Ransomware's Early Mitigation Mechanisms

Moussaileb, Routa; Bouget, Benjamin; Palisse, Aurélien; Bouder, Hélène Le; Cuppens, Nora; Lanet, Jean‐Louis

doi:10.1145/3230833.3234691

Cited by 37 publications

(38 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nevertheless, RLocker has a limitation: it could be bypassed if a process passes randomly through the files without intercepting the lure folders. A similar limitation related to files traversals could be noticed in Moussaileb et al work for early mitigation mechanisms [28]. Even though their solution, solely based on file system exploration, is effective (up to 100% detection rate), their detection would be delayed if a ransomware uses multithreading for simultaneously traversing and encrypting the filesystem (some encrypted files are inevitable in this case).…”

Section: Host Based Ransomware Detectionmentioning

confidence: 78%

Ransomware Network Traffic Analysis for Pre-encryption Alert

Moussaileb

Cuppens

Lanet³

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Cyber Security researchers are in an ongoing battle against ransomware attacks. Some exploits begin with social engineering methods to install payloads on victims' computers, followed by a communication with command and control servers for data exchange. To scale down these attacks, scientists should shed light on the danger of those rising intrusions to prevent permanent data loss. To join this arm race against malware, we propose in this paper an analysis of various ransomware families based on the collected system and network logs from a computer. We delve into malicious network traffic generated by these samples to perform a packet level detection. Our goal is to reconstruct ransomware's full activity to check if its network communication is distinguishable from benign traffic. Then, we examine if the first packet sent occurs before data's encryption to alert the administrators or afterwards. We aim to define the first occurrence of the alert raised by malicious network traffic and where it takes place in a ransomware workflow. Logs collected are available at http://serveur2.seres.rennes.telecom-bretagne.eu/data/RansomwareData/.

show abstract

Section: Host Based Ransomware Detectionmentioning

confidence: 78%

Ransomware Network Traffic Analysis for Pre-encryption Alert

Moussaileb

Cuppens

Lanet³

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…The decoy, entropy, and similarity techniques were employed by these data-centric solutions to monitor the file structure before and after it got accessed [8], [15], [23] - [25]. However, this approach is unable to differentiate between the changes caused by the crypto-ransomware form those caused by the benign programs, which lead to high rate of false alarms [9], [26], [27]. More importantly, this approach does not fully protect from ransomware attacks as it sacrifices part of the files that might be more valuable than the remaining data [26], [28].…”

Section: Related Workmentioning

confidence: 99%

A Pseudo Feedback-Based Annotated TF-IDF Technique for Dynamic Crypto-Ransomware Pre-Encryption Boundary Delineation and Features Extraction

Al‐rimy¹,

Maarof

Alazab

et al. 2020

IEEE Access

View full text Add to dashboard Cite

The cryptography employed against user files makes the effect of crypto-ransomware attacks irreversible even after detection and removal. Thus, detecting such attacks early, i.e. during pre-encryption phase before the encryption takes place is necessary. Existing crypto-ransomware early detection solutions use a fixed time-based thresholding approach to determine the pre-encryption phase boundaries. However, the fixed time thresholding approach implies that all samples start the encryption at the same time. Such assumption does not necessarily hold for all samples as the time for the main sabotage to start varies among different cryptoransomware families due to the obfuscation techniques employed by the malware to change its attack strategies and evade detection, which generates different attack behaviors. Additionally, the lack of sufficient data at the early phases of the attack adversely affects the ability of feature extraction techniques in early detection models to perceive the characteristics of the attacks, which, consequently, decreases the detection accuracy. Therefore, this paper proposes a Dynamic Pre-encryption Boundary Delineation and Feature Extraction (DPBD-FE) scheme that determines the boundary of the pre-encryption phase, from which the features are extracted and selected more accurately. Unlike the fixed thresholding employed by the extant works, DPBD-FE tracks the pre-encryption phase for each instance individually based on the first occurrence of any cryptography-related APIs. Then, an annotated Term Frequency-Inverse Document Frequency (aTF-IDF) technique was utilized to extract the features from runtime data generated during the pre-encryption phase of crypto-ransomware attacks. The aTF-IDF overcomes the challenge of insufficient attack patterns during the early phases of the attack lifecycle. The experimental evaluation shows that DPBD-FE was able to determine the pre-encryption boundaries and extract the features related to this phase more accurately compared to related works.

show abstract

“…Moussaileb et al proposed a ransomware detection method using decoy folders and file system traversal monitoring. Lee et al also discussed how to deploy decoy files to detect ransomware in users' machines.…”

Section: Related Workmentioning

confidence: 99%

Ransomware detection using machine learning algorithms

Bae

Lee

2019

Concurrency and Computation

View full text Add to dashboard Cite

Summary The number of ransomware variants has increased rapidly every year, and ransomware needs to be distinguished from the other types of malware to protect users' machines from ransomware‐based attacks. Ransomware is similar to other types of malware in some aspects, but other characteristics are clearly different. For example, ransomware generally conducts a large number of file‐related operations in a short period of time to lock or to encrypt files of a victim's machine. The signature‐based malware detection methods, which have difficulties to detect zero‐day ransomware, are not suitable to protect users' files against the attacks caused by risky unknown ransomware. Therefore, a new protection mechanism specialized for ransomware is needed, and the mechanism should focus on ransomware‐specific operations to distinguish ransomware from other types of malware as well as benign files. This paper proposes a ransomware detection method that can distinguish between ransomware and benign files as well as between ransomware and malware. The experimental results show that our proposed method can detect ransomware among malware and benign files.

show abstract

Ransomware's Early Mitigation Mechanisms

Cited by 37 publications

References 16 publications

Ransomware Network Traffic Analysis for Pre-encryption Alert

Ransomware Network Traffic Analysis for Pre-encryption Alert

A Pseudo Feedback-Based Annotated TF-IDF Technique for Dynamic Crypto-Ransomware Pre-Encryption Boundary Delineation and Features Extraction

Ransomware detection using machine learning algorithms

Contact Info

Product

Resources

About