Abstract. We present the Malware -O -Matic analysis platform and the Data Aware Defense ransomware countermeasure based on real time data gathering with as little impact as possible on system performance. Our solution monitors (and blocks if necessary) file system activity of all userland threads with new indicators of compromise. We successfully detect 99.37% of our 798 active ransomware samples with at most 70 MB lost per sample's thread in 90% of cases, or less than 7 MB in 70% of cases. By a careful analysis of the few false negatives we show that some ransomware authors are specifically trying to hide ongoing encryption. We used free (as in free beer) de facto industry standard benchmarks to evaluate the impact of our solution and enable fair comparisons. In all but the most demanding tests the impact is marginal.
Abstract. Ransomware are malicious software that encrypt their victim's data and only return the decryption key in exchange of a ransom. After presenting their characteristics and main representatives, we introduce two original countermeasures allowing victims to decrypt their files without paying. The first one takes advantage of the weak mode of operation used by some ransomware. The second one intercept calls made to Microsoft's Cryptographic API. Both methods must be active before the attack takes place, and none is general enough to handle all ransomware. Nevertheless our experimental results show that their combination can protect users from 50% of the active samples at our disposal.
Ransomware remains a modern trend. Attackers are still using cryptovirology forcing victims to pay. Notable attacks have been spreading since 2012, starting with Reveton's ransomware attack to the more recent 2017 WannaCry, Petya and Bad Rabbit cyberattacks. This Ransomware as a Service (RaaS) can lure criminals into developing tools to perform an attack without previous knowledge of the cryptosystem itself. We present in this paper a graph-based ransomware countermeasure to detect malicious threads. It is a new mechanism that doesn't rely on previously used metrics in the literature to detect ransomware such as Shannon's entropy or system calls. An accurate detection is achieved by our solution. The per-thread file system traversal is sufficient to highlight the malicious behaviors. To the best of our knowledge, no previous study has been conducted in this area. The ransomware collection used in our experiments contains more than 700 active examples of ransomware, that were analyzed in our bar metal sandbox environment.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.