Benjamin Reidys,Peng Liu,Jian Huang

DOI: https://doi.org/10.48550/arXiv.2206.05821

2022-06-13

Abstract:Encryption ransomware has become a notorious malware. It encrypts user data on storage devices like solid-state drives (SSDs) and demands a ransom to restore data for users. To bypass existing defenses, ransomware would keep evolving and performing new attack models. For instance, we identify and validate three new attacks, including (1) garbage-collection (GC) attack that exploits storage capacity and keeps writing data to trigger GC and force SSDs to release the retained data; (2) timing attack that intentionally slows down the pace of encrypting data and hides its I/O patterns to escape existing defense; (3) trimming attack that utilizes the trim command available in SSDs to physically erase data. To enhance the robustness of SSDs against these attacks, we propose RSSD, a ransomware-aware SSD. It redesigns the flash management of SSDs for enabling the hardware-assisted logging, which can conservatively retain older versions of user data and received storage operations in time order with low overhead. It also employs hardware-isolated NVMe over Ethernet to expand local storage capacity by transparently offloading the logs to remote cloud/servers in a secure manner. RSSD enables post-attack analysis by building a trusted evidence chain of storage operations to assist the investigation of ransomware attacks. We develop RSSD with a real-world SSD FPGA board. Our evaluation shows that RSSD can defend against new and future ransomware attacks, while introducing negligible performance overhead.

Cryptography and Security,Hardware Architecture

Donghyun Min,Yungwoo Ko,Ryan Walker,Junghee Lee,Youngjae Kim

DOI: https://doi.org/10.1109/tcad.2021.3099084

2021-01-01

Abstract:Ransomware is a growing concern in business and government because it causes immediate financial damages or loss of important data. There is a way to detect and block ransomware in advance, but evolved ransomware can still attack while avoiding detection. Another alternative is to back up the original data. However, existing backup solutions can be under the control of ransomware and backup copies can be destroyed by ransomware. Moreover, backup methods incur storage and performance overhead. In this article, we propose AMOEBA, a device-level backup solution that does not require additional storage for backup. AMOEBA is armed with: 1) a hardware accelerator to run content-based detection algorithms for ransomware detection at high speed and 2) a fine-grained backup control mechanism to minimize space overhead for data backup. For evaluations, we not only implemented AMOEBA using the Microsoft solid-state drive (SSD) simulator but also prototyped it on the OpenSSD-platform. Our extensive evaluations with real ransomware workloads show that AMOEBA has high ransomware detection accuracy with negligible performance overhead.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Jan von der Assen,Chao Feng,Alberto Huertas Celdrán,Róbert Oleš,Gérôme Bovet,Burkhard Stiller

2024-01-31

Abstract:Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored their detection using various approaches leveraging Machine and Deep Learning. While these approaches are effective in detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent and not just alert or halt its execution, especially when considering Linux-based samples. This paper presents GuardFS, a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system. The experiments on GuardFS test the configurations in a reactive setting. The results demonstrate that although data loss cannot be completely prevented, it can be significantly reduced. Usability and performance analysis demonstrate that the defense effectiveness of the configurations relates to their impact on resource consumption and usability.

Cryptography and Security

Yiwei Hou,Lihua Guo,Chijin Zhou,Yiwen Xu,Zijing Yin,Shanshan Li,Chengnian Sun,Yu Jiang

DOI: https://doi.org/10.1145/3597503.3639090

2024-01-01

Abstract:The threat of ransomware to the software ecosystem has become increasingly alarming in recent years, raising a demand for large-scale and comprehensive ransomware analysis to help develop more effective countermeasures against unknown attacks. In this paper, we first collect a real-world dataset Maraudermap, consisting of 7,796 active ransomware samples, and analyze their behaviors of disrupting data in victim systems. All samples are executed in iso-lated testbeds to collect all perspectives of six categories of runtime behaviors, such as API calls, I/O accesses, and network traffic. The total logs volume is up to 1.98 TiB. By assessing collected behaviors, we present six critical findings throughout ransomware attacks' data reconnaissance, data tampering, and data exfiltration phases. Based on our findings, we propose three corresponding mitigation strategies to detect ransomware during each phase. Experimental results show that they can enhance the capability of state-of-the-art anti-ransomware tools. We report a preliminary result of a 41%-69% increase in detection rate with no additional false positives, showing that our insights are helpful.

Jinwoo Ahn,Donggyu Park,Chang-Gyu Lee,Donghyun Min,Junghee Lee,Sungyong Park,Qian Chen,Youngjae Kim

DOI: https://doi.org/10.48550/arxiv.1904.05012

2019-01-01

Abstract:Traditional techniques to prevent damage from ransomware attacks are to detect and block attacks by monitoring the known behaviors such as frequent name changes, recurring access to cryptographic libraries and exchange keys with remote servers. Unfortunately, intelligent ransomware can easily bypass these techniques. Another prevention technique is to recover from the backup copy when a file is infected with ransomware. However, the data backup technique requires extra storage space and can be removed with ransomware. In this paper, we propose to implement an access control mechanism on a disk drive, called a KEY-SSD disk drive. KEY-SSD is the data store and the last barrier to data protection. Unauthorized applications will not be able to read file data even if they bypass the file system defense, thus denying the block request without knowing the disk's registered block key and completely eliminating the possibility of the file becoming hostage to ransomware. We have prototyped KEY-SSD and validated the usefulness of KEY-SSD by demonstrating 1) selective block access control, 2) unauthorized data access blocking and 3) negligible performance overhead. Our comprehensive evaluation of KEY-SSD for various workloads show the KEY-SSD performance is hardly degraded due to OS lightweight key transmission and access control drive optimization. We also confirmed that KEY-SSD successfully protects the files in the actual ransomware sample.

Jennie E. Hill,T. Owens Walker,Justin A. Blanco,Robert W. Ives,Ryan Rakvic,Bruce Jacob

DOI: https://doi.org/10.1109/access.2024.3395491

IF: 3.9

2024-05-10

IEEE Access

Abstract:Ransomware is a type of malicious software designed to encrypt a user's important data for the purpose of extortion, with a global annual impact of billions of dollars in damages. This research proposes a side-channel-based ransomware detection method that utilizes the microarchitectural side-channel accessed through hardware performance counters. Unlike most ransomware research, which relies on virtual machines to easily restore a system to its uncompromised, pre-encrypted state, this work leverages thousands of trials collected on hardware without the use of virtualization. Trials consist of both benign operations and real-world ransomware executables. Over two hundred distinct hardware events were collected on (non-virtualized) computer hardware to replicate the real-world scenario in which most ransomware attacks occur. Over 30 classifiers were systematically trained with each of the 200+ hardware events to reduce the number of classifiers and performance counters considered, and then five of the top classification algorithms were evaluated to rank which hardware performance counters contributed to the best classification results. Overall, this work showed that classification of ransomware in under two seconds with over 95% accuracy is viable with as few as 3 hardware event features for the Neural Network and Bagged Tree classifiers.

computer science, information systems,telecommunications,engineering, electrical & electronic

Alian Yu,Jian Kang,Joshua Morris,Elisa Bertino,Dan Lin

DOI: https://doi.org/10.1109/tdsc.2024.3364209

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Ransomware attacks have become widespread in the last few years and have affected many critical industries and infrastructures. Unfortunately, there are no recovery tools that can effectively defend against all types of ransomware. Approaches, such as frequent data backups, have several drawbacks. They are expensive in terms of resources and trained technical staff. Therefore, it is much more challenging and cost-consuming for average users and small business owners to survive ransomware attacks. To provide an easy-to-use tool for a broader population of users and businesses, we propose a novel ransomware defense mechanism that can be conveniently deployed in modern Windows systems which have over 76% market share as of 2022. The uniqueness of our approach is to fight malware like malware. We leverage Alternate Data Streams, which are sometimes used by malicious applications, to design and implement a data protection method that misleads the ransomware into attacking only file “shells” instead of the actual file content. We have evaluated our approach against different cryptographic ransomware. The results show that our approach is usable, efficient, and effective.

computer science, information systems, software engineering, hardware & architecture

Chijin Zhou,Lihua Guo,Yiwei Hou,Zhenya Ma,Quan Zhang,Mingzhe Wang,Zhe Liu,Yu Jiang

DOI: https://doi.org/10.1109/SP46215.2023.10179372

2023-01-01

Abstract:By encrypting the data of infected hosts, cryptographic ransomware has caused billions of dollars in financial losses to a wide range of victims. Many detection techniques have been proposed to counter ransomware threats over the past decade. Their common approach is to monitor I/O behaviors from user space and apply custom heuristics to discriminate ransomware. These techniques implicitly assume that ransomware behaves very differently from benign programs in terms of heuristics. However, when we investigated the behavior of benign and ransomware programs, we found that the boundary between their behaviors was blurred. A ransomware program can still achieve its goal even though it follows the behavior patterns of benign programs. In this paper, we aim to explore the limits of ransomware detection techniques that based on I/O behaviors. To this end, we present ANIMAGUS, an imitation-based ransomware attack that imitates behaviors of benign programs to disguise its encryption tasks. It first learns behavior patterns from a benign program, and then spawns and orchestrates child processes to perform encryption tasks behaving the same as the benign program. We evaluate its effectiveness against six state-of-the-art detection techniques, and the results show that it can successfully evade these defenses. We investigate in detail why they are ineffective and how ANIMAGUS is different from existing ransomware samples. In the end, we discuss potential countermeasures and the benefits that detection tools can gain from our work.

Shuhei Enomoto,Hiroki Kuzuno,Hiroshi Yamada,Yoshiaki Shiraishi,Masakatu Morii

DOI: https://doi.org/10.1007/s10207-024-00892-2

2024-09-15

International Journal of Information Security

Abstract:Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure as a service, are prime targets for ransomware developers. To address this, security mechanisms, such as antivirus software, have proven effective. Moreover, research on ransomware detection advocates for behavior-based finding mechanisms while ransomware is in operation. In response to evolving detections, ransomware developers are now adapting an optimized design tailored for CPU architecture (CPU-optimized ransomware). This variant can rapidly encrypt files, potentially evading detection by traditional antivirus methods that rely on fixed time intervals for file scans. In ransomware detection research, numerous files can be encrypted by CPU-optimized ransomware until malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, which is designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer focuses on the misuse of CPU architecture-specific encryption instructions for swift file encryption by CPU-optimized ransomware. This can be achieved by capturing the ciphertext in user processes and thwarting file encryption by scrutinizing the content intended for writing. To demonstrate the efficacy of CryptoSniffer, the mechanism was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, and the performance overhead is well-suited for practical applications.

computer science, information systems, theory & methods, software engineering

Dionysios Diamantopoulos,Roman Pletka,Slavisa Sarafijanovic,A.L. Narasimha Reddy,Haris Pozidis

2024-06-12

Abstract:Ransomware, a fearsome and rapidly evolving cybersecurity threat, continues to inflict severe consequences on individuals and organizations worldwide. Traditional detection methods, reliant on static signatures and application behavioral patterns, are challenged by the dynamic nature of these threats. This paper introduces three primary contributions to address this challenge. First, we introduce a ransomware emulator. This tool is designed to safely mimic ransomware attacks without causing actual harm or spreading malware, making it a unique solution for studying ransomware behavior. Second, we demonstrate how we use this emulator to create storage I/O traces. These traces are then utilized to train machine-learning models. Our results show that these models are effective in detecting ransomware, highlighting the practical application of our emulator in developing responsible cybersecurity tools. Third, we show how our emulator can be used to mimic the I/O behavior of existing ransomware thereby enabling safe trace collection. Both the emulator and its application represent significant steps forward in ransomware detection in the era of machine-learning-driven cybersecurity.

Cryptography and Security,Artificial Intelligence

Wenjia Song,Sanjula Karanam,Ya Xiao,Jingyuan Qi,Nathan Dautenhahn,Na Meng,Elena Ferrari,Danfeng

2024-11-19

Abstract:Crypto-ransomware has caused an unprecedented scope of impact in recent years with an evolving level of sophistication. An extensive range of studies have been on defending against ransomware and reviewing the efficacy of various protections. However, for practical defenses, deployability holds equal significance as detection accuracy. Therefore, in this study, we review 117 published ransomware defense works, categorize them by the level they are implemented at, and discuss the deployability. API-based solutions are easy to deploy and most existing works focus on machine learning-based classification. To provide more insights, we quantitively characterize the runtime behaviors of real-world ransomware samples. Based on our experimental findings, we present a possible future detection direction with our consistency analysis and API-contrast-based refinement. Moreover, we experimentally evaluate various commercial defenses and identify the security gaps. Our findings help the field understand the deployability of ransomware defenses and create more effective, practical solutions.

Cryptography and Security

Jan von der Assen,Alberto Huertas Celdrán,Rinor Sefa,Gérôme Bovet,Burkhard Stiller

DOI: https://doi.org/10.48550/arXiv.2306.15566

2023-11-16

Abstract:Ransomware has remained one of the most notorious threats in the cybersecurity field. Moving Target Defense (MTD) has been proposed as a novel paradigm for proactive defense. Although various approaches leverage MTD, few of them rely on the operating system and, specifically, the file system, thereby making them dependent on other computing devices. Furthermore, existing ransomware defense techniques merely replicate or detect attacks, without preventing them. Thus, this paper introduces the MTFS overlay file system and the design and implementation of three novel MTD techniques implemented on top of it. One delaying attackers, one trapping recursive directory traversal, and another one hiding file types. The effectiveness of the techniques are shown in two experiments. First, it is shown that the techniques can delay and mitigate ransomware on real IoT devices. Secondly, in a broader scope, the solution was confronted with 14 ransomware samples, highlighting that it can save 97% of the files.

Cryptography and Security

Timothy McIntosh,Teo Susnjak,Tong Liu,Dan Xu,Paul Watters,Dongwei Liu,Yaqi Hao,Alex Ng,Malka Halgamuge

DOI: https://doi.org/10.1145/3691340

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:Ransomware has grown to be a dominant cybersecurity threat by exfiltrating, encrypting, or destroying valuable user data and causing numerous disruptions to victims. The severity of the ransomware endemic has generated research interest from both the academia and the industry. However, many studies held stereotypical assumptions about ransomware, used unverified, outdated, and limited self-collected ransomware samples, and did not consider government strategies, industry guidelines, or cyber intelligence. We observed that ransomware no longer exists simply as an executable file or limits to encrypting files (data loss); data exfiltration (data breach) is the new norm, espionage is an emerging theme, and the industry is shifting focus from technical advancements to cyber governance and resilience. We created a ransomware innovation adoption curve, critically evaluated 212 academic studies published during 2020 and 2023, and cross-verified them against various government strategies, industry reports, and cyber intelligence on ransomware. We concluded that many studies were becoming irrelevant to the contemporary ransomware reality and called for the redirection of ransomware research to align with the continuous ransomware evolution in the industry. We proposed to address data exfiltration as priority over data encryption, to consider ransomware in a business-practical manner, and recommended research collaboration with the industry.

computer science, theory & methods

Caio C. Moreira,Davi C. Moreira,Claudomiro Sales

DOI: https://doi.org/10.1016/j.jisa.2024.103716

IF: 4.96

2024-02-10

Journal of Information Security and Applications

Abstract:This study presents a comprehensive static analysis method that combines multiple structural features extracted from Windows executable files. The method employs an ensemble soft voting model that comprises three machine learning techniques: Logistic Regression (LR), Random Forest (RF), and eXtreme Gradient Boosting (XGB). Our proposed model aims to identify newly emerged ransomware families by analyzing header fields, imported Dynamic-link Libraries (DLLs), function calls, and entropy of sections. To assess the method's efficacy in detecting zero-day ransomware families, we created a dataset consisting of 2675 binary samples. The training set consisted of 1023 samples from 25 relevant ransomware families and 1134 benign applications (goodware) samples. The testing set comprised 385 samples from 15 recent ransomware families and 133 goodware samples. The results for the Detection of New Ransomware Families (DNRF) demonstrated weighted averages of 97.53% accuracy, 96.36% precision, 97.52% recall, and 96.41% F-measure. In addition, the scanning and prediction showed an average of 0.37 s. These results showed the model's adaptability to the ever-changing ransomware landscape while maintaining reasonable testing times, making it applicable as an additional security layer in antivirus protection systems on low-resource hardware devices. Furthermore, we used the SHapley Additive exPlanations (SHAP) interpretation method to establish trust and gain insights into the decision-making process of the proposed model. Our method offers significant advantages and can assist developers of ransomware detection systems in creating more resilient, dependable, and real-time solutions.

computer science, information systems

Krzysztof Cabaj,Marcin Gregorczyk,Wojciech Mazurczyk

DOI: https://doi.org/10.1016/j.compeleceng.2017.10.012

2016-11-25

Abstract:Ransomware is currently the key threat for individual as well as corporate Internet users. Especially dangerous is crypto ransomware that encrypts important user data and it is only possible to recover it once a ransom has been paid. Therefore devising efficient and effective countermeasures is a rising necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes characteristics of ransomware communication. Based on the observation of network communication of two crypto ransomware families, namely CryptoWall and Locky we conclude that analysis of the HTTP messages' sequences and their respective content sizes is enough to detect such threats. We show feasibility of our approach by designing and evaluating the proof-of-concept SDN-based detection system. Experimental results confirm that the proposed approach is feasible and efficient.

Cryptography and Security

Ali Mehrban,Shirin Karimi Geransayeh

2024-02-04

Abstract:In recent years, there has been a noticeable increase in cyberattacks using ransomware. Attackers use this malicious software to break into networks and harm computer systems. This has caused significant and lasting damage to various organizations, including government, private companies, and regular users. These attacks often lead to the loss or exposure of sensitive information, disruptions in normal operations, and persistent vulnerabilities. This paper focuses on a method for recognizing and identifying ransomware in computer networks. The approach relies on using machine learning algorithms and analyzing the patterns of network traffic. By collecting and studying this traffic, and then applying machine learning models, we can accurately identify and detect ransomware. The results of implementing this method show that machine learning algorithms can effectively pinpoint ransomware based on network traffic, achieving high levels of precision and accuracy.

Cryptography and Security,Machine Learning

Manabu Hirano,Ryotaro Kobayashi

DOI: https://doi.org/10.48550/arXiv.2205.13765

2022-05-27

Cryptography and Security

Abstract:Since modern anti-virus software mainly depends on a signature-based static analysis, they are not suitable for coping with the rapid increase in malware variants. Moreover, even worse, many vulnerabilities of operating systems enable attackers to evade such protection mechanisms. We, therefore, developed a thin and lightweight live-forensic hypervisor to create an additional protection layer under a conventional protection layer of operating systems with supporting ransomware detection using dynamic behavioral features. The developed live-forensic hypervisor collects low-level memory access patterns instead of high-level information such as process IDs and API calls that modern Virtual Machine Introspection techniques have employed. We then created the low-level memory access patterns dataset of three ransomware samples, one wiper malware sample, and four benign applications. We confirmed that our best machine learning classifier using only low-level memory access patterns achieved an $F_1$ score of 0.95 in detecting ransomware and wiper malware.

Mohan Anand Putrevu,Hrushikesh Chunduri,Venkata Sai Charan Putrevu,Sandeep K Shukla

2024-09-13

Abstract:The use of multi-threading and file prioritization methods has accelerated the speed at which ransomware encrypts files. To minimize file loss during the ransomware attack, detecting file modifications at the earliest execution stage is considered very important. To achieve this, selecting files as traps and monitoring changes to them is a practical way to deal with modern ransomware variants. This approach minimizes overhead on the endpoint, facilitating early identification of ransomware. This paper evaluates various machine learning-based trap selection methods for reducing file loss, detection delay, and endpoint overhead. We specifically examine non-parametric clustering methods such as Affinity Propagation, Gaussian Mixture Models, Mean Shift, and Optics to assess their effectiveness in trap selection for ransomware detection. These methods select M files from a directory with N files (M<N) and use them as traps. In order to address the shortcomings of existing machine learning-based trap selection methods, we propose APFO (Affinity Propagation with File Order). This method is an improvement upon existing non-parametric clustering-based trap selection methods, and it helps to reduce the amount of file loss and detection delay encountered. APFO demonstrates a minimal file loss percentage of 0.32% and a detection delay of 1.03 seconds across 18 contemporary ransomware variants, including rapid encryption variants of lock-bit, AvosLocker, and Babuk.

Cryptography and Security

Jiseok Bang,Jeong Nyeo Kim,Seungkwang Lee

DOI: https://doi.org/10.3390/s24051446

IF: 3.9

2024-02-24

Sensors

Abstract:This study presents a groundbreaking approach to the ever-evolving challenge of ransomware detection. A lot of detection methods predominantly rely on pinpointing high-entropy blocks, which is a hallmark of the encryption techniques commonly employed in ransomware. These blocks, typically difficult to recover, serve as key indicators of malicious activity. So far, many neutralization techniques have been introduced so that ransomware utilizing standard encryption can effectively bypass these entropy-based detection systems. However, these have limited capabilities or require relatively high computational costs. To address these problems, we introduce a new concept entropy sharing. This method can be seamlessly integrated with every type of cryptographic algorithm and is also composed of lightweight operations, masking the high-entropy blocks undetectable. In addition, the proposed method cannot be easily nullified, contrary to simple encoding methods, without knowing the order of shares. Our findings demonstrate that entropy sharing can effectively bypass entropy-based detection systems. Ransomware utilizing such attack methods can cause significant damage, as they are difficult to detect through conventional detection methods.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Malak Aljabri,Fahd Alhaidari,Aminah Albuainain,Samiyah Alrashidi,Jana Alansari,Wasmiyah Alqahtani,Jana Alshaya

DOI: https://doi.org/10.1016/j.eij.2024.100445

IF: 4.195

2024-01-31

Egyptian Informatics Journal

Abstract:Ransomware attacks have escalated recently and are affecting essential infrastructure and enterprises across the globe. Unfortunately, ransomware uses sophisticated encryption techniques to encrypt important files on the targeted machine and then demands payment to decrypt the data. Artificial intelligent techniques including machine learning have been increasingly applied in the field of cybersecurity and greatly contributed to detecting and preventing different kinds of attacks However, the number of studies that applied machine learning to detect ransomware are still limited by the obfuscation of malware, the lack of setting up a proper analysis environment, the accuracy of models, and the high false-positive rate. Thus, it is crucial to develop effective ransomware detection based on machine learning techniques. This study aims to build a robust machine-learning model that can recognize unknown samples using memory dumps to detect ransomware with high accuracy and minimal false positives providing an extensive analysis of how memory traces can assist in the detection of ransomware. This goal was achieved by building a new dataset composed of recent ransomware group attack samples like Revil, Lockbit, and BlackCat, as well as a number of benign samples, including office applications, Windows applications, and compression applications, which were dynamically analyzed within an enhanced cuckoo sandbox to ensure the most reliable results. Then, a set of machine learning models were developed, and a comparative performance analysis was conducted. Among the various models evaluated, XGBoost was the best-performing model, using only 47 features out of 58. It achieved 97.85% accuracy with a 2% false positive rate.

computer science, information systems, artificial intelligence