A Roadmap for Improving the Impact of Anti-ransomware Research

  • Jamie Pont
  • Osama Abu Oun
  • Calvin Brierley
  • Budi AriefEmail author
  • Julio Hernandez-Castro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11875)


Ransomware is a type of malware which restricts access to a victim’s computing resources and demands a ransom in order to restore access. This is a continually growing and costly threat across the globe, therefore efforts have been made both in academia and industry to develop techniques that can help to detect and recover from ransomware attacks. This paper aims to provide an overview of the current landscape of Windows-based anti-ransomware tools and techniques, using a clear, simple and consistent terminology in terms of Data Sources, Processing and Actions. We extensively analysed relevant literature so that, to the best of our knowledge, we had at the time covered all approaches taken to detect and recover from ransomware attacks. We grouped these techniques according to their main features as a way to understand the landscape. We then selected 15 existing anti-ransomware tools both to examine how they fit into this landscape and to compare them by aggregating their accuracy and overhead – two of the most important selection criteria of these tools – as reported by the tools’ respective authors. We were able to determine popular solutions and unexplored gaps that could lead to promising areas of anti-ransomware development. From there, we propose two novel detection techniques, namely serial byte correlation and edit distance. This paper serves as a much needed roadmap of knowledge and ideas to systematise the current landscape of anti-ransomware tools.


Ransomware Anti-ransomware Detection Recovery 



Part of the work presented in this paper has been funded by the UK Engineering and Physical Sciences Research Council (EPSRC) Project EP/P011772/1 on the EconoMical, PsycHologicAl and Societal Impact of RanSomware (EMPHASIS).


  1. 1.
    Varonis: A brief history of ransomware (2016)
  2. 2.
    Young, A., Yung, M.: Cryptovirology: extortion-based security threats and countermeasures. In: Proceedings 1996 IEEE Symposium on Security and Privacy, pp. 129–140, May 1996Google Scholar
  3. 3.
  4. 4.
  5. 5.
    Cartwright, E., Hernandez Castro, J., Cartwright, A.: To pay or not: game theoretic models of ransomware. J. Cybersecur. 5(1) (2019).
  6. 6.
    Hernandez-Castro, J., et al.: Economic analysis of ransomware. CoRR, abs/1703.06660 (2017).
  7. 7.
  8. 8.
  9. 9.
    BBC News: Huge aluminium plants hit by ‘severe’ ransomware attack (2019).
  10. 10.
    No More Ransom (2019).
  11. 11.
  12. 12.
    Al-rimy, B.A.S., et al.: Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions. Comput. Secur. 74, 144–166 (2018)CrossRefGoogle Scholar
  13. 13.
    Ahmadian, M.M., Shahriari, H.R., Ghaffarian, S.M.: Connection-monitor connection-breaker: a novel approach for prevention and detection of high survivable ransomwares. In: 2015 12th International Iranian Society of Cryptology Conference on Information Security and Cryptology (ISCISC), pp. 79–84, September 2015Google Scholar
  14. 14.
    Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 3–24. Springer, Cham (2015). Scholar
  15. 15.
    Scaife, N., et al.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312, June 2016Google Scholar
  16. 16.
    Gazet, A.: Comparative analysis of various ransomware virii. J. Comput. Virol. 6(1), 77–90 (2010)CrossRefGoogle Scholar
  17. 17.
    Mercaldo, F., et al.: Ransomware inside out. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 628–637, August 2016Google Scholar
  18. 18.
    Song, S., Kim, B., Lee, S.: The effective ransomware prevention technique using process monitoring on Android platform. Mob. Inf. Syst. 2016 (2016). Article ID 2946735, 9 p. Google Scholar
  19. 19.
    Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, pp. 336–347. ACM, New York (2016)Google Scholar
  20. 20.
    Kharraz, A., et al.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIXSecurity 16), pp. 757–772. USENIX (2016)Google Scholar
  21. 21.
    Andronio, N., Zanero, S., Maggi, F.: HelDroid: dissecting and detecting mobile ransomware. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 382–404. Springer, Cham (2015). Scholar
  22. 22.
    Palisse, A., Durand, A., Le Bouder, H., Le Guernic, C., Lanet, J.-L.: Data Aware Defense (DaD): towards a generic and practical ransomware countermeasure. In: Lipmaa, H., Mitrokotsa, A., Matulevičius, R. (eds.) NordSec 2017. LNCS, vol. 10674, pp. 192–208. Springer, Cham (2017). Scholar
  23. 23.
    Alam, M., et al.: RAPPER: ransomware prevention via performance counters. abs/1802.03909 (2018).
  24. 24.
    Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 98–119. Springer, Cham (2017). Scholar
  25. 25.
    Greenberg, A.: The untold story of NotPetya, the most devastating cyberattack in history (2018).
  26. 26.
    Hull, G., John, H., Arief, B.: Ransomware deployment methods and analysis: views from a predictive model and human responses. Crime Sci. 8(1) (2019).
  27. 27.
    Microsoft: File system minifilter drivers - windows drivers — microsoft docs (2017).
  28. 28.
    Sabić, N.: Fibratus (2016).
  29. 29.
    Ahmadian, M.M., Shahriari, H.R.: 2entFOX: a framework for high survivable ransomwares detection. In: 2016 13th International Iranian Society of Cryptology Conference on Information Security and Cryptology (ISCISC), pp. 79–84, September 2016Google Scholar
  30. 30.
    Sgandurra, D., et al.: Automated dynamic analysis of ransomware: benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020 (2016)
  31. 31.
    Baek, S., et al.: SSD-insider: internal defense of solid-state drive against ransomware with perfect data recovery. In: 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), pp. 875–884, July 2018Google Scholar
  32. 32.
    Kolodenker, E., et al.: Paybreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 599–611. ACM (2017)Google Scholar
  33. 33.
    Genç, Z.A., Lenzini, G., Ryan, P.Y.A.: No random, no ransom: a key to stop cryptographic ransomware. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 234–255. Springer, Cham (2018). Scholar
  34. 34.
    Virus Total: Virustotal-free online virus, malware and URL scanner (2012).
  35. 35.
    DTREG: Decision trees compared to regression and neural networks (2019).
  36. 36.
    Microsoft: Detours (2016).
  37. 37.
    Digital Corpora (2018).
  38. 38.
    Lokuketagoda, B., et al.: R-killer: an email based ransomware protection tool. In: 2018 13th International Conference on Computer Science Education (ICCSE), pp. 1–7, August 2018Google Scholar
  39. 39.
    Gómez-Hernández, J., et al.: R-locker: thwarting ransomware action through a honeyfile-based approach. Comput. Secur. 73, 389–398 (2018)CrossRefGoogle Scholar
  40. 40.
    Moore, C.: Detecting ransomware with honeypot techniques. In: 2016 Cybersecurity and Cyberforensics Conference (CCC), pp. 77–81, August 2016Google Scholar
  41. 41.
  42. 42.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.University of KentCanterburyUK

Personalised recommendations