1 Introduction
- We perform a comprehensive analysis of the characteristic features typically used to detect ransomware, and define techniques and criteria for evasion.
- We assess the robustness of current state-of-the-art behavioral ransomware detectors, showing how it is possible to design ransomware that completely evades detection. In particular, we analyze three evasion techniques: process splitting, functional splitting, and mimicry.
- We implement and evaluate Cerberus, a proof-of-concept ransomware prototype following our approach, proving that our evasion techniques are practical.
- We evaluate our novel evasion techniques against multiple state-of-the-art ML detectors, as well as against a leading commercial behavioral detector. Results show that our techniques are effective and successfully evade detection, even in a black-box setting.
- We evaluate the dependence of our attack on the dataset used. Results show that our evasion techniques are effective even without access to the dataset used to train the target classifiers.
- We implement and evaluate a detector for our most effective attack, functional splitting, showing that it is possible to train a classifier to accurately detect this type of attack.
- We study if and how well the functional splitting detector generalizes to unseen functional-split ransomware. Our results show that the classifier is indeed robust and can generalize, motivating the need for more complex evasion attacks such as our proposed mimicry attack.
2 Background
2.1 Adversarial ML
2.2 Behavioral ransomware detection
2.2.1 ShieldFS
2.2.2 RWGuard
2.2.3 Malwarebytes
3 Evading behavioral detectors
3.1 Process splitting
3.2 Functional splitting
3.3 Mimicry
4 Features discussion
4.1 Write entropy
4.2 File overwrite
4.3 Directory traversal
4.4 Directory listing
4.5 Cross-file type access
4.6 Read/write/open/create/close operations
4.7 Temporary files
4.8 File type coverage
4.9 File similarity
4.10 File-type change
4.11 Access frequency
Legend for the operation abbreviations used in the tables:
- DL: directory listing operation
- OP: open operation; FOP: fast open operation
- RD: read operation; FRD: fast read operation
- WT: write operation; FWT: fast write operation
- CL: close operation; FCL: fast close operation
- RN: rename operation
- {X,Y}: functional group of processes performing operations X and Y
4.12 Other features
5 Implementation
5.1 The cerberus prototype
DuplicateHandle() to share handles to opened files between collaborating ransomware processes. We could have considered additional features for the implementation of functional splitting, as discussed in Sect. 4. However, since the goal of Cerberus is merely to prove the feasibility of our evasion techniques, we considered only the most important features exhibited by every ransomware family. Section 6.3 shows that the features considered are enough to evade even commercial ransomware detectors in a black-box setting.

DL | RD | WT | RN | % of processes |
---|---|---|---|---|
✓ | ✓ | ✓ | ✓ | 19.07 |
✓ | ✓ | – | – | 18.37 |
– | ✓ | ✓ | ✓ | 16.35 |
– | ✓ | – | – | 11.44 |
✓ | ✓ | ✓ | – | 7.60 |
– | ✓ | – | ✓ | 6.85 |
– | – | – | ✓ | 6.21 |
– | ✓ | ✓ | – | 5.61 |
✓ | – | – | – | 3.55 |
– | – | ✓ | ✓ | 2.18 |
✓ | ✓ | – | ✓ | 1.76 |
– | – | ✓ | – | 0.42 |
✓ | – | – | ✓ | 0.38 |
✓ | – | ✓ | – | 0.13 |
✓ | – | ✓ | ✓ | 0.08 |
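As an added illustration of why functional splitting weakens a per-process behavioral detector (example code written for this page, not code from the paper or from the Cerberus prototype), the following Python computes the per-process features named in the tables of this section for a constructed I/O trace, first with one monolithic process performing every operation and then with the same operations re-attributed to the functional groups {DL}, {RD} and {WT,RN}. The trace record format, the feature definitions, the normalized-entropy scale and the file-access share are assumptions chosen to mirror the table columns, not the detectors' actual implementations.

```python
"""Per-process I/O features before and after functional splitting.

Added illustration, not code from the paper or the Cerberus prototype.
It models the per-process view a behavioral detector builds from the I/O
request stream: a trace is a list of hypothetical records
(pid, op, path, data) with op in {DL, RD, WT, RN} as in the tables above.
Feature names, the normalized-entropy scale and the "file access" share are
assumptions chosen to mirror those tables, not the detectors' exact code.
"""
import random
from collections import defaultdict
from math import log2

OPS = ("DL", "RD", "WT", "RN")


def byte_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte string normalized to [0, 1] (8 bits -> 1.0)."""
    if not buf:
        return 0.0
    counts = defaultdict(int)
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * log2(c / n) for c in counts.values()) / 8.0


def _mean(xs):
    return round(sum(xs) / len(xs), 2) if xs else 0.0


def extract_features(trace, total_files):
    """Map each pid to its op counts, mean read/write entropy and the share of
    the volume's `total_files` it touched (assumed feature set, see docstring)."""
    acc = defaultdict(lambda: {"ops": defaultdict(int), "rd": [], "wt": [],
                               "files": set()})
    for pid, op, path, data in trace:
        a = acc[pid]
        a["ops"][op] += 1
        if op == "RD":
            a["rd"].append(byte_entropy(data))
        elif op == "WT":
            a["wt"].append(byte_entropy(data))
        if op in ("RD", "WT", "RN"):
            a["files"].add(path)
    return {
        pid: {**{op: a["ops"][op] for op in OPS},
              "rd_entropy": _mean(a["rd"]),
              "wt_entropy": _mean(a["wt"]),
              "file_access_pct": round(100.0 * len(a["files"]) / total_files, 2)}
        for pid, a in acc.items()
    }


def functional_split(trace, groups):
    """Re-attribute every record to the (hypothetical) process that owns its
    op type, i.e. what the detector observes when one workload is spread over
    cooperating processes. groups: {process_name: set of ops}."""
    owner = {op: name for name, ops in groups.items() for op in ops}
    return [(owner[op], op, path, data) for _, op, path, data in trace]


def build_trace(n_files=5, seed=0):
    """Constructed monolithic trace: one pid lists a directory, then reads
    low-entropy content, writes high-entropy content and renames each file."""
    rng = random.Random(seed)
    trace = [(100, "DL", "C:/Users/u/Documents", b"")]
    for i in range(n_files):
        path = f"C:/Users/u/Documents/report{i}.docx"
        plaintext = (b"quarterly report text " * 24)[:512]
        ciphertext = bytes(rng.getrandbits(8) for _ in range(512))
        trace += [(100, "RD", path, plaintext),
                  (100, "WT", path, ciphertext),
                  (100, "RN", path, b"")]
    return trace


# Functional groups in the notation of Sect. 4: {DL}, {RD}, {WT,RN}.
GROUPS = {"{DL}": {"DL"}, "{RD}": {"RD"}, "{WT,RN}": {"WT", "RN"}}


def compare(total_files=20):
    """Return (monolithic, split) feature tables for the constructed trace."""
    trace = build_trace()
    return (extract_features(trace, total_files),
            extract_features(functional_split(trace, GROUPS), total_files))


if __name__ == "__main__":
    mono, split = compare()
    for label, table in (("monolithic", mono), ("functional split", split)):
        print(label)
        for pid, feats in table.items():
            print(" ", pid, feats)
```

Run stand-alone, the monolithic pid shows every indicator at once (directory listing, reads of low-entropy data, writes of high-entropy data, renames, a quarter of the user files touched). After the split, no pseudo-process carries all four operations: {RD} has read entropy but no writes, {WT,RN} has high write entropy but zero reads and no listing, and {DL} touches no files, which is the partial feature profile the RWGuard functional-splitting table below shows per combination.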
5.2 Ransomware interprocess communication
5.3 ShieldFS
6 Evaluation
6.1 Dataset and experimental setup
Type | Benign | Ransomware |
---|---|---|
# Unique applications | 2245 | 383 |
# Applications training set | 2074 | 341 |
# Applications testing set | 171 | 42 |
# IRPs [Millions] | 1763 | 663.6 |
6.2 Trace-based evaluation
6.2.1 ShieldFS
6.2.1.1 Process splitting
6.2.1.2 Functional splitting
6.2.1.3 Mimicry
6.2.1.4 Discussion
6.2.2 RWGuard
6.2.2.1 Process splitting
6.2.2.2 Functional splitting
Combination | DL | RD | WT | RN | RD entropy | WT entropy | File access (%) |
---|---|---|---|---|---|---|---|
RD, RN | 0 | 2 | 0 | 1 | 0.53 | 0 | 0.02 |
WT | 0 | 0 | 1 | 0 | 0 | 0.42 | 0.60 |
DL, RD, WT, RN | 1 | 16 | 13 | 1 | 0.59 | 0.46 | 0.83 |
RD | 0 | 1 | 0 | 0 | 0.46 | 0 | 0.03 |
WT, RN | 0 | 0 | 5 | 1 | 0 | 0.47 | 0.02 |
RD, WT | 0 | 5 | 1 | 0 | 0.29 | 0.57 | 1.33 |
DL, RD, RN | 8 | 39 | 0 | 1 | 0.42 | 0 | 0.09 |
DL, WT | 2 | 0 | 1 | 0 | 0 | 0.51 | 0.01 |
RD, WT, RN | 0 | 6 | 20 | 1 | 0.53 | 0.28 | 0.22 |
DL, RD, WT | 3 | 52 | 1 | 0 | 0.57 | 0.77 | 0.17 |
DL | 1 | 0 | 0 | 0 | 0 | 0 | 0.00 |
DL, RD | 1 | 2 | 0 | 0 | 0.52 | 0 | 0.17 |
DL, WT, RN | 1 | 0 | 8 | 2 | 0 | 0.39 | 0.03 |
DL, RN | 45 | 0 | 0 | 1 | 0 | 0 | 0.06 |
RN | 0 | 0 | 0 | 1 | 0 | 0 | 0.03 |