On Deception-Based Protection Against Cryptographic Ransomware

  • Ziya Alper GençEmail author
  • Gabriele Lenzini
  • Daniele Sgandurra
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11543)


In order to detect malicious file system activity, some commercial and academic anti-ransomware solutions implement deception-based techniques, specifically by placing decoy files among user files. While this approach raises the bar against current ransomware, as any access to a decoy file is a sign of malicious activity, the robustness of decoy strategies has not been formally analyzed and fully tested. In this paper, we analyze existing decoy strategies and discuss how they are effective in countering current ransomware by defining a set of metrics to measure their robustness. To demonstrate how ransomware can identify existing deception-based detection strategies, we have implemented a proof-of-concept anti-decoy ransomware that successfully bypasses decoys by using a decision engine with few rules. Finally, we discuss existing issues in decoy-based strategies and propose practical solutions to mitigate them.


Ransomware Cryptographic Malware Deception Decoy 



This work was partially funded by European Union’s Horizon 2020 research and innovation programme under grant agreement No. 779391 (FutureTPM) and by Luxembourg National Research Fund (FNR) under the project PoC18/13234766-NoCry PoC.


  1. 1.
    Balfanz, D., Durfee, G., Smetters, D.K., Grinter, R.E.: In search of usable security: five lessons from the field. IEEE Secur. Priv. 2(5), 19–24 (2004)CrossRefGoogle Scholar
  2. 2.
    Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting inside attackers using decoy documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 51–70. Springer, Heidelberg (2009). Scholar
  3. 3.
    Bulazel, A., Yener, B.: A survey on automated dynamic malware analysis evasion and counter-evasion: PC, mobile, and web. In: Proceedings of the 1st Reversing and Offensive-Oriented Trends Symposium, pp. 2:1–2:21. ACM, New York (2017)Google Scholar
  4. 4.
    Cabaj, K., Mazurczyk, W.: Using software-defined networking for ransomware mitigation: the case of cryptowall. IEEE Netw. 30(6), 14–20 (2016)CrossRefGoogle Scholar
  5. 5.
    Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, pp. 336–347. ACM, New York (2016)Google Scholar
  6. 6.
    Council of European Union: Council regulation (EU) no 428/2009 (2009). Accessed 22 Feb 2019
  7. 7.
    CyberEdge: 2018 Cyberthreat Defense Report. Technical report, CyberEdge Group, LLC, March 2018.
  8. 8.
    European Commission: Guidance note - Research involving dual-use items. Accessed 22 Feb 2019
  9. 9.
    Feng, Y., Liu, C., Liu, B.: Poster: a new approach to detecting ransomware with deception. In: 38th IEEE Symposium on Security and Privacy Workshops (2017)Google Scholar
  10. 10.
    Genç, Z.A., Lenzini, G., Ryan, P.Y.A.: No random, no ransom: a key to stop cryptographic ransomware. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 234–255. Springer, Cham (2018). Scholar
  11. 11.
    Greenberg, A.: The untold story of NotPetya, the most devastating cyberattack in history, August 2018. Accessed 22 Feb 2019
  12. 12.
    Gómez-Hernández, J.,Álvarez González, L., García-Teodoro, P.: R-locker: thwarting ransomware action through a honeyfile-based approach. Comput. Secur. 73, 389–398 (2018)CrossRefGoogle Scholar
  13. 13.
    Hunt, G., Brubacher, D.: Detours: binary interception of win32 functions. In: Proceedings of the 3rd Conference on USENIX Windows NT Symposium, WINSYM1999, vol. 3, p. 14. USENIX Association, Berkeley (1999)Google Scholar
  14. 14.
    Juels, A., Rivest, R.L.: Honeywords: making password-cracking detectable. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS 2013, pp. 145–160. ACM, New York (2013)Google Scholar
  15. 15.
    Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 98–119. Springer, Cham (2017). Scholar
  16. 16.
    Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 599–611. ACM (2017)Google Scholar
  17. 17.
    Lee, J., Lee, J., Hong, J.: How to make efficient decoy files for ransomware detection? In: Proceedings of the International Conference on Research in Adaptive and Convergent Systems, RACS 2017, pp. 208–212. ACM, New York (2017)Google Scholar
  18. 18.
    Mehnaz, S., Mudgerikar, A., Bertino, E.: RWGuard: a real-time detection system against cryptographic ransomware. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 114–136. Springer, Cham (2018). Scholar
  19. 19.
    Moore, C.: Detecting ransomware with honeypot techniques. In: 2016 Cybersecurity and Cyberforensics Conference (CCC), pp. 77–81, August 2016Google Scholar
  20. 20.
    Moussaileb, R., Bouget, B., Palisse, A., Le Bouder, H., Cuppens, N., Lanet, J.L.: Ransomware’s early mitigation mechanisms. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES 2018, pp. 2:1–2:10. ACM (2018)Google Scholar
  21. 21.
    Rowe, N.C.: Measuring the effectiveness of honeypot counter-counterdeception. In: Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS 2006), vol. 6, pp. 129c–129c, January 2006Google Scholar
  22. 22.
    Russinovich, M.E., Solomon, D.A., Ionescu, A.: Windows Internals. Pearson Education (2012)Google Scholar
  23. 23.
    Scaife, N., Carter, H., Traynor, P., Butler, K.R.B.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312, June 2016Google Scholar
  24. 24.
    Sgandurra, D., Muñoz-González, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: benefits, limitations and use for detection. CoRR abs/1609.03020 (2016).
  25. 25.
    WatchPoint Data: Cryptostopper (2018).
  26. 26.
    Webroot: 2018 Webroot threat report mid-year update. Technical report, Webroot Inc., September 2018.
  27. 27.
    Yuill, J., Zappe, M., Denning, D., Feer, F.: Honeyfiles: deceptive files for intrusion detection. In: Proceedings of the IEEE Workshop on Information Assurance. United States Military Academy, West Point (2004)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Interdisciplinary Centre for Security Reliability and Trust (SnT)University of LuxembourgEsch-sur-AlzetteLuxembourg
  2. 2.Information Security GroupRoyal Holloway, University of LondonEghamUK

Personalised recommendations