On Deception-Based Protection Against Cryptographic Ransomware

Recent progress in machine learning has led to promising results in behavioral malware detection. Behavioral modeling identifies malicious processes via features derived by their runtime behavior. Behavioral features hold great promise as they are intrinsically related to the functioning of each malware, and are therefore considered difficult to evade. Indeed, while a significant amount of results exists on evasion of static malware features, evasion of dynamic features has seen limited work. This paper examines the robustness of behavioral ransomware detectors to evasion and proposes multiple novel techniques to evade them. Ransomware behavior differs significantly from that of benign processes, making it an ideal best case for behavioral detectors, and a difficult candidate for evasion. We identify and propose a set of novel attacks that distribute the overall malware workload across a small set of independent, cooperating processes in order to avoid the generation of significant behavioral features. Our most effective attack decreases the accuracy of a state-of-the-art classifier from 98.6 to 0% using only 18 cooperating processes. Furthermore, we show our attacks to be effective against commercial ransomware detectors in a black-box setting. Finally, we evaluate a detector designed to identify our most effective attack, as well as discuss potential directions to mitigate our most advanced attack.

show abstract

“…4.1. An orthogonal line of work focuses on decoy files for ransomware detection [48][49][50]. Such defenses are outside the scope of our work.…”

Section: Ransomware Detectionmentioning

confidence: 99%

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Gaspari

Hitaj

Pagnotta

et al. 2022

Neural Comput & Applic

View full text Add to dashboard Cite

show abstract

“…Distributed repositories should be placed in the file system containing randomly generated files of a predefined content to maximize the chances of succeeding using honeypot methodology. Re-designing decoys generation of the deception-based techniques improves the protection of the data of users, as mentioned in [22]. Threats arising from this cyber warfare are exponential.…”

Section: Discussionmentioning

confidence: 99%

Watch out! Doxware on the way…

Moussaileb

Navas

Cuppens

2020

Journal of Information Security and Applications

View full text Add to dashboard Cite

Malware remains the number one threat for individuals, enterprises, and governments. Malware's aftermath can cause irreversible casualties if the requirements of the attackers are not met in time. Security researchers' primary objective is protecting the assets that a person/company possesses. They are in a constant battle in this cyberwar facing attackers' malicious intent. To compete in this arms race against security breaches, we propose an insight into plausible attacks, especially Doxware (also called leakware). We present a quantification model that explores the Windows file system in search of valuable data. It is based on the Term Frequency-Inverse Document Frequency (TF-IDF) solution provided in the literature for information retrieval. The highest-ranked files will be then exfiltrated over the Internet to the attacker's server. Then, we studied possible countermeasures including deceptionbased techniques. Amongst the existent ones, we implemented and tested one based on honeypot files and folders to protect users' assets. We conclude by presenting future perspectives in this area with the possible counter-countermeasures that can be used by an attacker to bypass current detection mechanisms. Our approach delivers an observation of the evolution of malware throughout the last years. It enables users to prevent their sensitive information from being exposed to potential risks.

show abstract

“…Network Activity: Communication-related features such as source and destination IP addresses, ports, domain names, and protocols can be used by researchers to determine if a sample displays ransomware-like communication behavior. Resource Usage: Since ransomware relies on encryption operation, high CPU usage or memory usage can be a sign for the existence of ransomware in the system [74]. Sensor Readings: On-board sensor readings of PCs/workstations can give a clue on the abnormal activity which can signify the existence of ransomware in the system [184].…”

Section: Ransomware Analysis In Pcs/worktationsmentioning

confidence: 99%

A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

et al. 2022

View full text Add to dashboard Cite

In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial loss of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms with respect to target platforms is becoming more imperative. In order to fill this gap and motivate further research, in this paper, we present a comprehensive survey on ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms. Specifically, covering 137 studies over the period of 1990-2020, we give a detailed overview of ransomware evolution, comprehensively analyze the key building blocks of ransomware, present a taxonomy of notable ransomware families, and provide an extensive overview of ransomware defense research (i.e., analysis, detection, and recovery) with respect to platforms of PCs/workstations, mobile devices, and IoT/CPS. Moreover, we derive an extensive list of open issues for future ransomware research. We believe this survey will motivate further research by giving a complete picture on state-of-the-art ransomware research.

show abstract

On Deception-Based Protection Against Cryptographic Ransomware

Cited by 25 publications

References 17 publications

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Watch out! Doxware on the way…

A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

Contact Info

Product

Resources

About