On Deception-Based Protection Against Cryptographic Ransomware

In order to detect malicious file system activity, some commercial and academic anti-ransomware solutions implement deception-based techniques, specifically by placing decoy files among user files. While this approach raises the bar against current ransomware, as any access to a decoy file is a sign of malicious activity, the robustness of decoy strategies has not been formally analyzed and fully tested. In this paper, we analyze existing decoy strategies and discuss how they are effective in countering current ransomware by defining a set of metrics to measure their robustness. To demonstrate how ransomware can identify existing deception-based detection strategies, we have implemented a proof-of-concept anti-decoy ransomware that successfully bypasses decoys by using a decision engine with few rules. Finally, we discuss existing issues in decoy-based strategies and propose practical solutions to mitigate them.

[1]  Elisa Bertino,et al.  RWGuard: A Real-Time Detection System Against Cryptographic Ransomware , 2018, RAID.

[2]  Baoxu Liu,et al.  Poster : A New Approach to Detecting Ransomware with Deception , 2017 .

[3]  Neil C. Rowe,et al.  Measuring the Effectiveness of Honeypot Counter-Counterdeception , 2006, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06).

[4]  Gabriele Lenzini,et al.  No Random, No Ransom: A Key to Stop Cryptographic Ransomware , 2018, DIMVA.

[5]  Chris Moore,et al.  Detecting Ransomware with Honeypot Techniques , 2016, 2016 Cybersecurity and Cyberforensics Conference (CCC).

[6]  Engin Kirda,et al.  Redemption: Real-Time Protection Against Ransomware at End-Hosts , 2017, RAID.

[7]  Ronald L. Rivest,et al.  Honeywords: making password-cracking detectable , 2013, CCS.

[8]  Diana K. Smetters,et al.  In search of usable security: five lessons from the field , 2004, IEEE Security & Privacy Magazine.

[9]  Galen C. Hunt,et al.  Detours: binary interception of Win32 functions , 1999 .

[10]  Bülent Yener,et al.  A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web , 2017, ROOTS.

[11]  Wojciech Mazurczyk,et al.  Using Software-Defined Networking for Ransomware Mitigation: The Case of CryptoWall , 2016, IEEE Network.

[12]  Alessandro Barenghi,et al.  ShieldFS: a self-healing, ransomware-aware filesystem , 2016, ACSAC.

[13]  J. Yuill,et al.  Honeyfiles: deceptive files for intrusion detection , 2004, Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004..

[14]  Gianluca Stringhini,et al.  PayBreak: Defense Against Cryptographic Ransomware , 2017, AsiaCCS.

[15]  Routa Moussaileb,et al.  Ransomware's Early Mitigation Mechanisms , 2018, ARES.

[16]  Jinwoo Lee,et al.  How to Make Efficient Decoy Files for Ransomware Detection? , 2017, RACS.

[17]  Patrick Traynor,et al.  CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data , 2016, 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS).

[18]  Pedro García-Teodoro,et al.  R-Locker: Thwarting ransomware action through a honeyfile-based approach , 2018, Comput. Secur..

[19]  Salvatore J. Stolfo,et al.  Baiting Inside Attackers Using Decoy Documents , 2009, SecureComm.

[20]  Daniele Sgandurra,et al.  Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection , 2016, ArXiv.