Rename
Demo
Log File
Log File Analysis
Automation
Limitations of Automation