DOI: 10.1145/2991079.2991110
research-article

ShieldFS: a self-healing, ransomware-aware filesystem

Published: 05 December 2016

ABSTRACT

Preventive and reactive security measures can only partially mitigate the damage caused by modern ransomware attacks. Indeed, the remarkable amount of illicit profit and the cyber-criminals' increasing interest in ransomware schemes suggest that a fair number of users are actually paying the ransoms.

Unfortunately, pure-detection approaches (e.g., based on analysis sandboxes or pipelines) are not sufficient nowadays, because often we do not have the luxury of being able to isolate a sample to analyze, and when this happens it is already too late for several users! We believe that a forward-looking solution is to equip modern operating systems with practical self-healing capabilities against this serious threat. Towards such a vision, we propose ShieldFS, an add-on driver that makes the Windows native filesystem immune to ransomware attacks. For each running process, ShieldFS dynamically toggles a protection layer that acts as a copy-on-write mechanism, according to the outcome of its detection component. Internally, ShieldFS monitors the low-level filesystem activity to update a set of adaptive models that profile the system activity over time. Whenever one or more processes violate these models, their operations are deemed malicious and the side effects on the filesystem are transparently rolled back.
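The mechanism the abstract sketches (a per-process copy-on-write layer, a detector that toggles it, and a rollback of the side effects) is easier to reason about with a toy model in hand. The following Python is an added illustration written for this page, not the authors' driver or any ShieldFS code. The sample "disk", the process ids and the detector are all constructed: the detector here is a stand-in that flags a process once most of the existing files it touched were overwritten with ciphertext-like (high-entropy) content, because the page does not describe the features ShieldFS's adaptive models actually use.

```python
import math
from collections import Counter

# Constructed sample "disk" for the demo (not data from the paper).
SAMPLE_FILES = {
    "C:/Users/alice/report.docx": b"Quarterly report: revenue up 4%, costs flat.",
    "C:/Users/alice/notes.txt": b"call dentist; renew passport; buy milk",
    "C:/Users/alice/budget.xlsx": b"item,amount\nrent,1200\nfood,400\n",
}

# Hypothetical detector thresholds. They stand in for the adaptive models the
# abstract mentions; the real ShieldFS features are not described on this page.
HIGH_ENTROPY_BITS = 7.0     # bits/byte; ordinary documents sit well below this
MIN_FILES_FOR_VERDICT = 3   # distinct files touched before a process is judged
MALICIOUS_RATIO = 0.8       # share of high-entropy overwrites => roll back
BENIGN_RATIO = 0.2          # share of high-entropy overwrites => release shadows


def shannon_entropy(data: bytes) -> float:
    """Entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ShieldedFS:
    """Toy filesystem with a per-process copy-on-write layer and rollback."""

    def __init__(self, files):
        self.files = dict(files)   # visible filesystem: path -> bytes
        self.shadow = {}           # pid -> {path: bytes before first write, None if new}
        self.stats = {}            # pid -> {"touched": set(paths), "suspicious": set(paths)}
        self.trusted = set()       # pids whose protection layer is toggled off
        self.blocked = set()       # pids rolled back; further writes refused

    def write(self, pid: int, path: str, data: bytes) -> str:
        if pid in self.blocked:
            return "refused"
        original = self.files.get(path)
        if pid not in self.trusted:
            # Copy-on-write: keep the content as it was before this process first touched the path.
            self.shadow.setdefault(pid, {}).setdefault(path, original)
        self.files[path] = data

        st = self.stats.setdefault(pid, {"touched": set(), "suspicious": set()})
        st["touched"].add(path)
        if original is not None and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            st["suspicious"].add(path)   # existing file replaced by ciphertext-like bytes
        return self._apply_verdict(pid)

    def _apply_verdict(self, pid: int) -> str:
        st = self.stats[pid]
        if len(st["touched"]) < MIN_FILES_FOR_VERDICT:
            return "ok"
        ratio = len(st["suspicious"]) / len(st["touched"])
        if ratio >= MALICIOUS_RATIO:
            self.rollback(pid)
            return "rolled_back"
        if ratio <= BENIGN_RATIO and pid not in self.trusted:
            self.trusted.add(pid)      # toggle the protection layer off and free the copies
            self.shadow.pop(pid, None)
            return "trusted"
        return "ok"

    def rollback(self, pid: int) -> None:
        """Undo every write the process made while it was protected."""
        for path, before in self.shadow.pop(pid, {}).items():
            if before is None:
                self.files.pop(path, None)   # the process created it: remove it again
            else:
                self.files[path] = before
        self.trusted.discard(pid)
        self.blocked.add(pid)


def demo():
    """Constructed scenario: one benign editor (pid 100), one encrypting process (pid 200)."""
    fs = ShieldedFS(SAMPLE_FILES)
    log = []
    # pid 100 saves ordinary text: after three files it is cleared and its shadows released.
    log.append(fs.write(100, "C:/Users/alice/notes.txt",
                        b"call dentist; renew passport; buy milk; book flights"))
    log.append(fs.write(100, "C:/Users/alice/todo.txt", b"1. finish slides\n2. send invoice\n"))
    log.append(fs.write(100, "C:/Users/alice/draft.txt", b"Dear team, attached is the plan."))
    # pid 200 overwrites existing documents with maximal-entropy bytes (constructed stand-in
    # for ciphertext); on the third file the verdict flips and everything it wrote is undone.
    ciphertext = bytes(range(256))
    for path in ("C:/Users/alice/report.docx", "C:/Users/alice/budget.xlsx",
                 "C:/Users/alice/notes.txt"):
        log.append(fs.write(200, path, ciphertext))
    log.append(fs.write(200, "C:/Users/alice/todo.txt", ciphertext))  # refused once blocked
    return fs, log


if __name__ == "__main__":
    fs, log = demo()
    print(log)
    for path, content in sorted(fs.files.items()):
        print(path, content[:40])
```

Two details of the model are worth noticing. Rollback restores each file to its state at the moment the flagged process first touched it, so the benign edit to notes.txt survives while the later overwrite is undone. And once a process has been cleared and its shadows released, nothing it writes afterwards can be recovered, which is exactly why the abstract stresses that the protection layer is toggled per process according to the detector's outcome rather than switched off globally.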

We designed ShieldFS after an analysis of billions of low-level, I/O filesystem requests generated by thousands of benign applications, which we collected from clean machines in use by real users for about one month. This is the first measurement on the filesystem activity of a large set of benign applications in real working conditions.

We evaluated ShieldFS in real-world working conditions on real, personal machines, against samples from state of the art ransomware families. ShieldFS was able to detect the malicious activity at runtime and transparently recover all the original files. Although the models can be tuned to fit various filesystem usage profiles, our results show that our initial tuning yields high accuracy even on unseen samples and variants.


Published in

ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications
December 2016
614 pages
ISBN: 9781450347716
DOI: 10.1145/2991079

    Copyright © 2016 ACM


    Publisher

    Association for Computing Machinery

    New York, NY, United States



Acceptance Rates

Overall Acceptance Rate: 104 of 497 submissions, 21%
