Large Scale Behavioral Analysis of Ransomware Attacks

  • Timothy R. McIntoshEmail author
  • Julian Jang-Jaccard
  • Paul A. Watters
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11306)


Ransomware is now the highest risk attack vector in cybersecurity. Reliable and accurate ransomware detection and removal solutions require a deep understanding of the techniques and strategies adopted by malicious code at the file system level. We conducted a large-scale analysis of more than 1.7 billion lines of I/O request packets (IRPs), and additional file system event logs, to gain deeper insights into malicious ransomware behaviors. Such behaviors include crypto-ransomware file system attacks achieved by either encrypting individual files or modifying the Master Boot Record (MBR). Our large-scale analysis shows that crypto-ransomware preferentially attacks certain file types; greedily performs file operations more frequently on more diverse types of files; randomizes novel filename generation for malicious executables; and exhibits a preference for alternating file access. We believe that these insights are vital to building the next generation of ransomware detection and removal solutions.


Ransomware Malware Cybersecurity File system 


  1. 1.
    Ransomware Damage Report 2017. Accessed 24 June 2018
  2. 2.
  3. 3.
    Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336–347. ACM (2016)Google Scholar
  4. 4.
    Symantec Internet Security Threat Report—April 2017. ISTR, vol. 22. Accessed 27 Jan 2018
  5. 5.
    Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the Gordian Knot: a look under the hood of ransomware attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 3–24. Springer, Cham (2015). Scholar
  6. 6.
    Scaife, N., Carter, H., Traynor, P., Butler, K.R.: CryptoLock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312. IEEE (2016)Google Scholar
  7. 7.
    Kharraz, A., Arshad, S., Mulliner, C., Robertson, W.K., Kirda, E.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: USENIX Security Symposium, pp. 757–772 (2016)Google Scholar
  8. 8.
    Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 98–119. Springer, Cham (2017). Scholar
  9. 9.
    Fayi, S.Y.A.: What Petya/NotPetya ransomware is and what its remidiations are. In: Latifi, S. (ed.) Information Technology - New Generations. AISC, vol. 738, pp. 93–100. Springer, Cham (2018). Scholar
  10. 10.
    Halsey, M., Bettany, A.: Understanding windows file systems. In: Windows File System Troubleshooting, pp. 13–30. Apress, Berkeley (2015)CrossRefGoogle Scholar
  11. 11.
    ESET vs Crypto-Ransomware: What, How and Why. Accessed 7 Mar 2018
  12. 12.
    Barreau, D., Nardi, B.A.: Finding and reminding: file organization from the desktop. ACM SigChi Bull. 27(3), 39–43 (1995)CrossRefGoogle Scholar
  13. 13.
    Agrawal, N., Bolosky, W.J., Douceur, J.R., Lorch, J.R.: A five-year study of file-system metadata. ACM Trans. Storage (TOS) 3(3), 9 (2007)CrossRefGoogle Scholar
  14. 14.
    Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using Cwsandbox. IEEE Secur. Priv. 5(2) (2007)CrossRefGoogle Scholar
  15. 15.
    Layton, R., Watters, P.: Determining provenance in phishing websites using automated conceptual analysis. In: eCrime Researchers Summit, 2009, pp. 1–7. IEEE (2009)Google Scholar
  16. 16.
    Alazab, M., Venkatraman, S., Watters, P., Alazab, M., Alazab, A.: Cybercrime: the case of obfuscated malware. In: Georgiadis, C.K., Jahankhani, H., Pimenidis, E., Bashroush, R., Al-Nemrat, A. (eds.) Global Security, Safety and Sustainability e-Democracy, pp. 204–211. Springer, Heidelberg (2012). Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Timothy R. McIntosh
    • 1
    Email author
  • Julian Jang-Jaccard
    • 1
  • Paul A. Watters
    • 2
  1. 1.Massey UniversityAucklandNew Zealand
  2. 2.La Trobe UniversityMelbourneAustralia

Personalised recommendations