Skip to main content

RWGuard: A Real-Time Detection System Against Cryptographic Ransomware

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11050)

Abstract

Ransomware has recently (re)emerged as a popular malware that targets a wide range of victims - from individual users to corporate ones for monetary gain. Our key observation on the existing ransomware detection mechanisms is that they fail to provide an early warning in real-time which results in irreversible encryption of a significant number of files while the post-encryption techniques (e.g., key extraction, file restoration) suffer from several limitations. Also, the existing detection mechanisms result in high false positives being unable to determine the original intent of file changes, i.e., they fail to distinguish whether a significant change in a file is due to a ransomware encryption or due to a file operation by the user herself (e.g., benign encryption or compression). To address these challenges, in this paper, we introduce a ransomware detection mechanism, RWGuard, which is able to detect crypto-ransomware in real-time on a user’s machine by (1) deploying decoy techniques, (2) carefully monitoring both the running processes and the file system for malicious activities, and (3) omitting benign file changes from being flagged through the learning of users’ encryption behavior. We evaluate our system against samples from 14 most prevalent ransomware families to date. Our experiments show that RWGuard is effective in real-time detection of ransomware with zero false negative and negligible false positive (\(\sim \)0.1%) rates while incurring an overhead of only \(\sim \)1.9%.

Keywords

  • Ransomware
  • Real-time detection
  • I/O monitoring

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-00470-5_6
  • Chapter length: 23 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   84.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-00470-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   109.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.

References

  1. Andronio, N., Zanero, S., Maggi, F.: HelDroid: dissecting and detecting mobile ransomware. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 382–404. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_18

    CrossRef  Google Scholar 

  2. Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting inside attackers using decoy documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 51–70. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05284-2_4

    CrossRef  Google Scholar 

  3. Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001). https://doi.org/10.1023/A:1010933404324

    CrossRef  MATH  Google Scholar 

  4. Cabaj, K., Gregorczyk, M., Mazurczyk, W.: Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics. CoRR abs/1611.08294 (2016)

    Google Scholar 

  5. Calvet, J., Fernandez, J.M., Marion, J.Y.: Aligot: cryptographic function identification in obfuscated binary programs. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 169–182. ACM, New York (2012). https://doi.org/10.1145/2382196.2382217

  6. Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, pp. 336–347. ACM, New York (2016). https://doi.org/10.1145/2991079.2991110

  7. CryptoStopper: www.watchpointdata.com/cryptostopper/

  8. Fox-Brewster, T.: Petya or notpetya: why the latest ransomware is deadlier than wannacry. FORBES, June 2017. https://www.forbes.com/sites/thomasbrewster/2017/06/27/petya-notpetya-ransomware-is-more-powerful-than-wannacry

  9. Huang, D.Y., et al.: Tracking ransomware end-to-end. In: Proceedings of the 2018 IEEE Conference on Security and Privacy, SP 2018 (2018)

    Google Scholar 

  10. Huang, J., Xu, J., Xing, X., Liu, P., Qureshi, M.K.: Flashguard: leveraging intrinsic flash properties to defend against encryption ransomware. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 2231–2244. ACM, New York (2017)

    Google Scholar 

  11. Microsoft Inc.: File system minifilter drivers, May 2014. https://msdn.microsoft.com/en-us/library/windows/hardware/ff540402(v=vs.85).aspx

  12. Jayanthi, A.: First known ransomware attack in 1989 also targeted healthcare. Beckers Hospital Review, May 2016. http://www.beckershospitalreview.com/healthcare-information-technology/first-known-ransomware-attack-in-1989-also-targeted-healthcare.html

  13. Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: Unveil: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIX Security 2016), pp. 757–772. USENIX Association, Austin (2016)

    Google Scholar 

  14. Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) Research in Attacks, Intrusions, and Defenses. LNCS, pp. 98–119. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_5

    CrossRef  Google Scholar 

  15. Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 3–24. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_1

    CrossRef  Google Scholar 

  16. Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS, pp. 599–611. ACM, New York (2017). https://doi.org/10.1145/3052973.3053035

  17. Kryptel: https://www.kryptel.com/products/kryptel.php

  18. Lee, J.K., Moon, S.Y., Park, J.H.: CloudRPS: a cloud analysis based enhanced ransomware prevention system. J. Supercomput. 73(7), 3065–3084 (2017). https://doi.org/10.1145/3052973.3053035

    CrossRef  Google Scholar 

  19. Lee, J., Lee, J., Hong, J.: How to make efficient decoy files for ransomware detection? In: Proceedings of the International Conference on Research in Adaptive and Convergent Systems, pp. 208–212. ACM, New York (2017)

    Google Scholar 

  20. Lestringant, P., Guihéry, F., Fouque, P.A.: Automated identification of cryptographic primitives in binary code with data flow graph isomorphism. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS, pp. 203–214. ACM, New York (2015). https://doi.org/10.1145/2714576.2714639

  21. Lin, J.: Divergence measures based on the shannon entropy. IEEE Trans. Inf. Theor. 37(1), 145–151 (2006). https://doi.org/10.1109/18.61115

    MathSciNet  CrossRef  MATH  Google Scholar 

  22. Malc0de: http://malc0de.com/rss

  23. Malware, O.: http://openmalware.org

  24. Quinlan, J.R.: C4.5: Programs for Machine Learning. Morgan Kaufmann Publishers Inc. (1993)

    Google Scholar 

  25. Roussev, V.: Data fingerprinting with similarity digests. In: Chow, K.-P., Shenoi, S. (eds.) DigitalForensics 2010. IAICT, vol. 337, pp. 207–226. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15506-2_15

    CrossRef  Google Scholar 

  26. Scaife, N., Carter, H., Traynor, P., Butler, K.R.B.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312, June 2016. https://doi.org/10.1109/ICDCS.2016.46

  27. Sgandurra, D., Muñoz-González, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: benefits. Limitations and use for detection, ArXiv e-prints, September 2016

    Google Scholar 

  28. VirusTotal: https://www.virustotal.com

  29. VXVault: http://vxvault.siri-urz.net/URL_List.php

  30. Wong, J.C., Solon, O.: Massive ransomware cyber-attack hits nearly 100 countries around the world. Theguardian, May. https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs

  31. Xu, D., Ming, J., Wu, D.: Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping. In: Proceedings 2017 IEEE Symposium on Security and Privacy, pp. 129–140, May 2017

    Google Scholar 

  32. Zelster: https://zeltser.com/malware-sample-sources/

Download references

Acknowledgement

We thank our shepherd, Alina Oprea, and the anonymous reviewers for their valuable suggestions. The work reported in this paper has been supported by the Schlumberger Foundation under the Faculty For The Future (FFTF) Fellowship.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Shagufta Mehnaz .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Mehnaz, S., Mudgerikar, A., Bertino, E. (2018). RWGuard: A Real-Time Detection System Against Cryptographic Ransomware. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-00470-5_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00469-9

  • Online ISBN: 978-3-030-00470-5

  • eBook Packages: Computer ScienceComputer Science (R0)