Abstract
Ransomware is a type of malware that restricts access to a victim's computing resources and demands a ransom to restore that access. It is a continually growing and costly threat across the globe, so efforts have been made in both academia and industry to develop techniques that help detect and recover from ransomware attacks. This paper provides an overview of the current landscape of Windows-based anti-ransomware tools and techniques, using a clear, simple and consistent terminology of Data Sources, Processing and Actions. We extensively analysed the relevant literature so that, to the best of our knowledge, we covered all approaches to detecting and recovering from ransomware attacks that had been published at the time. We grouped these techniques by their main features as a way to understand the landscape. We then selected 15 existing anti-ransomware tools, both to examine how they fit into this landscape and to compare them by aggregating their accuracy and overhead, two of the most important selection criteria for such tools, as reported by the tools' respective authors. This allowed us to identify popular solutions and unexplored gaps that could lead to promising areas of anti-ransomware development. From there, we propose two novel detection techniques, namely serial byte correlation and edit distance. This paper serves as a much needed roadmap of knowledge and ideas to systematise the current landscape of anti-ransomware tools.
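The abstract names serial byte correlation and edit distance as the paper's two proposed detection techniques but does not describe how the paper applies them. The example below is added here and is not the paper's code, nor a reproduction of its method; it shows the general form of these signals as a practitioner would implement them on a freshly written file: the serial correlation coefficient of consecutive bytes (the statistic reported by the ent randomness test), Shannon entropy, and a normalized Levenshtein distance between the file's previous and new content. The thresholds in looks_encrypted, the SHA-256 counter keystream used as a stand-in for ransomware output, and all sample data are constructed assumptions for the demonstration.

```python
"""Content-based checks on a rewritten file: serial byte correlation, Shannon
entropy and normalized edit distance against the previous version. All sample
data is constructed; the keystream 'cipher' is a stand-in for ransomware
output (not a cipher recommendation)."""
import hashlib
import math
from collections import Counter


def serial_correlation(data: bytes) -> float:
    """Serial correlation coefficient of consecutive bytes, wrapping at the end
    as the 'ent' test does. Near 0 for ciphertext; near 1 for smoothly varying
    content such as uncompressed images or audio."""
    n = len(data)
    if n < 2:
        return 0.0
    t1 = sum(data[i] * data[(i + 1) % n] for i in range(n))  # sum x_i * x_{i+1}
    t2 = sum(data) ** 2                                       # (sum x_i)^2
    t3 = sum(b * b for b in data)                             # sum x_i^2
    denom = n * t3 - t2
    return (n * t1 - t2) / denom if denom else 0.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value occurs equally often."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def normalized_edit_distance(old: bytes, new: bytes, window: int = 256) -> float:
    """Levenshtein distance over the first `window` bytes of each version,
    divided by the window length (bounded cost per write event). A genuine edit
    leaves most bytes in place; encryption replaces nearly all of them."""
    a, b = old[:window], new[:window]
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1] / max(len(a), len(b), 1)


def looks_encrypted(old: bytes, new: bytes) -> dict:
    """Combine the three signals. Thresholds are illustrative assumptions."""
    ent = shannon_entropy(new)
    scc = serial_correlation(new)
    ned = normalized_edit_distance(old, new)
    verdict = ent > 7.5 and abs(scc) < 0.1 and ned > 0.8
    return {"entropy": ent, "serial_corr": scc, "edit_distance": ned, "encrypted": verdict}


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for ransomware encryption: XOR with a SHA-256
    counter keystream, giving uniformly distributed, uncorrelated bytes."""
    out = bytearray()
    for blk in range(0, len(data), 32):
        ks = hashlib.sha256(key + blk.to_bytes(8, "big")).digest()
        out.extend(x ^ k for x, k in zip(data[blk:blk + 32], ks))
    return bytes(out)


# Constructed samples (not real files).
TEXT = (b"The quarterly report is attached; please review section 4 before Friday. " * 120)[:8192]
EDITED_TEXT = TEXT.replace(b"Friday", b"Monday")           # a legitimate small edit
GRADIENT = bytes((i // 32) % 256 for i in range(8192))    # smooth ramp: uniform histogram yet highly correlated
CIPHER = xor_keystream(GRADIENT, b"constructed-demo-key")

if __name__ == "__main__":
    for name, old, new in [("edited text", TEXT, EDITED_TEXT),
                           ("gradient rewritten unchanged", GRADIENT, GRADIENT),
                           ("gradient encrypted", GRADIENT, CIPHER)]:
        print(name, looks_encrypted(old, new))
```

The GRADIENT sample is the reason to combine signals: its byte histogram is perfectly flat, so an entropy-only check scores it at 8.0 bits per byte exactly as it would ciphertext, while its serial correlation is close to 1 and the edit distance to its previous version is zero. Only the keystream output is flagged.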
Acknowledgement
Part of the work presented in this paper has been funded by the UK Engineering and Physical Sciences Research Council (EPSRC) Project EP/P011772/1 on the EconoMical, PsycHologicAl and Societal Impact of RanSomware (EMPHASIS).
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Pont, J., Abu Oun, O., Brierley, C., Arief, B., Hernandez-Castro, J. (2019). A Roadmap for Improving the Impact of Anti-ransomware Research. In: Askarov, A., Hansen, R., Rafnsson, W. (eds) Secure IT Systems. NordSec 2019. Lecture Notes in Computer Science(), vol 11875. Springer, Cham. https://doi.org/10.1007/978-3-030-35055-0_9
DOI: https://doi.org/10.1007/978-3-030-35055-0_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35054-3
Online ISBN: 978-3-030-35055-0
eBook Packages: Computer Science (R0)