
Large Scale Behavioral Analysis of Ransomware Attacks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 11306)

Abstract

Ransomware is now the highest risk attack vector in cybersecurity. Reliable and accurate ransomware detection and removal solutions require a deep understanding of the techniques and strategies adopted by malicious code at the file system level. We conducted a large-scale analysis of more than 1.7 billion lines of I/O request packets (IRPs), and additional file system event logs, to gain deeper insights into malicious ransomware behaviors. Such behaviors include crypto-ransomware file system attacks achieved by either encrypting individual files or modifying the Master Boot Record (MBR). Our large-scale analysis shows that crypto-ransomware preferentially attacks certain file types; greedily performs file operations more frequently on more diverse types of files; randomizes novel filename generation for malicious executables; and exhibits a preference for alternating file access. We believe that these insights are vital to building the next generation of ransomware detection and removal solutions.
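The abstract reports that crypto-ransomware performs file operations more frequently across more diverse file types than benign software and tends to alternate its file access. As an added illustration (not the paper's code or data), the script below turns those two findings into per-process features computed over a constructed IRP-style event log: operation rate, the number of distinct extensions a process reads, and how often a read of one file is immediately followed by a write to a different file. The log format (`seconds pid process IRP_major_function path`), the process names, the paths and the flagging thresholds are all assumptions made for the example; the paper's actual dataset, feature set and any thresholds it may use are not shown on this page.

```python
"""Heuristic scorer over IRP-style file-system events.

Constructed example: the log format, process names, paths and thresholds
below are assumptions for illustration, not the paper's data or method.
"""
from dataclasses import dataclass, field

# Constructed sample log, one event per line:
#   <seconds> <pid> <process> <IRP major function> <path>
# winword.exe edits one document slowly; xkq9v2.exe (a made-up random
# name) reads files of several types and writes a renamed copy of each.
SAMPLE_LOG = """\
0.00 4120 winword.exe IRP_MJ_CREATE C:\\Users\\a\\Documents\\report.docx
0.10 4120 winword.exe IRP_MJ_READ C:\\Users\\a\\Documents\\report.docx
3.50 4120 winword.exe IRP_MJ_WRITE C:\\Users\\a\\Documents\\report.docx
0.01 7788 xkq9v2.exe IRP_MJ_CREATE C:\\Users\\a\\Documents\\report.docx
0.02 7788 xkq9v2.exe IRP_MJ_READ C:\\Users\\a\\Documents\\report.docx
0.03 7788 xkq9v2.exe IRP_MJ_WRITE C:\\Users\\a\\Documents\\report.docx.locked
0.04 7788 xkq9v2.exe IRP_MJ_CREATE C:\\Users\\a\\Pictures\\holiday.jpg
0.05 7788 xkq9v2.exe IRP_MJ_READ C:\\Users\\a\\Pictures\\holiday.jpg
0.06 7788 xkq9v2.exe IRP_MJ_WRITE C:\\Users\\a\\Pictures\\holiday.jpg.locked
0.07 7788 xkq9v2.exe IRP_MJ_CREATE C:\\Users\\a\\Desktop\\budget.xlsx
0.08 7788 xkq9v2.exe IRP_MJ_READ C:\\Users\\a\\Desktop\\budget.xlsx
0.09 7788 xkq9v2.exe IRP_MJ_WRITE C:\\Users\\a\\Desktop\\budget.xlsx.locked
0.10 7788 xkq9v2.exe IRP_MJ_CREATE C:\\Users\\a\\Music\\track.mp3
0.11 7788 xkq9v2.exe IRP_MJ_READ C:\\Users\\a\\Music\\track.mp3
0.12 7788 xkq9v2.exe IRP_MJ_WRITE C:\\Users\\a\\Music\\track.mp3.locked
"""


@dataclass
class ProcStats:
    name: str
    times: list = field(default_factory=list)
    ops: list = field(default_factory=list)       # (major_function, path) in log order
    read_exts: set = field(default_factory=set)   # extensions of files the process read


def ext_of(path: str) -> str:
    """Lower-cased extension of the path's final component ('' if none)."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def parse_line(line: str):
    t, pid, name, mj, path = line.split(" ", 4)
    return float(t), int(pid), name, mj, path


def aggregate(log_text: str) -> dict:
    """Group events by pid, keeping order, timing and the set of read extensions."""
    procs: dict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, pid, name, mj, path = parse_line(line)
        st = procs.setdefault(pid, ProcStats(name))
        st.times.append(t)
        st.ops.append((mj, path))
        if mj == "IRP_MJ_READ":
            st.read_exts.add(ext_of(path))
    return procs


def features(st: ProcStats) -> dict:
    """Operation rate, file-type diversity, and read-then-write-elsewhere ratio."""
    span = max(st.times) - min(st.times)
    rate = len(st.ops) / max(span, 0.01)   # floor avoids division by zero
    reads = alternating = 0
    for (mj, path), (next_mj, next_path) in zip(st.ops, st.ops[1:]):
        if mj == "IRP_MJ_READ":
            reads += 1
            # read of one file immediately followed by a write to another file
            if next_mj == "IRP_MJ_WRITE" and next_path != path:
                alternating += 1
    return {
        "ops_per_sec": rate,
        "distinct_read_exts": len(st.read_exts),
        "alternation_ratio": alternating / reads if reads else 0.0,
    }


def suspicious_processes(log_text: str, min_rate: float = 20.0,
                         min_exts: int = 3, min_alt: float = 0.5) -> list:
    """Return (pid, name) for processes exceeding all three assumed thresholds."""
    flagged = []
    for pid, st in aggregate(log_text).items():
        f = features(st)
        if (f["ops_per_sec"] >= min_rate and f["distinct_read_exts"] >= min_exts
                and f["alternation_ratio"] >= min_alt):
            flagged.append((pid, st.name))
    return flagged


if __name__ == "__main__":
    for pid, st in aggregate(SAMPLE_LOG).items():
        print(pid, st.name, features(st))
    print("flagged:", suspicious_processes(SAMPLE_LOG))
```

Run as-is, the benign editor falls below every threshold (one file type, slow, writes back to the file it read), while the constructed encryptor process is flagged on all three features. In a real deployment the thresholds would be calibrated against a baseline of benign workloads, since backup tools and indexers also touch many file types quickly.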




Corresponding author

Correspondence to Timothy R. McIntosh.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

McIntosh, T.R., Jang-Jaccard, J., Watters, P.A. (2018). Large Scale Behavioral Analysis of Ransomware Attacks. In: Cheng, L., Leung, A., Ozawa, S. (eds) Neural Information Processing. ICONIP 2018. Lecture Notes in Computer Science(), vol 11306. Springer, Cham. https://doi.org/10.1007/978-3-030-04224-0_19


  • DOI: https://doi.org/10.1007/978-3-030-04224-0_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-04223-3

  • Online ISBN: 978-3-030-04224-0

  • eBook Packages: Computer Science (R0)
