Boyang Ma,Yilin Yang,Jinku Li,Fengwei Zhang,Wenbo Shen,Yajin Zhou,Jianfeng Ma

DOI: https://doi.org/10.1145/3576915.3616665

2023-01-01

Abstract:Ransomware has evolved from an economic nuisance to a national security threat nowadays, which poses a significant risk to users. To address this problem, we propose RansomTag, a tag-based approach against crypto ransomware with fine-grained data recovery. Compared to state-of-the-art SSD-based solutions, RansomTag makes progress in three aspects. First, it decouples the ransomware detection functionality from the firmware of the SSD and integrates it into a lightweight hypervisor of Type I. Thus, it can leverage the powerful computing capability of the host system and the rich context information, which is introspected from the operating system, to achieve accurate detection of ransomware attacks and defense against potential targeted attacks on SSD characteristics. Further, RansomTag is readily deployed onto desktop personal computers due to its parapass-through architecture. Second, RansomTag bridges the semantic gap between the hypervisor and the SSD through the tag-based approach proposed by us. Third, RansomTag is able to keep 100% of the user data overwritten or deleted by ransomware, and restore any single or multiple user files to any versions based on timestamps. To validate our approach, we implement a prototype of RansomTag and collect 3,123 recent ransomware samples to evaluate it. The evaluation results show that our prototype effectively protects user data with minimal scale data backup and acceptable performance overhead. In addition, all the attacked files can be completely restored in fine-grained.

Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Senmiao Wang,Hua Zhang,Sujuan Qin,Tengfei Tu,Ana Shen,Wentao Liu,Wen Min Li

DOI: https://doi.org/10.1109/jiot.2022.3156571

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Nowadays, cryptographic ransomware on Android has become one of the most serious threat. They extort users by means of encrypting private data on their devices. Even worse, there exists little files protection solution on IoT devices without ROOT. In light of this, there is an urgent need for countermeasure solutions on IoT devices without ROOT. In this article, we analyze characteristics of cryptographic ransomware. We propose the strategy of files protection against ransomware based on decoys. In order to satisfy the need of files protection on devices without root, we design and implement KRProtector to detect ransomware and protect files based on decoys.

computer science, information systems,telecommunications,engineering, electrical & electronic

Christopher Jun Wen Chew,Vimal Kumar,Panos Patros,Robi Malik

DOI: https://doi.org/10.1007/s10207-024-00819-x

2024-03-04

International Journal of Information Security

Abstract:Ransomware, particularly crypto ransomware, has emerged as the go-to malware for threat actors aiming to compromise data on Android devices as well as in general. In this paper, we present a ransomware detection technique based on behaviours observed in the system calls performed by the malware. We first describe our repeatable and extensible methodology for extracting the system call log and patterns. We then identify and present some common high-level system call behavioural patterns exhibited by crypto ransomware, and evaluate these patterns. We further describe the implementation of a streaming implementation that utilises regular expressions for modelling malware behaviours and finite state machines for detecting crypto ransomware behaviours in real time. The success of our proof of concept evaluation allows us to envision our proposed technique applied as part of a self-protection system on Android phones against malware.

computer science, information systems, theory & methods, software engineering

Moutaz Alazab,Ruba Abu Khurma,David Camacho,Alejandro Martín

DOI: https://doi.org/10.1007/s12559-024-10301-4

IF: 4.89

2024-06-02

Cognitive Computation

Abstract:Ransomware is a significant security threat that poses a serious risk to the security of smartphones, and its impact on portable devices has been extensively discussed in a number of research papers. In recent times, this threat has witnessed a significant increase, causing substantial losses for both individuals and organizations. The emergence and widespread occurrence of diverse forms of ransomware present a significant impediment to the pursuit of reliable security measures that can effectively combat them. This constitutes a formidable challenge due to the dynamic nature of ransomware, which renders traditional security protocols inadequate, as they might have a high false alarm rate and exert significant processing demands on mobile devices that are restricted by limited battery life, CPU, and memory. This paper proposes a novel intelligent method for detecting ransomware that is based on a hybrid multi-solution binary JAYA algorithm with a single-solution simulated annealing (SA). The primary objective is to leverage the exploitation power of SA in supporting the exploration power of the binary JAYA algorithm. This approach results in a better balance between global and local search milestones. The empirical results of our research demonstrate the superiority of the proposed SMO-BJAYA-SA-SVM method over other algorithms based on the evaluation measures used. The proposed method achieved an accuracy rate of 98.7%, a precision of 98.6%, a recall of 98.7%, and an F1 score of 98.6%. Therefore, we believe that our approach is an effective method for detecting ransomware on portable devices. It has the potential to provide a more reliable and efficient solution to this growing security threat.

computer science, artificial intelligence,neurosciences

Abdulrahman Alzahrani,Ali Alshehri,Hani Alshahrani,Huirong Fu

DOI: https://doi.org/10.48550/arXiv.2005.05571

2020-05-12

Abstract:Malware proliferation and sophistication have drastically increased and evolved continuously. Recent indiscriminate ransomware victimizations have imposed critical needs of effective detection techniques to prevent damages. Therefore, ransomware has drawn attention among cyberspace researchers. This paper contributes a comprehensive overview of ransomware attacks and summarizes existing detection and prevention techniques in both Windows and Android platforms. Moreover, it highlights the strengths and shortcomings of those techniques and provides a comparison between them. Furthermore, it gives recommendations to users and system administrators.

Computers and Society,Cryptography and Security

Hardlife Ngirande,Martin Muduva,Ronald Chiwariro,Austin Makate

DOI: https://doi.org/10.22214/ijraset.2024.57885

2024-01-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Ransomware is a malicious code designed to encrypt and lock personal data such as documents and photos, in order to create opportunity for extorting money from the victims. Android operating systems are particularly targeted due to their large market share. Previous studies have primarily relied on signature-based detection methods, which require sufficient data samples and labelled signatures. However, modern ransomware utilizes obfuscation techniques that make it challenging to analyse using static methods. This project proposes a hybrid analysis approach for Android ransomware, employing the SVM algorithm for detection. The novelty lies in the limited exploration of SVM algorithms for ransomware analysis. The dataset used in the study was obtained from CICA and Mal 2017. Static features, including permissions, intents, encoding methods, and API calls were used, along with dynamic features such as network activities and system calls. The SVM model achieved good performance, with 81% accuracy and 90% precision using static features, and 100% accuracy with dynamic features

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

Alian Yu,Jian Kang,Joshua Morris,Elisa Bertino,Dan Lin

DOI: https://doi.org/10.1109/tdsc.2024.3364209

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Ransomware attacks have become widespread in the last few years and have affected many critical industries and infrastructures. Unfortunately, there are no recovery tools that can effectively defend against all types of ransomware. Approaches, such as frequent data backups, have several drawbacks. They are expensive in terms of resources and trained technical staff. Therefore, it is much more challenging and cost-consuming for average users and small business owners to survive ransomware attacks. To provide an easy-to-use tool for a broader population of users and businesses, we propose a novel ransomware defense mechanism that can be conveniently deployed in modern Windows systems which have over 76% market share as of 2022. The uniqueness of our approach is to fight malware like malware. We leverage Alternate Data Streams, which are sometimes used by malicious applications, to design and implement a data protection method that misleads the ransomware into attacking only file “shells” instead of the actual file content. We have evaluated our approach against different cryptographic ransomware. The results show that our approach is usable, efficient, and effective.

computer science, information systems, software engineering, hardware & architecture

Narendra Singh,Somanath Tripathy

DOI: https://doi.org/10.1016/j.cose.2024.103819

IF: 5.105

2024-03-29

Computers & Security

Abstract:Ransomware attacks disrupt and disable systems, demanding a ransom from the victim to restore functionality. Most of the state-of-the-art approaches focus on analyzing their behaviour at the post-infection, to identify ransomware and therefore, fails to detect at the early stage. This work proposes a ransomware detection mechanism named Weapon , to identify the threat at the pre-operational stage in Android system. Weapon extracts the key features from the behavioural characteristics (permissions and API calls) of the APK file and generates semantic features. Consequently, the MITRE ATT&CK framework is used to correlate with the semantic features to detect ransomware before its operational stage efficiently. The experimental results demonstrate that our approach could successfully identify 89.82% ransomware samples at the pre-operational stage.

computer science, information systems

K. R. Kalphana,S. Aanjankumar,M. Surya,M. S. Ramadevi,K. R. Ramela,T Anitha,N. Nagaprasad,Ramaswamy Krishnaraj

DOI: https://doi.org/10.1038/s41598-024-70544-x

IF: 4.6

2024-09-29

Scientific Reports

Abstract:In recent times, the number of malware on Android mobile phones has been growing, and a new kind of malware is Android ransomware. This research aims to address the emerging concerns about Android ransomware in the mobile sector. Previous studies highlight that the number of new Android ransomware is increasing annually, which poses a huge threat to the privacy of mobile phone users for sensitive data. Various existing techniques are active to detect ransomware and secure the data in the mobile cloud. However, these approaches lack accuracy and detection performance with insecure storage. To resolve this and enhance the security level, the proposed model is presented. This manuscript provides both recognition algorithms based on the deep learning model and secured storage of detected data in the cloud with a secret key to safeguard sensitive user information using the hybrid cryptographic model. Initially, the input APK files and data are preprocessed to extract features. The collection of optimal features is carried out using the Squirrel search optimization process. After that, the Deep Learning-based model, adaptive deep saliency The AlexNet classifier is presented to detect and classify data as malicious or normal. The detected data, which is not malicious, is stored on a cloud server. For secured storage of data in the cloud, a hybrid cryptographic model such as hybrid homomorphic Elliptic Curve Cryptography and Blowfish is employed, which includes key computation and key generation processes. The cryptographic scheme includes encryption and decryption of data, after which the application response is found to attain a decrypted result upon user request. The performance is carried out for both the Deep Learning-based model and the hybrid cryptography-based security model, and the results obtained are 99.89% accuracy in detecting malware compared with traditional models. The effectiveness of the proposed system over other models such as GNN is 94.76%, CNN is 95.76%, and Random Forest is 96%.

multidisciplinary sciences

Hashida Haidros Rahima Manzil,S. Manohar Naik

DOI: https://doi.org/10.1007/s11416-023-00495-w

2023-08-23

Journal of Computer Virology and Hacking Techniques

Abstract:Ransomware is a serious cyberthreat for Android users, with devastating consequences for its victims. By locking or encrypting the targeted device, victims are often left unable to access their data, with attackers demanding payment in bitcoins in exchange for decryption. These attacks can occur across various sectors, including government, business, and health systems. Therefore, effective measures to mitigate this threat are critical. This paper proposes a novel hamming distance-based feature selection technique for detecting Android ransomware through static analysis. The detection approach involves four phases: feature extraction, binary feature vector generation, feature selection, and classification. A Python tool is used to automatically extract static features from Android applications, which are then processed for feature vector generation and selection. The effectiveness of the proposed technique is evaluated using various experiments, including machine learning and deep learning techniques. In addition, this article outlines a threat scenario of ransomware on the Android platform. The proposed system achieves a maximum detection accuracy of 99% with Random Forest and Decision Tree classifiers, surpassing state-of-the-art studies. Overall, the proposed technique offers an efficient solution for detecting Android ransomware, which could help prevent future attacks and reduce the impact of this serious cyberthreat.

José A. Gómez-Hernández,Pedro García-Teodoro

DOI: https://doi.org/10.3390/s24092679

IF: 3.9

2024-04-24

Sensors

Abstract:Given the high relevance and impact of ransomware in companies, organizations, and individuals around the world, coupled with the widespread adoption of mobile and IoT-related devices for both personal and professional use, the development of effective and efficient ransomware mitigation schemes is a necessity nowadays. Although a number of proposals are available in the literature in this line, most of them rely on machine-learning schemes that usually involve high computational cost and resource consumption. Since current personal devices are small and limited in capacities and resources, the mentioned schemes are generally not feasible and usable in practical environments. Based on a honeyfile detection solution previously introduced by the authors for Linux and Window OSs, this paper presents a ransomware detection tool for Android platforms where the use of trap files is combined with a reactive monitoring scheme, with three main characteristics: (i) the trap files are properly deployed around the target file system, (ii) the FileObserver service is used to early alert events that access the traps following certain suspicious sequences, and (iii) the experimental results show high performance of the solution in terms of detection accuracy and efficiency.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Atef Ibrahim,Usman Tariq,Tariq Ahamed Ahanger,Bilal Tariq,Fayez Gebali

DOI: https://doi.org/10.3390/math11010249

IF: 2.4

2023-01-04

Mathematics

Abstract:Ransomware is malicious software that encrypts data before demanding payment to unlock them. The majority of ransomware variants use nearly identical command and control (C&C) servers but with minor upgrades. There are numerous variations of ransomware, each of which can encrypt either the entire computer system or specific files. Malicious software needs to infiltrate a system before it can do any real damage. Manually inspecting all potentially malicious file types is a time-consuming and resource-intensive requirement of conventional security software. Using established metrics, this research delves into the complex issues of identifying and preventing ransomware. On the basis of real-world malware samples, we created a parameterized categorization strategy for functional classes and suggestive features. We also furnished a set of criteria that highlights the most commonly featured criteria and investigated both behavior and insights. We used a distinct operating system and specific cloud platform to facilitate remote access and collaboration on files throughout the entire operational experimental infrastructure. With the help of our proposed ransomware detection mechanism, we were able to effectively recognize and prevent both state-of-art and modified ransomware anomalies. Aggregated log revealed a consistent but satisfactory detection rate at 89%. To the best of our knowledge, no research exists that has investigated the ransomware detection and impact of ransomware for PureOS, which offers a unique platform for PC, mobile phones, and resource intensive IoT (Internet of Things) devices.

mathematics

Amnah Albin Ahmed,Afrah Shaahid,Fatima Alnasser,Shahad Alfaddagh,Shadha Binagag,Deemah Alqahtani

DOI: https://doi.org/10.3390/s24010189

2023-12-28

Abstract:In today's digitalized era, the usage of Android devices is being extensively witnessed in various sectors. Cybercriminals inevitably adapt to new security technologies and utilize these platforms to exploit vulnerabilities for nefarious purposes, such as stealing users' sensitive and personal data. This may result in financial losses, discredit, ransomware, or the spreading of infectious malware and other catastrophic cyber-attacks. Due to the fact that ransomware encrypts user data and requests a ransom payment in exchange for the decryption key, it is one of the most devastating types of malicious software. The implications of ransomware attacks can range from a loss of essential data to a disruption of business operations and significant monetary damage. Artificial intelligence (AI)-based techniques, namely machine learning (ML), have proven to be notable in the detection of Android ransomware attacks. However, ensemble models and deep learning (DL) models have not been sufficiently explored. Therefore, in this study, we utilized ML- and DL-based techniques to build efficient, precise, and robust models for binary classification. A publicly available dataset from Kaggle consisting of 392,035 records with benign traffic and 10 different types of Android ransomware attacks was used to train and test the models. Two experiments were carried out. In experiment 1, all the features of the dataset were used. In experiment 2, only the best 19 features were used. The deployed models included a decision tree (DT), support vector machine (SVM), k-nearest neighbor (KNN), ensemble of (DT, SVM, and KNN), feedforward neural network (FNN), and tabular attention network (TabNet). Overall, the experiments yielded excellent results. DT outperformed the others, with an accuracy of 97.24%, precision of 98.50%, and F1-score of 98.45%. Whereas, in terms of the highest recall, SVM achieved 100%. The acquired results were thoroughly discussed, in addition to addressing limitations and exploring potential directions for future work.

Wenjia Song,Sanjula Karanam,Ya Xiao,Jingyuan Qi,Nathan Dautenhahn,Na Meng,Elena Ferrari,Danfeng

2024-11-19

Abstract:Crypto-ransomware has caused an unprecedented scope of impact in recent years with an evolving level of sophistication. An extensive range of studies have been on defending against ransomware and reviewing the efficacy of various protections. However, for practical defenses, deployability holds equal significance as detection accuracy. Therefore, in this study, we review 117 published ransomware defense works, categorize them by the level they are implemented at, and discuss the deployability. API-based solutions are easy to deploy and most existing works focus on machine learning-based classification. To provide more insights, we quantitively characterize the runtime behaviors of real-world ransomware samples. Based on our experimental findings, we present a possible future detection direction with our consistency analysis and API-contrast-based refinement. Moreover, we experimentally evaluate various commercial defenses and identify the security gaps. Our findings help the field understand the deployability of ransomware defenses and create more effective, practical solutions.

Cryptography and Security

Aaron Zimba,Mumbi Chishimba,Sipiwe Chihana

DOI: https://doi.org/10.48550/arXiv.2102.10632

2021-02-22

Abstract:Ransomware has emerged as an infamous malware that has not escaped a lot of myths and inaccuracies from media hype. Victims are not sure whether or not to pay a ransom demand without fully understanding the lurking consequences. In this paper, we present a ransomware classification framework based on file-deletion and file-encryption attack structures that provides a deeper comprehension of potential flaws and inadequacies exhibited in ransomware. We formulate a threat and attack model representative of a typical ransomware attack process from which we derive the ransomware categorization framework based on a proposed classification algorithm. The framework classifies the virulence of a ransomware attack to entail the overall effectiveness of potential ways of recovering the attacked data without paying the ransom demand as well as the technical prowess of the underlying attack structures. Results of the categorization, in increasing severity from CAT1 through to CAT5, show that many ransomwares exhibit flaws in their implementation of encryption and deletion attack structures which make data recovery possible without paying the ransom. The most severe categories CAT4 and CAT5 are better mitigated by exploiting encryption essentials while CAT3 can be effectively mitigated via reverse engineering. CAT1 and CAT2 are not common and are easily mitigated without any decryption essentials.

Cryptography and Security

Javier Yuste,Sergio Pastrana

DOI: https://doi.org/10.1016/j.cose.2021.102388

2021-10-01

Abstract:<p>Malware is an emerging and popular threat flourishing in the underground economy. The commoditization of Malware-as-a-Service (MaaS) allows criminals to obtain financial benefits at a low risk and with little technical background. One such popular product is ransomware, which is a popular type of malware traded in the underground economy. In ransomware attacks, data from infected systems is held hostage (encrypted) until a ransom is paid to the criminals. In addition, a recent blackmailing strategy adopted by criminals is to leak data online from the infected systems if the ransom is not paid before a given time, producing further economic and reputational damage. In this work, we perform an in-depth analysis of Avaddon, a ransomware offered in the underground economy as an affiliate program business. This threat has been linked to various cyberattacks and has infected and leaked data from at least 62 organizations. Additionally, it also runs Distributed Denial-of-Service (DDoS) attacks against victims that do not pay the ransom. We first provide an analysis of the criminal business model in the underground economy. Then, we identify and describe its technical capabilities, dissecting details of its inner structure. As a result, we provide tools to assist analysis, decrypting and labeling obfuscated strings observed in the ransomware binary. Additionally, we provide empirical evidence of links between this variant and a previous family, suggesting that the same group was behind the development and, possibly, the operation of both campaigns. Finally, we develop a procedure to recover files encrypted by Avaddon. We successfully tested the proposed procedure against different versions of Avaddon. The proposed method is released as an open-source tool so it can be incorporated in existing Antivirus engines and extended to decrypt other ransomware families that implement a similar encryption approach.</p>

computer science, information systems

Saleh Alzahrani,Yang Xiao,Wei Sun

DOI: https://doi.org/10.1109/access.2022.3207757

IF: 3.9

2022-09-30

IEEE Access

Abstract:In recent years, there has been an increase in ransomware attacks worldwide. These attacks aim to lock victims' machines or encrypt their files for ransom. These kinds of ransomware differ in their implementation and techniques, starting from how they spread, vulnerabilities they leverage, methods to hide their behaviors from antivirus software, encryption methods, and performance. The Conti ransomware is sophisticated ransomware that operates as ransomware-as-a-service. It started in 2019 and had an unprecedented human impact by targeting healthcare systems and cost $$ $ 45 million. This paper analyzes the Conti ransomware source codes leaked on February 27, 2022, by an anonymous individual. We first look at the general code structure. Then, we analyze its flow, starting with its application programming interface disguise techniques, anti hook mechanisms, command-line arguments, and finally, its multithreaded encryption. We also perform a static and dynamic analysis of the latest known Conti sample in an isolated environment and compare its behavior to its source code flows.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jan von der Assen,Chao Feng,Alberto Huertas Celdrán,Róbert Oleš,Gérôme Bovet,Burkhard Stiller

2024-01-31

Abstract:Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored their detection using various approaches leveraging Machine and Deep Learning. While these approaches are effective in detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent and not just alert or halt its execution, especially when considering Linux-based samples. This paper presents GuardFS, a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system. The experiments on GuardFS test the configurations in a reactive setting. The results demonstrate that although data loss cannot be completely prevented, it can be significantly reduced. Usability and performance analysis demonstrate that the defense effectiveness of the configurations relates to their impact on resource consumption and usability.

Cryptography and Security