Abstract
The pre-encryption behaviour of ransomware refers to the period before the ransomware begins to encrypt files, during which it performs activities to conceal its presence or gather sensitive information about the victim system. For any detection model, it is crucial to restrain ransomware activity before it causes significant damage or spreads further throughout the system. In this regard, we propose RTR-Shield, a novel rule-based tool to detect and block crypto-ransomware activity in its early stage of execution. The tool primarily relies on two monitoring blocks: the Registry Activity Monitoring Block (RAMB) and the File Trap Monitoring Block (FTMB). RAMB is derived from forensic analysis of the registry modifications performed by 27 recent ransomware families within the first 10 s of payload execution. We also reveal the common keys and values that ransomware modifies in its pre-encryption phase. FTMB is constructed from a study of the directories that ransomware initially accesses, and deploys trap files at strategic locations. In our evaluation, RTR-Shield demonstrates its efficacy in detecting and blocking ransomware activity during the initial stages of encryption, even for previously unseen ransomware variants.
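The two ideas the abstract rests on, a RegShot-style snapshot diff of key/value state and trap files whose integrity is checked for tampering, can be illustrated with a small detector. The following is an added example written for this page, not RTR-Shield's own code or the paper's algorithm: the "registry" snapshots are plain dictionaries with constructed key names (no Windows registry access), the trap file name and contents are constructed, and the tampering in `demo()` is simulated by the script itself to show what an alert looks like.

```python
"""Toy trap-file (honeyfile) monitor plus a RegShot-style snapshot diff.

Added illustration for this page; not the paper's RTR-Shield implementation.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed trap file name: the leading "~!" sorts it early in a
# directory listing, which is where an enumerate-and-encrypt loop tends to start.
TRAP_NAME = "~!_do_not_touch.docx"


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def deploy_traps(directories):
    """Write one trap file with unique content into each directory.

    Returns a baseline {path: sha256} used later to detect tampering.
    """
    baseline = {}
    for d in directories:
        p = Path(d) / TRAP_NAME
        p.write_bytes(b"TRAP-FILE " + os.urandom(16))  # unique per trap
        baseline[str(p)] = _sha256(p)
    return baseline


def check_traps(baseline):
    """Return [(path, reason)] for every trap that is missing or altered.

    Encryption in place shows up as 'modified'; rename-then-encrypt or
    delete shows up as 'missing'. An empty list means no trap was touched.
    """
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "missing"))
        elif _sha256(p) != digest:
            alerts.append((path, "modified"))
    return alerts


def snapshot_diff(before, after):
    """Compare two {key: value} snapshots and report added/deleted/changed keys.

    This is the same comparison a RegShot-style tool performs on two registry
    dumps; here the snapshots are ordinary dicts with constructed keys.
    """
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    changed = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "deleted": deleted, "changed": changed}


def demo():
    """Deploy traps in two temporary directories, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        dirs = [Path(root) / "Documents", Path(root) / "Pictures"]
        for d in dirs:
            d.mkdir()
        baseline = deploy_traps(dirs)
        clean = check_traps(baseline)  # expected: no alerts

        # Simulated tampering (constructed, performed by this script itself):
        # overwrite one trap and rename the other away.
        (dirs[0] / TRAP_NAME).write_bytes(b"\x00" * 32)
        (dirs[1] / TRAP_NAME).rename(dirs[1] / "renamed.tmp")
        after_tamper = check_traps(baseline)

    # Constructed key/value snapshots standing in for two registry dumps.
    before = {r"HKCU\Software\ExampleVendor\Marker": "0",
              r"HKCU\Software\ExampleVendor\Unchanged": "1"}
    after = {r"HKCU\Software\ExampleVendor\Marker": "1",
             r"HKCU\Software\ExampleVendor\Unchanged": "1",
             r"HKCU\Software\ExampleVendor\NewValue": "x"}
    return {"clean": clean, "after_tamper": after_tamper,
            "diff": snapshot_diff(before, after)}


if __name__ == "__main__":
    print(demo())
```

In a deployed monitor `check_traps` would run on a file-change notification rather than on demand, and an alert would suspend the offending process; the point here is only that both blocks reduce to comparing live state against a recorded baseline.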
Appendices
A Algorithm for RTR-Shield
B Summary of Modifications Made to the Registry by Various Ransomware Families
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Anand, P.M., Charan, P.V.S., Chunduri, H., Shukla, S.K. (2023). RTR-Shield: Early Detection of Ransomware Using Registry and Trap Files. In: Meng, W., Yan, Z., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2023. Lecture Notes in Computer Science, vol 14341. Springer, Singapore. https://doi.org/10.1007/978-981-99-7032-2_13
DOI: https://doi.org/10.1007/978-981-99-7032-2_13
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7031-5
Online ISBN: 978-981-99-7032-2
eBook Packages: Computer Science, Computer Science (R0)