Exploiting Ransomware Paranoia For Execution Prevention

Ransomware attacks cost businesses more than $75 billion/year, and it is predicted to cost $6 trillion/year by 2021. These numbers demonstrate the havoc produced by ransomware across a large number of sectors and urge security researchers to tackle it. Several ransomware detection approaches have been proposed in the literature that alternate between static and dynamic analysis. Recently, ransomware attacks were shown to fingerprint the execution environment before they attack the system in order to counter dynamic analysis. In this paper, we exploit this behavior of contemporary ransomware to prevent its attack on real systems and thus avoid the loss of any data. We explore a set of ransomware-generated artifacts that are launched to sniff the surroundings. Furthermore, we design, develop, and evaluate an approach that monitors the behavior of a program by intercepting the Windows APIs it calls. Consequently, we determine in real time whether the program is trying to inspect its surroundings before the attack, and abort it immediately, prior to the initiation of any malicious encryption or locking. Through empirical evaluations using real and recent ransomware samples, we study how ransomware and benign programs inspect the environment. Additionally, we demonstrate how to prevent ransomware with a low false positive rate. We make the developed approach available to the research community at large through GitHub to strongly promote cyber security defense operations and to enable wide-scale evaluations and enhancements.
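One way to realise the real-time decision the abstract describes, as an added example that is not the paper's own tool: walk a trace of intercepted Windows API calls, count how many distinct kinds of environment inspection the process has performed, and return an abort verdict as soon as that count crosses a threshold, before any encryption API is reached. The grouping of APIs into inspection categories, the threshold, the encryption marker set and the two sample traces are assumptions constructed for this example, not values taken from the paper.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed grouping of well-known Windows APIs by the kind of environment
# check they support (debugger, hardware sizing, timing, user activity,
# process enumeration). The paper's own artifact set is not reproduced here.
PROBE_CATEGORIES = {
    "debugger": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "hardware": {"GetSystemInfo", "GlobalMemoryStatusEx", "GetDiskFreeSpaceExW"},
    "timing": {"GetTickCount", "QueryPerformanceCounter"},
    "user_activity": {"GetCursorPos", "GetLastInputInfo", "GetForegroundWindow"},
    "process_scan": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
}
API_TO_CATEGORY = {api: cat for cat, apis in PROBE_CATEGORIES.items() for api in apis}

# Assumed markers for the start of encryption activity.
ENCRYPTION_APIS = {"CryptGenKey", "CryptEncrypt",
                   "BCryptGenerateSymmetricKey", "BCryptEncrypt"}


@dataclass
class Verdict:
    action: str                 # "abort" or "allow"
    at_call: Optional[int]      # trace index at which the decision was taken
    categories: Set[str] = field(default_factory=set)


def monitor_trace(trace: List[str], threshold: int = 3) -> Verdict:
    """Walk the intercepted calls in order. Abort as soon as `threshold`
    distinct inspection categories have been observed; allow if an
    encryption call (or the end of the trace) is reached first, since a
    program that encrypts without a paranoid probing phase is treated as
    legitimate under this heuristic."""
    seen: Set[str] = set()
    for i, api in enumerate(trace):
        cat = API_TO_CATEGORY.get(api)
        if cat is not None:
            seen.add(cat)
            if len(seen) >= threshold:
                return Verdict("abort", i, seen)      # kill before any encryption
        elif api in ENCRYPTION_APIS:
            return Verdict("allow", i, seen)
    return Verdict("allow", None, seen)


# Constructed sample traces (not real captures).
RANSOMWARE_LIKE = ["GetModuleHandleW", "IsDebuggerPresent", "GetSystemInfo",
                   "GetCursorPos", "Sleep", "GetCursorPos", "CreateToolhelp32Snapshot",
                   "Process32FirstW", "CryptGenKey", "CryptEncrypt", "WriteFile"]
BACKUP_TOOL_LIKE = ["GetDiskFreeSpaceExW", "CreateFileW", "ReadFile",
                    "BCryptGenerateSymmetricKey", "BCryptEncrypt", "WriteFile"]
```

In the ransomware-like trace the abort fires at the fourth call, well before the first crypto API at index 8, while the backup-tool trace only ever touches one inspection category and is allowed.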
