Abstract
We present the Malware - O - Matic analysis platform and the Data Aware Defense ransomware countermeasure based on real time data gathering with as little impact as possible on system performance. Our solution monitors (and blocks if necessary) file system activity of all userland threads with new indicators of compromise. We successfully detect 99.37% of our 798 active ransomware samples with at most 70 MB lost per sample’s thread in 90% of cases, or less than 7 MB in 70% of cases. By a careful analysis of the few false negatives we show that some ransomware authors are specifically trying to hide ongoing encryption. We used free (as in free beer) de facto industry standard benchmarks to evaluate the impact of our solution and enable fair comparisons. In all but the most demanding tests the impact is marginal.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Usually the encryption keys are themselves encrypted with an asymmetric cryptosystem, the ransom must be paid in order to get the corresponding private key.
- 2.
They use the Kullback-Liebler divergence instead but do not introduce an implementation.
- 3.
We restricted ourselves to free (as in free beer) softwares used to assess performance of personal computers to ensure pertinence and affordable reproducibility.
- 4.
Windows 7 SP1 6.1.7601, Intel Xeon W3550, NVIDIA Quadro FX 1800, 4 Gb DDR3, Intel SSD 120 Go SATA III.
- 5.
- 6.
- 7.
PayBreak did, might be samples mislabeling.
References
Bisson, D.: C&C servers? too risky! Android botnet goes with Twitter instead. https://www.blee**computer.com/news/security/candc-servers-too-risky-android-botnet-goes-with-twitter-instead/
Bonferroni, C.E.: Teoria statistica delle classi e calcolo delle probabilita. Libreria internazionale Seeber (1936)
Cimpanu, C.: Microsoft announces controlled folder access to fend off crypto-ransomware. https://www.blee**computer.com/news/microsoft/microsoft-announces-controlled-folder-access-to-fend-off-crypto-ransomware/
Clonezilla: The free and open source software for disk imaging and cloning. http://clonezilla.org/
Continella, A., Guagnelli, A., Zingaro, G., De Pasquale, G., Barenghi, A., Zanero, S., Maggi, F.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336–347. ACM (2016)
Craig: Differentiate encryption from compression using math, June 2013. http://www.devttys0.com/2013/06/differentiate-encryption-from-compression-using-math/
Crystal Dew World: CrystalDiskMark is a disk benchmark software. http://crystalmark.info/software/CrystalDiskMark/index-e.html
Corpora, D.: Producing the digital body. http://digitalcorpora.org/
Geekbench: New benchmarks, redesigned interface. http://geekbench.com/
Octave, G.N.U.: Scientific programming language. https://octave.sourceforge.io/octave/function/chi2inv.html
Haschek, C.: How to defend your website with ZIP bombs. https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html
Ivanov, A., Sinitsyn, F.: The first cryptor to exploit telegram. https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/
Kharraz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: Proceedings of the 25th USENIX Security Symposium, Austin Texas, pp. 757–772. Usenix (2016)
Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the Gordian knot: a look under the hood of ransomware attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 3–24. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_1
Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: PayBreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 599–611. ACM (2017)
Malekal: Malware repository. http://malwaredb.malekal.com/
Mbol, F., Robert, J.-M., Sadighian, A.: An efficient approach to detect TorrentLocker ransomware in computer systems. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 532–541. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_32
Microsoft: File system minifilter drivers. https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/file-system-minifilter-drivers
Microsoft: Windows performance toolkit. https://msdn.microsoft.com/en-us/windows/hardware/commercialize/test/wpt/index
Palisse, A., Le Bouder, H., Lanet, J.-L., Le Guernic, C., Legay, A.: Ransomware and the legacy crypto API. In: Cuppens, F., Cuppens, N., Lanet, J.-L., Legay, A. (eds.) CRiSIS 2016. LNCS, vol. 10158, pp. 11–28. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54876-0_2
PCMark 8: The complete benchmark for Windows 8.1, Windows 8 and Windows 7. https://www.futuremark.com/benchmarks/pcmark
PolarToffee: Found a sample of the AES-NI ransomware, April 2017. https://twitter.com/PolarToffee
Scaife, N., Carter, H., Traynor, P., Butler, K.R.: Cryptolock (and drop it): stop** ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312. IEEE (2016)
Sebastián, M., Rivera, R., Kotzias, P., Caballero, J.: AVclass: a tool for massive malware labeling. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 230–253. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_11
SonicWall: Annual threat report. Technical report, SonicWall (2017). https://www.sonicwall.com/docs/2017-sonicwall-annual-threat-report-white-paper-24934.pdf
The Talos Group: MBR filter driver. https://github.com/vrtadmin/MBRFilter
Micro, T.: CryLocker uses Imgur as C&C. http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-sept-2-2016-crylocker-uses-imgur-as-c-c
Micro, T.: Cerber starts evading machine learning. http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/
Viper: Binary management and analysis framework. http://viper.li/
VirusShare: Malware repository. https://virusshare.com/
Wardle, P.: Towards generic ransomware detection. https://objective-see.com/blog/blog_0x0F.html
Young, A., Yung, M.: Cryptovirology: extortion-based security threats and countermeasures. In: 1996 IEEE Symposium on Security and Privacy, Proceedings, pp. 129–140. IEEE (1996)
Young, A.L., Yung, M.M.: An implementation of cryptoviral extortion using Microsoft’s crypto API. CiteSeerX (2005)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix 1: Ransomware Collection
Appendix 2: Empirical Tests
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Palisse, A., Durand, A., Le Bouder, H., Le Guernic, C., Lanet, JL. (2017). Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure. In: Lipmaa, H., Mitrokotsa, A., Matulevičius, R. (eds) Secure IT Systems. NordSec 2017. Lecture Notes in Computer Science(), vol 10674. Springer, Cham. https://doi.org/10.1007/978-3-319-70290-2_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-70290-2_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70289-6
Online ISBN: 978-3-319-70290-2
eBook Packages: Computer ScienceComputer Science (R0)