Towards Reproducible Ransomware Analysis

Shozab Hussain, Musa Waseem, Turyal Neeshat, Rja Batool, Omer Ahmed, Fareed Zaffar, Ashish Gehani, Andy Poggio, Maneesh Yadav

PROCEEDINGS OF 16TH CYBER SECURITY EXPERIMENTATION AND TEST WORKSHOP, CSET 2023 (2023)

Abstract
Ransomware attacks continue to be a prominent cybersecurity threat and the subject of considerable research activity. Despite frequent high profile public reports of ransomware attacks, we found a paucity of tangible open behavioral activity data for large collections of real world ransomware binaries. The lack of such open datasets introduces barriers to research that may otherwise lead to innovative approaches to ransomware mitigation. We have constructed a dataset of ransomware activity logs and corresponding provenance graphs. They are derived from the sandboxed execution of all ransomware-tagged binaries in the widely-known MalwareBazaar. We also provide the code for orchestrating the log collection and provenance inference steps. The aim is to enable other researchers to customize and extend it for their analyses. We hope that the dataset will facilitate the discovery of innovative and effective ransomware mitigation strategies.
Keywords
ransomware,provenance,machine learning,open data