
An Efficient Approach to Detect TorrentLocker Ransomware in Computer Systems

  • Conference paper
Cryptology and Network Security (CANS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10052)

Abstract

TorrentLocker is ransomware that encrypts sensitive data on infected computer systems. Its creators demand a ransom from victims who want to recover their data. Unfortunately, antivirus products have difficulty detecting such polymorphic malware. In this paper, we propose a novel approach to detect, online, suspicious processes that access a large number of files and encrypt them. Such behavior corresponds to the classical scenario of malicious ransomware. We show that the Kullback-Leibler divergence can be used to detect with high effectiveness whether or not a process transforms structured input files (such as JPEG files) into unstructured encrypted files. We focus mainly on JPEG files, since irreplaceable pictures are in many cases the most valuable data on personal computers or smartphones.
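The following Python example is an added illustration of the idea in the abstract, not code from the paper: it measures how far the byte-value distribution of a buffer is from uniform using the Kullback-Leibler divergence, and flags a process that consumes structured input but writes unstructured output. The choice of the uniform distribution as reference, the 0.5-bit threshold and the synthetic sample buffers are assumptions made here; the paper's actual parameters are not on this page.

```python
"""Byte-distribution KL-divergence check for ransomware-style file rewriting.

Assumption: divergence is computed between the empirical byte distribution
of the data and the uniform distribution over 256 symbols; threshold and
sample buffers are constructed for illustration, not taken from the paper.
"""
import hashlib
import math
from collections import Counter

ALPHABET = 256


def byte_distribution(data: bytes) -> list:
    """Empirical probability of each byte value 0..255 in `data`."""
    counts = Counter(data)
    n = len(data)
    return [counts.get(b, 0) / n for b in range(ALPHABET)]


def kl_from_uniform(data: bytes) -> float:
    """D_KL(P || U) in bits, P = byte distribution of `data`, U = uniform.
    This equals 8 - H(P): near 0 for ciphertext, larger for structured data."""
    if not data:
        raise ValueError("empty buffer")
    return sum(p * math.log2(p * ALPHABET) for p in byte_distribution(data) if p > 0)


def looks_encrypted(data: bytes, threshold_bits: float = 0.5) -> bool:
    """Assumed rule: divergence below the threshold means unstructured output."""
    return kl_from_uniform(data) < threshold_bits


def flag_process(read_buf: bytes, written_buf: bytes, threshold_bits: float = 0.5) -> bool:
    """Suspicious when structured data was read and unstructured data written,
    the transformation the abstract attributes to ransomware."""
    return (not looks_encrypted(read_buf, threshold_bits)) and looks_encrypted(written_buf, threshold_bits)


def sample_structured(n_blocks: int = 1024) -> bytes:
    """Constructed 'JPEG-like' buffer: JFIF header plus data drawn from only 64
    byte values. Real JPEG payloads sit much closer to uniform than this, so a
    deployed threshold must be calibrated on real files."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(64)) * n_blocks


def sample_ciphertext(n_bytes: int = 65536) -> bytes:
    """Deterministic stand-in for encrypted output: a SHA-256 hash chain."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < n_bytes:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n_bytes])
```

Run `flag_process(sample_structured(), sample_ciphertext())` to see the structured-in, unstructured-out pattern flagged, while an already-encrypted input that is copied unchanged is not.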



Acknowledgments

The authors would like to thank the anonymous referees who have pointed out the very recent and relevant paper on CryptoLock. The authors would like also to thank Marc-Étienne M. Léveillé, a malware researcher of ESET, who has provided an execution trace of TorrentLocker. This work is partially supported by Canada NSERC Discovery Grants.

Corresponding author: Jean-Marc Robert.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Mbol, F., Robert, J.-M., Sadighian, A. (2016). An Efficient Approach to Detect TorrentLocker Ransomware in Computer Systems. In: Foresti, S., Persiano, G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham. https://doi.org/10.1007/978-3-319-48965-0_32

  • DOI: https://doi.org/10.1007/978-3-319-48965-0_32

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-48964-3

  • Online ISBN: 978-3-319-48965-0

  • eBook Packages: Computer Science, Computer Science (R0)
