A novel method for recovery from Crypto Ransomware infections

Weckstén, Mattias; Frick, Jan; Sjöström, Andreas; Järpe, Eric

doi:10.1109/compcomm.2016.7924925

Cited by 29 publications

(11 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, the log files did produce other notable entries, particularly the ransomware variants terminating the “vssadmin.exe” process responsible for volume shadow copy backups. This is a common tactic used by ransomware to prevent the users, and some commercial backup applications, from restoring their data through a shadow copy of the disk prior to the ransomware infection [ 98 , 99 ]. By showing that the ransomware variants terminated this process, we can determine that the ransomware variants executed successfully and did not alter their execution process as a result of sandbox detection.…”

Section: Evaluation and Discussionmentioning

confidence: 99%

Ransomware: Analysing the Impact on Windows Active Directory Domain Services

McDonald

Papadopoulos

Pitropakis

et al. 2022

Sensors

View full text Add to dashboard Cite

Ransomware has become an increasingly popular type of malware across the past decade and continues to rise in popularity due to its high profitability. Organisations and enterprises have become prime targets for ransomware as they are more likely to succumb to ransom demands as part of operating expenses to counter the cost incurred from downtime. Despite the prevalence of ransomware as a threat towards organisations, there is very little information outlining how ransomware affects Windows Server environments, and particularly its proprietary domain services such as Active Directory. Hence, we aim to increase the cyber situational awareness of organisations and corporations that utilise these environments. Dynamic analysis was performed using three ransomware variants to uncover how crypto-ransomware affects Windows Server-specific services and processes. Our work outlines the practical investigation undertaken as WannaCry, TeslaCrypt, and Jigsaw were acquired and tested against several domain services. The findings showed that none of the three variants stopped the processes and decidedly left all domain services untouched. However, although the services remained operational, they became uniquely dysfunctional as ransomware encrypted the files pertaining to those services.

show abstract

Section: Evaluation and Discussionmentioning

confidence: 99%

Ransomware: Analysing the Impact on Windows Active Directory Domain Services

McDonald

Papadopoulos

Pitropakis

et al. 2022

Sensors

View full text Add to dashboard Cite

show abstract

“…Their result achieved an area under the curve around 0.995, but at the same time, the result has a relatively high false positives ratio. Weckstén et al [8] used the file system activity, registry manipulation, software process monitor, and regshots for tracking the processing activity in zeltzers. They found that the crypto-ransomware attacks depend on the executable file of "vssadmin.exe".…”

Section: Related Workmentioning

confidence: 99%

Comparative analysis of various machine learning algorithms for ransomware detection

Khammas

2022

TELKOMNIKA

View full text Add to dashboard Cite

“…However, crypto-ransomware is much more destructive in general as current encryption techniques (e.g., AES and RSA) are almost impossible to be reverted. And this despite some proposals have been developed to overcome this situation [6,7,8]. From this perspective, prevention is the first and most recommended method to fight against cryptoransomware at present [9].…”

Section: Introductionmentioning

confidence: 99%

R-Locker: Thwarting ransomware action through a honeyfile-based approach

Gómez-Hernández

Álvarez-González

García-Teodoro

2018

Computers & Security

114

View full text Add to dashboard Cite

Ransomware has become a pandemic nowadays. Although some proposals exist to fight against this increasing type of extorsion, most of them are prevention like and rely on the assumption that early detection is not so effective once the victim is infected. This paper presents a novel approach intended not just to early detect ransomware but to completly thwart its action. For that, a set of honeyfiles are deployed around the target environment in order to catch the ransomware. Instead of being normal archives, honeyfiles are FIFO like, so that the ransomware is blocked once it starts reading the file. In addition to frustrate its action, our honeyfile solution is able to automatically launch countermeasures to solve the infection. Moreover, as it does not require previous training or knowledge, the approach allows fighting against unknown, zero-day ransomware related attacks. As a proof of concept, we have developed the approach for Unix platforms. The tool, named R-Locker, shows excellent performance both from the perspective of its accuracy as well as in terms of complexity and resource consumption. In addition, it has no special needs or privileges and does not affect the normal operation of the overall environment.

show abstract

A novel method for recovery from Crypto Ransomware infections

Cited by 29 publications

References 2 publications

Ransomware: Analysing the Impact on Windows Active Directory Domain Services

Ransomware: Analysing the Impact on Windows Active Directory Domain Services

Comparative analysis of various machine learning algorithms for ransomware detection

R-Locker: Thwarting ransomware action through a honeyfile-based approach

Contact Info

Product

Resources

About