Abstract
Ransomware is a form of extortion-based attack that locks the victim’s digital resources and requests money to release them. The recent resurgence of high-profile ransomware attacks, particularly in critical sectors such as the health care industry, has highlighted the pressing need for effective defenses. While users are always advised to have a reliable backup strategy, the growing number of paying victims in recent years suggests that an endpoint defense that is able to stop and recover from ransomware’s destructive behavior is needed.
In this paper, we introduce Redemption, a novel defense that makes the operating system more resilient to ransomware attacks. Our approach requires minimal modification of the operating system to maintain a transparent buffer for all storage I/O. At the same time, our system monitors the I/O request patterns of applications on a per-process basis for signs of ransomware-like behavior. If I/O request patterns are observed that indicate possible ransomware activity, the offending processes can be terminated and the data restored.
Our evaluation demonstrates that Redemption can ensure zero data loss against current ransomware families without detracting from the user experience or inducing alarm fatigue. In addition, we show that Redemption incurs modest overhead, averaging 2.6% for realistic workloads.
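To make the abstract's design concrete, here is a small constructed model (an added example, not Redemption's code) of a per-process I/O monitor: every write is staged in a per-process buffer instead of reaching the disk, a suspicion score grows with ransomware-like request patterns, and crossing the threshold "terminates" the process and discards its staged writes. The two features, their weights and the threshold are assumptions for illustration, not the paper's values.

```python
import math
from collections import defaultdict

# Assumed threshold and feature weights; the paper's real policy is not shown here.
THRESHOLD = 3.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content (8.0 = uniformly random, as ciphertext looks)."""
    if not data:
        return 0.0
    n = len(data)
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

class IOMonitor:
    def __init__(self, disk: dict):
        self.disk = disk                   # path -> bytes, the committed on-disk state
        self.staged = defaultdict(dict)    # pid -> {path: pending bytes}, the buffer
        self.score = defaultdict(float)    # pid -> running suspicion score
        self.terminated = set()

    def write(self, pid: int, path: str, data: bytes) -> str:
        """Stage a write for pid; returns 'buffered' or 'terminated'."""
        if pid in self.terminated:
            return "terminated"
        current = self.staged[pid].get(path, self.disk.get(path))
        # Feature 1: an existing structured (low-entropy) file is replaced by
        # high-entropy content, the pattern of in-place encryption.
        if (current is not None and shannon_entropy(current) < 6.0
                and shannon_entropy(data) > 7.5):
            self.score[pid] += 1.0
        self.staged[pid][path] = data
        # Feature 2: breadth, one process rewriting many distinct existing files.
        if sum(1 for p in self.staged[pid] if p in self.disk) >= 3:
            self.score[pid] += 0.5
        if self.score[pid] >= THRESHOLD:
            self.terminated.add(pid)
            self.staged.pop(pid)           # drop pending writes: disk is untouched
            return "terminated"
        return "buffered"

    def commit(self, pid: int) -> int:
        """Flush a still-trusted process's staged writes to disk; returns the count."""
        pending = self.staged.pop(pid, {})
        self.disk.update(pending)
        return len(pending)
```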
Acknowledgements
This work was supported by the National Science Foundation (NSF) under grant CNS-1409738, and Secure Business Austria.
© 2017 Springer International Publishing AG
Kharraz, A., Kirda, E. (2017). Redemption: Real-Time Protection Against Ransomware at End-Hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_5
DOI: https://doi.org/10.1007/978-3-319-66332-6_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66331-9
Online ISBN: 978-3-319-66332-6