RansomSpector: An introspection-based approach to detect crypto ransomware

Abstract Crypto ransomware encrypts user files and then extorts a ransom for decryption, thus it brings a big threat to users. To address this problem, we propose RansomSpector , an introspection-based approach to detect crypto ransomware. Compared to previous solutions, our approach makes progress in two aspects. First, RansomSpector is based on the virtual machine introspection technique, and it resides in the hypervisor layer under the operating system (OS) where ransomware runs. Thus it is capable of analyzing OS-level ransomware and difficult to be bypassed by privilege escalation attacks. Second, RansomSpector monitors both the filesystem and network activities for ransomware detection, thus it achieves a higher precision and earlier warning than the approaches that only leverage the filesystem activities as the detecting basis. To validate our approach, we have implemented a prototype of RansomSpector , and collected 2,117 recent ransomware samples to evaluate it. The evaluation results indicate that our system effectively detects ransomware with a low performance overhead (

[1]  Yi-Min Wang,et al.  Detecting stealth software with Strider GhostBuster , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[2]  Ziming Zhao,et al.  Uncovering the Face of Android Ransomware: Characterization and Real-Time Detection , 2018, IEEE Transactions on Information Forensics and Security.

[3]  Claudia Eckert,et al.  Nitro: Hardware-Based System Call Tracing for Virtual Machines , 2011, IWSEC.

[4]  Alessandro Barenghi,et al.  ShieldFS: a self-healing, ransomware-aware filesystem , 2016, ACSAC.

[5]  Sungjin Lee,et al.  SSD-Insider: Internal Defense of Solid-State Drive against Ransomware with Perfect Data Recovery , 2018, 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS).

[6]  Damon McCoy,et al.  Tracking Ransomware End-to-end , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[7]  Engin Kirda,et al.  Redemption: Real-Time Protection Against Ransomware at End-Hosts , 2017, RAID.

[8]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[9]  Andrew Warfield,et al.  Xen and the art of virtualization , 2003, SOSP '03.

[10]  Peng Liu,et al.  FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware , 2017, CCS.

[11]  Wenke Lee,et al.  Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[12]  Stefano Zanero,et al.  HelDroid: Dissecting and Detecting Mobile Ransomware , 2015, RAID.

[13]  Zhiqiang Lin,et al.  HYBRID-BRIDGE: Efficiently Bridging the Semantic Gap in Virtual Memory Introspection via Decoupled Execution and Training Memoization , 2014, NDSS 2014.

[14]  Zhi Wang,et al.  Process out-grafting: an efficient "out-of-VM" approach for fine-grained process execution monitoring , 2011, CCS '11.

[15]  Radu Sion,et al.  SoK: Introspections on Trust and the Semantic Gap , 2014, 2014 IEEE Symposium on Security and Privacy.

[16]  Gil Neiger,et al.  Intel virtualization technology , 2005, Computer.

[17]  Jonathon T. Giffin,et al.  2011 IEEE Symposium on Security and Privacy Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2022 .

[18]  Angelos Stavrou,et al.  Using Hardware Features for Increased Debugging Transparency , 2015, 2015 IEEE Symposium on Security and Privacy.

[19]  Juan Caballero,et al.  AVclass: A Tool for Massive Malware Labeling , 2016, RAID.

[20]  Gianluca Stringhini,et al.  PayBreak: Defense Against Cryptographic Ransomware , 2017, AsiaCCS.

[21]  Jianhua Lin,et al.  Divergence measures based on the Shannon entropy , 1991, IEEE Trans. Inf. Theory.

[22]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[23]  Yangchun Fu,et al.  Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection , 2012, 2012 IEEE Symposium on Security and Privacy.

[24]  Leyla Bilge,et al.  Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks , 2015, DIMVA.

[25]  Elisa Bertino,et al.  RWGuard: A Real-Time Detection System Against Cryptographic Ransomware , 2018, RAID.

[26]  刘锋,et al.  Kernel-based virtual machine事件跟踪机制的设计与实现 , 2008 .

[27]  Patrick Traynor,et al.  CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data , 2016, 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS).

[28]  Sungjin Lee,et al.  RansomBlocker: a Low-Overhead Ransomware-Proof SSD , 2019, 2019 56th ACM/IEEE Design Automation Conference (DAC).

[29]  Giovanni Vigna,et al.  MalGene: Automatic Extraction of Malware Analysis Evasion Signature , 2015, CCS.

[30]  No License,et al.  Intel ® 64 and IA-32 Architectures Software Developer ’ s Manual Volume 3 A : System Programming Guide , Part 1 , 2006 .

[31]  Yangchun Fu,et al.  Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection , 2012, IEEE Symposium on Security and Privacy.

[32]  Engin Kirda,et al.  UNVEIL: A large-scale, automated approach to detecting ransomware (keynote) , 2016, SANER.