Inquiry Regarding New Feature Addition for Ransomware Detection in Wazuh Plugin


Ilsa Khan

Apr 12, 2026, 6:36:13 AM
to Wazuh | Mailing List

I hope you're doing well. As part of my final year project (FYP), I am working on developing a plugin for Wazuh to enhance ransomware detection by analyzing system behavior and isolating affected endpoints to prevent the spread of encryption.

Currently, Wazuh is using SHA256 for detecting ransomware, and we have been successfully implementing it. However, as part of our enhancement, we are adding an additional feature by integrating fuzzy hashing and SSDEEP alongside SHA256. This addition aims to improve detection capabilities, particularly for ransomware that may not be easily detected through traditional SHA256 hashing alone.

Could you please confirm if the integration of fuzzy hashing and SSDEEP with Wazuh has been successfully implemented, and if this approach is aligned with best practices for improving ransomware detection?

I look forward to your insights and feedback.

hasitha.u...@wazuh.com

Apr 12, 2026, 7:03:16 AM
to Wazuh | Mailing List
Hi Ilsa,

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

Apr 12, 2026, 7:38:16 AM
to Wazuh | Mailing List

Hi Ilsa Khan,

Your approach is valid as a research/custom-extension idea, but it should be described carefully.
Wazuh does not currently document native support for fuzzy hashing/ssdeep as part of its standard malware-detection pipeline. Officially, Wazuh relies on FIM metadata (MD5/SHA1/SHA256), CDB lists, VirusTotal, YARA, rules, and Active Response.

So if you integrated ssdeep, that is best presented as a custom plugin/custom detection enhancement, not a built-in Wazuh feature.

From a detection-engineering perspective, ssdeep can add value for identifying similar ransomware variants, but it should be treated as supplementary evidence rather than a primary blocking signal, because fuzzy-hash matches indicate similarity, not certainty.

For ransomware detection in Wazuh, the most practical combination is:

  1. exact hash matching for known samples,
  2. YARA for family-level detection,
  3. behavioral rules with Sysmon/FIM, and
  4. Active Response for file removal or endpoint isolation.

You can check posts to understand how to detect and remove ransomware using Wazuh.

Related documentation links:

Let me know if you need further assistance on this. Thanks!
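An added example, not code from this thread or from Wazuh, of the evidence-combining logic described above: an exact SHA256 match is the primary signal, an ssdeep similarity score only raises severity when a behavioral signal (a burst of FIM modifications on the same agent) corroborates it. The `ssdeep_score` field, the thresholds, the known-bad hash and the sample alerts are all constructed assumptions; the other keys mirror Wazuh syscheck alert fields.

```python
from collections import defaultdict, deque

# Constructed placeholder inventory of known-bad SHA256 values; not a real indicator.
KNOWN_BAD_SHA256 = {"a" * 64}
SSDEEP_THRESHOLD = 80   # ssdeep scores run 0-100; >= 80 is treated as "similar"
BURST_WINDOW_S = 10     # sliding window, in seconds, for the behavioral check
BURST_COUNT = 4         # FIM modifications inside the window that count as a burst

class RansomwareTriage:
    """Combine exact-hash, fuzzy-hash and behavioral evidence per agent."""
    def __init__(self):
        self.recent = defaultdict(deque)   # agent name -> timestamps of recent FIM events

    def _burst(self, agent, ts):
        q = self.recent[agent]
        q.append(ts)
        while q and ts - q[0] > BURST_WINDOW_S:
            q.popleft()
        return len(q) >= BURST_COUNT

    def assess(self, alert):
        """Return (severity, reason) for one FIM alert (dict mirroring Wazuh alert fields)."""
        burst = self._burst(alert["agent"]["name"], alert["ts"])
        sha = alert.get("syscheck", {}).get("sha256_after")
        # "ssdeep_score" is hypothetical: the custom plugin would set it from its own ssdeep set.
        score = alert.get("ssdeep_score", 0)
        if sha in KNOWN_BAD_SHA256:
            return "critical", "exact SHA256 match (primary signal)"
        if score >= SSDEEP_THRESHOLD and burst:
            return "high", "fuzzy match corroborated by a modification burst"
        if score >= SSDEEP_THRESHOLD:
            return "medium", "fuzzy match only: similarity is not certainty"
        if burst:
            return "medium", "modification burst without hash evidence"
        return "info", "no indicator"

# Constructed sample alerts; "ts" is epoch seconds, other keys mirror Wazuh syscheck alerts.
def _alert(ts, agent, sha_char, score=None):
    a = {"ts": ts, "agent": {"name": agent}, "syscheck": {"sha256_after": sha_char * 64}}
    if score is not None:
        a["ssdeep_score"] = score
    return a

SAMPLE_ALERTS = ([_alert(100, "ws1", "a")]                                   # known-bad hash
                 + [_alert(200 + i, "ws2", c, s) for i, (c, s) in enumerate(zip("bcde", (91, 88, 90, 93)))]
                 + [_alert(300 + i, "ws3", c) for i, c in enumerate("fghi")])  # burst, no hash evidence

def triage_samples():
    t = RansomwareTriage()
    return [t.assess(a)[0] for a in SAMPLE_ALERTS]
```

In the sample run, ws2's fuzzy matches stay at "medium" until the fourth modification inside the window, which is the point at which similarity plus behavior justifies an Active Response decision.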