Redemption: Real-Time Protection Against Ransomware at End-Hosts

Kharraz, Amin; Kirda, Engin

doi:10.1007/978-3-319-66332-6_5

Cited by 98 publications

(119 citation statements)

References 7 publications

Supporting

Mentioning

119

Contrasting

Order By: Relevance

“…Defenses are usually implemented as system services, kernel drivers (unprivileged adversary), or even user-land applications. For instance, Redemption [30] explicitly mentions that their TCB includes the display module, OS kernel, and underlying software. Redemption claims to provide real-time ransomware protection, by inspecting system-wide I/O request patterns.…”

Section: Related Workmentioning

confidence: 99%

“…Common anti-malware approaches relying on binary signatures are largely ineffective against ransomware (see e.g., [55]). Some solutions rely on system/user behavior signatures, exemplified by file system activity monitoring, e.g., [30], [55], [14], [29]. To complement detection based solutions (or assuming they may be bypassed), recovery-based mechanisms may also be deployed, e.g., Paybreak [32] stores (suspected) file encryption keys on-the-fly, right after generated but before encrypted with the ransomware's public key.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

TEE-aided Write Protection Against Privileged Data Tampering

Zhao

Mannan²

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Unauthorized data alteration has been a longstanding threat since the emergence of malware. System and application software can be reinstalled and hardware can be replaced, but user data is priceless in many cases. Especially in recent years, ransomware has become high-impact due to its direct monetization model. State-of-the-art defenses are mostly based on known signature or behavior analysis, and more importantly, require an uncompromised OS kernel. However, malware with the highest software privileges has shown its obvious existence.We propose to move from current detection/recovery based mechanisms to data loss prevention, where the focus is on armoring data instead of counteracting malware. Our solution, Inuksuk, relies on today's Trusted Execution Environments (TEEs), as available both on the CPU and storage device, to achieve programmable write protection. We back up a copy of user-selected files as write-protected at all times, and subsequent updates are written as new versions securely through TEE. We implement Inuksuk on Windows 7 and 10, and Linux (Ubuntu); our core design is OS and application agnostic, and incurs no run-time performance penalty for applications. File transfer disruption can be eliminated or alleviated through access modes and customizable update policies (e.g., interval, granularity). For Inuksuk's adoptability in modern OSes, we have also ported Flicker (EuroSys 2008), a defacto standard tool for in-OS privileged TEE management, to the latest 64-bit Windows.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

TEE-aided Write Protection Against Privileged Data Tampering

Zhao

Mannan²

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Meanwhile, the malicious kernel encrypts the Master File Table (MFT) section of the disk which renders the data on that disk unusable. Since NotPetya loads its own kernel, the solutions proposed by [7,13,14] is bypassed and therefore cannot protect the victim. Moreover, [15] logs the random numbers that NotPetya uses to derive the encryption keys.…”

Section: Robustnessmentioning

confidence: 99%

“…ShieldFS also monitors cryptographic primitives through searching the memory space of a suspicious process for a precomputed key schedule to increase detection speed. Lastly, Kharraz and Kirda developed Redemption [14] which monitors the same indicators as above, but redirects write calls to sparse files. By this way, malicious changes reverted more efficiently than previous defenses.…”

Section: Improvementsmentioning

confidence: 99%

No Random, No Ransom: A Key to Stop Cryptographic Ransomware

Genç

Lenzini

Ryan

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. To be effective, ransomware has to implement strong encryption, and strong encryption in turn requires a good source of random numbers. Without access to true randomness, ransomware relies on the pseudo random number generators that modern Operating Systems make available to applications. With this insight, we propose a strategy to mitigate ransomware attacks that considers pseudo random number generator functions as critical resources, controls accesses on their APIs and stops unauthorized applications that call them. Our strategy, tested against 524 active real-world ransomware samples, stops 94% of them, including WannaCry, Locky, CryptoLocker and CryptoWall. Remarkably, it also nullifies NotPetya, the latest offspring of the family which so far has eluded all defenses.

show abstract

“…To this end, we propose a general framework, called Redemption [54], to augment the operating system with ransomware protection capabilities. Redemption does not require performing any signicant changes in the semantics of the underlying lesystem functionality, or modifying the architecture of the operating systems.…”

Section: Overview Of the Dissertationmentioning

confidence: 99%

Techniques and solutions for addressing ransomware attacks

Kharraz¹

View full text Add to dashboard Cite

Ransomware is a form of extortion-based attack that locks the victim's digital resources and requests money to release them. Although the concept of ransomware is not new (i.e., such attacks date back at least as far as the 1980s), this type of malware has recently experienced a resurgence in popularity. In fact, over the last few years, a number of high-prole ransomware attacks were reported. Very recently, WannaCry ransomware infected thousands of vulnerable machines around the world, and substantially disrupted critical services such as British healthcare system. Given the size and variety of threats we are facing today, having solutions to eectively detect and analyze unknown ransomware attacks seems necessary.In this thesis, we argue that it is possible to develop novel defense mechanisms, and protect user data from a large number of ransomware attacks with zero data loss. We show that such an approach is both feasible and eective. To support this claim, we investigate how a successful ransomware attack interacts with the operating system resources. In the rst part of this thesis, we perform an evolutionary-based analysis to understand the destructive behavior of these attacks. We show that by monitoring lesystem activity, it is possible to design practical defense systems that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. In the second part, we propose a novel dynamic analysis system, called Unveil, that is designed to analyze ransomware attacks, and model their interactions with the lesystem. In the third and the last part, we propose an end-point framework, called Redemption, to protect user data from ransomware attacks. We demonstrate that our proposed solution can be retrotted into existing operating systems, and achieve zero data loss against current ransomware families without introducing alarm fatigue.5

show abstract

Redemption: Real-Time Protection Against Ransomware at End-Hosts

Cited by 98 publications

References 7 publications

TEE-aided Write Protection Against Privileged Data Tampering

TEE-aided Write Protection Against Privileged Data Tampering

No Random, No Ransom: A Key to Stop Cryptographic Ransomware

Techniques and solutions for addressing ransomware attacks

Contact Info

Product

Resources

About