Uses Cuckoo Sandbox and a trained SVM classifier to accurately detect ransomware samples.
whoIsOneZero/ransomware_detection_mitigation
RansomShield: Crypto-Ransomware Detection and Mitigation Tool

RansomShield is a powerful tool designed to detect and mitigate crypto-ransomware using machine learning. This tool utilizes Cuckoo Sandbox for dynamic malware analysis, extracts features from analysis reports, and classifies samples using a trained Support Vector Machine (SVM) model.
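As an added illustration (not code from the RansomShield repository), the Python below shows one way to turn a Cuckoo analysis report into a fixed-length numeric feature vector that an SVM could be trained on. The `behavior.summary` and `behavior.apistats` report keys, the API names and the miniature sample report are assumptions; check them against your own `report.json`.

```python
import ntpath
from collections import Counter

# Windows CryptoAPI / CNG calls a file-encrypting sample tends to make
# (assumed: API names as the Cuckoo monitor logs them).
CRYPTO_APIS = {"CryptAcquireContextA", "CryptAcquireContextW", "CryptGenKey", "CryptEncrypt", "BCryptEncrypt"}
FEATURE_NAMES = ["files_written", "files_deleted", "dirs_written",
                 "regkeys_written", "crypto_api_calls", "total_api_calls"]


def extract_features(report: dict) -> list[int]:
    """Turn one Cuckoo report dict into an integer vector ordered as FEATURE_NAMES."""
    behavior = report.get("behavior", {})
    summary = behavior.get("summary", {})        # assumed: lists of paths per activity type
    written = summary.get("file_written", [])
    api_counts = Counter()
    for per_process in behavior.get("apistats", {}).values():   # assumed: {pid: {api: count}}
        api_counts.update(per_process)
    return [
        len(written),
        len(summary.get("file_deleted", [])),
        len({ntpath.dirname(p).lower() for p in written}),  # how many directories were touched
        len(summary.get("regkey_written", [])),
        sum(n for api, n in api_counts.items() if api in CRYPTO_APIS),
        sum(api_counts.values()),
    ]


# Constructed miniature report in the assumed layout; a real report.json is far larger.
SAMPLE_REPORT = {
    "behavior": {
        "summary": {
            "file_written": [
                r"C:\Users\user\Documents\budget.xlsx.locked",
                r"C:\Users\user\Documents\notes.txt.locked",
                r"C:\Users\user\Pictures\holiday.jpg.locked",
            ],
            "file_deleted": [r"C:\Users\user\Documents\budget.xlsx", r"C:\Users\user\Documents\notes.txt"],
            "regkey_written": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
        },
        "apistats": {
            "1234": {"CryptAcquireContextW": 1, "CryptGenKey": 1, "CryptEncrypt": 40, "NtWriteFile": 120},
            "5678": {"NtCreateFile": 10},
        },
    }
}

if __name__ == "__main__":
    for name, value in zip(FEATURE_NAMES, extract_features(SAMPLE_REPORT)):
        print(f"{name:>18}: {value}")
```

Vectors produced this way for a labelled corpus of benign and ransomware reports are what an SVM would be fitted on; scale the columns before training, since raw API counts dwarf the file counts.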

Sample Analysis

Features

  • File upload and analysis.
  • Directory monitoring.
  • Link submission for analysis.
  • Dynamic analysis with Cuckoo Sandbox.
  • Ransomware classification using a trained SVM model.
  • Integration with a cloud-based signature repository.
  • User-friendly interface for easy usage.

Prerequisites

  1. Python Installed: Ensure you have Python 3.10+ installed on your machine.
  2. Oracle VM VirtualBox: Ensure you have Oracle VM VirtualBox installed on a Windows system. Download here
  3. Cuckoo Sandbox: Follow the tutorial to set up your Cuckoo Sandbox locally. Link
  4. Other Resources:

Usage

  1. Clone the Repository or Download the Code:

    • Clone the repository.
      git clone https://github.com/whoIsOneZero/ransomware_detection_mitigation.git
    • Alternatively, download the project files and extract them to your desired location.
  2. Navigate to the Project Directory:

    • Open a terminal (or command prompt) and navigate to the directory containing your project files. Example:
      cd C:\Users\user\Desktop\ransomware_detection_mitigation
  3. Create a Virtual Environment (Optional but Recommended):

    • Create a virtual environment to isolate your project dependencies.
      python -m venv myenv
    • Activate the virtual environment.
      • On Windows:
        myenv\Scripts\activate
      • On macOS/Linux:
        source myenv/bin/activate
  4. Install Required Dependencies:

    • Install all required dependencies using pip. If you have a requirements.txt file, use it to install dependencies.
      pip install -r requirements.txt
  5. Start the Cuckoo Sandbox System:
    In the Ubuntu VM:

    • Activate the virtual environment
    workon sandbox
    • This script creates a VirtualBox host-only network interface called vboxnet0, which is used for communication between the host and the virtual machines.
    vmcloak-vboxnet0
    • Enable IP forwarding on your network interface
    sudo sysctl -w net.ipv4.conf.enp0s3.forwarding=1
    • Configure Network Address Translation (NAT) so that virtual machines in the 192.168.56.0/24 network can reach the internet through the enp0s3 interface.
    sudo iptables -t nat -A POSTROUTING -o enp0s3 -s 192.168.56.0/24 -j MASQUERADE
    • Set the default policy for the FORWARD chain to DROP, which means all forwarded packets will be dropped unless explicitly allowed.
    sudo iptables -P FORWARD DROP
    • Allow packets that are part of an established connection or related to an existing connection.
    sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    • Allow forwarding of packets originating from the sandbox network.
    sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT

    Open Terminator and split it into 3 windows.

    • Activate the virtual environment in all 3 windows:
    workon sandbox
    • In the Terminator window 1, start the Cuckoo rooter service:
    cuckoo rooter --sudo --group osboxes
    • In the Terminator window 2, start the main Cuckoo service:
    cuckoo
    • Run this command to get the IP address of the primary network interface connected to your VirtualBox's virtual network.
    ip -4 addr show enp0s3 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'
    • In the Terminator window 3, start the Cuckoo REST API server on the VM's IP address:
    cuckoo api --host 192.168.153.41 --port 8090
  6. Run the Streamlit App:
    On your host machine:

    python main.py
