Ransomware Steals Your Phone. Formal Methods Rescue It

Ransomware is a recent type of malware which makes inaccessible the files or the device of the victim. The only way to unlock the infected device or to have the keys for decrypting the files is to pay a ransom to the attacker. Commercial solutions for removing ransomware and restoring the infected devices and files are ineffective, since this malware uses a very robust form of asymmetric cryptography and erases shadow copies and recovery points of the operating system. Literature does not count many solutions for effectively detecting and blocking ransomware and, at the best knowledge of the authors, formal methods were never applied to identify ransomware. In this paper we propose a methodology based on formal methods that is able to detect the ransomware and to identify in the malware's code the instructions that implement the characteristic instructions of the ransomware. The results of the experimentation are strongly encouraging and suggest that the proposed methodology could be the right way to follow for developing commercial solutions that could successful intercept the ransomware and blocking the infections it provokes.

[1]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[2]  Antonella Santone,et al.  Heuristic search for equivalence checking , 2014, Software & Systems Modeling.

[3]  Roberto Barbuti,et al.  LORETO: a tool for reducing state explosion in verification of LOTOS programs , 1999, Softw. Pract. Exp..

[4]  Alberto Bartoli,et al.  Efficient Verification of a Multicast Protocol for Mobile Computing , 2001, Comput. J..

[5]  Stefano Zanero,et al.  HelDroid: Dissecting and Detecting Mobile Ransomware , 2015, RAID.

[6]  Rance Cleaveland,et al.  The NCSU Concurrency Workbench , 1996, CAV.

[7]  Colin Stirling,et al.  An Introduction to Modal and Temporal Logics for CCS , 1991, Concurrency: Theory, Language, And Architecture.

[8]  Thomas Schreck,et al.  Mobile-sandbox: having a deeper look into android applications , 2013, SAC '13.

[9]  Maria Luisa Villani,et al.  Ant Colony Optimization for Deadlock Detection in Concurrent Systems , 2011, 2011 IEEE 35th Annual Computer Software and Applications Conference.

[10]  Stefan Katzenbeisser,et al.  Detecting Malicious Code by Model Checking , 2005, DIMVA.

[11]  Antonella Santone,et al.  Download malware? no, thanks: how formal methods can block update attacks , 2016, FM 2016.

[12]  Antonella Santone,et al.  State Space Reduction by Non-Standard Semantics for Deadlock Analysis , 1998, Sci. Comput. Program..

[13]  Tayssir Touili,et al.  PoMMaDe: pushdown model-checking for malware detection , 2013, ESEC/FSE 2013.

[14]  Dan Arp,et al.  Drebin : � Efficient and Explainable Detection of Android Malware in Your Pocket , 2014 .

[15]  Yu Yang,et al.  Automated Detection and Analysis for Android Ransomware , 2015, 2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conference on Embedded Software and Systems.

[16]  Gerardo Canfora,et al.  Obfuscation Techniques against Signature-Based Detection: A Case Study , 2015, 2015 Mobile Systems Technologies Workshop (MST).

[17]  Konrad Rieck,et al.  DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket , 2014, NDSS.

[18]  Antonella Santone,et al.  Infer Gene Regulatory Networks from Time Series Data with Probabilistic Model Checking , 2015, 2015 IEEE/ACM 3rd FME Workshop on Formal Methods in Software Engineering.

[19]  Eric Filiol,et al.  Formalization of Viruses and Malware Through Process Algebras , 2010, 2010 International Conference on Availability, Reliability and Security.

[20]  Tayssir Touili,et al.  Model-Checking for Android Malware Detection , 2014, APLAS.

[21]  Antonella Santone,et al.  Identification of Android Malware Families with Model Checking , 2016, ICISSP.