ABSTRACT Ransomware has emerged as one of the most serious and rapidly evolving cyber threats. This can potentially cause substantial financial losses and adversely affect organizational operations. In recent years, ransomware attacks have increasingly used methods such as encryption, hidden communication and advanced circumvention strategies. Most traditional intrusion detection systems (IDS) struggle to detect encrypted traffic, leading to high false alerts and low accuracy. This limitation is more critical in modern ransomware attacks that rely heavily on encrypted command‐and‐control (C2) communication channels. This study proposes an improved method of detecting ransomware through Suricata as evidence to address these concerns. This study focuses on improving detection accuracy, reducing false positive rates and enhancing encrypted traffic analysis. This was accomplished using Suricata, an open‐source intrusion detection and prevention system. The structured methodology was implemented in three phase, which consist of design, development and testing and validation. In the design phase, the data set is prepared and IDS is configured. In the development phase, Suricata rule sets were optimized with JA3 TLS fingerprints to analyze encrypted ransomware traffic. The system was validated using real‐world ransomware datasets to ensure realistic evaluation conditions. As a result, the IDS can detect known and emerging ransomware communication patterns more effectively. Additionally, the system was optimized to achieve maximum throughput and reduce resource consumption while performing real‐time analysis. Performance evaluation was conducted using standard metrics, including detection accuracy, false positive and processing time. The proposed method achieved 96.8% detection accuracy, 2.4% false positive rate and reduced processing time from 240 to 30 s, representing a 10 times improvement compared to baseline Suricata. In addition, system performance remained acceptable while improving ransomware detection. These findings show that JA3 fingerprinting and optimized Suricata rules can improve real‐time ransomware detection in a cost‐effective and scalable way.
Aziz et al. (Mon,) studied this question.