Boyang Ma,Yilin Yang,Jinku Li,Fengwei Zhang,Wenbo Shen,Yajin Zhou,Jianfeng Ma

DOI: https://doi.org/10.1145/3576915.3616665

2023-01-01

Abstract:Ransomware has evolved from an economic nuisance to a national security threat nowadays, which poses a significant risk to users. To address this problem, we propose RansomTag, a tag-based approach against crypto ransomware with fine-grained data recovery. Compared to state-of-the-art SSD-based solutions, RansomTag makes progress in three aspects. First, it decouples the ransomware detection functionality from the firmware of the SSD and integrates it into a lightweight hypervisor of Type I. Thus, it can leverage the powerful computing capability of the host system and the rich context information, which is introspected from the operating system, to achieve accurate detection of ransomware attacks and defense against potential targeted attacks on SSD characteristics. Further, RansomTag is readily deployed onto desktop personal computers due to its parapass-through architecture. Second, RansomTag bridges the semantic gap between the hypervisor and the SSD through the tag-based approach proposed by us. Third, RansomTag is able to keep 100% of the user data overwritten or deleted by ransomware, and restore any single or multiple user files to any versions based on timestamps. To validate our approach, we implement a prototype of RansomTag and collect 3,123 recent ransomware samples to evaluate it. The evaluation results show that our prototype effectively protects user data with minimal scale data backup and acceptable performance overhead. In addition, all the attacked files can be completely restored in fine-grained.

Wenjia Song,Sanjula Karanam,Ya Xiao,Jingyuan Qi,Nathan Dautenhahn,Na Meng,Elena Ferrari,Danfeng

2024-11-19

Abstract:Crypto-ransomware has caused an unprecedented scope of impact in recent years with an evolving level of sophistication. An extensive range of studies have been on defending against ransomware and reviewing the efficacy of various protections. However, for practical defenses, deployability holds equal significance as detection accuracy. Therefore, in this study, we review 117 published ransomware defense works, categorize them by the level they are implemented at, and discuss the deployability. API-based solutions are easy to deploy and most existing works focus on machine learning-based classification. To provide more insights, we quantitively characterize the runtime behaviors of real-world ransomware samples. Based on our experimental findings, we present a possible future detection direction with our consistency analysis and API-contrast-based refinement. Moreover, we experimentally evaluate various commercial defenses and identify the security gaps. Our findings help the field understand the deployability of ransomware defenses and create more effective, practical solutions.

Cryptography and Security

Muhammad Usman Rana,Munam Ali Shah,Mohammad Abdulaziz Al-Naeem,Carsten Maple

DOI: https://doi.org/10.1109/access.2024.3477631

IF: 3.9

2024-10-19

IEEE Access

Abstract:Ransomware has appeared to be the most damaging and devastating type of malware attack in any cyber physical system. The resilience of a web browser to deal with the malware attack is of significance importance, however, evaluating the performance of a browser to tackle these attacks is a challenging task. Due to various automation techniques, web applications can be tested without human intervention. Technologies such as Junit, Chakram, and Selenium are useful in automated testing but the problem is that the attacker uses harmful code and automated web approaches to distribute their malware. In this research,our contribution is twofold. Firstly, we examine a new attack vector that cyber adversaries can possibly use in the future to infect an operating system with a malware. Currently, attackers use various techniques to gain access to victims' personal computers. Secondly, we present a novel automated web defence to countermeasure these malware attacks. The proposed research aims to provide a better understanding of the new computer virus-spreading techniques that intruders can use in the future. We provide the insight of these attacks and present ways to countermeasure the attacks and to reduce the attack surface. Experiments and flow diagrams have been used to demonstrate the attack and defence approach. To offer malware lateral movement and to encrypt the date of users' device, we use Selenium automation tool on a social media platform. For our experimentation, we developed an application which has been tested on a variety of browsers including Google Chrome, Firefox, and Safari. Our research has revealed that we have an 85 percent success rate when testing in a head-on environment. We have expanded our experiments on headless applications and interestingly, the accuracy rate improved and the probability of success increased to 95 percent. Lastly, we have demonstrated a unique method for detecting and stopping web automation that is generally applicable.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jan von der Assen,Chao Feng,Alberto Huertas Celdrán,Róbert Oleš,Gérôme Bovet,Burkhard Stiller

2024-01-31

Abstract:Although ransomware has received broad attention in media and research, this evolving threat vector still poses a systematic threat. Related literature has explored their detection using various approaches leveraging Machine and Deep Learning. While these approaches are effective in detecting malware, they do not answer how to use this intelligence to protect against threats, raising concerns about their applicability in a hostile environment. Solutions that focus on mitigation rarely explore how to prevent and not just alert or halt its execution, especially when considering Linux-based samples. This paper presents GuardFS, a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system. The experiments on GuardFS test the configurations in a reactive setting. The results demonstrate that although data loss cannot be completely prevented, it can be significantly reduced. Usability and performance analysis demonstrate that the defense effectiveness of the configurations relates to their impact on resource consumption and usability.

Cryptography and Security

Abdullah Alqahtani,Frederick T Sheldon

DOI: https://doi.org/10.3390/s22051837

2022-02-25

Abstract:Recently, ransomware attacks have been among the major threats that target a wide range of Internet and mobile users throughout the world, especially critical cyber physical systems. Due to its unique characteristics, ransomware has attracted the attention of security professionals and researchers toward achieving safer and higher assurance systems that can effectively detect and prevent such attacks. The state-of-the-art crypto ransomware early detection models rely on specific data acquired during the runtime of an attack's lifecycle. However, the evasive mechanisms that these attacks employ to avoid detection often nullify the solutions that are currently in place. More effort is needed to keep up with an attacks' momentum to take the current security defenses to the next level. This survey is devoted to exploring and analyzing the state-of-the-art in ransomware attack detection toward facilitating the research community that endeavors to disrupt this very critical and escalating ransomware problem. The focus is on crypto ransomware as the most prevalent, destructive, and challenging variation. The approaches and open issues pertaining to ransomware detection modeling are reviewed to establish recommendations for future research directions and scope.

Kenan Begovic,Abdulaziz Al-Ali,Qutaibah Malluhi

DOI: https://doi.org/10.1016/j.cose.2023.103349

2023-06-21

Abstract:The ransomware threat has loomed over our digital life since 1989. Criminals use this type of cyber attack to lock or encrypt victims' data, often coercing them to pay exorbitant amounts in ransom. The damage ransomware causes ranges from monetary losses paid for ransom at best to endangering human lives. Cryptographic ransomware, where attackers encrypt the victim's data, stands as the predominant ransomware variant. The primary characteristics of these attacks have remained the same since the first ransomware attack. For this reason, we consider this a key factor differentiating ransomware from other cyber attacks, making it vital in tackling the threat of cryptographic ransomware. This paper proposes a cyber kill chain that describes the modern crypto-ransomware attack. The survey focuses on the Encryption phase as described in our proposed cyber kill chain and its detection techniques. We identify three main methods used in detecting encryption-related activities by ransomware, namely API and System calls, I/O monitoring, and file system activities monitoring. Machine learning (ML) is a tool used in all three identified methodologies, and some of the issues within the ML domain related to this survey are also covered as part of their respective methodologies. The survey of selected proposals is conducted through the prism of those three methodologies, showcasing the importance of detecting ransomware during pre-encryption and encryption activities and the windows of opportunity to do so. We also examine commercial crypto-ransomware protection and detection offerings and show the gap between academic research and commercial applications.

Cryptography and Security

Yiwei Hou,Lihua Guo,Chijin Zhou,Yiwen Xu,Zijing Yin,Shanshan Li,Chengnian Sun,Yu Jiang

DOI: https://doi.org/10.1145/3597503.3639090

2024-01-01

Abstract:The threat of ransomware to the software ecosystem has become increasingly alarming in recent years, raising a demand for large-scale and comprehensive ransomware analysis to help develop more effective countermeasures against unknown attacks. In this paper, we first collect a real-world dataset Maraudermap, consisting of 7,796 active ransomware samples, and analyze their behaviors of disrupting data in victim systems. All samples are executed in iso-lated testbeds to collect all perspectives of six categories of runtime behaviors, such as API calls, I/O accesses, and network traffic. The total logs volume is up to 1.98 TiB. By assessing collected behaviors, we present six critical findings throughout ransomware attacks' data reconnaissance, data tampering, and data exfiltration phases. Based on our findings, we propose three corresponding mitigation strategies to detect ransomware during each phase. Experimental results show that they can enhance the capability of state-of-the-art anti-ransomware tools. We report a preliminary result of a 41%-69% increase in detection rate with no additional false positives, showing that our insights are helpful.

Jan von der Assen,Alberto Huertas Celdrán,Rinor Sefa,Gérôme Bovet,Burkhard Stiller

DOI: https://doi.org/10.48550/arXiv.2306.15566

2023-11-16

Abstract:Ransomware has remained one of the most notorious threats in the cybersecurity field. Moving Target Defense (MTD) has been proposed as a novel paradigm for proactive defense. Although various approaches leverage MTD, few of them rely on the operating system and, specifically, the file system, thereby making them dependent on other computing devices. Furthermore, existing ransomware defense techniques merely replicate or detect attacks, without preventing them. Thus, this paper introduces the MTFS overlay file system and the design and implementation of three novel MTD techniques implemented on top of it. One delaying attackers, one trapping recursive directory traversal, and another one hiding file types. The effectiveness of the techniques are shown in two experiments. First, it is shown that the techniques can delay and mitigate ransomware on real IoT devices. Secondly, in a broader scope, the solution was confronted with 14 ransomware samples, highlighting that it can save 97% of the files.

Cryptography and Security

Caio C. Moreira,Davi C. Moreira,Claudomiro Sales

DOI: https://doi.org/10.1016/j.jisa.2024.103716

IF: 4.96

2024-02-10

Journal of Information Security and Applications

Abstract:This study presents a comprehensive static analysis method that combines multiple structural features extracted from Windows executable files. The method employs an ensemble soft voting model that comprises three machine learning techniques: Logistic Regression (LR), Random Forest (RF), and eXtreme Gradient Boosting (XGB). Our proposed model aims to identify newly emerged ransomware families by analyzing header fields, imported Dynamic-link Libraries (DLLs), function calls, and entropy of sections. To assess the method's efficacy in detecting zero-day ransomware families, we created a dataset consisting of 2675 binary samples. The training set consisted of 1023 samples from 25 relevant ransomware families and 1134 benign applications (goodware) samples. The testing set comprised 385 samples from 15 recent ransomware families and 133 goodware samples. The results for the Detection of New Ransomware Families (DNRF) demonstrated weighted averages of 97.53% accuracy, 96.36% precision, 97.52% recall, and 96.41% F-measure. In addition, the scanning and prediction showed an average of 0.37 s. These results showed the model's adaptability to the ever-changing ransomware landscape while maintaining reasonable testing times, making it applicable as an additional security layer in antivirus protection systems on low-resource hardware devices. Furthermore, we used the SHapley Additive exPlanations (SHAP) interpretation method to establish trust and gain insights into the decision-making process of the proposed model. Our method offers significant advantages and can assist developers of ransomware detection systems in creating more resilient, dependable, and real-time solutions.

computer science, information systems

Farshid Javadnejad,Ahmed M. Abdelmagid,Cesar A. Pinto,Michael Mcshane,Rafael Diaz

DOI: https://doi.org/10.1080/17517575.2024.2369952

2024-06-25

Enterprise Information Systems

Abstract:This study comprehensively assesses ransomware/malware risks using the Advisen cyber loss dataset. It classifies malware types by frequency and financial impact, revealing that low-frequency attacks can cause significant economic damage. Some malware types incur extensive losses despite their rarity. The analysis highlights cybersecurity technologies like AI-based tools and Zero Trust Architecture (ZTA) for combating attacks. Large organizations and small businesses can adopt these defensive approaches across various industries. The study underscores the need for robust cybersecurity measures to prevent or mitigate future attacks, offering valuable insights into malware and ransomware patterns and trends, stressing adherence to frameworks, policies, and regulations.

computer science, information systems

Veronika Szücs,Gábor Arányi,Ákos Dávid

DOI: https://doi.org/10.3390/app11136070

2021-06-30

Applied Sciences

Abstract:We live in a world of digital information communication and digital data storage. Following the development of technology, demands from the user side also pose serious challenges for developers, both in the field of hardware and software development. However, the increasing penetration of the Internet, IoT and digital solutions that have become available in almost every segment of life, carries risks as well as benefits. In this study, the authors present the phenomenon of ransomware attacks that appear on a daily basis, which endangers the operation and security of the digital sphere of both small and large enterprises and individuals. An overview of ransomware attacks, the tendency and characteristics of the attacks, which have caused serious financial loss and other damages to the victims, are presented. This manuscript also provides a brief overview of protection against ransomware attacks and the software and hardware options that enhance general user security and their effectiveness as standalone applications. The authors present the results of the study, which aimed to explore how the available software and hardware devices can implement digital user security. Based on the results of the research, the authors propose a complex system that can be used to increase the efficiency of network protection and OS protection tools already available to improve network security, and to detect ransomware attacks early. As a result, the model of the proposed protection system is presented, and it can be stated that the complex system should be able to detect ransomware attacks from either the Internet or the internal network at an early stage, mitigate malicious processes and maintain data in recoverable state.

Murat Ozer,Said Varlioglu,Bilal Gonen,Mehmet F. Bastug

DOI: https://doi.org/10.1109/CSCI49370.2019.00032

2020-03-17

Abstract:Over the past three years, especially following WannaCry malware, ransomware has become one of the biggest concerns for private businesses, state, and local government agencies. According to Homeland Security statistics, 1.5 million ransomware attacks have occurred per year since 2016. Cybercriminals often use creative methods to inject their malware into the target machines and use sophisticated cryptographic techniques to hold hostage victims' files and programs unless a certain amount of equivalent Bitcoin is paid. The return to the cybercriminals is so high (estimated \$1 billion in 2019) without any cost because of the advanced anonymity provided by cryptocurrencies, especially Bitcoin \cite{Paquet-Clouston2019}. Given this context, this study first discusses the current state of ransomware, detection, and prevention systems. Second, we propose a global ransomware center to better manage our concerted efforts against cybercriminals. The policy implications of the proposed study are discussed in the conclusion section.

Cryptography and Security

Ali Mehrban,Shirin Karimi Geransayeh

2024-02-04

Abstract:In recent years, there has been a noticeable increase in cyberattacks using ransomware. Attackers use this malicious software to break into networks and harm computer systems. This has caused significant and lasting damage to various organizations, including government, private companies, and regular users. These attacks often lead to the loss or exposure of sensitive information, disruptions in normal operations, and persistent vulnerabilities. This paper focuses on a method for recognizing and identifying ransomware in computer networks. The approach relies on using machine learning algorithms and analyzing the patterns of network traffic. By collecting and studying this traffic, and then applying machine learning models, we can accurately identify and detect ransomware. The results of implementing this method show that machine learning algorithms can effectively pinpoint ransomware based on network traffic, achieving high levels of precision and accuracy.

Cryptography and Security,Machine Learning

Timothy McIntosh,Teo Susnjak,Tong Liu,Dan Xu,Paul Watters,Dongwei Liu,Yaqi Hao,Alex Ng,Malka Halgamuge

DOI: https://doi.org/10.1145/3691340

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:Ransomware has grown to be a dominant cybersecurity threat by exfiltrating, encrypting, or destroying valuable user data and causing numerous disruptions to victims. The severity of the ransomware endemic has generated research interest from both the academia and the industry. However, many studies held stereotypical assumptions about ransomware, used unverified, outdated, and limited self-collected ransomware samples, and did not consider government strategies, industry guidelines, or cyber intelligence. We observed that ransomware no longer exists simply as an executable file or limits to encrypting files (data loss); data exfiltration (data breach) is the new norm, espionage is an emerging theme, and the industry is shifting focus from technical advancements to cyber governance and resilience. We created a ransomware innovation adoption curve, critically evaluated 212 academic studies published during 2020 and 2023, and cross-verified them against various government strategies, industry reports, and cyber intelligence on ransomware. We concluded that many studies were becoming irrelevant to the contemporary ransomware reality and called for the redirection of ransomware research to align with the continuous ransomware evolution in the industry. We proposed to address data exfiltration as priority over data encryption, to consider ransomware in a business-practical manner, and recommended research collaboration with the industry.

computer science, theory & methods

Donghyun Min,Yungwoo Ko,Ryan Walker,Junghee Lee,Youngjae Kim

DOI: https://doi.org/10.1109/tcad.2021.3099084

2021-01-01

Abstract:Ransomware is a growing concern in business and government because it causes immediate financial damages or loss of important data. There is a way to detect and block ransomware in advance, but evolved ransomware can still attack while avoiding detection. Another alternative is to back up the original data. However, existing backup solutions can be under the control of ransomware and backup copies can be destroyed by ransomware. Moreover, backup methods incur storage and performance overhead. In this article, we propose AMOEBA, a device-level backup solution that does not require additional storage for backup. AMOEBA is armed with: 1) a hardware accelerator to run content-based detection algorithms for ransomware detection at high speed and 2) a fine-grained backup control mechanism to minimize space overhead for data backup. For evaluations, we not only implemented AMOEBA using the Microsoft solid-state drive (SSD) simulator but also prototyped it on the OpenSSD-platform. Our extensive evaluations with real ransomware workloads show that AMOEBA has high ransomware detection accuracy with negligible performance overhead.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Aaron Zimba,Mumbi Chishimba,Sipiwe Chihana

DOI: https://doi.org/10.48550/arXiv.2102.10632

2021-02-22

Abstract:Ransomware has emerged as an infamous malware that has not escaped a lot of myths and inaccuracies from media hype. Victims are not sure whether or not to pay a ransom demand without fully understanding the lurking consequences. In this paper, we present a ransomware classification framework based on file-deletion and file-encryption attack structures that provides a deeper comprehension of potential flaws and inadequacies exhibited in ransomware. We formulate a threat and attack model representative of a typical ransomware attack process from which we derive the ransomware categorization framework based on a proposed classification algorithm. The framework classifies the virulence of a ransomware attack to entail the overall effectiveness of potential ways of recovering the attacked data without paying the ransom demand as well as the technical prowess of the underlying attack structures. Results of the categorization, in increasing severity from CAT1 through to CAT5, show that many ransomwares exhibit flaws in their implementation of encryption and deletion attack structures which make data recovery possible without paying the ransom. The most severe categories CAT4 and CAT5 are better mitigated by exploiting encryption essentials while CAT3 can be effectively mitigated via reverse engineering. CAT1 and CAT2 are not common and are easily mitigated without any decryption essentials.

Cryptography and Security

Alberto Redondo,David Rios Insua

DOI: https://doi.org/10.48550/arXiv.1911.03653

2019-11-09

Abstract:Malware constitutes a major global risk affecting millions of users each year. Standard algorithms in detection systems perform insufficiently when dealing with malware passed through obfuscation tools. We illustrate this studying in detail an open source metamorphic software, making use of a hybrid framework to obtain the relevant features from binaries. We then provide an improved alternative solution based on adversarial risk analysis which we illustrate describe with an example.

Cryptography and Security,Machine Learning

Jaehyuk Lee,Jinseo Yun,Kyungroul Lee

DOI: https://doi.org/10.3390/electronics13061030

IF: 2.9

2024-03-10

Electronics

Abstract:Ransomware, which emerged in 1989, has evolved to the present in numerous variants and new forms. For this reason, serious damage caused by ransomware has occurred not only within our country but around the world, and, according to the analysis of ransomware trends, ransomware poses an ongoing and significant threat, with major damage expected to continue to occur in the future. To address this problem, various approaches to detect ransomware have been explored, with a recent focus on file entropy estimation methods. These methods exploit the characteristic increase in file entropy that is caused by ransomware encryption. In response, a method was developed to neutralize entropy-based ransomware detection technology by manipulating entropy using encoding methods from the attacker's perspective. Consequently, from the defender's standpoint, countermeasures are essential to minimize the damage caused by ransomware. Therefore, this article proposes a methodology that utilizes diverse machine learning models such as K-Nearest Neighbors (KNN), logistic regression, decision tree, random forest, gradient boosting, support vector machine (SVM), and multi-layer perception (MLP) to detect files infected with ransomware. The experimental results demonstrate empirically that files infected with ransomware can be detected with approximately 98% accuracy, and the results of this research are expected to provide valuable information for developing countermeasures against various ransomware detection technologies.

engineering, electrical & electronic,computer science, information systems,physics, applied

Krzysztof Cabaj,Marcin Gregorczyk,Wojciech Mazurczyk

DOI: https://doi.org/10.1016/j.compeleceng.2017.10.012

2016-11-25

Abstract:Ransomware is currently the key threat for individual as well as corporate Internet users. Especially dangerous is crypto ransomware that encrypts important user data and it is only possible to recover it once a ransom has been paid. Therefore devising efficient and effective countermeasures is a rising necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes characteristics of ransomware communication. Based on the observation of network communication of two crypto ransomware families, namely CryptoWall and Locky we conclude that analysis of the HTTP messages' sequences and their respective content sizes is enough to detect such threats. We show feasibility of our approach by designing and evaluating the proof-of-concept SDN-based detection system. Experimental results confirm that the proposed approach is feasible and efficient.

Cryptography and Security

Routa Moussaileb,Nora Cuppens,Jean-Louis Lanet,Hélène Le Bouder

DOI: https://doi.org/10.1145/3453153

IF: 16.6

2021-07-01

ACM Computing Surveys

Abstract:Ransomware remains an alarming threat in the 21st century. It has evolved from being a simple scare tactic into a complex malware capable of evasion. Formerly, end-users were targeted via mass infection campaigns. Nevertheless, in recent years, the attackers have focused on targeted attacks, since the latter are profitable and can induce severe damage. A vast number of detection mechanisms have been proposed in the literature. We provide a systematic review of ransomware countermeasures starting from its deployment on the victim machine until the ransom payment via cryptocurrency. We define four stages of this malware attack: Delivery, Deployment, Destruction, and Dealing. Then, we assign the corresponding countermeasures for each phase of the attack and cluster them by the techniques used. Finally, we propose a roadmap for researchers to fill the gaps found in the literature in ransomware’s battle.

computer science, theory & methods