Next Generation Cryptographic Ransomware

Genç, Ziya Alper; Lenzini, Gabriele; Ryan, Peter Y. A.

doi:10.1007/978-3-030-03638-6_24

Cited by 14 publications

(10 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Each defense system has pros and cons, and NoCry may well find its beater in some next generation ransomware. As discussed in [8], ransomware applications can find other ways than calling CSPRNG to get random numbers e.g., by relying on noncryptographic sources of randomness, but we believe that the alternative choices have weak points. The fact is that all the samples and variants of ransomware in the cryptographically-hard niche that we have analyzed so far, do call CSPRNG APIs.…”

Section: Critical Discussion and Conclusionmentioning

confidence: 99%

NoCry: No More Secure Encryption Keys for Cryptographic Ransomware

Genç

Lenzini

Ryan

2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Since the appearance of ransomware in the cyber crime scene, researchers and anti-malware companies have been offering solutions to mitigate the threat. Anti-malware solutions differ on the specific strategy they implement, and all have pros and cons. However, three requirements concern them all: their implementation must be secure, be effective, and be efficient. Recently, Genç et al. proposed to stop a specific class of ransomware, the cryptographically strong one, by blocking unauthorized calls to cryptographically secure pseudo-random number generators, which are required to build strong encryption keys. Here, in adherence to the requirements, we discuss an implementation of that solution that is more secure (with components that are not vulnerable to known attacks), more effective (with less false negatives in the class of ransomware addressed) and more efficient (with minimal false positive rate and negligible overhead) than the original, bringing its security and technological readiness to a higher level.

show abstract

Section: Critical Discussion and Conclusionmentioning

confidence: 99%

NoCry: No More Secure Encryption Keys for Cryptographic Ransomware

Genç

Lenzini

Ryan

2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Different surveys have been published on ransomware protections (Genc ¸et al, 2018;Al-rimy et al, 2018b;Aurangzeb et al, 2017;Moussaileb, 2020). A first idea to protect data against ransomware attacks is to use data back-up as explained in (Castiglione and Pavlovic, 2019;Baykara and Sekin, 2018) but it is not possible to have at any time an up to date back-up of data and to decide when and which data need to be restored it is necessary to have a mechanism to detect a ransomware attack when it occurs.…”

Section: State Of the Artmentioning

confidence: 99%

Ransomware Detection using Markov Chain Models over File Headers

Bailluet

Bouder

Lubicz

2021

Proceedings of the 18th International Conference on Security and Cryptography

View full text Add to dashboard Cite

In this paper, a new approach for the detection of ransomware based on the runtime analysis of their behaviour is presented. The main idea is to get samples by using a mini-filter to intercept write requests, then decide if a sample corresponds to a benign or a malicious write request. To do so, in a learning phase, statistical models of structured file headers are built using Markov chains. Then in a detection phase, a maximum likelihood test is used to decide if a sample provided by a write request is normal or malicious. We introduce new statistical distances between two Markov chains, which are variants of the Kullback-Leibler divergence, which measure the efficiency of a maximum likelihood test to distinguish between two distributions given by Markov chains. This distance and extensive experiments are used to demonstrate the relevance of our method.

show abstract

“…The use of statistical approaches to detect ransomware was the second most common approach to detecting ransomware in 2019, according to an analysis of the academic anti-ransomware landscape [20]. Genç et al classify measuring entropy inflation as one of the main behavioural analysis approaches to defending against ransomware [7], and Al-Rimy et al highlight the use of entropy in their analysis of ransomware research [1]. There are some potential reasons as to why statistical approaches may be so popular in this context.…”

Section: Related Workmentioning

confidence: 99%

“…We then moved towards compressed data, whose tendency to generate false positives has been noted in the literature [7,15]. We compressed data from the Govdocs threads, which are mutually exclusive sets of approximately 1,000 files.…”

Section: Dataset Creationmentioning

confidence: 99%