Neutralization Method of Ransomware Detection Technology Using Format Preserving Encryption

Lee, Sun-Young; Yim, Kangbin; Lee, Kyungroul

doi:10.3390/s23104728

Cited by 1 publication

(2 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most of these encodings consist of lightweight operations, thereby not significantly impacting the speed of the ransomware attack. However, if the defense system identifies that the file is encoded, it can effectively detect the file infected with ransomware because decoding can be performed without the key [ 40 ].…”

Section: Ransomware Detection and Neutralization Methodsmentioning

confidence: 99%

“…FPE is an encryption method that maintains the same format for plaintext and ciphertext, thus keeping the entropy after encryption similar to that of plaintext. In [ 40 ], the FF1 algorithm was used to circumvent entropy-based ransomware detection using the characteristics of FPE. However, this can reduce the speed of ransomware’s encryption attack due to its high computational complexity.…”

Section: Ransomware Detection and Neutralization Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Entropy Sharing in Ransomware: Bypassing Entropy-Based Detection of Cryptographic Operations

Bang,

Kim,

Lee

2024

Sensors

View full text Add to dashboard Cite

This study presents a groundbreaking approach to the ever-evolving challenge of ransomware detection. A lot of detection methods predominantly rely on pinpointing high-entropy blocks, which is a hallmark of the encryption techniques commonly employed in ransomware. These blocks, typically difficult to recover, serve as key indicators of malicious activity. So far, many neutralization techniques have been introduced so that ransomware utilizing standard encryption can effectively bypass these entropy-based detection systems. However, these have limited capabilities or require relatively high computational costs. To address these problems, we introduce a new concept entropy sharing. This method can be seamlessly integrated with every type of cryptographic algorithm and is also composed of lightweight operations, masking the high-entropy blocks undetectable. In addition, the proposed method cannot be easily nullified, contrary to simple encoding methods, without knowing the order of shares. Our findings demonstrate that entropy sharing can effectively bypass entropy-based detection systems. Ransomware utilizing such attack methods can cause significant damage, as they are difficult to detect through conventional detection methods.

show abstract

Section: Ransomware Detection and Neutralization Methodsmentioning

confidence: 99%

Section: Ransomware Detection and Neutralization Methodsmentioning

confidence: 99%