Article

Similarity Analysis of Ransomware Attacks Based on ATT&CK Matrix

Journal

IEEE ACCESS
Volume 11, Pages 111378-111388

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/ACCESS.2023.3322427

Keywords

Cybersecurity; cyber threat intelligence; ransomware attack; similarity comparison; MITRE ATT&CK

This article proposes a ransomware attack similarity analysis method based on the ATT&CK matrix, which reveals the behavioral patterns of attackers by analyzing the similarity between attack events, and proposes corresponding countermeasures to enhance network security defenses.
In recent years, there has been an increasingly prevalent trend of ransomware attacks, with malicious organizations employing various techniques to gain system privileges and subsequently engaging in extortion through methods such as encrypting files or leaking information. Current research predominantly focuses on the analysis of ransomware using existing features, but there has been scarce exploration of the behavioral patterns associated with ransomware attacks. In light of this situation, we propose a ransomware attack similarity analysis method based on the ATT&CK matrix. To initiate this analysis, a substantial amount of network threat intelligence is sifted through to select reliable and comprehensive ransomware attack incidents. From these incidents, we extract attack tactics, techniques, and procedural information. Subsequently, we employ the TF-IDF algorithm to calculate the keyword weights within attack descriptions. Based on these weights, we utilize the cosine similarity algorithm to compare the similarity between attack events. This approach reveals critical technical and tactical information employed by the attacking organizations, enabling researchers to gain a deeper understanding of the behavioral patterns of the attackers. Finally, we propose countermeasures corresponding to the critical attack techniques employed by these malicious organizations. These countermeasures aim to enhance network security defenses and reduce the risks associated with ransomware attacks.
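The pipeline the abstract describes (keyword weighting with TF-IDF, then cosine similarity between attack events) as an added, self-contained illustration; this is not the paper's code, and the three incident descriptions are constructed here rather than taken from the paper's dataset.

```python
import math
from collections import Counter

# Constructed sample: each "attack event" is a short description built from the
# tactic/technique/procedure keywords extracted from its threat-intelligence report.
INCIDENTS = {
    "incident_a": "phishing attachment powershell credential dumping rdp lateral movement data encrypted for impact",
    "incident_b": "phishing link powershell credential dumping smb lateral movement data encrypted for impact exfiltration",
    "incident_c": "exploit public facing application web shell scheduled task data encrypted for impact",
}


def tokenize(text):
    return text.lower().split()


def term_frequency(tokens):
    # Raw count normalised by document length.
    counts = Counter(tokens)
    return {t: c / len(tokens) for t, c in counts.items()}


def inverse_document_frequency(docs):
    # Smoothed IDF (log(N/df) + 1) so keywords shared by every incident,
    # such as "data encrypted for impact", still carry a non-zero weight.
    df = Counter()
    for tokens in docs.values():
        df.update(set(tokens))
    n = len(docs)
    return {t: math.log(n / d) + 1 for t, d in df.items()}


def tfidf_vectors(incidents):
    docs = {k: tokenize(v) for k, v in incidents.items()}
    idf = inverse_document_frequency(docs)
    return {k: {t: w * idf[t] for t, w in term_frequency(toks).items()} for k, toks in docs.items()}


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def similarity_matrix(incidents):
    # Pairwise cosine similarity of the TF-IDF vectors; symmetric, 1.0 on the diagonal.
    vecs = tfidf_vectors(incidents)
    return {(i, j): cosine(vecs[i], vecs[j]) for i in vecs for j in vecs}
```

Two events that share the same initial-access, credential-access and lateral-movement keywords score higher than a pair that only share the final encryption step, which is the signal the paper uses to group incidents by behavioural pattern.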
