Seamlessly Safeguarding Data Against Ransomware Attacks

“…While our current implementation does not include file recovery, we stress that on average Minerva detects ransomware in 1.002sec, with 99.97% of the ransomware activity being detected in one second or less. These detection times align with the page cache delay time used in [12], which means that this approach can be implemented in our system with similarly low overhead.…”

“…In particular, it is assumed that the Disk Activity Monitor module, the File-Based Behavioral Detector module, and the File Recovery module can work correctly and independently of any ransomware infecting the system. These assumptions are in line with prior work in the field [6,12,18,21]. The details of each module are described in Section 4.1.…”

“…We position ourselves in a threat model similar to those considered by prior work in the domain [6,12,18,21]: the adversary is a ransomware that has infected a target machine with the goal of encrypting users files and ask for a ransom to recover the data. Specifically, we consider different types of ransomware attacks according to their capabilities and behaviors:…”

“…Previous work shows that if ransomware is detected quickly, the File Recovery module can be implemented with essentially zero overhead through the operating system's page cache. In [12], the authors implement a similar file protection mechanism that delays the operating system's page cache flushing for suspicious processes to prevent ransomware operations on disk. The authors show that as long as the time required to detect ransomware is low enough, the delay on cache flushing has minimal impact on the system performance (< 2%).…”

“…Should ransomware manage to penetrate network defense, a number of detection algorithms can be used to identify ransomware activity at the process level, terminate the unwanted processes, and restore encrypted files to their original content. Most existing approaches [6,12,18,21] generate and analyze process-level features to distinguish ransomware processes performing file encryption from other benign processes executing on the machine. They effectively build behavioral profiles of benign and ransomware applications and compare all processes in a system against these profiles to classify them.…”

Minerva: A File-Based Ransomware Detector

“…While our current implementation does not include file recovery, we stress that on average Minerva detects ransomware in 1.002sec, with 99.97% of the ransomware activity being detected in one second or less. These detection times align with the page cache delay time used in [12], which means that this approach can be implemented in our system with similarly low overhead.…”

“…In particular, it is assumed that the Disk Activity Monitor module, the File-Based Behavioral Detector module, and the File Recovery module can work correctly and independently of any ransomware infecting the system. These assumptions are in line with prior work in the field [6,12,18,21]. The details of each module are described in Section 4.1.…”

“…We position ourselves in a threat model similar to those considered by prior work in the domain [6,12,18,21]: the adversary is a ransomware that has infected a target machine with the goal of encrypting users files and ask for a ransom to recover the data. Specifically, we consider different types of ransomware attacks according to their capabilities and behaviors:…”

“…Previous work shows that if ransomware is detected quickly, the File Recovery module can be implemented with essentially zero overhead through the operating system's page cache. In [12], the authors implement a similar file protection mechanism that delays the operating system's page cache flushing for suspicious processes to prevent ransomware operations on disk. The authors show that as long as the time required to detect ransomware is low enough, the delay on cache flushing has minimal impact on the system performance (< 2%).…”

“…Should ransomware manage to penetrate network defense, a number of detection algorithms can be used to identify ransomware activity at the process level, terminate the unwanted processes, and restore encrypted files to their original content. Most existing approaches [6,12,18,21] generate and analyze process-level features to distinguish ransomware processes performing file encryption from other benign processes executing on the machine. They effectively build behavioral profiles of benign and ransomware applications and compare all processes in a system against these profiles to classify them.…”

Minerva: A File-Based Ransomware Detector

RansomSheild: Novel Framework for Effective Data Recovery in Ransomware Recovery Process

Ranker: Early Ransomware Detection Through Kernel-Level Behavioral Analysis