Boyang Ma,Yilin Yang,Jinku Li,Fengwei Zhang,Wenbo Shen,Yajin Zhou,Jianfeng Ma

DOI: https://doi.org/10.1145/3576915.3616665

2023-01-01

Abstract:Ransomware has evolved from an economic nuisance to a national security threat nowadays, which poses a significant risk to users. To address this problem, we propose RansomTag, a tag-based approach against crypto ransomware with fine-grained data recovery. Compared to state-of-the-art SSD-based solutions, RansomTag makes progress in three aspects. First, it decouples the ransomware detection functionality from the firmware of the SSD and integrates it into a lightweight hypervisor of Type I. Thus, it can leverage the powerful computing capability of the host system and the rich context information, which is introspected from the operating system, to achieve accurate detection of ransomware attacks and defense against potential targeted attacks on SSD characteristics. Further, RansomTag is readily deployed onto desktop personal computers due to its parapass-through architecture. Second, RansomTag bridges the semantic gap between the hypervisor and the SSD through the tag-based approach proposed by us. Third, RansomTag is able to keep 100% of the user data overwritten or deleted by ransomware, and restore any single or multiple user files to any versions based on timestamps. To validate our approach, we implement a prototype of RansomTag and collect 3,123 recent ransomware samples to evaluate it. The evaluation results show that our prototype effectively protects user data with minimal scale data backup and acceptable performance overhead. In addition, all the attacked files can be completely restored in fine-grained.

Jan von der Assen,Alberto Huertas Celdrán,Rinor Sefa,Gérôme Bovet,Burkhard Stiller

DOI: https://doi.org/10.48550/arXiv.2306.15566

2023-11-16

Abstract:Ransomware has remained one of the most notorious threats in the cybersecurity field. Moving Target Defense (MTD) has been proposed as a novel paradigm for proactive defense. Although various approaches leverage MTD, few of them rely on the operating system and, specifically, the file system, thereby making them dependent on other computing devices. Furthermore, existing ransomware defense techniques merely replicate or detect attacks, without preventing them. Thus, this paper introduces the MTFS overlay file system and the design and implementation of three novel MTD techniques implemented on top of it. One delaying attackers, one trapping recursive directory traversal, and another one hiding file types. The effectiveness of the techniques are shown in two experiments. First, it is shown that the techniques can delay and mitigate ransomware on real IoT devices. Secondly, in a broader scope, the solution was confronted with 14 ransomware samples, highlighting that it can save 97% of the files.

Cryptography and Security

Adrian Brodzik,Tomasz Malec-Kruszyński,Wojciech Niewolski,Mikołaj Tkaczyk,Krzysztof Bocianiak,Sok-Yen Loui

2024-09-10

Abstract:Linux-based cloud environments have become lucrative targets for ransomware attacks, employing various encryption schemes at unprecedented speeds. Addressing the urgency for real-time ransomware protection, we propose leveraging the extended Berkeley Packet Filter (eBPF) to collect system call information regarding active processes and infer about the data directly at the kernel level. In this study, we implement two Machine Learning (ML) models in eBPF - a decision tree and a multilayer perceptron. Benchmarking latency and accuracy against their user space counterparts, our findings underscore the efficacy of this approach.

Cryptography and Security,Machine Learning

Alian Yu,Jian Kang,Joshua Morris,Elisa Bertino,Dan Lin

DOI: https://doi.org/10.1109/tdsc.2024.3364209

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Ransomware attacks have become widespread in the last few years and have affected many critical industries and infrastructures. Unfortunately, there are no recovery tools that can effectively defend against all types of ransomware. Approaches, such as frequent data backups, have several drawbacks. They are expensive in terms of resources and trained technical staff. Therefore, it is much more challenging and cost-consuming for average users and small business owners to survive ransomware attacks. To provide an easy-to-use tool for a broader population of users and businesses, we propose a novel ransomware defense mechanism that can be conveniently deployed in modern Windows systems which have over 76% market share as of 2022. The uniqueness of our approach is to fight malware like malware. We leverage Alternate Data Streams, which are sometimes used by malicious applications, to design and implement a data protection method that misleads the ransomware into attacking only file “shells” instead of the actual file content. We have evaluated our approach against different cryptographic ransomware. The results show that our approach is usable, efficient, and effective.

computer science, information systems, software engineering, hardware & architecture

Shuhei Enomoto,Hiroki Kuzuno,Hiroshi Yamada,Yoshiaki Shiraishi,Masakatu Morii

DOI: https://doi.org/10.1007/s10207-024-00892-2

2024-09-15

International Journal of Information Security

Abstract:Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure as a service, are prime targets for ransomware developers. To address this, security mechanisms, such as antivirus software, have proven effective. Moreover, research on ransomware detection advocates for behavior-based finding mechanisms while ransomware is in operation. In response to evolving detections, ransomware developers are now adapting an optimized design tailored for CPU architecture (CPU-optimized ransomware). This variant can rapidly encrypt files, potentially evading detection by traditional antivirus methods that rely on fixed time intervals for file scans. In ransomware detection research, numerous files can be encrypted by CPU-optimized ransomware until malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, which is designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer focuses on the misuse of CPU architecture-specific encryption instructions for swift file encryption by CPU-optimized ransomware. This can be achieved by capturing the ciphertext in user processes and thwarting file encryption by scrutinizing the content intended for writing. To demonstrate the efficacy of CryptoSniffer, the mechanism was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, and the performance overhead is well-suited for practical applications.

computer science, information systems, theory & methods, software engineering

Benjamin Reidys,Peng Liu,Jian Huang

DOI: https://doi.org/10.48550/arXiv.2206.05821

2022-06-13

Abstract:Encryption ransomware has become a notorious malware. It encrypts user data on storage devices like solid-state drives (SSDs) and demands a ransom to restore data for users. To bypass existing defenses, ransomware would keep evolving and performing new attack models. For instance, we identify and validate three new attacks, including (1) garbage-collection (GC) attack that exploits storage capacity and keeps writing data to trigger GC and force SSDs to release the retained data; (2) timing attack that intentionally slows down the pace of encrypting data and hides its I/O patterns to escape existing defense; (3) trimming attack that utilizes the trim command available in SSDs to physically erase data. To enhance the robustness of SSDs against these attacks, we propose RSSD, a ransomware-aware SSD. It redesigns the flash management of SSDs for enabling the hardware-assisted logging, which can conservatively retain older versions of user data and received storage operations in time order with low overhead. It also employs hardware-isolated NVMe over Ethernet to expand local storage capacity by transparently offloading the logs to remote cloud/servers in a secure manner. RSSD enables post-attack analysis by building a trusted evidence chain of storage operations to assist the investigation of ransomware attacks. We develop RSSD with a real-world SSD FPGA board. Our evaluation shows that RSSD can defend against new and future ransomware attacks, while introducing negligible performance overhead.

Cryptography and Security,Hardware Architecture

Mohan Anand Putrevu,Hrushikesh Chunduri,Venkata Sai Charan Putrevu,Sandeep K Shukla

2024-09-13

Abstract:The use of multi-threading and file prioritization methods has accelerated the speed at which ransomware encrypts files. To minimize file loss during the ransomware attack, detecting file modifications at the earliest execution stage is considered very important. To achieve this, selecting files as traps and monitoring changes to them is a practical way to deal with modern ransomware variants. This approach minimizes overhead on the endpoint, facilitating early identification of ransomware. This paper evaluates various machine learning-based trap selection methods for reducing file loss, detection delay, and endpoint overhead. We specifically examine non-parametric clustering methods such as Affinity Propagation, Gaussian Mixture Models, Mean Shift, and Optics to assess their effectiveness in trap selection for ransomware detection. These methods select M files from a directory with N files (M<N) and use them as traps. In order to address the shortcomings of existing machine learning-based trap selection methods, we propose APFO (Affinity Propagation with File Order). This method is an improvement upon existing non-parametric clustering-based trap selection methods, and it helps to reduce the amount of file loss and detection delay encountered. APFO demonstrates a minimal file loss percentage of 0.32% and a detection delay of 1.03 seconds across 18 contemporary ransomware variants, including rapid encryption variants of lock-bit, AvosLocker, and Babuk.

Cryptography and Security

Aldin Vehabovic,Hadi Zanddizari,Nasir Ghani,G. Javidi,S. Uluagac,M. Rahouti,E. Bou-Harb,M. Safaei Pour

DOI: https://doi.org/10.48550/arXiv.2311.07760

2023-11-13

Cryptography and Security

Abstract:Ransomware is a type of malware which encrypts user data and extorts payments in return for the decryption keys. This cyberthreat is one of the most serious challenges facing organizations today and has already caused immense financial damage. As a result, many researchers have been developing techniques to counter ransomware. Recently, the federated learning (FL) approach has also been applied for ransomware analysis, allowing corporations to achieve scalable, effective detection and attribution without having to share their private data. However, in reality there is much variation in the quantity and composition of ransomware data collected across multiple FL client sites/regions. This imbalance will inevitably degrade the effectiveness of any defense mechanisms. To address this concern, a modified FL scheme is proposed using a weighted cross-entropy loss function approach to mitigate dataset imbalance. A detailed performance evaluation study is then presented for the case of static analysis using the latest Windows-based ransomware families. The findings confirm improved ML classifier performance for a highly imbalanced dataset.

Yiwei Hou,Lihua Guo,Chijin Zhou,Yiwen Xu,Zijing Yin,Shanshan Li,Chengnian Sun,Yu Jiang

DOI: https://doi.org/10.1145/3597503.3639090

2024-01-01

Abstract:The threat of ransomware to the software ecosystem has become increasingly alarming in recent years, raising a demand for large-scale and comprehensive ransomware analysis to help develop more effective countermeasures against unknown attacks. In this paper, we first collect a real-world dataset Maraudermap, consisting of 7,796 active ransomware samples, and analyze their behaviors of disrupting data in victim systems. All samples are executed in iso-lated testbeds to collect all perspectives of six categories of runtime behaviors, such as API calls, I/O accesses, and network traffic. The total logs volume is up to 1.98 TiB. By assessing collected behaviors, we present six critical findings throughout ransomware attacks' data reconnaissance, data tampering, and data exfiltration phases. Based on our findings, we propose three corresponding mitigation strategies to detect ransomware during each phase. Experimental results show that they can enhance the capability of state-of-the-art anti-ransomware tools. We report a preliminary result of a 41%-69% increase in detection rate with no additional false positives, showing that our insights are helpful.

Wenjia Song,Sanjula Karanam,Ya Xiao,Jingyuan Qi,Nathan Dautenhahn,Na Meng,Elena Ferrari,Danfeng

2024-11-19

Abstract:Crypto-ransomware has caused an unprecedented scope of impact in recent years with an evolving level of sophistication. An extensive range of studies have been on defending against ransomware and reviewing the efficacy of various protections. However, for practical defenses, deployability holds equal significance as detection accuracy. Therefore, in this study, we review 117 published ransomware defense works, categorize them by the level they are implemented at, and discuss the deployability. API-based solutions are easy to deploy and most existing works focus on machine learning-based classification. To provide more insights, we quantitively characterize the runtime behaviors of real-world ransomware samples. Based on our experimental findings, we present a possible future detection direction with our consistency analysis and API-contrast-based refinement. Moreover, we experimentally evaluate various commercial defenses and identify the security gaps. Our findings help the field understand the deployability of ransomware defenses and create more effective, practical solutions.

Cryptography and Security

Aldin Vehabovic,Hadi Zanddizari,Farook Shaikh,Nasir Ghani,Morteza Safaei Pour,Elias Bou-Harb,Jorge Crichigno

DOI: https://doi.org/10.48550/arXiv.2306.14090

2023-06-25

Abstract:Researchers have proposed a wide range of ransomware detection and analysis schemes. However, most of these efforts have focused on older families targeting Windows 7/8 systems. Hence there is a critical need to develop efficient solutions to tackle the latest threats, many of which may have relatively fewer samples to analyze. This paper presents a machine learning (ML) framework for early ransomware detection and attribution. The solution pursues a data-centric approach which uses a minimalist ransomware dataset and implements static analysis using portable executable (PE) files. Results for several ML classifiers confirm strong performance in terms of accuracy and zero-day threat detection.

Cryptography and Security

Jan von der Assen,Alberto Huertas Celdrán,Janik Luechinger,Pedro Miguel Sánchez Sánchez,Gérôme Bovet,Gregorio Martínez Pérez,Burkhard Stiller

DOI: https://doi.org/10.48550/arXiv.2306.15559

2023-06-27

Abstract:Cybersecurity solutions have shown promising performance when detecting ransomware samples that use fixed algorithms and encryption rates. However, due to the current explosion of Artificial Intelligence (AI), sooner than later, ransomware (and malware in general) will incorporate AI techniques to intelligently and dynamically adapt its encryption behavior to be undetected. It might result in ineffective and obsolete cybersecurity solutions, but the literature lacks AI-powered ransomware to verify it. Thus, this work proposes RansomAI, a Reinforcement Learning-based framework that can be integrated into existing ransomware samples to adapt their encryption behavior and stay stealthy while encrypting files. RansomAI presents an agent that learns the best encryption algorithm, rate, and duration that minimizes its detection (using a reward mechanism and a fingerprinting intelligent detection system) while maximizing its damage function. The proposed framework was validated in a ransomware, Ransomware-PoC, that infected a Raspberry Pi 4, acting as a crowdsensor. A pool of experiments with Deep Q-Learning and Isolation Forest (deployed on the agent and detection system, respectively) has demonstrated that RansomAI evades the detection of Ransomware-PoC affecting the Raspberry Pi 4 in a few minutes with >90% accuracy.

Cryptography and Security,Artificial Intelligence,Machine Learning

Pasquale Caporaso,Giuseppe Bianchi,Francesco Quaglia

2024-10-29

Abstract:The demand for data protection measures against unauthorized changes or deletions is steadily increasing. These measures are essential for maintaining the integrity and accessibility of data, effectively guarding against threats like ransomware attacks that focus on encrypting large volumes of stored data, as well as insider threats that involve tampering with or erasing system and access logs. Such protection measures have become crucial in today's landscape, and hardware-based solutions like Write-Once Read-Many (WORM) storage devices, have been put forth as viable options, which however impose hardware-level investments, and the impossibility to reuse the blocks of the storage devices after they have been written. In this article we propose VaultFS, a Linux-suited file system oriented to the maintenance of cold-data, namely data that are written using a common file system interface, are kept accessible, but are not modifiable, even by threads running with (effective)root-id. Essentially, these files are supported via the write-once semantic, and cannot be subject to the rewriting (or deletion) of their content up to the end of their (potentially infinite) protection life time. Hence they cannot be subject to ransomware attacks even under privilege escalation. This takes place with no need for any underlying WORM device -- since ValutFS is a pure software solution working with common read/write devices (e.g., hard disks and SSD). Also, VaultFS offers the possibility to protect the storage against Denial-of-Service (DOS) attacks, possibly caused by un-trusted applications that simply write on the file system to make its device blocks busy with non-removable content.

Cryptography and Security

Caio C. Moreira,Davi C. Moreira,Claudomiro Sales

DOI: https://doi.org/10.1016/j.jisa.2024.103716

IF: 4.96

2024-02-10

Journal of Information Security and Applications

Abstract:This study presents a comprehensive static analysis method that combines multiple structural features extracted from Windows executable files. The method employs an ensemble soft voting model that comprises three machine learning techniques: Logistic Regression (LR), Random Forest (RF), and eXtreme Gradient Boosting (XGB). Our proposed model aims to identify newly emerged ransomware families by analyzing header fields, imported Dynamic-link Libraries (DLLs), function calls, and entropy of sections. To assess the method's efficacy in detecting zero-day ransomware families, we created a dataset consisting of 2675 binary samples. The training set consisted of 1023 samples from 25 relevant ransomware families and 1134 benign applications (goodware) samples. The testing set comprised 385 samples from 15 recent ransomware families and 133 goodware samples. The results for the Detection of New Ransomware Families (DNRF) demonstrated weighted averages of 97.53% accuracy, 96.36% precision, 97.52% recall, and 96.41% F-measure. In addition, the scanning and prediction showed an average of 0.37 s. These results showed the model's adaptability to the ever-changing ransomware landscape while maintaining reasonable testing times, making it applicable as an additional security layer in antivirus protection systems on low-resource hardware devices. Furthermore, we used the SHapley Additive exPlanations (SHAP) interpretation method to establish trust and gain insights into the decision-making process of the proposed model. Our method offers significant advantages and can assist developers of ransomware detection systems in creating more resilient, dependable, and real-time solutions.

computer science, information systems

Aaron Zimba,Mumbi Chishimba,Sipiwe Chihana

DOI: https://doi.org/10.48550/arXiv.2102.10632

2021-02-22

Abstract:Ransomware has emerged as an infamous malware that has not escaped a lot of myths and inaccuracies from media hype. Victims are not sure whether or not to pay a ransom demand without fully understanding the lurking consequences. In this paper, we present a ransomware classification framework based on file-deletion and file-encryption attack structures that provides a deeper comprehension of potential flaws and inadequacies exhibited in ransomware. We formulate a threat and attack model representative of a typical ransomware attack process from which we derive the ransomware categorization framework based on a proposed classification algorithm. The framework classifies the virulence of a ransomware attack to entail the overall effectiveness of potential ways of recovering the attacked data without paying the ransom demand as well as the technical prowess of the underlying attack structures. Results of the categorization, in increasing severity from CAT1 through to CAT5, show that many ransomwares exhibit flaws in their implementation of encryption and deletion attack structures which make data recovery possible without paying the ransom. The most severe categories CAT4 and CAT5 are better mitigated by exploiting encryption essentials while CAT3 can be effectively mitigated via reverse engineering. CAT1 and CAT2 are not common and are easily mitigated without any decryption essentials.

Cryptography and Security

Arjun Sekar,Sameer G. Kulkarni,Joy Kuri

2024-06-20

Abstract:In this work, we propose a two-phased approach for real-time detection and deterrence of ransomware. To achieve this, we leverage the capabilities of eBPF (Extended Berkeley Packet Filter) and artificial intelligence to develop both proactive and reactive methods. In the first phase, we utilize signature based detection, where we employ custom eBPF programs to trace the execution of new processes and perform hash-based analysis against a known ransomware dataset. In the second, we employ a behavior-based technique that focuses on monitoring the process activities using a custom eBPF program and the creation of ransom notes, a prominent indicator of ransomware activity through the use of Natural Language Processing (NLP). By leveraging low-level tracing capabilities of eBPF and integrating NLP based machine learning algorithms, our solution achieves an impressive 99.76% accuracy in identifying ransomware incidents within a few seconds on the onset of zero-day attacks.

Cryptography and Security,Artificial Intelligence,Emerging Technologies,Networking and Internet Architecture

Asad Arfeen,Muhammad Asim Khan,Obad Zafar,Usama Ahsan

DOI: https://doi.org/10.1002/cpe.6672

2021-10-11

Concurrency and Computation: Practice and Experience

Abstract:Ransomware is an emerging category of malware that locks computer data via powerful cryptographic algorithms. The global propagation of ransomware is a serious threat for individuals and organizations. The banking sector and financial institutions are the prime targets of such ransomware attacks. In case of such an attack, the field of digital forensics helps in estimation of the severity and data loss caused by the attack. Traditional digital forensics investigations make use of static or behavioral analysis to detect malware in infected systems. However, these procedures are challenged by malware obfuscation techniques. Malicious processes can stay inactive and undetected if only a single memory dump is analyzed. Thus, there is a need to collect numerous memory dumps of an individual program that can help with comprehensive and accurate analysis. In this article, we have developed a framework for volatile memory acquisition at regular time intervals to analyze the behavior of individual processes in memory. Through memory forensics, salient features are extracted from the infected memory dumps. These features can be utilized to classify malicious and benign processes efficiently through machine learning as compared to conventional techniques.

Atef Ibrahim,Usman Tariq,Tariq Ahamed Ahanger,Bilal Tariq,Fayez Gebali

DOI: https://doi.org/10.3390/math11010249

IF: 2.4

2023-01-04

Mathematics

Abstract:Ransomware is malicious software that encrypts data before demanding payment to unlock them. The majority of ransomware variants use nearly identical command and control (C&C) servers but with minor upgrades. There are numerous variations of ransomware, each of which can encrypt either the entire computer system or specific files. Malicious software needs to infiltrate a system before it can do any real damage. Manually inspecting all potentially malicious file types is a time-consuming and resource-intensive requirement of conventional security software. Using established metrics, this research delves into the complex issues of identifying and preventing ransomware. On the basis of real-world malware samples, we created a parameterized categorization strategy for functional classes and suggestive features. We also furnished a set of criteria that highlights the most commonly featured criteria and investigated both behavior and insights. We used a distinct operating system and specific cloud platform to facilitate remote access and collaboration on files throughout the entire operational experimental infrastructure. With the help of our proposed ransomware detection mechanism, we were able to effectively recognize and prevent both state-of-art and modified ransomware anomalies. Aggregated log revealed a consistent but satisfactory detection rate at 89%. To the best of our knowledge, no research exists that has investigated the ransomware detection and impact of ransomware for PureOS, which offers a unique platform for PC, mobile phones, and resource intensive IoT (Internet of Things) devices.

mathematics

Krzysztof Cabaj,Marcin Gregorczyk,Wojciech Mazurczyk

DOI: https://doi.org/10.1016/j.compeleceng.2017.10.012

2016-11-25

Abstract:Ransomware is currently the key threat for individual as well as corporate Internet users. Especially dangerous is crypto ransomware that encrypts important user data and it is only possible to recover it once a ransom has been paid. Therefore devising efficient and effective countermeasures is a rising necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes characteristics of ransomware communication. Based on the observation of network communication of two crypto ransomware families, namely CryptoWall and Locky we conclude that analysis of the HTTP messages' sequences and their respective content sizes is enough to detect such threats. We show feasibility of our approach by designing and evaluating the proof-of-concept SDN-based detection system. Experimental results confirm that the proposed approach is feasible and efficient.

Cryptography and Security

Malak Aljabri,Fahd Alhaidari,Aminah Albuainain,Samiyah Alrashidi,Jana Alansari,Wasmiyah Alqahtani,Jana Alshaya

DOI: https://doi.org/10.1016/j.eij.2024.100445

IF: 4.195

2024-01-31

Egyptian Informatics Journal

Abstract:Ransomware attacks have escalated recently and are affecting essential infrastructure and enterprises across the globe. Unfortunately, ransomware uses sophisticated encryption techniques to encrypt important files on the targeted machine and then demands payment to decrypt the data. Artificial intelligent techniques including machine learning have been increasingly applied in the field of cybersecurity and greatly contributed to detecting and preventing different kinds of attacks However, the number of studies that applied machine learning to detect ransomware are still limited by the obfuscation of malware, the lack of setting up a proper analysis environment, the accuracy of models, and the high false-positive rate. Thus, it is crucial to develop effective ransomware detection based on machine learning techniques. This study aims to build a robust machine-learning model that can recognize unknown samples using memory dumps to detect ransomware with high accuracy and minimal false positives providing an extensive analysis of how memory traces can assist in the detection of ransomware. This goal was achieved by building a new dataset composed of recent ransomware group attack samples like Revil, Lockbit, and BlackCat, as well as a number of benign samples, including office applications, Windows applications, and compression applications, which were dynamically analyzed within an enhanced cuckoo sandbox to ensure the most reliable results. Then, a set of machine learning models were developed, and a comparative performance analysis was conducted. Among the various models evaluated, XGBoost was the best-performing model, using only 47 features out of 58. It achieved 97.85% accuracy with a 2% false positive rate.

computer science, information systems, artificial intelligence