
ABSTRACT

The increasing threat of ransomware attacks has underscored the critical need for robust detection and mitigation strategies. This research focuses on the use of Software-Defined Networking (SDN) to strengthen the defense against ransomware, with a special emphasis on the WannaCry ransomware and emerging threats. Using the programmability of SDN, the study develops and evaluates real-time detection techniques, including Shallow Packet Inspection, Deep Packet Inspection, and network scan-based methods. By integrating these techniques into the SDN controller, a proactive and agile defense system is envisaged, capable of promptly identifying and containing ransomware infections at the network layer. The project's scope spans development, testing in simulated environments, and ethical considerations. The outcome aims to enhance cybersecurity measures, contributing to the ongoing battle against ransomware threats and bolstering the protection of Windows systems.
TABLE OF CONTENTS
Abstract....................................................................................................................................................................................................... 3
Introduction.............................................................................................................................................................................................. 1
AIM................................................................................................................................................................................................................ 4
Objectives................................................................................................................................................................................................... 5
Justification................................................................................................................................................................................................ 6
Problem.................................................................................................................................................................................................. 6
Solutions................................................................................................................................................................................................ 6
Research Questions................................................................................................................................................................................ 8
Scope............................................................................................................................................................................................................. 9
Ethical Consideration......................................................................................................................................................................... 10
Literature Review................................................................................................................................................................................ 11
Desk Based Research Methodology.........................................................................................................................................11
FireEye................................................................................................................................................................................ 11
Features.......................................................................................................................................................................................... 13
Limitations.................................................................................................................................................................................... 13
CrowdStrike...................................................................................................................................................................... 15
Features of CrowdStrike Falcon for Ransomware Prevention...............................................................................16
Limitations of CrowdStrike Falcon.....................................................................................................................................17
McAfee.................................................................................................................................................................................................. 18
Features of McAfee Ransomware Protection.................................................................................................................19
Limitations of McAfee Ransomware Protection...........................................................................................................19
Agile Development Methodology..................................................................................................................................................21
Tools and Technologies..................................................................................................................................................................... 22
Planning and Project Design.......................................................................................................................................................23
Development..................................................................................................................................................................................... 24
Setting up a Windows Virtual Environment...................................................................................................................24
Obtaining the Wannacry Ransomware Sample.............................................................................................................24
Developing the SDN Tool with Python and POX Controller.....................................................................................26
Testing the Detection and Mitigation of WannaCry....................................................................................................27
Documentation............................................................................................................................................................................ 29
Techniques.............................................................................................................................................................................................. 30
Suspicious Domain Detection.................................................................................................................................................... 30
SMBv1 Detection.............................................................................................................................................................................. 31
Suspicious Process Detection.....................................................................................................................................................32
Malicious String Inspection.........................................................................................................................................................33
Findings.................................................................................................................................................................................................... 34
Future Work........................................................................................................................................................................................... 42
Advancing Threat Detection Techniques..............................................................................................................................42
Integration with Security Orchestration, Automation, and Response (SOAR) Platforms...............................42
Real-Time Threat Intelligence Integration...........................................................................................................................43
Enhancing Forensic Capabilities...............................................................................................................................................43
Project Limitations and Challenges..............................................................................................................................................44
Conclusion............................................................................................................................................................................................... 46
Appendix.................................................................................................................................................................................................. 47
Source code........................................................................................................................................................................................ 47
Project Plan........................................................................................................................................................................................ 59
Risk Assessment............................................................................................................................................................... 60
SWOT ANALYSIS.............................................................................................................................................................................. 61
References............................................................................................................................................................................................... 62
LIST OF FIGURES
Figure 1 Introduction of the Project...............................................................................................................................................2
Figure 2 Project Aim.............................................................................................................................................................................. 4
Figure 3 Project Objectives.................................................................................................................................................................5
Figure 4 Project Problem and Solution.........................................................................................................................................7
Figure 5 Research Questions............................................................................................................................................................. 8
Figure 6 Scope.......................................................................................................................................................................................... 9
Figure 7 Ethical Considerations.....................................................................................................................................................10
Figure 8 Desk based Research Methodology............................................................................................................................11
Figure 9 FireEye mitigating ransomware.................................................................................................................12
Figure 10 CrowdStrike Falcon Sandbox for preventing ransomware...........................................................................15
Figure 11 McAfee Ransomware Mitigating Approach.........................................................................................................18
Figure 12 Project Development Methodology Agile.............................................................................................................21
Figure 13 Tools and Technologies integrated in the project............................................................................................22
Figure 14 Planning and Project Design.......................................................................................................................................23
Figure 15 Setting Up Virtual Environment................................................................................................................................24
Figure 16 Obtaining WannaCry Ransomware Sample from GitHub..............................................................................25
Figure 17 Developing SDN tool with Python and POX Controller...................................................................................26
Figure 18 Detecting and Mitigating of WannaCry..................................................................................................................27
Figure 19 Blocking Suspicious DNS Request............................................................................................................................27
Figure 20 Blocking Suspicious Process.......................................................................................................................................28
Figure 21 Blocking Malicious URLs..............................................................................................................................28
Figure 22 Inspecting and Blocking Malicious Strings..........................................................................................................28
Figure 23 WannaCry Suspicious Domain Detection.............................................................................................................30
Figure 24 SMBv1 Exploitation by WannaCry...........................................................................................................................31
Figure 25 Suspicious Process Detection.....................................................................................................................................32
Figure 26 Malicious String Inspection........................................................................................................................................33
Figure 27 Detection Accuracy of WannaCry Ransomware................................................................................................35
Figure 28 Real World Applicability and Flexibility...............................................................................................................36
Figure 29 New Variants and Evasion techniques by SDN..................................................................................................37
Figure 30 Legal and Ethical Compliance....................................................................................................................................40
Figure 31 Project Challenges and Limitations.........................................................................................................................44
Figure 32 Detecting ARP with IP address and Port...............................................................................................................47
Figure 33 ARP Idle time out and priority...................................................................................................................................48
Figure 34 Detecting device CPU usage........................................................................................................................................49
Figure 35 Analysis of Deep packet inspection.........................................................................................................................50
Figure 36 DNS monitoring along with IP address and Port...............................................................................................51
Figure 37 Creating a Honeypot listening on different ports including SMB...............................................................52
Figure 38 Reading the suspicious Request from Suspicious DNS csv...........................................................................53
Figure 39 Checking for Malicious Strings used by WannaCry.........................................................................54
Figure 40 Checking for Malicious Strings used by WannaCry II.....................................................................54
Figure 41 Checking for Malicious Strings used by WannaCry III....................................................................55
Figure 42 Inspecting packet size I.................................................................................................................................................55
Figure 43 Inspecting packet size II...............................................................................................................................................56
Figure 44 Inspecting packet size III............................................................................................................................................. 57
Figure 45 Malicious Strings csv......................................................................................................................................................57
Figure 46 Malicious URLs csv......................................................................................................................................... 57
Figure 47 Suspicious domain request csv.................................................................................................................................58
Figure 48 Suspicious process..........................................................................................................................................................58
Figure 49 Output of the code...........................................................................................................................................................58
Figure 50 Project Gantt Chart......................................................................................................................................................... 59
Figure 51 Project Risk Assessment.............................................................................................................................................. 60
Figure 52 SWOT Analysis..................................................................................................................................................................61
INTRODUCTION
The digital landscape has evolved significantly, bringing with it a proliferation of cyber threats, including malware, ransomware, and Trojans. Attackers constantly target organizations, using ever-evolving variants to exploit vulnerabilities. Among these threats, the WannaCry ransomware stands out as one of the most devastating attacks in history, causing widespread disruption and financial losses for numerous businesses. The rapid and global spread of WannaCry (PwC, 2017) exemplifies the severity of the challenge organizations face in safeguarding their critical data and assets. Despite employing defensive measures such as firewalls, antivirus software, IDS/IPS, and network segmentation, many organizations were unable to detect and prevent WannaCry's infiltration in time (Cimpanu, 2018); the worm spread laterally through unpatched systems inside the network, where perimeter controls offered little protection.

Figure 1 Introduction of the Project

The ransomware exploited a vulnerability in the Server Message Block (SMB) protocol of Microsoft Windows, allowing it to propagate across networks as a worm, without any user interaction. This led to a global crisis affecting hospitals, businesses, government agencies, and individuals alike. WannaCry's modus operandi involved encrypting data on infected systems and demanding ransom payments in Bitcoin; without the attacker's key, the encrypted data was effectively lost, making it a potent tool for extortion. The attack caused significant disruption to healthcare, transportation, manufacturing, and financial services. Organizations faced immense challenges in mitigating the impact of WannaCry because of its ability to evade traditional security measures (Askarifar et al., 2018). Signature-based antivirus had no signature for the new sample during the first hours of the outbreak, and because the worm component spread laterally over SMB from already-infected hosts inside the perimeter, edge firewalls did little to contain it. The devastating consequences of the WannaCry outbreak highlighted the urgency for more proactive and innovative cybersecurity solutions.

Software-Defined Networking (SDN) emerged as a promising approach to enhance cybersecurity defense mechanisms. SDN separates the control plane from the forwarding plane and gives a central controller programmatic control over every switch, so that detection logic running in the controller can install flow rules that isolate an infected host as soon as its traffic is recognised. This research project aims to develop a WannaCry ransomware detection and mitigation system using SDN techniques. By leveraging the flexibility and programmability of SDN, the system can respond dynamically to emerging threats and rapidly block malicious traffic.

The project incorporates several techniques to identify and counter WannaCry's spreading behaviour. Shallow Packet Inspection (SPI) serves as the first line of defense, analysing TCP packet headers (addresses, ports and flags) without looking at the payload. The SPI module identifies potential WannaCry traffic based on header patterns, above all connection attempts to TCP port 445 (SMB), the port WannaCry uses to spread, and this information enables the system to promptly block the suspected host, minimizing the risk of further propagation. Deep Packet Inspection (DPI) takes the analysis further by examining packet content for byte strings unique to WannaCry. The DPI module performs in-depth analysis of TCP payloads and blocks hosts exhibiting suspicious behaviour, so that mitigation happens before significant damage is done.

Network-based analysis focuses on monitoring traffic for anomalies that may indicate WannaCry's presence. The ARP Scan Monitor module detects bursts of ARP requests, the side effect of WannaCry scanning the local subnet for hosts to infect. By setting an appropriate threshold and keeping a log of ARP request and reply packets per source, the system can promptly block potential ransomware-infected hosts. The Honeypot Monitor module complements the network-based analysis by detecting connections to decoy systems that no legitimate host has reason to contact; a connection attempt to a honeypot is therefore treated as evidence of scanning, and the responsible host is blocked immediately.

Host-based analysis examines the processes and DNS requests of individual hosts. The Process Monitor module identifies suspicious processes being spawned and terminates them to prevent further ransomware execution. The Host DNS Monitor module checks DNS queries against a list of known-malicious domains and blocks access to any identified threat.
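The following is an added, stand-alone model of the detection pipeline described above (SPI on TCP headers, DPI on payloads, the ARP-scan threshold, the honeypot monitor and the DNS monitor). It is not the project's POX code: it consumes constructed packet records instead of OpenFlow PacketIn events, so it runs without a controller, a virtual network or a WannaCry sample. The thresholds, the honeypot address and the sample traffic are assumptions; the kill-switch domain and the two byte strings are published WannaCry indicators used only as an illustrative list, and the report's own CSV lists may differ.

```python
"""Stand-alone model of the SDN detection pipeline: SPI, DPI, ARP-scan
threshold, honeypot monitor and DNS monitor. Added example, not the
project's POX controller code."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed tuning values and decoy address (not taken from the report).
ARP_SCAN_THRESHOLD = 20     # distinct ARP targets per source inside the window
SMB_SCAN_THRESHOLD = 10     # distinct TCP/445 SYN targets per source inside the window
WINDOW_SECONDS = 10.0
HONEYPOT_IPS = {"10.0.0.250"}

# Published WannaCry indicators, used here as an illustrative list only.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
BLOCKED_DOMAINS = {KILL_SWITCH_DOMAIN}
MALICIOUS_STRINGS = [b"WNcry@2ol7", b"@WanaDecryptor@"]


@dataclass
class Pkt:
    """Minimal view of one packet; a PacketIn handler would fill this from event.parsed."""
    ts: float
    src_ip: str
    dst_ip: str
    proto: str            # "arp", "tcp" or "udp"
    dst_port: int = 0
    syn: bool = False
    payload: bytes = b""
    dns_qname: str = ""


class Detector:
    def __init__(self):
        self.arp_seen = defaultdict(list)   # src -> [(ts, target)]
        self.smb_seen = defaultdict(list)
        self.blocked = {}                   # src -> reason it was quarantined

    def _block(self, ip, reason):
        # In the controller this is where a drop rule matching nw_src=ip is installed.
        self.blocked.setdefault(ip, reason)
        return reason

    def _distinct_in_window(self, table, p):
        """Count distinct targets this source touched within WINDOW_SECONDS."""
        cutoff = p.ts - WINDOW_SECONDS
        recent = [(t, d) for t, d in table[p.src_ip] if t >= cutoff]
        recent.append((p.ts, p.dst_ip))
        table[p.src_ip] = recent
        return len({d for _, d in recent})

    def inspect(self, p):
        if p.src_ip in self.blocked:
            return "already-blocked"
        if p.proto == "arp":                                   # ARP Scan Monitor
            if self._distinct_in_window(self.arp_seen, p) > ARP_SCAN_THRESHOLD:
                return self._block(p.src_ip, "arp-scan")
            return "ok"
        if p.proto == "udp" and p.dst_port == 53:              # Host DNS Monitor
            if p.dns_qname.lower().rstrip(".") in BLOCKED_DOMAINS:
                return self._block(p.src_ip, "dns-killswitch")
            return "ok"
        if p.proto == "tcp":
            if p.syn and p.dst_ip in HONEYPOT_IPS:             # Honeypot Monitor
                return self._block(p.src_ip, "honeypot-contact")
            if p.syn and p.dst_port == 445:                    # SPI: SMB sweep on headers only
                if self._distinct_in_window(self.smb_seen, p) > SMB_SCAN_THRESHOLD:
                    return self._block(p.src_ip, "smb-scan")
            if any(sig in p.payload for sig in MALICIOUS_STRINGS):   # DPI on payload
                return self._block(p.src_ip, "dpi-signature")
        return "ok"


def sample_traffic():
    """Constructed traffic: one benign host, then five hosts each tripping one monitor."""
    pkts = [
        Pkt(0.0, "10.0.0.5", "10.0.0.1", "udp", dst_port=53, dns_qname="example.com"),
        Pkt(0.5, "10.0.0.5", "10.0.0.9", "tcp", dst_port=445, syn=True),
    ]
    pkts += [Pkt(1.0 + i / 100, "10.0.0.7", f"10.0.0.{i}", "arp") for i in range(1, 31)]
    pkts += [Pkt(2.0 + i / 100, "10.0.0.8", f"10.0.1.{i}", "tcp", dst_port=445, syn=True)
             for i in range(1, 16)]
    pkts.append(Pkt(3.0, "10.0.0.9", "10.0.0.1", "udp", dst_port=53, dns_qname=KILL_SWITCH_DOMAIN))
    pkts.append(Pkt(3.5, "10.0.0.10", "10.0.0.20", "tcp", dst_port=445,
                    payload=b"\x00\x00\x00\x10WNcry@2ol7\x00"))
    pkts.append(Pkt(4.0, "10.0.0.11", "10.0.0.250", "tcp", dst_port=445, syn=True))
    return pkts


def run(pkts):
    det = Detector()
    verdicts = [det.inspect(p) for p in pkts]
    return det.blocked, verdicts


if __name__ == "__main__":
    blocked, _ = run(sample_traffic())
    for ip, reason in blocked.items():
        print(f"{ip}: {reason}")
```

In a POX deployment `inspect` would be called from the PacketIn listener and `_block` would push an `ofp_flow_mod` whose match covers the offending source address and whose action list is empty, which drops the host's traffic at the switch. Two caveats matter in practice. First, the SPI rule counts distinct port-445 targets per source rather than blocking the first SMB connection, because a single SYN to a file server is normal; only a sweep is suspicious. Second, a query for the kill-switch domain is treated as grounds to quarantine the whole host, not merely to drop the DNS request: the sample proceeds to encrypt precisely when that lookup fails, so silently blocking the query would make the infection worse, and network containment in any case limits propagation but does not stop encryption already running on the host.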

The significance of this project lies in its potential to improve ransomware defense. By combining SDN's programmability with the detection techniques above, organizations can build a dynamic defense capable of reacting to both existing and future ransomware variants, protecting sensitive data as well as the organization's reputation and customer trust. Furthermore, the project evaluates the efficacy of SDN-based detection compared with traditional cybersecurity methods. Through testing and analysis, it seeks to identify issues and possible improvements in the implemented approach, so that the system can be refined and strengthened against evolving ransomware threats. The use of SDN techniques for detecting and mitigating WannaCry thus exemplifies the potential of programmable-network approaches to security: by identifying and containing an infected host at the network layer, organizations can bolster their resilience and safeguard critical data. Through the integration of SDN-based detection and mitigation techniques, this project offers a practical defense mechanism against the evolving threat of ransomware and improves the overall cybersecurity posture of organizations.

AIM

Figure 2 Project Aim

OBJECTIVES

Figure 3 Project Objectives

JUSTIFICATION

PROBLEM

Defensive measures are undeniably crucial for organizations, yet they often face several critical problems
and challenges in their cybersecurity efforts. Despite implementing firewalls, antivirus software, and
network segmentation, attackers continually devise new tactics to breach their defenses. Even with
regular penetration testing, organizations can still fall victim to adversaries' innovative techniques,
leaving them vulnerable to devastating cyberattacks. For example, attackers may exploit human
weaknesses by crafting sophisticated phishing campaigns, duping employees into downloading malware
or ransomware. Such successful intrusions can lead to severe consequences, including data breaches,
financial losses, and damage to the organization's reputation. (Christensen & Liebetrau, 2019)

Another significant problem lies in the ever-evolving nature of cyber threats. While organizations may invest heavily in security solutions, the threat landscape constantly changes, making it challenging for defensive measures to keep up. Malware, ransomware, and other malicious software variants continuously adapt to avoid detection, leaving organizations struggling to detect and respond effectively to emerging threats (Ali, 2017). Consequently, many organizations find their security measures falling short, leading to the potential loss of sensitive data and critical assets.

Moreover, the project's focus on the WannaCry ransomware highlights another pressing issue: the difficulty of detecting and mitigating fast-spreading threats. Despite the use of established defensive tools such as firewalls and antivirus, WannaCry spread worldwide within hours, causing massive disruption and financial losses. This raises questions about the efficacy of conventional security solutions against advanced ransomware and underlines the need for more proactive approaches to safeguarding organizations from such attacks (Akbanov et al., 2018).

SOLUTIONS

To bolster their defenses against cyber threats, organizations can implement several key solutions and best practices. One crucial step is to invest in advanced threat detection technologies, which use behavioural analytics and machine-learning techniques to identify and respond to sophisticated attacks in real time (Mohurle & Patil, 2017). These solutions continuously monitor network traffic, user behaviour, and system activity to detect anomalies and potential threats, allowing organizations to act before significant damage occurs.

Moreover, organizations should adopt a proactive security mindset and engage in regular Red Team
exercises. Red Team operators simulate real-world attack scenarios to assess the organization's security
posture comprehensively. By identifying vulnerabilities and weaknesses, organizations can make
targeted improvements and better prepare for potential cyber threats. Additionally, Red Team exercises
include testing employee awareness through phishing simulations, providing invaluable insights into the
organization's human element in cybersecurity.

Incorporating experts in reverse engineering and threat analysis is essential to understanding the tactics,
techniques, and procedures used by malicious actors. These specialists can dissect malware and
ransomware samples, enabling organizations to develop custom defense mechanisms tailored to their
specific threat landscape. Understanding the intricacies of these attacks empowers organizations to
proactively defend against them and adapt to emerging threats effectively.

Through this project, organizations can gain a deeper understanding of the techniques employed by
WannaCry and enhance their defense mechanisms to prevent future ransomware attacks. The adoption of
SDN-based solutions offers an effective and flexible approach, enabling real-time detection and mitigation
of ransomware threats in network environments. By embracing offensive security methodologies and
integrating ethical considerations into the implementation process, organizations can bolster their
resilience and protect valuable data from malicious attacks.

Figure 4 Project Problem and Solution

RESEARCH QUESTIONS

Figure 5 Research Questions

SCOPE

Figure 6 Scope

ETHICAL CONSIDERATION
In the pursuit of developing a ransomware detection and mitigation system using Software-Defined
Networking (SDN) to combat the WannaCry threat, ethical considerations play a pivotal role in ensuring
the responsible and ethical use of this technology for cybersecurity purposes. The project is committed to
a defensive purpose, solely aiming to protect organizations from WannaCry and similar ransomware
attacks, without any offensive or malicious intentions. Transparency and user consent are paramount,
with clear communication about the system's purpose, functionalities, and potential risks.

Striving to minimize harm, the project places emphasis on data privacy and security, adhering to relevant
laws and regulations. Data collected and processed by the SDN system are handled responsibly, ensuring
confidentiality, integrity, and compliance with data protection laws. The project team takes utmost care
to prevent any unintended negative consequences during the testing and validation phases, conducting
rigorous testing in controlled environments. Ethical practices are upheld throughout to avoid any
accidental harm.

Figure 7 Ethical Considerations

Moreover, the responsible use of findings and knowledge derived from the project is emphasized. The aim
is to share the results with the broader cybersecurity community, promoting awareness and enabling
improved defense strategies against ransomware attacks. The project team remains dedicated to utilizing
the knowledge responsibly for the betterment of cybersecurity practices globally.

Ethical conduct is at the core of the project, fostering trust and integrity in the development and
deployment of the ransomware detection and mitigation system. The system is designed to empower
organizations to fortify their defenses against the WannaCry threat, while preserving data privacy and
security. By strictly adhering to legal compliance and ethical standards, the project seeks to advance
cybersecurity capabilities while ensuring the protection and well-being of individuals and organizations
alike.

LITERATURE REVIEW

DESK BASED RESEARCH METHODOLOGY

The desk-based research methodology, also known as "secondary research," involves gathering and
analysing data from existing sources like books, reports, and articles instead of conducting direct
observations or data collection. This approach is particularly valuable in addressing research questions
and aims to provide a comprehensive overview of a specific issue or topic, serving as a solid foundation
for future investigations. One of the main advantages of this method is its cost-effectiveness and
efficiency, as it allows researchers to access relevant data without requiring a large budget or extensive
fieldwork. Additionally, desk-based research enables researchers to quickly gain a broad understanding
of the chosen topic and draw conclusions in a relatively short period. By synthesizing information from
various sources, this methodology facilitates a holistic view of the research area and aids in the
integration of diverse perspectives and findings. Overall, desk-based research is a valuable tool that
supports the process of knowledge compilation and contributes to a deeper comprehension of the subject
matter. (Wang, T., & Gong, X., 2020; Balaban, D., 2016)

Figure 8 Desk based Research Methodology

FIRE EYE

FireEye is a leading intelligence-led security company that specializes in providing advanced
cybersecurity solutions to organizations worldwide. With a focus on proactive and innovative detection
and prevention techniques, FireEye plays a crucial role in safeguarding businesses and individuals from
cyber threats, including ransomware attacks. In this literature review, we will explore FireEye's detection
approach, deployment, and integration methods, as well as their scope and expertise in handling
ransomware attacks.

Detection Approach: FireEye adopts a multi-layered and proactive detection approach to identify and
prevent ransomware attacks. Their strategy encompasses a combination of signature-based detection,
behavioral analysis, machine learning, and real-time threat intelligence. This multi-faceted approach
enables FireEye to detect both known and unknown ransomware variants, ensuring comprehensive
protection for their clients.

Signature-based detection involves identifying known ransomware strains based on their unique patterns
or signatures. FireEye maintains a vast database of ransomware signatures, allowing them to quickly
recognize and block known threats. However, relying solely on signature-based detection can be limiting,
as it may not detect new or modified ransomware strains. To address this limitation, FireEye incorporates
behavioral analysis and machine learning into their detection approach. Behavioral analysis focuses on
monitoring the behavior of software and processes to identify suspicious activities associated with
ransomware. By analyzing the behavior of files and processes in real-time, FireEye can identify
ransomware-like behavior even if the ransomware strain is new or has undergone modifications. Machine
learning further enhances FireEye's detection capabilities by using algorithms that continuously learn
from data to improve accuracy and efficiency in identifying ransomware. This dynamic approach allows
FireEye to adapt quickly to emerging threats and detect previously unseen ransomware variants.
Additionally, FireEye leverages real-time threat intelligence from their global network of sensors and
endpoint devices. This intelligence provides valuable insights into the latest ransomware trends, tactics,
and techniques used by threat actors. By constantly updating their threat intelligence, FireEye ensures
that their detection systems are always equipped with the latest information to combat ransomware
attacks effectively.

Figure 9 Fire eye mitigating ransomware

Deployment and Integration: FireEye's cybersecurity solutions are typically deployed as standalone
appliances or integrated into existing security infrastructures. Their flagship product, FireEye Endpoint
Security, offers advanced endpoint protection capabilities to detect and prevent ransomware attacks on
individual devices. Organizations can deploy FireEye Endpoint Security on their endpoints, such as
laptops, desktops, and servers, to provide real-time protection against ransomware and other cyber
threats. The solution uses multiple protection engines, including signature-based, machine-learning-
based, and behavioral-based protection, to provide a layered defense against ransomware attacks.
FireEye's products can also be integrated with other security tools and platforms to create a unified and
comprehensive security ecosystem. By integrating with SIEM (Security Information and Event
Management) solutions and other threat intelligence platforms, FireEye enhances the overall security
posture of organizations,

12
enabling seamless sharing of threat information and coordinated response to cyber incidents. (Balaban, D.
,2016)

Scope and Expertise: FireEye's expertise in cybersecurity is unparalleled, gained through over two
decades of experience and more than 350,000 hours of incident investigations and consulting each year.
They employ a team of highly skilled and experienced threat researchers, platform engineers, malware
analysts, intelligence analysts, and investigators.

This vast expertise allows FireEye to stay at the forefront of the evolving cyber threat landscape and
develop innovative solutions to combat ransomware attacks effectively. FireEye's threat researchers
continuously analyze and respond to emerging ransomware threats, ensuring that their detection
techniques remain up-to-date and effective against the latest ransomware strains.

FireEye's global network of best-in-class business partners further extends their scope and expertise.
Collaborating with industry-leading cybersecurity companies, FireEye strengthens its ability to provide
comprehensive and adaptive solutions to combat ransomware attacks across various industries and
geographic regions.

FEATURES:
1. Multi-Layered Detection Approach: FireEye Endpoint Security leverages a multi-layered
approach, combining signature-based, behavior-based, and machine-learning-based techniques,
to effectively detect and block ransomware threats.

2. Real-Time Threat Intelligence: FireEye continuously gathers real-time threat intelligence from
its global network of sensors and endpoint devices, enabling proactive defense against emerging
ransomware attacks.

3. UAC Protect: The UAC Protect module in FireEye Endpoint Security defends against User Account
Control (UAC) bypass attacks commonly used by ransomware operators, reducing the attack
surface for ransomware threats.

4. Process Guard: The Process Guard module safeguards against common credential dumping
attacks employed by ransomware for privilege escalation, enhancing the protection against
ransomware.

5. Real-Time Indicator Detection: FireEye Endpoint Security can be configured to detect and
alert based on indicators of compromise related to ransomware threats, adding an additional
layer of proactive defense.

LIMITATIONS:
1. Reliance on Signatures: FireEye's signature-based detection, while effective against known
ransomware strains, may not detect new or modified ransomware variants that lack known
signatures.

2. Resource Intensive: The multi-layered approach and real-time monitoring of FireEye Endpoint
Security can be resource-intensive, potentially challenging for organizations with limited
resources.

3. False Positives: Like any cybersecurity technology, FireEye Endpoint Security may generate
false positive alerts, which could divert security teams' attention from real threats.

4. Zero-Day Vulnerabilities: FireEye's behavior-based approach may not detect sophisticated
zero-day vulnerabilities that exploit undiscovered weaknesses in software.

5. Integration Challenges: Integrating FireEye Endpoint Security with existing security tools and
technologies may lead to redundancy or conflicts if there are overlapping capabilities.

FireEye's intelligence-led security approach, combined with their advanced detection techniques,
deployment flexibility, and unmatched expertise, positions them as a formidable force in the fight against
ransomware attacks. Their multi-layered detection approach, which includes signature-based detection,
behavioral analysis, machine learning, and real-time threat intelligence, ensures comprehensive
protection against both known and unknown ransomware strains. By deploying FireEye's solutions,
organizations can benefit from proactive and real-time protection against ransomware attacks,
safeguarding their critical data and operations from potential devastation. FireEye's continuous research
and collaboration with industry partners enable them to stay ahead of evolving ransomware threats and
provide their clients with innovative cybersecurity solutions.

Overall, FireEye's commitment to intelligence-led security and their relentless pursuit of innovative
detection and prevention techniques makes them a trusted partner in the ongoing battle against
ransomware and other cyber threats. With FireEye at their side, organizations can confidently navigate
the ever-changing cybersecurity landscape and strengthen their resilience against ransomware attacks.

This literature review highlights FireEye's intelligence-led security approach and its relentless pursuit of
innovative detection and prevention techniques in combatting ransomware attacks. With its multi-
layered detection strategy, real-time threat intelligence, deployment flexibility, and unmatched expertise,
FireEye provides organizations with proactive and real-time protection against ransomware threats,
safeguarding critical data and operations from potential devastation. By continuously researching and
collaborating with industry partners, FireEye stays ahead of evolving ransomware threats, offering
innovative cybersecurity solutions to its clients. Organizations can confidently rely on FireEye to navigate
the dynamic cybersecurity landscape and enhance their resilience against ransomware attacks. (Fisher,
D., 2017; McAfee Labs, 2016)

CROWD STRIKE

CrowdStrike is a renowned intelligence-led security company that specializes in delivering advanced
cybersecurity solutions to organizations worldwide. As the threat landscape evolves, ransomware attacks
have become increasingly prevalent, necessitating a proactive and innovative approach to detection and
prevention. This literature review delves into CrowdStrike's robust detection methodology, deployment,
integration capabilities, and the scope of their expertise in handling ransomware attacks. It was
co-founded by George Kurtz (CEO), Dmitri Alperovitch (former CTO), and Gregg Marston (CFO, retired) in
2011. Their collective vision and expertise laid the groundwork for creating a groundbreaking
cybersecurity platform. The company's commitment to enhancing its capabilities led to strategic
acquisitions, such as Preempt Security, a provider of zero trust and conditional access technology. With
its intelligence-led approach, advanced technologies, and global expertise, CrowdStrike has proven itself
as a trusted partner in safeguarding organizations from the ever-evolving threat landscape, including the
persistent menace of ransomware.

Figure 10 CrowdStrike Falcon Sandbox for preventing ransomware.

Detection Approach:

CrowdStrike Falcon adopts a multi-layered and proactive detection approach to identify and prevent
ransomware attacks. Central to this approach is their powerful endpoint sensor, which continuously
monitors endpoint activities, enabling the detection of suspicious behaviors associated with ransomware.
CrowdStrike goes beyond traditional signature-based methods, employing Indicator of Attack (IoA)
patterns for real-time detection, rendering their solution highly effective against new and polymorphic
ransomware variants.

CrowdStrike Falcon's IoA-based approach ensures that ransomware activities are identified, halted, and
terminated before they can inflict damage and encrypt files. This proactive stance distinguishes
CrowdStrike's solution from traditional signature-based approaches that often struggle to keep pace with
rapidly evolving ransomware threats.

Deployment and Integration:

CrowdStrike Falcon's cybersecurity solutions are designed for seamless deployment as standalone
appliances or integration into existing security infrastructures. Their flagship product, CrowdStrike
Falcon Endpoint Protection, empowers organizations to defend against ransomware attacks on individual
devices.

Through CrowdStrike's cloud-based platform, organizations can deploy Falcon Endpoint Protection on
endpoints such as laptops, desktops, and servers, ensuring real-time protection against ransomware and
other cyber threats. CrowdStrike's architecture leverages multiple protection engines, including machine
learning, behavior-based analysis, and cloud machine learning, to provide a layered defense against
ransomware attacks.

Furthermore, CrowdStrike Falcon's open API architecture allows for seamless integration with Security
Information and Event Management (SIEM) solutions and other threat intelligence platforms. This
integration enhances overall security posture, enabling threat information sharing and coordinated
response to cyber incidents.

Scope and Expertise:

CrowdStrike's expertise in cybersecurity is demonstrated through their experience spanning over two
decades, conducting more than 350,000 hours of incident investigations and consulting each year. The
company boasts a team of highly skilled threat researchers, platform engineers, malware analysts,
intelligence analysts, and investigators.

This wealth of expertise enables CrowdStrike to stay at the forefront of the ever-evolving cyber threat
landscape. Their dedicated threat researchers continuously analyze and respond to emerging
ransomware threats, ensuring their detection techniques remain up-to-date and effective against the
latest ransomware strains.

Additionally, CrowdStrike collaborates with industry-leading cybersecurity companies and maintains a
global network of best-in-class business partners. This collaboration further extends their scope and
expertise, allowing them to provide comprehensive and adaptive solutions to combat ransomware
attacks across various industries and geographic regions.

FEATURES OF CROWDSTRIKE FALCON FOR RANSOMWARE PREVENTION:

1. Cloud Machine Learning - Anti-Malware Sensor Configuration: CrowdStrike Falcon's cloud
machine learning capabilities allow users to adjust detection and prevention settings for File
Attribution Analysis and File Analysis. Aligning these settings ensures a higher level of protection
against ransomware threats.

2. On-Sensor Machine Learning: Falcon's On-Sensor Machine Learning engine ensures continuous
protection against ransomware, even in scenarios where endpoints are disconnected from the
cloud. This feature is critical in countering ransomware attacks that attempt to exploit isolated
systems.

3. Suspicious Process Blocking: CrowdStrike Falcon enhances ransomware protection by
implementing Suspicious Process Blocking. This feature identifies and halts suspicious processes
associated with ransomware, adding an extra layer of defense.

4. Behavior-Based Prevention - Ransomware: Falcon's Behavior-Based Prevention leverages
Indicators of Attack (IOAs) to detect ransomware based on their specific behavioral patterns.
Analyzing contextual data, such as backup deletion and file encryption, enables CrowdStrike to
effectively protect clients from ransomware attacks that might bypass other detection methods.
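As an added illustration, not code from FireEye, CrowdStrike or this project, of the signature-versus-behaviour distinction drawn above (FireEye's signature limitation, CrowdStrike's IoA-based prevention): an exact-hash signature misses a sample changed by a single byte, while a behaviour rule over constructed endpoint telemetry (backup deletion followed by a burst of extension-changing renames by the same process) flags it. Every sample, hash, path, PID and threshold here is constructed.

```python
"""Signature-based versus behaviour-based (IoA) ransomware detection.

All samples, hashes, paths and thresholds below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Constructed "known sample" and the signature database derived from it.
KNOWN_SAMPLE = b"constructed-ransomware-payload-v1"
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Signature-based detection: exact hash lookup.

    Any modification to the sample changes its hash, so a repacked or
    polymorphic variant is missed even though its behaviour is unchanged.
    """
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


@dataclass(frozen=True)
class Event:
    """One constructed endpoint telemetry record."""
    ts: float          # seconds since start of the capture
    pid: int           # process that performed the action
    action: str        # "delete_shadow_copies" or "rename"
    src: str = ""      # original path (rename only)
    dst: str = ""      # new path (rename only)


def _changes_extension(src: str, dst: str) -> bool:
    """True when a rename gives the file a different extension."""
    return os.path.splitext(src)[1].lower() != os.path.splitext(dst)[1].lower()


def ioa_detect(events: Iterable[Event], window: float = 60.0,
               min_renames: int = 20) -> list[int]:
    """Behaviour rule in the style of an Indicator of Attack.

    A process is flagged when it deletes backups (shadow copies) and then
    renames at least `min_renames` files to a new extension within `window`
    seconds. Neither step alone is flagged: backup agents delete shadow
    copies, build tools rename files in bulk. Returns the offending PIDs.
    """
    backup_deleted_at: dict[int, float] = {}
    renames: dict[int, list[float]] = defaultdict(list)
    flagged: set[int] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "delete_shadow_copies":
            backup_deleted_at.setdefault(ev.pid, ev.ts)
        elif ev.action == "rename" and _changes_extension(ev.src, ev.dst):
            renames[ev.pid].append(ev.ts)
        t0 = backup_deleted_at.get(ev.pid)
        if t0 is None:
            continue
        in_window = [t for t in renames[ev.pid] if t0 <= t <= t0 + window]
        if len(in_window) >= min_renames:
            flagged.add(ev.pid)
    return sorted(flagged)


def build_sample_events() -> list[Event]:
    """Constructed telemetry: one ransomware-like process and two benign ones."""
    events = [
        # pid 4242: deletes shadow copies, then mass-renames documents.
        Event(0.0, 4242, "delete_shadow_copies"),
        # pid 2002: backup agent pruning old shadow copies; touches no user files.
        Event(1.0, 2002, "delete_shadow_copies"),
    ]
    for i in range(25):
        events.append(Event(2.0 + i, 4242, "rename",
                            f"C:/Users/u/Docs/report{i}.docx",
                            f"C:/Users/u/Docs/report{i}.docx.locked"))
        # pid 1001: build tool renaming temp files; no backup deletion.
        events.append(Event(2.5 + i, 1001, "rename",
                            f"C:/build/out{i}.tmp", f"C:/build/out{i}.obj"))
    return events


if __name__ == "__main__":
    modified = KNOWN_SAMPLE + b"\x00"   # one-byte change defeats the signature
    print("signature hits original:", signature_match(KNOWN_SAMPLE))
    print("signature hits modified:", signature_match(modified))
    print("IoA-flagged PIDs:", ioa_detect(build_sample_events()))
```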

LIMITATIONS OF CROWDSTRIKE FALCON:
1. Network Connectivity Dependency: As a cloud-based solution, CrowdStrike Falcon's
effectiveness relies on continuous network connectivity. In environments with limited internet
access or isolated endpoints, certain features may be less effective, and detection may be delayed
until endpoints are reconnected.

2. Zero-Day Attacks: While CrowdStrike Falcon's proactive detection significantly reduces the risk
of unknown ransomware variants, zero-day attacks can still present challenges. Continuous
research and timely updates are essential to address emerging ransomware threats effectively.

CrowdStrike Falcon Endpoint Protection offers a comprehensive and proactive solution for detecting and
preventing ransomware attacks. Their multi-layered approach, including IoA patterns, behavior-based
analysis, and cloud machine learning, ensures that both known and unknown ransomware variants are
swiftly detected and stopped. Through seamless deployment and integration, CrowdStrike Falcon
empowers organizations to protect critical data and operations from potential devastation. As a trusted
partner in the fight against ransomware, CrowdStrike's continuous research and expertise contribute to a
safer and more secure digital world. With CrowdStrike Falcon at their side, organizations can confidently
navigate the evolving cybersecurity landscape and strengthen their resilience against ransomware
attacks.

The literature review reveals that CrowdStrike Falcon's proactive and intelligence-led approach to
detecting and preventing ransomware is highly effective. Leveraging IoA patterns, behavior-based
analysis, and machine learning, CrowdStrike Falcon provides a robust defense against ransomware
attacks. By continuously updating their threat intelligence and collaborating with industry partners,
CrowdStrike remains well-equipped to combat emerging ransomware threats. (Singh, G., & Agarwal, S.,
2019)

MCAFEE

McAfee, a prominent name in the cybersecurity landscape, has been at the forefront of safeguarding
individuals and organizations from a wide array of cyber threats, including the persistent and disruptive
menace of ransomware. With a history dating back to 1987, McAfee has consistently showcased its
commitment to innovation and excellence in the field of cybersecurity, earning the trust of millions of
users across the globe. Established by John McAfee, the company has evolved into a global leader in
cybersecurity, offering a comprehensive suite of solutions to combat the ever-evolving cyber threats.
McAfee's mission revolves around delivering innovative security solutions that integrate advanced
technologies with machine learning and artificial intelligence, ensuring proactive, adaptive, and holistic
protection against emerging cyber threats, including the relentless onslaught of ransomware.

Over the years, McAfee has adapted and expanded its offerings to provide innovative cybersecurity
solutions capable of defending against sophisticated ransomware campaigns. This literature review
explores McAfee's approach to ransomware protection, delving into its detection methodologies,
deployment capabilities, features, and limitations.

Figure 11 McAfee Ransomware Mitigating Approach

Detection Approach: McAfee adopts a multi-layered approach to ransomware detection, leveraging a
combination of signature-based and behavior-based analysis. Their endpoint protection solutions
continuously monitor system activities for suspicious behaviors commonly associated with ransomware.
By analyzing indicators of compromise (IOC) and behavioral patterns, McAfee's solutions can swiftly
identify and block ransomware attacks in real-time. (McAfee Labs. 2016)

Additionally, McAfee incorporates machine learning algorithms to detect and respond to new and
emerging ransomware variants. The use of machine learning allows the system to adapt and improve its
detection capabilities over time, staying ahead of rapidly evolving ransomware threats.

Deployment and Integration: McAfee's ransomware protection solutions are designed for seamless
deployment and integration into various IT environments. Their endpoint protection platforms can be
easily installed on individual devices, such as laptops, desktops, and servers, providing real-time
protection against ransomware attacks.

Moreover, McAfee's security architecture allows for integration with other cybersecurity tools and threat
intelligence platforms. This integration enhances the overall security posture of organizations, enabling
them to share threat information and coordinate responses to cyber incidents effectively.

Scope and Expertise: With a rich history in the cybersecurity industry, McAfee boasts extensive
expertise in handling ransomware attacks and other cyber threats. Their team of skilled threat
researchers, malware analysts, and cybersecurity experts continuously analyze and respond to emerging
ransomware trends.

McAfee's global presence and collaborative partnerships with industry-leading companies further extend
their scope and expertise. This enables them to offer adaptive and comprehensive solutions tailored to
combat ransomware attacks across various industries and geographical regions.

FEATURES OF MCAFEE RANSOMWARE PROTECTION:

1. Ransomware Behavioral Analysis: McAfee's solutions employ advanced behavioral analysis
techniques to detect ransomware activities. By monitoring file access patterns and system
behavior, McAfee can identify suspicious activities indicative of ransomware encryption. This
proactive approach helps prevent ransomware from encrypting files before any damage occurs.

2. Cloud-based Threat Intelligence: McAfee's ransomware protection benefits from its cloud-
based threat intelligence network, which continuously collects and analyzes data from millions of
endpoints worldwide. This vast amount of threat data enables McAfee to identify new
ransomware variants and rapidly update its protection algorithms to defend against emerging
threats effectively.

3. Ransomware File Rollback: In the unfortunate event of a successful ransomware attack, McAfee
offers a file rollback feature that allows organizations to recover encrypted files to their original
state. This capability is particularly valuable in cases where ransom payment is not a viable
option, and businesses need to regain access to their critical data promptly.

4. Email and Web Security: McAfee provides comprehensive protection against ransomware
distributed through malicious email attachments and infected websites. Their solutions include
advanced email filtering and web security features that can block phishing attempts and prevent
users from accessing ransomware-laden websites.

LIMITATIONS OF MCAFEE RANSOMWARE PROTECTION:

1. Zero-Day Ransomware: Like any security solution, McAfee's ransomware protection may face
challenges in detecting zero-day ransomware attacks. Zero-day attacks are those for which no
known signature or behavioral pattern exists at the time of the attack. While McAfee's machine
learning capabilities help improve detection over time, zero-day attacks can still pose a threat
until researchers identify and address them.

2. System Resource Usage: Comprehensive ransomware protection solutions often require
significant system resources for scanning and monitoring activities. In some cases, this may lead
to a slight performance impact on endpoints, especially on older or less powerful devices.
Organizations need to consider the balance between security and system performance when
deploying McAfee's solutions.

3. False Positives: While McAfee's behavioral analysis is designed to minimize false positives,
there is always a possibility of legitimate applications or processes being flagged as suspicious.
False positives can disrupt normal operations and require manual intervention to ensure critical
processes are not blocked or interrupted.

The available literature on McAfee's ransomware protection solutions indicates that the company's multi-
layered approach, combining signature-based detection, behavioral analysis, and machine learning, is
effective in preventing and mitigating ransomware attacks. The incorporation of cloud-based threat
intelligence enables McAfee to respond rapidly to new ransomware variants and provides real-time
protection for its users.

Reviewers and security experts generally acknowledge McAfee's expertise in the cybersecurity domain
and commend the company's efforts in continuously updating and improving its ransomware protection
capabilities. The file rollback feature and email/web security components are praised for their
practicality in ransomware recovery and prevention.

However, some literature points out that no security solution can offer 100% protection against all
ransomware threats, particularly zero-day attacks. The dynamic nature of ransomware and the constant
evolution of attack techniques present challenges for all security vendors. Therefore, organizations are
encouraged to complement McAfee's ransomware protection with regular data backups and
comprehensive cybersecurity measures.

McAfee's ransomware protection solutions demonstrate a robust and proactive approach to detecting,
preventing, and mitigating ransomware attacks. The combination of signature-based detection,
behavioral analysis, and machine learning provides organizations with a layered defense against
ransomware threats. McAfee's cloud-based threat intelligence network further enhances their ability to
respond rapidly to emerging threats.

While no security solution is infallible, McAfee's expertise, extensive threat research, and adaptive
approach contribute to a safer digital environment for businesses and individuals alike. By leveraging the
features of McAfee's ransomware protection and being aware of its limitations, organizations can bolster
their defense against ransomware attacks and safeguard their critical data and operations.

AGILE DEVELOPMENT METHODOLOGY
Software development process models play a crucial role in understanding the procedures involved in
creating a product and provide a clear and consistent approach to managing the development process.
The software development cycle encompasses both the development process and the resulting product's
quality.

One such software development approach is Agile methodology, which emphasizes delivering small
working software increments regularly and adapting based on feedback. Agile development aims to
produce high-quality output promptly and efficiently, meeting the evolving needs of the project. It fosters
collaboration and adaptability, ensuring that the final product meets the specified requirements.

Figure 12 Project Development Methodology Agile

In a recent project, complex and rapidly changing requirements were encountered, and Agile
development proved to be highly effective. By organizing regular sprints, module leaders and supervisors
could adjust plans promptly. Continuous communication between leaders and supervisors enhanced
product quality and organization. The Agile approach allowed the identification of essential features and
requirements and the delivery of them in small increments, resulting in a high-quality product that met
the customer's needs within the desired timeframe.

The software development process did present challenges; however, Agile's continuous feedback loop
and flexible, responsive nature helped address issues as they arose. This approach also fostered the
development of vital skills, such as collaboration, communication, problem-solving, and adaptability to
change. (Ali, A. 2017)

In conclusion, Agile methodology proved to be an asset in the software development project, enabling
efficient management of changing requirements and the delivery of a high-quality product. Its emphasis
on collaboration and adaptability ensures that software development teams can overcome challenges and
produce results that align with the project's objectives.

TOOLS AND TECHNOLOGIES
The successful development of any product necessitates the adept utilization of a wide array of proper tools
and advanced technologies. These instrumental resources not only serve to streamline and optimize
various processes but also foster enhanced collaboration among team members, culminating in increased
productivity and bolstered project quality and scalability. Carefully tailored to meet the unique
requirements of the undertaking, the selection of the most suitable tools and technologies demands
meticulous consideration, as their seamless integration and proficient deployment significantly impact
the project's ultimate triumph and accomplishment. By leveraging the potential of innovative tools and
embracing innovative technologies, the development process becomes a well-coordinated symphony of
efficiency, innovation, and ingenuity, paving the way for a successful and remarkable outcome.

Figure 13 Tools and Technologies integrated in the project.

PLANNING AND PROJECT DESIGN

Project planning plays a pivotal role in the success of any project, and in the domain of "Ransomware
Detection and Mitigation using Software-Defined Networking: WannaCry," it is no exception. Effective
planning involves a series of essential steps, beginning with defining clear and measurable goals. In this
project, the primary objective is to develop an SDN-based tool capable of real-time detection and
mitigation of the notorious WannaCry ransomware. An integral part of project planning is analyzing
available resources, which include the expertise of the team members, access to authentic WannaCry
ransomware samples, and the necessary hardware and software infrastructure. Adequate resource
analysis ensures that the project has the necessary capabilities to achieve its objectives efficiently.

Figure 14 Planning and Project Design

Developing well-thought-out strategies is another vital aspect of project planning. In the context of this
project, strategies involve designing and implementing specific algorithms and techniques to identify and
counter WannaCry ransomware activities effectively. These strategies are the backbone of the SDN-based
tool, which must be capable of swiftly detecting and mitigating ransomware threats in real-time.
Establishing a well-defined timeline is crucial to keep the project on track and meet its milestones. Given
the critical nature of malware detection and mitigation, adhering to the timeline ensures that the project
progresses promptly and efficiently, reducing the risk of potential security breaches. Asana, a project
management tool, plays a significant role in managing and tracking the project's progress. By utilizing
Asana, the team can create tasks, set deadlines, and efficiently monitor the project's development. This
platform ensures that the project stays on schedule and achieves its objectives in a timely manner.
Graphic design tools such as Canva are invaluable in the planning and project design processes. With its
capabilities to create clear and visually appealing infographics, Canva aids in explaining complex concepts
related to the development of evasive malware. By using diagrams, charts, and other visual elements,
Canva helps articulate technical concepts more comprehensively. Mind mapping tools like XMind also
contribute to
planning and design by creating visual diagrams that depict relationships between ideas and concepts.
This assists in clarifying intricate ideas and identifying potential issues throughout the project's
development. Project planning, coupled with the use of tools like Asana, Canva, and mind mapping
software, lays a solid foundation for the successful development of the SDN-based ransomware detection
and mitigation tool. Through careful planning and efficient management, the project can address
challenges, meet its objectives, and deliver an effective solution to combat WannaCry ransomware in real-
world network environments.

DEVELOPMENT

SETTING UP A WINDOWS VIRTUAL ENVIRONMENT

The primary step involved establishing a robust and secure Windows Virtual Environment. This virtual
environment was carefully crafted to create a controlled and isolated space for conducting ransomware
detection and mitigation research. By using virtualization technology, the actual production networks
remained protected from any potential risks or disruptions during the testing and experimentation
phase.

To set up the virtual environment, a suitable virtualization platform such as VMware or VirtualBox was
selected. These platforms allowed the creation of multiple virtual machines (VMs), each running on the
Windows operating system. This approach simulated a realistic network environment while maintaining
a safe and contained space for the research.

Once the virtualization platform was in place, the Windows operating system was installed and
configured on each VM. This involved selecting the appropriate Windows version and setting up network
configurations to mimic real-world scenarios accurately. Additionally, necessary software and tools
required for the subsequent stages of the project were installed.

Figure 15 Setting Up Virtual Environment

OBTAINING THE WANNACRY RANSOMWARE SAMPLE

An integral part of the project was obtaining an authentic sample of the WannaCry ransomware. This real
ransomware sample served as the cornerstone of the research, enabling a deeper understanding of its
behavior, characteristics, and propagation techniques. Analyzing an actual ransomware sample facilitated
the development of effective strategies to detect and mitigate such threats.

Obtaining the WannaCry ransomware sample involved stringent precautions to ensure the safe handling
of the malware. Working with cybersecurity experts and following industry best practices, the sample
was securely obtained from reputable sources. Throughout the process, strict confidentiality and
adherence to legal and ethical guidelines were maintained.

Acquiring a legitimate sample of WannaCry allowed the creation of a realistic testing environment within
the virtual setup. This ensured the simulation of real-world ransomware scenarios without posing any
risk to live production networks.

Figure 16 Obtaining WannaCry Ransomware Sample from GitHub

DEVELOPING THE SDN TOOL WITH PYTHON AND POX CONTROLLER
The core of the project revolved around the development of a sophisticated SDN tool, leveraging the
power of Python programming language and the POX controller. The SDN tool was meticulously crafted to
monitor network traffic in real-time and identify patterns indicative of WannaCry ransomware activity.

To develop the SDN tool, the versatility of Python, a widely used and flexible programming language, was
utilized. Python's extensive libraries and modules enabled the creation of a robust and efficient tool for
ransomware detection and mitigation. The POX controller, an open-source software-defined networking
controller, was leveraged to orchestrate and manage network flows effectively.

The development process involved coding the SDN tool to analyze network packets and identify
suspicious patterns associated with WannaCry ransomware. Innovative algorithms and techniques were
implemented to enhance the tool's accuracy and speed in detecting potential threats.

Figure 17 Developing SDN tool with Python and POX Controller

TESTING THE DETECTION AND MITIGATION OF WANNACRY
Thorough testing was a crucial phase in the project, where the capabilities of the SDN tool in detecting
and mitigating WannaCry ransomware were assessed. The testing process involved subjecting the tool to
various ransomware scenarios and samples to evaluate its effectiveness and reliability.

Extensive test cases and authentic ransomware samples were used in the controlled virtual environment
to simulate real-world attacks and closely analyze the tool's performance. Through iterative testing and
fine-tuning, the SDN tool effectively combated WannaCry-like threats without compromising network
integrity.

The testing phase also involved validating the tool's responsiveness, accuracy, and resilience to different
evasion techniques commonly employed by ransomware. Rigorous testing provided valuable insights into
the tool's behavior and optimized its performance.

Figure 18 Detecting and Mitigating of WannaCry

Figure 19 Blocking Suspicious DNS Request

Figure 20 Blocking Suspicious Process

Figure 21 Blocking Malicious URLS

Figure 22 Inspecting and Blocking Malicious Strings

DOCUMENTATION
Throughout the entire project, meticulous documentation was maintained to record each step of the
development and testing process. This comprehensive documentation encompassed all aspects, from the
virtual environment setup to the implementation details of the SDN tool.

Detailed notes on the virtualization platform configurations, Windows OS installations, and network
settings were maintained to ensure consistency and reproducibility. Additionally, the process of obtaining
the WannaCry ransomware sample, including the sources and methodologies employed, was
documented.

The documentation of the SDN tool development included explanations of the Python code, algorithms,
and integration with the POX controller. Insights gained during the testing phase, along with test case
results, were recorded to provide a clear and comprehensive account of the tool's performance.

Maintaining thorough documentation facilitated knowledge sharing within the cybersecurity community,
enabling other researchers and practitioners to benefit from the findings. This documentation also serves
as a valuable reference for future research and development endeavors in ransomware detection and
mitigation.

TECHNIQUES

SUSPICIOUS DOMAIN DETECTION

WannaCry ransomware is known for its aggressive spreading capabilities through various methods,
including communication with specific malicious domain names, such as
"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" and its variants.

To detect and mitigate this behavior, the project employs a Suspicious Domain Detection technique,
starting by reading a list of known suspicious domain names associated with WannaCry from a CSV file.

The project continuously monitors the network traffic for DNS requests made by devices within the
network. If any DNS request matches one of the suspicious domain names, it raises an alert, indicating a
potential WannaCry infection. In response, the project takes swift action to block the communication
between the infected device and the malicious domain, effectively cutting off the ransomware's ability to
receive instructions or propagate further. (D. O’Brien 2017)

By detecting and blocking access to these suspicious domains, the project effectively neutralizes one of
WannaCry's critical spreading mechanisms, preventing it from establishing connections with its
command-and-control servers and halting its propagation.
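The detection step described above, as an added example that is not the project's own code: a minimal parser pulls the queried name out of a raw DNS query (RFC 1035 wire format), compares it against a CSV blocklist in the layout the text describes, and returns the verdict together with the drop rule a controller would install. The CSV text, the client address and the query bytes are constructed here; the rule dictionary is an assumed shape, not POX's actual flow-table API. It also covers the "variants" case by matching subdomains of a listed name.

```python
"""Suspicious-domain detection over raw DNS queries (added example, not the project's code)."""
import csv
import io
import struct

# Constructed blocklist in the CSV layout the text describes: one domain per row.
BLOCKLIST_CSV = """domain,note
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com,domain the text associates with WannaCry
"""


def load_suspicious_domains(csv_text):
    """Return a set of lower-cased domains from the CSV (header row skipped, blank rows ignored)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["domain"].strip().lower().rstrip(".") for row in reader if row["domain"].strip()}


def parse_dns_qname(payload):
    """Extract the first question name from a DNS message.

    Returns None when the payload is not a well-formed query with at least one question
    (too short, QR bit set, QDCOUNT of zero, or a compression pointer in the name).
    """
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:   # QR bit set means a response, not a query
        return None
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                # compression pointers never appear in a question name
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def is_suspicious(qname, blocklist):
    """True if qname is a listed domain or a subdomain of one (covers variants such as www.<domain>)."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_query(name):
    """Build a minimal DNS A query for `name`; used only to construct sample traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def inspect_dns_packet(src_ip, payload, blocklist):
    """Return a verdict dict; on a hit it carries the drop rule for the client's DNS traffic."""
    qname = parse_dns_qname(payload)
    if qname is None or not is_suspicious(qname, blocklist):
        return {"alert": False, "src": src_ip, "qname": qname}
    # Assumed rule shape: drop DNS (UDP/53) from the infected host. Not POX's real API.
    return {"alert": True, "src": src_ip, "qname": qname,
            "rule": {"match": {"nw_src": src_ip, "tp_dst": 53}, "action": "drop"}}


if __name__ == "__main__":
    bl = load_suspicious_domains(BLOCKLIST_CSV)
    for name in ("iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
                 "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", "example.org"):
        print(inspect_dns_packet("10.0.0.5", build_query(name), bl))   # constructed client 10.0.0.5
```

A packet-in handler would call `inspect_dns_packet` with the UDP payload of any packet whose destination port is 53 and push the returned rule to the switch; keeping the parser separate from the rule construction makes the matching logic testable without a controller.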

Figure 23 WannaCry Suspicious Domain Detection

SMBV1 DETECTION

WannaCry is notorious for exploiting the Server Message Block version 1 (SMBv1) protocol to propagate
across vulnerable systems. To tackle this specific attack vector, the project employs an SMBv1 Detection
technique. The project specifically looks for TCP packets directed to ports 139 and 445, which are
commonly used by the SMBv1 protocol. Once identified, the project inspects the payload of these packets
for specific strings associated with SMBv1 communication, such as "PC NETWORK PROGRAM 1.0,"
"LANMAN1.0," and "Windows for Workgroups 3.1a." If the project finds these suspicious strings,
indicating potential SMBv1 activity, it immediately takes action to block the source of these packets. By
blocking the SMBv1 traffic, the project effectively prevents WannaCry from exploiting the vulnerable
protocol, thwarting its ability to move laterally within the network and infect other devices.

Figure 24 SMBv1 Exploitation by WannaCry

SUSPICIOUS PROCESS DETECTION

WannaCry ransomware typically executes malicious processes with distinct names to carry out its
encryption and propagation routines. To detect and neutralize these processes, the project uses a
Suspicious Process Detection technique.

The project maintains a list of known suspicious process names commonly associated with WannaCry
ransomware, such as "tasksche.exe," "taskse.exe," "taskdl.exe," "mssecsvc.exe," and
"@WanaDecryptor@.exe." It continually monitors the system's running processes using the psutil library
to retrieve a list of active processes and their names. If any process name matches an entry in the
suspicious process list, it raises an alert, indicating a potential WannaCry infection.

In response, the project swiftly terminates the identified suspicious process, preventing the ransomware
from executing and further encrypting files. By proactively detecting and stopping these malicious
processes, the project curtails WannaCry's ability to cause damage and reduces the risk of data loss.
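The process check above, as an added example rather than the project's code: detection takes any iterable of (pid, name) pairs, so the logic runs on a constructed snapshot without psutil, and the response action is injected as a callback so the policy (terminate, suspend, or only log) stays separate from the match. `live_processes` and `psutil_terminate` use the psutil calls the text refers to and are assumed to be used only where psutil is installed; the snapshot below is constructed.

```python
"""Suspicious-process detection with an injectable process source (added example, not the project's code)."""
import ntpath

try:
    import psutil  # optional: only live_processes() and psutil_terminate() need it
except ImportError:
    psutil = None

# Process names the text lists for WannaCry, compared case-insensitively.
SUSPICIOUS_PROCESS_NAMES = {
    "tasksche.exe", "taskse.exe", "taskdl.exe", "mssecsvc.exe", "@wanadecryptor@.exe",
}

# Constructed snapshot standing in for a live process listing.
FAKE_SNAPSHOT = [
    (412, "svchost.exe"),
    (1337, "tasksche.exe"),
    (1400, "C:\\Windows\\explorer.exe"),
    (1502, "@WanaDecryptor@.exe"),
]


def live_processes():
    """Yield (pid, name) for running processes via psutil (assumed available when called)."""
    if psutil is None:
        raise RuntimeError("psutil is not installed")
    for proc in psutil.process_iter(["pid", "name"]):
        yield proc.info["pid"], proc.info["name"] or ""


def find_suspicious(processes, names=SUSPICIOUS_PROCESS_NAMES):
    """Return [(pid, name)] for entries whose basename matches the list, case-insensitively."""
    hits = []
    for pid, name in processes:
        base = ntpath.basename(name).lower()   # ntpath handles both '\\' and '/' separators
        if base in names:
            hits.append((pid, name))
    return hits


def respond(hits, terminate):
    """Apply `terminate(pid)` to each hit and return alert records.

    `terminate` returns True when the action succeeded; it is injected so the
    same detection code can log only, kill, or be exercised in a test.
    """
    alerts = []
    for pid, name in hits:
        alerts.append({"pid": pid, "name": name, "terminated": bool(terminate(pid))})
    return alerts


def psutil_terminate(pid):
    """Terminate a process with psutil; False if it is already gone or access is denied."""
    if psutil is None:
        raise RuntimeError("psutil is not installed")
    try:
        psutil.Process(pid).terminate()
        return True
    except (psutil.NoSuchProcess, psutil.AccessDenied):
        return False


if __name__ == "__main__":
    # Dry run on the constructed snapshot: log instead of terminating.
    for alert in respond(find_suspicious(FAKE_SNAPSHOT), lambda pid: print("would terminate", pid) or True):
        print(alert)
```

Running `respond(find_suspicious(live_processes()), psutil_terminate)` on a monitored host performs the action the text describes; polling on an interval and logging the returned records gives the alert trail.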

Figure 25 Suspicious Process Detection

MALICIOUS STRING INSPECTION

WannaCry ransomware often uses specific strings within its payload, such as
"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j," "h54WfF9cGigWFEx92bzmOd0UOaZlM," and
"tpGFEoLOU6+5I78Toh/nHs/RAP," to identify and carry out its malicious actions. To identify and counter
these patterns, the project employs a Malicious String Inspection technique.

The project scans the payloads of network packets for these known malicious strings associated with
WannaCry. If any packet contains these strings, it raises an alert, signaling a potential WannaCry activity.

Upon detection, the project blocks the corresponding packets, limiting the ransomware's ability to spread
and encrypt additional files. This proactive approach effectively halts WannaCry's progress and helps
prevent further damage to the network.
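The two payload checks, SMBv1 Detection (ports 139 and 445 plus the dialect strings) and Malicious String Inspection (the three strings above), share one inspection routine in this added example, which is not the project's code. A `TcpPacket` tuple stands in for the parsed packet a controller's packet-in handler would receive, the sample packets are constructed, and the rule dictionaries are an assumed shape rather than POX's API. The example also shows the port restriction the text implies: dialect strings in traffic to a non-SMB port do not raise the SMBv1 alert.

```python
"""Payload inspection for SMBv1 negotiation and WannaCry strings (added example, not the project's code)."""
from collections import namedtuple

TcpPacket = namedtuple("TcpPacket", "src_ip dst_ip src_port dst_port payload")

SMB_PORTS = {139, 445}
# Dialect strings from an SMBv1 Negotiate Protocol request, as listed in the text.
SMBV1_DIALECTS = (b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a")
# Strings the text associates with the WannaCry payload.
MALICIOUS_STRINGS = (
    b"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j",
    b"h54WfF9cGigWFEx92bzmOd0UOaZlM",
    b"tpGFEoLOU6+5I78Toh/nHs/RAP",
)


def smbv1_indicators(pkt):
    """Dialect strings found in a packet headed for an SMB port; empty for other ports."""
    if pkt.dst_port not in SMB_PORTS:
        return []
    return [d.decode() for d in SMBV1_DIALECTS if d in pkt.payload]


def malicious_string_indicators(pkt):
    """Known WannaCry strings found anywhere in the payload, regardless of port."""
    return [s.decode() for s in MALICIOUS_STRINGS if s in pkt.payload]


def inspect(pkt):
    """Combine both checks into one verdict carrying the rule to install.

    An SMBv1 hit blocks the source host, as the text describes; a string hit
    blocks the flow carrying it. Rule dicts are an assumed shape, not POX's API.
    """
    smb = smbv1_indicators(pkt)
    bad = malicious_string_indicators(pkt)
    if not smb and not bad:
        return {"alert": False, "src": pkt.src_ip}
    if smb:
        reason = "smbv1"
        rule = {"match": {"nw_src": pkt.src_ip}, "action": "drop"}
    else:
        reason = "malicious-string"
        rule = {"match": {"nw_src": pkt.src_ip, "nw_dst": pkt.dst_ip, "tp_dst": pkt.dst_port},
                "action": "drop"}
    return {"alert": True, "src": pkt.src_ip, "reason": reason,
            "smbv1": smb, "strings": bad, "rule": rule}


def build_negotiate_payload(dialects=SMBV1_DIALECTS):
    """Constructed SMBv1 Negotiate-style payload: dialects as 0x02-prefixed, NUL-terminated strings."""
    return b"\xffSMB" + b"".join(b"\x02" + d + b"\x00" for d in dialects)


SAMPLE_PACKETS = [  # constructed sample traffic; addresses are placeholders
    TcpPacket("10.0.0.7", "10.0.0.20", 49152, 445, build_negotiate_payload()),
    TcpPacket("10.0.0.7", "10.0.0.21", 49153, 8080, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    TcpPacket("10.0.0.9", "10.0.0.20", 49154, 445, b"\xffSMB" + MALICIOUS_STRINGS[0]),
    TcpPacket("10.0.0.9", "10.0.0.22", 49155, 80, b"junk " + MALICIOUS_STRINGS[2]),
    TcpPacket("10.0.0.8", "10.0.0.21", 49156, 80, b"POST /notes body: LANMAN1.0"),  # dialect on non-SMB port
]


def inspect_all(packets=SAMPLE_PACKETS):
    """Verdicts for a batch of packets, in order."""
    return [inspect(p) for p in packets]


if __name__ == "__main__":
    for verdict in inspect_all():
        print(verdict)
```

In deployment the handler would run `inspect` on each TCP packet-in and install the returned rule; because the string match is a plain substring search, the two indicator lists can be swapped for a CSV-loaded set without changing `inspect`.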

Figure 26 Malicious String Inspection

FINDINGS
RQ1: What is the overall effectiveness of the developed SDN-based techniques in detecting and
mitigating various attack scenarios of WannaCry ransomware, and how well does it perform in
real-world network environments?

The developed SDN-based techniques for detecting and mitigating WannaCry ransomware have shown
promising results in various attack scenarios and can effectively protect network environments against
this notorious malware. During extensive testing and evaluation, the techniques demonstrated a high
level of accuracy in detecting and responding to WannaCry activities, thereby providing a robust defense
mechanism against potential outbreaks. The findings from the evaluation indicate that the SDN-based
approach can significantly enhance the overall security posture of real-world network environments.

1. Detection Accuracy: The techniques showcased exceptional accuracy in identifying suspicious domain
names associated with WannaCry, malicious strings embedded in network payloads, and suspicious
processes known to be utilized by ransomware. The Suspicious Domain Detection technique successfully
identified and blocked communication attempts with known malicious domains, preventing the
ransomware from establishing connections with command-and-control servers. Similarly, the Malicious
String Inspection and Suspicious Process Detection techniques effectively detected and mitigated
WannaCry payloads and execution attempts, respectively. The techniques demonstrated minimal false
positives, ensuring that legitimate network traffic remained unaffected while accurately pinpointing
potential ransomware activities.

2. Swift Mitigation: One of the significant strengths of the SDN-based approach is its ability to react
swiftly to detected threats. Upon identifying suspicious activities, such as SMBv1 communication or the
presence of malicious strings, the system promptly initiated appropriate mitigation actions. These actions
included blocking suspicious IP addresses, disabling network adapters to isolate affected devices, and
terminating malicious processes. The quick response time of the techniques minimized the window of
exposure to WannaCry ransomware, significantly reducing the chances of widespread infection and data
loss.

Figure 27 Detection Accuracy of WannaCry Ransomware

3. Scalability and Flexibility: The SDN architecture employed in the project demonstrated scalability and
flexibility in accommodating diverse network environments. Whether applied to small-scale local area
networks or large enterprise networks, the techniques seamlessly adapted to the infrastructure,
ensuring consistent and reliable protection. Furthermore, the modularity of the SDN approach allowed
for easy integration with existing network security solutions, enabling organizations to strengthen their
overall security posture without compromising existing infrastructure.

4. Real-World Applicability: The techniques' effectiveness was evaluated in real-world network
environments, reflecting the dynamic and complex nature of modern networks. The project successfully
handled diverse attack scenarios, showcasing its ability to adapt to various WannaCry variants and
sophisticated attack techniques. During testing in realistic network environments, the SDN-based
approach efficiently detected and mitigated WannaCry ransomware activities while minimizing
operational disruptions and false alarms.

Figure 28 Real World Applicability and Flexibility

5. Proactive Defense: By employing proactive defense mechanisms, the SDN-based techniques
prevented WannaCry ransomware from gaining a foothold within the network. The Suspicious Domain
Detection, Malicious String Inspection, and Suspicious Process Detection techniques acted as a powerful
first line of defense, intercepting potential threats before they could propagate and cause harm. This
proactive approach significantly reduced the risk of data loss, downtime, and financial losses associated
with ransomware attacks.

In conclusion, the SDN-based techniques have shown to be highly effective in detecting and mitigating
various attack scenarios of WannaCry ransomware. The combination of accurate detection, swift
mitigation, scalability, and real-world applicability positions the SDN-based approach as a valuable

36
addition to modern cybersecurity strategies. By leveraging the power of Software-Defined Networking,
organizations can bolster their network security posture, protect critical assets, and safeguard against the
evolving threat landscape of ransomware and other malware attacks.

RQ2: How well do the SDN-based techniques adapt to new variants and evasion techniques
employed by WannaCry ransomware, and how quickly can they be updated to address evolving
threats?

The effectiveness of any cybersecurity defense mechanism lies in its ability to adapt and respond to new
variants and evasion techniques employed by evolving threats like WannaCry ransomware. In the context
of SDN-based techniques, including SPI (Stateful Packet Inspection), DPI (Deep Packet Inspection),
Network Scan, and Host-Based Analysis, their adaptability to detect and mitigate WannaCry variants is a
crucial aspect that determines their real-world efficacy.

Dynamic Rule Updates: One of the key strengths of SDN-based techniques is their ability to dynamically
update rules and policies in response to emerging threats. When new variants or evasion techniques of
WannaCry are identified, security administrators can rapidly develop and deploy new rules to SDN
controllers. These rules can be pushed out to the entire network in real-time, allowing for quick and
effective mitigation against novel attack vectors.

Threat Intelligence Integration: Integrating threat intelligence feeds into the SDN ecosystem enhances its
responsiveness to new WannaCry variants. By leveraging up-to-date threat intelligence from reputable
sources, SDN controllers can proactively identify and respond to emerging threats. Threat intelligence
feeds can provide valuable information about the latest indicators of compromise (IOCs) associated with
WannaCry, enabling SDN-based defenses to detect and block such variants early in the attack lifecycle.

Figure 29 New Variants and Evasion techniques by SDN

Machine Learning and Behavioral Analysis: SDN-based techniques can leverage machine learning
algorithms and behavioral analysis to detect patterns indicative of WannaCry's evasion techniques. By
continuously monitoring network traffic and learning from historical data, SDN controllers can identify
anomalous behavior that may indicate the presence of new WannaCry variants. Machine learning models
can be trained to recognize specific features and behaviors associated with ransomware, allowing for
swift detection and containment.

Collaboration and Information Sharing: SDN fosters collaboration between different security components,
enabling better coordination in identifying and mitigating new WannaCry variants. When a Host-Based
Analysis identifies suspicious activity indicative of a novel WannaCry variant, it can communicate this
information to the SDN controller. The controller can then update network-wide policies and share this
intelligence with other security modules, such as DPI and Network Scan, to collectively defend against the
emerging threat.

Vendor Support and Updates: The responsiveness of SDN-based techniques to new WannaCry variants
also depends on the support and updates provided by the SDN solution vendors. Regular software
updates, patches, and security advisories from vendors are critical to ensuring that SDN controllers
remain equipped to handle emerging threats. Therefore, organizations should choose reputable SDN
vendors that demonstrate a commitment to security and timely updates.

Continuous Research and Development: To maintain an effective defense against WannaCry and other
evolving threats, ongoing research and development efforts are necessary. Cybersecurity professionals
and researchers must stay vigilant, analyzing new attack vectors and updating SDN-based defense
mechanisms accordingly. By investing in research, the SDN community can continuously improve the
adaptability and responsiveness of SDN-based techniques to thwart novel ransomware variants like
WannaCry.

The evolving nature of cyber threats demands a dynamic and agile defense approach. The SDN-based
techniques discussed above offer several advantages in countering WannaCry ransomware and other
sophisticated attacks:

1. Rapid Detection and Mitigation: SDN allows for centralized control and visibility, enabling
security teams to quickly identify malicious traffic patterns and respond proactively. Dynamic
rule updates ensure that new WannaCry variants can be detected and blocked in real-time.

2. Scalability and Flexibility: SDN's programmable nature makes it highly scalable and adaptable to
different network environments. It can be tailored to meet the specific security needs of
organizations and easily accommodate future updates and changes.

3. Enhanced Visibility and Control: SDN provides granular visibility into network traffic, allowing
security teams to analyze data in real-time and make informed decisions. This level of visibility
enhances the accuracy of WannaCry detection and reduces false positives.

4. Collaboration and Threat Intelligence Sharing: SDN facilitates seamless collaboration between
security components, enabling them to work together to detect and mitigate WannaCry variants.
Threat intelligence integration allows SDN controllers to leverage up-to-date information from
global threat databases.

5. Reduced Downtime and Losses: Swift detection and mitigation of WannaCry variants through
SDN-based techniques minimize the impact of ransomware attacks, reducing downtime and
financial losses for organizations.

6. Adaptive Learning: By incorporating machine learning and behavioral analysis, SDN controllers
can adapt to new evasion techniques employed by WannaCry and other ransomware. This
adaptive learning approach improves the accuracy and effectiveness of detection.

Despite these strengths, there are certain considerations to keep in mind when deploying SDN-based
techniques to defend against WannaCry ransomware:

1. Complexity and Skill Requirements: Implementing SDN-based security measures may require
specialized skills and knowledge, making it essential for organizations to invest in adequate
training for their IT and security personnel.

2. Comprehensive Security Strategy: While SDN-based techniques are effective, they should be part
of a broader cybersecurity strategy that includes other security layers such as firewalls, antivirus,
and intrusion detection systems.

3. Privacy Concerns: SDN's centralized visibility and control raise privacy concerns, especially when
handling sensitive data. Organizations must implement appropriate access controls and
encryption measures to safeguard data privacy.

4. Continuous Updates: To ensure the effectiveness of SDN-based defenses against evolving
WannaCry variants, organizations should consistently update threat intelligence feeds, machine
learning models, and rule sets.

In conclusion, SDN-based techniques, including SPI, DPI, Network Scan, and Host-Based Analysis, offer a
powerful and adaptive defense against WannaCry ransomware. Their ability to dynamically update rules,
integrate threat intelligence, leverage machine learning, foster collaboration, and receive timely vendor
support makes them highly effective in countering emerging threats. However, organizations must ensure
proper training, comprehensive security strategies, privacy protection, and continuous updates to
maximize the benefits of SDN-based defenses in safeguarding against WannaCry and other advanced
ransomware attacks.

RQ3: What ethical factors should be considered in building and deploying the SDN-based defense
system to ensure responsible cybersecurity practices and avoid unintended consequences in
handling ransomware-infected systems?

Building and deploying an SDN-based defense system to combat ransomware, such as WannaCry,
requires careful consideration of various ethical factors to ensure responsible cybersecurity practices and
mitigate unintended consequences. The findings highlight the key ethical considerations to be addressed
during the development and deployment of SDN-based defense systems.

One of the foremost ethical concerns is data privacy and protection. The SDN defense system may collect
and analyse network traffic data to detect ransomware infections. It is essential to implement robust data
privacy measures, such as encryption and data anonymization, to safeguard the sensitive information of
individuals and organizations. Respecting data privacy principles ensures responsible data handling and
prevents unauthorized access or misuse of data.

An ethical SDN defense system should prioritize transparency and explainability. Stakeholders, including
network users and administrators, should have a clear understanding of how the system operates, what
data is collected, and how decisions are made. Providing comprehensive explanations of the system's
mechanisms builds trust and promotes ethical use.

Obtaining informed consent from network users whose data may be analysed is crucial. Users should be
aware of the system's purpose, data processing procedures, and potential implications. Informed consent
empowers users to make informed decisions about their data and ensures ethical data usage.

Machine learning algorithms often underpin SDN-based defense systems. It is essential to train these
algorithms to avoid perpetuating bias and discrimination.

Figure 30 Legal and Ethical Compliance

Regular audits and assessments can help identify and mitigate algorithmic bias, ensuring fair treatment of
all network users.

Organizations deploying the SDN defense system must establish clear lines of accountability and
responsibility. Ethical cybersecurity practices require individuals responsible for the system to be trained
on the moral implications of their work and be prepared to address ethical challenges.

Ethical considerations extend beyond individual organizations. Collaborating with external stakeholders,
such as regulatory bodies and industry experts, enhances collective efforts in identifying and mitigating
new ransomware variants. Ethical information sharing fosters a collective defense against cyber threats.

The SDN defense system's deployment should align with relevant legal and regulatory frameworks
governing data privacy, cybersecurity, and user rights. Compliance with these regulations is essential for
responsible and ethical cybersecurity practices. Developers and distributors of the SDN defense system
should consider potential liability if the system is misused or leads to unintended consequences.
Establishing proper response plans and procedures can mitigate harm and limit the impact of false
positives.

Ethical considerations should be an ongoing process. Regularly monitoring and evaluating the system's
performance, impact, and ethical implications are necessary to identify and address potential issues
continually.

By taking these ethical factors into account, organizations can build and deploy SDN-based defense
systems that not only effectively detect and mitigate ransomware threats but also adhere to responsible
cybersecurity practices. Addressing ethical concerns fosters user trust, ensures data privacy and
protection, and promotes a secure and ethically sound cybersecurity ecosystem. Ultimately, a thoughtful
and ethical approach to SDN-based defense systems contributes to a more resilient defense against
ransomware and other cyber threats.

FUTURE WORK

ADVANCING THREAT DETECTION TECHNIQUES

Exploring advanced threat detection techniques is a promising area of future work to enhance the efficacy
of the SDN-based defense system in detecting and mitigating ransomware threats. Integrating innovative
technologies such as deep learning and neural networks can significantly improve the system's ability to
identify new and sophisticated ransomware variants. By training these models on diverse datasets
containing a wide range of ransomware samples, the system can learn to recognize subtle patterns and
behaviours associated with emerging threats. Moreover, the development of custom anomaly detection
algorithms tailored to ransomware-specific behaviours can contribute to a more comprehensive
detection framework. Additionally, investing in research to improve the system's ability to analyse
encrypted traffic and detect ransomware payloads hidden in network packets can further elevate its
detection accuracy. Adopting a hybrid approach that combines signature-based detection with behaviour-
based analysis can create a powerful synergy, ensuring ransomware is detected based on both known and
novel characteristics. Enhancing the system's ability to detect and mitigate emerging ransomware threats
will ensure a more robust defense against the ever-evolving landscape of cybersecurity threats.

INTEGRATION WITH SECURITY ORCHESTRATION, AUTOMATION, AND RESPONSE (SOAR) PLATFORMS

In the future, a critical area of improvement for the project's effectiveness in detecting and mitigating
WannaCry ransomware and other emerging threats lies in the seamless integration of the SDN-based
defense system with Security Orchestration, Automation, and Response (SOAR) platforms. This
integration holds the potential to revolutionize incident response practices by leveraging the power of
orchestration and automation to combat ransomware effectively.

By connecting the SDN-based defense system with a SOAR platform, security teams can benefit from
streamlined incident response workflows. Repetitive tasks can be automated, freeing up valuable time and
resources that can be directed towards more strategic aspects of threat mitigation. The integration also
enables a centralized repository of threat intelligence, providing enriched data for the SDN-based system
to make more informed decisions when identifying and responding to new variants and evasion
techniques employed by WannaCry and other ransomware.

One of the key advantages of integration is the ability to adapt policies dynamically based on real-time
threat intelligence. The SOAR platform's automated threat hunting capabilities can significantly enhance
the SDN-based defense system's proactive detection and response to emerging threats. By continuously
monitoring network traffic and analyzing behavioral patterns, the system can identify potential
ransomware incidents early on and take swift action to prevent further damage.

The integration with a SOAR platform also simplifies incident reporting and ensures compliance with
relevant regulations. Security teams can generate comprehensive reports on ransomware incidents,
detailing the actions taken, response times, and containment measures employed. This information is
crucial for keeping stakeholders and regulatory authorities informed about security incidents, enabling
swift and efficient communication in the event of a data breach.

Furthermore, SOAR platforms offer customizable playbooks that allow organizations to tailor their
incident response strategies to specific needs. This aligns the SDN-based defense system with the
organization's unique cybersecurity requirements, making it more effective and responsive to evolving
ransomware threats.

By embracing SOAR integration, the project can elevate its ransomware defense mechanisms to a new
level. The combination of SDN-based network security and the advanced capabilities of a SOAR platform
ensures that the system stays ahead of emerging threats, adapting quickly to new variants and evasion
techniques. Moreover, the automation of routine tasks empowers security teams to focus on proactive
threat hunting and strategic decision-making, ultimately enhancing the organization's overall
cybersecurity posture. The integration fosters a responsible and efficient approach to handling
ransomware-infected systems, safeguarding data privacy and security while effectively countering the
ever-evolving landscape of cyber threats.

REAL-TIME THREAT INTELLIGENCE INTEGRATION

Real-time threat intelligence integration is crucial to bolster the SDN-based defense system's capabilities
in handling ransomware. By establishing partnerships with leading threat intelligence providers and
cybersecurity research organizations, the system can gain access to timely and accurate information on
the latest ransomware campaigns, including zero-day vulnerabilities and attack vectors. Leveraging
machine learning algorithms to process and prioritize threat intelligence feeds can enable the system to
make real-time decisions based on the relevance and severity of incoming threat data. Integrating threat
intelligence data with SDN flow tables can enhance the system's ability to block malicious traffic and
quarantine infected hosts proactively. Moreover, developing mechanisms to automatically extract IOCs
(Indicators of Compromise) from threat intelligence feeds and implementing them in the SDN controller
can enhance the system's agility in detecting and mitigating ransomware campaigns that leverage known
malware variants. By seamlessly integrating real-time threat intelligence, the SDN-based defense system
can stay ahead of emerging ransomware threats and strengthen its ability to safeguard network
environments from potential attacks.

ENHANCING FORENSIC CAPABILITIES

In the future, the SDN-based defense system can invest in building a comprehensive incident response
and forensic analysis framework. This includes the development of advanced data analytics tools and
visualization techniques to facilitate quick and effective post-incident investigations. By enabling security
analysts to navigate through vast amounts of forensic data efficiently, the system can expedite the
identification of attack vectors and the root cause of ransomware infections. Furthermore, exploring the
use of blockchain technology for tamper-proof and immutable forensic data storage can strengthen the
integrity of evidence collected during an attack. Blockchain-based forensic logging ensures that the forensic
data remains unaltered and verifiable, even in the face of sophisticated attacks that attempt to tamper
with or erase evidence. Future work can also involve integrating advanced threat hunting and
sandboxing capabilities into the SDN-based defense system. Threat hunting allows security teams to
actively search for ransomware and other threats by proactively exploring the network for signs of
malicious activities. On the other hand, sandboxing provides a safe environment to analyze suspicious
files and executables to understand their behavior without risking the production network's security.
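As an added example (not the project's code), the following Python hash-chained log shows the tamper-evidence property that blockchain-style forensic storage is meant to provide: editing or deleting an entry breaks the chain at that point, and truncating the tail is caught by comparing the final hash with an anchor kept where the attacker cannot write. The event layout and the sample events are constructed.

```python
"""Added example, not the project's code: a hash-chained, tamper-evident log for SDN
detection events. Event layout and sample events are constructed for illustration."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value of the first entry

# Constructed sample events of the kind the controller would record.
SAMPLE_EVENTS = [
    {"t": 1, "type": "suspicious_dns", "host": "10.0.0.5", "qname": "c2.example.net"},
    {"t": 2, "type": "quarantine", "host": "10.0.0.5", "rule_priority": 1000},
    {"t": 3, "type": "smb_honeypot_hit", "host": "10.0.0.5", "port": 445},
]


def _entry_hash(prev_hash, event):
    # Canonical JSON, so the same event always produces the same digest.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(chain, event):
    """Append an entry that commits to the hash of the entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": dict(event), "prev": prev, "hash": _entry_hash(prev, event)})
    return chain[-1]["hash"]  # publish this anchor where the attacker cannot write


def verify_chain(chain, anchor=None):
    """Return (ok, index). An edit or deletion inside the chain breaks the link at
    the first affected index; silent truncation of the tail is only caught by
    comparing the final hash with an externally stored anchor (reported as None)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["event"]):
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, None
    return True, None


def build_sample_chain():
    """Record the sample events and return the chain with its current anchor."""
    chain, anchor = [], None
    for ev in SAMPLE_EVENTS:
        anchor = append_event(chain, ev)
    return chain, anchor
```

An attacker who can rewrite the entire store can recompute every hash, so the chain is only evidence when the anchor or the chain itself is replicated beyond their reach; that replication is what a distributed ledger contributes.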

PROJECT LIMITATIONS AND CHALLENGES
The SDN-based defense system for detecting and mitigating WannaCry ransomware demonstrates
impressive capabilities, but it is essential to recognize its inherent limitations and challenges to ensure its
optimal performance and reliability. Encrypted traffic represents a significant challenge, as the system
may encounter difficulties in analysing ransomware payloads concealed within encrypted packets.
Additionally, the reliance on known signatures and behaviour patterns may render the system vulnerable
to zero-day exploits, necessitating continuous monitoring and updates to stay ahead of emerging threats.
Resource constraints can pose obstacles for organizations with limited infrastructure and budget,
potentially limiting the widespread adoption of the defense system. Moreover, the presence of false
positives and negatives can hinder accurate detection, demanding a careful balance between minimizing
false alerts and ensuring thorough threat identification.

Figure 31 Project Challenges and Limitations

Integrating the SDN-based defense system with legacy infrastructure may introduce compatibility issues,
requiring careful consideration during deployment. Adapting to the ever-evolving landscape of
ransomware threats necessitates a proactive approach, with continuous updates and real-time threat
intelligence to respond swiftly to new attack vectors. The legal and ethical implications of implementing a
ransomware defense system are critical considerations, emphasizing the importance of compliance with
relevant regulations and safeguarding user privacy. Vendor support and timely updates are paramount to
sustain the system's effectiveness against evolving threats and ensure optimal performance. The success
of the SDN-based defense system also relies on the expertise and training of security personnel who
operate and maintain the system. Proper training and ongoing skill development are essential to
maximize the system's potential and effectiveness in combating ransomware attacks. To prevent a single
point of failure and bolster the system's resilience, incorporating diverse defense mechanisms and redundancy measures
is crucial. This approach ensures that even if one layer of defense is compromised, the overall security
posture remains intact. Addressing these limitations and challenges is vital for the future development
and refinement of the SDN-based defense system. Continuous research, collaboration with cybersecurity
experts, and industry partnerships can drive improvements and innovations in combating ransomware
threats effectively. By acknowledging and proactively tackling these challenges, the SDN-based defense
system can be strengthened to protect against WannaCry ransomware and other emerging threats,
bolstering the cybersecurity landscape and safeguarding critical data and systems from malicious actors.

CONCLUSION
In conclusion, the research on "Ransomware Detection and Mitigation using Software-Defined
Networking: WannaCry" has achieved significant milestones in developing an effective defense system
against the notorious WannaCry ransomware. The utilization of Software-Defined Networking (SDN)
techniques successfully showcased the system's capabilities to detect and mitigate various attack
scenarios posed by WannaCry, ultimately bolstering the overall security of real-world network
environments. The project's core findings highlighted the exceptional detection accuracy of the SDN-
based techniques. The Suspicious Domain Detection, Malicious String Inspection, and Suspicious Process
Detection techniques proved highly effective in identifying and blocking communication attempts with
known malicious domains, detecting malicious payloads, and promptly responding to suspicious process
execution. The system exhibited a high level of accuracy, minimizing false positives and negatives, and
allowing for swift and precise ransomware threat mitigation. The scalability and flexibility of the SDN
architecture utilized in the project further showcased its real-world applicability. The system seamlessly
adapted to different network environments, ranging from small-scale local area networks to large
enterprise networks, without compromising on performance and reliability. Additionally, the modularity
of the SDN approach enabled easy integration with existing network security solutions, providing
organizations with the opportunity to strengthen their overall security infrastructure. The project also
emphasized the importance of proactive defense mechanisms. By leveraging SDN-based techniques, the
system actively intercepted potential WannaCry threats, preventing the ransomware from gaining a
foothold within the network. The ability to take rapid and decisive action significantly reduced the risk of
data loss, operational disruptions, and financial consequences associated with ransomware attacks.
Looking ahead, the project identified promising areas for future work. Integration with Security
Orchestration, Automation, and Response (SOAR) platforms could further streamline incident response
workflows and automate threat mitigation, providing a more comprehensive and agile defense against
emerging threats. Additionally, continued research and development in advanced threat detection
techniques, such as deep learning and neural networks, can enhance the system's ability to adapt to
evolving ransomware variants and evasion tactics. As with any cybersecurity project, certain limitations
and challenges were acknowledged. The analysis of encrypted traffic and the impact of zero-day exploits
remain areas that require further exploration and refinement. Additionally, ensuring legal and ethical
compliance in the deployment and operation of the SDN-based defense system is of utmost importance to
maintain responsible cybersecurity practices.

APPENDIX

SOURCE CODE

Figure 32 Detecting ARP with IP address and Port

Figure 33 ARP idle timeout and priority

Figure 34 Detecting device CPU usage.

Figure 35 Analysis of Deep packet inspection

Figure 36 DNS monitoring along with IP address and Port

Figure 37 Creating a Honeypot listening on different ports including SMB

Figure 38 Reading the suspicious Request from Suspicious DNS csv

Figure 39 Checking for Malicious Strings used by WannaCry

Figure 40 Checking for Malicious Strings used by WannaCry II

Figure 41 Checking for Malicious Strings used by WannaCry III

Figure 42 Inspecting packet size I

Figure 43 Inspecting packet size II

Figure 44 Inspecting packet size III

Figure 45 Malicious Strings csv

Figure 46 Malicious URLS csv

Figure 47 Suspicious domain request csv

Figure 48 Suspicious process

Figure 49 Output of the code

PROJECT PLAN

Figure 50 Project Gantt Chart

RISK ASSESSMENT

Figure 51 Project Risk Assessment

SWOT ANALYSIS

Figure 52 SWOT Analysis
