Top

Published in:

2019 | OriginalPaper | Chapter

On Deception-Based Protection Against Cryptographic Ransomware

Authors : Ziya Alper Genç, Gabriele Lenzini, Daniele Sgandurra

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

In order to detect malicious file system activity, some commercial and academic anti-ransomware solutions implement deception-based techniques, specifically by placing decoy files among user files. While this approach raises the bar against current ransomware, as any access to a decoy file is a sign of malicious activity, the robustness of decoy strategies has not been formally analyzed and fully tested. In this paper, we analyze existing decoy strategies and discuss how they are effective in countering current ransomware by defining a set of metrics to measure their robustness. To demonstrate how ransomware can identify existing deception-based detection strategies, we have implemented a proof-of-concept anti-decoy ransomware that successfully bypasses decoys by using a decision engine with few rules. Finally, we discuss existing issues in decoy-based strategies and propose practical solutions to mitigate them.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter How Does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

next chapter PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware

Some statistics show that nearly 50% of those companies who paid the ransom were actually able to recover their data back, e.g., see [7].

Juels and Rivest, who propose honeywords to detect a password leak, call it flatness [14].

See the manual page at http://man7.org/linux/man-pages/man3/readdir.3.html.

For the sake of proof-of-concept: a real ransomware would use a strong key-management strategy.

Available under GPLv3 at https://github.com/ziyagenc/decoy-updater.

Due to the limited capability of System.IO.FileSystemWatcher class, we could observe the malicious activity, yet we were not able to identify the process ID of Replace and terminate it. That would be possible with developing a file system mini-filter, which is an implementation effort.

Balfanz, D., Durfee, G., Smetters, D.K., Grinter, R.E.: In search of usable security: five lessons from the field. IEEE Secur. Priv. 2(5), 19–24 (2004)CrossRef

Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting inside attackers using decoy documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 51–70. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05284-2_4CrossRef

Bulazel, A., Yener, B.: A survey on automated dynamic malware analysis evasion and counter-evasion: PC, mobile, and web. In: Proceedings of the 1st Reversing and Offensive-Oriented Trends Symposium, pp. 2:1–2:21. ACM, New York (2017)

Cabaj, K., Mazurczyk, W.: Using software-defined networking for ransomware mitigation: the case of cryptowall. IEEE Netw. 30(6), 14–20 (2016)CrossRef

Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, pp. 336–347. ACM, New York (2016)

Council of European Union: Council regulation (EU) no 428/2009 (2009). https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex:32009R0428. Accessed 22 Feb 2019

CyberEdge: 2018 Cyberthreat Defense Report. Technical report, CyberEdge Group, LLC, March 2018. https://cyber-edge.com/wp-content/uploads/2018/03/CyberEdge-2018-CDR.pdf

European Commission: Guidance note - Research involving dual-use items. http://ec.europa.eu/research/participants/data/ref/h2020/other/hi/guide_research-dual-use_en.pdf. Accessed 22 Feb 2019

Feng, Y., Liu, C., Liu, B.: Poster: a new approach to detecting ransomware with deception. In: 38th IEEE Symposium on Security and Privacy Workshops (2017)

10.

Genç, Z.A., Lenzini, G., Ryan, P.Y.A.: No random, no ransom: a key to stop cryptographic ransomware. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 234–255. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_11CrossRef

11.

Greenberg, A.: The untold story of NotPetya, the most devastating cyberattack in history, August 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/. Accessed 22 Feb 2019

12.

Gómez-Hernández, J.,Álvarez González, L., García-Teodoro, P.: R-locker: thwarting ransomware action through a honeyfile-based approach. Comput. Secur. 73, 389–398 (2018)CrossRef

13.

Hunt, G., Brubacher, D.: Detours: binary interception of win32 functions. In: Proceedings of the 3rd Conference on USENIX Windows NT Symposium, WINSYM1999, vol. 3, p. 14. USENIX Association, Berkeley (1999)

14.

Juels, A., Rivest, R.L.: Honeywords: making password-cracking detectable. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS 2013, pp. 145–160. ACM, New York (2013)

15.

Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 98–119. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_5CrossRef

16.

Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 599–611. ACM (2017)

17.

Lee, J., Lee, J., Hong, J.: How to make efficient decoy files for ransomware detection? In: Proceedings of the International Conference on Research in Adaptive and Convergent Systems, RACS 2017, pp. 208–212. ACM, New York (2017)

18.

Mehnaz, S., Mudgerikar, A., Bertino, E.: RWGuard: a real-time detection system against cryptographic ransomware. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 114–136. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_6CrossRef

19.

Moore, C.: Detecting ransomware with honeypot techniques. In: 2016 Cybersecurity and Cyberforensics Conference (CCC), pp. 77–81, August 2016

20.

Moussaileb, R., Bouget, B., Palisse, A., Le Bouder, H., Cuppens, N., Lanet, J.L.: Ransomware’s early mitigation mechanisms. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES 2018, pp. 2:1–2:10. ACM (2018)

21.

Rowe, N.C.: Measuring the effectiveness of honeypot counter-counterdeception. In: Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS 2006), vol. 6, pp. 129c–129c, January 2006

22.

Russinovich, M.E., Solomon, D.A., Ionescu, A.: Windows Internals. Pearson Education (2012)

23.

Scaife, N., Carter, H., Traynor, P., Butler, K.R.B.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312, June 2016

24.

Sgandurra, D., Muñoz-González, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: benefits, limitations and use for detection. CoRR abs/1609.03020 (2016). http://arxiv.org/abs/1609.03020

25.

WatchPoint Data: Cryptostopper (2018). https://www.watchpointdata.com/cryptostopper

26.

Webroot: 2018 Webroot threat report mid-year update. Technical report, Webroot Inc., September 2018. https://www.webroot.com/download_file/2780

27.

Yuill, J., Zappe, M., Denning, D., Feer, F.: Honeyfiles: deceptive files for intrusion detection. In: Proceedings of the IEEE Workshop on Information Assurance. United States Military Academy, West Point (2004)

Title: On Deception-Based Protection Against Cryptographic Ransomware
Authors: Ziya Alper Genç
Gabriele Lenzini
Daniele Sgandurra
Publisher: Springer International Publishing
Book: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-030-22037-2

Electronic ISBN: 978-3-030-22038-9

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_11

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner