Open Repository for the Evaluation of Ransomware Detection Tools

Berrueta, Eduardo; Morató, D.; Magaña, Eduardo; Izal, Mikel

doi:10.1109/access.2020.2984187

Cited by 28 publications

(7 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Over the years, significant advances have been made in ransomware detection, especially after the devastation that WannaCry caused in 2017 (Adamov & Carlsson, 2017;Berrueta, Morato, Magana, et al, 2020;Fernando, Komninos & Chen, 2020;Molina, Torabi, Sarieddine, et al, 2021;Singh et al, 2019a). Although researchers explored avenues for detection such as static and dynamic information, ransomware has managed to evade static analysis (Subedi et al, 2018).…”

Section: Related Workmentioning

confidence: 99%

Ransomware Detection using Process Memory

Singh

Ikuesan

Venter

2022

iccws

View full text Add to dashboard Cite

Ransomware attacks have increased significantly in recent years, causing great destruction and damage to critical systems and business operations. Attackers are unfailingly finding innovative ways to bypass detection mechanisms, which encouraged the adoption of artificial intelligence. However, most research summarizes the general features of AI and induces many false positives, as the behavior of ransomware constantly differs to bypass detection. Focusing on the key indicating features of ransomware becomes vital as this guides the investigator to the inner workings and main function of ransomware itself. By utilizing access privileges in process memory, the main function of the ransomware can be detected more easily and accurately. Furthermore, new signatures and fingerprints of ransomware families can be identified to classify novel ransomware attacks correctly. The current research used the process memory access privileges of the different memory regions of the behavior of an executable to quickly determine its intent before serious harm can occur. To achieve this aim, several well-known machine learning algorithms were explored with an accuracy range of 81.38% – 96.28%. The study thus confirms the feasibility of utilizing process memory as a detection mechanism for ransomware.

show abstract

Section: Related Workmentioning

confidence: 99%

Ransomware Detection using Process Memory

Singh

Ikuesan

Venter

2022

iccws

View full text Add to dashboard Cite

show abstract

“…The traffic traces for the 'infected' case were obtained from a repository we built and shared publicly in (Berrueta et al, 2020;Berrueta et al, 2022). This repository comprises traffic traces from more than 70 ransomware programs.…”

Section: Datasetmentioning

confidence: 99%

“…There are variants that apply compression to the written data (CTBLocker), variants that batch the file deletion operations (WannaCry), variants that do only partial overwrites of the original files (Shade), or variants operating at low speeds (Revenge), to name a few relevant features. More detail about the binaries and the traffic traces can be found in Berrueta et al (2020) or Berrueta et al (2022); we offer statistics, downloadable traffic files, links to the malware binaries, and text files containing all the file-access operations executed.…”

Section: Datasetmentioning

confidence: 99%

“…Owing to the differences between the encryption processes of different ransomware binaries, the number of bytes encrypted can vary greatly among them. Some ransomware strains encrypt files in the alphabetic order, whereas others do it according to size (Berrueta et al, 2020); this is the reason for the differences in the number of bytes encrypted.…”

Section: Neural Network Model Optimizationmentioning

confidence: 99%

See 1 more Smart Citation

Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic

Berrueta

Morató

Magaña

et al. 2022

Expert Systems with Applications

Self Cite

View full text Add to dashboard Cite

“…For that, some public repositories of malware samples are available. One example of that is [51], but in this case just pcap files are available instead of malware samples themselves. Therefore, we have acquired the experimental samples from TheZoo repository [52].…”

Section: Experimental Evaluationmentioning

confidence: 99%

Inhibiting crypto‐ransomware on windows platforms through a honeyfile‐based approach with R‐Locker

Gómez-Hernández

Sánchez-Fernández

García-Teodoro

2021

IET Information Security

View full text Add to dashboard Cite

After several years, crypto‐ransomware attacks still constitute a principal threat for individuals and organisations worldwide. Despite the fact that a number of solutions are deployed to fight against this plague, one main challenge is that of early reaction, as merely detecting its occurrence can be useless to avoid the pernicious effects of the malware. With this aim, the authors introduced in a previous work a novel anti‐ransomware tool for Unix platforms named R‐Locker. The proposal is supported on a honeyfile‐based approach, where ‘infinite’ trap files are disseminated around the target filesystem for early detection and to effectively block the ransomware action. The authors extend here the tool with three main new contributions. First, R‐Locker is migrated to Windows platforms, where specific differences exist regarding FIFO handling. Second, the global management of the honeyfiles around the target filesystem is now improved to maximise protection. Finally, blocking suspicious ransomware is (semi)automated through the dynamic use of white‐/black‐lists. As in the original work for Unix systems, the new Windows version of R‐Locker shows high effectivity and efficiency in thwarting ransomware action.

show abstract

Open Repository for the Evaluation of Ransomware Detection Tools

Cited by 28 publications

References 25 publications

Ransomware Detection using Process Memory

Ransomware Detection using Process Memory

Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic

Inhibiting crypto‐ransomware on windows platforms through a honeyfile‐based approach with R‐Locker

Contact Info

Product

Resources

About