Attacks on critical infrastructure are becoming more and more rampant, especially since 2019. Ransomware has become a necessary subject of study for stakeholders and personnel, and has also had a substantial operational impact on industrial control system (ICS) environments. The continuous evolution of ransomware and the peculiarities of the ICS environment make it difficult to ensure that ICSes are protected from ransomware attacks under operating conditions. In this talk, in addition to in-depth analysis of the ransomware behaviors and ransomware-related techniques that have affected ICS environments, we also propose effective defense methods and strategies perfected to ICS environments to strengthen protection against ransomware.

In the era of endless new exploits, Active Defense of Antivirus have already collapsed. Also, the efficient Static Scan is the most important feature of modern antivirus against malware, designed to provide AV/EDR with the ability to detect immediately when it discovers an unknown file that is or is not a known threat, so as to avoid infection.

This technique has evolved from the originally file hash fingerprint, to the now well-known pattern matching (YARA), and even the heuristic-based ML methods to produce patterns automatically against high variant samples as much as possible.

As a result, hackers have advanced their pattern-bypassing tactics to identify and remove anti-virus signature in no time. This allows variant-enhanced malware in the wild to increase rather than decrease even against state-of-the-art AI based detections. However, do we want such detection techniques that chase behind attackers? The blame goes to the fact that classic pattern matching design never considers semantics of execution behavior, making it easy for hackers to bypass.

In this session, we will talk about how the latest variant samples can beat the major pattern matching techniques heavily with simple tricks such as obfuscation, FLA (OLLVM) and RC4 encryption.

To fight against this, we will present a next-generation static scanning idea. Instead of optical scanning of files, a full set of decompilers will be built in to analyze all the static functions in a program file and use symbolic definition of malicious functions to achieve a semantic-aware malware detection engine. Researchers can elastically define malware templates and use this engine to perform excellent detection results on multiple heavily obfuscated samples.