Redemption: Real-Time Protection Against Ransomware at End-Hosts

Conference paper. Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10453)

Abstract

Ransomware is a form of extortion-based attack that locks the victim’s digital resources and requests money to release them. The recent resurgence of high-profile ransomware attacks, particularly in critical sectors such as the health care industry, has highlighted the pressing need for effective defenses. While users are always advised to have a reliable backup strategy, the growing number of paying victims in recent years suggests that an endpoint defense that is able to stop and recover from ransomware’s destructive behavior is needed.

In this paper, we introduce Redemption, a novel defense that makes the operating system more resilient to ransomware attacks. Our approach requires minimal modification of the operating system to maintain a transparent buffer for all storage I/O. At the same time, our system monitors the I/O request patterns of applications on a per-process basis for signs of ransomware-like behavior. If I/O request patterns are observed that indicate possible ransomware activity, the offending processes can be terminated and the data restored.

Our evaluation demonstrates that Redemption can ensure zero data loss against current ransomware families without detracting from the user experience or inducing alarm fatigue. In addition, we show that Redemption incurs modest overhead, averaging 2.6% for realistic workloads.
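The abstract describes three moving parts: a transparent buffer that holds every storage write, per-process monitoring of I/O request patterns, and a terminate-and-restore step when a process looks like ransomware. The following Python model, added here as an illustration and not code from the paper or its authors, shows how those parts fit together in user space. The concrete indicators it scores (overwrites of existing files, high-entropy write payloads, spread across files) and the 0.7 threshold are assumptions chosen for the demo; the paper's own feature set and thresholds are not on this page. The "disk" contents and the two processes are constructed.

```python
"""Toy model of a buffered-I/O ransomware monitor (constructed example).

Thresholds and indicators are assumptions for illustration, not the paper's.
The real system sits in the kernel I/O path; this models only the policy."""
import hashlib
import math
from collections import defaultdict

# Constructed contents of a small "disk" before any process runs.
INITIAL_DISK = {
    "docs/report.docx": b"Quarterly report: revenue grew modestly. " * 30,
    "docs/notes.txt": b"meeting notes, todo items, plain ascii text. " * 20,
    "photos/cat.jpg": bytes(range(256)) * 4,
}

SUSPICION_THRESHOLD = 0.7   # assumed cut-off; tune against benign workloads
HIGH_ENTROPY_BITS = 7.0     # assumed: ciphertext is ~8 bits/byte, text ~4-5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class BufferedStore:
    """Transparent buffer: every write is redirected into a per-process
    shadow area and reaches the disk only once the process is committed.
    Discarding the shadow of a killed process restores the original data."""

    def __init__(self, disk):
        self.disk = dict(disk)
        self.shadow = defaultdict(dict)          # pid -> {path: data}
        self.stats = defaultdict(lambda: {"writes": 0, "overwrites": 0,
                                          "high_entropy": 0, "files": set()})

    def read(self, pid, path):
        # A process sees its own pending writes, as a real buffer would.
        return self.shadow[pid].get(path, self.disk.get(path))

    def write(self, pid, path, data):
        st = self.stats[pid]
        st["writes"] += 1
        st["files"].add(path)
        if path in self.disk:
            st["overwrites"] += 1                # rewriting user data in place
        if shannon_entropy(data) > HIGH_ENTROPY_BITS:
            st["high_entropy"] += 1              # payload looks like ciphertext
        self.shadow[pid][path] = data

    def score(self, pid):
        """Ransomware-likeness in [0, 1]: share of writes that overwrite
        existing files, share that look encrypted, and spread over files."""
        st = self.stats[pid]
        if st["writes"] == 0:
            return 0.0
        overwrite_ratio = st["overwrites"] / st["writes"]
        entropy_ratio = st["high_entropy"] / st["writes"]
        spread = min(1.0, len(st["files"]) / 3)
        return (overwrite_ratio + entropy_ratio + spread) / 3

    def decide(self, pid):
        """Commit the shadow to disk, or discard it (terminate and restore)."""
        if self.score(pid) >= SUSPICION_THRESHOLD:
            self.shadow.pop(pid, None)           # the disk never saw the writes
            return "terminated"
        self.disk.update(self.shadow.pop(pid, {}))
        return "committed"


def pseudo_ciphertext(seed: bytes, length: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def run_demo():
    """Constructed scenario: an editor saves a note while another process
    rewrites every file with ciphertext. Returns the store and decisions."""
    store = BufferedStore(INITIAL_DISK)
    editor, encryptor = 100, 200
    store.write(editor, "docs/notes.txt",
                b"meeting notes, rewritten by the user. " * 20)
    for path in INITIAL_DISK:
        store.write(encryptor, path, pseudo_ciphertext(path.encode()))
    decisions = {pid: (round(store.score(pid), 2), store.decide(pid))
                 for pid in (editor, encryptor)}
    return store, decisions


if __name__ == "__main__":
    store, decisions = run_demo()
    print(decisions)
    print(store.disk["docs/report.docx"][:40])
```

The point of the buffer is that the decision can be made after the fact without loss: the encryptor's writes are discarded and the original files are untouched, while the editor's single plaintext save is committed. The scoring also shows why a single indicator is not enough: a backup tool writing one new compressed archive scores high on entropy but low on overwrites and spread, so it stays below the threshold in this model, which is the alarm-fatigue trade-off the abstract refers to.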



Acknowledgements

This work was supported by the National Science Foundation (NSF) under grant CNS-1409738, and Secure Business Austria.

Author information

Correspondence to Amin Kharraz.


Electronic supplementary material

Supplementary material 1 (txt, 1 KB)


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Kharraz, A., Kirda, E. (2017). Redemption: Real-Time Protection Against Ransomware at End-Hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_5

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66331-9

  • Online ISBN: 978-3-319-66332-6
