RWGuard: A Real-Time Detection System Against Cryptographic Ransomware

  • Shagufta MehnazEmail author
  • Anand Mudgerikar
  • Elisa Bertino
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)


Ransomware has recently (re)emerged as a popular malware that targets a wide range of victims - from individual users to corporate ones for monetary gain. Our key observation on the existing ransomware detection mechanisms is that they fail to provide an early warning in real-time which results in irreversible encryption of a significant number of files while the post-encryption techniques (e.g., key extraction, file restoration) suffer from several limitations. Also, the existing detection mechanisms result in high false positives being unable to determine the original intent of file changes, i.e., they fail to distinguish whether a significant change in a file is due to a ransomware encryption or due to a file operation by the user herself (e.g., benign encryption or compression). To address these challenges, in this paper, we introduce a ransomware detection mechanism, RWGuard, which is able to detect crypto-ransomware in real-time on a user’s machine by (1) deploying decoy techniques, (2) carefully monitoring both the running processes and the file system for malicious activities, and (3) omitting benign file changes from being flagged through the learning of users’ encryption behavior. We evaluate our system against samples from 14 most prevalent ransomware families to date. Our experiments show that RWGuard is effective in real-time detection of ransomware with zero false negative and negligible false positive (\(\sim \)0.1%) rates while incurring an overhead of only \(\sim \)1.9%.


Ransomware Real-time detection I/O monitoring 



We thank our shepherd, Alina Oprea, and the anonymous reviewers for their valuable suggestions. The work reported in this paper has been supported by the Schlumberger Foundation under the Faculty For The Future (FFTF) Fellowship.


  1. 1.
    Andronio, N., Zanero, S., Maggi, F.: HelDroid: dissecting and detecting mobile ransomware. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 382–404. Springer, Cham (2015). Scholar
  2. 2.
    Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting inside attackers using decoy documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 51–70. Springer, Heidelberg (2009). Scholar
  3. 3.
    Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001). Scholar
  4. 4.
    Cabaj, K., Gregorczyk, M., Mazurczyk, W.: Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics. CoRR abs/1611.08294 (2016)Google Scholar
  5. 5.
    Calvet, J., Fernandez, J.M., Marion, J.Y.: Aligot: cryptographic function identification in obfuscated binary programs. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 169–182. ACM, New York (2012).
  6. 6.
    Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, pp. 336–347. ACM, New York (2016).
  7. 7.
  8. 8.
    Fox-Brewster, T.: Petya or notpetya: why the latest ransomware is deadlier than wannacry. FORBES, June 2017.
  9. 9.
    Huang, D.Y., et al.: Tracking ransomware end-to-end. In: Proceedings of the 2018 IEEE Conference on Security and Privacy, SP 2018 (2018)Google Scholar
  10. 10.
    Huang, J., Xu, J., Xing, X., Liu, P., Qureshi, M.K.: Flashguard: leveraging intrinsic flash properties to defend against encryption ransomware. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 2231–2244. ACM, New York (2017)Google Scholar
  11. 11.
    Microsoft Inc.: File system minifilter drivers, May 2014.
  12. 12.
    Jayanthi, A.: First known ransomware attack in 1989 also targeted healthcare. Beckers Hospital Review, May 2016.
  13. 13.
    Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: Unveil: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIX Security 2016), pp. 757–772. USENIX Association, Austin (2016)Google Scholar
  14. 14.
    Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) Research in Attacks, Intrusions, and Defenses. LNCS, pp. 98–119. Springer, Cham (2017). Scholar
  15. 15.
    Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 3–24. Springer, Cham (2015). Scholar
  16. 16.
    Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS, pp. 599–611. ACM, New York (2017).
  17. 17.
  18. 18.
    Lee, J.K., Moon, S.Y., Park, J.H.: CloudRPS: a cloud analysis based enhanced ransomware prevention system. J. Supercomput. 73(7), 3065–3084 (2017). Scholar
  19. 19.
    Lee, J., Lee, J., Hong, J.: How to make efficient decoy files for ransomware detection? In: Proceedings of the International Conference on Research in Adaptive and Convergent Systems, pp. 208–212. ACM, New York (2017)Google Scholar
  20. 20.
    Lestringant, P., Guihéry, F., Fouque, P.A.: Automated identification of cryptographic primitives in binary code with data flow graph isomorphism. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS, pp. 203–214. ACM, New York (2015).
  21. 21.
    Lin, J.: Divergence measures based on the shannon entropy. IEEE Trans. Inf. Theor. 37(1), 145–151 (2006). Scholar
  22. 22.
  23. 23.
  24. 24.
    Quinlan, J.R.: C4.5: Programs for Machine Learning. Morgan Kaufmann Publishers Inc. (1993)Google Scholar
  25. 25.
    Roussev, V.: Data fingerprinting with similarity digests. In: Chow, K.-P., Shenoi, S. (eds.) DigitalForensics 2010. IAICT, vol. 337, pp. 207–226. Springer, Heidelberg (2010). Scholar
  26. 26.
    Scaife, N., Carter, H., Traynor, P., Butler, K.R.B.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312, June 2016.
  27. 27.
    Sgandurra, D., Muñoz-González, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: benefits. Limitations and use for detection, ArXiv e-prints, September 2016Google Scholar
  28. 28.
  29. 29.
  30. 30.
    Wong, J.C., Solon, O.: Massive ransomware cyber-attack hits nearly 100 countries around the world. Theguardian, May.
  31. 31.
    Xu, D., Ming, J., Wu, D.: Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping. In: Proceedings 2017 IEEE Symposium on Security and Privacy, pp. 129–140, May 2017Google Scholar
  32. 32.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Shagufta Mehnaz
    • 1
    Email author
  • Anand Mudgerikar
    • 1
  • Elisa Bertino
    • 1
  1. 1.Purdue UniversityWest LafayetteUSA

Personalised recommendations