Isolating Key Phrases to Identify Ransomware Attackers
Abstract
Ransomware attacks are a devastatingly severe class of cyber-attacks capable of crippling an organization by disrupting operations or imposing egregious financial demands. A number of solutions have been proposed to decrease the risk of ransomware infection or to detect ransomware once a system has been infected. However, these proposed solutions do not address the root of the problem: identifying the adversary that created the ransomware. This study takes steps towards identifying an adversary by utilizing linguistic analysis of ransomware messages to ascertain the adversary’s language of origin. Our proposed method begins with existing ransomware messages. We isolate commonly used phrases by analyzing a number of notable ransomware attacks: CryptoLocker, Locky, Petya, Ryuk, WannaCry, Cerber, GandCrab, SamSam, Bad Rabbit, and TeslaCrypt. Afterwards, we translate these phrases from English to another language and then back to English using Google Translate, and calculate the Levenshtein Distance between the two English phrases. Next, we identify the languages that have a Levenshtein Distance greater than 0 for these phrases due to differences in how parts of speech are implemented in the respective languages. Finally, we analyze new ransomware messages and rank the languages from easiest to most difficult to distinguish.
Keywords: ransomware, linguistic analysis, cybersecurity
DOI: 10.54941/ahfe1002200
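The scoring step described in the abstract (round-trip translation, Levenshtein Distance, keep languages with a distance greater than 0, rank), as an added example that is not code from the paper. The phrases, the placeholder language labels, the back-translations and the use of total distance as the ranking score are all assumptions made for illustration; the translation step is replaced by constructed strings so the block runs offline.

```python
# Added example: phrases, language labels and back-translations are constructed
# stand-ins, not data from the paper or real Google Translate output.

def levenshtein(a: str, b: str) -> int:
    """Character-level edit distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]

P1 = "your files have been encrypted"
P2 = "send the payment to this address"

# English -> pivot language -> English, keyed by placeholder language label.
ROUND_TRIPS = {
    "lang_A": {P1: P1, P2: P2},
    "lang_B": {P1: P1, P2: "send payment to this address"},
    "lang_C": {P1: "your files were encrypted", P2: "send the payment on this address"},
}

def phrase_distances(round_trips):
    """Per language, the distance between each phrase and its round trip."""
    return {lang: {p: levenshtein(p, back) for p, back in pairs.items()}
            for lang, pairs in round_trips.items()}

def rank_languages(round_trips):
    """Keep languages with any distance > 0; order by total distance, largest first.
    Using the total as the 'ease of distinguishing' score is an assumption."""
    totals = {lang: sum(d.values()) for lang, d in phrase_distances(round_trips).items()}
    kept = [lang for lang, total in totals.items() if total > 0]
    return sorted(kept, key=lambda lang: (-totals[lang], lang))

if __name__ == "__main__":
    for lang, d in phrase_distances(ROUND_TRIPS).items():
        print(lang, d)
    print("easiest to hardest:", rank_languages(ROUND_TRIPS))
```

A language whose round trip returns every phrase unchanged (lang_A here) drops out of the ranking, since a distance of 0 gives nothing to distinguish it by.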


AHFE Open Access