RansomShield is a powerful tool designed to detect and mitigate crypto-ransomware using machine learning. This tool utilizes Cuckoo Sandbox for dynamic malware analysis, extracts features from analysis reports, and classifies samples using a trained Support Vector Machine (SVM) model.
Sample Analysis |
- File upload and analysis.
- Directory monitoring.
- Link submission for analysis.
- Dynamic analysis with Cuckoo Sandbox.
- Ransomware classification using a trained SVM model.
- Integration with a cloud-based signature repository.
- User-friendly interface for easy usage.
- Python Installed: Ensure you have Python 3.10+ installed on your machine.
- Oracle VM VirtualBox: Enusre you're have Oracle VM VirtualBox on a Windows sytem. Download here
- Cuckoo Sandbox: Follow the tutorial to setup your Cuckoo Sandbox locally. Link
- Other Resources:
-
Clone the Repository or Download the Code:
- Clone the repository.
git clone https://github.com/whoIsOneZero/ransomware_detection_mitigation.git
- Alternatively, download the project files and extract them to your desired location.
- Clone the repository.
-
Navigate to the Project Directory:
- Open a terminal (or command prompt) and navigate to the directory containing your project files. Example:
cd C:\Users\user\Desktop\ransomware_detection_mitigation
- Open a terminal (or command prompt) and navigate to the directory containing your project files. Example:
-
Create a Virtual Environment (Optional but Recommended):
- Create a virtual environment to isolate your project dependencies.
python -m venv myenv
- Activate the virtual environment.
- On Windows:
myenv\Scripts\activate
- On macOS/Linux:
source myenv/bin/activate
- On Windows:
- Create a virtual environment to isolate your project dependencies.
-
Install Required Dependencies:
- Install all required dependencies using pip. If you have a
requirements.txt
file, use it to install dependencies.pip install -r requirements.txt
-
Start the Cuckoo Sandbox System:
In the Ubuntu VM;- Activate the virtual environment
workon sandbox
- This script creates a VirtualBox host-only network interface called vboxnet0, which is used for communication between the host and the virtual machines.
vmcloak-vboxnet0
- Enable IP forwarding on your network interface
sudo sysctl -w net.ipv4.conf.enp0s3.forwarding=1
- Configures Network Address Translation (NAT) to allow virtual machines in the 192.168.56.0/24 network to access the internet through the enp0s3 interface.
sudo iptables -t nat -A POSTROUTING -o enp0s3 -s 192.168.56.0/24 -j MASQUERADE
- Set the default policy for the FORWARD chain to DROP, which means all forwarded packets will be dropped unless explicitly allowed.
sudo iptables -P FORWARD DROP
- Allow packets that are part of an established connection or related to an existing connection.
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
Open Terminator and split into 3 windows
- Activate the virtual environment in all 3 windows:
workon sandbox
- In the Terminator window 1, start the Cuckoo rooter service:
cuckoo rooter --sudo --group osboxes
- In the Terminator window 2, start the main Cuckoo service:
cuckoo
- Run this command to get the IP adress of the the primary network interface connected to your VirtualBox's virtual network.
ip -4 addr show enp0s3 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'
- In the Terminator window 3, start the Cuckoo REST API server on VM's IP address:
cuckoo api --host 192.168.153.41 --port 8090
-
Run the Streamlit App:
On your host machine:python main.py