
On Deception-Based Protection Against Cryptographic Ransomware

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11543)

Abstract

In order to detect malicious file system activity, some commercial and academic anti-ransomware solutions implement deception-based techniques, specifically by placing decoy files among user files. While this approach raises the bar against current ransomware, as any access to a decoy file is a sign of malicious activity, the robustness of decoy strategies has not been formally analyzed and fully tested. In this paper, we analyze existing decoy strategies and discuss how they are effective in countering current ransomware by defining a set of metrics to measure their robustness. To demonstrate how ransomware can identify existing deception-based detection strategies, we have implemented a proof-of-concept anti-decoy ransomware that successfully bypasses decoys by using a decision engine with few rules. Finally, we discuss existing issues in decoy-based strategies and propose practical solutions to mitigate them.
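The detection primitive the abstract relies on, that any write to a decoy file is itself the alarm, is easy to show in code. The following is an added illustration, not code from the paper or from the authors' decoy-updater project: it deploys decoy files with a baseline hash, then flags any decoy that was overwritten, deleted or renamed while ignoring edits to the user's own files. The directory layout, file names and contents are constructed for the demo, and the checker is a simple poll-and-compare rather than a file-system watcher or mini-filter.

```python
"""Decoy-file tamper check: record a baseline for decoys, then report any change.

Added example, not the paper's code. All paths and file names below are
constructed for the demonstration and live in a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

# Constructed content tag so a human who stumbles on a decoy knows what it is.
DECOY_MARKER = b"-- decoy file, do not edit --\n"


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large decoys do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy_decoys(root: str, names: List[str]) -> Dict[str, str]:
    """Write decoy files into `root` and return {path: sha256} as the baseline."""
    baseline: Dict[str, str] = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            # Random filler gives the decoy a realistic size; the marker keeps it recognisable.
            f.write(DECOY_MARKER + os.urandom(512))
        baseline[path] = sha256_file(path)
    return baseline


def check_decoys(baseline: Dict[str, str]) -> List[str]:
    """Compare the current state of every decoy against its baseline.

    A decoy should never legitimately change, so every difference is an alert:
    a missing path covers deletion and renaming (e.g. an added extension),
    a hash mismatch covers in-place overwriting such as encryption.
    """
    alerts: List[str] = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append(f"decoy missing: {path}")
        elif sha256_file(path) != digest:
            alerts.append(f"decoy modified: {path}")
    return alerts


def run_demo() -> List[str]:
    """Build a constructed user directory, place decoys, and exercise the check."""
    root = tempfile.mkdtemp(prefix="decoy-demo-")

    # Constructed user files that the decoys are placed among.
    for name in ("budget.xlsx", "notes.txt", "thesis.docx"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"user data\n")

    # Names chosen so decoys sort to both ends of a directory listing.
    baseline = deploy_decoys(root, ["aaa_report.docx", "zzz_passwords.txt"])

    # Benign activity: the user edits their own file. No alert is expected.
    with open(os.path.join(root, "notes.txt"), "ab") as f:
        f.write(b"more notes\n")
    assert check_decoys(baseline) == []

    # Simulated hostile activity inside the temp dir: one decoy is overwritten,
    # the other renamed. Both must surface as alerts.
    decoy_a = os.path.join(root, "aaa_report.docx")
    decoy_b = os.path.join(root, "zzz_passwords.txt")
    with open(decoy_a, "wb") as f:
        f.write(b"\x00" * 600)  # stands in for unreadable ciphertext
    os.rename(decoy_b, decoy_b + ".locked")
    return check_decoys(baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Polling hashes is enough to make the point; a deployment would hook file events (or, as the paper's note on FileSystemWatcher observes, a file-system mini-filter) so that the offending process can be identified and stopped rather than merely reported after the fact.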


Notes

  1. Some statistics show that nearly 50% of the companies who paid the ransom were actually able to recover their data, e.g., see [7].

  2. Juels and Rivest, who propose honeywords to detect a password leak, call it flatness [14].

  3. See the manual page at http://man7.org/linux/man-pages/man3/readdir.3.html.

  4. For the sake of the proof-of-concept: a real ransomware would use a strong key-management strategy.

  5. Available under GPLv3 at https://github.com/ziyagenc/decoy-updater.

  6. Due to the limited capability of the System.IO.FileSystemWatcher class, we could observe the malicious activity, yet we were not able to identify the process ID of Replace and terminate it. That would be possible by developing a file system mini-filter, which is an implementation effort.

References

  1. Balfanz, D., Durfee, G., Smetters, D.K., Grinter, R.E.: In search of usable security: five lessons from the field. IEEE Secur. Priv. 2(5), 19–24 (2004)

  2. Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting inside attackers using decoy documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 51–70. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05284-2_4

  3. Bulazel, A., Yener, B.: A survey on automated dynamic malware analysis evasion and counter-evasion: PC, mobile, and web. In: Proceedings of the 1st Reversing and Offensive-Oriented Trends Symposium, pp. 2:1–2:21. ACM, New York (2017)

  4. Cabaj, K., Mazurczyk, W.: Using software-defined networking for ransomware mitigation: the case of cryptowall. IEEE Netw. 30(6), 14–20 (2016)

  5. Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, pp. 336–347. ACM, New York (2016)

  6. Council of European Union: Council regulation (EU) no 428/2009 (2009). https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex:32009R0428. Accessed 22 Feb 2019

  7. CyberEdge: 2018 Cyberthreat Defense Report. Technical report, CyberEdge Group, LLC, March 2018. https://cyber-edge.com/wp-content/uploads/2018/03/CyberEdge-2018-CDR.pdf

  8. European Commission: Guidance note - Research involving dual-use items. http://ec.europa.eu/research/participants/data/ref/h2020/other/hi/guide_research-dual-use_en.pdf. Accessed 22 Feb 2019

  9. Feng, Y., Liu, C., Liu, B.: Poster: a new approach to detecting ransomware with deception. In: 38th IEEE Symposium on Security and Privacy Workshops (2017)

  10. Genç, Z.A., Lenzini, G., Ryan, P.Y.A.: No random, no ransom: a key to stop cryptographic ransomware. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 234–255. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_11

  11. Greenberg, A.: The untold story of NotPetya, the most devastating cyberattack in history, August 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/. Accessed 22 Feb 2019

  12. Gómez-Hernández, J., Álvarez González, L., García-Teodoro, P.: R-locker: thwarting ransomware action through a honeyfile-based approach. Comput. Secur. 73, 389–398 (2018)

  13. Hunt, G., Brubacher, D.: Detours: binary interception of win32 functions. In: Proceedings of the 3rd Conference on USENIX Windows NT Symposium, WINSYM1999, vol. 3, p. 14. USENIX Association, Berkeley (1999)

  14. Juels, A., Rivest, R.L.: Honeywords: making password-cracking detectable. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS 2013, pp. 145–160. ACM, New York (2013)

  15. Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 98–119. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_5

  16. Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 599–611. ACM (2017)

  17. Lee, J., Lee, J., Hong, J.: How to make efficient decoy files for ransomware detection? In: Proceedings of the International Conference on Research in Adaptive and Convergent Systems, RACS 2017, pp. 208–212. ACM, New York (2017)

  18. Mehnaz, S., Mudgerikar, A., Bertino, E.: RWGuard: a real-time detection system against cryptographic ransomware. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 114–136. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_6

  19. Moore, C.: Detecting ransomware with honeypot techniques. In: 2016 Cybersecurity and Cyberforensics Conference (CCC), pp. 77–81, August 2016

  20. Moussaileb, R., Bouget, B., Palisse, A., Le Bouder, H., Cuppens, N., Lanet, J.L.: Ransomware’s early mitigation mechanisms. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES 2018, pp. 2:1–2:10. ACM (2018)

  21. Rowe, N.C.: Measuring the effectiveness of honeypot counter-counterdeception. In: Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS 2006), vol. 6, pp. 129c–129c, January 2006

  22. Russinovich, M.E., Solomon, D.A., Ionescu, A.: Windows Internals. Pearson Education (2012)

  23. Scaife, N., Carter, H., Traynor, P., Butler, K.R.B.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312, June 2016

  24. Sgandurra, D., Muñoz-González, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: benefits, limitations and use for detection. CoRR abs/1609.03020 (2016). http://arxiv.org/abs/1609.03020

  25. WatchPoint Data: Cryptostopper (2018). https://www.watchpointdata.com/cryptostopper

  26. Webroot: 2018 Webroot threat report mid-year update. Technical report, Webroot Inc., September 2018. https://www.webroot.com/download_file/2780

  27. Yuill, J., Zappe, M., Denning, D., Feer, F.: Honeyfiles: deceptive files for intrusion detection. In: Proceedings of the IEEE Workshop on Information Assurance. United States Military Academy, West Point (2004)


Acknowledgements

This work was partially funded by European Union’s Horizon 2020 research and innovation programme under grant agreement No. 779391 (FutureTPM) and by Luxembourg National Research Fund (FNR) under the project PoC18/13234766-NoCry PoC.

Corresponding author

Correspondence to Ziya Alper Genç.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Genç, Z.A., Lenzini, G., Sgandurra, D. (2019). On Deception-Based Protection Against Cryptographic Ransomware. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_11


  • DOI: https://doi.org/10.1007/978-3-030-22038-9_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9

  • eBook Packages: Computer Science (R0)
