An Efficient Approach to Detect TorrentLocker Ransomware in Computer Systems

Mbol, Faustin; Robert, Jean‐Marc; Sadighian, Alireza

doi:10.1007/978-3-319-48965-0_32

Cited by 47 publications

(41 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In their solution, few files are lost. Another statistical technique was adopted by Mbol et al for ransomware detection [27]. Their focus was on JPEG files since they initially have high entropy.…”

Section: Host Based Ransomware Detectionmentioning

confidence: 99%

Ransomware Network Traffic Analysis for Pre-encryption Alert

Moussaileb

Cuppens

Lanet³

et al. 2020

Foundations and Practice of Security

View full text Add to dashboard Cite

Cyber Security researchers are in an ongoing battle against ransomware attacks. Some exploits begin with social engineering methods to install payloads on victims' computers, followed by a communication with command and control servers for data exchange. To scale down these attacks, scientists should shed light on the danger of those rising intrusions to prevent permanent data loss. To join this arm race against malware, we propose in this paper an analysis of various ransomware families based on the collected system and network logs from a computer. We delve into malicious network traffic generated by these samples to perform a packet level detection. Our goal is to reconstruct ransomware's full activity to check if its network communication is distinguishable from benign traffic. Then, we examine if the first packet sent occurs before data's encryption to alert the administrators or afterwards. We aim to define the first occurrence of the alert raised by malicious network traffic and where it takes place in a ransomware workflow. Logs collected are available at http://serveur2.seres.rennes.telecom-bretagne.eu/data/RansomwareData/.

show abstract

Section: Host Based Ransomware Detectionmentioning

confidence: 99%

Ransomware Network Traffic Analysis for Pre-encryption Alert

Moussaileb

Cuppens

Lanet³

et al. 2020

Foundations and Practice of Security

View full text Add to dashboard Cite

show abstract

“…These tasks are supported by strong machine learning solutions [26] and sandboxing [40]. The entropy-based malware analysis is frequent in the bibliography, which allows to distinguish files with encrypted content from the original assets [44]. In [14] the crypto-ransomware is detected by recognizing of strategies for asset discovery, which try to enumerate specific file extensions (e.g.…”

Section: Countermeasuresmentioning

confidence: 99%

A novel Self-Organizing Network solution towards Crypto-ransomware Mitigation

Monge

Vidal

Villalba

2018

Proceedings of the 13th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

In the last decade, crypto-ransomware evolved from a family of malicious software with scarce repercussion in the research community, to a sophisticated and highly effective intrusion method positioned in the spotlight of the main organizations for cyberdefense. Its modus operandi is characterized by fetching the assets to be blocked, their encryption, and triggering an extortion process that leads the victim to pay for the key that allows their recovery. This paper reviews the evolution of crypto-ransomware focusing on the implication of the different advances in communication technologies that empowered its popularization. In addition, a novel defensive approach based on the Self-Organizing Network paradigm and the emergent communication technologies (e.g. Software-Defined Networking, Network Function Virtualization, Cloud Computing, etc.) is proposed. They enhance the orchestration of smart defensive deployments that adapt to the status of the monitoring environment and facilitate the adoption of previously defined risk management policies. In this way it is possible to efficiently coordinate the efforts of sensors and actuators distributed throughout the protected environment without supervision by human operators, resulting in greater protection with increased viability CCS CONCEPTS• Security and privacy → Network Security; Malware and its mitigation; • Networks → Network management;

show abstract

“…Previous papers [5,13,23], use the plug-in method (i.e, discrete symbols in histogram bins) to estimate the Shannon entropy. Nevertheless a study on TorrentLocker [17] shows that the Shannon entropy is not a good distinguisher especially with respect to JPEG compression 6 . Achieving encryption detection on compressed files that already have high entropy is a non-trivial task.…”

Section: Statistical Tests For Ransomware Attacks Detectionmentioning

confidence: 99%

“…For example, the specific problem of boot sectors encryption (e.g, master boot record) is not addressed in this paper, a solution is proposed by the Talos Group [26]. In addition, as outlined in Mbol et al [17], if an encryption algorithm preserving the distribution of the original files is used, it will evade the solution because randomness is the root of the detection. The ransomware which interleave malicious write operations with loops of unnecessary or redundant operations that look non random will go through DaD, as shown fig.…”

Section: Ransomware-like Applicationsmentioning

confidence: 99%

“…To this end we limit our monitoring to a minimum. In order to reduce the impact on detection with a low rate of false positive, we use the chi-square goodness-of-fit test instead of Shannon entropy (i.e, sensitive to compressed chunks of data [17]). We also achieve system completeness and fine granularity by monitoring the whole file system for all userland threads.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure

Palisse

Durand²,

Bouder

et al. 2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We present the Malware -O -Matic analysis platform and the Data Aware Defense ransomware countermeasure based on real time data gathering with as little impact as possible on system performance. Our solution monitors (and blocks if necessary) file system activity of all userland threads with new indicators of compromise. We successfully detect 99.37% of our 798 active ransomware samples with at most 70 MB lost per sample's thread in 90% of cases, or less than 7 MB in 70% of cases. By a careful analysis of the few false negatives we show that some ransomware authors are specifically trying to hide ongoing encryption. We used free (as in free beer) de facto industry standard benchmarks to evaluate the impact of our solution and enable fair comparisons. In all but the most demanding tests the impact is marginal.

show abstract

An Efficient Approach to Detect TorrentLocker Ransomware in Computer Systems

Cited by 47 publications

References 14 publications

Ransomware Network Traffic Analysis for Pre-encryption Alert

Ransomware Network Traffic Analysis for Pre-encryption Alert

A novel Self-Organizing Network solution towards Crypto-ransomware Mitigation

Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure

Contact Info

Product

Resources

About